7/26/2019 Data Assest Management System (DAMS)
Running head: DATA ASSET MANAGEMENT SYSTEM (DAMS)
Data Asset Management System (DAMS)
Datacenter Application
Final Term Project
Greg Wiedeman
MSCT620
Regis University
Abstract
The following paper contains information for supporting a Data Asset Management System (DAMS) located in a data center with a focus on an infrastructure of models that are used to capture, catalog, store and manage digital assets, which will be print media and advertising art work. The process of design for the DAMS will consist of the network architecture and supporting infrastructure used to create an efficient system, which is scalable, flexible, and resilient. The system is going to reside in one or more of the server farm topologies, which include internet, intranet and extranet, and the topology boundaries of the system will help to determine security, including data integrity, assurance, and secure access without causing a hindrance to end-users or affecting the application’s performance. The network design will consist of a layer 2 network design including STP, a layer 3 design with routing protocols defined, SSL/TLS, load balancing, server monitoring, and caching with a final DNS mapping. This information should be enough for an installation team to develop a full cost estimate, configuration guides, and construction plans.
Table of Contents
I. Introduction
II. Risk Analysis
III. Layer 2 Design of the Datacenter
IV. Layer 3 IP Address Design
V. SSL and TLS
VI. Load Balancing
VII. DNS
VIII. References
I. Introduction
The world today is becoming more about ones and zeros as books are converted to digital media, medical records are forced to go digital, documents are scanned into computer systems, pictures, music, movies, and the list continues on what is getting digitized. Brand (1990's to the present recorded information increasingly disappears into a digital gap. Historians will consider this a dark age”. The management of all the digital assets becomes a necessity but difficulties arise as formats change and become obsolete, tapes and disks lose integrity, systems become more complicated, new methods of access become available, such as smart phones and tablets, and as more data is transferred to digital media storage increases and a storage life cycle plan becomes ever more important to develop in an organization to move data around easier for fast and efficient access.
The purpose then, for Digital Asset Management (DAM), is to develop the concept into the data center as a Digital Asset Management System (DAMS), which according to McCord (2002) contains an infrastructure of modules that are used to capture, catalog, store, and manage digital assets. He also points out that those assets should expand to use in tools that can produce videos, audio, web content, and print media. The digital content must also contain ways to identify the asset, group individual assets forming a collection, the ability to protect the original asset as it is used in these collections, define rights, determine permissions, develop process rules, and finally administer and control the flow of assets.
A company called Media River LLC will attempt to from a business requirement to easily share documents with satellite offices, and to external clients. The company’s digital objects consist of geological surveys, Microsoft Word documents, and Excel spreadsheets along with low to medium resolution images of land surveys, satellite photos, and digital ground photos. The front-end access is a web interface, similar to SharePoint, with a login page to control security access, auditing, and user sessions while providing a search function to enter metadata information to pull up certain images. Metadata could include, but is not limited to, a project ID, the name of a company, and the name of a product or a campaign theme. Users of the system can use a checkout method, similar to a library, to gather images to use as references for now or later, but after a 24-hour period the assets will automatically go back on the shelf. Administrators can manually override the system to move assets back on the shelf but cannot extend the period of 24 hours because of the persistent cookie expiration time that is delivered to the user browser.
Even though items may be checked out, this does not mean that the digital assets cannot still be viewed and checked out by other members for further processes such as ordering high resolution prints or obtaining a hard copy of the media. There will be certain access controls so that only certain individuals and groups will be able to view certain digital media. For example, one client could not see another client’s data, and clients will have specialized employees who will work one on one with the client to ensure that employees only have access to their supporting clients. This will prevent employees having access to all the data assets of every client.
II. Risk Analysis
The following contains a brief summary of the top three content elements used by users and managed by the DAMS. A score of high, medium or low for each content element shall be given based on the value of the content element to the organization, value to the user based on the subject of the content, the attractiveness to an outside attacker, and insider intent on fraud or extortion. The evaluation of the content elements continues by looking if there are any laws, such as HIPAA, PCI or FERPA as an example, that are governing the elements. The final portion evaluates what tools and technologies are required to ensure that the company is providing appropriate protections for the content elements identified.
The first content element that is critical for the DAMS is the web interface granting access to specific information for an employee, administrator, or client to create, read, update, or delete. This particular content, also known as authentication, has a rating of high for the organization because according to Vemuri (&''), it “is important in establishing trust in critical business processes”. It is also important to the organization because the identification of the person accessing the system is critical for safeguarding that the information accessed is correct for presentation and manipulation. It also helps to maintain confidentiality and integrity of the infrastructure by tracking changes made to the system.
Authentication, to the user, also ranks high for value because without this information there is no access to the information through the website. It will also prevent users from interacting with the system to view and update information with the company. It will also affect communication and slow down an end user’s effectiveness and productivity. Authentication also protects the client or company from an employee who is accessing and manipulating data in such a way that violates the company’s policies.
The content element of authentication is extremely attractive to an outside attacker and is therefore ranked high. The ranking of authentication should be common sense simply because it will allow that attacker to impersonate a user and has the same principle as framing someone for a theft of a physical item. It will also compromise the trustworthiness of the system and possibly turn away future business, and it becomes a public relations nightmare for a compromised system.
The next category evaluated is the value authentication has to insiders intent on fraud or extortion, and again this receives a medium due to the fact that employees of the survey company will indeed have certain rights not only to view content but also to look into other clients’ login profiles for troubleshooting problems or for training clients, and a real threat of fraud or extortion is not high because the content has more value to the client than it does to the employee. An employee could however steal information that a land survey may present and leak this information to outside entities for gain, but the employee would already have authentication into the system to get the information. As of now there are no known laws forcing authentication processes for the company but just guidance for standards based on best practice and some outlined by NIST Special Publication
usable addresses, inverse mask '/'/2/&>>, subnet size of
VLAN 200 Backend Database Cluster - Subnet 10.200.193.0 / 24
Gateway Address: '/&''/;2/
Subnet Mask: 255.255.255.0
SVI VLAN 200 Aggregate/Core Switch: '/&''/;2/&
SVI VLAN 200 Aggregate/Core Switch 2: '/&''/;2/2
HSRP VIP 200 Aggregate/Core Switch: '/&''/;2/
Backend Database Cluster Services VIP Cluster IP address: '/&''/;2/'

VLAN 300 - Load Balance Servers
Gateway Address: '/&''/;9/
Subnet: 255.255.255.0
SVI VLAN 300 Aggregate/Core Switch: '/&''/;9/&
SVI VLAN 300 Aggregate/Core Switch 2: '/&''/;9/2
HSRP VIP 300 Aggregate/Core Switch: '/&''/;9/
Primary Load Balance Server: '/&''/;9/'
Secondary Load Balance Server: '/&''/;9/&'

VLAN 400 - OSPF Edge Devices
Gateway Address: '/&''/;>/
Subnet: 255.255.255.0
SVI VLAN 400 Aggregate/Core Switch: '/&''/;9/&
SVI VLAN 400 Aggregate/Core Switch 2: '/&''/;9/2
HSRP VIP 400 Aggregate/Core Switch: '/&''/;9/
Primary Firewall Inside ': '/&''/;9/
Standby Firewall Inside ': '/&''/;9/&
HSRP VIP 400 Firewall: '/&''/;9/'
Firewall Active / Standby Configuration
CE Routers Redistribute OSPF
Out of band management interface on switches: '/''/''/ / 24
I still have some questions on the routing. I will have to investigate whether I can use BGP all the way to the core layer 3 switches or if I will need to redistribute OSPF into BGP. The MPLS carriers only accept BGP or static routes from the Customer Edge (CE) routes. Since I am using diversified carriers there are no managed routers and I will have to manage the routers. There are some advantages and disadvantages to using diversified carriers.

Advantages
More Fault domains
Leverage pricing from carriers
Automatic carrier failover for redundancy

Disadvantage
Load Balance is complicated between carriers
Design Complexity
Increased cost for routers
Reduces common offerings between carriers

I will also need to discover internet connectivity and how to provide fault tolerance. The original idea is to use two circuits with different entry points from within the data center. I will see if I want to load balance between the same carriers and have them manage the routers or manage the routers and have carrier diversification on the internet connection. The internet connection will provide VPN access into the data center, NAT for websites and other services. I will still need to provide public to private addressing and debating whether I should create a DMZ zone or extranet farm zone for access to the website interfaces. If I can firewall and NAT
device ACL’s allowing any to the device on port
gateways, or even routers. The load balancers are able to accomplish the distribution in different ways based on different methods and algorithms. Depending on the goals and infrastructure of the balanced entity, certain methods, of course, will work better than others. When choosing the type of algorithm to use, the designer must take into consideration the method to create persistence, “stickiness”, with the back-end infrastructure. In the case of the DAMS, the back end servers are in a web farm that will provide a web interface for clients. The clients will have the ability to view, download and upload their data from the web content, so maintaining persistence across servers will be an important factor. The server farm on the back end will contain servers of similar model and type with the same hardware in each web server for consistency and ease of management. Server monitoring is very critical in determining how to distribute the traffic load along with deciding what server certain requests should go to and how to reallocate a server load in the event of a server crash or failure. For the DAMS, a dynamic automated form of system monitoring is preferred along with an effective alerting tool to inform administrators of any warnings, critical failures or simple anomalies, such as an unusual increase in traffic volume.
The first load balancing design for the DAMS is a software solution using Apache web head servers running mod_proxy, mod_proxy_balancer, and mod_status. Mod_proxy is the core of the software modules and provides the layer 7 sticky sessions, while mod_proxy_balancer provides three load balance methods including Request Counting, Weighted Traffic Counting and Pending Request Counting, and finally mod_status will provide the server monitoring. The mod_proxy_balancer algorithm that seems to fit best with the DAMS is request counting, and the idea is that there is a distribution of the requests among the various workers, the back end servers, to ensure that each gets a share of the number of requests; this is a type of round robin. Some reasons to use request counting are that all the back end servers will be the same, it is easier to configure, the users’ sessions are not usually long because of uploads or downloads, and it can balance evenly across all servers, getting full utilization. Request Counting is enabled via lbmethod=byrequests in the httpd configuration file. The mod_proxy_balancer also has stickiness with two ways to implement it: one is a cookie and the other is URL encoding. The DAMS will use the cookie method to provide stickiness for a couple of reasons, including providing better flexibility and, since it is using layer 7, the client IP does not matter, which makes it easier for more mobility. To enable the balancer manager, which is a way to dynamically monitor and update the load balancing policies, mod_status is required. The balancer manager support enables dynamic update of balancer members. The balancer manager can then change the balance factor or put a member offline. The balancer manager is the way to provide server monitoring and health.
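The load balancing design described above, sketched as an Apache 2.4 configuration fragment. This is an added example, not the author's configuration: the back-end host names and port, the balancer name damsfarm, the ROUTEID cookie name, the module paths and the 192.0.2.0/24 management range are all assumptions.

```apache
# Added example, not from the paper. Assumed values: back ends
# web1-web3.mediariver.priv on port 80, balancer name "damsfarm",
# cookie name ROUTEID, and 192.0.2.0/24 as a placeholder for the
# out-of-band management subnet.
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
LoadModule headers_module modules/mod_headers.so
LoadModule status_module modules/mod_status.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule authz_host_module modules/mod_authz_host.so

# Reverse proxy only: never act as an open forward proxy.
ProxyRequests Off

# Issue the routing cookie whenever the balancer picks or changes a worker.
# Add the Secure attribute once TLS terminates on this front end.
Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/; HttpOnly" env=BALANCER_ROUTE_CHANGED

<Proxy "balancer://damsfarm">
    # Identical servers, so every member gets the same load factor.
    BalancerMember "http://web1.mediariver.priv:80" route=web1 loadfactor=1
    BalancerMember "http://web2.mediariver.priv:80" route=web2 loadfactor=1
    BalancerMember "http://web3.mediariver.priv:80" route=web3 loadfactor=1
    # Request Counting plus cookie-based stickiness.
    ProxySet lbmethod=byrequests stickysession=ROUTEID
</Proxy>

# Keep the management handlers out of the proxied URL space.
ProxyPass "/balancer-manager" "!"
ProxyPass "/server-status" "!"
ProxyPass "/" "balancer://damsfarm/"
ProxyPassReverse "/" "balancer://damsfarm/"

# balancer-manager can change load factors and take members offline,
# so it is reachable from the management network only.
<Location "/balancer-manager">
    SetHandler balancer-manager
    Require ip 192.0.2.0/24
</Location>

# mod_status output exposes request and worker details; same restriction.
<Location "/server-status">
    SetHandler server-status
    Require ip 192.0.2.0/24
</Location>
```

Running `apachectl configtest` after merging the fragment checks the syntax before a reload.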
The load balancer outside connection is a public IP address in the DMZ and the inside IP connection is part of the same private address subnet as the web servers in the same lan. This provides a two way arm proxy to pass traffic through the load balancer to the web servers. The proxy server can also cache pages in memory to decrease load time of images or common content. Redundancy is also built into the load balance servers by using a module called heartbeat. Heartbeat is a free utility that is set up on both load balancers and supplies the public VIP used on the outside and on the inside to track both interfaces in case one fails.
VII. DNS
The following section describes the infrastructure design for DNS zones including defining replication partners for redundancy and how the zone will influence several other components, such as the load balancer, web portal, MySQL databases, and the Active Directory infrastructure. The data center will consist of two DNS servers and two zones. One for Active Directory zone and the other for a split zone that will contain the external zone records for the web portal. At the end of describing the zone setup, there is a network diagram to show where in the datacenter the internal DNS servers lie.
The internal DNS servers are Microsoft DNS and run on the same servers in the data center as the Microsoft Active Directory Servers. The internal DNS will have the Active Directory DNS zone and the main Internet zone. The forest in Active Directory will provide the “private” internal DNS zone called mediariver.priv, which is an Active Directory integrated zone. This will contain all the service records for Active Directory along with all the server, switch, router, load balancer, and firewall entries. The registrar for the domain mediariver.com hosts the external DNS servers, which will only contain the records needed to allow clients to connect to the web portal from the outside. For an employee to connect to servers inside the data center using DNS, the employee’s local internal DNS server will do a split brain and have conditional forwarding set up to direct the request to the zone. This will keep requests on the private MPLS network (Schauland, D. 2009). The internal DNS servers are the only servers that will be able to send replication information
Active Directory Forward Zone mediariver.priv

Name                      Type                       Data                           Timestamp
(same as parent folder)   Start of Authority (SOA)   [86676] ns1.mediariver.priv
(same as parent folder)   Name Server (NS)           ns1.mediariver.priv            static
(same as parent folder)   Name Server (NS)           ns2.mediariver.priv            Static
Primaryfirewall           Host (A)                   1'#''111                       static
Standbyfirewall           Host (A)                   1'#''1#1                       static
MainFirewall              Host (A)                   1'#''11'                       static
ns1                       Host (A)                   1'#''1##'                      static
ns2                       Host (A)                   1'#''1#-'                      static
primloadbalancer          Host (A)                   1'#''11'                       static
secloadbalancer           Host (A)                   1'#''1#'                       static
mysql1                    Host (A)                   1'#''1-#'                      static
mysql2                    Host (A)                   1'#''1-#1                      static
mysql3                    Host (A)                   1'#''1-##                      static
web1                      Host (A)                   1'#''1##'
web2                      Host (A)                   1'#''1##1
web3                      Host (A)                   1'#''1###
accessswitch01            Host (A)                   1'1''1''1'
accessswitch02            Host (A)                   1'1''1''11
accessswitch03            Host (A)                   1'1''1''#'
accessswitch0             Host (A)                   1'1''1''#1
Coreswitch01              Host (A)                   1'1''1''1
Coreswitch02              Host (A)                   1'1''1''#
cerouter01                Host (A)                   1'#''1-'
cerouter02                Host (A)                   1'#''1'
fiberswitch               Host (A)                   1'#''1--'
These addresses will not be published to the outside world but only shared with internal employees who must manage the infrastructure. The other users who go to mediariver.com will use external DNS servers hosted by the registrar.