Unit 4


UNIT IV

Cloud Security
Cloud Security Concepts
• Securing the Cloud: Cloud Information security
fundamentals, Cloud security services, Design principles,
Policy Implementation
• Cloud Computing Security Challenges, Cloud Computing
Security Architecture.
• Legal issues in cloud Computing.
• Data Security in Cloud: Business Continuity and Disaster
Recovery, Risk Mitigation.
• Understanding and Identification of Threats in Cloud
• SLA-Service Level Agreements, Trust Management
What is cloud security?
• Cloud security is the set of control-based security measures and
technology protection, designed to protect online stored resources
from leakage, theft, and data loss.
• Protection covers data, cloud infrastructure, and applications
against threats. Security applications are delivered as software, the
same as in the SaaS (Software as a Service) model.
• Cloud security refers to protecting data stored online via cloud
computing environments (instead of data centers) from theft,
deletion, and leakage.
• There are many protective methods that help secure the cloud.
• These measures include access control, firewalls, penetration testing,
obfuscation, tokenization, virtual private networks (VPN), and not
using public internet connections.
Benefits of Cloud Security System
Cloud-based security systems benefit the business by:
• Protecting the Business from Dangers
• Protect against internal threats
• Preventing data loss
• Top threats to the system include Malware, Ransomware, and
• Break the Malware and Ransomware attacks
• Malware poses a severe threat to the businesses.
• Authentication Attacks
  • Brute Force Attacks
  • Dictionary Attacks
  • Credential Stuffing Attacks
• Attack Model for XML Signature
Fundamentals of Cloud Security
• 1. Understand what you’re responsible for – different cloud services
require varying levels of responsibility.
• For instance, while software-as-a-service (SaaS) providers ensure that
applications are protected and that data security is guaranteed,
IaaS environments may not have the same controls. To ensure
security, cloud customers need to double check with their IaaS
providers to understand who’s in charge of each security control.
• 2. Control user access – a huge challenge for enterprises has been
controlling who has access to their cloud services. Too often,
organizations accidentally expose their cloud storage service publicly
despite warnings from cloud providers to avoid allowing storage drive
contents to be accessible to anyone with an internet connection.
• CSO advises that only load balancers and bastion hosts should be
exposed to the internet. Further, do not allow Secure Shell (SSH)
connections directly from the internet as this will allow anyone who
finds the server location to bypass the firewall and directly access the
data.
• Instead, use your cloud provider’s identity and access control tools
while also knowing who has access to what data and when. Identity
and access control policies should grant the minimum set of privileges
needed and only grant other permissions as needed. Configure
security groups to have the narrowest focus possible and where
possible, use reference security group IDs. Finally, consider tools that
let you set access controls based on user activity data.
• 3. Data protection – data stored on cloud infrastructures should
never be unencrypted. Therefore, maintain control of encryption keys
where possible. Even though you can hand the keys over to cloud
service providers, it is still your responsibility to protect your data. By
encrypting your data, you ensure that if a security configuration fails
and exposes your data to an unauthorized party, it cannot be used.
• 4. Secure credentials – AWS access keys can be exposed on public
websites, source code repositories, unprotected Kubernetes
dashboards, and other such platforms.
• Therefore, you should create and regularly rotate keys for each
external service while also restricting access on the basis of IAM roles.
Never use root user accounts – these accounts should only be used
for specific account and service management tasks. Further, disable
any user accounts that aren’t being used to further limit potential
paths that hackers can compromise.
• 5. Implement MFA – your security controls should be so rigorous that
if one control fails, other features keep the application, network, and
data in the cloud safe. By tying MFA (multi-factor authentication) to
usernames and passwords, attackers have an even harder time
breaking in. Use MFA to limit access to management consoles,
dashboards, and privileged accounts.
• 6. Increase visibility – to see issues like unauthorized access
attempts, turn on security logging and monitoring once your cloud
has been set up.
• Major cloud providers supply some level of logging tools that can be
used for change tracking, resource management, security analysis, and
compliance audits.
• 7. Adopt a shift-left approach – with a shift-left approach, security
considerations are incorporated early into the development process
rather than at the final stage. Before an IaaS platform goes live,
enterprises need to check all the code going into the platform while
also auditing and catching potential misconfigurations before they
happen.
• One tip – automate the auditing and correction process by choosing
security solutions that integrate with Jenkins, Kubernetes, and others.
Just remember to check that workloads are compliant before they’re
put into production. Continuously monitoring your cloud
environment is key here.
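A check for point 2 above (no SSH from the internet, only load balancers and bastion hosts exposed), added here as an example and not taken from the original slides. It audits data in the shape returned by `aws ec2 describe-security-groups`; the sample groups, their IDs and names, and the `EDGE_GROUPS` allowlist are constructed assumptions.

```python
import ipaddress

# Constructed sample in the shape returned by `aws ec2 describe-security-groups`.
# IDs, names and the EDGE_GROUPS allowlist are assumptions made for this example.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "public-alb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0bbb", "GroupName": "app-servers", "IpPermissions": [
        # Ingress granted by referencing another group's ID: narrow, not flagged
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "UserIdGroupPairs": [{"GroupId": "sg-0aaa"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0ccc", "GroupName": "database", "IpPermissions": [
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]
EDGE_GROUPS = {"public-alb", "bastion"}  # groups expected to face the internet

def is_world(cidr):
    """True when the CIDR covers the whole IPv4 or IPv6 address space."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def covers_ssh(perm):
    """IpProtocol "-1" means every protocol and port; otherwise test TCP/22."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    return proto == "tcp" and perm.get("FromPort", 0) <= 22 <= perm.get("ToPort", 65535)

def audit(groups, edge_groups=EDGE_GROUPS):
    """Return (group_id, finding) pairs for rules open to the whole internet."""
    findings = []
    def add(item):
        if item not in findings:
            findings.append(item)
    for group in groups:
        for perm in group.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if not any(is_world(c) for c in cidrs):
                continue
            if covers_ssh(perm):
                add((group["GroupId"], "ssh-open-to-internet"))
            if group["GroupName"] not in edge_groups:
                add((group["GroupId"], "internet-exposed-non-edge-group"))
    return findings
```

An SSH rule open to the world is reported even on a group in `EDGE_GROUPS`, since the slide's advice is to refuse SSH from the internet outright.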
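A check for points 4 and 5 above (rotate keys, keep root keyless, disable unused accounts, require MFA), added here as an example and not taken from the original slides. It reads a constructed sample that uses a subset of the columns of the AWS IAM credential report; the user names and the 90-day thresholds are assumptions.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample: a subset of the AWS IAM credential report columns.
REPORT = """user,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
<root_account>,not_supported,2024-05-20T08:00:00+00:00,false,true,2021-01-10T00:00:00+00:00,2024-05-01T00:00:00+00:00
alice,true,2024-05-30T09:00:00+00:00,true,true,2024-04-15T00:00:00+00:00,2024-05-29T00:00:00+00:00
bob,true,2023-09-01T12:00:00+00:00,false,true,2023-02-01T00:00:00+00:00,2023-09-01T00:00:00+00:00
ci-deploy,false,N/A,false,true,2024-05-01T00:00:00+00:00,2024-05-31T00:00:00+00:00
"""

def age_days(stamp, now):
    """Days since an ISO-8601 timestamp, or None for values such as N/A."""
    try:
        return (now - datetime.fromisoformat(stamp)).days
    except ValueError:
        return None

def audit(report_csv, now, max_key_age=90, max_idle=90):
    """Return (user, finding) pairs; both thresholds are assumed values."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        key_active = row["access_key_1_active"] == "true"
        if is_root and key_active:
            findings.append((user, "root-access-key-present"))
        # MFA matters for anything that can sign in to the console
        console = is_root or row["password_enabled"] == "true"
        if console and row["mfa_active"] != "true":
            findings.append((user, "no-mfa"))
        rotated = age_days(row["access_key_1_last_rotated"], now)
        if key_active and rotated is not None and rotated > max_key_age:
            findings.append((user, "key-not-rotated"))
        # Unused: the most recent recorded activity is older than max_idle
        last_seen = [age_days(row[col], now)
                     for col in ("password_last_used", "access_key_1_last_used_date")]
        last_seen = [d for d in last_seen if d is not None]
        if not is_root and last_seen and min(last_seen) > max_idle:
            findings.append((user, "unused-account"))
    return findings
```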
What Are Cloud Security Services?
• Cloud security services are a set of services designed to mitigate risk
and improve compliance of cloud environments.
• Since these environments can be quite complex, involving a wide
range of technologies and processes and, at the same time, exposed
to a variety of threats, they can’t be protected by a one-size-fits-all
solution. Rather, most of these services tackle specific areas. We’ll
elaborate on that in a moment.
• Technically speaking, these services are actually managed cloud-
security services, meaning, they’re managed and operated by third
parties.
• Offloading security operations to a third party has several benefits,
including:
1. Threats can be monitored, detected, and responded to by experts
who actually know what to do. This ensures threats are dealt with
properly and completely.
2. Managed cloud security services providers are usually also trained
to help organizations achieve regulatory compliance—an area that’s
normally also outside of an organization’s expertise.
3. Your IT staff no longer have to handle cyber incidents and can focus
instead on supporting your core business operations.
What Are Some Types of Cloud Security Services?
• Cloud environments can be quite complex, consisting of a mishmash
of technologies and processes.
• At the same time, they’re exposed to a wide range of threats. Hence,
you normally don’t find a one-size-fits-all cloud security service.
• Rather, most of these services tackle specific areas. Some of the most
common types of cloud security services include:
1. Data loss prevention (DLP),
2. Identity and access management (IAM),
3. Email security,
4. Web security, and
5. Intrusion detection.
Data Loss Prevention
• With so much data being uploaded to and generated by cloud
services, and with so many applications and devices accessing that
data, the chance of data loss is enormous.
• DLP services are built to detect the presence of sensitive data—credit
card data, electronic Protected Health Information (ePHI), social
security numbers, etc.—and prevent them from falling into the wrong
hands.
Identity and Access Management
• IAM services ensure that users adhere to the principle of least
privilege, meaning they restrict users to accessing only the cloud
resources and performing only the actions that are permissible for
their designated role or function.
• For instance, an ordinary user shouldn’t be able to create instances or
delete snapshots.
• An IAM service can enforce that policy. By using an IAM service,
administrators can create permission policies and then associate
them with a user or group of users.
Email Security
• As the weakest link in the security chain, users are often the targets in
cyberattacks.
• And because practically all users use email, many of these attacks—
such as phishing and Trojans—are carried out through that medium.
• Some of these attacks may compromise your cloud environment.
• For instance, a spear phishing attack may be aimed at acquiring cloud
administrator credentials.
• One way to mitigate these threats is by employing a capable email
security service that can detect phishing emails and malicious
attachments.
Web Security
• Increased usage of cloud services is an added burden to IT
administrators, who now have to deal with a much larger attack
surface.
• Users access cloud services from different locations—in their
headquarters, at home, in branch offices, or just about anywhere.
• Web security solutions, which sit between users (regardless of
location) and the internet in typical scenarios, provide administrators
the means to secure these connections and protect them against
cyber threats.
Intrusion Detection
• Intrusion-detection solutions monitor inbound and outbound traffic
for suspicious activities and detect potential threats.
• Usually, detection is done through pattern recognition mechanisms
that identify specific signatures and behaviors.
• Traditional intrusion detection is usually applied to the network layer.
However, we’re now seeing more solutions applying this kind of
protection to the host layer (i.e., to the virtual machines themselves).
• By detecting threats before they can exploit vulnerabilities,
businesses can prevent threat actors from establishing a beachhead
in the targeted system.
Principles of Cloud Security
• Implement a strong identity foundation.
• Enable traceability
• Apply security at all layers
• Automate security best practices
• Protect data in transit and at rest
• Keep people away from data
• Prepare for security events
Advanced Cloud Security Challenges
• Security becomes more challenging when adopting modern cloud
approaches like:
• Automated cloud integration (CI),
• Continuous deployment (CD) methods (CI/CD),
• Distributed serverless architecture,
• Short-term assets for tasks such as a service and container.
Many Risks Faced by Today's Cloud-Oriented Organizations
1. Enlarged Surface
• Public cloud environments have become a large and highly attractive attack
surface for hackers, who disrupt workloads and data in the cloud. Malware,
zero-day exploits, account takeover and many other malicious threats become
more dangerous day by day.
2. Lack of visibility and tracking
• Cloud providers have complete control over the infrastructure layer and do not
expose it to their customers in the IaaS model. The lack of visibility and control is
even greater in the SaaS cloud models. Cloud customers are often unable to
identify their cloud assets or visualize their cloud environments effectively.
3. Ever-changing workload
• Cloud assets are provisioned and decommissioned dynamically, at scale and
velocity. Traditional security tools have difficulty implementing protection
policies in such a flexible and dynamic environment, with its ever-changing and
short-term workloads.
4. DevOps, DevSecOps and Automation
• Organizations are adopting an automated DevOps CI/CD culture that
ensures the appropriate security controls are identified and
embedded in the development cycle in code and templates. Security-
related changes implemented after the workload is deployed to
production can weaken the organization's security posture and
lengthen the time to market.
5. Granular privileges and key management
• At the application level, improperly configured keys and privileges expose
sessions to security risks. Often cloud user roles are loosely configured,
providing broad privileges beyond the requirement. An example is
allowing untrained users, or users with no business need to delete or
add database assets, to delete or write databases.
6. Complex environment
• Managing persistent security in hybrid and multi-cloud environments
these days requires methods and tools that work seamlessly across
public cloud providers, private cloud providers, and on-premises
deployments, including branch office edge security for geographically
distributed organizations.
7. Cloud Compliance and Governance
• All the leading cloud providers have aligned themselves with well-known
programs such as PCI 3.2, NIST 800-53, HIPAA and GDPR.
• Given the poor visibility and dynamics of cloud environments, the
compliance audit process becomes close to mission impossible unless
tools are used to run compliance checks and issue real-time
alerts.
Cloud Computing Security Architecture

• Select which resources need to move to the cloud and analyze their
sensitivity to risk.
• Consider cloud service models such as IaaS, PaaS,and These models
require the customer to be responsible for Security at different service
levels.
• Consider the cloud type, such as public, private, community, or
• Understand the cloud service provider's system regarding data storage and
its transfer into and out of the cloud.
• The risk in cloud deployment mainly depends upon the service models and
cloud types.
Main Cloud Security Issues and Threats
1. Misconfiguration
2. Unauthorized Access
3. Insecure Interfaces/APIs
4. Hijacking of Accounts
5. Lack of Visibility
6. External Sharing of Data
7. Malicious Insiders
8. Cyberattacks
9. Denial of Service Attacks
10. Data Loss/Leakage
11. Data Privacy/Confidentiality
12. Accidental Exposure of Credentials
13. Incident Response
14. Legal and Regulatory Compliance
15. Data Sovereignty/Residence/Control
16. Protecting the Cloud
Service level agreements in Cloud Computing
• A Service Level Agreement (SLA) is the bond for performance
negotiated between a cloud service provider and a client.
• Earlier, in cloud computing, all service level agreements were
negotiated between a customer and a service consumer.
• Particular aspects of the service, such as quality, availability, and
responsibilities, are agreed upon between the service provider and
the service user.
• It defines:
• The metrics used to measure the level of service provided.
• Remedies or penalties resulting from failure to meet the promised
service level expectations
Service level agreements usually specify certain parameters, which are
mentioned below:
• Availability of the Service (uptime)
• Latency or the response time
• Service components reliability
• Each party's accountability
• Warranties
Types of SLA
• The selection of the types of SLA in an organization depends on many
significant aspects.
Components of SLA
• Document overview
• Strategic goals
• Description of services
• Exclusions
• Service performance
• Redressing
• Stakeholders
• Security
• Risk management and disaster recovery
• Service tracking and reporting
• Periodic review and change processes
• Termination process
Common Metrics of SLA
• Abandonment Rate: Percentage of calls abandoned while waiting to be answered.
• ASA (Average Speed to Answer): Average time it takes for a call to be answered by the
service desk.
• Resolution time: The time it takes for an issue to be resolved once logged by the service
provider.
• Error rate: The percentage of errors in a service, such as coding errors and missed
deadlines.
• TSF (Time Service Factor): Percentage of calls answered within a definite timeframe.
• FCR (First-Call Resolution): A metric that measures a contact center's ability for its agents to
resolve a customer's inquiry or problem on the first call or contact.
• TAT (Turn-Around-Time): Time taken to complete a particular task.
• TRT (Total Resolution Time): Total time taken to complete a particular task.
• MTTR (Mean Time To Recover): Time taken to recover after an outage of service.
• Security: The number of undisclosed vulnerabilities, for example. If an incident occurs,
service providers should demonstrate that they've taken preventive measures.
Risk in Cloud Computing