Module 1 - Week 1 and 2

This document provides an introduction to cloud and data center security. It discusses the basics of data centers, including the infrastructure components of networks, storage, and computing resources. It also covers physical security aspects of data centers like perimeter security, facility controls, computer room controls and cabinet controls. Different tiers of data center design are described based on redundancy and fault tolerance levels. The objectives of the module are also listed, which are to understand data center and cloud infrastructure, security controls, and guidelines from the Cloud Security Alliance.

Cloud and Data Center Security

CP2422 – James Cook University Singapore

CP2422 - James Cook University Singapore 1


Module 1: Week 1 and 2
Introduction: Design security architectures that assure secure isolation of physical and logical infrastructures including compute, network and storage, comprehensive data protection at all layers, and end-to-end identity and access management.

• Introduction to the Data center, Cloud and Security Basics
• Cloud Security Alliance Guidance
• Introduction to Cloud Security Architecture Principles
• Intro to IaaS, SaaS, PaaS Security Controls
• Introduction to Virtualization Security, Container Security Controls and Architecture
• Converged Infrastructure


Learning Objectives
After completing this module, you should be able to:
• Understand Data Center and Cloud Computing infrastructure
• Define different types of cloud computing models
• Review the guidelines from the Cloud Security Alliance
• Understand Data center and Cloud Security controls


Week 1: Introduction to the Cloud and Data center Security


Data Center
(Image labels: Racks of servers, Storage arrays, Large server and storage farms, Cooling infrastructure, Power converters, Backup generators)

This facility stores and manages business-critical data and applications, so data center security is critical in data center design.

Together, they provide:

Network infrastructure. This connects servers (physical and virtualized), data center services, storage, and external connectivity to end-user locations.

Storage infrastructure. Data is the fuel of the modern data center. Storage systems are used to hold this valuable commodity.

Computing resources. Applications are the engines of a data center. These servers provide the processing, memory, local storage, and network connectivity that drive applications.


Data Center
• In the traditional computing model, infrastructure is thought of as hardware.
• Hardware solutions are physical, which means they require space, staff, physical security, planning, and capital expenditure.
• They have a long hardware procurement cycle.
• They require you to provision capacity by guessing theoretical maximum peaks.


Data Center – Physical Aspects
• Utilities: cooling, power supply, backup power, etc.
• Physical constraints: barriers, checkpoints, floor plan, etc.
• Sensors: cameras, climate control, etc.


Data Center – Physical Aspects (cont'd)

(Diagram: four layers of physical security, from outermost to innermost: Perimeter Security, Facility Controls, Computer Room Controls, Cabinet Controls.)

Perimeter security:
• The first layer of data center security is to discourage, detect, and delay any unauthorized entry of personnel at the perimeter.
• This can be achieved through a high-resolution video surveillance system, motion-activated security lighting, fiber-optic cable, etc.
• Video content analytics (VCA) can detect individuals and objects and check for any illegal activity, track movements of people, and avoid false alarms.

Facility controls:
• In case of any breach in the perimeter monitoring, the second layer of defense restricts access. It is an access control system using card swipes or biometrics.
• High-resolution video surveillance and analytics can identify the person entering and prevent tailgating.
• More complex VCA can read license plates, conduct facial recognition, and detect smoke and fire threats.


Data Center – Physical Aspects (cont'd)

Computer room controls:
• The third layer of physical security further restricts access through diverse verification methods, including: monitoring all restricted areas, deploying entry restrictions such as turnstiles, providing VCA, providing biometric access control devices to verify finger and thumb prints, irises, or vascular patterns, and using radio frequency identification.

Cabinet controls:
• The first three layers ensure entry of only authorized personnel. However, further security to restrict access includes cabinet locking mechanisms.
• This layer addresses the fear of an "insider threat," such as a malicious employee.
• After implementing the first three layers well, cabinets housing the racks inside the computer room also need to be protected to avoid any costly data breach.


Data Center – Google Data center tour



Data Center - Tiers
The most widely adopted standard for data center design and data center infrastructure is ANSI/TIA-942. It includes standards for ANSI/TIA-942-ready certification, which ensures compliance with one of four categories of data center tiers rated for levels of redundancy and fault tolerance.

Tier 1: Basic site infrastructure. A Tier 1 data center offers limited protection against physical events. It has single-capacity components and a single, nonredundant distribution path. Tier 1 data centers are generally utilized by small businesses and feature:
• 99.671% uptime
• No redundancy
• 28.8 hours of downtime per year

Tier 2: Redundant-capacity component site infrastructure. This data center offers improved protection against physical events. It has redundant-capacity components and a single, nonredundant distribution path. The benefits of a Tier 2 facility include:
• 99.749% uptime
• Partial redundancy in power and cooling
• 22 hours of downtime per year

Data Center - Tiers (cont'd)
Tier 3: Concurrently maintainable site infrastructure. This data center protects against virtually all physical events, providing redundant-capacity components and multiple independent distribution paths. Each component can be removed or replaced without disrupting services to end users. Tier 3 data center specifications are utilized by larger businesses and feature:
• 99.982% uptime
• No more than 1.6 hours of downtime per year
• N+1 fault tolerance providing at least 72-hour power outage protection

Tier 4: Fault-tolerant site infrastructure. This data center provides the highest levels of fault tolerance and redundancy. Redundant-capacity components and multiple independent distribution paths enable concurrent maintainability and tolerate one fault anywhere in the installation without causing downtime. Tier 4 data center certification typically serves enterprise corporations and provides the following:
• 99.995% uptime per year
• 2N+1 fully redundant infrastructure (the main difference between Tier 3 and Tier 4 data centers)
• 96-hour power outage protection
• 26.3 minutes of annual downtime
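The uptime percentages above translate directly into annual downtime, and the redundancy terms (single path, N+1, 2N) can be modelled with standard availability arithmetic. The following is an added example, not part of the lecture material: it reproduces the tier figures quoted above and goes one step further by showing how serial dependencies and k-of-n redundant units change availability. The component availability values and the serial chain are constructed for illustration.

```python
"""Availability arithmetic for the ANSI/TIA-942 tiers quoted in this module.

Added example, not lecture material.  The tier uptime percentages are the
ones given above; the serial / k-of-n redundancy model is a standard
reliability calculation used here to illustrate why the tiers differ.
"""
from math import comb

HOURS_PER_YEAR = 365 * 24  # 8760 hours, non-leap year

# Tier uptime percentages exactly as quoted in the lecture.
TIER_UPTIME_PCT = {1: 99.671, 2: 99.749, 3: 99.982, 4: 99.995}


def annual_downtime_hours(uptime_pct: float) -> float:
    """Expected hours per year a site is down at the given uptime percentage."""
    return (100.0 - uptime_pct) / 100.0 * HOURS_PER_YEAR


def annual_downtime_minutes(uptime_pct: float) -> float:
    """Same as annual_downtime_hours, in minutes (useful for Tier 4)."""
    return annual_downtime_hours(uptime_pct) * 60.0


def series_availability(availabilities) -> float:
    """Availability of a chain in which every element must be up at once,
    e.g. power -> cooling -> network on a single, nonredundant distribution path.
    Availabilities multiply, so a single path is only as good as its weakest link.
    """
    total = 1.0
    for a in availabilities:
        total *= a
    return total


def k_of_n_availability(unit_availability: float, k: int, n: int) -> float:
    """Availability of n identical, independent units of which at least k must be up.
    N+1 redundancy is k=N, n=N+1; 2N redundancy is k=N, n=2N.
    Computed as the binomial probability that k..n units are up simultaneously.
    """
    a = unit_availability
    return sum(comb(n, i) * a**i * (1 - a) ** (n - i) for i in range(k, n + 1))


def tier_table():
    """Return {tier: (uptime %, downtime hours per year rounded to 0.1)}."""
    return {t: (u, round(annual_downtime_hours(u), 1)) for t, u in TIER_UPTIME_PCT.items()}


if __name__ == "__main__":
    for tier, (uptime, down) in tier_table().items():
        print(f"Tier {tier}: {uptime}% uptime -> {down} h/year downtime")
    # Constructed comparison: three 99.9% components on one path versus the
    # same three components each deployed N+1 (2 units, 1 needed).
    single_path = series_availability([0.999, 0.999, 0.999])
    n_plus_1 = series_availability([k_of_n_availability(0.999, 1, 2)] * 3)
    print(f"single path: {single_path:.5%}   N+1 per component: {n_plus_1:.7%}")
```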


Data Center - Types
Enterprise data centers
These are built, owned, and operated by companies and are optimized for their end users. Most of them are housed on corporate campuses.

Managed services data centers
These data centers are managed by a third party (or a managed services provider) on behalf of a company. The company leases the equipment and infrastructure instead of buying it.

Colocation data centers
In colocation data centers, also called colos, a company rents space within a data center owned by others and located off company premises. The colocation data center hosts the infrastructure: building, cooling, bandwidth, security, etc., while the company provides and manages the components, including servers, storage, and firewalls.

Cloud data centers
In this off-premises form of data center, data and applications are hosted by a cloud services provider such as Amazon Web Services (AWS), Microsoft Azure, IBM Cloud, or another public cloud provider.
Data Center – Security Overview
Why do we need to secure the data center?
• Losing data and applications can impact the organization's ability to conduct business.
• As applications become more complex, there are more chances for inconsistent installations.
• The large volume of information and the criticality of the services housed in a data center make it a likely target.
• Denial of Service, theft of confidential information, data alteration, and data loss are some of the common security problems afflicting data center environments.
• Hackers use the openness of the internet to communicate and develop automated tools that facilitate the identification and exploitation of those vulnerabilities.
• Many attack tools are widely available on the internet and are designed to execute highly sophisticated attacks using simple user interfaces.


Data Center - Threat landscape and motivation

(Diagram: pyramid of threat actors. Vertical axis: skill level, increasing from L1 at the base to L5 at the apex. Horizontal axis: probability to encounter, widest at the base.)
• L1: Viruses, Worms, Trojans, etc.
• L2: Hackers
• L3: Organized Crime
• L4: Industrial Espionage
• L5: National Actors
Data Center – Security Concerns
Confidentiality:
– Customer's code or data leaking

Integrity:
– Modification of software or data running in the data center
– Software or data changed in transit (e.g. over the network)

Availability:
– Support infrastructure (backup, electricity, etc.)
– Customer's access to their software or data


Data Center - Vulnerabilities & Common Attacks
The following terms are important to define in the context of security:

Threat – An event that poses some harm to the data center or its resources.

Vulnerability – A deficiency in a system or resource whose exploitation leads to the materialization of a threat.

Attack – The actual exploitation of a vulnerability to make a threat reality.
Data Center - Vulnerabilities & Common Attacks (cont'd)
Most vulnerabilities found today originate in at least one of the following areas:
• Implementation – Software and protocol flaws, incorrect or faulty software design, incomplete testing, etc.
• Configuration – Elements not properly configured, use of defaults, and so on.
• Design – Ineffective or inadequate security design, lack of or inappropriate implementation of redundancy mechanisms, etc.

Common attacks:
• Exploitation of out-of-date software
• Exploitation of software defaults (default admin credentials)
• Unauthorized access
• Eavesdropping
• Viruses & worms
• Internet infrastructure attacks
• Trust exploitation
• Session hijacking
• Buffer overflow attacks


Data Center Compliance
System and Organization Controls (SOC) reports are issued to validate the internal controls of service organizations.

SOC reports focus on five areas:
• Privacy: access control, MFA, encryption
• Security: firewall, intrusion detection, MFA
• Availability: performance monitoring, disaster recovery, incident handling
• Processing integrity: quality assurance, process monitoring
• Confidentiality: encryption, access controls, firewall
Data Center Compliance [cont'd]
Who needs a SOC audit:
• Are you providing a service for clients? - Data centers, SaaS organizations, claims processing centers, etc.
• Are your existing clients asking for a SOC report? - Client auditors may request to see what controls are in place at the service provider (outside the client's own firm), and that these controls have been tested and approved.

There are 3 types of SOC reports:

SOC 1: It is primarily used to validate controls over the completeness and accuracy of monetary transactions and financial statement reporting. Service organizations specify their own control objectives and control activities. It is intended for CPAs who audit the firms.

SOC 2: It is designed to certify the security, processing integrity, availability, confidentiality, and/or privacy of hosted systems and the data they store or process.

SOC 3: This report covers the same testing procedures as a SOC 2 report, but it omits the detailed test results and is intended for general public distribution.

Additionally, each of the SOC reports can be produced as either a Type I (point-in-time) or Type II (period of time) report. Type II reports are more valuable, since they validate the operating effectiveness of controls throughout the year.
Data Center - Challenges

Resource management:
• How to efficiently use server and storage resources?
• Many apps have variable, unpredictable workloads
• Want high performance and low cost
• Automated resource management
• Performance profiling and prediction

Energy efficiency:
• Servers consume huge amounts of energy
• Want to be "green"
• Want to save money

Larger data centers can be cheaper to buy and run than smaller ones, and this has helped grow the popularity of cloud computing.
Cloud Computing
Cloud computing is a new operational model and set of technologies for managing shared pools of computing resources.

• "Computing may someday be organized as a public utility" - John McCarthy, MIT Centennial in 1961
• Huge computational and storage capabilities available from utilities
• Metered billing (pay for what you use)
• Simple-to-use interface to access the capability (e.g., plugging into an outlet)


Cloud Security Alliance (CSA)

The Cloud Security Alliance promotes implementing best practices for providing security assurance within the domain of cloud computing and has delivered a practical, actionable roadmap for organizations seeking to adopt the cloud paradigm.


Cloud Security Alliance (CSA) - 14 Domains

Domain 1: Cloud Computing Concept and Architecture. This domain provides the conceptual framework for the rest of the Cloud Security Alliance's guidance. It describes and defines cloud computing, sets our baseline terminology, and details the overall logical and architectural frameworks used in the rest of the document.

Governing in the Cloud

Domain 2: Governance and Enterprise Risk Management. The ability of an organization to govern and measure enterprise risk introduced by cloud computing. Items such as legal precedence for agreement breaches, ability of user organizations to adequately assess risk of a cloud provider, responsibility to protect sensitive data when both user and provider may be at fault, and how international boundaries may affect these issues.

Domain 3: Legal Issues: Contracts and Electronic Discovery. Potential legal issues when using cloud computing. Issues touched on in this section include protection requirements for information and computer systems, security breach disclosure laws, regulatory requirements, privacy requirements, international laws, etc.

Domain 4: Compliance and Audit Management. Maintaining and proving compliance when using cloud computing. Issues dealing with evaluating how cloud computing affects compliance with internal security policies, as well as various compliance requirements (regulatory, legislative, and otherwise) are discussed here. This domain includes some direction on proving compliance during an audit.

Domain 5: Information Governance. Governing data that is placed in the cloud. Items surrounding the identification and control of data in the cloud, as well as compensating controls that can be used to deal with the loss of physical control when moving data to the cloud, are discussed here. Other items, such as who is responsible for data confidentiality, integrity, and availability, are mentioned.


Cloud Security Alliance (CSA) - 14 Domains (cont'd)

Operating in the Cloud

Domain 6: Management Plane and Business Continuity. Securing the management plane and administrative interfaces used when accessing the cloud, including both web consoles and APIs. Ensuring business continuity for cloud deployments.

Domain 7: Infrastructure Security. Core cloud infrastructure security, including networking, workload security, and hybrid cloud considerations. This domain also includes security fundamentals for private clouds.

Domain 8: Virtualization and Containers. Security for hypervisors, containers, and Software Defined Networks.

Domain 9: Incident Response, Notification and Remediation. Proper and adequate incident detection, response, notification, and remediation. This attempts to address items that should be in place at both provider and user levels to enable proper incident handling and forensics. This domain will help you understand the complexities the cloud brings to your current incident-handling program.

Domain 10: Application Security. Securing application software that is running on or being developed in the cloud. This includes items such as whether it's appropriate to migrate or design an application to run in the cloud, and if so, what type of cloud platform is most appropriate (SaaS, PaaS, or IaaS).

Domain 11: Data Security and Encryption. Implementing data security and encryption and ensuring scalable key management.

Domain 12: Identity, Entitlement, and Access Management. Managing identities and leveraging directory services to provide access control. The focus is on issues encountered when extending an organization's identity into the cloud. This section provides insight into assessing an organization's readiness to conduct cloud-based Identity, Entitlement, and Access Management (IdEA).

Domain 13: Security as a Service. Providing third-party-facilitated security assurance, incident management, compliance attestation, and identity and access oversight.

Domain 14: Related Technologies. Established and emerging technologies with a close relationship to cloud computing, including Big Data, Internet of Things, and mobile computing.


Domain 1: Cloud Computing Concepts and Architectures
This domain includes 4 sections:
• Defining cloud computing
• Cloud conceptual, architectural, and reference model
• The cloud logical model
• Cloud security and compliance scope, responsibilities, and models


CSA - Definitional model

CSA - Service Models

CSA - Deployment models


CSA – Logical Model
Infostructure: The data and information. Content in a database, file storage, etc.

Applistructure: The applications deployed in the cloud and the underlying application services used to build them. For example, Platform as a Service features like message queues, artificial intelligence analysis, or notification services.

Metastructure: The protocols and mechanisms that provide the interface between the infrastructure layer and the other layers. The glue that ties the technologies together and enables management and configuration.

Infrastructure: The core components of a computing system: compute, network, and storage. The foundation that everything else is built on. The moving parts.

Different security focuses map to the different logical layers. Application security maps to applistructure, data security to infostructure, and infrastructure security to infrastructure.
CSA - Security scope

(Diagram: security responsibility across service models. Moving from IaaS through PaaS to SaaS, responsibility shifts from mostly the consumer to mostly the provider.)


Shared responsibility model and Security scope

Software as a Service: The cloud provider is responsible for nearly all security, since the cloud consumer can only access and manage their use of the application and can't alter how the application works. For example, a SaaS provider is responsible for perimeter security, logging/monitoring/auditing, and application security, while the consumer may only be able to manage authorization and entitlements.

Platform as a Service: The cloud provider is responsible for the security of the platform, while the consumer is responsible for everything they implement on the platform, including how they configure any offered security features. The responsibilities are thus more evenly split. For example, when using a Database as a Service, the provider manages fundamental security, patching, and core configuration, while the cloud consumer is responsible for everything else, including which security features of the database to use, managing accounts, or even authentication methods.

Infrastructure as a Service: Just like PaaS, the provider is responsible for foundational security, while the cloud consumer is responsible for everything they build on the infrastructure. Unlike PaaS, this places far more responsibility on the client. For example, the IaaS provider will likely monitor their perimeter for attacks, but the consumer is fully responsible for how they define and implement their virtual network security, based on the tools available on the service.
Example : AWS shared responsibility model



Example : Security in the Cloud

Customer responsibilities:

(Diagram layers: Customer data; Applications, IAM; Operating system, network, and firewall configuration; Client-side data encryption and data integrity authentication; Server-side encryption (file system or data); Network traffic protection (encryption, integrity, identity).)

• Amazon Elastic Compute Cloud (Amazon EC2) instance operating system: including patching, maintenance
• Applications: passwords, role-based access, etc.
• Security group configuration
• OS or host-based firewalls, including intrusion detection or prevention systems
• Network configurations
• Account management: login and permission settings for each user


Example : Security of the Cloud
Cloud Service provider responsibilities:
• Physical security of data centers: controlled, need-based access
• Hardware and software infrastructure: storage decommissioning, host operating system (OS) access logging, and auditing
• Network infrastructure: intrusion detection
• Virtualization infrastructure: instance isolation


A Simple Cloud Security Process Model
• Identify necessary security and compliance requirements, and any existing controls.
• Select your cloud provider, service, and deployment models.
• Define the architecture.
• Assess the security controls.
• Identify control gaps.
• Design and implement controls to fill the gaps.
• Manage changes over time.


Cloud Security High level architecture

(Diagram: three approaches side by side, Data Center Centric (Bring your own Stack), Developer Centric, and Fully managed model, drawn over the layers: Security Strategy, Governance, Identity and Access mgmt.; Business continuity; API services; PaaS; IaaS; Automated Operations; Virtualized Infrastructure; and, across the bottom, Security Services: Automation, Firewall API, CA, Logging, Monitoring.)


Cloud Security architecture – design principles
Implement a strong identity foundation: Implement the principle of least privilege and enforce separation of duties with appropriate authorization for each interaction with cloud resources. Centralize identity management and aim to eliminate reliance on long-term static credentials.

Enable traceability: Monitor, alert, and audit actions and changes to your environment in real time. Integrate log and metric collection with systems to automatically investigate and take action.

Security by Design: Security by design involves designing a cloud architecture to implement protections that cannot be bypassed by misconfigured security policies. Apply a defense in depth approach with multiple security controls. Apply it to all layers (for example, edge of network, VPC, load balancing, every instance and compute service, operating system, application, and code).

Automation: Automated software-based security mechanisms improve your ability to securely scale more rapidly and cost-effectively. Create secure architectures, including the implementation of controls that are defined and managed as code in version-controlled templates.

Cloud Security architecture – design principles [cont'd]
Protect data in transit and at rest: Classify your data into sensitivity levels and use mechanisms, such as encryption, tokenization, and access control where appropriate.

Keep people away from data: Use mechanisms and tools to reduce or eliminate the need for direct access or manual processing of data. This reduces the risk of mishandling or modification and human error when handling sensitive data.

Prepare for security events: Prepare for an incident by having incident management and investigation policy and processes that align to your organizational requirements. Run incident response simulations and use tools with automation to increase your speed for detection, investigation, and recovery.

Cloud Compliance: Most organizations are subject to a rapidly expanding regulatory landscape as new laws – such as the GDPR, CCPA, CMMC, and others – are passed and go into effect. With data and processes protected under these laws and hosted on cloud-based infrastructure, organizations need solutions that enable them to effectively manage compliance responsibilities in the cloud.
Week 2: Introduction to the Cloud and Data center Security

CSA - Reference and Architecture Model

Infrastructure as a Service


Infrastructure as a Service - Customer Responsibility
Minimum Security controls: IaaS customers are responsible for securing their data, user access, applications, operating systems, and virtual network traffic.
• Unencrypted data: In hybrid and multi-cloud environments, data moves between on-premises and cloud-based resources, and between different cloud applications. Encryption is essential to protect the data from theft or unauthorized access. An organization can encrypt data on-premises, before it goes to the cloud, or in the cloud. They may use their own encryption keys or IaaS-provider encryption.
• User role-based permissions: It is a best practice to protect access to cloud infrastructure by ensuring that developers and other users have only the permissions they need to do their jobs, and no more. Lock root account credentials that can provide an attacker access to all resources, and deprovision inactive accounts.
• Configuration issues: common errors include:
  • Improperly configured inbound or outbound ports
  • Multi-factor authentication not activated
  • Compromising accounts and authentication bypass
  • Monitoring and audit requirements
  • Regular testing and vulnerability analysis
  • Storage access open to the internet
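The customer-side errors listed above (open inbound ports, MFA not activated, unlocked root credentials and inactive accounts, storage open to the internet) are the kind of checks a posture audit runs continuously. The block below is an added example, not part of the lecture and not any provider's tooling: it evaluates those checks over a small hand-constructed inventory. The inventory shape, its field names, the admin-port set and the inactivity threshold are all assumptions made for illustration.

```python
"""Posture checks for the IaaS customer-side configuration errors listed above.

Added example, not lecture material and not a provider API.  Runs offline
against a constructed inventory dictionary shaped loosely like a cloud
account export; every field name here is an assumption for illustration.
"""
from typing import Dict, List

# Constructed sample inventory (not real infrastructure).
SAMPLE_INVENTORY = {
    "security_groups": [
        {"name": "web-sg", "rules": [
            {"direction": "inbound", "port": 443, "cidr": "0.0.0.0/0"},
            {"direction": "inbound", "port": 22, "cidr": "0.0.0.0/0"},
        ]},
        {"name": "db-sg", "rules": [
            {"direction": "inbound", "port": 3306, "cidr": "10.0.0.0/16"},
            {"direction": "outbound", "port": -1, "cidr": "0.0.0.0/0"},
        ]},
    ],
    "users": [
        {"name": "root", "mfa_enabled": False, "access_keys": 1, "last_login_days": 400},
        {"name": "alice", "mfa_enabled": True, "access_keys": 1, "last_login_days": 2},
        {"name": "bob", "mfa_enabled": False, "access_keys": 0, "last_login_days": 3},
        {"name": "svc-old", "mfa_enabled": False, "access_keys": 2, "last_login_days": 120},
    ],
    "buckets": [
        {"name": "public-assets", "public_read": True, "encrypted": True},
        {"name": "backups", "public_read": True, "encrypted": False},
        {"name": "logs", "public_read": False, "encrypted": True},
    ],
}

ANYWHERE = "0.0.0.0/0"
# Administrative / database ports that should never be reachable from the whole
# internet (assumed list); port -1 stands for "all ports" in this inventory.
ADMIN_PORTS = {22, 3389, 3306, 5432, 1433}
INACTIVE_DAYS = 90  # deprovisioning threshold, an assumption


def check_open_ports(inventory) -> List[str]:
    """Improperly configured inbound ports: admin/database ports open to any source."""
    findings = []
    for sg in inventory["security_groups"]:
        for rule in sg["rules"]:
            if rule["direction"] != "inbound" or rule["cidr"] != ANYWHERE:
                continue
            if rule["port"] == -1 or rule["port"] in ADMIN_PORTS:
                findings.append(f"{sg['name']}: inbound port {rule['port']} open to {ANYWHERE}")
    return findings


def check_mfa(inventory) -> List[str]:
    """Multi-factor authentication not activated on an account."""
    return [f"{u['name']}: MFA not enabled" for u in inventory["users"] if not u["mfa_enabled"]]


def check_root_and_inactive(inventory) -> List[str]:
    """Root credentials that should be locked, and inactive accounts to deprovision."""
    findings = []
    for u in inventory["users"]:
        if u["name"] == "root" and u["access_keys"] > 0:
            findings.append("root: active access keys present; lock root credentials")
        if u["last_login_days"] > INACTIVE_DAYS:
            findings.append(f"{u['name']}: inactive for {u['last_login_days']} days; deprovision")
    return findings


def check_storage(inventory) -> List[str]:
    """Storage access open to the internet, and data left unencrypted at rest."""
    findings = []
    for b in inventory["buckets"]:
        if b["public_read"]:
            findings.append(f"{b['name']}: public read access")
        if not b["encrypted"]:
            findings.append(f"{b['name']}: not encrypted at rest")
    return findings


def audit(inventory) -> Dict[str, List[str]]:
    """Run every check; an empty list for a category means that check passed."""
    return {
        "open_ports": check_open_ports(inventory),
        "mfa": check_mfa(inventory),
        "accounts": check_root_and_inactive(inventory),
        "storage": check_storage(inventory),
    }


if __name__ == "__main__":
    for category, items in audit(SAMPLE_INVENTORY).items():
        print(f"[{category}] {'OK' if not items else ''}")
        for item in items:
            print("  -", item)
```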


Infrastructure as a Service -
Cloud Service Provider Responsibility
Minimum Security controls: IaaS providers are responsible for the controls that protect their underlying servers and data.
• Physical access permissions. An IaaS provider is responsible for implementing secure access controls to the physical facilities, IT systems,
and cloud services.
• Compliance audits. IT managers can request proof of compliance (audits and certifications) with relevant regulations, such as healthcare
information security laws or privacy requirements for consumer financial data.
• Monitoring and logging tools. An IaaS provider may offer tools for monitoring, logging, and managing cloud resources.
• Hardware specifications and maintenance. The hardware that underpins cloud infrastructure services impacts performance of those
services. An IT organization can request the provider's hardware specifications, particularly the security devices such as firewalls, intrusion
detection, and content filtering.



Platform as a Service



Platform as a Service - Customer Responsibility
Minimum Security controls: The PaaS customer is responsible for securing its applications, data, and user access. The PaaS provider secures the operating system and physical infrastructure.
• Use threat modeling. The majority of security flaws are introduced during the early stages of software development. Security-conscious developers can identify and fix potential flaws in the application design by using threat modeling practices and tools. The Open Web Application Security Project (OWASP) provides developers with resources on the most common application vulnerabilities.
• Check for inherited software vulnerabilities. Third-party platforms and libraries often have vulnerabilities. Developers can inherit them if they fail to scan for these potential liabilities.
• Implement role-based access controls. Role-based identity and access management helps to ensure that developers and other users have access to the resources and tools they need, but not to other resources.
• Manage inactive accounts. Unused accounts provide potential footholds for hackers. Deprovision former employee accounts and other inactive accounts. Also, lock root account credentials to prevent unauthorized access to administrative accounts.
• Take advantage of provider resources. Most major PaaS providers offer guidelines and best practices for building on their platforms. Many also provide technical support, testing, integration, and other help for developers.


Platform as a Service -
Cloud Service Provider Responsibility
Minimum Security controls: PaaS providers are responsible for the controls that protect their underlying servers and data.
• Cloud access security broker (CASB). CASBs, also called cloud security gateways (CSGs), provide a variety of security services, such as
monitoring for unauthorized cloud services; enforcing data security policies including data loss prevention (DLP); restricting access to cloud
services based on the user, device, and application; and auditing cloud configurations for compliance and risk.
• Cloud workload protection platforms (CWPP). Unsecured workloads and containers offer cybercriminals a path into the cloud
environment, so cloud workload protection platforms discover and monitor the containers and workload instances. CWPP services also
apply malware protection and simplify security management across multiple PaaS environments.
• Cloud security posture management (CSPM). A security posture manager continuously audits the cloud environment for security and
compliance issues, as well as provides manual or automated remediation. Increasingly, CASBs are adding CSPM functionality.



Software as a Service



Software as a Service - Cloud Service Provider Responsibility
Minimum Security controls: SaaS providers are responsible for the controls that protect their underlying servers and data.
• Apply identity and access management (IAM): The provider should allow creation of low-privilege users, which allows separating privileges
between different users and account types. At least two-factor (2FA) multi-factor authentication should be implemented to minimize the impact
of credential theft.
• Detect rogue services and compromised accounts: Organizations can use tools such as cloud access security brokers (CASB) to audit their
networks for unauthorized cloud services and compromised accounts.
• End-to-end encryption: All user-server interaction is carried out over secure tunnels, which should only terminate within the
provider’s network.
• Enforce data loss prevention (DLP): Unsecured workloads and containers offer cybercriminals a path into the cloud environment, so cloud
workload protection platforms discover and monitor the containers and workload instances. CWPP services also apply malware protection
and simplify security management across multiple PaaS environments.
• Data deletion policy: The data deletion policy is defined in the service level agreement and must specify what would happen to the
customer data once the data retention period ends. In such cases, the data should be deleted programmatically from the provider’s systems.
• Security and compliance regulations: Provide controls and reporting capabilities to ensure compliance with government and industry
regulations.



Cloud Service provider maturity check
Governance and Security responsibility: Governance and security management responsibilities of the customer versus
those of the cloud provider should be clearly articulated.

Disclosure of security policies, compliance and practices: Cloud providers that host regulated data must meet compliance
requirements such as PCI DSS, Sarbanes-Oxley and HIPAA.

Disclosure when mandated: The cloud service provider should disclose relevant data when disclosure is imperative due to
legal or regulatory needs.

Security architecture: The cloud service provider should disclose security architectural details that either help or hinder
security management as per the enterprise standard. For example, the architecture of virtualization that guarantees isolation
between tenants should be disclosed.

Security Automation: The cloud service provider should support security automation that supports export and import of
security event logs, change management logs, user privileges, firewall policies etc. Provide continuous security monitoring
including support for emerging standards such as Cloud Audit.



Cloud Security Alliance (CSA) Domain 8: Virtualization and Containers
This domain includes 4 sections:
• Compute
• Network
• Storage
• Containers



Virtualization

A virtual computer system is known as a “virtual machine” (VM): a tightly isolated software
container with an operating system and application inside. Each self-contained VM is completely
independent. Putting multiple VMs on a single computer enables several operating systems and
applications to run on just one physical server, or “host.”

A thin layer of software called a “hypervisor” decouples the virtual machines from the host and
dynamically allocates computing resources to each virtual machine as needed.

The resulting benefits include economies of scale and greater efficiency.
Virtualization – key characteristics

VMs have the following characteristics, which offer several benefits.

Partitioning: Run multiple operating systems on one physical machine. Divide system resources
between virtual machines.

Isolation: Provide fault and security isolation at the hardware level. Preserve performance with
advanced resource controls.

Encapsulation: Save the entire state of a virtual machine to files. Move and copy virtual machines
as easily as moving and copying files.

Hardware Independence: Provision or migrate any virtual machine to any physical server.



Virtualization and Cloud Computing
Virtualization and cloud computing are not interchangeable.

Virtualization is software that makes computing environments independent of physical
infrastructure, while cloud computing is a service that delivers shared computing resources
(software and/or data) on demand via the Internet. As complementary solutions,
organizations can begin by virtualizing their servers and then moving to cloud computing for
even greater agility and self-service.

Cloud computing is fundamentally based on pooling resources, and virtualization is the
technology used to convert fixed infrastructure into these pooled resources.

Virtualization provides the abstraction needed for resource pools, which are then managed
using orchestration.

Without virtualization, there is no cloud.



Virtualization – Security controls
Virtualization security in cloud computing still follows the shared responsibility model.
The cloud provider will always be responsible for securing the physical infrastructure and the
virtualization platform itself.
Meanwhile, the cloud customer is responsible for properly implementing the available virtualized
security controls and understanding the underlying risks, based on what is implemented and managed
by the cloud provider.
Examples of customer decisions include when to encrypt virtualized storage, how to properly configure
the virtual network and firewalls, and when to use dedicated hosting vs. a shared host.



Compute – Security controls
Two important layers for security controls:
• Security of the virtualization technology, the hypervisor itself:
  • The hypervisor is primarily the management interface to the hardware primitives. Isolation of CPU, memory, and I/O is done
  at a hardware level, with the hypervisor managing how much of the hardware resources a virtual machine can use.
  • This part of the hypervisor is called the virtual machine monitor (VMM). With the ability to leverage the CPU's hardware
  virtualization extensions, the attack surface of the hypervisor shrinks considerably.
  • From a security standpoint, a primary concern is that of a virtual machine running in a highly privileged mode that enables it
  to compromise another virtual machine or the VMM itself. However, Intel VT-x and AMD-V extensions don’t enable virtual machines
  to run at “Ring 0.” Only the VMM runs at a hardware privilege level; guest OSs run at a virtualized privilege level. The guest OS does
  not detect that it is running at a non-privileged virtualized level.

• Security controls for the virtual assets:
  • Different instances running on the same physical machine are isolated from each other via the hypervisor. The firewall resides within
  the hypervisor layer, between the physical network interface and the instance's virtual interface. All packets must pass through this
  layer; thus, an instance’s neighbors have no more access to that instance than any other host on the Internet and can be treated as if
  they are on separate physical hosts.
  • Customer instances have no access to raw disk devices, but instead are presented with virtualized disks. In addition, memory
  allocated to guests is scrubbed (set to zero) by the hypervisor when it is unallocated from a guest. The memory is not returned to the
  pool of free memory available for new allocations until the memory scrubbing is complete.



Compute – Security controls (diagram)

Customer 1, Customer 2, Customer 3 … Customer N instances run on top of the hypervisor. Each instance's virtual
interface is attached to its own security group (Customer 1 Security Group, Customer 2 Security Group,
Customer 3 Security Group … Customer N Security Group). The firewall sits in the hypervisor layer between the
virtual interfaces and the physical interfaces.



Compute – Security controls

Cloud Provider Responsibility
Isolation ensures that compute processes or memory in one virtual machine/container should not be visible to
another. It is how we separate different tenants, even when they are running processes on the same physical
hardware.
The cloud provider is also responsible for securing the underlying infrastructure and the virtualization technology
from external attack or internal misuse. This means using patched and up-to-date hypervisors that are properly
configured and supported with processes to keep them up to date and secure over time.
This ensures that tenants cannot launch machines based on images that they shouldn't have access to, such as those
belonging to another tenant, and that a running virtual machine (or other process) is the one the customer expects
to be running.
In addition, cloud providers should assure customers that volatile memory is safe from unapproved monitoring, since
important data could be exposed if another tenant, a malicious employee, or even an attacker is able to access
running memory.

Cloud Customer Responsibility
Security settings, such as identity management, to the virtual resources. This is not the identity management
within the resource, such as the operating system login credentials, but the identity management of who can access
the cloud management of the resource, for example, stopping or changing the configuration of a virtual machine.
Use of dedicated hosting, if available, based on the security context of the resource. In some situations, the
assets run on hardware dedicated only to the customer (at higher cost), even on a multi-tenant cloud. This may help
meet compliance requirements or satisfy security needs in special cases where sharing hardware with another tenant
is considered a risk.
Monitoring and logging, including how to handle system logs from the virtual machine. This can include the status
of a virtual machine, management events, performance, etc.
The customer is also responsible for security controls within the virtualized resource. This includes all the
standard security for the workload, be it a virtual machine, container, or application code.
Network – Security controls
All clouds utilize some form of virtual networking to abstract the physical network and create a network
resource pool. There are multiple kinds of virtual networks, from basic Virtual Local Area Networks (VLANs)
to full Software Defined Networks (SDN). Typically, the cloud consumer provisions desired networking resources
from this pool, which can then be configured within the limits of the virtualization technique used.



Network – Security controls

Cloud Provider Responsibility
Primarily responsible for building a secure network infrastructure and configuring it properly. The absolute top
security priority is segregation and isolation of network traffic to prevent tenants from viewing another's traffic.
This is the most foundational security control for any multitenant network.
The provider should disable packet sniffing or other metadata "leaks" that could expose data or configurations
between tenants. Packet sniffing, even within a tenant's own virtual networks, should also be disabled to reduce
the ability of an attacker to compromise a single node and use it to monitor the network, as is common on
non-virtualized networks.
All virtual networks should enable built-in firewall capabilities for cloud consumers without the need for host
firewalls or external products.
The provider is also responsible for detecting and preventing attacks on the underlying physical network and
virtualization platform. This includes perimeter security of the cloud itself.

Cloud Customer Responsibility
Primarily responsible for properly configuring their deployment of the virtual network, especially any virtual
firewalls.
Also responsible for proper rights management and configuration of exposed controls in the management plane.
Implement internal security controls and policies to prevent both modification of consumer networks and monitoring
of traffic without approval or outside contractual agreements.
Apply cloud firewalls on a per-workload basis as opposed to a per-network basis.
Implement default deny with cloud firewalls and always restrict traffic between workloads in the same virtual
subnet using a cloud firewall (security group) policy whenever possible.
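The following Python is an added example, not code from the CP2422 slides or the CSA guidance: it models the customer-side network controls above (firewall rules attached per workload, default deny) and the hypervisor-level firewall from the Compute slides, showing that workloads sharing one virtual subnet still cannot talk unless a security-group rule allows it. All names, addresses and rules are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    """One inbound allow rule. Security groups carry allow rules only; traffic
    matching no rule is dropped, which is what makes the policy default deny."""
    protocol: str                       # "tcp", "udp" or "any"
    port_from: int
    port_to: int
    source: Optional[str] = None        # CIDR the traffic may come from, or ...
    source_group: Optional[str] = None  # ... a security group the sender belongs to

    def matches(self, proto: str, port: int, src_ip: str, src_groups: set) -> bool:
        if self.protocol not in ("any", proto):
            return False
        if not self.port_from <= port <= self.port_to:
            return False
        if self.source is not None:
            return ip_address(src_ip) in ip_network(self.source)
        return self.source_group is not None and self.source_group in src_groups


@dataclass
class SecurityGroup:
    name: str
    inbound: List[Rule] = field(default_factory=list)


@dataclass
class Workload:
    name: str
    ip: str
    groups: List[SecurityGroup]


def is_allowed(src: Workload, dst: Workload, proto: str, port: int) -> bool:
    """Evaluate inbound traffic src -> dst against the groups attached to dst.
    Rules belong to the workload, not the subnet, so sharing a virtual network
    with dst grants src nothing by itself (default deny)."""
    src_group_names = {g.name for g in src.groups}
    return any(rule.matches(proto, port, src.ip, src_group_names)
               for group in dst.groups for rule in group.inbound)


# Constructed three-tier topology on one virtual subnet (10.0.1.0/24): web is
# reachable from anywhere on 443, app only from the "web" group, db only from "app".
WEB_SG = SecurityGroup("web", [Rule("tcp", 443, 443, source="0.0.0.0/0")])
APP_SG = SecurityGroup("app", [Rule("tcp", 8080, 8080, source_group="web")])
DB_SG = SecurityGroup("db", [Rule("tcp", 5432, 5432, source_group="app")])

WEB = Workload("web-1", "10.0.1.10", [WEB_SG])
APP = Workload("app-1", "10.0.1.20", [APP_SG])
DB = Workload("db-1", "10.0.1.30", [DB_SG])
CLIENT = Workload("internet-client", "203.0.113.7", [])   # constructed external address


def check_topology() -> dict:
    """Outcomes worth verifying: the intended tiered flows are allowed, while a
    same-subnet flow with no rule (web straight to db) and direct Internet
    access to the inner tiers are dropped."""
    return {
        "internet_to_web_443": is_allowed(CLIENT, WEB, "tcp", 443),
        "web_to_app_8080": is_allowed(WEB, APP, "tcp", 8080),
        "app_to_db_5432": is_allowed(APP, DB, "tcp", 5432),
        "web_to_db_5432": is_allowed(WEB, DB, "tcp", 5432),
        "internet_to_app_8080": is_allowed(CLIENT, APP, "tcp", 8080),
        "app_to_web_22": is_allowed(APP, WEB, "tcp", 22),
    }


if __name__ == "__main__":
    for flow, allowed in check_topology().items():
        print(f"{flow:22s} {'ALLOW' if allowed else 'DROP (default deny)'}")
```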



Storage – Security controls

Different types of cloud storage

Instance or volume storage: This is essentially a virtual hard drive for instances or virtual machines.

Object storage: Object storage manages data as objects, meaning all data types are stored in their native
formats. There is no hierarchy of relations between files with object storage; data objects can be distributed
across several machines. Most access is through APIs, not standard file sharing protocols, although cloud
providers may also offer front-end interfaces to support those protocols.

Database: Cloud platforms and providers may support a variety of different kinds of databases, including
managed relational and NoSQL database services, in-memory caching as a service and petabyte-scale data
warehouse services.

Application/platform: Examples of these would be a content delivery network (CDN), files stored in SaaS,
caching, etc.



Storage – Security controls
Data security controls tend to fall into three buckets:
• Controlling what data goes into the cloud (and where).
• Protecting and managing the data in the cloud.
  • Access controls
  • Encryption
  • Architecture
  • Monitoring & Alerting
  • Additional controls, including data loss prevention and enterprise rights management.
• Enforcing information lifecycle management security.
  • Managing data location/residency.
  • Ensuring compliance, including audit artifacts (logs, configurations).
  • Backups and business continuity.



Storage – Security controls

Cloud Provider Responsibility
Access controls should be implemented with a minimum of three layers:
• Management plane: These are controls for managing access of users that directly access the cloud platform's
management plane.
• Public and internal sharing controls: If data is shared externally, to the public or partners that don't have
direct access to the cloud platform, there will be a second layer of controls for this access.
Storage encryption at rest and in transit: Encrypt any underlying physical storage, if it is not already encrypted
at another level, to prevent data exposure. Several methods include:
• Volume storage encryption
• Object and file storage (client-side and server-side encryption methods)
• API signing, which helps protect message integrity by preventing tampering with the request while it is in
transit; it also helps protect against potential replay attacks
Additional layers include:
• Key management
• Data Loss Prevention
• Enterprise Rights Management
• Managing data location/residency

Cloud Customer Responsibility
Application-level controls: As customers build their own applications on the cloud platform, they will design and
implement controls to manage access (the third layer of access control).
A customer-managed key allows a cloud customer to manage their own encryption key while the provider manages the
encryption engine. For example, using your own key to encrypt SaaS data within the SaaS platform. Many providers
encrypt data by default, using keys completely in their control. Some may allow you to substitute your own key,
which integrates with their encryption system.
Account-level access security, Multi-Factor authorization and data security architectures are other important
responsibilities of the customer.
Monitoring, auditing and compliance will be an ongoing process at the same time.
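The API signing control listed above is shown here as an added example (not code from the slides or from any provider's SDK): an HMAC over the method, path, body hash, timestamp and nonce, so in-transit tampering changes the MAC, and a freshness window plus a seen-nonce set rejects replays. The key, the in-memory nonce store and all request values are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time

FRESHNESS_WINDOW = 300   # seconds of clock skew tolerated (constructed value)


def canonical_string(method: str, path: str, body: bytes, timestamp: int, nonce: str) -> str:
    """Bind every field an attacker could alter in transit: method, path,
    a hash of the body, the timestamp and the nonce."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_hash, str(timestamp), nonce])


def sign_request(key: bytes, method: str, path: str, body: bytes,
                 timestamp=None, nonce=None) -> dict:
    """Client side: compute the MAC and return the headers to send with the request."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(16) if nonce is None else nonce
    msg = canonical_string(method, path, body, timestamp, nonce).encode()
    sig = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(timestamp), "X-Nonce": nonce, "X-Signature": sig}


class Verifier:
    """Server side: recompute the MAC, then enforce freshness and one-time nonces."""

    def __init__(self, key: bytes, now=None):
        self.key = key
        self.now = now or (lambda: int(time.time()))
        self.seen_nonces = set()   # constructed in-memory store; a real service expires entries

    def verify(self, method: str, path: str, body: bytes, headers: dict) -> str:
        try:
            timestamp = int(headers["X-Timestamp"])
            nonce, provided = headers["X-Nonce"], headers["X-Signature"]
        except (KeyError, ValueError):
            return "missing_or_malformed_headers"
        msg = canonical_string(method, path, body, timestamp, nonce).encode()
        expected = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, provided):   # constant-time comparison
            return "bad_signature"            # tampered method, path, body or headers
        if abs(self.now() - timestamp) > FRESHNESS_WINDOW:
            return "stale_timestamp"          # old capture replayed outside the window
        if nonce in self.seen_nonces:
            return "replay"                   # fresh-looking, but already accepted once
        self.seen_nonces.add(nonce)
        return "ok"


def demo() -> dict:
    """Run the four cases on constructed data and return the verifier's verdicts."""
    key = b"constructed-shared-secret"
    now = 1_700_000_000
    verifier = Verifier(key, now=lambda: now)
    path, body = "/bucket/report.pdf", b'{"object":"report.pdf"}'
    headers = sign_request(key, "PUT", path, body, timestamp=now)
    results = {"valid": verifier.verify("PUT", path, body, headers)}
    results["replay"] = verifier.verify("PUT", path, body, headers)
    results["tampered_body"] = verifier.verify("PUT", path, b'{"object":"other.pdf"}', headers)
    old = sign_request(key, "PUT", path, body, timestamp=now - 2 * FRESHNESS_WINDOW)
    results["stale"] = verifier.verify("PUT", path, body, old)
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:14s} -> {verdict}")
```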
Containers – Security controls
Virtualization lets your operating systems (Windows or Linux) run simultaneously on a single hardware system.

A container is a standard unit of software that packages up code and all its dependencies, so the
application runs quickly and reliably from one computing environment to another.

A Docker container image is a lightweight, standalone, executable package of software that includes
everything needed to run an application: code, runtime, system tools, system libraries and settings.

Containers and virtual machines have similar resource isolation and allocation benefits, but function
differently because containers virtualize the operating system instead of hardware and are more portable
and efficient.
Containers – Security controls
Building security into the tasks/code running inside the container. It's still possible to run vulnerable
software inside a container and, in some cases, this could expose the shared operating system or data from
other containers.

Properly securing the image repository. The image repository should be in a secure location with appropriate
access controls configured. This is both to prevent loss or unapproved modification of container images and
definition files.

Assuring the security of the underlying physical infrastructure (compute, network, storage). This is no
different than any other form of virtualization, but it now extends into the underlying operating system where
the container's execution environment runs.

Assuring the security of the management plane, which in this case is the orchestrator and the scheduler.
Converged Infrastructure (diagram)

Traditional Infrastructure: servers, network switch, fiber-channel switch and storage as separate elements.
Converged Infrastructure: a combined network and storage switch, with server and storage.
Hyperconverged Infrastructure.


Converged Infrastructure – Security (diagram)

RBAC: users are mapped to roles (Role 1, Role 2, Role 3) and roles to permissions.
Encryption: native key manager or external key manager; self-encrypting drives or software encryption.
SSO.

Converged infrastructure that describes software defined datacenters (SDDC) cannot rely on legacy security
methods. The difference in securing traditional multi-dimensional infrastructures versus converged architectures
is that the latter needs a more policy-based approach.
Module key takeaways
Data center:
• Special requirements for physical and virtual security measures, cooling conditions and power requirements
• Different tiers of data center
Cloud computing:
• 14 domains of Cloud Security Alliance guidelines
• IaaS, PaaS and SaaS, their security and reference architectures
• Security of the cloud vs security in the cloud
• Virtualization and its security
• Containers and their security
• Converged infrastructure


Module summary
After completing this module, you have learned to:
• Define Data Center and Cloud Computing infrastructure
• Define different types of cloud computing models
• Review the guidelines from Cloud Security Alliance
• Understand Data Center and Cloud Security controls



References
• https://github.com/cloudsecurityalliance/CSA-Guidance
• https://www.forcepoint.com/cyber-edu/cia-triad
• https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf
• https://www.itu.int/en/Pages/default.aspx
• http://www.cloudsecurity.org
• https://www.redhat.com/cms/managed-files/iaas_focus-paas-saas-diagram-1200x1046.png
• https://www.redhat.com/en/topics/containers/whats-a-linux-container
• http://www.rationalsurvivability.com
• https://owasp.org/
• https://published-prd.lanyonevents.com/published/rsaus19/sessionsFiles/14144/KEY-T07S-A-Cloud-Security-Architecture-Workshop.pdf
• https://www.infoq.com/articles/cloud-security-architecture-intro/
• https://aws.amazon.com/microservices/
• https://docs.aws.amazon.com/whitepapers/latest/aws-overview-security-processes/introduction.html
• https://sysadminxpert.com/block-storage-vs-object-storage-in-aws/
• https://www.docker.com/resources/what-container
• https://uptimeinstitute.com/resources/research-and-reports
• https://www.vxchnge.com/blog/n1-data-center-infrastructure-redundancy

Videos
• A visit to the Cloud: https://www.youtube.com/watch?v=94PO2-TL4Vs
• Security and Risk mgmt.: https://www.youtube.com/watch?v=8g0NrHExD3g
• Infrastructure security: https://www.youtube.com/watch?v=cLory3qLoY8
• Google data center: https://www.youtube.com/watch?v=kd33UVZhnAA
• Data center Design: https://www.youtube.com/watch?v=6fxUbUWS1C8

