IFS Chapter 4

The document discusses cloud computing. It defines cloud computing as a model that allows ubiquitous and convenient access to a shared pool of configurable computing resources over the network. Cloud computing provides on-demand access to networks, servers, storage, applications and services. It allows users and organizations to access systems and store data remotely without having to maintain dedicated infrastructure. Common personal and business services like email, file storage and tax services are examples of widely used cloud applications.

Uploaded by Sachin Singh

MODULE 4

Cloud Security

Cloud Security Risks and Countermeasures, Data Protection in Cloud, Cloud Application Security, Cloud Identity and Access Management, Cloud Security as a Service.
Self-Learning Topics: Metasploit, Ettercap.

4.1 Introduction to Cloud Computing ... 4-2
    GQ. Define Cloud Computing. Explain its characteristics ... 4-2
    GQ. Explain cloud computing service models and deployment models ... 4-2
    4.1.1 Characteristics of Cloud Computing ... 4-3
    4.1.2 Cloud Computing Service Models ... 4-3
    4.1.3 Deployment Models ... 4-4
4.2 Cloud Security Risks and Countermeasures ... 4-5
    GQ. Explain various risks in cloud security along with their countermeasures ... 4-5
4.3 Data Protection in Cloud ... 4-8
    UQ. Write a note on: Data Protection in Cloud ... 4-8
4.4 Cloud Application Security ... 4-10
    GQ. Define Cloud Application Security. Explain various threats to cloud application security ... 4-10
    GQ. Explain different types of solutions available to cloud application security ... 4-10
    4.4.1 Cloud Application Security Threats ... 4-11
    4.4.2 Types of Cloud Application Security Solution ... 4-11
    4.4.3 Practices for Effective Cloud Application Security ... 4-12
4.5 Cloud Identity and Access Management (Cloud IAM) ... 4-14
    UQ. Write a note on: Cloud Identity and Access Management ... 4-14
    4.5.1 Features of Cloud IAM ... 4-14
    4.5.2 Need of Cloud IAM ... 4-14
    4.5.3 Benefits of Cloud IAM ... 4-14
    4.5.4 Identity and Access Management from Major Cloud Providers ... 4-15
4.6 Cloud Security as a Service ... 4-17
    GQ. Explain Cloud Security as a Service with its benefits ... 4-17
    4.6.1 Benefits of Security as a Service ... 4-19
4.7 Self-Learning Topics ... 4-19
4.8 Multiple Choice Questions ... 4-21
Chapter Ends ... 4-22

(MU - New Syllabus w.e.f. academic year 22-23) (M7-66) Tech-Neo Publications ...A SACHIN SHAH Venture

Infrastructure Security (MU-Sem.7-IT) Cloud Security

4.1 INTRODUCTION TO CLOUD COMPUTING

GQ. Define Cloud Computing. Explain its characteristics.
GQ. Explain cloud computing service models and deployment models.

• Cloud computing is an evolving paradigm.
• Cloud computing is a term that has gained widespread use over the last few years.
• With the exponential increase in data use that has accompanied society's transition into the digital 21st century, it is becoming more and more difficult for individuals and organizations to keep all of their vital information, programs, and systems up and running on in-house computer servers.
• The solution to this problem is one that has been around for nearly as long as the internet, but that has only recently gained widespread application for businesses.
• Cloud computing operates on a similar principle as web-based email clients, allowing users to access all of the features and files of the system without having to keep the bulk of that system on their own computers.
• In fact, most people already use a variety of cloud computing services without even realizing it. Gmail, Google Drive, TurboTax, and even Facebook and Instagram are all cloud-based applications.
• For all of these services, users are sending their personal data to a cloud-hosted server that stores the information for later access.
• And as useful as these applications are for personal use, they're even more valuable for businesses that need to be able to access large amounts of data over a secure, online network connection.
• The NIST Definition of Cloud Computing: "Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction".
• This cloud model is composed of five essential characteristics, three service models, and four deployment models as shown in Fig. 4.1.1.

Fig. 4.1.1: NIST Visual Model of Cloud Computing (Essential Characteristics, Service Models, Deployment Models)

4.1.1 Characteristics of Cloud Computing

Following are the essential characteristics of cloud computing:

► 1. On-demand self-service
• A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service provider.

► 2. Broad network access
• Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, tablets, laptops, and workstations).

► 3. Resource pooling
• The provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand.
• There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter).
• Examples of resources include storage, processing, memory, and network bandwidth.

► 4. Rapid elasticity
• Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand.
• To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time.

► 5. Measured service
• Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts).
• Typically, this is done on a pay-per-use or charge-per-use basis. Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the utilized service.

4.1.2 Cloud Computing Service Models

Three different services offered by cloud computing are as follows:

► 1. Software as a Service (SaaS)
• The capability provided by SaaS to the consumer is to use the provider's applications running on a cloud infrastructure.
• A cloud infrastructure is the collection of hardware and software that enables the five essential characteristics of cloud computing.
• The cloud infrastructure can be viewed as containing both a physical layer and an abstraction layer.
• The physical layer consists of the hardware resources that are necessary to support the cloud services being provided, and typically includes server, storage and network components.
• The abstraction layer consists of the software deployed across the physical layer, which manifests the essential cloud characteristics. Conceptually the abstraction layer sits above the physical layer.
• The applications are accessible from various client devices through either a thin client interface, such as a web browser (e.g., web-based email), or a program interface.

• The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.

► 2. Platform as a Service (PaaS)
• The capability provided by PaaS to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages, libraries, services, and tools supported by the provider.
• This capability does not necessarily preclude the use of compatible programming languages, libraries, services, and tools from other sources.
• The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly configuration settings for the application-hosting environment.

► 3. Infrastructure as a Service (IaaS)
• The capability provided by IaaS to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications.
• The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components (e.g., host firewalls).

4.1.3 Deployment Models

The above-mentioned cloud services can be deployed majorly in four different ways as follows:

► 1. Private cloud
• The cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers (e.g., business units).
• It may be owned, managed, and operated by the organization, a third party, or some combination of them, and it may exist on or off premises.

Fig. 4.1.2: Private Cloud

► 2. Community cloud
• The cloud infrastructure is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g., mission, security requirements, policy, and compliance considerations).
• It may be owned, managed, and operated by one or more of the organizations in the community, a third party, or some combination of them, and it may exist on or off premises.

Fig. 4.1.3: Community Cloud
► 3. Public cloud
• The cloud infrastructure is provisioned for open use by the general public.
• It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. It exists on the premises of the cloud provider.

Fig. 4.1.4: Public Cloud

► 4. Hybrid cloud
• The cloud infrastructure is a composition of two or more distinct cloud infrastructures (private, community, or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).

Fig. 4.1.5: Hybrid Cloud

4.2 CLOUD SECURITY RISKS AND COUNTERMEASURES

GQ. Explain various risks in cloud security along with their countermeasures.

There are various security risks in the cloud. Some of the major potential risks to the security of cloud systems, with efficient countermeasures for them, are given below.

Risk 1 - Data Breaches
• A data breach is a scenario where confidential, secured, private or sensitive information comes out, or is accessed, stolen, or used by unauthorized people.
• It may arise because of human mistakes, software or application vulnerabilities, or wrong security measures.

Countermeasures
• The best way to handle data breaches is to create an effective security program at an organizational level.
• This security program must contain Multifactor Authentication (MFA) and Encryption.
• MFA uses more than one method of authentication, such as biometric verification, security tokens and passwords, to verify the identity of the consumer.
• Encryption is the process of encoding information in such a way that only authorized parties can read the messages. Encryption does not avoid interception, but it denies any unauthorized access to sensitive information.

Risk 2 - System Vulnerabilities
• System vulnerabilities are exploitable bugs in programs that attackers can use to infiltrate a computer system to steal data, take control of the system, or disrupt service operations.
• Vulnerabilities within the components of the operating system, like the system kernel, libraries and application tools, put the security of all services and data at significant risk.

Countermeasures
• System vulnerabilities can be handled by the administration of basic IT processes, such as regular vulnerability scanning, prompt patch management, and a quick follow-up on reported system threats.
• Vulnerability scanning is the automated process of identifying the security vulnerabilities of the computing systems in a network.
• A patch is a piece of software that updates a computer program and its supporting data to fix or improve it. This includes fixing security vulnerabilities and other bugs.
• Such patches are generally called bug fixes or bugfixes, and improve usability or performance.

Risk 3 - Account Hijacking
• It is an old method in which credentials and passwords are reused, to increase the impact of such attacks.
• In this the attacker intrudes into the user's credentials, and then eavesdrops on the user's activities and transactions, which allows the attacker to manipulate the user's data, return falsified information, and redirect the user's clients to illegitimate sites.

Countermeasures
• The organization should avoid the sharing of account credentials between the users and services.
• Apply two-factor authentication techniques wherever possible.
• All accounts and activities of the account should be monitored and traceable to the actual owner of the account.

Risk 4 - Permanent Data Loss
• Permanent data loss because of the cloud service provider's fault is a very rare incident.
• But still, there is a small chance of permanent data loss in the cloud because some unethical hackers try to delete cloud data permanently to harm businesses, and any sudden, unexpected natural calamity can destroy cloud data centers.

Countermeasures
• Users can encrypt data before uploading it into the cloud, and then users must carefully protect the encryption key because, once the key is lost, the data is also lost.
• Some cloud providers distribute data and applications across multiple zones for more protection.
• Apply various data backup measures and disaster recovery models.
• Daily data backup and off-site storage play a vital role in avoiding permanent data loss.

Risk 5 - Denial of Service (DoS)
• It is the most common attack, in which authorized users are not able to access their data or their applications.
• When the cloud faces a DoS attack, the targeted cloud service consumes inordinate amounts of finite system resources such as processor power, memory, disk space, or network bandwidth. This causes an intolerable system slowdown and leaves all authorized service users confused and angry as to why the service is not responding.
• DoS attacks utilize large amounts of processing power, a bill the user, unfortunately, has to pay.
Countermeasures
• No way can completely prevent DoS attacks, but some measures can reduce the risk of DoS attacks in the cloud.
• Use DoS attack detection technology.
• Intrusion prevention systems and firewall manufacturers now offer DoS protection technologies that include signature detection and connection verification techniques to limit the success of DoS attacks.
• Use throttling and rate-limiting technologies that can reduce the effects of a DoS attack.
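The throttling and rate-limiting countermeasure above, shown as an added example (written for this chapter, not taken from the textbook or from any provider's product): a per-client token bucket run over a constructed request stream, with assumed limits of a 10-request burst refilled at 5 requests per second.

```python
"""Per-client token-bucket throttling, illustrating the rate-limiting
countermeasure against DoS.  Added example; the traffic below is
constructed and the limits are assumed values, not a provider's defaults."""
from collections import defaultdict


class TokenBucket:
    """A client may burst up to `capacity` requests, then is refilled at
    `rate` requests per second.  Tokens are held in thousandths and time in
    integer milliseconds so the arithmetic is exact (1 token/s == 1 mt/ms)."""

    def __init__(self, capacity: int, rate: int) -> None:
        self.capacity_mt = capacity * 1000
        self.rate = rate
        self.tokens_mt = self.capacity_mt
        self.last_ms = 0

    def allow(self, now_ms: int) -> bool:
        elapsed = max(0, now_ms - self.last_ms)  # ignore out-of-order timestamps
        self.last_ms = max(self.last_ms, now_ms)
        self.tokens_mt = min(self.capacity_mt,
                             self.tokens_mt + elapsed * self.rate)
        if self.tokens_mt >= 1000:
            self.tokens_mt -= 1000
            return True
        return False


class Throttler:
    """One bucket per client key (source address, tenant or API key), so a
    flooding client is rejected early instead of consuming the processor
    time, memory and bandwidth that the other tenants (and the bill) pay for."""

    def __init__(self, capacity: int, rate: int) -> None:
        self._buckets = defaultdict(lambda: TokenBucket(capacity, rate))

    def handle(self, client: str, now_ms: int) -> bool:
        return self._buckets[client].allow(now_ms)


def run_stream(requests, capacity: int = 10, rate: int = 5):
    """Feed (timestamp_ms, client) pairs through the throttler and return
    per-client counts of accepted and rejected requests."""
    throttler = Throttler(capacity, rate)
    stats = defaultdict(lambda: {"accepted": 0, "rejected": 0})
    for ts_ms, client in sorted(requests, key=lambda r: r[0]):
        outcome = "accepted" if throttler.handle(client, ts_ms) else "rejected"
        stats[client][outcome] += 1
    return dict(stats)


def constructed_traffic():
    """Constructed sample traffic (not captured logs): a normal client sending
    one request per second for 10 s, and a flooding client sending 500
    requests in the same 10 s window (one every 20 ms)."""
    normal = [(i * 1000, "10.0.0.7") for i in range(10)]
    flood = [(i * 20, "198.51.100.9") for i in range(500)]
    return normal + flood


if __name__ == "__main__":
    for client, counts in run_stream(constructed_traffic()).items():
        print(client, counts)
```

The normal client is never throttled, while the flooding client gets only the burst plus the refill (59 of 500 requests) and the rest are rejected before they reach the service.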
Risk 6 - Malicious Insiders
• CERT says "an insider threat to an organization is a current or former employee, contractor, or other business partner who has or had authorized access to an organization's data or network, system, and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization's information or information systems."
• It's easy to misunderstand a bungling attempt to perform a routine job as "malicious" insider activity. For example, an administrator can accidentally copy a sensitive customer database to a publicly accessible server.

Countermeasures
• It's recommended that organizations should control the encryption process and keys, segregating duties and minimizing the access given to users.
• Effective logging, monitoring, and auditing of administrator activities are also critical.
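As an added example of the logging, monitoring and auditing countermeasure (not code from the textbook), three detection rules run over a constructed audit trail: the administrator-copies-database-to-a-public-server case from the text, access by a role that is not permitted, and a self-granted permission that is then used; object names, roles and field names are assumed.

```python
"""Detection rules over a cloud audit trail, illustrating the insider-risk
countermeasures in this chapter: log and audit administrator activity,
minimise access, and segregate duties.  Added example; the classification
table and events are constructed, not real logs."""

# Constructed classification: sensitivity level and the roles permitted to
# access each object (the "minimising access" countermeasure).
CLASSIFICATION = {
    "s3://crm/customers.db": {"level": "sensitive",
                              "allowed_roles": {"admin", "dpo"}},
    "s3://docs/handbook.pdf": {"level": "public",
                               "allowed_roles": {"admin", "developer", "operator"}},
}

# Constructed audit events in time order (field names are assumed).
EVENTS = [
    {"ts": "2024-03-01T09:12:00Z", "actor": "admin.ravi", "role": "admin",
     "action": "copy", "object": "s3://crm/customers.db",
     "dest": "s3://public-site/backup/customers.db", "dest_public": True},
    {"ts": "2024-03-01T09:30:00Z", "actor": "admin.ravi", "role": "admin",
     "action": "copy", "object": "s3://docs/handbook.pdf",
     "dest": "s3://public-site/handbook.pdf", "dest_public": True},
    {"ts": "2024-03-01T10:02:00Z", "actor": "dev.anita", "role": "developer",
     "action": "read", "object": "s3://crm/customers.db"},
    {"ts": "2024-03-01T11:40:00Z", "actor": "ops.li", "role": "operator",
     "action": "grant", "object": "s3://crm/customers.db", "grantee": "ops.li"},
    {"ts": "2024-03-01T11:41:30Z", "actor": "ops.li", "role": "operator",
     "action": "download", "object": "s3://crm/customers.db"},
]

ACCESS_ACTIONS = {"read", "download", "copy"}
REVIEW_NOTE = ("confirm with the actor: a mistaken routine job and a malicious "
               "act look identical in the log")


def detect(events, classification=CLASSIFICATION):
    """Return findings for review.  Each finding names the rule, the actor and
    the object; none of them is a verdict of malice on its own."""
    findings = []
    self_grants = set()  # (actor, object) pairs the actor granted to itself
    for ev in events:
        meta = classification.get(
            ev["object"], {"level": "unclassified", "allowed_roles": set()})
        sensitive = meta["level"] == "sensitive"
        base = {"ts": ev["ts"], "actor": ev["actor"], "object": ev["object"],
                "note": REVIEW_NOTE}
        # Rule 1: a sensitive object copied to a publicly accessible destination.
        if sensitive and ev["action"] == "copy" and ev.get("dest_public"):
            findings.append({**base, "rule": "sensitive-to-public",
                             "dest": ev["dest"]})
        # Rule 2: a sensitive object touched by a role that is not permitted.
        if (sensitive and ev["action"] in ACCESS_ACTIONS
                and ev["role"] not in meta["allowed_roles"]):
            findings.append({**base, "rule": "role-not-permitted",
                             "role": ev["role"]})
        # Rule 3: segregation of duties. An actor grants itself access and then
        # uses it, with nobody else in the loop.
        if ev["action"] == "grant" and ev.get("grantee") == ev["actor"]:
            self_grants.add((ev["actor"], ev["object"]))
        elif (ev["action"] in ACCESS_ACTIONS
                and (ev["actor"], ev["object"]) in self_grants):
            findings.append({**base, "rule": "self-grant-then-access"})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f["ts"], f["rule"], f["actor"], f["object"])
```

The copy of the public handbook to the public site produces no finding, which is the point of classifying data first: the rules fire on sensitivity and role, not on the action alone.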
Risk 7 - Insecure Interfaces and APIs
• Providers of cloud computing exhibit a set of software user interfaces (UIs) or application programming interfaces (APIs) that customers use to manage and interact with cloud services.
• Provisioning, management, orchestration and monitoring are all performed with these interfaces.
• The security and availability of general cloud services are dependent on the security of these basic APIs.
• From authentication and access control to encryption and activity monitoring, these interfaces must be designed to protect against both accidental and malicious attempts to circumvent policy.
• Organizations and third parties may build on these interfaces to offer value-added services to their customers.
• Thus, this introduces the complexity of the new layered API, which also increases risk, because organizations may be required to relinquish their credentials to third parties in order to enable their agency.
• Therefore, APIs and UIs are generally the most exposed part of a system, perhaps the only asset with an IP address available outside the trusted organizational boundary.
• These assets will be the target of heavy attack, and adequate controls protecting them from the Internet are the first line of defense and detection.

Countermeasures
• Security-focused code reviews and rigorous penetration testing, so far, are the two reliable countermeasures to this type of attack.
• Security code review is the process of auditing the source code for an application to verify that the proper security controls are present, that they work as intended and that they have been invoked in all the right places.
• A penetration test, on the other hand, which is also known as a pen test, is an attack on a computer system that looks for security weaknesses, potentially gaining access to the computer's features and data.
• This process typically identifies the target systems and a particular goal, then reviews available information and undertakes various means to attain the goal.
• A penetration test target may be a white box (which provides background and system information) or a black box (which provides only basic or no information except the company name).
• A penetration test can help determine whether a system is vulnerable to attack, whether the defenses were sufficient and which defenses (if any) the test defeated.

Risk 8 - Insufficient Identity, Credential and Access Management
• Data breaches and other attacks frequently result from lax authentication, weak passwords, and poor key or certificate management.
• Usually, some organizations struggle with identity management as they try to assign permissions appropriate to the user's job role.
• Importantly, they sometimes forget to remove user access when a job function changes or when a user leaves the organization.
• The system must scale to handle lifecycle management for the huge number of its users.
• Identity management systems must support immediate de-provisioning of access to resources when personnel changes, such as job termination or role change, occur.
• Organizations planning to unify identity with a cloud provider need to know the security measures the cloud provider uses to protect the identity platform.
• Centralizing identity into a single repository has its risks.
• Organizations need to weigh the trade-off of the convenience of centralizing identity against the risk of having that repository become an extremely high-value target for attackers.

Countermeasures
• Multifactor authentication systems such as a smartcard, OTP, and phone authentication are required for users and operators of a cloud service because such systems make it harder for attackers to log in with stolen passwords.
• This form of authentication helps address password theft, where stolen passwords enable access to resources without user consent.
• Stealing of passwords can manifest in common network lateral movement attacks, such as "pass the hash".
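An added example (not the textbook's) of the lifecycle controls listed under Risk 8: an access review that compares a constructed HR feed and role baseline against a constructed IAM snapshot and reports terminated-but-enabled accounts, permissions left over from a previous role, accounts without MFA, and accounts with no traceable owner; all names and permission strings are assumed.

```python
"""Access-lifecycle review for a cloud identity platform, illustrating the
Risk 8 countermeasures: remove access immediately on termination or role
change, keep permissions to the job role, require MFA, and keep every
account traceable to an owner.  Added example with constructed HR and IAM
records; the permission names and field names are assumed."""

# Constructed baseline: the permissions each job role is entitled to.
ROLE_BASELINE = {
    "developer": {"repo:read", "repo:write", "logs:read"},
    "finance": {"billing:read", "billing:export"},
    "operator": {"vm:start", "vm:stop", "logs:read"},
}

# Constructed HR feed: the authoritative source of who works here, in what role.
HR_RECORDS = [
    {"user": "anita", "status": "active", "role": "developer"},
    {"user": "ravi", "status": "terminated", "role": "operator"},
    {"user": "meera", "status": "active", "role": "developer"},  # moved from finance
    {"user": "li", "status": "active", "role": "operator"},
]

# Constructed snapshot of the accounts in the cloud IAM platform.
IAM_ACCOUNTS = [
    {"user": "anita", "enabled": True, "mfa": True,
     "permissions": {"repo:read", "repo:write", "logs:read"}},
    {"user": "ravi", "enabled": True, "mfa": True,
     "permissions": {"vm:start", "vm:stop", "logs:read"}},
    {"user": "meera", "enabled": True, "mfa": False,
     "permissions": {"repo:read", "repo:write", "billing:export"}},
    {"user": "li", "enabled": True, "mfa": True,
     "permissions": {"vm:start", "vm:stop"}},
    {"user": "svc-legacy", "enabled": True, "mfa": False,
     "permissions": {"billing:read"}},
]


def review_access(hr_records, iam_accounts, baseline=ROLE_BASELINE):
    """Compare IAM against HR and the role baseline; return a list of
    (user, finding, detail) tuples in the order they should be actioned."""
    hr = {r["user"]: r for r in hr_records}
    findings = []
    for acct in iam_accounts:
        user = acct["user"]
        record = hr.get(user)
        if record is None:
            # Nobody in HR owns this account, so it cannot be traced to a person.
            findings.append((user, "orphan-account",
                             "no HR owner; disable pending review"))
            continue
        if record["status"] == "terminated" and acct["enabled"]:
            # De-provision first; reviewing its permissions can wait.
            findings.append((user, "deprovision",
                             "terminated in HR but account still enabled"))
            continue
        # Permissions beyond the current role are usually left over from an
        # earlier role that was never cleaned up on the role change.
        excess = acct["permissions"] - baseline.get(record["role"], set())
        if excess:
            findings.append((user, "excess-permissions",
                             "beyond role %s: %s" % (record["role"], sorted(excess))))
        if not acct["mfa"]:
            findings.append((user, "mfa-required", "MFA not enrolled"))
    return findings


if __name__ == "__main__":
    for user, finding, detail in review_access(HR_RECORDS, IAM_ACCOUNTS):
        print(user, finding, detail)
```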

4.3 DATA PROTECTION IN CLOUD

UQ. Write a note on: Data Protection in Cloud.

• For the majority of enterprises, data protection is a key security concern.
• Before using the cloud, users must explicitly identify the data objects that need to be protected, classify the data according to how it affects security, and then specify the security policy for data protection as well as the means for enforcing the policy.
• Data objects for the majority of applications would contain not just massive amounts of data stored in cloud servers (such as user databases and/or file systems), but also data that is being transferred between the cloud and the user(s), which may be done over the Internet or using mobile media.
• In many cases, it would be more affordable and practical to migrate huge amounts of data to the cloud via portable media, such as archive tapes, rather than sending it over the Internet.
• The user identity data produced by the user management model, the service audit data produced by the auditing model, the service profile data used to describe the service instance(s), the temporary runtime data produced by the instance(s), and many other application data are examples of data objects.
• Different data types would have varied economic value, and hence, different security implications for cloud users.
• For instance, a user database that is stored at rest on cloud servers may be a key asset for cloud users, necessitating strong security measures to ensure the privacy, availability, and integrity of the data.
• User privacy may be impacted by user identity information, which may include Personally Identifiable Information (PII). Therefore, access to user identifying information should only be permitted for authorized users.
• Data from service audits serve as proof of compliance with and fulfilment of Service Level Agreements (SLA) and should not be maliciously altered.
• Information about a service's profile should be well protected because it could be used by attackers to find and identify service instances.
• Critical user business data may be present in temporary runtime data, which should be separated during runtime and securely disposed of after runtime.
• The basic security services for information security provide assurance of data that includes Confidentiality, Integrity, and Availability (CIA).
• The inherent properties of cloud computing make the problem of data security more challenging. There would need to be a number of security services in place before potential cloud users could migrate their applications and data safely to the cloud.

These services include the following, however not all may be required for every application:

► 1. Data Confidentiality Assurance
• This service protects against the disclosure of information to unauthorized parties.
• Data confidentiality is a fundamental security measure that must be in place in cloud computing. This security service might be relevant to all data objects discussed above, notwithstanding the possibility that various applications may have varied needs about the types of data that require confidentiality protection.

► 2. Data Integrity Protection
• This service protects against malicious data alteration.
• Cloud customers must have a mechanism to verify that the data they have outsourced to remote cloud servers is secure both while it is at rest and while it is in transit. For users of the cloud, a security solution like this would be essential.
• Since the audit data would raise legal issues, it is essential to ensure their authenticity while examining cloud services. This security service is also applicable to other data objects discussed above.

► 3. Guarantee of Data Availability
• This service guarantees that all user requests for data retrieval from the cloud will be met.
• In relation to the fulfilment of Service Level Agreements, this service is extremely vital for data that is at rest on cloud servers.
j
Infrastructure Security (MU-Sem.7-IT)                                                      Cloud Security

• Data availability assurance is extremely important for long-term data storage services due to the growing likelihood of data loss or degradation over time.

► 4. Secure Data Access

• The purpose of this security service is to restrict access to data content to users who are authorized.
• In real-world scenarios, exposing application data to unauthorized users could jeopardize a cloud user's business objectives.
• Legal issues may arise when sensitive information is improperly disclosed in mission-critical systems.
• Users of the cloud may require fine-grained data access control in the sense that different users may have access to distinct sets of data in order to protect sensitive data more effectively.
• The majority of the data elements mentioned above are suitable to this security service.

► 5. Regulations and Compliance

• Storage and access to sensitive data may need to adhere to specific compliance in real-world application circumstances.
• The Health Insurance Portability and Accountability Act (HIPAA), for instance, may place restrictions on the publication of medical records. In addition, the location of the data would frequently be a concern due to problems with export-law violations. Before transferring their data to the cloud, customers of the service should carefully consider these regulatory and compliance concerns.

► 6. Service Audition

• This service, which is essential for compliance enforcement, gives cloud users a mechanism to keep track of how their data is accessed.
• The system can easily be audited in the event of local storage. However, in cloud computing, the service provider must ensure reliable transparency of data access.

4.4 CLOUD APPLICATION SECURITY

• Cloud application security is defined as a set of policies, governance, tools and processes used to govern and secure information exchanged within collaborative cloud environments and applications deployed to the cloud.
• Cloud solutions are ubiquitous in modern enterprises. As a result, cloud security is now front and center for optimizing enterprise security posture.
• Modern enterprise workloads are spread across a wide variety of cloud platforms ranging from suites of SaaS products like Google Workspaces and Microsoft 365 to custom cloud-native applications running across multiple hyper-scale cloud service providers.
• As a result, network perimeters are more dynamic than ever and critical data and workloads face threats that simply didn't exist a decade ago.
• Enterprises must be able to ensure workloads are protected wherever they run. Additionally, cloud computing adds a new wrinkle to data sovereignty and data governance that can complicate compliance.
• Individual cloud service providers often offer security solutions for their platforms, but in a world where multi-cloud is the norm, solutions that can protect an enterprise end-to-end across all platforms are needed.
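The two data-security services described above, Secure Data Access (different users see distinct sets of data) and Service Audition (the user can keep track of how the data is accessed), are illustrated together in the following added example. It is not from the textbook: the access policy, the principals, the datasets and the JSON access-log lines are all constructed, and the log field names are an assumption about the shape a cloud object-store access log might take.

```python
"""Fine-grained data access control plus an audit of how data was accessed.

Added example (not from the textbook): the access policy, principals, datasets
and access-log lines below are constructed for illustration.
"""
import hashlib
import json
from collections import defaultdict

# Fine-grained access control: each principal may touch only the datasets it
# is authorized for, and only with the permitted operations (least privilege).
ACCESS_POLICY = {
    "alice@example.com": {"patient-records": {"read", "write"}, "billing": {"read"}},
    "bob@example.com":   {"billing": {"read", "write"}},
    "svc-analytics":     {"billing": {"read"}},
}

# Constructed access log, one JSON record per line (field names are assumptions).
RAW_LOG = """\
{"time":"2024-03-01T09:00:01Z","principal":"alice@example.com","dataset":"patient-records","op":"read"}
{"time":"2024-03-01T09:02:10Z","principal":"bob@example.com","dataset":"billing","op":"write"}
{"time":"2024-03-01T09:05:44Z","principal":"bob@example.com","dataset":"patient-records","op":"read"}
{"time":"2024-03-01T09:07:03Z","principal":"svc-analytics","dataset":"billing","op":"write"}
{"time":"2024-03-01T09:09:30Z","principal":"mallory","dataset":"billing","op":"read"}
"""


def is_authorized(principal: str, dataset: str, op: str) -> bool:
    """Deny by default: unknown principals, datasets or operations all fail."""
    return op in ACCESS_POLICY.get(principal, {}).get(dataset, set())


def parse_log(raw: str) -> list:
    """Turn the JSON-lines log into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def audit(records: list) -> dict:
    """Return the accesses that violate the policy and a per-dataset summary
    of which principals touched it (the 'how is my data accessed' view)."""
    violations = []
    summary = defaultdict(lambda: defaultdict(int))
    for rec in records:
        summary[rec["dataset"]][rec["principal"]] += 1
        if not is_authorized(rec["principal"], rec["dataset"], rec["op"]):
            violations.append(rec)
    return {"violations": violations,
            "summary": {d: dict(p) for d, p in summary.items()}}


def chain_digest(raw: str) -> str:
    """Hash-chain the log lines so that altering or dropping any one line
    changes the final digest; a provider can publish it as a tamper-evident
    commitment to the audit trail it hands back to the customer."""
    digest = hashlib.sha256(b"").hexdigest()
    for line in raw.splitlines():
        digest = hashlib.sha256((digest + line).encode()).hexdigest()
    return digest


if __name__ == "__main__":
    report = audit(parse_log(RAW_LOG))
    for v in report["violations"]:
        print("VIOLATION", v["time"], v["principal"], v["op"], v["dataset"])
    print("summary:", report["summary"])
    print("log digest:", chain_digest(RAW_LOG))
```

In the constructed log, bob's read of patient-records, the analytics service's write to billing and the unknown principal's read are all flagged, while the summary still records every access so the data owner can see who touched each dataset; the chained digest is what the owner would compare against the provider's published value before trusting the log.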
4.4.1 Cloud Application Security Threats

Following are the threats to cloud application security :

• Account hijacking : Weak passwords and data breaches often lead to legitimate accounts being compromised. If an attacker compromises an account, they can gain access to sensitive data and completely control cloud assets.
• Credential exposure : A corollary to account hijacking is credential exposure. Exposing credentials in the cloud (GitHub, for example) can lead to account hijacking and a wide range of sophisticated long-term attacks.
• Bots and automated attacks : Bots and malicious scanners are an unfortunate reality of exposing any service to the Internet. As a result, any cloud service or web-facing application must account for the threats posed by automated attacks.
• Insecure APIs : APIs are one of the most common mechanisms for sharing data, both internally and externally, in modern cloud environments. However, because APIs are often both feature and data-rich, they are a popular attack surface for hackers.
• Over sharing of data : Cloud data storage makes it trivial to share data using URLs. This greatly streamlines enterprise collaboration. However, it also increases the likelihood of assets being accessed by unauthorized or malicious users.
• DoS attacks : Denial of Service (DoS) attacks against large enterprises have been a cyber security threat for a long time. With so many modern organizations dependent on public cloud services, attacks against cloud service providers can now have an exponential impact.
• Misconfiguration : One of the most common reasons for data breaches is misconfigurations. The frequency of misconfiguration in the cloud is due in large part to the complexity involved in configuration management (which leads to disjointed manual processes) and access control across cloud providers.
• Phishing and social engineering : Phishing and social engineering attacks that exploit the human side of enterprise security are one of the most frequently exploited attack vectors.
• Complexity and lack of visibility : Because many enterprise environments are multi-cloud, the complexity of configuration management, granular monitoring across platforms, and access control often lead to disjointed workflows that involve manual configuration and limit visibility, which further exacerbates cloud security challenges.

4.4.2 Types of Cloud Application Security Solution

There is no shortage of security solutions designed to help enterprises mitigate cloud application security threats. Some of them are described below :

► 1. Cloud Access Security Broker (CASB)

• According to Gartner, a cloud access security broker (CASB) is an on-premises or cloud-based security policy enforcement point that is placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as cloud-based resources are accessed.
• CASBs act as a gatekeeper to cloud services and enforce granular security policies.

► 2. Web Application Firewall (WAF)

• A Web application firewall (WAF) protects web applications from a variety of application layer
attacks such as cross-site scripting (XSS), SQL injection, and cookie poisoning, among others.
• Attacks to apps are the leading cause of breaches; they are the gateway to your valuable data. With the right WAF in place, you can block the array of attacks that aim to exfiltrate that data by compromising your systems.

► 3. Runtime Application Self Protection (RASP)

• Runtime Application Self Protection (RASP) is a security solution designed to provide personalized protection to applications.
• It takes advantage of insight into an application's internal data and state to enable it to identify threats at runtime that may have otherwise been overlooked by other security solutions.

► 4. Intrusion Detection System (IDS) / Intrusion Prevention System (IPS)

• Intrusion detection systems (IDS) and intrusion prevention systems (IPS) constantly watch your network, identifying possible incidents and logging information about them, stopping the incidents, and reporting them to security administrators.
• In addition, some networks use IDS/IPS for identifying problems with security policies and deterring individuals from violating security policies.
• IDS/IPS have become a necessary addition to the security infrastructure of most organizations, precisely because they can stop attackers while they are gathering information about your network.

► 5. URL Filtering

• URL filtering works by comparing all web traffic against URL filters, which are typically contained in a database of sites that users are permitted to access or denied from accessing.
• Each site in the database is assigned to a specific URL filter, which could be a category or group.

► 6. Web Application and API Protection (WAAP)

• WAAP (Web Application & API Protection) is a term coined by Gartner to describe cloud-based services that act as a security shield against cybercriminals, DDoS attacks, malicious bots, and other emerging cyber threats. It is more effective and powerful than any traditional firewall or security solution.
• The WAAP is located right on the outer edge of the network, monitoring traffic flow and filtering requests made to the web apps and APIs.
• Offered typically through the cloud, web application and API protection solutions offer multi-layered, comprehensive, and highly scalable protection.

4.4.3 Practices for Effective Cloud Application Security

Cloud application security requires a comprehensive approach to secure not only the application itself, but the infrastructure that it runs on as well. Here are five cloud application best practices for implementing effective security measures :

► 1. Identity Access Management

• Application security doesn't exist in a silo, so it's important to integrate secure measures like identity access management (IAM) with broader enterprise security processes.
• IAM ensures every user is authenticated and can only access authorized data and application functionality.
• A holistic approach to IAM can protect cloud applications and improve the overall security posture of an organization.
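The WAF described under solution 2 above inspects application-layer requests for cross-site scripting, SQL injection and cookie poisoning. The following added example (not from the textbook or any WAF product) shows the core of such an inspection step: every parameter is normalized by repeated URL-decoding before the detection rules run, so a double-encoded payload cannot slip past a rule written for the decoded form, and cookies are checked against an HMAC signature so a tampered (poisoned) cookie is rejected. The rule patterns, the signing key and the sample requests are constructed; real WAF rule sets are far larger and tuned to reduce false positives.

```python
"""A minimal WAF-style inspection step for inbound HTTP requests.

Added example (not from the textbook or any WAF product): the rules, the
signing key and the sample requests below are constructed for illustration.
"""
import hashlib
import hmac
import re
from urllib.parse import unquote_plus

# Constructed server-side secret used to sign cookies (a real deployment
# would load it from a secret store, never from source code).
COOKIE_KEY = b"constructed-demo-key"

# Detection rules, applied to the *normalized* value of every parameter.
RULES = {
    "xss":  re.compile(r"<\s*script|\bon\w+\s*=|javascript\s*:", re.I),
    "sqli": re.compile(r"(\bunion\b\s+\bselect\b)|('\s*or\s*'?\d+'?\s*=\s*'?\d+)|(--\s*$)", re.I),
}


def normalize(value: str, max_rounds: int = 3) -> str:
    """Decode repeatedly until the value stops changing, so that a
    double-encoded '%253Cscript' is seen as '<script' by the rules."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value.lower()


def sign_cookie(payload: str) -> str:
    """Append an HMAC-SHA256 tag so the server can detect later tampering."""
    mac = hmac.new(COOKIE_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def verify_cookie(cookie: str) -> bool:
    """Reject poisoned cookies: the tag must match the payload exactly."""
    payload, _, mac = cookie.rpartition("|")
    expected = hmac.new(COOKIE_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return bool(payload) and hmac.compare_digest(mac, expected)


def inspect(request: dict) -> list:
    """Return the names of the rules a request triggers (empty list = allow)."""
    findings = []
    for name, value in request.get("params", {}).items():
        norm = normalize(value)
        for rule, pattern in RULES.items():
            if pattern.search(norm):
                findings.append(f"{rule}:{name}")
    cookie = request.get("cookie")
    if cookie is not None and not verify_cookie(cookie):
        findings.append("cookie_poisoning")
    return findings


if __name__ == "__main__":
    session = sign_cookie("role=user")
    for req in (
        {"params": {"q": "cloud security"}, "cookie": session},
        {"params": {"q": "%253Cscript%253Ealert(1)"}},
        {"params": {"id": "1' OR '1'='1"}},
        {"params": {}, "cookie": session.replace("role=user", "role=admin")},
    ):
        print(req, "->", inspect(req) or "allow")
```

The repeated decoding is the point a practitioner most often gets wrong: a rule that looks for `<script` in the raw query string misses `%253Cscript`, which the application will decode twice before rendering. The cookie check shows why a WAF alone does not stop cookie poisoning; the application (or the WAF on its behalf) has to bind the cookie's contents to a server-side secret.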
► 2. Encryption

• Implementing encryption in the right areas optimizes application performance while protecting sensitive data.
• In general, the three types of data encryption to consider are encryption in transit, encryption at rest, and encryption in use.
(i) Encryption in transit protects data as it's transmitted between cloud systems or to end-users. This includes encrypting communication between two services, whether they're internal or external, so that data cannot be intercepted by unauthorized third parties.
(ii) Encryption at rest ensures data cannot be read by unauthorized users while it is stored in the cloud. This can include multiple layers of encryption at the hardware, file, and database levels to fully protect sensitive application data from data breaches.
(iii) Encryption in use is aimed at protecting data that is currently being processed, which is often the most vulnerable data state. Keeping data in use safe involves limiting access beforehand using IAM, role-based access control, digital rights protection, and more.
• Leveraging encryption for data in each of these stages can reduce the risk of cloud applications leaking sensitive data. This is crucial for achieving a high level of security and privacy that protects organizations from intellectual property theft, reputational damage, and loss of revenue.

► 3. Threat Monitoring

• After applications are deployed to the cloud, it's crucial to continuously monitor for cyber threats in real-time.
• Since the application security threat landscape is constantly evolving, leveraging threat intelligence data is crucial for staying ahead of malicious actors.
• This enables development teams to find and remediate cloud application security threats before they impact end-users.

► 4. Data Privacy and Compliance

• Along with application security, data privacy and compliance are crucial for protecting end-users of cloud native applications.
• For example, compliance with GDPR requires careful vetting of open-source components, which are frequently used to speed up cloud native application development.
• In addition, data encryption, access controls, and other cloud security controls can also help protect the privacy of application users.

► 5. Automated Security Testing

• A key part of DevSecOps is integrating automated security testing directly into the development process.
• By automatically scanning for vulnerabilities throughout the continuous integration and continuous delivery (CI/CD) process, development teams can ensure every new software build is secure before deploying to the cloud.
• This includes not only the code and open-source libraries that applications rely on, but the container images and infrastructure configurations they're using for cloud deployments.
• In addition, implementing developer-friendly security scanning tooling with existing developer workflows can enable the "shifting left" of cloud application security.
• Shifting left testing can dramatically reduce the cost of vulnerability detection and remediation, while also ensuring developers can continue pushing code quickly.
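Practice 5 above says the CI/CD pipeline should scan not only code but also container images and infrastructure configuration before a build reaches the cloud, and the threat list in 4.4.1 names credential exposure (for example in GitHub) and misconfiguration as leading causes of breaches. The following added example (not from the textbook or any scanner product) is a small CI gate that does exactly that over a constructed repository snapshot: it looks for an AWS access key ID pattern and private-key material in any file, a public ACL or a world-open security group in Terraform, and a Dockerfile that never drops root. The file contents, rule set and severities are constructed; the `AKIA` key shown is the placeholder value AWS uses in its own documentation.

```python
"""A CI gate that scans source and infrastructure files for exposed
credentials and insecure configuration before a build is deployed.

Added example (not from the textbook or any scanner product): the repository
snapshot, rule set and severity thresholds below are constructed.
"""
import re

# Constructed repository snapshot: path -> file contents.
REPO = {
    "app/settings.py": (
        "DEBUG = False\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'  # leaked: should come from env or an IAM role\n"
        "AWS_SECRET_ACCESS_KEY = os.environ['AWS_SECRET_ACCESS_KEY']\n"
    ),
    "infra/storage.tf": (
        'resource "aws_s3_bucket" "uploads" {\n'
        '  bucket = "example-uploads"\n'
        '  acl    = "public-read"\n'
        "}\n"
    ),
    "Dockerfile": (
        "FROM python:3.12-slim\n"
        "COPY . /app\n"
        'CMD ["python", "/app/main.py"]\n'
    ),
}

# Line rules: (name, severity, path filter, line pattern).
LINE_RULES = [
    ("aws-access-key-id", "high", re.compile(r".*"),
     re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key-material", "high", re.compile(r".*"),
     re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("s3-public-acl", "high", re.compile(r"\.tf$"),
     re.compile(r'acl\s*=\s*"public-(read|read-write)"')),
    ("security-group-open-world", "medium", re.compile(r"\.tf$"),
     re.compile(r'"0\.0\.0\.0/0"')),
]


def scan_file(path: str, text: str) -> list:
    """Apply every applicable rule to one file; returns a list of findings."""
    findings = []
    for name, severity, path_filter, pattern in LINE_RULES:
        if not path_filter.search(path):
            continue
        for lineno, line in enumerate(text.splitlines(), start=1):
            if pattern.search(line):
                findings.append({"rule": name, "severity": severity,
                                 "path": path, "line": lineno})
    # Absence check: a container image with no USER directive runs as root.
    if path.endswith("Dockerfile") and not re.search(r"^USER\s+\S+", text, re.M):
        findings.append({"rule": "container-runs-as-root", "severity": "medium",
                         "path": path, "line": 0})
    return findings


def scan_repo(repo: dict) -> list:
    """Scan every file in the snapshot."""
    return [f for path, text in repo.items() for f in scan_file(path, text)]


def build_passes(findings: list, fail_on=("high",)) -> bool:
    """Gate the pipeline: any finding at a configured severity fails the build."""
    return not any(f["severity"] in fail_on for f in findings)


if __name__ == "__main__":
    results = scan_repo(REPO)
    for f in results:
        print(f"{f['severity']:6} {f['rule']:28} {f['path']}:{f['line']}")
    print("build passes:", build_passes(results))
```

Run as a pre-merge step, the same checks that would otherwise surface after deployment (a key committed to a public repository, a bucket readable by anyone) fail the build while the fix is still a one-line change, which is what the "shifting left" of the last two bullets means in practice.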
4.5 CLOUD IDENTITY AND ACCESS MANAGEMENT

4.5.1 Cloud Identity and Access Management

Write a note on: Cloud Identity and Access Management.

• Public cloud providers offer a rich portfolio of services, and the only way to govern a secure platform of services is through identity and access management (IAM).
• According to Gartner, Identity and Access Management (IAM) is the security discipline that enables the right individuals to access the right resources at the right times for the right reasons. IAM addresses the mission-critical need to ensure appropriate access to resources across increasingly heterogeneous technology environments.
• Enterprises traditionally used on-premises IAM software to manage identity and access policies, but nowadays, as companies add more cloud services to their environments, the process of managing identities is getting more complex. Therefore, adopting cloud-based Identity-as-a-Service (IDaaS) and cloud IAM solutions becomes a logical step.
• Cloud Identity and Access Management (Cloud IAM) lets administrators authorize who can take action on specific resources, giving full control and visibility to manage Google Cloud resources centrally.
• For enterprises with complex organizational structures, hundreds of workgroups, and many projects, IAM provides a unified view into security policy across your entire organization, with built-in auditing to ease compliance processes.

Features of Cloud IAM

IAM typically includes the following :

1. Single Access Control Interface : Cloud IAM offers a clear and standard access control interface. All cloud services can be accessed through the same interface.
2. Enhanced Security : You can define increased security for critical applications.
3. Resource-level Access Control : Users can be given permissions to access resources at various granularity levels by way of roles that you can define.

4.5.2 Need of Cloud IAM

• To initiate, capture, record, and manage user identities and associated access rights, identity and access management technology can be utilized. According to policies and roles, all users are authenticated, authorized, and evaluated.
• If IAM operations are not properly regulated, the organization may not be in compliance with regulations, and management may not be able to prove that company data is not at risk of being exploited in the event of an audit.

4.5.3 Benefits of Cloud IAM

A company may find it difficult to adopt cloud Identity and Access Management solutions since they don't directly increase profitability, and ceding control over infrastructure is difficult. An IAM solution, however, has several advantages, including the following :

• By relying on the centralized trust model, enterprise security costs for third-party applications can be reduced.
• Regardless of where your users are located, they can access the solution from any device.
• Through Single Sign-On, you can give users access to all your applications.
• Multifactor Authentication can be used to protect mission-critical apps and sensitive data.
• In addition, it promotes compliance with procedures and processes.
• Typical problems include people being granted permissions based on their needs and tasks and not revoking them when they are no longer needed, leading to users having lots of privileges they don't need.

4.5.4 Identity and Access Management from Major Cloud Providers

► 1. Amazon

• Amazon Web Services (AWS) cloud provides users with a secure virtual platform to deploy their applications. It offers high-level data protection when compared to an on-premises environment, at a lower cost.
• Among various AWS security services, Identity and Access Management (IAM) is the most widely used one. It enables secure control of access to AWS resources and services for the users. Also, it helps to create and manage AWS users as well as groups and provides necessary permissions to allow or deny access to AWS resources.

Features of IAM at AWS

IAM at Amazon Web Services offers you the following features :

• Shared access to your AWS account : Without sharing your password, you can grant other people permission to administer and use the resources in your current AWS account.
• Granular permissions : Granular permissions let you grant different users different permissions for different resources. For example, you can give some users full access to Amazon EC2, Amazon S3 (Simple Storage Service) and the remaining AWS services, while other users are allowed only read-only access to the EC2 instances, or access only to billing information.
• Secured access to AWS resources : This IAM feature secures the credentials used by applications running on EC2 instances, and lets you grant those applications the permissions they need to access AWS services.
• Multi-factor authentication (MFA) : Using MFA, you can add two-factor authentication not only for your account but also for individual users, for more security. You or your user must provide an access key or password together with a code generated by a specifically configured device in order to work with your account.
• Identity Federation : Identity federation in IAM allows users who already have passwords elsewhere, for example in your corporate network or with an internet identity provider, to get temporary access to your current AWS account.
• Identity information for assurance : If you use CloudTrail for your AWS account, you get log records that contain information about the requests made to the resources in your account, including which IAM identities made them.
• PCI DSS Compliance : The IAM at AWS fully supports the storage, transmission and processing of data by both provider and merchant in order to validate compliance with the PCI (Payment Card Industry) DSS (Data Security Standard).

► 2. Google

• Google Identity and Access Management is a web service that gives cloud administrators the authority to decide who can take a particular action on a particular resource.
• In simple words, IAM lets one decide who (Identity) has what role (Access) to which resource.

Features of IAM at Google

Google's Identity and Access Management offers a number of features to improve the user experience. Some of these are :

• Single interface : One access control interface for all IAM services
• Fine-grained control : Can grant access at resource level granularity if needed
• Automatic recommendations : Recommender detects resources having more permissions than required
• Context-aware access : Control access to resources based on various attributes
• Flexible roles : Option of Custom Roles expands the possible number of roles exponentially
• Variety of input options : IAM policies can be created & managed through Console or CLI
• Audit trail : A full audit trail is provided without additional cost

► 3. IBM

• IBM Identity and Access Management (IAM) enables you to securely authenticate users for platform services and control access to resources consistently across the IBM Cloud platform. For example, with only a single login to IBM Cloud with your IBMid, you have access to any of your service consoles and their applications without having to log in to each of them separately.

Features of IAM at IBM

IBM Cloud IAM provides a wide range of features for your identity and access management needs.

► 1. User management

• With unified user management, you can add and delete users in an account for both platform and classic infrastructure services.
• You can organize a group of users in an access group to make assigning access for more than one user or service ID at a time a quick and easy task.

► 2. Fine-grained access control

• Access for users, service IDs, access groups, and trusted profiles is defined by a policy. Within the policy, the scope of access can be assigned to a set of resources in a resource group, a single resource, or account management services. After the target is set, you can define what actions are allowed by the subject of the policy by selecting access roles.
• Roles provide a way to tailor the level of access that is granted for the subject of the policy to perform actions on the target of the policy, whether it is platform management tasks within the account or accessing a service's UI or completing API calls.

► 3. Access groups for streamlined access management

• Quickly and easily assign access for a group of users, service IDs, or trusted profiles that are organized in an access group by assigning access to the group, and then add or remove identities as needed to grant or deny access to account resources.
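All three providers above describe the same model: a policy names a subject (a user or an access group), a role that bundles the allowed actions, and the resources the role applies to, with AWS adding granular permissions such as full access for some users and read-only for others, and MFA as an extra factor. The following added example (not from the textbook, AWS, Google or IBM) implements a small evaluator for that model so the behaviour can be traced by hand: access is denied by default, an allow must come from a matching statement, an explicit deny overrides any allow, and a statement may carry a condition that the session used MFA. The roles, access groups, policies and requests are constructed; each provider's real policy language and evaluation rules differ in detail.

```python
"""Policy-based, resource-level access control with deny-by-default evaluation.

Added example (not from the textbook or any cloud provider): the roles,
access groups, policies and requests below are constructed to illustrate
the subject / role / resource model the section describes.
"""
from fnmatch import fnmatchcase

# Roles bundle actions, so access is granted by role rather than per API call.
ROLES = {
    "viewer": {"s3:GetObject", "s3:ListBucket", "ec2:Describe*"},
    "editor": {"s3:GetObject", "s3:ListBucket", "s3:PutObject", "ec2:*"},
    "billing-reader": {"billing:ViewBilling"},
}

# Access groups let one policy cover many identities at once.
ACCESS_GROUPS = {
    "ops-team": {"alice", "svc-deployer"},
    "finance": {"bob"},
}

# A statement names a subject, an effect, a role (or explicit actions) and the
# target resources; an optional condition restricts when it applies.
POLICIES = [
    {"subject": "group:ops-team", "effect": "allow", "role": "editor",
     "resources": ["s3:bucket/app-*", "ec2:*"]},
    {"subject": "group:finance", "effect": "allow", "role": "billing-reader",
     "resources": ["billing:*"]},
    {"subject": "user:bob", "effect": "allow", "role": "viewer",
     "resources": ["s3:bucket/app-logs"]},
    # Explicit deny always wins: nobody writes to the production bucket without MFA.
    {"subject": "*", "effect": "deny", "actions": ["s3:PutObject"],
     "resources": ["s3:bucket/app-prod"], "condition": {"mfa": False}},
]


def subjects_for(user: str) -> set:
    """The identities a request can match: the user, the wildcard, and every
    access group the user belongs to."""
    subs = {f"user:{user}", "*"}
    subs.update(f"group:{g}" for g, members in ACCESS_GROUPS.items() if user in members)
    return subs


def statement_actions(stmt: dict) -> set:
    """Explicit actions plus the actions implied by the statement's role."""
    return set(stmt.get("actions", [])) | ROLES.get(stmt.get("role", ""), set())


def matches(stmt: dict, user: str, action: str, resource: str, mfa: bool) -> bool:
    """True when subject, action, resource and every condition all match."""
    if stmt["subject"] not in subjects_for(user):
        return False
    if not any(fnmatchcase(action, a) for a in statement_actions(stmt)):
        return False
    if not any(fnmatchcase(resource, r) for r in stmt["resources"]):
        return False
    context = {"mfa": mfa}
    return all(context.get(k) == v for k, v in stmt.get("condition", {}).items())


def is_allowed(user: str, action: str, resource: str, mfa: bool = False) -> bool:
    """Deny by default; an allow is needed, and an explicit deny overrides it."""
    decision = False
    for stmt in POLICIES:
        if matches(stmt, user, action, resource, mfa):
            if stmt["effect"] == "deny":
                return False
            decision = True
    return decision


if __name__ == "__main__":
    for req in (("alice", "s3:PutObject", "s3:bucket/app-logs", False),
                ("alice", "s3:PutObject", "s3:bucket/app-prod", False),
                ("alice", "s3:PutObject", "s3:bucket/app-prod", True),
                ("bob", "s3:GetObject", "s3:bucket/app-logs", False),
                ("bob", "s3:PutObject", "s3:bucket/app-logs", False),
                ("mallory", "s3:GetObject", "s3:bucket/app-logs", False)):
        print(req, "->", "allow" if is_allowed(*req) else "deny")
```

The cases worth tracing are the last four: bob reads the log bucket through his own viewer policy but cannot write to it, an unknown identity gets nothing because no statement names it, and alice, although her group's editor role covers the production bucket, is refused a write until the session carries MFA, because the deny statement is evaluated regardless of the order in which allows were found.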
• Access groups enable you to manage a minimal number of policies in the account.

► 4. Trusted profiles for eliminating the need to manage credentials

• Automatically grant federated users access to your account with conditions based on Security Assertion Markup Language (SAML) attributes from your corporate directory.
• Trusted profiles can also be used to set up fine-grained authorization for applications that are running in compute resources. This way, you aren't required to create service IDs or API keys for the compute resources.
• Assign access to the profile by adding it to an access group or by assigning individual policies, and then add or remove conditions as needed to grant or deny access to account resources. By using trusted profiles, you can centrally manage the access lifecycle to multiple IBM Cloud assets.

► 5. Federated users

• Your users might already have identities outside of IBM Cloud in your corporate directory. If your users need to work with IBM Cloud resources or work with applications that access those resources, then those users also need IBM Cloud credentials.
• You can use a trusted profile to specify its permissions for users whose identity is federated from your organization or an external IdP. By using your IdP, you can provide a way for users in your company to use single sign-on (SSO).

► 6. Compute resources

• By using trusted profiles, you can define fine-grained authorization for all applications that are running in a compute resource without creating service IDs or managing the API key lifecycle for applications.
• The trusted profiles provide better control for granting access to compute resources.

► 7. API keys for user authentication

• You can create multiple API keys for a user to support key rotation scenarios, and the same key can be used for accessing multiple services.
• IBM Cloud API keys enable users who use two-factor authentication or a federated ID to automate authentication to the console from the command line.
• A user can also have a single classic infrastructure API key that can be used to access classic infrastructure APIs; however, this is not required as you can use IBM Cloud API keys to access the same APIs.

► 8. Service IDs

• A service ID identifies a service or application similar to how a user ID identifies a user. These are IDs that can be used by applications to authenticate with an IBM Cloud service.
• Policies can be assigned to each service ID to control the level of access that is allowed by an application that uses the service ID, and an API key can be created to enable the authentication.

4.6 CLOUD SECURITY AS A SERVICE

• The security-as-a-service model focuses on security provided as cloud services; i.e., security delivered through the cloud instead of on-premise security solutions.
• The security-as-a-service model can also enhance the functionality of existing on-premise implementations by working as a hybrid solution.
• Cloud Security as a Service, also known as Security as a Service (SECaaS), is a Cloud-based solution that delivers outsourced cyber security services.
• As Cloud computing has increased in recent years, so have the number of cyber security threats that can access the Cloud. This has led many companies to outsource Cloud security services just as they would any other service.
• Companies that are highly dependent on IT systems, in particular those that own an app, need to understand the different security solutions and what these alternatives mean for their business.
• More importantly, companies with Cloud Apps need to understand why having a reliable and trusted SECaaS provider is essential to their business success.
• Cloud Security as a Service is a third-party solution to cyber security threats. Providers of these services help app companies manage their risks in various ways.
• One of the most important ones is through DevOps best practices. Having a rigorous Quality Assurance process also helps. By guaranteeing that Continuous Integration (CI) and Continuous Deployment (CD) processes are done correctly, many risks related to the software of your app can be minimized.
• Another important Cloud security solution is to implement an Intrusion Management system, something that many Cloud security providers offer.
• Intrusion Management refers to the possibility of identifying in real-time who has access to your network through the use of Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS).
• Having clear information on who the perpetrator of a system is can help manage security threats. Thus, these tools are very useful in identifying and preventing cyber-attacks.
• The Cloud Security Alliance (CSA) has identified various categories of security-as-a-service offerings as discussed below :
(i) Identity and Access Management : It includes managing access to enterprise resources by verifying the identity of an entity and granting it the correct level of access based on its authorized level.
(ii) Data Loss Prevention : Data Loss Prevention is protecting and securing the data at various stages in the cloud, viz. data at rest, in motion and in use, both in the cloud and on-premises.
(iii) Web Security : Web Security is real-time protection offered via the cloud by redirecting web traffic to the cloud provider and then forwarding clean traffic to the customer's organization.
(iv) Email Security : Email Security provides control over inbound and outbound emails, thereby protecting the organization from phishing and malicious attachments, and enforcing corporate policies as desired by the customer organization.
(v) Security Assessments : These are audits done by a third party for cloud services, or assessments of on-premises systems via cloud-provided solutions based on some industry standards.
(vi) Intrusion Management : Intrusion Management is the process of intrusion detection / prevention using a signature or anomaly-based approach to respond to unusual events.
(vii) Security Information and Event Management (SIEM) : SIEM analyses and correlates logs and event information related to security issues to provide real-time reporting and alerts on security incidents / events that may require attention.
(viii) Encryption : It is the process of providing private and public key cryptographic algorithms for security of data at rest, in motion and in use, both in the cloud and on premises.
(ix) Business Continuity and Disaster Recovery : These are the processes and measures to ensure operational resiliency in the event of any failures and service interruptions.
(x) Network Security : Network Security consists of security provisions that allocate access, distribute, monitor, and protect the underlying network resource services.
• The main areas of focus today are email security, end point protection, web/Internet protection, Vulnerability Assessment and management, Identity management, anti-malware and anti-spam being provided by various vendors.
• Other emerging hosted security services include Managed firewalls, IDS and IPS, instant messaging security, authentication, e-mail archiving and Cloud based vulnerability management etc.
• Security-as-a-service is likely to continue to grow in future not only in terms of security capabilities but also in terms of different options, services being offered and their intensity.

4.6.1 Benefits of Security as a Service

There are a lot of advantages to using a security as a service offering. These include :

► 1. You work with the latest and most updated security tools available

• For anti-virus tools to be effective and useful, they need to work with the latest virus definitions, allowing them to stomp out threats, even the newest ones.
• With security as a service, you're always using tools that are updated with the latest threats and options. This means no more worrying that your users are not updating their anti-virus software and keeping other software up to date to ensure the latest security patches are in use.
• The same case goes for updating and maintaining spam filters.

► 2. You get the best security people working for you

• IT security experts are at your beck and call, and they may have more experience and a better skillset than anybody on your IT team.

► 3. Faster provisioning

• The beauty of as-a-service offerings is that you can give your users access to these tools instantly. SECaaS offerings are provided on demand, so you can scale up or down as the need arises, and you can do so with speed and agility.

► 4. You get to focus on what's more important for your organization

• Using a web interface or having access to a management dashboard can make it easier for your own IT team to administer and control security processes within the organization.

► 5. Makes in-house management simpler

• If you have protected data, it is not enough to just keep it secure.
• You should know when a user accesses this data when he or she does not have any legitimate business reason to access it.

► 6. Save on costs

• You do not have to buy hardware or pay for software licenses.
• Instead, you can replace the upfront capital with variable operating expense, usually at a discounted rate compared to the upfront costs.

Self-Learning Topics

► 1. Metasploit

• The Metasploit framework is a very powerful tool which can be used by cybercriminals as well as ethical hackers to probe systematic vulnerabilities on networks and servers.
r

1nfra~;::;:~:;:"'~":'::::=::::7--------~~~~::::!l\:l.-!::ll:.:;~1,!~!i
tructure Securi MU-Sem. 7-IT

Project is compt 1 , . . Cloud Securl .... Pa 8 no . 4-20
• The Metasploit Project is a computer security project that provides data about security vulnerabilities and assists penetration testing.

• It is owned by Rapid7, a US-based cyber security firm. A notable subproject of Metasploit is the open-source Metasploit Framework, a tool used to develop and run exploit code on remote target systems.

• The Metasploit project includes anti-forensics and remediation tools, some of which are built into the Metasploit Framework.

• Metasploit comes pre-installed on the Kali Linux operating system.

• The Metasploit Framework contains a large number of tools that enable penetration testers to identify security vulnerabilities, carry out attacks, and evade detection.

• Many of the tools are organized as customizable modules. Here are some of the most commonly used tools:

(i) MSFconsole : This is the main Metasploit command-line interface (CLI). It allows testers to scan systems for vulnerabilities, conduct network reconnaissance, launch exploits, and more.

(ii) Exploit modules : Allow testers to target a specific, known vulnerability. Metasploit has a large number of exploit modules, including buffer overflow and SQL injection exploits. Each module carries a malicious payload that testers can execute against target systems.

(iii) Auxiliary modules : Allow testers to perform additional actions required during a penetration test which are not related to directly exploiting vulnerabilities. For example, fuzzing, scanning, and denial of service (DoS).

(iv) Post-exploitation modules : Allow testers to deepen their access on a target system and connected systems. For example, application enumerators, network enumerators and hash dumps.

(v) Payload modules : Provide shell code that runs after the tester succeeds in penetrating a system. Payloads can be static scripts, or can use Meterpreter, an advanced payload method that lets testers write their own DLLs or create new exploit capabilities.

(vi) No Operation (NOPS) generator : Produces random bytes that can pad buffers, with the objective of bypassing intrusion detection and prevention (IDS/IPS) systems.

(vii) Datastore : It is a central configuration that lets testers define how Metasploit components behave. It also enables setting dynamic parameters and variables and reusing them between modules and payloads. Metasploit has a global datastore and a specific datastore for each module.

• Metasploit integrates with almost any reconnaissance tool, allowing you to identify the vulnerability you want.

► 2. Ettercap

• Ettercap is an open-source tool that can be used to support man-in-the-middle attacks on networks.

• Ettercap can capture packets and then write them back onto the network.

• Ettercap enables the diversion and alteration of data virtually in real-time.

• Ettercap can also be used for the protocol analysis necessary to analyze network traffic.

• Ettercap has a nice Graphical User Interface (UI) as well as a command line interface.

• While Ettercap can support network traffic analysis, the most frequent use of Ettercap is to set up man-in-the-middle attacks using ARP poisoning.
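The ARP poisoning use just described is also what a defender on the same segment has to detect. The following added example (not from the textbook and not part of Ettercap) walks a constructed list of ARP replies and flags the two signs of a poisoned segment: an IP whose MAC binding changes, and a single MAC that claims more than one IP, which is the both-directions pattern of a full-duplex ARP poisoning run. The `ArpReply` record, `SAMPLE_REPLIES`, `TRUSTED_BINDINGS`, all addresses and the function names are assumptions made for the example; in practice the replies would come from a packet capture or a switch's dynamic ARP inspection log.

```python
"""
Detect ARP cache poisoning from a stream of ARP replies.

Added example (not from the textbook and not part of Ettercap). The input is a
constructed list of ARP replies; in practice the records would come from a
packet capture or from a switch's dynamic ARP inspection log.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float          # capture time in seconds
    sender_ip: str     # IP address the reply claims to own
    sender_mac: str    # MAC address offered for that IP


# Constructed sample traffic (hypothetical addresses). Host .66 starts answering
# ARP for both the gateway (.1) and a client (.20) at t=30: the "both directions"
# pattern of a full-duplex ARP poisoning attack.
SAMPLE_REPLIES = [
    ArpReply(0.0,  "192.168.1.1",  "aa:aa:aa:aa:aa:01"),
    ArpReply(1.0,  "192.168.1.20", "aa:aa:aa:aa:aa:20"),
    ArpReply(2.0,  "192.168.1.66", "aa:aa:aa:aa:aa:66"),
    ArpReply(30.0, "192.168.1.1",  "aa:aa:aa:aa:aa:66"),
    ArpReply(30.5, "192.168.1.20", "aa:aa:aa:aa:aa:66"),
    ArpReply(31.0, "192.168.1.1",  "aa:aa:aa:aa:aa:66"),
]

# Static bindings a defender would configure for critical hosts (hypothetical).
TRUSTED_BINDINGS = {"192.168.1.1": "aa:aa:aa:aa:aa:01"}


def detect_arp_spoofing(replies, trusted=None):
    """Return a list of alert dicts, one per suspicious ARP reply observation.

    Alert kinds:
      trusted_mismatch         reply contradicts a statically configured IP->MAC pair
      binding_changed          an IP already seen with one MAC is now claimed by another
      mac_claims_multiple_ips  one MAC has asserted ownership of more than one IP
    """
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    bindings = {}                    # IP -> MAC last seen claiming it
    ips_per_mac = defaultdict(set)   # MAC -> set of IPs it has claimed
    alerts = []

    for r in sorted(replies, key=lambda x: x.ts):
        mac = r.sender_mac.lower()
        ip = r.sender_ip

        # Strongest signal: a reply that contradicts a static binding for a critical host.
        if ip in trusted and trusted[ip] != mac:
            alerts.append({"kind": "trusted_mismatch", "ts": r.ts, "ip": ip,
                           "mac": mac, "expected": trusted[ip]})

        # An IP we have already seen now arrives with a different MAC.
        prev = bindings.get(ip)
        if prev is not None and prev != mac:
            alerts.append({"kind": "binding_changed", "ts": r.ts, "ip": ip,
                           "mac": mac, "previous": prev})
        bindings[ip] = mac

        # One MAC claiming several IPs: the attacker answering for both ends.
        if ip not in ips_per_mac[mac]:
            ips_per_mac[mac].add(ip)
            if len(ips_per_mac[mac]) > 1:
                alerts.append({"kind": "mac_claims_multiple_ips", "ts": r.ts,
                               "mac": mac, "ips": sorted(ips_per_mac[mac])})
    return alerts


def suspected_poisoners(alerts):
    """MACs that claimed more than one IP: the likely attacker host(s)."""
    return sorted({a["mac"] for a in alerts if a["kind"] == "mac_claims_multiple_ips"})


if __name__ == "__main__":
    found = detect_arp_spoofing(SAMPLE_REPLIES, TRUSTED_BINDINGS)
    for a in found:
        print(a)
    print("suspected poisoners:", suspected_poisoners(found))
```

With `TRUSTED_BINDINGS` configured, every reply that contradicts the gateway's static MAC raises a `trusted_mismatch`, so static entries for gateways and other critical hosts give the earliest and least ambiguous signal; the `binding_changed` and `mac_claims_multiple_ips` checks need no configuration but only fire once a host has already begun answering for addresses that are not its own.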
• Penetration testing you can emulate includes man-in-the-middle attacks, credentials capture, DNS spoofing, and DoS attack.

• Ettercap also supports both active and passive deep analysis of many protocols and includes many features for network and host analysis.

• Many "sniffing" modes are available; this includes MAC based, IP based, ARP based (full duplex), and Public ARP based (half duplex).

• Ettercap can also detect a switched local area network (LAN) and use the OS fingerprints to determine the total geometry of the LAN.

• Ettercap is a necessary part of the tool inventory for any penetration tester or ethical hacker.

• Ettercap can be used with many different operating systems but Ettercap works best on most versions of Linux. Many penetration testers and security analysts favor Kali Linux as the preferred distribution.

• Ettercap intercepts and alters traffic on a network segment, captures passwords, has a powerful (and easy to use) filtering language that allows for custom scripting, and conducts active eavesdropping against a number of common protocols like TELNET, FTP, POP, IMAP, rlogin, SSH1, ICQ, SMB, MySQL, HTTP, NNTP, X11, Napster, IRC, RIP, BGP, SOCKS 5, IMAP 4, VNC, LDAP, NFS, SNMP, Half-Life, Quake 3, MSN, YMSG!

Q. 4.1 The NIST model of cloud computing consists of ____ characteristics.
(a) Three (b) Four
(c) Five (d) Six ✓Ans. : (c)

Q. 4.2 In ____ cloud, the cloud infrastructure is provisioned for open use by the general public.
(a) Private (b) Public
(c) Community (d) Hybrid ✓Ans. : (b)

Q. 4.3 In ____ cloud, the cloud infrastructure is provisioned for exclusive use by a single organization comprising multiple consumers.
(a) Private (b) Public
(c) Community (d) Hybrid ✓Ans. : (a)

Q. 4.4 MFA stands for ____.
(a) Multi Factor Authentication
(b) Multi Factor Agreement
(c) Multi Factor Assessment
(d) Multi Factor Authorization ✓Ans. : (a)

Q. 4.5 PII stands for ____.
(a) Personally Identifiable Information
(b) Physically Identifiable Information
(c) Personally Indicated Information
(d) Physically Indicated Information ✓Ans. : (a)

Q. 4.6 WAF stands for ____.
(a) Web Application Filter
(b) Web Application Firewall
(c) Web Application Framework
(d) Web Application Function ✓Ans. : (b)

Q. 4.7 RASP stands for ____.
(a) Realtime Application Self Protection
(b) Runtime Application Self Privacy
(c) Runtime Application Self Protection
(d) Realtime Application Self Privacy ✓Ans. : (c)

Q. 4.8 WAAP stands for ____.
(a) Web Application and API Protection
(b) Web Appliance and API Protection
(c) Wireless Application and API Protection
(d) Wireless Appliance and API Protection ✓Ans. : (a)

Q. 4.9 Which of the following is a compliance standard?
(a) PCI-DSS
(b) HIPAA
(c) GLBA
(d) All of the mentioned ✓Ans. : (d)

Q. 4.10 ____ are responsible for keeping their applications up to date and must therefore ensure they have a patch strategy (to ensure that their applications are screened from malware and hackers scanning for vulnerabilities that allow unauthorized access to their data within the cloud to be gained).
(a) Customers (b) Providers
(c) Both (d) None ✓Ans. : [illegible in scan]
Q. 4.11 Cloud providers must enable their customers to comply appropriately with these regulations.
(a) Payment Card Industry Data Security Standard (PCI)
(b) Health Insurance Portability and Accountability Act (HIPAA)
(c) Sarbanes-Oxley Act (SOA)
(d) All of the above ✓Ans. : (d)

Q. 4.12 Do not put confidential information, including personally identifiable information (PII), into the Cloud.
(a) True (b) False ✓Ans. : (a)

Q. 4.13 Compared to in-house hosting, cloud-based hosting ____.
(a) Provides better visibility of security and disaster preparedness capabilities
(b) Minimizes the risk of investing in technology that will soon become obsolete
(c) Provides greater control over the location of data
(d) Requires a significant amount of capital ✓Ans. : (b)

Q. 4.14 Which of the following is not a type of cloud?
(a) Public (b) Private
(c) Protected (d) Hybrid ✓Ans. : (c)

Q. 4.15 Which of the following mechanisms are contained by cloud API for accessing cloud services?
(a) Abstraction (b) Authentication
(c) Replication (d) Segmentation ✓Ans. : (b)

Q. 4.16 Which of the following cloud security characteristics states that the data have not been altered by an unauthorized party?
(a) Integrity (b) Confidentiality
(c) Authenticity (d) Availability ✓Ans. : (a)

Q. 4.17 Point out the incorrect statement.
(a) All deployment models provide similar security services.
(b) Different types of cloud computing service models provide different levels of security services.
(c) Adapting your on-premises systems to a cloud model requires that you determine what security mechanisms are required and map those to controls that exist in your chosen cloud service provider.
(d) Data should be transferred and stored in an encrypted format for security purposes. ✓Ans. : (a)

Q. 4.18 The characteristic of something having been provided by an authorized source in the context of security is known as ____.
(a) Integrity (b) Confidentiality
(c) Authenticity (d) Availability ✓Ans. : (c)

Q. 4.19 In ____ cloud, an organization rents cloud services from cloud providers on demand basis.
(a) Public (b) Private
(c) Protected (d) Hybrid ✓Ans. : (a)

Q. 4.20 Which of the following mechanisms addresses the challenge of propagating the authentication and authorization information for a cloud service consumer across multiple cloud services?
(a) Hashing
(b) Single Sign-on
(c) Digital Signatures
(d) Public Key cryptography ✓Ans. : (b)

Q. 1 Define cloud computing. List and explain the characteristics of cloud computing.

Q. 2 Explain different service models and deployment models in cloud computing.

Q. 3 Describe in brief different risks and their countermeasures for cloud security.

Q. 4 Write a note on: Data Protection in Cloud.

Q. 5 Explain different threats to cloud application security. Also explain the strategies that can be used as a solution to cloud application security.

Q. 6 Write a note on: Cloud Identity and Access Management.

Q. 7 Explain Cloud Security as a service. Also state its benefits.

Chapter Ends...

□□□