Cloud Sec

The document discusses cloud security responsibilities and risks. It notes that cloud providers are responsible for infrastructure security while customers are responsible for security of their applications and data. The document then outlines various risks associated with cloud computing like legal compliance issues due to data location, physical security of data centers, isolation failures between customers, and improper data or application disposal. It recommends customers review cloud provider security policies and controls to ensure compliance with their own requirements.

Cloud security follows the Shared Responsibility Model, which describes the security responsibilities of the cloud provider and the cloud customer.

This means that the cloud provider is responsible for the security of the underlying infrastructure that they lease to their customers, while the customer is responsible for the security of the areas of the cloud infrastructure over which they have control.

Main components of cloud infrastructure:

Operating system

Middleware – software which provides general services to the applications beyond those provided by the OS, for example data management, application services, API management etc.

Runtime component – more relevant to developers; software or instructions built into the development environment to make sure that the code executes properly.

Applications, Data, Servers

Virtualisation – software which separates a physical computing device into one or more virtual devices, each of which can be used and managed to perform various computing tasks.

Networking – routers, switches, modems

Storage

When all of these are managed by the company itself, it is on-premises computing.

When the company manages the OS, middleware, runtime, applications and data, while the servers, virtualisation, networking and storage are managed by the CSP, it is considered to be IaaS.

In PaaS the company only manages the applications and the data; everything else is managed by the CSP.

In SaaS all the components are managed by the CSP; the company is just the end user of the services and does no processing on its own site.

Risks and controls for the infrastructure

Legal transborder requirements – as cloud computing is provided over the internet, there may be transborder concerns. Suppose I am working for a company located in India and we use the cloud computing services of a CSP from the USA. There may be a conflict between the legal requirements of the two countries, as data privacy laws may differ. We as a company might be in violation of regulations in other countries while storing or processing information within the infrastructure of the cloud service provider.

Control –

Request the list of physical locations of the CSP's assets.

Then review the regulations in the respective locations to ensure compliance with organisational requirements with regard to data privacy.

It is also good practice to specify in the contract that the cloud service provider will not move the assets to locations where the regulations are not aligned with the company's requirements.

Another thing to be ensured is that data transferred from the company premises to the cloud service provider is encrypted and that a proper key management process is in place.

Physical security – When the company moves its data to a cloud infrastructure, it must still be in compliance with the corporate policy. At the same time, company data may also be accessed by staff working for the cloud service provider for activities like routine maintenance and backups. The risk here is that there may be a gap between the company's and the CSP's physical security requirements.

Control – It is recommended that the company requests the security policy of the cloud service provider and reviews it for compliance with the corporate security policy.

It is also good to specify in the contract that the CSP provides evidence of independent security reviews and audit certificates that meet the corporate requirements.

Data disposal – When the company chooses to stop using the CSP's services, the CSP should properly dispose of the data before providing services to a new client, to prevent unauthorised access.

Control – Request the CSP's technical specifications and controls related to data disposal to ensure they comply with the company's requirements.

Isolation failure – Cloud computing, by definition, is about sharing resources, i.e. processing capacity. If one tenant (the cloud word for customer) can influence another's resources, that is considered an isolation failure.

Application disposal – this is similar to data disposal. When using PaaS there is a risk that, upon contract termination, if the CSP does not dispose of the application data (which may include the applications themselves, their backups, or the source or object code), then this data may be unintentionally disclosed, creating an opportunity for an application attack, or it may be copied, violating the company's intellectual property rights.

Incident management – In a public cloud infrastructure, if one of the companies is compromised by a cyber attack, it may expose the cloud and the other companies to the attack.

Control – from ppt

Hypervisor attack – A hypervisor is a piece of software that provides the link between the virtual machines and the underlying physical resources required to run them, using hypercalls. If an attacker gains access to a virtual machine in the cloud, they could make fake hypercalls to introduce malware or cause disruption in the hypervisor's behaviour.

Patching / release management – In a public cloud, where one cloud may have hundreds of tenants, CSPs are able to introduce patches in their applications without proper approval from or notification of the clients. The risk here is that the company may lack control over the release management process and could be subject to unexpected side effects of improper patching.

Cyber security solutions

Cloud-based infrastructure is directly accessible from the public Internet, making it an easy target for cybercriminals. Identity and Access Management (IAM) solutions are essential to restricting this access to authorized users.

Cloud network security solutions are necessary for segmenting cloud assets to reduce the effect of any cloud breach, monitoring traffic and protecting the data plane against exploitation and lateral movement.

These solutions automatically and continuously check for misconfigurations that can lead to data breaches and leaks. This continuous and automated detection allows organizations to make necessary changes on a continuous, ongoing basis.

Cloud workloads are applications like any other. They need to be protected against exploitation of unpatched vulnerabilities, configuration errors, and other weaknesses.

Organizations are increasingly storing sensitive data in the cloud. This data must be protected against breach (including encryption in transit and at rest) and in accordance with applicable laws and regulations.

Cloud security solutions need access to threat intelligence to identify and protect against the latest cyber threats.
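An added example (not from these notes) of the continuous misconfiguration check described above, applied to the transborder, encryption and key-management controls from the risks section: it scans a constructed asset inventory and reports assets stored outside approved locations, unencrypted at rest or in transit, without a customer-managed key, or reachable from the public Internet. The inventory format, field names and approved-location list are assumptions for the example.

```python
"""Added example: continuous misconfiguration check over a constructed cloud asset
inventory, applying the controls the notes describe (approved storage location,
encryption at rest and in transit, key management, no public exposure)."""

from dataclasses import dataclass

# Locations the company has reviewed and approved (assumption: company-maintained list).
APPROVED_LOCATIONS = {"ap-south-1", "eu-west-1"}

@dataclass
class Asset:
    name: str
    location: str            # CSP region the asset is stored in (assumed field)
    encrypted_at_rest: bool
    tls_only: bool           # only encrypted transfers allowed to/from the asset
    customer_managed_key: bool
    public_access: bool      # reachable from the public Internet

def check_asset(asset: Asset, approved=APPROVED_LOCATIONS) -> list[str]:
    """Return the list of findings for one asset; an empty list means compliant."""
    findings = []
    if asset.location not in approved:
        findings.append(f"{asset.name}: stored in unapproved location {asset.location}")
    if not asset.encrypted_at_rest:
        findings.append(f"{asset.name}: not encrypted at rest")
    if not asset.tls_only:
        findings.append(f"{asset.name}: allows unencrypted (non-TLS) transfers")
    if not asset.customer_managed_key:
        findings.append(f"{asset.name}: no customer-managed key (key management gap)")
    if asset.public_access:
        findings.append(f"{asset.name}: reachable from the public Internet")
    return findings

def check_inventory(assets) -> dict[str, list[str]]:
    """Run the checks over every asset; keys are the names of non-compliant assets."""
    report = {}
    for asset in assets:
        findings = check_asset(asset)
        if findings:
            report[asset.name] = findings
    return report

# Constructed sample inventory: one compliant asset and two with findings.
SAMPLE_INVENTORY = [
    Asset("hr-records", "ap-south-1", True, True, True, False),
    Asset("backup-archive", "us-east-1", True, False, False, False),
    Asset("public-assets-bucket", "eu-west-1", False, True, False, True),
]

print(check_inventory(SAMPLE_INVENTORY))
```

Run on a schedule (or on every configuration change) this gives the continuous, automated detection the notes call for; the findings map directly back to the contract and policy controls listed earlier.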
Top security risks associated with cloud infrastructure
Lock-in – Sometimes the cloud service interfaces do not guarantee data, application and service portability. This can make it difficult for the customer to migrate from one provider to another, or to migrate data and services back to an in-house IT environment. This introduces a dependency on a particular CP for service provision, especially if data portability, as the most fundamental aspect, is not enabled.
Loss of governance – As a cloud consumer you need to be sufficiently in control of your IT systems. If the cloud service agreement does not give you the proper tools, you have a problem. Example: you should be able to make a backup of your important data and get it out of the cloud provider's system.
Compliance risks – investment in achieving certification (e.g., industry standard or regulatory requirements) may be put at risk by migration to the cloud:

- if the CP cannot provide evidence of their own compliance with the relevant requirements
- if the CP does not permit audit by the cloud customer (CC).

In certain cases, it also means that using a public cloud infrastructure implies that certain kinds of compliance cannot be achieved.
Isolation failure – as described above under risks and controls for the infrastructure.
Malicious Insider –
Insecure or incomplete data deletion – You are asking your cloud provider to store your data safely, which they probably do by making multiple copies. Then you ask them to delete that same data. That might be hard, as it is probably on multiple disks that are shared with other customers, so they cannot simply shred the hard disks.
