Please read this disclaimer before proceeding:

This document is confidential and intended solely for the educational purpose of
RMK Group of Educational Institutions. If you have received this document
through email in error, please notify the system manager. This document
contains proprietary information and is intended only to the respective group /
learning community as intended. If you are not the addressee you should not
disseminate, distribute or copy through e-mail. Please notify the sender
immediately by e-mail if you have received this document by mistake and delete
this document from your system. If you are not the intended recipient you are
notified that disclosing, copying, distributing or taking any action in reliance on
the contents of this information is strictly prohibited.
 AD8602- DATA AND
INFORMATION
SECURITY

DEPT: AI-DS
BATCH / YEAR: 2020-24 / III
CREATED BY: Ms. MARY SELVAN
Table of Contents

Sl. Topics Page

No. No.
1. Contents 5

2. Course Objectives 6

3. Pre Requisites (Course Name with Code) 8

4. Syllabus (With Subject Code, Name, LTPC details) 10

5. Course Outcomes (6) 12

6. CO-PO/PSO Mapping 14

16
Lecture Plan (S.No., Topic, No. of Periods, Proposed date, Actual
7.
Lecture Date, pertaining CO, Taxonomy level, Mode of Delivery)

8. Activity based learning 18

Lecture Notes ( with Links to Videos, e-book reference, PPTs, Quiz 20

9.
and any other learning materials )
Assignments ( For higher level learning and Evaluation - Examples: 48
10.
Case study, Comprehensive design, etc.,)

11. Part A Q & A (with K level and CO) 50

12. Part B Qs (with K level and CO) 56

Supportive online Certification courses (NPTEL, Swayam, Coursera, 58

13.
Udemy, etc.,)

14. Real time Applications in day to day life and to Industry 60

15. Content beyond syllabus 62

16. Assessment Schedule ( Proposed Date & Actual Date) 64

17. Prescribed Text Books & Reference Books 66

18. Mini Project 68

Course Objectives
Course Objectives
• To understand the basics of Number Theory and Security

• To understand and analyze the principles of different encryption techniques

• To understand the security threats and attacks

• To understand and evaluate the need for the different security aspects in real
time applications

• To learn the different applications of information security

PRE REQUISITES
 Prerequisites

SUBJECT CODE: MA8391

SUBJECT NAME: Probability and Statistics

SUBJECT CODE: CW8691

SUBJECT NAME: Computer Networks
Syllabus
Syllabus
AD8602 DATA AND INFORMATION SECURITY LTPC 3003

UNIT I FUNDAMENTALS OF SECURITY 9

Computer Security Concepts - Threats, Attacks and Assets – Security Functional
Requirements – Fundamental Security Design Principles – Attack Surfaces and Attack
Trees. Computer Security Strategy– Number Theory: Prime Numbers and
Factorization, Modular Arithmetic, GCD and Euclidean Algorithm, Chinese Remainder
Theorem, Multiplication Modulo m and the Totient Function, Problems, Fermat and
Euler Theorem. Primitive Roots and the Structure of F*p, Number in other Bases,
Fast Computation of Powers in Z/mZ, Multiplicative Functions, Group Theory, Fields
and Problems
UNIT II ENCRYPTION TECHNIQUES AND KEY MANAGEMENT 9
Symmetric Encryption Principles – Data Encryption Standard – Advanced Encryption
Standard – Stream Ciphers and RC4 - Cipher Block Modes Operation – Digital
Signatures - Key Distributions - Public Key Cryptosystem: RSA, Elliptic Curve
Cryptography - Key Exchange Algorithms: Diffie Hellmen and ELGamal Key Exchange
UNIT III AUTHENTICATION, INTEGRITY AND ACCESS CONTROL 9
Authentication: Security Hash Function – HMAC – Electronic User Authentication
Principles, Password Based Authentication, Token Based and Remote Authentication;
Internet Authentication Applications: Kerberos X.509 – Public Key Infrastructure;
Access Control: Access Control Principles - Subjects, Objects, and Access Rights -
Discretionary Access Control - Example: UNIX File Access Control – Role Based
Access Control - Attribute-Based Access Control - Identity, Credential, and Access
Management - Trust Frameworks
UNIT IV SECURITY 9
System Security: Firewall, Viruses, Worms, Ransomware, Keylogger, Greyware, IDS,
DDoS Network Security: SSL – TLs – HTTPS –IP Security; OS Security: Introduction
to Operating System Security - System Security Planning - Operating Systems
Hardening - Application Security - Security Maintenance - Linux/Unix Security -
Windows Security - Virtualization Security; Wireless Security: Risks and Threats of
Wireless- Wireless LAN Security- Wireless Security Policy-Wireless Security
Architectures-Wireless security Tools
UNIT V SECURITY APPLICATIONS 9
IOT security: Introduction- Architectures- Security challenges- Security
requirements- Trust, Data confidentiality, and privacy in IOT- Security in future IOT
systems; Cloud Security: Security requirements - Security patterns and Architectural
elements- Cloud Security Architecture Security Management in the Cloud- Availability
Management- SaaS Availability Management PaaS Availability Management- IaaS
Availability Management- Access control- Security Vulnerability, Patch and
Configuration Management.
Course Outcomes
Course Outcomes
CO# COs K Level
Understand the fundamentals of security and the significance of
CO1 K1
number theory in computer security
Learn the public key cryptographic standards and authentication
CO2 K3
scheme
CO3 Able to apply the security frameworks for real time applications K2

CO4 Understand the security threats and attacks in IoT, Cloud K3

Able to develop appropriate security algorithms understanding the
CO5 K3
possible threats

Knowledge Level Description

K6 Evaluation

K5 Synthesis

K4 Analysis

K3 Application

K2 Comprehension

K1 Knowledge
CO – PO/PSO Mapping
 CO – PO /PSO Mapping Matrix

CO PO PO PO PO PO PO PO PO PO PO PO PO PSO PSO PS0

# 1 2 3 4 5 6 7 8 9 10 11 12 1 2 3

CO1 3 3 3 1 - 2 - - - - - - 1 2 1

CO2 3 3 3 1 - 2 - - - - - - 1 2 1

CO3 3 2 3 1 - 2 - - - - - - 1 2 1

CO4 3 2 3 1 - 2 - - - - - - 1 2 1

CO5 3 2 3 1 - 2 - - - - - - 1 2 1

1 – Low, 2 – Medium, 3 – Strong

Lecture Plan
Unit V
 Lecture Plan – Unit 4- SECURITY
Sl. Topic Nu Propos Actual CO Taxon Mode
No mb ed Lecture omy of
er Date Date Level Deliver
of y
Peri
ods
1 System Security: 1 CO4 K3 PPT /
Firewall, Viruses, Chalk &
Worms, Ransomware, Talk
Keylogger, Greyware,
IDS, DDoS
2 Network Security: SSL 1 CO5 K3 PPT /
– TLs – HTTPS Chalk &
Talk
3 IP Security 1 CO4 K3 PPT /
Chalk &
Talk
4 OS Security: 1 CO4 K3 PPT /
Introduction to Chalk &
Operating System Talk
Security - System
Security Planning
5 Operating Systems 1 CO4 K3 PPT /
Hardening - Application Chalk &
Security - Security Talk
Maintenance
6 Linux/Unix Security - 1 CO5 K3 PPT /
Windows Security Chalk &
Talk

7 Virtualization Security 1 CO5 K3 PPT /

Chalk &
Talk

8 Wireless Security: Risks 1 CO5 K3 PPT /

and Threats of Chalk &
Wireless- Wireless LAN Talk
Security
9 Wireless Security 1 CO5 K3 PPT /
Policy-Wireless Security Chalk &
Architectures-Wireless Talk
security Tools
Activity Based Learning
Unit V
Activity Based Learning
Lecture Notes – Unit 5
 UNIT V – SECURITY APPLICATIONS
5.1 IOT security:
Introduction
What Is IoT?
The concept of the Internet of Things (IoT) was introduced by Kevin Ashton, a
co-founder of the Auto-ID Center at MIT, in 1998.
The vision is that objects (“things”) are connected to each other and thereby
they create IoT in which each object has its distinct identity and can communicate with
other objects. IoT objects can vary dramatically in size from a small wearable device to a
cruise ship. IoT transforms ordinary products such as cars, buildings, and
machines into smart, connected objects that can communicate with people,
applications and each other.
There are various definitions of IoT. The International Telecommunication Union
(ITU) defined the term Internet of Things as "Internet of Things will connect the world's
objects in both a sensory and intelligent manner".
In 2014, the Joint Technical Committee of the International Organization for
Standardization (ISO) and the International Electrotechnical Commission (IEC) defined IoT
as “an infrastructure of interconnected objects, people, systems and information resources
together with intelligent services to allow them to process information of the physical and
the virtual world and react”.
At the IoT reception layer, sensors placed within devices, objects, and machinery collect,
measure, and record information about the physical environment, such as temperature,
humidity, gas pressure, and motion. This information can be read, integrated and analyzed
at higher IoT layers. NIST uses two acronyms, IoT and NoT (Network of Things).
IoT is considered a subset of NoT, since IoT has its “things” connected to the
Internet. In contrast, some types of NoT use only Local Area Networks (LAN), with none of
their “things” connected to the Internet.
The IoT growth is driven by business needs as part of enterprise digital
transformation (Fig. 5.1). According to Machina Research, the total number of IoT
connections will grow from six billion in 2015 to 27 billion by 2025.
 UNIT V – SECURITY APPLICATIONS

Fig 5.1 Key Business Drivers for IoT Development

IoT solutions not only involve various technology domains such as mobile
communications, cloud, data, security, telecommunications, and networking but they also
lead to cross-industrial use of data (for example, data generated in smart home and
industrial applications is used in the automotive domain) (Fig. 5.2). This opens a possibility
for establishing business partnerships between horizontal industries, such as
telecommunication operators, and vertical industries, such as car manufacturers, as new
business models.

Fig 5.2 IoT Connecting Technologies and Disparate Industries

IoT Security and IoT Architectures:

IoT security solutions should be extremely scalable to apply to an exponentially
increasing number of various IoT devices. A growing variety of IoT applications creates
new security challenges. In addition to traditional security domains such as cryptography,
secure communication, and privacy assurances, IoT security also focuses on trust/identity
management, data confidentiality, privacy protection, etc
 UNIT V – SECURITY APPLICATIONS

IoT Architecture:
IoT architecture refers to the tangle of components such as sensors,
actuators, cloud services, Protocols, and layers that make up IoT networking systems. In
general, it is divided into layers that allow administrators to evaluate, monitor, and
maintain the integrity of the system. The architecture of IoT is a four-step process
through which data flows from devices connected to sensors, through a network, and
then through the cloud for processing, analysis, and storage.
Different Layers of IoT Architecture:
A four-layer architecture is the standard and most widely accepted format.

There are four layers present i.e., the Perception Layer, Network Layer,
Processing Layer, and Application Layer.
Perception/Sensing Layer
The first layer of any IoT system involves “things” or endpoint devices that serve as a
conduit between the physical and the digital worlds. Perception refers to the physical
layer, which includes sensors and actuators that are capable of collecting, accepting, and
processing data over the network. Sensors and actuators can be connected either
wirelessly or via wired connections. The architecture does not limit the scope of its
components nor their location.
 UNIT V – SECURITY APPLICATIONS
Network Layer
Network layers provide an overview of how data is moved throughout the
application. This layer contains Data Acquiring Systems (DAS) and Internet/Network
gateways. A DAS performs data aggregation and conversion functions (collecting and
aggregating data from sensors, then converting analog data to digital data, etc.). It is
necessary to transmit and process the data collected by the sensor devices. That’s what
the network layer does. It allows these devices to connect and communicate with other
servers, smart devices, and network devices. As well, it handles all data transmissions for
the devices.

Processing Layer
The processing layer is the brain of the IoT ecosystem. Typically, data is
analyzed, pre-processed, and stored here before being sent to the data center, where it is
accessed by software applications that both monitor and manage the data as well as
prepare further actions. This is where Edge IT or edge analytics enters the picture.

Application Layer
User interaction takes place at the application layer, which delivers application-
specific services to the user. An example might be a smart home application where users
can turn on a coffee maker by tapping a button in an app or a dashboard that shows the
status of the devices in a system. There are many ways in which the Internet of Things can
be deployed such as smart cities, smart homes, and smart health.

IoT Security Challenges

Three categories of IoT risks include:
1. Risks that are typical in any Internet system
2. Risks that are specific to IoT devices
3. Safety to ensure no harm is caused by misusing actuators, for instance.
 UNIT V – SECURITY APPLICATIONS
Scalability: Managing a large number of IoT nodes requires scalable security solutions.
Connectivity: In IoT communications (Section 6), connecting various devices of different
capabilities in a secure manner is another challenge.
End-to-End Security: End-to-end security measures between IoT devices and Internet
hosts are equally important.
Authentication and Trust: Proper identification and authentication capabilities and their
orchestration within a complex IoT environment are not yet mature. This prevents
establishment of trust relationships between IoT components, which is a prerequisite for
IoT applications requiring ad-hoc connectivity between IoT components, such as Smart City
scenarios. Trust management for IoT is needed to ensure that data analytics engines are
fed with valid data. Without authentication it is not possible to ensure that the data flow
produced by an entity contains what it is supposed to contain.
Identity Management: Identity management is an issue as poor security practices are
often implemented. For example, the use of clear text/Base64 encoded IDs/passwords with
devices and machine-to-machine (M2M) is a common mistake. This should be replaced
with managed tokens such as JSON Web Tokens (JWT) used by OAuth/OAuth2
authentication and authorization framework (the Open Authorization).
Attack-Resistant Security Solutions: Diversity in IoT devices results in a need for
attack resistant and lightweight security solutions. As IoT devices have limited compute
resources, they are vulnerable to resource enervation attacks.
Security threats to IoT devices:
 UNIT V – SECURITY APPLICATIONS

Security Requirements in IoT:

Security is significant obstacle in IoT. It involves sensing of infrastructure security,
communication network security, application security and general system security.
 UNIT V – SECURITY APPLICATIONS
IoT security has diverse meaning which is depicted in the below diagram:

In IoT, each connected device could be a potential doorway into the IoT
infrastructure or personal data.
Security concern would elevate once IoT reaches next level of interoperability
and autonomous decision making and higher order security loopholes.
 UNIT V – SECURITY APPLICATIONS

The IoT key security requirements can be presented as shown in below Fig. The
main security requirements are categorized into six domains.

The need for privacy is the core property of self-actualization in IoT. There are
several applications working in many different grounds like patient monitoring system,
traffic control, energy consumption inventory management, smart parking, civil protection
any many others. Privacy should be guaranteed to the end user.
After security, the main aspect occurs is the privacy and with privacy, there is trust (see
Fig. 2), according to the internet of things, trust is also an important aspect or factor which
is developed by the end user when there is an element of security and privacy in the
device
 UNIT V – SECURITY APPLICATIONS
The current issue in IoT security concerns the access IoT has to sensitive data and the
movement of sensitive data overall. With enough time, hackers could theoretically use a
connected kettle to gain your business’ WIFI password.
Therefore, IoT security depends on intra-network data loss prevention. This tool helps
ensure that IoT devices can’t simply access data to which they aren’t entitled. Further, it
prevents malicious actors from moving data through network nodes or out of the network;
instead, it keeps all the data stored securely until an authorized user decides to move it.
This can apply to devices as much as people.
Integration with Backup
When we discuss IoT security, the conversation usually hinges on endpoint security.
Certainly, this stems from accurate beliefs. After all, IoT devices represent one more aspect
of the hardware-based digital perimeter; each device opens another potential attack vector
for external threat actors. Without visibility into every device brought by endpoint security,
hackers could find a solid foothold for infections.
Unnecessary Capabilities
Of course, the future of IoT security depends largely on your own commitment to
cybersecurity and the steps you take to ensure it. For example, many IoT devices come
with default administrator passwords which are easily guessed or cracked. Your security
team needs to take the time to reset these passwords wherever possible. Further, you
need to turn off unnecessary capabilities on each device which could hamper cybersecurity
efforts and protections.
Updates and Patches
Security depends on making sure that IoT devices receive regular updates to their security
firmware and software. Like all devices, the updates these devices receive contain vital
security patches and threat intelligence. Unfortunately, many IoT developers fail to make
patching these devices a priority.
(i) Next Generation IoT Security: Data Confidentiality
Homomorphic Encryption - Homomorphic encryption schemes make it
possible to perform mathematical operations on ciphertexts. Ex: Private healthcare
Searchable Encryption - Searchable encryption schemes allow a storage
provider to search for keywords or patterns in encrypted data.
So it is not possible to gain any knowledge of the underlying plaintext.
 UNIT V – SECURITY APPLICATIONS
(ii) Next Generation IoT Security: Trust
Trust Establishment - mainly focus on establishing trust in public keys and
their assignment to users, s mainly focus on establishing trust in public keys and their
assignment to user
Blockchain and IoT: Trust in Transactions
Trust in Platforms – Hardware and software
Identity Management -

(iii) Next Generation IoT Security: Privacy

Privacy Through Data Usage Control - The key advantage of data usage
control is that it provides users with the ability to control the usage of their data even
when it is managed by others.
Privacy in Multifaceted and Dynamic Contexts - As more data is being
stored, transmitted and processed via shared infrastructure, future IoT platforms will
require new advanced services and technologies to enforce adequate access controls.

5.2 CLOUD SECURITY

What is Cloud Security Architecture?
Cloud security starts with a cloud security architecture. An organization should
first understand its current cloud security posture, and then plan the controls and cloud
security solutions it will use to prevent and mitigate threats. This planning is critical to
secure hyper-complex environments, which may include multiple public clouds, SaaS and
PaaS services, on-premise resources, all of which are accessed from both corporate and
unsecured personal devices.
Why Do You Need a Cloud Security Architecture?
As organizations become more dependent on the cloud, they must also place a
bigger focus on security. Most off-network data flows through cloud-based services, yet
many of these cloud services are used without any security planning. The use of cloud
service providers and multiple personal devices makes it difficult for companies to view and
control data flows. Cloud collaboration bypasses ordinary network control measures. Access
to sensitive data on unmanaged personal devices presents a major risk.
 UNIT V – SECURITY APPLICATIONS
Security and risk management experts find it difficult to gain visibility over a
complex mix of devices, networks and clouds. These network security mosaics, fraught
with hidden vulnerabilities, are an invitation for attackers to attempt breaches.
Many cloud service providers do not provide detailed information about their
internal environment, and many common internal security controls cannot be directly
converted to a public cloud.
For all these reasons, organizations need to think about cloud security as a new
challenge, and build a cloud security architecture that will help them adequately secure this
complex environment.
Cloud Security Architecture Patterns
The right pattern can help you implement security across your organization. For
example, it can help you protect the CIA (confidentiality, integrity, and availability) of your
cloud data assets, as well as respond to security threats. You can implement security
controls directly, or use security controls as a service offered by your cloud provider or
third-party vendors.

The cloud security architecture model is usually expressed in terms of:

• Security controls—which can include technologies and processes. Controls should take
into account the location of each service—company, cloud provider, or third party.
• Trust boundaries—between the different services and components deployed on the
cloud
• Standard interfaces and security protocols—such as SSL, IPSEC, SFTP, LDAPS, SSH, SCP,
SAML, OAuth, etc.)
• Techniques used for token management—authentication, and authorization
• Encryption methods including algorithms like 128-bit AES, Triple DES, RSA, Blowfish.
• Security event logging—ensuring all relevant security events are captured, prioritized,
and delivered to security teams.

Each security control should be clearly defined using the following attributes:
• Service function—what is the service’s role? For example, encryption, authorization,
event data collection.
 UNIT V – SECURITY APPLICATIONS
• Logical location—public cloud service, third party service, or on-premises. Location
affects performance, availability, firewall policies, and service management.
• Protocol—what protocol is used to access the service? For example, REST, HTTPS, SSH.
• Input/Output – what does the service receive and what is it expected to deliver? For
example, input is a JSON feed and output is the same feed with encrypted payload data.
• Control mechanisms—what types of control does the service achieve? For example,
data at rest protection, user authentication, application authentication.
• Users and operators—who operates or benefits from the service? For example,
endpoint devices, end users, business managers, security analysts.

Cloud Computing Security Architectural elements:

The cloud security architecture model differs depending on the type of cloud
service: IaaS (Infrastructure as a Service), PaaS (Platform as a Service), or SaaS (Software
as a Service). Below we explain different security considerations for each model.
IaaS Cloud Computing Security Architecture
IaaS provides storage and network resources in the cloud. It relies heavily on
APIs to help manage and operate the cloud. However, cloud APIs are often not secure,
because they are open and easily accessible from the web.
The cloud service provider (CSP) is responsible for securing the infrastructure
and abstraction layer used to access the resources. Your organization's security obligations
cover the rest of the layers, mainly containing the business applications.
To better visualize cloud network security issues, deploy a Network Packet Broker
(NPB) in an IaaS environment. The NPB sends traffic and data to a Network Performance
Management (NPM) system, and to the relevant security tools. In addition, establish
logging of events occurring on network endpoints.
IaaS cloud deployments require the following additional security features:
• Network segmentation
• Intrusion Detection System and Intrusion Prevention System (IDS/IPS)
• Virtual firewalls placed in front of web applications to protect against malicious code, and
at the edge of the cloud network
• Virtual routers
 UNIT V – SECURITY APPLICATIONS
SaaS Cloud Computing Security Architecture
SaaS services provide access to software applications and data through a
browser. The specific terms of security responsibility may vary between services, and are
sometimes up for negotiation with the service provider.
Cloud Access Security Brokers (CASB) offers logging, auditing, access control and
encryption capabilities that can be critical when investigating security issues in a SaaS
product. In addition, make sure your SaaS environment has:
• Logging and alerting
• IP whitelists and/or blacklists
• API gateways, in case the service is accessed via API
PaaS Cloud Computing Security Architecture
PaaS platforms enable organizations to build applications without the overhead
and complexity associated with managing hardware and back-end software. In a PaaS
model, the CSP protects most of the environment. However, the company is still
responsible for the security of the applications it is developing.
Therefore, a PaaS security architecture is similar to a SaaS model. Ensure you
have CASP, logging and alerting, IP restrictions and an API gateway to ensure secure
internal and external access to your application’s APIs.

CLOUD SECURITY ARCHITECTURE:

A cloud security architecture (also sometimes called a “cloud computing security
architecture”) is defined by the security layers, design, and structure of the platform, tools,
software, infrastructure, and best practices that exist within a cloud security solution. A
cloud security architecture provides the written and visual model to define how to
configure and secure activities and operations within the cloud, including such things as
identity and access management; methods and controls to protect applications and data;
approaches to gain and maintain visibility into compliance, threat posture, and overall
security; processes for instilling security principles into cloud services development and
operations; policies and governance to meet compliance standards; and physical
infrastructure security components.
 UNIT V – SECURITY APPLICATIONS
Cloud security, in general, refers to the protection of information, applications, data,
platforms, and infrastructure that operate or exist within the cloud. Cloud security is
applicable to all types of cloud computing infrastructures, including public clouds, private
clouds, and hybrid clouds. Cloud security is a type of cybersecurity.
Key Elements of a Cloud Security Architecture
When developing a cloud security architecture several critical elements should be included:
• Security at Each Layer: Ensure that each layer of the cloud’s security stack is “self-
defending.” There may be multiple components in each layer, so having defense-in-
depth is critical. This goes into having things like automatic updates on operating
systems, secure coding and monitoring logs.
• Centralized Management of Components: This is taking the concept of multiple
components in each layer and managing each — especially security — from one place,
making sure to incorporate efficiency opportunities.
• Redundant & Resilient Design: Building out disaster recovery plans and having
backups on hand to re-establish operations. Another aspect of this is making sure you
have resiliency built into all components, or at least the ones that continuously need to
be online.
• Elasticity & Scalability: When it comes to elasticity, we have to keep in mind specific
design options. When scaling, should it be a horizontal or vertical scale? In other words,
can you make the server bigger or add more servers/services?
• Appropriate Storage for Deployments: When choosing storage, it comes down to
your organization’s use cases and needs. Take time to look at the options available as
they are not created equal. Each has its security controls and different performance
specifications.
• Alerts & Notifications: While designing how the components will talk to each other
and how users interact with those components, you need to ensure that you are being
alerted and notified. This keeps you in the loop on what is happening in your cloud
infrastructure.
• Centralization, Standardization, & Automation: Centralization is using services and
tools that can be integrated into a single dashboard for viewing. Standardization is
creating consistent architectural security models across the vast amount of services
offered in the cloud, reducing the burden of implementation of those new services.
Finally, Automation, the more you can automate your infrastructure, the quicker you can
scale and respond to incidents and issues.
 UNIT V – SECURITY APPLICATIONS
SECURITY MANAGEMENT IN THE CLOUD:
Cloud security management is the practice of securing your data and operations
in the cloud from theft or damage. As demand for cloud computing expands, cloud security
services are expected to grow as organizations become more aware of the importance of
securing their presence in the cloud. This article tackles what cloud security management
means and why it is important, how to evaluate cloud security management service
providers, and the pros and challenges of cloud security management.
Implementation of security management in cloud computing
Among several strategies you can adopt to keep your cloud secure are:
• Perform security audits. Analyze your cloud-based products and services for potential
security loopholes on a regular basis.
• Set appropriate levels of protection. Task your IT security team with complete
control of the security settings for your cloud-based applications, setting them to the
highest level possible.
• Use data encryption and network security monitoring tools. Add another level of
protection to your data by encrypting them, and only allow legitimate traffic into your
network.
• Manage end-user devices. Make sure that only authorized devices are given access to
your network and data.
• Manager users. Set appropriate user-level controls to limit data access to authorized
users only. Ensure that your users only have access to the data they need in their line of
work.
• Monitor user activity. Make use of reports to view user activity in your cloud, and gain
a better understanding of security risks surrounding your operations.

Challenges of cloud security management

There are also challenges in managing cloud security, including:

• Difficulties in tracking data use.This is especially true since cloud services provided
by a third-party vendor lie outside your corporate network. Be prepared to ask your
vendor for audit trail logs when necessary.
• Security risks inherent in multi-tenant environments. Multi-tenant environments
may expose your network to malicious attacks. Even if someone else’s network is
targeted, your network may still end up as collateral damage. The risk may be lower
when you have a reputable vendor host your cloud environment.
 UNIT V – SECURITY APPLICATIONS
• Access restriction management. Ensuring access restrictions in your on-premises
infrastructure are carried over to your cloud environment. When applicable, your IT
team must ensure that you have BYOD policies for your end -users, and that only
authorized devices and locations are allowed access to your cloud services.
• Meeting compliance requirements. Ensure that your cloud services pass compliance
requirements. You may assume that the vendor will take care of compliance. This is a
mistake that can lead to heavy fines from regulators. Since compliance is always your
responsibility, you should have a team ready to handle this for your organization.
• Asset misconfiguration potential. A misconfiguration can leave your network open
to attack. To prevent this from happening, assign a team to review configuration settings
and changes. Have a team ready to plug potential holes when needed.

Availability Management in Cloud Computing

Cloud Services are not immune to outages (failure/interruption) and the severity and the
scope of impact on the customer can vary based on the situation. As it will depend on the
criticality of the cloud application and its relationship to internal business processes.
1. Impact on business: In the case of business-critical applications where businesses rely
on the continuous availability of service, even a few minutes of service failure can have a
serious impact on the organization’s productivity, revenue, customer satisfaction, and
service-level compliance.
2. Impact on customers: During a cloud service disruption, affected customers will not
be able to access the cloud service and in some cases may suffer degraded performance
or user experience. For Example:- when a storage service is disrupted, it will affect the
availability and performance of a computing service that depends on the storage service.

For example, on December 20, 2005, Salesforce.com (the on-demand customer

relationship management service) said it suffered from a system outage that prevented
users from accessing the system during business hours. Users “experienced intermittent
access” because of a database cluster error in one of the company’s four global network
nodes, company officials said in a statement the day following the outage.
 UNIT V – SECURITY APPLICATIONS
Factors Affecting Availability:
The cloud service’s ability to recover from an outage situation and availability depends on a
few factors, including the cloud service provider’s data center architecture, application
architecture, hosting location redundancy, diversity of Internet service providers (ISPs),
and data storage architecture.

Following is a list of the major factors:

• The redundant design of System as a Service and Platform as a Service application.
• The architecture of the Cloud service data center should be fault-tolerant.
• Having better Network connectivity and geography can resist disaster in most cases.
• Customers of the cloud service should quickly respond to outages with the support team
of the Cloud Service Provider.
• Sometimes the outage affects only a specific region or area of cloud services, so it is
difficult in those cases to troubleshoot the situation.
• There should be reliability in the software and hardware used in delivering cloud
services.
• The infrastructure of the network should be efficient and should be able to cope-up with
DDoS(distributed denial of service ) attacks on the cloud service.
• Not having proper security against internal and external threats, e.g., privileged users
abusing privileges.

SaaS Availability Management

System as a Service Customer’s Responsibility:
• Customers should understand the Service Level Agreement(SLA) and communication
methods so that they will be informed on service outages or maintenance.
• Customers should be aware of options to support availability management that is they
should understand the factors affecting availability management.
• The customer of System as a service should be aware that the cloud service is
multitenant which means Cloud Service Providers typically offer a Standard Service Level
Agreement(SLA) for all customers. Thus, Cloud Service Providers may not be able to
provide their services to the customers if the standard Service level-Agreement(SLA)
does not meet the service requirements. However, if you are a medium or large
enterprise with a big budget, a custom SLA can be made available.
• The customers should be aware of how resource democratization occurs within the
Cloud Service Providers to best predict the likelihood of system availability and
performance during business fluctuations.
 UNIT V – SECURITY APPLICATIONS
System as a Service Health Monitoring:
The following options are available to customers to stay informed on the health of their
service:
• Service dashboards should be published by the Cloud Service Providers So that they can
publish the current state of services and can also inform the outage or any kind of
maintenance of the cloud.
• Customer should check their mailing list as the service provider might have notified them
about recently occurring outrages.
• Use third-party tools to check the health of the application.

PaaS Availability Management:

Platform as a Services Customer’s Responsibilities:
The following considerations are for Platform as a Services Customers:
• PaaS platform service levels: Customers should read and understand the terms and
conditions of the Cloud Service Provider’s Service Level Agreements.
• Third-party web services provider service levels: When your Platform as a
Services application depends on a third-party service it is critical to understand the
Service Level Agreements of that service. Network connectivity parameters with third-
party service providers. Example: Bandwidth and latency factors.
• Platform as a Service Health Monitoring: The following options are available to
customers to monitor the health of their service:
• Service health dashboard published by the Cloud Service Provider.
• Cloud Service Providers customer mailing list that notifies customers of
occurring and recently occurred outages
• Use third-party tools to check the health of the application
IaaS Availability Management:
IaaS Providers Availability Considerations include computing and building Storage
Infrastructure. Other services such as account management, a message queue service, an
identity and authentication service, a database service, a billing service, and monitoring
services. Customer Responsibility for the IaaS are to provision and manage the life cycle of
virtual servers.
 UNIT V – SECURITY APPLICATIONS
To manage the IaaS virtual infrastructure includes
Availability of CSP network available, host, storage, and support application
infrastructure. Cloud service provider’s data center architecture, including a geographically
diverse and fault-tolerance architecture should be efficient. With these being present
infrastructure also must be reliable.
– Internal or third-party-based service monitoring tools (e.g., Nagios)
– Web console or API that publishes the current health status of your virtual
servers and network.
• Infrastructure as a Service Health Monitoring: The following options are available
to Infrastructure as a Service customer for managing the health of their service:
• Service health dashboard published by the Cloud Service Providers.
• Cloud Service Providers customer mailing list that notifies customers of
occurring and recently occurred outages.
• Third-party-based service monitoring tools that periodically check the health of
your Infrastructure as a Service virtual server.

ACCESS CONTROL :
Access requirements must be aware to the client users and system
administrators (privileged users) who access network, system, and application resources.
The functionalities of access control management include defining who should
have access to what resources (Assignment of entitlements to users, and also to audit and
report to verify entitlement assignments), why should the users have access to the
resource they hold (Assignment of entitlements based on the user’s job functions and
responsibilities), how can the user access the resources which will state the authentication
methods and strength check before granting access to the resources.
In a cloud computing model, network based access control plays a diminishing
role. User access control should be strongly emphasized in the cloud, since it can strongly
bind a user’s identity to the resources in the cloud and will help with fine granular access
control, user accounting, support for compliance, and data protection. User access
management controls, including strong authentication, single sign-on (SSO), privilege
management, and logging and monitoring of cloud resources, play a significant role in
protecting the confidentiality and integrity of your information in the cloud.
 UNIT V – SECURITY APPLICATIONS
The following are the six control statements:
• Control access to information.
• Manage user access rights.
• Encourage good access practices.
• Control access to network services.
• Control access to operating systems.
• Control access to applications and systems.
Access Control: SaaS
In the SaaS delivery model, the CSP is responsible for managing all aspects of the network,
server, and application infrastructure. In that model, since the application is delivered as a
service to end users, usually via a web browser, network-based controls are becoming less
relevant and are augmented or superseded by user access controls, e.g., authentication
using a one-time password. Hence, customers should focus on user access controls
(authentication, federation, privilege management, deprovisioning, etc.) to protect the
information hosted by SaaS. Some SaaS services, such as Salesforce.com, augment
network access control (e.g., source IP address/network-based control) to user access
control in which case customers have the option to enforce access based on network and
user policy parameters.

Access Control: PaaS

In the PaaS delivery model, the CSP is responsible for managing access control to the
network, servers, and application platform infrastructure. However, the customer is
responsible for access control to the applications deployed on a PaaS platform. Access
control to applications manifests as end user access management, which includes
provisioning and authentication of users.

Access Control: IaaS

IaaS customers are entirely responsible for managing all aspects of access control to their
resources in the cloud. Access to the virtual servers, virtual network, virtual storage, and
applications hosted on an IaaS platform will have to be designed and managed by the
customer.
 UNIT V – SECURITY APPLICATIONS
In an IaaS delivery model, access control management falls into one of the following two
categories:
(i) CSP infrastructure access control
Access control management to the host, network, and management applications that are
owned and managed by the CSP
(ii)Customer virtual infrastructure access control
Access control management to your virtual server (virtual machines or VMs), virtual
storage, virtual networks, and applications hosted on virtual servers.

In summary, from an enterprise customer perspective, access management is an essential

security process to protect the confidentiality, integrity, and availability (CIA) of information
hosted in the cloud. A robust access management program should include procedures for
provisioning, timely deprovisioning, flexible authentication, privilege management,
accounting, auditing, and support for compliance management. Cloud customers should
understand the CSP-specific access control features for networks, systems, and
applications, and appropriately manage access.

SECURITY VULNERABILITY, PATCH, AND CONFIGURATION MANAGEMENT

The ability for malware (or a cracker) to remotely exploit vulnerabilities of
infrastructure components, network services, and applications remains a major threat to
cloud services. It is an even greater risk for a public PaaS and IaaS delivery model where
vulnerability, patch, and configuration management responsibilities remain with the
customer. Customers should remember that in cloud computing environments, the lowest
or highest common denominator of security is shared by all tenants in a multitenant virtual
environment. Hence, the onus is with the customers to understand the scope of their
security management responsibilities.
Customers should demand that CSPs become more transparent about their cloud
security operations to help customers understand and plan complementary security
management functions.
 UNIT V – SECURITY APPLICATIONS
By and large, CSPs are responsible for the vulnerability, patch, and configuration (VPC)
management of the infrastructure (networks, hosts, applications, and storage) that is CSP
managed and operated, as well as third-party services that they may rely on. However,
customers are not spared from their VPC duties and should understand the VPC aspects for
which they are responsible. A VPC management scope should address end-to-end security
and should include customer-managed systems and applications that interface with cloud
services.
As a standard practice, CSPs may have instituted these programs within their security
management domain, but typically the process is internal to the CSP and is not apparent to
customers. CSPs should assure their customers of their technical vulnerability management
program using ISO/IEC 27002 type control and assurance frameworks.

Security Vulnerability Management

Vulnerability management is an essential threat management element to help protect
hosts, network devices, and applications from attacks against known vulnerabilities. Mature
organizations have instituted a vulnerability management process that involves routine
scanning of systems connected to their network, assessing the risks of vulnerabilities to the
organization, and a remediation process (usually feeding into a patch management
program) to address the risks. Organizations using ISO/IEC 27002 are known to address
this program using a technical vulnerability management control objective, which states:
Objective: To reduce risks resulting from exploitation of published technical vulnerabilities.
Technical vulnerability management should be implemented in an effective, systematic, and
repeatable way with measurements taken to confirm its effectiveness. These considerations
should include operating systems, and any other applications in use.
Both the customer and the CSP are responsible for vulnerability management of the cloud
infrastructure, depending on the SPI service in context.

Security Patch Management

Similar to vulnerability management, security patch management is a vital threat
management element in protecting hosts, network devices, and applications from
unauthorized users exploiting a known vulnerability.
 UNIT V – SECURITY APPLICATIONS
Patch management processes follow a change management framework and feeds directly
from the actions directed by your vulnerability management program. Security patch
management mitigates risk to your organization by way of insider and outsider threats.
Hence, SaaS providers should be routinely assessing new vulnerabilities and patching the
firmware and software on all systems that are involved in delivering the *aaS service to
customers.
The scope of patch management responsibility for customers will have a low-to-
high relevance in the order of SaaS, PaaS, and IaaS services—that is, customers are
relieved from patch management duties in a SaaS environment, whereas they are
responsible for managing patches for the whole stack of software (operating system,
applications, and database) installed and operated on the IaaS platform. Customers are
also responsible for patching their applications deployed on the PaaS platform.

Security Configuration Management

Security configuration management is another significant threat management practice to
protect hosts and network devices from unauthorized users exploiting any configuration
weakness. Security configuration management is closely related to the vulnerability
management program and is a subset of overall IT configuration management. Protecting
the configuration of the network, host, and application entails monitoring and access
control to critical system and database configuration files, including OS configuration,
firewall policies, network zone configuration, locally and remotely attached storage, and an
access control management database.
In the SPI service delivery model, configuration management from a customer
responsibility perspective has a low-to-high relevance in the order of SaaS, PaaS, and IaaS
services—that is, SaaS and PaaS service providers are responsible for configuration
management of their platform, whereas IaaS customers are responsible for configuration
management of the operating system, application, and database hosted on the IaaS
platform. Customers are also responsible for configuration management of their
applications deployed on the PaaS platform.
 UNIT V – SECURITY APPLICATIONS
(i) SaaS VPC Management
SaaS VPC management focuses on managing vulnerabilities, security patching, and system
configuration in the CSP-managed infrastructure, as well as the customer infrastructure
interfacing with the SaaS service. Since the SaaS delivery model is anchored on the
premise that the application service is delivered over the Internet to a web browser
running on any computing device (personal computer, virtual desktop, or mobile device), it
is important to secure the endpoints from which the cloud is accessed. Hence, a VPC
management program should include endpoint VPC management requirements and should
be tailored to the corporate environment. It is standard practice for most companies to
institute a standard OS image for personal computers that include security tools such as
antivirus, anti-malware, firewall, and automatic patch management from a central
management station.
SaaS provider responsibilities
The following list represents SaaS VPC scope:
• Systems, networks, hosts, applications, and storage that are owned and operated by the
CSP
• Systems, networks, hosts, applications, and storage that are managed by third parties
• Personal computers and smartphones owned by the SaaS employees and contractors
SaaS customer responsibilities
SaaS customers are responsible for VPC management of their systems that interface with
the SaaS service. The responsibilities include:
• Personal computers of a SaaS user.
• Applications or services that interface with the SaaS service.
• Security testing of the SaaS service. Although SaaS providers are responsible for
vulnerability management of the software delivered as a service, some enterprise
customers can choose to independently assess the state of application security.

Note: The scope of the VPC management program should include browser security,
systems, and applications (on both trusted and untrusted zones) located at a
customer’s premises interfacing with SaaS services.
 UNIT V – SECURITY APPLICATIONS
(ii)PaaS VPC Management
PaaS VPC management focuses on VPC management in the CSP-managed infrastructure,
as well as the customer infrastructure interfacing with the PaaS service. Since applications
deployed on a PaaS platform are accessed from a web browser running on an endpoint
device (personal computer, virtual desktop, or mobile device), the program should include
endpoint VPC management scope.
PaaS provider responsibilities
Similar to a SaaS model, the PaaS CSP is responsible for VPC management of the
infrastructure that is operated by the CSP, as well as third-party services that they may rely
on.
PaaS customer responsibilities
PaaS customers are responsible for VPC management of the applications implemented and
deployed on the PaaS platform. Vulnerabilities or the configuration weakness of
applications deployed on a PaaS platform should be treated similarly to a standard
application operating in your data center (e.g., private cloud). Software vulnerabilities are
introduced by design flaws or coding errors. Configuration weakness can be introduced by
improper configuration of an application in the area of authentication and privilege
management. In addition, PaaS applications that rely on third-party web services may
simply become weak and vulnerable by way of vulnerabilities in the third-party service, and
that is out of your control.
PaaS customers should follow standard practices embedded in the Software Development
Life Cycle (SDLC), which helps to reduce software application vulnerabilities. Following are
some of the standard practices:
• Application white-box testing
• Application black-box testing
• Application penetration testing
• Vulnerability alerts
PaaS customers are also responsible for VPC management of their systems that interface
with the PaaS service. These systems include:
• Personal computers of a PaaS user
• Browsers used for accessing the PaaS service
• Applications located at the customer’s premises that interface with the PaaS service
 UNIT V – SECURITY APPLICATIONS
(iii)IaaS VPC Management
IaaS VPC management focuses on the CSP-managed infrastructure, as well as the
customer infrastructure interfacing with the IaaS service. IaaS VPC management diverges
from SaaS and PaaS in that the infrastructure delineation, network boundary between
customers, and CSP infrastructure are blurred. For each layer of infrastructure (network,
host, storage), the customer and CSP have responsibilities in managing VPC in the
respective layers from their perspective (i.e., the CSP is responsible for the common CSP
infrastructure available to all customers, and the customer is responsible for the virtual
infrastructure available to the customer for the duration of use). Hence, a VPC
management program should address both the common and shared infrastructures.
IaaS provider responsibilities
In general, an IaaS CSP is responsible for VPC management of the infrastructure that is
owned and operated by the CSP, as well as the third-party infrastructure and services they
may rely on. The VPC management scope should include:
• Systems, networks, hosts (hypervisors), storage, and applications that are CSP-owned
and operated
• Systems, networks, hosts, storage, and applications that are managed by third parties
• The web console or management station used by customers to manage their virtual
infrastructure
• Personal computers owned by the IaaS employees and contractors
IaaS customer responsibilities
IaaS customers are responsible for VPC management of the virtual infrastructure allocated
by an IaaS CSP for customer use.
IaaS administrators are also responsible for VPC management of their systems that
interface with an IaaS service. These systems include:
• Cloud management station, which is the host that the customer manages for managing
the virtual infrastructure in an IaaS cloud
• Personal computers of IaaS administrators
• Browsers used for accessing the IaaS service
 UNIT V – SECURITY APPLICATIONS
Summary:
Activities IaaS PaaS SaaS

Availability Manage VM availability Manage this activity for Provider

management with fault-tolerant applications deployed in responsibility
architecture the PaaS platform (the
provider is responsible
for their runtime engine
and services)
Patch and •Manage VM image • Manage this activity • Provider
configuration Hardening for applications responsibility
management • Harden your VMs, deployed in the PaaS
applications, and platform
database using your • Test your application
established security for OWASP Top 10
hardening process vulnerabilities
• Manage activities for
your VMs, database,
and applications using
your established
security management
process

Vulnerability • Manage OS, • Manage this activity • Provider

management application, and for applications responsibility
database deployed in the
vulnerabilities PaaS platform (the
leveraging provider is responsible
your established for their runtime engine
vulnerability and services)
management
Process
Access • Manage network and • Manage developer • Manage user
control user access control to access provisioning provisioning
management VM, secure privilege • Restrict access using • Restrict access
access to management authentication methods Using
consoles, install host (user- and network- authentication
IDS, and manage host based controls) methods (user-
firewall policies • Federate identity and and network-
enable SSO if SAML is based controls)
supported • Federate identity
and enable SSO if
SAML is supported
Assignments
 Assignments

EXAMPLES OF CLOUD SERVICE PROVIDERS

1. Amazon Web Services (IaaS)
2. Google (SaaS, PaaS)
3. Microsoft Azure Services Platform (PaaS)
4. Proofpoint (SaaS, IaaS)
5. RightScale (IaaS)
6. Salesforce.com (SaaS, PaaS)
7. Sun Open Cloud Platform
8. Workday (SaaS)
Part A – Q & A
Unit - V
 PART-A
1. What Is IoT?
The International Telecommunication Union (ITU) defined the term Internet of Things as
"Internet of Things will connect the world's objects in both a sensory and intelligent
manner".
IoT transforms ordinary products such as cars, buildings, and machines into smart,
connected objects that can communicate with people, applications and each other.

2. What are security challenges and requirement in IoT?

These security challenges for IoT include device vulnerabilities, data privacy concerns, and
network insecurity. To address these challenges, you can consult an IoT app development
company who will implement robust security measures such as device authentication,
encryption, and regular software updates.

3. What is IoT security architecture?

Internet of Things (IoT) devices implement important functionality and have access to
sensitive data, making security essential. An IoT security architecture uses IoT security
solutions to protect IoT devices.

4. What are the 5 challenges of IoT?

The 5 Biggest Challenges Facing the IoT Today
• Privacy and Security. Cybersecurity is always a concern for any network technology, but
the IoT represents a unique security challenge for a few reasons:
• Data Service Needs.
• Regulation.
• Device Compatibility.
• Public Perception.

5. Why is security required in IoT?

Securing the company against cyber threats requires securing all devices connected to the
corporate network. IoT security is a vital component of a corporate cybersecurity strategy
because it limits the risks posed by these insecure, networked devices.

6. What are the 3 types of architecture of IoT?

A basic IoT architecture consists of three layers:
• Perception (the sensors, gadgets, and other devices)
• Network (the connectivity between devices)
• Application (the layer the user interacts with)
 PART-A
7. What are security requirements in IoT?
The key requirements for any IoT security solution are: Device and data security, including
authentication of devices and confidentiality and integrity of data. Implementing and
running security operations at IoT scale.

8. What are the four 4 components of IoT?

However, all complete IoT systems are the same in that they represent the integration of
four distinct components: sensors/devices, connectivity, data processing, and a user
interface.

9. What is data confidentiality in IoT?

The confidentiality of the data must be ensured at rest (i.e., storage) and in transit (i.e.,
during transmission). Generally, confidentiality is achieved through encryption; however, in
the context of IoT, ensuring confidentiality becomes a challenge due to the large number of
devices and their resource constraints.

10. What is trust in IoT?

The concept “trust in IoT” refers to the examination of the behavior of devices linked to the
same network. The trust connection between two devices influences the future behavior of
their interactions. When devices trust each other, they prefer to share services and
resources to some degree

11. What are the ways of security privacy and trust in IoT?
Most commonly observed requirements for IoT security are namely authentication,
confidentiality and access control. There are several available ways in which security,
privacy, and trust of IoT can be managed in which NFC, RFID, and WSN are commonly
used. Content may be subject to copyright.

12. What are elements of IoT security?

The key requirements for any IoT security solution are: Device and data security, including
authentication of devices and confidentiality and integrity of data. Implementing and
running security operations at IoT scale. Meeting compliance requirements and requests.

13. What is security feature of IoT?

IoT security can be understood as a cybersecurity strategy and protection mechanism that
safeguards against the possibility of cyberattacks which specifically target physical IoT
devices that are connected to the network.
 PART-A
14. What do you think the future will hold for IoT security?
Consumer IoT will implement hardware firewalls
As consumers become more conscious regarding their privacy and safety of the IoT
devices, protection must improve. For the safety of these devices, IoT will likely use
hardware firewalls to ensure security from hacks, viruses and phishing scams.

15. What is the future of IoT 2023?

According to projections, IoT expenditure will reach $1.1 trillion in 2023, maintaining the
year-over-year growth rate. As the number of connected devices grows, businesses must
understand the finest ways to incorporate IoT into the problems they are currently dealing
with.

16. What is the industrial future of IoT?

The implementation and use of the internet of things (IoT) has transformed how industries
operate, communicate, and utilize data— and it's only continuing to grow. It is estimated
that by 2025, over 75 billion devices will be connected via IoT

17. What are the cloud security requirements?

Below are six things to look for in a cloud solution and some questions to ask your CSP
provider about security:
Controls designed to prevent data leakage.
Strong authentication.
Data encryption.
Visibility and threat detection.
Continuous compliance.
Integrated security.

18. What are the 5 pillars of cloud security?

• Identity and access management.
• Infrastructure protection.
• Data protection.
• Detection controls.
• Incident response.

19. What is cloud security and why is it required?

Cloud security is a collection of procedures and technology designed to address external
and internal threats to business security. Organizations need cloud security as they move
toward their digital transformation strategy and incorporate cloud-based tools and services
as part of their infrastructure.
 PART-A
20. What is cloud security architecture?
Cloud security architecture is the umbrella term used to describe all hardware, software
and infrastructure that protects the cloud environment and its components, such as data,
workloads, containers, virtual machines and APIs.

21. What are the four areas of cloud security?

The four areas are: (1) Encryption, Identity & Access Management (IAM), Security
Operations, and Threat Detection. Cloud storage providers like Amazon Cloud Drive encrypt
customer data with keys that are controlled solely by the user

22. What are the architectural considerations in cloud computing security

architecture?
These elements are often considered separately rather than part of a coordinated
architectural plan. It includes access security or access control, network security, application
security, contractual Security, and monitoring, sometimes called service security

23. What is the difference between cloud security and cloud security
architecture?
The difference between "cloud security" and "cloud security architecture" is that the former
is built from problem-specific measures while the latter is built from threats. A cloud
security architecture can reduce or eliminate the holes in Security that point-of-solution
approaches are almost certainly about to leave.

24. What is SaaS PaaS IaaS in cloud computing?

There are 3 main types of cloud computing as-a-service options and each one covers a
degree of management for you: infrastructure-as-a-service (IaaS), platform-as-a-service
(PaaS), and software-as-a-service (SaaS)

25. What are IaaS PaaS and SaaS examples?

Unlike SaaS users, IaaS customers must manage the applications, runtime, middleware,
operating systems, and data they access.
Common examples of PaaS, SaaS, and IaaS.
Platform Examples
SaaS Gmail, Slack, and Microsoft Office 365
IaaS Amazon Web Services, Microsoft Azure, and Google Compute Engine

26. What is SaaS and PaaS services?

PaaS, or platform as a service, is on-demand access to a complete, ready-to-use, cloud-
hosted platform for developing, running, maintaining and managing applications. SaaS, or
software as a service, is on-demand access to ready-to-use, cloud-hosted application
software.

27. What is an example of a SaaS?

SaaS platforms involve software that is available via third-party over the Internet. Examples
of popular SaaS providers include: BigCommerce. Google Workspace, Salesforce.

28. What are 3 examples of IaaS?

Examples of IaaS include Rackspace, Amazon Web Services (AWS) Elastic Compute Cloud
(EC2), Microsoft Azure, Google Compute Engine (GCE) and Joyent.
 PART-A
29. What is SaaS management?
SaaS Management is the business practice of proactively monitoring and managing the
purchasing, onboarding, licensing, renewals, and off-boarding of all the software-as-a-
service (SaaS) applications within a company's technology portfolio.

30. What is the difference between patch management and configuration

management?
A patch management product scans devices, installs patches, and reports on the success
and failure of the process. Configuration Management: Configuration management enables
an organization to define an authorized set of configurations for devices in use within the
environment.

31. What is cloud vulnerability management?

Cloud vulnerability management is a term that refers to the continuous process of
identifying, reporting, and remediating security risks found within the cloud platform

32. What are the two types of configuration management approach?

There are two types of configuration management approaches. Pull Model: The nodes are
dynamically updated with the configurations that are present in the server. Push Model:
Centralized server pushes the configurations on the nodes.

33. What is cloud configuration management?

As the name suggests, cloud configuration management involves configuring your
hardware and software elements within a cloud environment so they can efficiently and
safely communicate. Cloud management (CM) tools allow you to automate various
configuration states.
Part B – Questions
 Part-B Questions

Q. Questions CO K Level
No. Level
1 Explain about the IOT Security Architecture and its CO4 K3
applications
2 Describe about Security requirement and Challenges CO4 K3
3 Explain about Cloud Security Architecture and CO4 K3
Management.
4 Briefly explain the different types SaaS and PaaS CO4 K3
Availability Management
5 Describe about Access Control and Security CO4 K3
Vulnerability
6 Explain the stages of Patch and Configuration CO4 K3
Management in detail.
Supportive online
Certification courses
(NPTEL, Swayam, Coursera,
Udemy, etc.,)
Supportive Online Certification
Courses

Sl. Courses Platform

No.
1 Cryptography and Network Security NPTEL
2 Introduction to Cryptology NPTEL
3 Foundations of Cryptography NPTEL
4 Computational number theory and cryptography NPTEL
5 Cryptography Coursera
6 Applied Cryptography Coursera
7 Number theory and cryptography Coursera
8 Cryptography and Information theory Coursera
9 Asymmetric cryptography and key management Coursera
10 Symmetric Cryptography Coursera
11 Introduction to Cryptography Udemy
12 Cryptography with Python Udemy
13 Complete Cryptography master class Udemy
Real time Applications in
day to day life and to
Industry
Real Time Applications

 Secure Network Communications Secure Socket Layer (SSL)

 The SSL Handshake Protocol authenticates each end of the connection (server
and client), with the second or client authentication being optional. In phase 1,
the client requests the server's certificate and its cipher preferences. When the
client receives this information, it generates a master key and encrypts it with
the server's public key, then sends the encrypted master key to the server. The
server decrypts the master key with its private key, then authenticates itself to
the client by returning a message encrypted with the master key. Following
data is encrypted with keys derived from the master key. Phase 2, client
authentication, is optional. The server challenges the client, and the client
responds by returning the client's digital signature on the challenge with its
public-key certificate.
 SSL uses the RSA public-key cryptosystem for the authentication steps. After the
exchange of keys, a number of different cryptosystems are used, including RC2,
RC4, IDEA, DES and triple-DES.
Content Beyond
Syllabus
Contents beyond the Syllabus

 The impact of cloud computing on the role of corporate it

Assessment Schedule
(Proposed Date &
Actual Date)
 Assessment Schedule

Assessment Proposed Actual Course Program

Tool Date Date Outcome Outcome
(Filled Gap)
Assessment I

Assessment II
Model
Prescribed Text Books
& Reference
Prescribed Text & Reference
Books

Sl. Book Name & Author Book

No.

1 William Stallings, “Cryptography and Network Security Text Book

Principles and Practice”, Fifth Edition, 2011, Pearson Education
International

2 William Stallings and Lawrie Brown, “Computer Security Text Book

Principles and Practice”, Third Edition,2015, Pearson Education
International

3 Tim Mather, Subra Kumaraswamy and Shahed Latif, “Cloud Reference

Security and Privacy: An Enterprise Perspective on Risks and Book
Compliance”, 2009, Oreilly

4 Mikhail Gloukhovtsev, “IoT Security: Challenges, Solutions & Reference

Future Prospects”, 2018, Knowledge Sharing Article, Dell Inc. Book

5 Pradip KumarDas, Hrudaya Kumar Tripathy, Shafiz Affendi Mohd Reference

yusuf, Privacy and Security Issues in Big Data, An Analytical Book
View on Business Intelligence. Springer 2021.
Mini Project Suggestions
Mini Project
1. SAS 70 REPORT CONTENT EXAMPLE
2. SYSTRUST REPORT CONTENT EXAMPLE
3. OPEN SECURITY ARCHITECTURE FOR CLOUD COMPUTING
 Thank you

Disclaimer:

This document is confidential and intended solely for the educational purpose of RMK Group of
Educational Institutions. If you have received this document through email in error, please notify the
system manager. This document contains proprietary information and is intended only to the
respective group / learning community as intended. If you are not the addressee you should not
disseminate, distribute or copy through e-mail. Please notify the sender immediately by e-mail if you
have received this document by mistake and delete this document from your system. If you are not
the intended recipient you are notified that disclosing, copying, distributing or taking any action in
reliance on the contents of this information is strictly prohibited.