CLOUD COMPUTING - II

UNIT- III CLOUD SECURITY AND ISSUES:

What is Cloud Security?

Cloud security deals with the processes, policies, resources, and technologies involved in
keeping cloud computing architectures protected from cybersecurity threats and risks. Effective
cloud security measures aim to keep cloud data, applications, and services shielded against new
and existing threats via proper controls and solutions. Cloud security can be achieved via the
shared responsibility model, wherein both cloud service providers (CSPs) and cloud customers
have their own aspects that they would need to manage and secure.

Cloud Security: Understanding Shared

Responsibility
Broadly speaking, the concepts of “security of the cloud” versus “security in the
cloud” have been pioneered by Amazon to clarify the shared responsibility of vendors
and customers with regard to cloud security and compliance. Vendors are mainly
responsible for the physical and network infrastructure that make up the cloud service,
and then a sliding scale is applied depending on the specific cloud service purchased,
which then determines the customer’s direct security responsibility.

The different cloud service models — infrastructure as a service (IaaS), platform as a

service (PaaS), and software as a service (SaaS) — determine which components —
from the physical infrastructure hosting the cloud right down to the data created,
processed, and stored in it — will be the responsibility of the vendor or the customer,
and therefore who will be responsible for securing them.

Security Issues in Cloud Computing :

There is no doubt that Cloud Computing provides various Advantages but there are also some
security issues in cloud computing. Below are some following Security Issues in Cloud
Computing as follows.

1. Data Loss –
Data Loss is one of the issues faced in Cloud Computing. This is also known as Data
Leakage. As we know that our sensitive data is in the hands of Somebody else, and we
 don’t have full control over our database. So if the security of cloud service is to break by
hackers then it may be possible that hackers will get access to our sensitive data or
personal files.

2. Interference of Hackers and Insecure API’s –

As we know if we are talking about the cloud and its services it means we are talking
about the Internet. Also, we know that the easiest way to communicate with Cloud is
using API. So it is important to protect the Interface’s and API’s which are used by an
external user. But also in cloud computing, few services are available in the public
domain. An is the vulnerable part of Cloud Computing because it may be possible that
these services are accessed by some third parties. So it may be possible that with the help
of these services hackers can easily hack or harm our data.

3. User Account Hijacking –

Account Hijacking is the most serious security issue in Cloud Computing. If somehow the
Account of User or an Organization is hijacked by Hacker. Then the hacker has full
authority to perform Unauthorized Activities.

4. Changing Service Provider –

Vendor lock In is also an important Security issue in Cloud Computing. Many
organizations will face different problems while shifting from one vendor to another. For
example, An Organization wants to shift from AWS Cloud to Google Cloud Services then
they ace various problem’s like shifting of all data, also both cloud services have different
techniques and functions, so they also face problems regarding that. Also, it may be
possible that the charges of AWS are different from Google Cloud, etc.

5. Lack of Skill –
While working, shifting o another service provider, need an extra feature, how to use a
feature, etc. are the main problems caused in IT Company who doesn’t have skilled
Employee. So it requires a skilled person to work with cloud Computing.

6. Denial of Service (DoS) attack –

This type of attack occurs when the system receives too much traffic. Mostly DoS attacks
occur in large organizations such as the banking sector, government sector, etc. When a
DoS attack occurs data is lost. So in order to recover data, it requires a great amount of
money as well as time to handle it.

What are the Security Risks of Cloud Computing

Cloud computing provides various advantages, such as improved collaboration, excellent
accessibility, Mobility, Storage capacity, etc. But there are also security risks in cloud
computing.

Some most common Security Risks of Cloud Computing are given below-
Data Loss
Data loss is the most common cloud security risks of cloud computing. It is also known as data
leakage. Data loss is the process in which data is being deleted, corrupted, and unreadable by a
user, software, or application. In a cloud computing environment, data loss occurs when our
sensitive data is somebody else's hands, one or more data elements can not be utilized by the data
owner, hard disk is not working properly, and software is not updated.

Hacked Interfaces and Insecure APIs

As we all know, cloud computing is completely depends on Internet, so it is compulsory to
protect interfaces and APIs that are used by external users. APIs are the easiest way to
communicate with most of the cloud services. In cloud computing, few services are available in
the public domain. These services can be accessed by third parties, so there may be a chance that
these services easily harmed and hacked by hackers.708

Hello Java Program for Beginners

Data Breach
Data Breach is the process in which the confidential data is viewed, accessed, or stolen by the
third party without any authorization, so organization's data is hacked by the hackers.

Vendor lock-in
Vendor lock-in is the of the biggest security risks in cloud computing. Organizations may face
problems when transferring their services from one vendor to another. As different vendors
provide different platforms, that can cause difficulty moving one cloud to another.

Increased complexity strains IT staff

Migrating, integrating, and operating the cloud services is complex for the IT staff. IT staff must
require the extra capability and skills to manage, integrate, and maintain the data to the cloud.

Spectre & Meltdown

Spectre & Meltdown allows programs to view and steal data which is currently processed on
computer. It can run on personal computers, mobile devices, and in the cloud. It can store the
password, your personal information such as images, emails, and business documents in the
memory of other running programs.
Denial of Service (DoS) attacks
Denial of service (DoS) attacks occur when the system receives too much traffic to buffer the
server. Mostly, DoS attackers target web servers of large organizations such as banking sectors,
media companies, and government organizations. To recover the lost data, DoS attackers charge
a great deal of time and money to handle the data.

Account hijacking
Account hijacking is a serious security risk in cloud computing. It is the process in which
individual user's or organization's cloud account (bank account, e-mail account, and social media
account) is stolen by hackers. The hackers use the stolen account to perform unauthorized
activities.

Cloud Security Threats:

This section introduces several common threats and vulnerabilities in cloud-based

environments and describes the roles of the aforementioned threat agents.

Traffic Eavesdropping:
Traffic eavesdropping occurs when data being transferred to or within a cloud (usually from
the cloud consumer to the cloud provider) is passively intercepted by a malicious service
agent for illegitimate information gathering purposes The aim of this attack is to directly
compromise the confidentiality of the data and, possibly, the confidentiality of the
relationship between the cloud consumer and cloud provider. Because of the passive nature
of the attack, it can more easily go undetected for extended periods of time.

Malicious Intermediary:
The malicious intermediary threat arises when messages are intercepted and altered by a
malicious service agent, thereby potentially compromising the message’s confidentiality
and/or integrity. It may also insert harmful data into the message before forwarding it to its
destination.

Denial of Service:
The objective of the denial of service (DoS) attack is to overload IT resources to the point
where they cannot function properly. This form of attack is commonly launched in one of the
following ways:
• The workload on cloud services is artificially increased with imitation messages or
repeated communication requests.
• The network is overloaded with traffic to reduce its responsiveness and cripple its
performance.
 • Multiple cloud service requests are sent, each of which is designed to consume excessive
memory and processing resources. Successful DoS attacks produce server degradation
and/or failure.

Insufficient Authorization:
The insufficient authorization attack occurs when access is granted to an attacker
erroneously or too broadly, resulting in the attacker getting access to IT resources that are
normally protected. This is often a result of the attacker gaining direct access to IT resources
that were implemented under the assumption that they would only be accessed by trusted
consumer programs. A variation of this attack, known as weak authentication, can result
when weak passwords or shared accounts are used to protect IT resources. Within cloud
environments, these types of attacks can lead to significant impacts depending on the range
of IT resources and the range of access to those IT resources the attacker gains.

Virtualization Attack:
Virtualization provides multiple cloud consumers with access to IT resources that share
underlying hardware but are logically isolated from each other. Because cloud providers
grant cloud consumers administrative access to virtualized IT resources (such as virtual
servers), there is an inherent risk that cloud consumers could abuse this access to attack the
underlying physical IT resources. A virtualization attack exploits vulnerabilities in the
virtualization platform to jeopardize its confidentiality, integrity, and/or availability.

A trusted attacker successfully accesses a virtual server to compromise its underlying

physical server. With public clouds, where a single physical IT resource may be providing
virtualized IT resources to multiple cloud consumers, such an attack can have significant
repercussions.

Overlapping Trust Boundaries:

If physical IT resources within a cloud are shared by different cloud service consumers,
these cloud service consumers have overlapping trust boundaries. Malicious cloud service
consumers can target shared IT resources with the intention of compromising cloud
consumers or other IT resources that share the same trust boundary. The consequence is that
some or all of the other cloud service consumers could be impacted by the attack and/or the
attacker could use virtual IT resources against others that happen to also share the same trust
boundary.

Summary of Key Points:

• Traffic eavesdropping and malicious intermediary attacks are usually carried out by
malicious service agents that intercept network traffic.
• A denial of service attack occurs when a targeted IT resource is overloaded with requests in
an attempt to cripple or render it unavailable. The insufficient authorization attack occurs
 when access is granted to an attacker erroneously or too broadly, or when weak passwords
are used.
• A virtualization attack exploits vulnerabilities within virtualized environments to gain
unauthorized access to underlying physical hardware. Overlapping trust boundaries represent
a threat whereby attackers can exploit cloud-based IT resources shared by multiple cloud
consumers.

Threat Agents:

A threat agent is an entity that poses a threat because it is capable of carrying out an attack.
Cloud security threats can originate either internally or externally, from humans or software
programs.

Anonymous Attacker:
An anonymous attacker is a non-trusted cloud service consumer without permissions in the
cloud It typically exists as an external software program that launches network-level attacks
through public networks. When anonymous attackers have limited information on security
policies and defenses, it can inhibit their ability to formulate effective attacks. Therefore,
anonymous attackers often resort to committing acts like bypassing user accounts or stealing user
credentials, while using methods that either ensure anonymity or require substantial resources for
prosecution.

Malicious Service Agent:

A malicious service agent is able to intercept and forward the network traffic that flows within a
cloud It typically exists as a service agent (or a program pretending to be a service agent) with
compromised or malicious logic. It may also exist as an external program able to remotely
intercept and potentially corrupt message contents.

Trusted Attacker:
A trusted attacker shares IT resources in the same cloud environment as the cloud consumer and
attempts to exploit legitimate credentials to target cloud providers and the cloud tenants with
whom they share IT resources. Unlike anonymous attackers (which are non trusted), trusted
attackers usually launch their attacks from within a cloud’s trust boundaries by abusing
legitimate credentials or via the appropriation of sensitive and confidential information.
Trusted attackers (also known as malicious tenants) can use cloud-based IT resources for a wide
range of exploitations, including the hacking of weak authentication processes, the breaking of
encryption, the spamming of e-mail accounts, or to launch common attacks, such as denial of
service campaigns. Malicious Insider Malicious insiders are human threat agents acting on behalf
of or in relation to the cloud provider. They are typically current or former employees or third
parties with access to the cloud provider’s premises. This type of threat agent carries tremendous
damage potential, as the malicious insider may have administrative privileges for accessing
cloud consumer IT resources.

Summary of Key Points :

• An anonymous attacker is a non-trusted threat agent that usually attempts attacks from outside of a
cloud’s boundary.

• A malicious service agent intercepts network communication in an attempt to maliciously use or

augment the data.

• A trusted attacker exists as an authorized cloud service consumer with legitimate credentials that it uses
to exploit access to cloud-based IT resources.

• A malicious insider is a human that attempts to abuse access privileges to cloud.

Additional Considerations:-
This section provides a diverse checklist of issues and guidelines that relate to cloud security.
The listed considerations are in no particular order.

Flawed Implementations:
The substandard design, implementation, or configuration of cloud service deployments can have
undesirable consequences, beyond runtime exceptions and failures. If the cloud provider’s
software and/or hardware have inherent security flaws or operational weaknesses, attackers can
exploit these vulnerabilities to impair the integrity, confidentiality, and/or availability of cloud
provider IT resources and cloud consumer IT resources hosted by the cloud provider.

Security Policy Disparity:

When a cloud consumer places IT resources with a public cloud provider, it may need to accept
that its traditional information security approach may not be identical or even similar to that of
the cloud provider. This incompatibility needs to be assessed to ensure that any data or other IT
assets being relocated to a public cloud are adequately protected. Even when leasing raw
infrastructure-based IT resources, the cloud consumer may not be granted sufficient
administrative control or influence over security policies that apply to the IT resources leased
from the cloud provider. This is primarily because those IT resources are still legally owned by
the cloud provider and continue to fall under its responsibility. Furthermore, with some public
clouds, additional third parties, such as security brokers and certificate authorities, may introduce
their own distinct set of security policies and practices, further complicating any attempts to
standardize the protection of cloud consumer assets.

Contracts:
Cloud consumers need to carefully examine contracts and SLAs put forth by cloud providers to
ensure that security policies, and other relevant guarantees, are satisfactory when it comes to
asset security. There needs to be clear language that indicates the amount of liability assumed by
the cloud provider and/or the level of indemnity the cloud provider may ask for. The greater the
assumed liability by the cloud provider, the lower the risk to the cloud consumer. Another aspect
to contractual obligations is where the lines are drawn between cloud consumer and cloud
provider assets. A cloud consumer that deploys its own solution upon infrastructure supplied by
the cloud provider will produce a technology architecture comprised of artifacts owned by both
the cloud consumer and cloud provider.

Risk Management:
When assessing the potential impacts and challenges pertaining to cloud adoption, cloud
consumers are encouraged to perform a formal risk assessment as part of a risk management
strategy. A cyclically executed process used to enhance strategic and tactical security, risk
management is comprised of a set of coordinated activities for overseeing and controlling risks.
The main activities are generally defined as risk assessment, risk treatment, and risk control.

• Risk Assessment – In the risk assessment stage, the cloud environment is analyzed to identify
potential vulnerabilities and shortcomings that threats can exploit. The cloud provider can be
asked to produce statistics and other information about past attacks (successful and unsuccessful)
carried out in its cloud. The identified risks are quantified and qualified according to the
probability of occurrence and the degree of impact in relation to how the cloud consumer plans
to utilize cloud-based IT resources.

• Risk Treatment – Mitigation policies and plans are designed during the risk treatment stage
with the intent of successfully treating the risks that were discovered during risk assessment.
Some risks can be eliminated, others can be mitigated, while others can be dealt with via
outsourcing or even incorporated into the insurance and/or operating loss budgets. The cloud
provider itself may agree to assume responsibility as part of its contractual obligations.

• Risk Control – The risk control stage is related to risk monitoring, a three-step process that is
comprised of surveying related events, reviewing these events to determine the effectiveness of
previous assessments and treatments, and identifying any policy adjustment needs. Depending on
the nature of the monitoring required, this stage may be carried out or shared by the cloud
provider.

CLOUD SECURITY MECHANISM:

1. Encryption:

The data, by default, is coded in a readable form known as plaintext. When transmitted
over a network, the risk is unauthorized and potentially dangerous access.

Encryption technology relies on a standard algorithm called cipher to convert original

text data into encrypted data, called ciphertext. Access to ciphertext does not disclose the
exact details of writing, with the exception of other metadata types, such as message
length and creation date. When encryption is used for listening data, data is paired with a
string of characters called an encryption key. The encryption key is used to encrypt
ciphertext back to its original writing format.

Asymmetric Encryption
A malicious service provider cannot retrieve data from encrypted messages. Refund
attempt may also reveal to the cloud service customer.

2. Hashing:

Hashing is the conversion of a string of characters into a limited number of short lengths
or a key that reflects the original string. Hashing is used to identify and retrieve items
from the database because it is faster to find an object using the shorter hashed key than
to find it using the original value. It is also used in many encryption algorithms.
There are many well-known hash functions used in cryptography. These include
message-digest hash works MD2, MD4, and MD5, which is used to incorporate digital
signatures into a short form called message-digest, and the Secure Hash Algorithm
(SHA), a standard algorithm, which makes it large (60- bit) digestion message and
similar to MD4. An effective hash function for storing and retrieving, however, may not
work for cryptographic detection purposes or errors.

Malware hashes are used by anti-virus programs to identify viruses. They contain the
numerical values of the code that differs from this virus. Anti-virus software compares
malware hashes and software-hardware hashes within a computer program to detect
malware.
The diagram shows the creation of a malware hash by creating a cryptographic hash of
malware code to create a path that can be used by anti-virus software to identify the virus.
The authors of Malware have learned to customize viruses on each infected machine,
creating unique hashes for each copy submitted challenging the anti-virus programs.
3. Digital Signatures:

The digital signature mechanism is a means of providing data integrity, data authenticity
through authentication, and non-repudiation. A message is assigned a digital signature
prior to transmission, and if the message experiences any subsequent, unauthorized
modifications then it is rendered as invalid. A digital signature provides evidence that the
message received is the same as the original message sent by the rightful sender.

Both hashing and asymmetrical encryption are involved in the creation of a digital
signature, which exists as a message digest that was encrypted by a private key and
appended to the original message. To decrypt the digital signature’s encrypted hash, the
recipient verifies the signature validity by using the corresponding public key, which
produces the message digest. To produce the message digest hashing mechanism is
applied to the original message. Identical results from the two different processes is an
indication that the message maintained its integrity.

4. Single Sign-On:

The single sign-on (SSO) mechanism enables one cloud service consumer to be
authenticated by a security broker, which establishes a security context while the cloud
service consumer accesses cloud-based IT resources. Otherwise, with every subsequent
request, the service consumer would need to re-authenticate itself.
The advantage to the SSO machine is how it enables independent IT resources to
generate and distribute operational authorization and validation signals. The information
originally provided by the cloud client remains active during the user’s session, while its
security information is shared with other IT resources. SSO Security Vendor assists when
a cloud buyer needs access to cloud-based cloud services.
5. Public Key Infrastructure:

A common approach for managing the issuance of asymmetric keys is based on the PKI
(public key infrastructure) mechanism, which exists as a system of protocols, practices,
rules, and data formats that enable large-scale systems to securely use public-key
cryptography. This system is used to associate public keys with their corresponding key
owners (known as public-key identification) while enabling the verification of key
validity. PKIs have digitally signed data structures that rely on the use of digital
certificates, that bind public keys to certificate owner identities, as well as to related
information, such as validity periods. A third-party certificate authority (CA) digitally
signs the Digital certificates.

The components of a PKI include a CA that issues the certificates, a registration authority
(RA) to approve the issuance of the certificates, a public directory containing the issued
certificates, and the certificate revocation list (CRL).

6. Identity and Access Management:

Cloud Identity and Access Management typically include the following features:

Single Access Control Interface: Cloud IAM solutions provide a clean and consistent
access control interface for all cloud platform services. All cloud services can use the
same interface.

Enhanced Security: You can define increased security for critical applications.
Resource-level Access Control. You can define roles and grant permissions to users for
allowing them to access resources at different granularity levels.
Hardened Virtual Server Image

A virtual server is created from a template configuration called a virtual server image or virtual
image machine. Hardening is the process of stripping unnecessary software from a system to
limit potential vulnerabilities that can be exploited by attackers. Removing redundant programs,
closing unnecessary server ports, and disabling unused services, internal root accounts, and guest
access are all examples of hardening.
A hardened virtual server image is a template for virtual service instance creation that has been
subjected to a hardening process (Figure 1). This generally results in a virtual server template
that is significantly more secure than the original standard image.
Hardened virtual server images help counter the denial of service, insufficient authorization, and
overlapping trust boundaries threats.

Figure 1 – A cloud provider applies its security policies to harden its standard virtual server
images. The hardened image template is saved in the VM images repository as part of a resource
management system.
CLOUD COMPUTING ISSUES:
The delivery of computing services from a remote location. Cloud Computing is Internet-based
computing, where shared resources, software, and information are provided to computers and
other devices on demand.
These are major issues in Cloud Computing:
1. Privacy:

The user data can be accessed by the host company with or without permission. The service
provider may access the data that is on the cloud at any point in time. They could accidentally
or deliberately alter or even delete information.

2. Compliance:

There are many regulations in places related to data and hosting. To comply with regulations
(Federal Information Security Management Act, Health Insurance Portability and
Accountability Act, etc.) the user may have to adopt deployment modes that are expensive.

3. Security:

Cloud-based services involve third-party for storage and security. Can one assume that a
cloud-based company will protect and secure one’s data if one is using their services at a very
low or for free? They may share users’ information with others. Security presents a real threat
to the cloud.

4. Sustainability:

This issue refers to minimizing the effect of cloud computing on the environment. Citing the
server’s effects on the environmental effects of cloud computing, in areas where climate favors
natural cooling and renewable electricity is readily available, the countries with favorable
conditions, such as Finland, Sweden, and Switzerland are trying to attract cloud computing
data centers. But other than nature’s favors, would these countries have enough technical
infrastructure to sustain the high-end clouds?

5. Abuse:

While providing cloud services, it should be ascertained that the client is not purchasing the
services of cloud computing for a nefarious purpose. In 2009, a banking Trojan illegally used
the popular Amazon service as a command and control channel that issued software updates
and malicious instructions to PCs that were infected by the malware So the hosting companies
and the servers should have proper measures to address these issues.
6, Higher Cost:

If you want to use cloud services uninterruptedly then you need to have a powerful network
with higher bandwidth than ordinary internet networks, and also if your organization is broad
and large so ordinary cloud service subscription won’t suit your organization. Otherwise, you
might face hassle in utilizing an ordinary cloud service while working on complex projects and
applications. This is a major problem before small organizations, that restricts them from
diving into cloud technology for their business.

7. Recovery of lost data in contingency:

Before subscribing any cloud service provider goes through all norms and documentations and
check whether their services match your requirements and sufficient well-maintained resource
infrastructure with proper upkeeping. Once you subscribed to the service you almost hand over
your data into the hands of a third party. If you are able to choose proper cloud service then in
the future you don’t need to worry about the recovery of lost data in any contingency.

8. Upkeeping(management) of Cloud:

Maintaining a cloud is a herculin task because a cloud architecture contains a large resources
infrastructure and other challenges and risks as well, user satisfaction, etc. As users usually pay
for how much they have consumed the resources. So, sometimes it becomes hard to decide
how much should be charged in case the user wants scalability and extend the services.

9. Lack of resources/skilled expertise:

One of the major issues that companies and enterprises are going through today is the lack of
resources and skilled employees. Every second organization is seeming interested or has
already been moved to cloud services. That’s why the workload in the cloud is increasing so
the cloud service hosting companies need continuous rapid advancement. Due to these factors,
organizations are having a tough time keeping up to date with the tools. As new tools and
technologies are emerging every day so more skilled/trained employees need to grow. These
challenges can only be minimized through additional training of IT and development staff.

10. Pay-per-use service charges:

Cloud computing services are on-demand services a user can extend or compress the volume
of the resource as per needs. so you paid for how much you have consumed the resources. It is
difficult to define a certain pre-defined cost for a particular quantity of services. Such types of
ups and downs and price variations make the implementation of cloud computing very difficult
and intricate. It is not easy for a firm’s owner to study consistent demand and fluctuations with
the seasons and various events. So it is hard to build a budget for a service that could consume
several months of the budget in a few days of heavy use.

*******