Unit 4 - Cloud Computing - WWW - Rgpvnotes.in
Cloud security fundamentals, Vulnerability assessment tool for cloud, Privacy and Security in cloud, Cloud
computing security architecture: Architectural Considerations - General Issues, Trusted Cloud computing,
Secure Execution Environments and Communications, Micro-architectures; Identity Management and
Access control - Identity management, Access control, Autonomic Security, Cloud computing security
challenges: Virtualization security management - virtual threats, VM Security Recommendations,
VM-Specific Security techniques, Secure Execution Environments and Communications in cloud.
UNIT IV
• Zscaler: It calls its product the “Direct to Cloud Network,” and like many of these products, it is
much easier to deploy and can be much more cost efficient than traditional appliance security. The
company’s products protect against advanced persistent threats by monitoring all the traffic that
comes in and out of the network as a kind of “checkpost in the cloud.” Traffic does not have to be
filtered from one central point: given the flexibility of the cloud, specific local networks can be
monitored as well. Zscaler also protects iOS and Android devices within the company, which can
then be monitored through its mobile online dashboard.
• CipherCloud: It secures the other “as a service” products an organization uses, such as Salesforce,
Chatter, Box, Office 365, Gmail, Amazon Web Services, and more. It promises to protect the prized
company data that users hand over to these services, as well as communications. It does this
through a number of mechanisms. It also provides mobile security support.
• DocTrackr: It is a security layer that sits on top of file sharing services such as Box and Microsoft
SharePoint. It is built on the idea that once a user sends a document out of a system, it is truly out of
his or her hands: people can save it, change it, send it on, and the sender has lost control of it.
DocTrackr aims to stop that from happening. It lets the user set privileges for each person a
document is shared with. It further tracks everyone who opens the file, so the user knows who is
looking at the information and can even pull documents back, effectively ending the sharing.
Data integrity: Data integrity means protecting data from unauthorized deletion, modification, or
fabrication. Managing an entity's admittance and rights to specific enterprise resources ensures that
valuable data and services are not abused, misappropriated, or stolen.
Data integrity in the cloud system means preserving information integrity: the data should not be lost or
modified by unauthorized users. Data integrity is the basis for providing cloud computing services such as
SaaS, PaaS, and IaaS. Besides storage of large-scale data, the cloud computing environment usually
provides data processing services. Data integrity can be obtained by techniques such as RAID-like strategies
and digital signatures.
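The integrity technique named above can be made concrete with a keyed integrity manifest. The following Python is an added example, not code from these notes: it uses an HMAC-SHA256 tag per stored object in place of an asymmetric digital signature (the standard library has no signature primitive; the flow of tagging, storing the manifest and verifying is the same), and the key, object names and contents are constructed for the demonstration. Verification distinguishes modified, missing and unexpected objects.

```python
import hashlib
import hmac
import json
from typing import Dict

# Constructed sample "stored objects" (in practice: file contents or VM image chunks).
SAMPLE_OBJECTS: Dict[str, bytes] = {
    "reports/q1.csv": b"customer,amount\nacme,1200\nglobex,800\n",
    "config/app.yaml": b"debug: false\nregion: eu-west-1\n",
}

# Constructed key. In a real deployment it lives in a KMS/HSM, never beside the data.
INTEGRITY_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)


def object_tag(key: bytes, name: str, content: bytes) -> str:
    """HMAC-SHA256 over the object name, its length and its content.

    Binding the name means a valid tag cannot be reused on a renamed or
    swapped object, which a content-only hash would not detect.
    """
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(name.encode("utf-8"))
    mac.update(b"\x00")
    mac.update(len(content).to_bytes(8, "big"))
    mac.update(content)
    return mac.hexdigest()


def build_manifest(key: bytes, objects: Dict[str, bytes]) -> Dict[str, str]:
    """Produce {name: tag} for every object; this manifest is stored alongside the data."""
    return {name: object_tag(key, name, data) for name, data in objects.items()}


def verify_manifest(key: bytes, manifest: Dict[str, str],
                    objects: Dict[str, bytes]) -> Dict[str, str]:
    """Compare stored objects to the manifest and report a status per name.

    "ok"         tag matches
    "modified"   content (or name) differs from what was tagged
    "missing"    listed in the manifest but absent from storage (unauthorized deletion)
    "unexpected" present in storage but not in the manifest (fabrication)
    """
    report: Dict[str, str] = {}
    for name, expected in manifest.items():
        if name not in objects:
            report[name] = "missing"
            continue
        actual = object_tag(key, name, objects[name])
        # compare_digest avoids leaking tag bytes through timing differences
        report[name] = "ok" if hmac.compare_digest(actual, expected) else "modified"
    for name in objects:
        if name not in manifest:
            report[name] = "unexpected"
    return report


if __name__ == "__main__":
    manifest = build_manifest(INTEGRITY_KEY, SAMPLE_OBJECTS)
    print(json.dumps(manifest, indent=2))
    # Simulate tampering: edit one object, delete one, drop in a new one.
    tampered = dict(SAMPLE_OBJECTS)
    tampered["reports/q1.csv"] = b"customer,amount\nacme,12000\nglobex,800\n"
    del tampered["config/app.yaml"]
    tampered["tmp/dropped.bin"] = b"\x90" * 4
    print(verify_manifest(INTEGRITY_KEY, manifest, tampered))
```

A manifest protected by a MAC is only as trustworthy as the key: whoever holds it can re-tag altered data, so the key must not be stored with the objects it protects. With an asymmetric signature the cloud side would hold only the public key and could verify but never forge.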
Data confidentiality: Users store their private or confidential data in the cloud, so it is important that it
stays confidential. Authentication, encryption and access control strategies are used to ensure data
confidentiality in cloud computing.
Data availability: It means that even when hard disk damage, disasters or network failures occur, the data
is safe and available to the user, and the user’s data can be used, recovered and verified.
Data privacy: It is the ability of cloud users to hide information about themselves and reveal it selectively.
In the cloud, privacy means that when users access sensitive data, the cloud service can prevent a potential
adversary from inferring the user’s behaviour from the user’s access pattern.
Cloud Computing Security Architecture identifies the main cloud Actors, their roles, and the main
architectural components necessary for managing and providing cloud services. In a cloud environment,
the security threats and security requirements differ between cloud deployment models, as do the
necessary mitigations against such threats and the cloud Actors' responsibilities for implementing security
controls.
Security architecture serves as a guide and can accelerate application migration to clouds while
managing the security risks. In addition, cloud security architecture patterns should highlight the trust
boundary between the various services and components deployed at cloud services. The security
architecture also points out standard interfaces, security protocols (SSL, TLS, IPsec, LDAPS, SFTP, SSH, SCP,
SAML, OAuth, TACACS, OCSP, etc.) and mechanisms available for authentication, token management,
authorization, encryption methods (hash, symmetric, asymmetric), encryption algorithms (Triple DES,
128-bit AES, Blowfish, RSA, etc.), security event logging, the source of truth for policies and user attributes,
and coupling models (tight or loose). Finally, the patterns should be leveraged to create security checklists
that can be automated by configuration management tools.
Security architecture highlights the following attributes for each of the security services consumed by the
cloud application:
• Logical location: Native to the cloud service, in-house, or third-party cloud. The location may have
implications for the performance, availability, firewall policy and governance of the service.
• Protocol: Specifies the protocol(s) used to invoke the service. For example, REST with X.509
certificates for service requests.
• Service function: Specifies the function of the service. For example, encryption of the artifact, logging,
authentication and machine fingerprinting.
• Input/Output: Specifies the inputs, including methods to the controls, and outputs from the security
service. For example, Input = XML doc and Output = XML doc with encrypted attributes.
• Control description: Specifies the security control offered by the security service. For example, data
protection, confidentiality, user authentication and application authentication.
• Actor: Specifies the users of this service. For example, End point, End user, Enterprise administrator, IT
auditor and Architect.
The term trusted PC refers to a PC with built-in security mechanisms that place minimal reliance on the
end user to keep the machine and its peripheral devices secure. The intent is that, once effective
mechanisms are built into hardware, computer security will be less dependent on the vigilance of
individual users and network administrators than it has ever been. Some concerns have arisen about
possible loss of user privacy and autonomy as a result of such solutions.
In cloud computing, the major burden of establishing a secure execution environment is transferred from
the client to the cloud provider. However, protected data transfers must be established through strong
authentication mechanisms, and the client must have practices in place to address the privacy and
confidentiality of information that is exchanged with the cloud. In fact, the client’s port to the cloud might
provide an attack path if not properly provisioned with security measures. Therefore, the client needs
assurance that computations and data exchanges are conducted in a secure environment. This assurance
rests on trust established through cryptographic methods. Also, research into areas such as compiler-based
virtual machines promises a more secure execution environment for operating systems.
Another major concern in secure execution of code is the widespread use of “unsafe” programming
languages such as C and C++ instead of more secure languages such as object-oriented Java and structured,
object-oriented C#.
SECURE COMMUNICATIONS
As opposed to having managed, secure communications among the computing resources internal to an
organization, movement of applications to the cloud requires a reevaluation of communications security.
These communications apply to both data in motion and data at rest.
Secure cloud communications involves the structures, transmission methods, transport formats, and
security measures that provide confidentiality, integrity, availability, and authentication for transmissions
over private and public communications networks. Secure cloud computing communications should ensure
the following:
Confidentiality: It ensures that only those who are supposed to access data can retrieve it. Loss of
confidentiality can occur through the intentional release of private company information or through a
misapplication of network rights. Some of the elements of telecommunications used to ensure
confidentiality are as follows:
• Network security protocols
• Network authentication services
• Data encryption services
Integrity: It ensures that data has not been changed due to accident or malice. Integrity is the
guarantee that the message sent is the message received and that the message is not intentionally or
unintentionally altered. Integrity also includes the concept of non-repudiation of a message source. Some
of the constituents of integrity are as follows:
• Firewall services
• Communications Security Management
• Intrusion detection services
Availability: It ensures that data is accessible when and where it is needed, and that connectivity is
available when needed, allowing authorized users to access the network or systems. Also included in
that assurance is the guarantee that security services for the security practitioner are usable when they are
needed. Some of the elements used to ensure availability are as follows:
• Fault tolerance for data availability, such as backups and redundant disk systems
• Acceptable logins and operating process performances
• Reliable and inter-operable security processes and network security mechanisms
MICRO-ARCHITECTURES
A microarchitecture is a hardware implementation of an ISA (instruction set architecture). An ISA is a
structure of commands and operations used by software to communicate with hardware. A
microarchitecture is the hardware circuitry that implements one particular ISA.
For example, x86-64 is the ISA used by most modern laptop and desktop computers. It is implemented by
various microarchitectures, including those designed by Intel and AMD. Software that is compiled for the
x86-64 ISA can run on any microarchitecture designed to use the x86-64 instruction set.
Multiple CPU models may be designed for a particular microarchitecture. For this reason,
microarchitecture is sometimes referred to as a "family" or "generation" of CPU. For example, Intel Kaby
Lake (7th generation) and Coffee Lake (8th generation) are separate microarchitectures, each with a
"family" of compatible CPUs.
The word "microarchitecture" is sometimes abbreviated µarch. The Greek letter µ ("mu") is the scientific
abbreviation for "micro." Because this letter does not appear on some keyboards, the abbreviation uarch
may also be used.
AUTONOMIC SECURITY
Autonomic computing refers to the self-management of complex distributed computing resources that
can adapt to unpredictable changes transparently to operators and users. Security is one of the four
key elements of autonomic computing and includes proactive identification of and protection from arbitrary
attacks.
Autonomic computing (AC) refers to the self-managing characteristics of distributed computing resources,
adapting to unpredictable changes while hiding intrinsic complexity to operators and users. Initiated by
IBM in 2001, this initiative ultimately aimed to develop computer systems capable of self-management, to
overcome the rapidly growing complexity of computing systems management, and to reduce the barrier
that complexity poses to further growth.
Autonomic computing is a computer’s ability to manage itself automatically through adaptive technologies
that further computing capabilities and cut down on the time required by computer professionals to
resolve system difficulties and other maintenance such as software updates.
Insider Threats: Sometimes, the biggest threats to an organization’s cybersecurity are internal. Insider
threats are usually seen as more hazardous than outsider threats as they can take several months or years
to identify.
The masterminds are usually individuals with legitimate access to an organization’s cloud systems.
Whether they happen intentionally or maliciously, insider threats will cause a lot of harm to the cloud
system. Therefore, it is essential to detect, investigate and respond to them as fast as possible.
The reason why these attacks can go undetected for long periods is that businesses lack the proper
systems to identify these attacks and are unprepared to identify and resolve them. In addition, companies
have little to no control over underlying cloud infrastructure.
Monitoring user analytics and gaining visibility into behavioral anomalies can be a way to signal an active
insider threat as well as putting employees and processes to the test with adversary simulation and control
tuning.
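As an added example (not part of the original notes), the following Python shows how the behavioural-anomaly monitoring suggested above can be implemented over access logs. The log lines, user names, objects and thresholds are all constructed for the demonstration. The detector builds a per-user baseline of daily download volume from a history window, then flags days whose volume is far above that baseline (or any sizeable download by a user with no download history at all) and any access outside working hours.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median
from typing import Dict, List, Tuple

# Constructed sample access log (not from any real system). One event per line:
# <UTC timestamp> user=<name> action=<verb> object=<path> bytes=<n>
SAMPLE_LOG = """\
2024-03-04T09:12:44Z user=alice action=download object=reports/q1.csv bytes=2048
2024-03-04T10:03:10Z user=alice action=download object=reports/q2.csv bytes=1900
2024-03-04T11:40:02Z user=bob action=view object=wiki/onboarding bytes=512
2024-03-05T09:30:15Z user=alice action=download object=reports/q3.csv bytes=2100
2024-03-05T14:02:51Z user=bob action=view object=wiki/policies bytes=640
2024-03-06T08:55:30Z user=alice action=download object=reports/q4.csv bytes=2000
2024-03-06T13:15:00Z user=bob action=view object=wiki/oncall bytes=600
2024-03-07T02:14:09Z user=bob action=download object=hr/salaries.xlsx bytes=900000
2024-03-07T02:15:31Z user=bob action=download object=hr/contracts.zip bytes=4500000
2024-03-07T02:16:02Z user=bob action=download object=finance/forecast.xlsx bytes=120000
2024-03-07T09:05:12Z user=alice action=download object=reports/q5.csv bytes=2050
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"object=(?P<obj>\S+) bytes=(?P<bytes>\d+)$"
)


def parse_log(text: str) -> List[dict]:
    """Parse log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "user": m["user"], "action": m["action"],
                       "obj": m["obj"], "bytes": int(m["bytes"])})
    return events


def daily_download_bytes(events: List[dict]) -> Dict[str, Dict[str, int]]:
    """user -> {YYYY-MM-DD: bytes downloaded that day}."""
    totals: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["action"] == "download":
            totals[e["user"]][e["ts"].strftime("%Y-%m-%d")] += e["bytes"]
    return totals


def detect_anomalies(events: List[dict], baseline_until: str, volume_factor: float = 5.0,
                     no_history_floor: int = 100_000,
                     work_hours: Tuple[int, int] = (7, 20)) -> List[Tuple[str, str, str]]:
    """Return (user, day, reason) findings for days after `baseline_until`.

    Rule 1: a day's download volume exceeds volume_factor x the user's median
            daily volume in the baseline window (or no_history_floor bytes for a
            user who never downloaded before: a brand-new behaviour is itself a signal).
    Rule 2: any event outside work_hours (UTC, half-open interval [start, end)).
    """
    per_day = daily_download_bytes(events)
    baseline: Dict[str, float] = {}
    for user, days in per_day.items():
        history = [b for day, b in days.items() if day <= baseline_until]
        baseline[user] = median(history) if history else 0
    detect_days = sorted({e["ts"].strftime("%Y-%m-%d") for e in events
                          if e["ts"].strftime("%Y-%m-%d") > baseline_until})
    findings: List[Tuple[str, str, str]] = []
    for user in sorted({e["user"] for e in events}):
        base = baseline.get(user, 0)
        threshold = volume_factor * base if base > 0 else no_history_floor
        for day in detect_days:
            volume = per_day[user].get(day, 0)
            if volume > threshold:
                findings.append((user, day, f"download volume {volume} bytes exceeds "
                                            f"threshold {int(threshold)} (baseline {int(base)})"))
            off_hours = [e for e in events if e["user"] == user
                         and e["ts"].strftime("%Y-%m-%d") == day
                         and not (work_hours[0] <= e["ts"].hour < work_hours[1])]
            if off_hours:
                findings.append((user, day, f"off-hours access: {len(off_hours)} event(s)"))
    return findings


if __name__ == "__main__":
    for finding in detect_anomalies(parse_log(SAMPLE_LOG), baseline_until="2024-03-06"):
        print(finding)
```

In the constructed data only bob is flagged, twice: his first-ever downloads total several megabytes of HR and finance files, and they happen at 02:00 UTC. Alice's volume on the detection day is within her baseline and is not reported, which is the point of per-user baselining rather than a single global threshold.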
Denial-of-Service Attacks: Due to the rise of cyber attacks, an increasing number of companies are shifting
their data control to the cloud. However, this leaves most applications and essential internal functions that
are cloud-based exposed to denial-of-service attacks.
In a denial-of-service attack, a hacker floods a system with more web traffic than it can handle at its peak.
This results in operations stalling entirely, with internal users and customers unable to access the system,
making it unable to operate the business.
Consequently, companies need to find ways to stop denial-of-service attacks before they occur and cause
serious setbacks. One strategy is to rely on dynamic application security tools, which scan web
applications for threats while they are running and can identify denial-of-service attacks in their early
stages or before they happen.
Insecure Interfaces and APIs: Software user interfaces and APIs are usually responsible for the provision,
monitoring and management of cloud services. Cloud service providers are working tirelessly to advance
APIs and interfaces, but this growth has also increased security risks associated with them.
Cloud service providers use a specific framework to provide APIs to programmers, which leaves their
systems more vulnerable to attackers. As such, organizations risk improper authorizations, previously used
passwords and anonymous access. The best way to solve this is knowing how to properly design the cloud
security with a multi-layer approach, which is required to help curb unauthorized access and ensure that
the software is secure.
Hijacking of Accounts: The growing reliance on cloud-based infrastructure has also contributed to a high
number of account hijacking cases. Depending on the attacker’s intent and how they will use the accessed
information, cloud account hijacking can have devastating consequences for a business, such as
information being falsified or leaked to other parties.
Account hijacking attacks can also damage a brand’s reputation and the relationships they have with their
customers. The integrity and good reputation a company has built for years can be destroyed with one
cyber attack. Legal implications could also follow if customers decide to sue the company for exposing their
confidential data.
Having rock-solid facilities that utilize electronic surveillance and multifactor access systems is important to
minimize the risk of hijacking and disruptions to operations. Having a provider that also offers features
such as secure data transfer, encrypted data storage and security logs will provide detection of brute-force
attacks.
Misconfiguration: Misconfiguration is one of the leading threats businesses face in their cloud-based
systems. Most business owners are inexperienced in matters surrounding cloud-based infrastructure,
which exposes them to various data breaches that can impact their operations.
Misconfiguration often results from the need to make cloud data accessible and shareable. Limiting access
to eligible people only can, depending on the cloud service provider, dramatically affect a company’s ability
to control these systems. Basic cloud storage services often come with critical security measures
such as client-side encryption, intrusion detection systems and internal firewalls. Being familiar with the
vendor-provided security settings is critical.
Shared data and computations on shared (typically off-premises) clouds can be exposed in the right
circumstances. This particularly applies to MapReduce operations. To prevent this leakage, consider
dedicated clouds, where there is a lesser chance of malicious actors having a presence.
Clouds are often considered a more valuable target by attackers. IT loses the ability to monitor a user’s
activities when the user’s client is connected to the cloud over an encrypted connection; the user can then
interact with the cloud and perhaps perform unauthorized actions. To combat this, consider federating.
Monitor logs to see which applications are in use, and use a proxy to intercept cloud traffic. An analytics
engine can also be used, with relevant rules created at the endpoint device.
Overcoming Challenges
In general, always follow security best practices, whether you are a tenant or a provider, such as
tracking new vulnerabilities and attacks against components of the cloud. As a cloud provider, do
background research on entities that wish to join the environment.
As a tenant, always understand the cloud model and compensate for any weaknesses inherent in
that type. Be sure to support TLS 1.2 access. This ensures stronger cryptography and is the latest secure
protocol for connections to Web servers.
Both providers and tenants should institute regular vulnerability scanning as frequently as is feasible. They
should also lock IP addresses so only authorized networks are able to access the cloud or site. If this is not
possible as a provider, then be sure to employ strong authentication and access controls.
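Two of the measures above, requiring TLS 1.2 as the minimum protocol version and locking access down to authorized networks, are shown in the following added Python example (not code from the notes). The TLS helper uses the standard ssl module; the allowlist CIDRs and the client addresses are constructed for the demonstration.

```python
import ipaddress
import ssl
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def build_tls_client_context() -> ssl.SSLContext:
    """Client-side context that refuses anything older than TLS 1.2.

    create_default_context() already enables certificate and hostname
    verification; minimum_version is set explicitly so the policy does not
    depend on the interpreter's or OpenSSL's defaults.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def compile_allowlist(cidrs: Iterable[str]) -> List[Network]:
    """Parse the authorized networks once; a bare address becomes a /32 or /128."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_source_allowed(source_ip: str, allowlist: List[Network]) -> bool:
    """True only if the connection's source address lies in an authorized network.

    The address must be taken from the transport layer (the accepted socket),
    never from a client-supplied header, which anyone can set. Input that does
    not parse as an address fails closed.
    """
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in net for net in allowlist)


# Constructed policy: two office ranges (documentation prefixes) and one jump host.
AUTHORIZED_NETWORKS = compile_allowlist(["203.0.113.0/24", "2001:db8:1::/48", "192.0.2.10"])

if __name__ == "__main__":
    ctx = build_tls_client_context()
    print("minimum TLS version:", ctx.minimum_version.name)
    for ip in ("203.0.113.77", "198.51.100.5", "2001:db8:1::9", "192.0.2.11", "garbage"):
        print(ip, "->", "allow" if is_source_allowed(ip, AUTHORIZED_NETWORKS) else "deny")
```

The network lock is a complement to, not a substitute for, authentication: as the notes say, where a provider cannot restrict source networks, strong authentication and access controls still have to be in place, and even where it can, a request from an allowed network still has to prove who it is.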
As a provider, make logs relevant to the tenants available. This complements the tenant’s own logging.
As a tenant, make sure all software is up to date. PaaS providers need to do the same with their
environments. In one of the most important measures, tenants must encrypt data. This is critical for data
protection, but be sure to implement cryptography correctly. There are solutions available to minimize the
ciphertext reduplication problem.
B. VM Image Management: A VM Image (VMI) is a type of file, or the format of the data, that is
used to create a virtual machine in a virtualization environment. Hence, the confidentiality of the data
and the integrity of VMIs are very important when VMs are migrating or starting.
circumstances that may emerge in the testing phase. It makes the programming of the function code
much more efficient. Efficient patch management also decreases the possibility of attacks at the VM
level. In the virtual environment, the distribution of patches to the VMs is a key issue.
D. Audit: Throughout the lifecycle of virtual machines, the sensitive data and the behaviour of the
virtual machines should be monitored across the virtual system. This may be done with auditing,
which provides the mechanism to check the traces of activity left by the virtual system. We audit to
monitor the virtual machine's behaviour and its sensitive data, and to check whether it operates the
virtual system in a safe manner. If we regularly log all the activities of the virtual system, we can easily
determine from the records the reasons for damage to the system and data. This helps when destruction
of any type of data happens. The required strategies against the harmful results can be developed on the
basis of these records.
VIRTUAL THREATS
Some of the virtual threats to cloud computing security are:
1. Shared clipboard
Shared clipboard technologies enable information to be transferred between VMs and the host,
offering a means of moving information between malicious programs in VMs of different security
realms.
2. Keystroke logging
Some VM technologies allow the logging of keystrokes and screen updates to be passed across virtual
terminals within the virtual machine, writing to host files and permitting the monitoring of encrypted
terminal connections in the VM.
3. VM monitoring from the host
Since all network packets coming from or going to a VM pass through the host, the host may be able to
affect the VM in the following ways:
• Starting, stopping, pausing, and restarting VMs.
• Monitoring and configuring the resources available to the VMs, including CPU, memory, disk, and
network usage.
• Adjusting the number of CPUs, amount of memory, number and type of virtual disks, and number
of virtual network interfaces offered to a VM.
• Monitoring the applications running inside the VM.
• Viewing, copying, and modifying data stored on the VM’s virtual disks.
4. Virtual machine monitoring from another VM
VMs should not have the ability to directly access one another’s virtual disks on the host. If the VM
platform uses a virtual hub or switch for connecting the VMs to the host, then intruders may be
able to use a technique called “ARP poisoning” to redirect packets going to or from another VM
for sniffing.
5. Virtual machine backdoors
A backdoor, covert communications channel between the guest and host could allow intruders to execute
potentially harmful operations.
VM SECURITY RECOMMENDATIONS
Following virtual machine security recommendations helps ensure the integrity of cloud:
• General Virtual Machine Protection: A virtual machine is, in most respects, the equivalent of a
physical server. Employ the same security measures in virtual machines that we do for physical
systems.
• Use Templates to Deploy Virtual Machines: When we manually install guest operating systems and
applications on a virtual machine, we introduce a risk of misconfiguration. By using a template to
capture a hardened base operating system image with no applications installed, we can ensure that
all virtual machines are created with a known baseline level of security.
• Minimize Use of the Virtual Machine Console: The virtual machine console provides the same
function for a virtual machine that a monitor provides on a physical server. Users with access to the
virtual machine console have access to virtual machine power management and removable device
connectivity controls. Console access might therefore allow a malicious attack on a virtual machine.
• Prevent Virtual Machines from Taking Over Resources: When one virtual machine consumes so
much of the host resources that other virtual machines on the host cannot perform their intended
functions, a Denial of Service (DoS) might occur. To prevent a virtual machine from causing a DoS,
use host resource management features such as setting Shares and using resource pools.
• Disable Unnecessary Functions Inside Virtual Machines: Any service that is running in a virtual
machine provides the potential for attack. By disabling system components that are not necessary
to support the application or service running on the system, we reduce the system's potential for
attack.
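The Shares, reservation and limit controls mentioned in the recommendation on resource take-over are illustrated by the following added Python example. It is a simplified model written for these notes, not a hypervisor's actual scheduler; the VM names, share values, reservations, limits and the 10,000 MHz host capacity are constructed. It shows how a limit stops one VM from monopolizing a host and how a reservation guarantees a floor for a critical VM under contention.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class VMSpec:
    """Resource settings for one VM (constructed example, simplified hypervisor model)."""
    name: str
    shares: int                    # relative weight when the host is contended
    reservation: float = 0.0       # guaranteed minimum, e.g. in MHz
    limit: Optional[float] = None  # hard ceiling in MHz, or None for uncapped


def allocate(capacity: float, vms: List[VMSpec]) -> Dict[str, float]:
    """Entitlement of each VM under full contention on a host of `capacity`.

    Water-filling: split the unpinned capacity in proportion to shares; pin any
    VM whose proportional share exceeds its limit to that limit, or falls below
    its reservation to that reservation; redistribute the rest and repeat.
    """
    for v in vms:
        if v.shares <= 0:
            raise ValueError(f"{v.name}: shares must be positive")
        if v.limit is not None and v.limit < v.reservation:
            raise ValueError(f"{v.name}: limit below reservation")
    # Admission control: a VM whose reservation cannot be honoured must not power on.
    if sum(v.reservation for v in vms) > capacity:
        raise ValueError("reservations exceed host capacity")

    pinned: Dict[str, float] = {}
    while True:
        free = [v for v in vms if v.name not in pinned]
        if not free:
            return dict(pinned)            # every VM hit a limit; leftover stays idle
        remaining = capacity - sum(pinned.values())
        total_shares = sum(v.shares for v in free)
        prop = {v.name: remaining * v.shares / total_shares for v in free}

        capped = [v for v in free if v.limit is not None and prop[v.name] > v.limit]
        if capped:
            for v in capped:
                pinned[v.name] = v.limit   # the limit is what stops a noisy neighbour
            continue
        floored = [v for v in free if prop[v.name] < v.reservation]
        if floored:
            for v in floored:
                pinned[v.name] = v.reservation  # the reservation protects a critical VM
            continue
        return {**pinned, **prop}


# Constructed host of 10,000 MHz with four VMs; "batch" is the would-be resource hog.
HOST_MHZ = 10_000.0
WITH_LIMIT = [
    VMSpec("web", shares=2000),
    VMSpec("db", shares=4000, reservation=3000),
    VMSpec("batch", shares=4000, limit=1500),
    VMSpec("test", shares=1000),
]
NO_LIMIT = [
    VMSpec("web", shares=2000),
    VMSpec("db", shares=4000, reservation=3000),
    VMSpec("batch", shares=100_000),   # misconfigured: huge shares and no limit
    VMSpec("test", shares=1000),
]

if __name__ == "__main__":
    for label, vms in (("with limit", WITH_LIMIT), ("no limit", NO_LIMIT)):
        print(label, {k: round(v) for k, v in allocate(HOST_MHZ, vms).items()})
```

In the NO_LIMIT case the misconfigured VM takes roughly two thirds of the host and the web VM is left with about one percent; only the database keeps its 3,000 MHz, because its reservation is honoured before shares are applied. Shares alone therefore do not prevent a denial of service by a neighbour; a limit on the greedy VM or a reservation on the victims does.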
files. If a snapshot is taken, the contents are also encrypted. Most virtualization platforms give us the
flexibility to split VM files and place them on different datastores, allowing more flexibility in encryption
deployment and implementation.
Cloud communications is the blending of multiple communication modalities. These include methods such
as voice, email, chat and video, in an integrated fashion to reduce or eliminate communication lag. Cloud
communications is essentially internet-based communication. The storage, applications and switching are
handled and hosted by a third party through the cloud. Cloud services are a broader aspect of cloud
communication. These services act as the primary data center for enterprises, and cloud communications
is one of the services offered by cloud service providers.
Cloud communications evolved from data to voice with the introduction of VoIP (Voice over Internet
Protocol). A branch of cloud communication is cloud telephony, which refers specifically to voice
communications.
Cloud communications providers host communication services through servers that they own and
maintain. The customers, in turn, access these services through the cloud and only pay for services that
they use, doing away with maintenance associated with PBX (private branch exchange) system
deployment.
Cloud communications provides a variety of communication resources, from servers and storage to
enterprise applications such as data security, email, backup and data recovery, and voice, which are all
delivered over the internet. The cloud provides a hosting environment that is flexible, immediate, scalable,
secure and readily available.
The need for cloud communications has resulted from the following trends in enterprise:
• Distributed and decentralized company operations in branch and home offices
• Increase in the number of communication and data devices accessing the enterprise networks
• Hosting and managing IT assets and applications
The cloud is hosted and managed by a third party, and the enterprise pays for and uses space on the cloud
for its requirements. This has allowed enterprises to save on costs incurred for hosting and managing data
storage and communication on its own.
The following are some of the communication and application products available under cloud
communications that an enterprise can utilize:
• Private branch exchange
• SIP Trunking
• Call center
• Fax services
• Interactive voice response
• Text messaging
• Voice broadcast
• Call-tracking software
• Contact center telephony
All of these services cover the various communication needs of an enterprise. These include customer
relations, intra- and inter-branch communication, inter-department memos, conference, call forwarding
and tracking services, operations center and office communications hub.
Cloud communications is a center for all enterprise-related communication that is hosted, managed and
maintained by third-party service providers for a fee charged to the enterprise.