Unit 4 - Cloud Computing - WWW - Rgpvnotes.in

The document discusses cloud security fundamentals including vulnerability assessment tools for cloud, privacy and security considerations in cloud computing, and cloud computing security architecture. It covers topics like virtualization security management, secure execution environments, identity management, access control, and cloud security challenges.

Downloaded from www.rgpvnotes.in, whatsapp: 8989595022

Subject: Cloud Computing (IT702 [B])

Cloud security fundamentals, Vulnerability assessment tool for cloud, Privacy and Security in cloud, Cloud
computing security architecture: Architectural Considerations- General Issues, Trusted Cloud computing,
Secure Execution Environments and Communications, Micro- architectures; Identity Management and
Access control-Identity management, Access control, Autonomic Security, Cloud computing security
challenges: Virtualization security management- virtual threats, VM Security Recommendations,
VM-Specific Security techniques, Secure Execution Environments and Communications in cloud.

UNIT IV

CLOUD SECURITY FUNDAMENTALS


A robust cloud architecture, with strong security implemented at every layer of the stack and backed by
legal compliance and government protection, is the key to cloud security. Cloud security is going to evolve
at a much faster rate.
The cloud is complex, so its security measures are not simple either. The cloud needs to be secured at every
layer of its stack. The major areas of cloud security are at the infrastructure level.
Infrastructure level security: A system admin of the cloud provider can attack the systems, since he/she
has all the admin rights. With root privileges on each machine, the system admin can install or execute
all sorts of software to perform an attack. Furthermore, with physical access to the machine, a system
admin can perform more sophisticated attacks such as cold boot attacks, and can even tamper with the hardware.
Protection measures:
• No single person should accumulate all these privileges.
• The provider should deploy stringent security devices, restricted access control policies, and
surveillance mechanisms to protect the physical integrity of the hardware.
• By enforcing security processes, the provider itself can prevent attacks that require physical
access to the machines.
• The only way a system admin would be able to gain physical access to a node running a customer's
virtual machine (VM) is by diverting this VM to a machine under his/her control, located outside the
IaaS's security perimeter. Therefore, the cloud computing platform must be able to confine VM
execution inside the perimeter, and guarantee that at no point can a system admin with root privileges,
remotely logged in to a machine hosting a VM, access its memory.
• The TCG (Trusted Computing Group), a consortium of industry leaders formed to identify and implement
security measures at the infrastructure level, proposes a set of hardware and software technologies to
enable the construction of trusted platforms, and suggests the use of "remote attestation" (a mechanism
that allows authorized parties to detect changes to the user's computers).

VULNERABILITY ASSESSMENT TOOL FOR CLOUD


Some of the popular vulnerability assessment tools are:
• Qualys: It secures our devices and web apps while helping us remain compliant, through a cloud-only
solution with no hardware or software required. The company analyzes threat information to make
sure nothing gets into our system. If some malware already happens to be there, it gives us the
steps to fix the problem. Beyond that, Qualys verifies that the issue has been fixed. It also scans any
and all web apps we use for vulnerabilities, keeping our data safe as we head out into the
wonderful world of SaaS, IaaS, and PaaS.
• Proofpoint: It focuses specifically on email, with cloud-only services tailored to both enterprises
and small to medium-sized businesses. Not only does it make sure none of the bad stuff gets in, it
also protects any outgoing data. Proofpoint further promises that while it stores that data to
prevent data loss, it does not have the keys to decrypt any of the information.

follow us on instagram for frequent updates: www.instagram.com/rgpvnotes.in

• Zscaler: It calls its product the "Direct to Cloud Network," and like many of these products, it is
much easier to deploy and can be much more cost efficient than traditional appliance security. The
company's products protect us from advanced persistent threats by monitoring all the traffic that
comes in and out of our network, as a kind of "checkpost in the cloud." But we don't have to filter
all that traffic from one central point: given the flexibility of the cloud, we can monitor specific local
networks as well. Zscaler also protects iOS and Android devices within the company, which can
then be monitored through its special mobile online dashboard.
• CipherCloud: It is here to secure all those other "as a service" products we use, such as Salesforce,
Chatter, Box, Office 365, Gmail, Amazon Web Services, and more. It promises to protect the prized
company data that users hand over to these services, as well as communications, and more. It does
this through many of the same means. It also provides mobile security support.
• DocTrackr: It is a security layer that sits on top of file sharing services such as Box and Microsoft
SharePoint. It is built on the idea that once a user sends a document out of a system, it is truly out of
his/her hands: people can save it, change it, send it on, and more, and the sender has lost control of it.
DocTrackr aims to stop that from happening. It lets the user set privileges for each person he/she
shares a document with. It further tracks everyone who opens the file, so the user knows who is looking
at the information, and he/she can even pull documents back, effectively stopping the sharing.

PRIVACY AND SECURITY IN CLOUD


Cloud technology has given many businesses the opportunity to showcase their potential in the business
world. SMEs (small and medium-sized enterprises) are not only getting an opportunity to grow; they are
also taking their business operations to the next level.
Cloud technology provides various advantages, such as data management, data storage, zero percent
downtime, CRM management, and resource optimization, up to entire business automation. It also reduces
the amount of investment required and saves a lot of time.
But cloud computing has raised many concerns for IT management, especially when it comes to data
security in cloud computing. Data security and privacy protection are the two major factors. These two
factors are becoming more important for the future development of cloud computing technology in
business, industry, and government. While addressing this fear, Google claimed that data stored in the
cloud is much safer. The basic organization of data security and privacy in cloud computing can be
divided into four parts, as shown in figure 4.1.

Figure 4.1: Organization of data security and privacy in cloud computing

Data integrity: Data integrity means protecting data from unauthorized deletion, modification, or
fabrication. Managing an entity's admittance and rights to specific enterprise resources ensures that valuable
data and services are not abused, misappropriated, or stolen.
Data integrity in the cloud system means preserving information integrity. The data should not be lost or
modified by unauthorized users. Data integrity is the basis for providing cloud computing services such as
SaaS, PaaS, and IaaS. Besides storage of large-scale data, the cloud computing environment usually
provides data processing services. Data integrity can be obtained by techniques such as RAID-like strategies
and digital signatures.
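The two techniques named above, RAID-like redundancy and a signature-style tag, can be combined so that a
tampered or lost copy is both detected and repaired. The following is an added example written for these
notes, not code from the original material; it uses a mirrored (RAID-1 style) in-memory store and an HMAC
tag keyed by the data owner as a stand-in for a digital signature (the Python standard library has no
asymmetric signing). The key, object name and the tampering on one replica are all constructed values.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed integrity key held by the data owner, never by the storage nodes.
# An HMAC tag stands in for a digital signature because the standard library has
# no asymmetric signatures; the verify-before-trust logic is the same either way.
OWNER_KEY = b"constructed-demo-key-do-not-reuse"


def make_tag(key: bytes, object_id: str, data: bytes) -> bytes:
    """Bind the object's identity, length and content into one authenticated digest."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    h.update(object_id.encode())
    h.update(len(data).to_bytes(8, "big"))
    h.update(data)
    return h.digest()


@dataclass
class Replica:
    data: bytes
    tag: bytes


class MirroredStore:
    """RAID-1-style store: each object is written to every replica together with its tag."""

    def __init__(self, replicas: int = 3):
        self.disks = [dict() for _ in range(replicas)]  # disk index -> object_id -> Replica

    def put(self, object_id: str, data: bytes) -> None:
        tag = make_tag(OWNER_KEY, object_id, data)
        for disk in self.disks:
            disk[object_id] = Replica(data, tag)

    def get(self, object_id: str):
        """Return (data, corrupted_disk_indexes); only a replica whose tag verifies is trusted."""
        good = None
        corrupted = []
        for i, disk in enumerate(self.disks):
            rep = disk.get(object_id)
            if rep is None:  # lost copy (disk failure, unauthorized deletion)
                corrupted.append(i)
                continue
            expected = make_tag(OWNER_KEY, object_id, rep.data)
            if hmac.compare_digest(expected, rep.tag):
                if good is None:
                    good = rep.data
            else:  # modified or fabricated copy: tag no longer matches content
                corrupted.append(i)
        if good is None:
            raise ValueError(f"{object_id}: no replica passed integrity verification")
        # Self-heal: overwrite the bad replicas with the verified copy (the RAID-like part).
        for i in corrupted:
            self.disks[i][object_id] = Replica(good, make_tag(OWNER_KEY, object_id, good))
        return good, corrupted


def demo():
    """A storage node silently alters one replica; the read still returns the verified data."""
    store = MirroredStore()
    store.put("invoice-42", b"amount=100")
    store.disks[1]["invoice-42"].data = b"amount=900"  # constructed tampering on disk 1
    return store.get("invoice-42")


if __name__ == "__main__":
    print(demo())
```

Because the storage nodes never hold OWNER_KEY, a node that changes content cannot produce a matching tag,
so the modified copy is rejected rather than served; the redundant copies are what make recovery possible.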

Data confidentiality: It is important for users to be able to store their private or confidential data in the
cloud. Authentication and access control strategies are used to ensure data confidentiality. Authentication,
encryption and access control together ensure data confidentiality in cloud computing.

Data availability: It means that even when hard disk damage, disasters or network failures occur, the data
is safe and available to the user, and the user's data can be used, recovered and verified.

Data privacy: It is the ability of an entity to hide information about itself and reveal it selectively. In the
cloud, privacy means that when users access sensitive data, the cloud service can prevent a potential
adversary from inferring the user's behavior from the user's access pattern.

CLOUD COMPUTING SECURITY ARCHITECTURE


Cloud security architecture is a strategy designed to secure, and give visibility into, an enterprise's data
and collaboration applications in the cloud through shared responsibility with cloud providers. As more
enterprises seek to accelerate their business by shifting data and infrastructure to the cloud, security has
become a higher priority. Companies are searching for strategies to gain speed and agility without giving
up security.
An organization's growing reliance on the cloud comes with added security concerns. Most data outside of
the network resides in cloud services. This movement of data to cloud service providers and various devices
challenges an enterprise's visibility and control over data.

Cloud computing security architecture identifies the main cloud Actors, their roles, and the main
architectural components necessary for managing and providing cloud services. In a cloud environment
there are security threats and security requirements that differ between cloud deployment models; the
architecture also identifies the necessary mitigations against such threats and the cloud Actor
responsibilities for implementing security controls.

Figure 4.2: Cloud Security Architecture

Security architecture serves as the guide and can accelerate application migration to clouds while
managing the security risks. In addition, cloud security architecture patterns should highlight the trust
boundary between the various services and components deployed at cloud services. The security architecture
also points out the standard interfaces, security protocols (SSL, TLS, IPSEC, LDAPS, SFTP, SSH, SCP, SAML,
OAuth, TACACS, OCSP, etc.) and mechanisms available for authentication, token management, authorization,
encryption methods (hash, symmetric, asymmetric), encryption algorithms (Triple DES, 128-bit AES,
Blowfish, RSA, etc.), security event logging, the source of truth for policies and user attributes, and
coupling models (tight or loose). Finally, the patterns should be leveraged to create security checklists
that need to be automated by configuration management tools.

The security architecture highlights the following attributes for each of the security services consumed by
the cloud application:
• Logical location: Native to the cloud service, in-house, or third-party cloud. The location may have
implications for the performance, availability, firewall policy and governance of the service.
• Protocol: Specifies the protocol(s) used to invoke the service. For example, REST with X.509
certificates for service requests.
• Service function: Specifies the function of the service. For example, encryption of the artifact, logging,
authentication and machine fingerprinting.
• Input/Output: Specifies the inputs, including methods to the controls, and the outputs from the security
service. For example, Input = XML doc and Output = XML doc with encrypted attributes.
• Control description: Specifies the security control offered by the security service. For example, data
protection, confidentiality, user authentication and application authentication.
• Actor: Specifies the users of this service. For example, End point, End user, Enterprise administrator, IT
auditor and Architect.

ARCHITECTURAL CONSIDERATIONS- GENERAL ISSUES


The following table illustrates the dependencies which should be taken into consideration when
architecting security controls into the applications for cloud deployments:
Table 4.1: Architectural dependencies

IaaS
Public/Hybrid Cloud - Threats:
• OWASP Top 10
• Data leakage (inadequate ACL)
• Privilege escalation via management console mis-configuration
• Exploiting VM weakness
• DoS attack via API
• Weak protection of privileged keys
• VM isolation failure
Private Cloud - Threats:
• OWASP Top 10
• Data theft (insiders)
• Privilege escalation via management console mis-configuration
Mitigation:
• Testing apps and API for OWASP Top 10 vulnerabilities
• Hardening of VM image
• Security controls including encryption, multi-factor authentication, fine granular authorization, logging
• Security automation - automatic provisioning of firewall policies, privileged accounts, DNS, application
identity

PaaS
Public/Hybrid Cloud - Threats:
• Privilege escalation via API
• Authorization weakness in platform services such as Message Queue, NoSQL, Blob services
• Vulnerabilities in the runtime engine resulting in tenant isolation failure
Private Cloud - Threats:
• Privilege escalation via API

TRUSTED CLOUD COMPUTING


Trusted computing is a broad term that refers to technologies and proposals for resolving computer
security problems through hardware enhancements and associated software modifications. Several major
hardware manufacturers and software vendors, collectively known as the Trusted Computing Group (TCG),
are cooperating in this venture and have come up with specific solutions. The TCG develops and promotes
specifications for the protection of computer resources from threats posed by malicious entities without
infringing on the rights of end users.
Trusted computing can be defined by breaking it down into four technologies, all of which require the
use of new or improved hardware at the personal computer (PC) level:
• Memory curtaining prevents programs from inappropriately reading from or writing to each other's
memory.
• Secure input/output (I/O) addresses threats from spyware such as keyloggers and programs that
capture the contents of a display.
• Sealed storage allows computers to securely store encryption keys and other critical data.
• Remote attestation detects unauthorized changes to software by generating encrypted certificates
for all applications on a PC.
These measures must be supported by advances and refinements in the software and operating systems
(OSs) that PCs use.
The trusted computing base (TCB) encompasses everything in a computing system that provides a secure
environment. This includes the OS and its standard security mechanisms, computer hardware, physical
locations, network resources and prescribed procedures.
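Remote attestation, named in the TCG protection measure under infrastructure level security and again in the
list of trusted computing technologies above, works by measuring each boot component into a platform register
and having the platform report that register, bound to a verifier-chosen nonce, under a key only the trusted
hardware holds. The following simulation is an added example for these notes, not code from the TCG
specifications or any TPM vendor: the PCR extend rule (PCR = H(PCR || H(component))) follows the TPM design,
but the attestation key is a constructed HMAC key standing in for the TPM's asymmetric signing key, and the
component names are made up.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the TPM's attestation key. A real TPM signs the quote
# with an asymmetric key whose public half the verifier enrolled; HMAC is used
# here only because the standard library has no signature primitives.
TPM_AK = b"constructed-attestation-key"


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style PCR extend: the register is a hash chain, so order and content both matter."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot(components) -> bytes:
    """Platform side: measure each boot component, in boot order, into one PCR."""
    pcr = bytes(32)  # PCRs start at all-zero at power-on
    for comp in components:
        pcr = extend(pcr, comp)
    return pcr


def quote(pcr: bytes, nonce: bytes) -> dict:
    """Platform side: a quote binds the current PCR value to the verifier's fresh nonce."""
    sig = hmac.new(TPM_AK, pcr + nonce, hashlib.sha256).digest()
    return {"pcr": pcr, "nonce": nonce, "sig": sig}


class Verifier:
    """Remote party that knows the expected (golden) software stack of the node."""

    def __init__(self, golden_components):
        self.expected_pcr = measure_boot(golden_components)
        self.outstanding = set()  # nonces issued but not yet answered

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, q: dict) -> str:
        # 1. Freshness: a quote for an old nonce could be a replay of an honest one.
        if q["nonce"] not in self.outstanding:
            return "reject: stale or unknown nonce (replay)"
        self.outstanding.discard(q["nonce"])
        # 2. Authenticity: only the enrolled attestation key may vouch for the PCR value.
        expected_sig = hmac.new(TPM_AK, q["pcr"] + q["nonce"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected_sig, q["sig"]):
            return "reject: quote not signed by the enrolled attestation key"
        # 3. Policy: the measured stack must equal the golden stack.
        if not hmac.compare_digest(q["pcr"], self.expected_pcr):
            return "reject: measured software differs from golden values"
        return "trusted"


# Constructed golden boot chain for a hypothetical IaaS node.
GOLDEN = [b"firmware v1.2", b"bootloader v2", b"kernel 6.1-hardened", b"hypervisor v7"]


def attest(components, verifier: Verifier) -> str:
    """One full challenge/quote/verify round for a node that booted `components`."""
    nonce = verifier.challenge()
    return verifier.verify(quote(measure_boot(components), nonce))


if __name__ == "__main__":
    v = Verifier(GOLDEN)
    print(attest(GOLDEN, v))
    print(attest(GOLDEN[:2] + [b"kernel 6.1-modified"] + GOLDEN[3:], v))
```

The three checks in verify() are the whole point of the mechanism: without the nonce a recorded "good" quote
could be replayed forever, without the key check anyone could claim the golden value, and without the golden
comparison the measurement would be reported but never enforced.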

The term trusted PC refers to a PC with built-in security mechanisms that place minimal reliance on the
end user to keep the machine and its peripheral devices secure. The intent is that, once effective
mechanisms are built into hardware, computer security will be less dependent on the vigilance of
individual users and network administrators than it has ever been. Some concerns have arisen about
possible loss of user privacy and autonomy as a result of such solutions.

SECURE EXECUTION ENVIRONMENT


Configuring computing platforms for secure execution is a complex task; and in many instances it is not
performed properly because of the large number of parameters that are involved. This provides
opportunities for malware to exploit vulnerabilities, such as downloading code embedded in data and
having the code executed at a high privilege level.

In cloud computing, the major burden of establishing a secure execution environment is transferred from
the client to the cloud provider. However, protected data transfers must be established through strong
authentication mechanisms, and the client must have practices in place to address the privacy and
confidentiality of information that is exchanged with the cloud. In fact, the client's port to the cloud might
provide an attack path if not properly provisioned with security measures. Therefore, the client needs
assurance that computations and data exchanges are conducted in a secure environment. This assurance is
achieved through trust enabled by cryptographic methods. Also, research into areas such as compiler-based
virtual machines promises a more secure execution environment for operating systems.

Another major concern in secure execution of code is the widespread use of “unsafe” programming
languages such as C and C++ instead of more secure languages such as object-oriented Java and structured,
object-oriented C#.

SECURE COMMUNICATIONS


As opposed to having managed, secure communications among the computing resources internal to an
organization, movement of applications to the cloud requires a reevaluation of communications security.
These communications apply to both data in motion and data at rest.

Secure cloud communications involves the structures, transmission methods, transport formats, and
security measures that provide confidentiality, integrity, availability, and authentication for transmissions
over private and public communications networks. Secure cloud computing communications should ensure
the following:

Confidentiality: It ensures that only those who are supposed to access data can retrieve it. Loss of
confidentiality can occur through the intentional release of private company information or through a
misapplication of network rights. Some of the elements of telecommunications used to ensure
confidentiality are as follows:
• Network security protocols
• Network authentication services
• Data encryption services

Integrity: It ensures that data has not been changed due to an accident or malice. Integrity is the
guarantee that the message sent is the message received and that the message is not intentionally or
unintentionally altered. Integrity also contains the concept of non-repudiation of a message source. Some
of the constituents of integrity are as follows:
• Firewall services
• Communications Security Management
• Intrusion detection services

Availability: It ensures that data is accessible when and where it is needed, and that connectivity is
available when needed, allowing authorized users to access the network or systems. Also included in
that assurance is the guarantee that security services for the security practitioner are usable when they are
needed. Some of the elements that are used to ensure availability are as follows:
• Fault tolerance for data availability, such as backups and redundant disk systems
• Acceptable logins and operating process performances
• Reliable and inter-operable security processes and network security mechanisms

MICRO-ARCHITECTURES
A microarchitecture is a hardware implementation of an ISA (instruction set architecture). An ISA is a
structure of commands and operations used by software to communicate with hardware. A
microarchitecture is the hardware circuitry that implements one particular ISA.

For example, x86-64 is the ISA used by most modern laptop and desktop computers. It is implemented by
various microarchitectures, including those designed by Intel and AMD. Software that is compiled for the
x86-64 ISA can run on any microarchitecture designed to use the x86-64 instruction set.

Multiple CPU models may be designed for a particular microarchitecture. For this reason,
microarchitecture is sometimes referred to as a "family" or "generation" of CPU. For example, Intel Kaby
Lake (7th generation) and Coffee Lake (8th generation) are separate microarchitectures, each with a
"family" of compatible CPUs.

The word "microarchitecture" is sometimes abbreviated µarch. The Greek letter µ ("mu") is the scientific
abbreviation for "micro." Because this letter does not appear on some keyboards, the abbreviation uarch
may also be used.


Figure 4.3: Intel micro-architecture

IDENTITY MANAGEMENT AND ACCESS CONTROL


Identity management and access control is the discipline of managing access to enterprise resources to
keep systems and data secure. As a key component of the security architecture, it can help verify users’
identities before granting them the right level of access to workplace systems and information. While
people might use the terms identity management, authentication, and access control interchangeably,
each of these individually serves as a distinct layer of enterprise security processes.

IDENTITY MANAGEMENT, AUTHENTICATION, AND ACCESS CONTROL


Identity management, also referred to as identity and access management (IAM), is the overarching
discipline for verifying a user's identity and their level of access to a particular system. Within that scope,
both authentication and access control (which regulates each user's level of access to a given system) play
vital roles in securing user data.
We interact with authentication mechanisms every day. When we enter a username and password, use a
PIN, scan a fingerprint, or tap a bank card, our identity is being verified for authentication purposes. Once
the identity is verified, access control is applied to determine the level of access. This is important for
applications and services that have different levels of authorization for different users. Access control, for
instance, will allow software administrators to add users or edit profiles while barring lower-tier users
from accessing certain features and information.
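The two layers described above can be shown as two separate decisions: authentication answers "is this really
alice?", and access control answers "may alice add a user?". The following is an added example written for
these notes, not code from any IAM product: passwords are verified against a salted PBKDF2 hash, and
authorization is a role-to-permission lookup in which only the admin role may add users or edit profiles. The
roles, permission names and user accounts are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed role -> permitted actions policy. Admins may add users and edit
# profiles; lower-tier roles are barred from those actions.
ROLE_PERMISSIONS = {
    "admin": {"view_profile", "edit_profile", "add_user", "view_reports"},
    "analyst": {"view_profile", "view_reports"},
    "user": {"view_profile"},
}

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes = None):
    """Derive a salted PBKDF2-HMAC-SHA256 verifier; the password itself is never stored."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class IdentityService:
    """Identity store plus the two enforcement points: authenticate, then authorize."""

    def __init__(self):
        self.users = {}  # username -> {"salt", "hash", "role"}

    def register(self, username: str, password: str, role: str) -> None:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        salt, digest = hash_password(password)
        self.users[username] = {"salt": salt, "hash": digest, "role": role}

    def authenticate(self, username: str, password: str):
        """Return a session on success, None on failure, without saying which part failed."""
        rec = self.users.get(username)
        # Run the KDF even for unknown users so response time does not leak
        # whether the username exists.
        salt = rec["salt"] if rec else bytes(16)
        _, candidate = hash_password(password, salt)
        if rec is None or not hmac.compare_digest(candidate, rec["hash"]):
            return None
        return {"user": username, "role": rec["role"]}

    def authorize(self, session, action: str) -> bool:
        """Access control: an authenticated session may perform only its role's actions."""
        if session is None:
            return False
        return action in ROLE_PERMISSIONS[session["role"]]


if __name__ == "__main__":
    svc = IdentityService()
    svc.register("alice", "correct horse battery staple", "admin")
    svc.register("bob", "a-different-long-passphrase", "user")
    admin = svc.authenticate("alice", "correct horse battery staple")
    print("alice add_user:", svc.authorize(admin, "add_user"))
    print("bob add_user:", svc.authorize(svc.authenticate("bob", "a-different-long-passphrase"), "add_user"))
```

Keeping the two checks in separate functions is deliberate: a successful login never implies a permission, and a
permission lookup is never attempted without a verified session.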

AUTONOMIC SECURITY
Autonomic computing refers to the self-management of complex distributed computing resources that
can adapt to unpredictable changes transparently to operators and users. Security is one of the four
key elements of autonomic computing and includes proactive identification of, and protection from,
arbitrary attacks.
Autonomic computing (AC) refers to the self-managing characteristics of distributed computing resources,
adapting to unpredictable changes while hiding intrinsic complexity from operators and users. Initiated by
IBM in 2001, this initiative ultimately aimed to develop computer systems capable of self-management, to
overcome the rapidly growing complexity of computing systems management, and to reduce the barrier
that complexity poses to further growth.
Autonomic computing is a computer's ability to manage itself automatically through adaptive technologies
that extend computing capabilities and cut down on the time required by computer professionals to
resolve system difficulties and to perform other maintenance such as software updates.

Figure 4.4: Autonomic security architecture


The move toward autonomic computing is driven by a desire for cost reduction and the need to lift the
obstacles presented by computer system complexities to allow for more advanced computing technology.

CLOUD COMPUTING SECURITY CHALLENGES


Clouds are everywhere these days. They are often cheaper, more powerful, compatible with single sign-on
(SSO) and often accessible via a Web browser. There are six most significant cyber security threats to
cloud networks that businesses face when migrating data or applications to the cloud. These cloud security
threats are always evolving.

Threats to the Cloud


Data Breaches: Data breaches occur when unauthorized individuals access cloud systems and interfere
with the data stored in them. Whether attackers view, copy or transmit data, an organization’s safety is
not guaranteed once such individuals gain access.
The primary cause of data breaches is human error. Lack of knowledge, or not educating staff on how to
keep data safe and secure, can easily expose a business to a hacker. This is why providing sufficient
cybersecurity education on data protection to employees is crucial.

Insider Threats: Sometimes, the biggest threats to an organization’s cybersecurity are internal. Insider
threats are usually seen as more hazardous than outsider threats as they can take several months or years
to identify.
The masterminds are usually individuals with legitimate access to an organization's cloud systems.
Whether they are accidental or malicious, insider threats will cause a lot of harm to the cloud
system. Therefore, it is essential to detect, investigate and respond to them as fast as possible.
The reason why these attacks can go undetected for long periods is that businesses lack the proper
systems to identify these attacks and are unprepared to identify and resolve them. In addition, companies
have little to no control over underlying cloud infrastructure.
Monitoring user analytics and gaining visibility into behavioral anomalies can be a way to signal an active
insider threat as well as putting employees and processes to the test with adversary simulation and control
tuning.
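The user-analytics monitoring recommended above can start very simply: compare each user's daily activity
with that user's own history, and separately flag activity outside working hours. The following is an added
example for these notes, not code from any product; the audit-log format (timestamp, user, action, record
count) and the log lines themselves are constructed, and the thresholds are assumptions to be tuned per
environment. The block generalizes the idea to any number of users and days.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed audit-log lines: ISO timestamp, user, action, number of records touched.
# alice's last line is the anomaly: a bulk download at 02:14, far above her baseline.
LOG = """\
2024-03-01T09:12:00 alice download 40
2024-03-02T10:03:00 alice download 35
2024-03-03T11:30:00 alice download 42
2024-03-04T09:45:00 alice download 38
2024-03-05T02:14:00 alice download 900
2024-03-01T09:00:00 bob download 5
2024-03-02T09:10:00 bob download 7
2024-03-03T09:05:00 bob download 6
2024-03-04T09:20:00 bob download 4
2024-03-05T09:15:00 bob download 6
"""


def parse(log: str):
    """Turn the constructed log text into (timestamp, user, action, count) tuples."""
    events = []
    for line in log.splitlines():
        ts, user, action, count = line.split()
        events.append((datetime.fromisoformat(ts), user, action, int(count)))
    return events


def daily_volume(events):
    """user -> day -> total records touched that day."""
    vol = defaultdict(lambda: defaultdict(int))
    for ts, user, _action, count in events:
        vol[user][ts.date()] += count
    return vol


def find_anomalies(events, z_threshold=3.0, work_hours=(7, 20), min_history=3):
    """Return (user, day, reason) findings from two rules; thresholds are assumptions."""
    findings = []
    # Rule 1: daily volume far above the user's own prior days (per-user baseline,
    # so a heavy-but-normal user is not flagged for being heavier than a light one).
    for user, days in daily_volume(events).items():
        ordered = sorted(days.items())
        for i, (day, count) in enumerate(ordered):
            baseline = [c for _, c in ordered[:i]]
            if len(baseline) < min_history:
                continue  # not enough history to judge yet
            mean = statistics.mean(baseline)
            stdev = statistics.pstdev(baseline) or 1.0  # avoid division by zero on flat history
            z = (count - mean) / stdev
            if z > z_threshold:
                findings.append((user, str(day), f"volume {count} is {z:.1f} sd above baseline {mean:.0f}"))
    # Rule 2: any activity outside the configured working hours.
    for ts, user, action, _count in events:
        if not (work_hours[0] <= ts.hour < work_hours[1]):
            findings.append((user, str(ts.date()), f"{action} at {ts.time()} is outside working hours"))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(parse(LOG)):
        print(finding)
```

Neither rule proves malice on its own; the value is in surfacing the deviation early enough for an investigation,
which is exactly the gap the paragraph above describes.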


Denial-of-Service Attacks: Due to the rise of cyber attacks, an increasing number of companies are shifting
their data control to the cloud. However, this leaves most applications and essential internal functions that
are cloud-based exposed to denial-of-service attacks.
In a denial-of-service attack, a hacker floods a system with more web traffic than it can handle at its peak.
This results in operations stalling entirely, with internal users and customers unable to access the system,
making it impossible to operate the business.
Subsequently, companies need to find ways to stop denial-of-service attacks before they occur and cause
serious setbacks. One strategy is to rely on dynamic application security tools, which will scan the web
applications for threats while they are running and can identify denial-of-service attacks in their early
stages or before they happen.

Insecure Interfaces and APIs: Software user interfaces and APIs are usually responsible for the provision,
monitoring and management of cloud services. Cloud service providers are working tirelessly to advance
APIs and interfaces, but this growth has also increased security risks associated with them.
Cloud service providers use a specific framework to provide APIs to programmers, which leaves their
systems more vulnerable to attackers. As such, organizations risk improper authorizations, previously used
passwords and anonymous access. The best way to solve this is knowing how to properly design the cloud
security with a multi-layer approach, which is required to help curb unauthorized access and ensure that
the software is secure.

Hijacking of Accounts: The growing reliance on cloud-based infrastructure has also contributed to a high
number of account hijacking cases. Depending on the attacker’s intent and how they will use the accessed
information, cloud account hijacking can have devastating consequences for a business, such as
information being falsified or leaked to other parties.
Account hijacking attacks can also damage a brand’s reputation and the relationships they have with their
customers. The integrity and good reputation a company has built for years can be destroyed with one
cyber attack. Legal implications could also follow if customers decide to sue the company for exposing their
confidential data.
Having rock-solid facilities that utilize electronic surveillance and multifactor access systems is important to
minimize the risk of hijacking and disruptions to operations. Having a provider that also offers features
such as secure data transfer, encrypted data storage and security logs will provide detection of brute-force
attacks.

Misconfiguration: Misconfiguration is one of the leading threats businesses face in their cloud-based
systems. Most business owners are inexperienced in matters surrounding cloud-based infrastructure,
which exposes them to various data breaches that can impact their operations.
Misconfiguration often results from the need to make cloud data accessible and shareable. Limiting access
to eligible people only can, depending on the cloud service provider, dramatically affect a company's ability
to control these systems. Basic cloud storage services often come with critical security measures such as
client-side encryption, intrusion detection systems and internal firewalls. Being familiar with
vendor-provided security settings is critical.
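"Being familiar with vendor-provided security settings" becomes a repeatable control when the settings are
audited by code rather than by eye. The following is an added example for these notes, not a real provider's
API: it describes storage buckets in a constructed, provider-neutral dictionary format (the key names are
hypothetical) and reports the misconfigurations named on this page, namely an inadequate ACL exposing
customer data, encryption at rest turned off, access logging turned off, and firewall ingress open to the whole
internet on a non-HTTPS port.

```python
import ipaddress

# Constructed, provider-neutral bucket descriptions. The key names are hypothetical
# and do not correspond to any particular cloud vendor's configuration schema.
SAMPLE_BUCKETS = [
    {"name": "public-website-assets", "acl": "public-read", "encryption_at_rest": True,
     "access_logging": True, "ingress_rules": [{"cidr": "0.0.0.0/0", "port": 443}],
     "contains_customer_data": False},
    {"name": "customer-invoices", "acl": "public-read", "encryption_at_rest": False,
     "access_logging": False, "ingress_rules": [{"cidr": "0.0.0.0/0", "port": 22}],
     "contains_customer_data": True},
    {"name": "internal-reports", "acl": "private", "encryption_at_rest": True,
     "access_logging": True, "ingress_rules": [{"cidr": "10.20.0.0/16", "port": 443}],
     "contains_customer_data": True},
]


def audit_bucket(bucket: dict):
    """Return (severity, description) findings for one bucket."""
    findings = []
    # Inadequate ACL: a world-readable bucket is only acceptable when it holds public content.
    if bucket["acl"] != "private" and bucket["contains_customer_data"]:
        findings.append(("HIGH", "customer data readable by anyone (inadequate ACL)"))
    if not bucket["encryption_at_rest"]:
        findings.append(("MEDIUM", "encryption at rest disabled"))
    if not bucket["access_logging"]:
        findings.append(("MEDIUM", "access logging disabled; misuse would leave no trail"))
    # Internal firewall: a /0 prefix means every address on the internet matches the rule.
    for rule in bucket["ingress_rules"]:
        net = ipaddress.ip_network(rule["cidr"])
        if net.prefixlen == 0 and rule["port"] != 443:
            findings.append(("HIGH", f"port {rule['port']} open to the whole internet"))
    return findings


def audit(buckets):
    """Audit every bucket; an empty list means the bucket passed all checks."""
    return {b["name"]: audit_bucket(b) for b in buckets}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_BUCKETS).items():
        print(name, findings or "OK")
```

The same function can run on every deployment as part of configuration management, which is how the
architecture section above suggests security checklists should be automated.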

Additional Risks to Cloud Environments


There is a somewhat rare attack called virtual host confusion. It is often seen with content delivery
networks and shared platform-as-a-service (PaaS) clouds. This attack can allow for server impersonation
under the right circumstances. Once again, the X-Force team is not aware of this being exploited in the
wild. For more information, read the paper “Network-based Origin Confusion Attacks against HTTPS Virtual
Hosting.”
This attack is from the same group that identified Logjam, FREAK, SLOTH and others. To prevent this attack,
never use certificates for more than one domain. Avoid using wildcard certificates and carefully configure
TLS caching and ticketing parameters to be different for every Web server. Finally, make sure our domain
fallback page is an error page.


Shared data and computations on shared (typically off-premises) clouds can be exposed in the right
circumstances. This particularly applies to MapReduce operations. To prevent this leakage, consider
dedicated clouds, where there is less chance of malicious actors having a presence.
Clouds are often considered a more valuable target by attackers. IT loses the ability to monitor a user's
activities when the user's client is connected to the cloud over an encrypted connection. In that case, the
user can interact with the cloud and perhaps perform unauthorized actions. To combat this, consider
federating. Monitor the logs to see which applications are in use and use a proxy to intercept cloud traffic.
An analytics engine can also be used, with relevant rules created at the endpoint device.
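As an added example (not part of these notes), the following Python script implements the log-monitoring step above: it parses constructed proxy log lines, discards internal traffic, and reports which cloud hosts are in use and which are not on the sanctioned list. The log format, the hostnames and the sanctioned list are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (the Squid-like field layout is an
# assumption for this example): timestamp, client IP, method, destination.
SAMPLE_PROXY_LOG = """\
1700000001.100 10.0.0.5 CONNECT storage.example-cloud.test:443
1700000002.200 10.0.0.5 CONNECT mail.corp.test:443
1700000003.300 10.0.0.9 CONNECT files.unsanctioned-share.test:443
1700000004.400 10.0.0.9 CONNECT storage.example-cloud.test:443
1700000005.500 10.0.0.12 GET http://intranet.corp.test/index.html
"""

# Cloud services the organization has approved (assumed inventory).
SANCTIONED_CLOUD = {"storage.example-cloud.test": "approved object storage"}
# Internal domains that are not cloud traffic at all.
INTERNAL_SUFFIXES = (".corp.test",)

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<dest>\S+)$"
)


def destination_host(method, dest):
    """Return the bare hostname from a CONNECT host:port or from a plain URL."""
    if method == "CONNECT":
        return dest.rsplit(":", 1)[0]
    m = re.match(r"^[a-z]+://([^/:]+)", dest)
    return m.group(1) if m else dest


def classify_cloud_usage(log_text):
    """Map each external host to the clients using it and whether it is sanctioned."""
    usage = defaultdict(lambda: {"clients": set(), "sanctioned": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than fail the whole run
        host = destination_host(m["method"], m["dest"])
        if host.endswith(INTERNAL_SUFFIXES):
            continue  # internal traffic is not cloud usage
        usage[host]["clients"].add(m["client"])
        usage[host]["sanctioned"] = host in SANCTIONED_CLOUD
    return dict(usage)


def unsanctioned_hosts(log_text):
    """Cloud hosts seen in the log that are not on the sanctioned list."""
    return sorted(h for h, u in classify_cloud_usage(log_text).items()
                  if not u["sanctioned"])
```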

Overcoming Challenges
In general, always follow security best practices, whether the organization is a tenant or a provider, such
as tracking new vulnerabilities and attacks against components of the cloud. A cloud provider should do
background research on entities that wish to join the environment.
A tenant should always understand the cloud model and compensate for any weaknesses inherent in that
type. Be sure to support TLS 1.2 access. This ensures stronger cryptography and is the latest secure
protocol for connections to Web servers.
Both providers and tenants should institute regular vulnerability scanning, as frequently as is feasible. They
should also restrict access by IP address so that only authorized networks are able to reach the cloud or
site. If this is not possible as a provider, then be sure to employ strong authentication and access controls.
As a provider, make logs relevant to the tenants available. This complements the tenant's own logging.
As a tenant, make sure all software is up to date. PaaS providers need to do the same with their
environments. In one of the most important measures, tenants must encrypt data. This is critical for data
protection, but be sure to implement cryptography correctly. There are solutions available to minimize the
ciphertext reduplication problem.

VIRTUALIZATION SECURITY MANAGEMENT


A. Migration management: VM migration is a vulnerable process and is easy to attack. Special security
mechanisms should be applied when a VM is migrated from one place to another. It sounds like an easy
process, but it is not. When an organization or enterprise uses an automated tool such as live migration,
many other factors creep in. Running two different VMs on a single machine may violate Payment Card
Industry (PCI) requirements. This problem occurs when a VM holding the customer's credit card data is
located on the same physical machine as a publicly accessible web server.
So, the physical servers should be analyzed for their security and compliance posture in order to protect
the users' sensitive data. Even governed live migration can violate corporate policies if the migration does
not go through a strict ITIL (IT Infrastructure Library) process for approval by a change approval board or
configuration management system. A migration management system is necessary for virtualization
security, and migrations should be planned. If a migration is not planned, it may even cause issues with
resources outside the environment, which may further introduce database contention, overload of network
devices, or unexpected delays in storage I/O.
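The two concerns above, PCI co-location and change approval, can be encoded as a pre-migration policy check. This is an added Python example rather than anything from these notes; the VM tags, host names and change IDs are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class VM:
    name: str
    tags: frozenset  # assumed tags: "pci" = holds cardholder data, "public-web" = internet-facing


@dataclass
class Host:
    name: str
    vms: list = field(default_factory=list)


# Two rules drawn from the text above (this encoding is an assumption):
# a VM holding cardholder data must never share a physical host with a
# publicly reachable web server, and a live migration needs an approved
# change record before it is executed.
def placement_violations(host, incoming):
    """Return descriptions of PCI co-location violations if incoming joins host."""
    present = host.vms + [incoming]
    pci = [v.name for v in present if "pci" in v.tags]
    public = [v.name for v in present if "public-web" in v.tags]
    if pci and public:
        return [f"PCI co-location on {host.name}: {pci} with {public}"]
    return []


def migrate(vm, source, target, approved_changes, change_id):
    """Move vm from source to target only if placement policy and change approval allow it."""
    problems = placement_violations(target, vm)
    if change_id not in approved_changes:
        problems.append(f"migration of {vm.name} lacks approved change {change_id}")
    if problems:
        return False, problems  # refuse the migration; nothing is moved
    source.vms.remove(vm)
    target.vms.append(vm)
    return True, []


def demo():
    """Constructed environment: one PCI database, one public web server, one batch VM."""
    card_db = VM("card-db", frozenset({"pci"}))
    web = VM("www-front", frozenset({"public-web"}))
    batch = VM("batch-01", frozenset())
    host_a = Host("esx-a", [card_db])
    host_b = Host("esx-b", [web, batch])
    approved = {"CHG-1001"}  # constructed change-approval record
    return [
        migrate(card_db, host_a, host_b, approved, "CHG-1001"),  # blocked: co-location
        migrate(batch, host_b, host_a, approved, "CHG-9999"),    # blocked: unapproved change
        migrate(batch, host_b, host_a, approved, "CHG-1001"),    # allowed
    ]
```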

B. VM Image Management: A VM Image (VMI) is a file, or data format, used to create a virtual machine in
the virtualization environment. Hence, the confidentiality and integrity of VMIs is very important when
VMs are being migrated or started.

C. Patch Management: Patch management is the acquiring, testing and installing of code changes (patches)
to administered computer systems. It also includes maintaining current knowledge of the available patches,
ensuring the patches are installed properly, testing them after installation, and lastly documenting all the
associated procedures and required configurations.
Patch management is built to identify and test the various types of code changes. It also extends to
monitoring the functioning of the code to identify any circumstances that may emerge in the testing phase,
which makes programming of the function code much more efficient. Efficient patch management also
decreases the possibility of attacks at the VM level. In the virtual environment, the distribution of patches
to the VMs is a key issue.

D. Audit: Throughout the lifecycle of virtual machines, the sensitive data and the behavior of the virtual
machines should be monitored across the virtual system. This may be done with auditing, which provides
a mechanism to check the traces of activity left by the virtual system. We audit to monitor the virtual
machine's behavior and its sensitive data, and to check whether it operates the virtual system safely. If we
regularly log all the activities of the virtual system, we can easily determine from the records the reasons
for any destruction of the system or data. This helps when any type of data is destroyed. The required
strategies against such harmful results can be developed on the basis of these records.

VIRTUAL THREATS
Some of the virtual threats to Cloud computing security are:
1. Shared clipboard
Shared clipboard technologies enable information to be transferred between VMs and the host, offering a
means of moving information between malicious programs in VMs of different security realms.
2. Keystroke logging
Some VM technologies allow the logging of keystrokes and screen updates to be passed across virtual
terminals in the virtual machine, writing to host files and permitting the monitoring of encrypted terminal
connections inside the VM.
3. VM monitoring from the host
Since all network packets coming from or going to a VM pass through the host, the host may be able to
affect the VM by:
• Starting, stopping, pausing, and restarting VMs.
• Monitoring and configuring the resources available to the VMs, including CPU, memory, disk, and
network usage of VMs.
• Adjusting the number of CPUs, amount of memory, number and type of virtual disks, and number of
virtual network interfaces offered to a VM.
• Monitoring the applications running inside the VM.
• Viewing, copying, and modifying data stored on the VM's virtual disks.
4. Virtual machine monitoring from another VM
VMs should not have the ability to directly access one another's virtual disks through the host. If the VM
platform uses a virtual hub or switch to connect the VMs to the host, then intruders may be able to use a
hacker technique called “ARP poisoning” to redirect packets going to or from another VM in order to
sniff them.
5. Virtual machine backdoors
A backdoor, i.e. a covert communications channel between the guest and host, could allow intruders to
execute potentially harmful operations.
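As an added example (not from these notes), the check below approaches threat 4 from the defender's side: it watches ARP replies seen on the virtual switch and flags an IP address whose MAC binding changes from the inventory (or first-seen) binding. The sample replies, MAC addresses and inventory bindings are constructed.

```python
from collections import defaultdict

# Constructed sample of ARP replies observed on a virtual switch mirror port.
# Tuples are (timestamp, sender IP, sender MAC); none of this is real capture data.
SAMPLE_ARP_REPLIES = [
    (1.0, "10.10.0.1", "52:54:00:aa:00:01"),   # the gateway announcing itself
    (1.5, "10.10.0.20", "52:54:00:aa:00:20"),  # ordinary guest VM
    (2.0, "10.10.0.1", "52:54:00:aa:00:01"),
    (3.0, "10.10.0.1", "52:54:00:aa:00:20"),   # gateway IP now claimed by VM 20's MAC
    (3.2, "10.10.0.1", "52:54:00:aa:00:20"),
    (4.0, "10.10.0.30", "52:54:00:aa:00:30"),
]

# Authoritative IP-to-MAC bindings from the inventory (assumed to come from the
# VM configuration held by the platform, not from ARP traffic itself).
KNOWN_BINDINGS = {"10.10.0.1": "52:54:00:aa:00:01"}


def detect_arp_conflicts(replies, known_bindings=None):
    """Flag ARP replies that contradict the inventory or first-seen binding for an IP.

    Returns (alerts, offenders): alerts is one dict per conflicting reply;
    offenders maps each MAC that claimed a foreign IP to how many times it did,
    which is the figure a hypervisor administrator would act on.
    """
    bindings = dict(known_bindings or {})
    alerts = []
    offenders = defaultdict(int)
    for ts, ip, mac in replies:
        # First sighting of an IP establishes its binding unless inventory already has one.
        expected = bindings.setdefault(ip, mac)
        if expected != mac:
            alerts.append({"time": ts, "ip": ip, "expected": expected, "seen": mac})
            offenders[mac] += 1
    return alerts, dict(offenders)
```

Without an inventory the first sighting is trusted, so a poisoner that answers before the legitimate host would go unflagged; feeding `known_bindings` from the platform's own VM configuration closes that gap.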

VM SECURITY RECOMMENDATIONS
Following virtual machine security recommendations helps ensure the integrity of cloud:
• General Virtual Machine Protection: A virtual machine is, in most respects, the equivalent of a
physical server. Employ the same security measures in virtual machines that we do for physical
systems.
• Use Templates to Deploy Virtual Machines: When we manually install guest operating systems and
applications on a virtual machine, we introduce a risk of misconfiguration. By using a template to
capture a hardened base operating system image with no applications installed, we can ensure that
all virtual machines are created with a known baseline level of security.


• Minimize Use of the Virtual Machine Console: The virtual machine console provides the same
function for a virtual machine that a monitor provides on a physical server. Users with access to the
virtual machine console have access to virtual machine power management and removable device
connectivity controls. Console access might therefore allow a malicious attack on a virtual machine.
• Prevent Virtual Machines from Taking Over Resources: When one virtual machine consumes so
much of the host resources that other virtual machines on the host cannot perform their intended
functions, a Denial of Service (DoS) might occur. To prevent a virtual machine from causing a DoS,
use host resource management features such as setting Shares and using resource pools.
• Disable Unnecessary Functions Inside Virtual Machines: Any service that is running in a virtual
machine provides the potential for attack. By disabling system components that are not necessary
to support the application or service that is running on the system, we reduce the potential for attack
on the system.

VM-SPECIFIC SECURITY TECHNIQUES


A. Protecting the VMM
A hypervisor can be used to monitor the virtualized systems it is hosting. However, the hypervisor can in
turn be targeted and modified by an attack. As the hypervisor possesses every privilege on its guest
systems, it is crucial to preserve its integrity. However, while it is possible to ensure the integrity of a
system during boot, it is much harder to ensure runtime integrity. To ensure runtime integrity, one could
think of installing a second hypervisor under the initial hypervisor, dedicated to monitoring it; but then
one would similarly have to guarantee that this most privileged hypervisor cannot in turn be corrupted.
Several studies have therefore focused on using other means to ensure the integrity of the most privileged
element.
B. Protecting the VMs against their VMM
The purpose of CloudVisor is to ensure data confidentiality and integrity for the VM, even if some elements
of the virtualization system (hypervisor, management VM, another guest VM) are compromised. The idea
is that data belonging to a VM but accessed by something other than this VM appears encrypted. To reach
its goal, CloudVisor virtualizes the monitored hypervisor (realizing nested virtualization), therefore
removing the latter from the most privileged zone while still giving it the illusion of the opposite. This
means that the monitored VMM is now running in guest mode while CloudVisor is the only one in root
mode. Any access, requested by the VMM, to some memory belonging to a VM is then trapped by
CloudVisor. If the access is not requested by the owner of the requested page, CloudVisor encrypts its content.
C. Virtual Machine Encryption
Because a virtual machine consists of a set of files, machine theft has now become much easier. People will
notice someone walking out of the building with a server, but not with a USB stick containing a set of VM
files. Furthermore, stealing a virtual machine can be achieved with relative ease by simply snapshotting the
VM and copying the snapshotted files.
D. Encryption under the hypervisor
VMs can be encrypted underneath the hypervisor. By using standard protocols such as NFS or iSCSI, the
encryption is independent of the hypervisor platform. That means hypervisor features such as vMotion and
Live Migration continue to work unchanged. As VMs are copied into an encrypted datastore, they will be
encrypted according to the encryption policy that is put in place.
E. Encryption within the VM
In this model, for all devices encrypted, there is an encrypted path from the VM's operating system
through the hypervisor and down to the storage layer. This prevents VM administrators from being able to
view sensitive data that resides within the VM. In this environment, as with the previous one described,
the key server could reside anywhere.
F. Encryption of VM images and application data
Another model combines encryption at the VM and storage layers. This combined option is superior
because there's an encrypted path for sensitive data all the way from the VM through the hypervisor. This
prevents the VM administrator from seeing cleartext data. In addition, the snapshot, suspend, log, and
other important VM files can be encrypted too, because the encryption "container" encompasses all VM
files. If a snapshot is taken, the contents are also encrypted. Most virtualization platforms give us the
flexibility to split VM files and place them on different datastores, allowing for more flexibility in encryption
deployment and implementation.

SECURE EXECUTION ENVIRONMENTS AND COMMUNICATIONS IN CLOUD


An Execution Environment is an environment for executing code, in which those executing the code can
have high levels of trust in that surrounding environment, because it can ignore threats from the rest of
the device.
Hence the name Trusted Execution Environment, to distinguish it from the uncertain nature of applications.
The rest of the device hosts a feature-rich OS like Android™, and so is known as the REE (Rich Operating
System Execution Environment).

Cloud communications is the blending of multiple communication modalities. These include methods such
as voice, email, chat and video, in an integrated fashion to reduce or eliminate communication lag. Cloud
communications is essentially internet-based communication. The storage, applications and switching are
handled and hosted by a third party through the cloud. Cloud services are a broader aspect of cloud
communication. These services act as the primary data center for enterprises, and cloud communications
is one of the services offered by cloud service providers.

Cloud communications evolved from data to voice with the introduction of VoIP (Voice over Internet
Protocol). A branch of cloud communications is cloud telephony, which refers specifically to voice
communications.

Cloud communications providers host communication services through servers that they own and
maintain. The customers, in turn, access these services through the cloud and only pay for services that
they use, doing away with maintenance associated with PBX (private branch exchange) system
deployment.

Cloud communications provides a variety of communication resources, from servers and storage to
enterprise applications such as data security, email, backup and data recovery, and voice, which are all
delivered over the internet. The cloud provides a hosting environment that is flexible, immediate, scalable,
secure and readily available.

The need for cloud communications has resulted from the following trends in enterprise:
• Distributed and decentralized company operations in branch and home offices
• Increase in the number of communication and data devices accessing the enterprise networks
• Hosting and managing IT assets and applications
The cloud is hosted and managed by a third party, and the enterprise pays for and uses space on the cloud
for its requirements. This has allowed enterprises to save on costs incurred for hosting and managing data
storage and communication on its own.

The following are some of the communication and application products available under cloud
communications that an enterprise can utilize:
• Private branch exchange
• SIP Trunking
• Call center
• Fax services
• Interactive voice response
• Text messaging
• Voice broadcast
• Call-tracking software
• Contact center telephony

All of these services cover the various communication needs of an enterprise. These include customer
relations, intra- and inter-branch communication, inter-department memos, conference, call forwarding
and tracking services, operations center and office communications hub.
Cloud communications is a center for all enterprise-related communication that is hosted, managed and
maintained by third-party service providers for a fee charged to the enterprise.
