Cloud Computing

Prepared and Compiled by: Ms. Sarita Neupane

Kathford International College of Engineering and Management
Unit-5: Cloud Security
5.1 Introduction to Cloud Computing Security

Cloud security refers to the set of policies, technologies, controls, and best practices implemented
to protect data, applications, and infrastructure in cloud computing environments. As
organizations increasingly adopt cloud services to store, process, and manage their data, ensuring
the security of these resources becomes paramount. Cloud security encompasses various aspects,
including:

1. Data Security:
o Encryption: Protecting data through encryption ensures that even if unauthorized
access occurs, the data remains unreadable without the proper decryption keys.
o Access Controls: Implementing robust access controls ensures that only
authorized individuals or systems have the appropriate permissions to access
sensitive data.

2. Identity and Access Management (IAM):

o Authentication: Verifying the identity of users and systems is fundamental to
preventing unauthorized access.
o Authorization: Controlling and managing user permissions, specifying what
actions and resources they can access, is crucial for security.

3. Network Security:
o Firewalls: Deploying firewalls helps control incoming and outgoing network
traffic, protecting against unauthorized access and potential cyber threats.
o Virtual Private Cloud (VPC): Isolating and segmenting resources within a
virtual private network enhances network security in cloud environments.

4. Incident Response and Monitoring:

o Logging and Monitoring: Continuous monitoring of activities and logging
events allows for the detection of potential security incidents.
o Incident Response: Having a well-defined plan for responding to security
incidents ensures a timely and effective response to any security breaches.
 5. Compliance and Legal Considerations:
o Ensuring that cloud deployments comply with industry regulations and legal
requirements is essential. Many cloud service providers offer compliance
certifications for specific standards (e.g., GDPR, HIPAA).

6. Physical Security:
o While the physical infrastructure is owned and managed by the cloud service
provider, it's essential to understand and ensure that they have implemented
appropriate physical security measures in their data centers.

7. Secure Development Practices:

o Incorporating security into the software development lifecycle helps identify and
address vulnerabilities early in the development process.

8. Security Patching and Updates:

o Regularly updating and patching software, applications, and systems is crucial to
addressing known vulnerabilities and maintaining a secure environment.

9. Data Residency and Sovereignty:

o Organizations must be aware of where their data is stored and processed to
comply with regional data residency requirements and address data sovereignty
concerns.

10. Service Level Agreements (SLAs):

o Understanding the security commitments and responsibilities outlined in the
SLAs with the cloud service provider is essential for a clear understanding of the
shared responsibility model.

Cloud security is often a shared responsibility between the cloud service provider and the
customer. Cloud service providers typically secure the infrastructure, while customers are
responsible for securing their data, applications, and access configurations. Adopting a
comprehensive and well-implemented cloud security strategy is crucial for mitigating risks and
ensuring the confidentiality, integrity, and availability of data in cloud environments.
5.2 Cloud Security Challenges and Risks:

Cloud computing offers numerous benefits, such as scalability, flexibility, and cost-efficiency,
but it also introduces various security challenges and risks. It's important for organizations to be
aware of these issues and implement robust security measures to mitigate potential threats. Here
are some common cloud security challenges and risks:

1. Data Breaches:
o Unauthorized access to sensitive data is a significant concern.
o Inadequate access controls and weak authentication mechanisms can lead to data
breaches.
2. Data Loss:
o Data stored in the cloud may be at risk of loss due to accidental deletion,
hardware failure, or other unforeseen events.
o Lack of proper backup and recovery mechanisms can exacerbate data loss risks.
o
3. Hacked Interfaces and Insecure APIs

As we all know, cloud computing is completely depends on Internet, so it is compulsory to

protect interfaces and APIs that are used by external users. APIs are the easiest way to
communicate with most of the cloud services. In cloud computing, few services are
available in the public domain. These services can be accessed by third parties, so there
may be a chance that these services easily harmed and hacked by hackers.

4. Vendor lock-in

Vendor lock-in is the of the biggest security risks in cloud computing. Organizations may
face problems when transferring their services from one vendor to another. As different
vendors provide different platforms, that can cause difficulty moving one cloud to
another.

5. Denial of Service (DoS) attacks

Denial of service (DoS) attacks occur when the system receives too much traffic to buffer
the server. Mostly, DoS attackers target web servers of large organizations such as
banking sectors, media companies, and government organizations. To recover the lost
data, DoS attackers charge a great deal of time and money to handle the data.
 6. Shared Technology Vulnerabilities:

 Multi-tenancy in cloud environments means that multiple users share the same
infrastructure.
 Vulnerabilities in the underlying technology may impact the security of all users.

7. Inadequate Logging and Monitoring:

 Insufficient monitoring and logging make it challenging to detect and respond to

security incidents promptly.
 Lack of visibility into the cloud environment can delay the identification of malicious
activities.

To address these challenges, organizations should adopt a comprehensive approach to cloud

security, including regular security assessments, encryption, access controls, and continuous
monitoring of the cloud environment. Additionally, staying informed about emerging threats and
best practices in cloud security is crucial for maintaining a strong defense against evolving risks.

5.3 Software-as-a-Service Security

SaaS (Software as a Service) security refers to the measures and processes implemented to
protect the data and applications hosted by a SaaS provider. This typically includes measures
such as encryption, authentication, access controls, network security, and data backup and
recovery.

Why is SaaS Security important?

SaaS (Software as a Service) has become increasingly popular in recent years due to its
flexibility, cost-effectiveness, and scalability. However, this popularity also means that SaaS
providers and their customers face significant security challenges.

SaaS Security is important because:

 Sensitive data would be well-protected and not compromised by hackers, malicious insiders or
other cyber threats.
 SaaS security helps avoid severe consequences such as legal liabilities, damage to reputation and
loss of customers.
 Aids in increasing the trust of the SaaS provider to the customers.
 Aids in compliance with security standards and regulations.
 Ensures the security and protection of applications and data hosted from cyber threats,
minimizing the chances of data breaches and other security incidents.
Source: Hackernoon

Software-as-a-service (SaaS) is an on-demand, cloud-based software delivery model that enables

organizations to subscribe to the applications they need without hosting them in house. SaaS is
one of several categories of cloud subscription services, including platform-as-a-service and
infrastructure-as-a-service. SaaS has become increasingly popular because it saves organizations
from needing to purchase servers and other infrastructure or maintain an in-house support staff.
Instead, a SaaS provider hosts and provides SaaS security and maintenance to their software.
Some well-known SaaS applications include Microsoft 365, Salesforce.com, Cisco Webex, Box,
and Adobe Creative Cloud. Most enterprise software vendors also offer cloud versions of their
applications, such as Oracle Financials Cloud.

SaaS providers handle much of the security for a cloud application. The SaaS provider is
responsible for securing the platform, network, applications, operating system, and physical
infrastructure. However, providers are not responsible for securing customer data or user access
to it. Some providers offer a bare minimum of security, while others offer a wide range of SaaS
security options.

Below are SaaS security practices that organizations can adopt to protect data in their SaaS
applications.

 Data Encryption:

 Implement strong encryption for data at rest, in transit, and during processing.
 Leverage encryption mechanisms provided by the cloud service provider (CSP) and
ensure that sensitive data is adequately protected.
 Identity and Access Management (IAM):

 Utilize robust IAM controls to manage user identities and access permissions.
 Employ multi-factor authentication (MFA) to enhance user authentication

 Logging and Monitoring:

 Implement comprehensive logging and monitoring solutions to detect and respond to

security incidents.
 Regularly review logs for anomalous activities and potential security threats.

 Secure APIs:

 If the SaaS application exposes APIs, secure them with proper authentication and
authorization mechanisms.
 Regularly audit API security and monitor for any vulnerabilities.

 Regular Security Audits:

 Conduct regular security audits and assessments to identify and remediate vulnerabilities.
 Evaluate the effectiveness of security controls and make necessary adjustments.

 Backup and Disaster Recovery:

 Implement regular data backups to prevent data loss due to accidental deletion or system
failures.
 Develop and test a robust disaster recovery plan to ensure business continuity.

 Employee Training and Awareness:

 Train employees on security best practices, including safe use of SaaS applications and
recognition of potential security threats.
 Foster a security-aware culture within the organization.

 Patch Management:

 Regularly update and patch the SaaS application and underlying infrastructure to address
known security vulnerabilities.
 Work closely with the cloud provider to ensure timely updates to the underlying platform.

 Network Security:

 Implement strong network security controls to protect data in transit.

 Leverage features provided by the cloud provider, such as virtual private clouds (VPCs),
to isolate and secure network traffic.
5.4 Security Monitoring

Cloud security monitoring is the practice of continuously supervising both virtual and physical
servers to analyze data for threats and vulnerabilities. Cloud security monitoring solutions often
rely on automation to measure and assess behaviors related to data, applications and
infrastructure.

Cloud security monitoring solutions can be built natively into the cloud server hosting
infrastructure (like AWS’s CloudWatch, for example) or they can be third-party solutions that
are added to an existing environment.

Cloud security-monitoring works by collecting log data across servers. Advanced cloud
monitoring solutions analyze and correlate gathered data for anomalous activity, then send alerts
and enable incident response.

A cloud security monitoring service will typically offer:

Visibility. Moving to the cloud inherently lowers an organization’s visibility across their
infrastructure, so cloud monitoring security tools should bring a single pane of glass to monitor
application, user and file behavior to identify potential attacks.

Scalability. Cloud security monitoring tools should be able to monitor large amounts of data
across a variety of distributed locations.

Auditing. It is a challenge for organizations to manage and meet compliance requirements, so

cloud security monitoring tools should provide robust auditing and monitoring capabilities.

Continuous monitoring. Advanced cloud security monitoring solutions should continuously

monitor behavior in real time to quickly identify malicious activity and prevent an attack.
5.5 Security Architecture Design

The Cloud Security Alliance (CSA) stack model defines the boundaries between each service
model and shows how different functional units relate. A particular service model defines the
boundary between the service provider's responsibilities and the customer. The following
diagram shows the CSA stack model:

Key Points to CSA Model

 IaaS is the most basic level of service, with PaaS and SaaS next two above levels of

services.
 Moving upwards, each service inherits the capabilities and security concerns of the model
beneath.
 IaaS provides the infrastructure, PaaS provides the platform development environment,
and SaaS provides the operating environment.
 IaaS has the lowest integrated functionality and security level, while SaaS has the
highest.
 This model describes the security boundaries at which cloud service providers'
responsibilities end and customers' responsibilities begin.
Although each service model has a security mechanism, security requirements also depend on
where these services are located, private, public, hybrid, or community cloud.

 A security architecture framework should be established with consideration of processes

(enterprise authentication and authorization, access control, confidentiality, integrity,
nonrepudiation, security management, etc.), operational procedures, technology
specifications, people and organizational management, and security program compliance
and reporting.
 A security architecture document should be developed that defines security and privacy
principles to meet business objectives. Documentation is required for management
controls and metrics specific to asset classification and control, physical security, system
access controls, network and computer management, application development and
maintenance, business continuity, and compliance.
 A design and implementation program should also be integrated with the formal system
development life cycle to include a business case, requirements definition, design, and
implementation plans.

 Technology and design methods should be included, as well as the security processes
necessary to provide the following services across all technology layers:

Authentication

Authorization

Availability

Confidentiality

Integrity

Accountability

Privacy

 The creation of a secure architecture provides the engineers, data center operations
personnel, and network operations personnel a common blueprint to design, build, and
test the security of the applications and systems.
5.6 Data Security

Data is currency for modern businesses. Organizations use data analytics to make decisions
about new products and services or to provide better customer experiences. As companies
collect, store, transmit, process, and use more data, they increase their use of the cloud.
Additionally, cloud-based technologies enable workforce collaboration across geographic
regions as well as between internal and external users.
Complex IT environments often use a combination of on-premises, cloud, multi-cloud, and
hybrid infrastructures, meaning that they store vast amounts of sensitive data in multiple
locations.

What Is Data Security?

Data security includes the technologies and processes an organization uses to protect sensitive
data both on-premises and in the cloud.

Sensitive information includes corporate and non-public personal information (NPI), including:

 Intellectual property
 Names
 Birth dates
 Government identification information, like social security numbers and driver's license
information
 Physical address
 IP address
 Biometric information

Cloud Data Security

Cloud data security refers to the technologies and controls that discover, classify, and protect all
data in the cloud to mitigate risks arising from data loss, misuse, breaches, and unauthorized
access.
In other word, cloud data security refers to the strategies, policies, and tools employed to protect
sensitive information stored in cloud computing environments. To safeguard sensitive data and
infrastructure, organizations must establish measures, policies, and technologies that secure their
cloud-computing environment. This includes protecting not only the stored data but also the
infrastructure supporting it.
  The ultimate challenge in cloud computing is data-level security, and sensitive data is the
domain of the enterprise, not the cloud computing provider.

 Security will need to move to the data level so that enterprises can be sure their data is
protected wherever it goes.
 For example, with data-level security, the enterprise can specify that this data is not
allowed to go outside of the country. It can also force encryption of certain types of data
and permit only specified users to access the data.

5.7 Application Security

Application security describes security measures at the application level that aim to prevent data
or code within the app from being stolen or hijacked. It encompasses the security considerations
that happen during application development and design, but it also involves systems and
approaches to protect apps after they are deployed.

Application security may include hardware, software, and procedures that identify or minimize
security vulnerabilities. A router that prevents anyone from viewing a computer’s IP address
from the Internet is a form of hardware application security. But security measures at the
application level are also typically built into the software, such as an application firewall that
strictly defines what activities are allowed and prohibited. Procedures can entail things like an
application security routine that includes protocols such as regular testing.

Types of Application Security

Different types of application security features include authentication, authorization, encryption,
logging, and application security testing. Developers can also code applications to reduce
security vulnerabilities.

 Authentication: When software developers build procedures into an application to

ensure that only authorized users gain access to it. Authentication procedures ensure that
a user is who they say they are. This can be accomplished by requiring the user to provide
a user name and password when logging in to an application. Multi-factor authentication
requires more than one form of authentication—the factors might include something you
know (a password), something you have (a mobile device), and something you are (a
thumb print or facial recognition).
 Authorization: After a user has been authenticated, the user may be authorized to access
and use the application. The system can validate that a user has permission to access the
application by comparing the user’s identity with a list of authorized users.
Authentication must happen before authorization so that the application matches only
validated user credentials to the authorized user list.
 Encryption: After a user has been authenticated and is using the application, other
security measures can protect sensitive data from being seen or even used by a
cybercriminal. In cloud-based applications, where traffic containing sensitive data travels
between the end user and the cloud, that traffic can be encrypted to keep the data safe.
  Logging: If there is a security breach in an application, logging can help identify who got
access to the data and how. Application log files provide a time-stamped record of which
aspects of the application were accessed and by whom.
 Application security testing: A necessary process to ensure that all of these security
controls work properly.

5.8 Virtual Machine Security

Securing virtual machines (VMs) in cloud computing is crucial to ensuring the confidentiality,
integrity, and availability of your data and applications. Here are some key considerations for
virtual machine security in cloud computing:

1. Hypervisor Security:

 Choose a reputable and secure hypervisor for your virtual machines.

 Regularly update and patch the hypervisor to address any security vulnerabilities.

2. Isolation:

 Ensure proper isolation between virtual machines to prevent unauthorized access or

interference.
 Leverage features such as VLANs, Virtual Private Clouds (VPCs), or network security
groups to control traffic between VMs.

3. Network Security:

 Implement robust network security measures, such as firewalls, intrusion detection and
prevention systems, and secure communication protocols.
 Use network segmentation to limit the exposure of VMs to potential threats.
4. Data Encryption:

 Encrypt data both in transit and at rest to protect it from unauthorized access.
 Utilize encryption protocols like TLS/SSL for communication and disk encryption for
storage.

5. Access Controls:

 Implement strong access controls to restrict user and application access to VMs.
 Use Identity and Access Management (IAM) tools to manage permissions and roles.

6. Patch Management:

 Regularly apply security patches to the operating system, applications, and software
running on virtual machines.
 Automate patch management processes to ensure timely updates.

7. Monitoring and Logging:

 Set up comprehensive monitoring for VMs to detect any abnormal activities.

 Implement centralized logging to track and analyze events, aiding in the identification of
security incidents.

8. Incident Response Plan:

 Develop and regularly update an incident response plan to address security breaches
promptly.
 Perform regular drills to ensure the effectiveness of the response plan.

9. Backup and Disaster Recovery:

 Implement regular backups of VMs and critical data to facilitate quick recovery in case of
a security incident.
 Test the backup and recovery processes to ensure their reliability.

10. Security Compliance:

 Adhere to industry-specific and regulatory compliance standards relevant to your

organization.
 Regularly audit and assess the security posture of your virtual machines.

11. User Education:

 Educate users and administrators about security best practices and potential threats.
 Encourage the use of strong authentication methods, such as multi-factor authentication.
12. Vendor Security:

 If using Infrastructure as a Service (IaaS) providers, evaluate their security practices and
certifications.
 Understand the shared responsibility model and ensure that your security measures align
with the provider's responsibilities.

5.9 Identity Management and Access Control

Identity Management (IDM) refers to the processes and technologies used to manage and secure
digital identities within an organization. The goal of identity management is to ensure that only
authorized individuals or entities have access to resources, systems, and data.

To verify identity, a computer system will assess a user for characteristics that are specific to
them. If they match, the user's identity is confirmed. These characteristics are also known as
"authentication factors," because they help authenticate that a user is who they say they are.

The three most widely used authentication factors are:

 Something the user knows (e.g username and password)

 Something the user has (eg. OTP in smartphone)
 Something the user is (eg. Fingerprint, retina scan etc)

Access Control involves regulating and managing access to resources, systems, or information
based on the permissions associated with an individual's digital identity. Access control
mechanisms ensure that users have the appropriate level of access and permissions needed to
perform their tasks, while also preventing unauthorized access.

Key components of access control include:

1. Authentication:
o Verifying the identity of users through credentials (e.g., usernames and
passwords) or more advanced methods like biometrics or smart cards.
2. Authorization:
o Granting or denying access to specific resources based on the authenticated user's
permissions and privileges. This is often implemented through policies, rules, or
access control lists (ACLs).
3. Role-Based Access Control (RBAC):
o Assigning roles to users and granting permissions based on those roles. This
simplifies access management by associating permissions with job functions.
4. Access Control Lists (ACLs):
o Lists that define permissions attached to an object, such as files or directories,
specifying which users or system processes are granted access.
 5. Encryption:
o Protecting sensitive data by converting it into unreadable code that can only be
deciphered with the appropriate encryption key.
6. Biometric Access Control:
o Using unique physical or behavioral characteristics (e.g., fingerprints, retina
scans) to authenticate and grant access to individuals.
7. Access Reviews:
o Periodic assessments of user access rights to ensure that permissions are still
appropriate and aligned with the principle of least privilege.

By integrating effective identity management and access control practices, organizations can
enhance security, streamline user management processes, and ensure compliance with regulatory
requirements.