CC Unit-V


UNIT-V

What is cloud security?

Cloud security is the set of control-based security measures and technology protections
designed to protect resources stored online from leakage, theft, and data loss. It covers
the cloud infrastructure, the applications running on it, and the data they hold. Security
applications themselves are delivered as software on the same SaaS (Software as a Service)
model.

How to manage security in the cloud?

Cloud service providers have many methods to protect the data.

Firewall is the central part of cloud architecture. The firewall protects the network and the
perimeter of end-users. It also protects traffic between various apps stored in the cloud.

Access control protects data by letting us set access lists for various assets. For example,
you can allow specific employees to use an application while restricting others. The rule is
that employees can access only the equipment they require. Strict access control keeps
essential documents from being stolen by malicious insiders or hackers.

Data protection methods include Virtual Private Networks (VPN), encryption, and masking. A
VPN allows remote employees to connect to the network and accommodates tablets and
smartphones for remote access. Data masking maintains the data's integrity by keeping
identifiable information private, so a medical company can share masked data without
violating HIPAA laws.
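The masking idea in the paragraph above, as an added example that is not part of the original notes: direct identifiers (name, SSN, e-mail) are replaced by a keyed, deterministic pseudonym so records can still be joined, quasi-identifiers (ZIP code, date of birth) are generalised, and clinical fields are left intact. The field names, the record and the masking key are constructed for illustration; a real key would come from a key vault.

```python
import hashlib
import hmac

# Constructed secret (assumption: in practice loaded from a key vault, never hard-coded).
MASKING_KEY = b"example-masking-key-do-not-reuse"

# Fields that directly identify a person: replaced by a stable pseudonym.
DIRECT_IDENTIFIERS = {"patient_name", "email", "ssn"}
# Fields that could identify a person in combination: coarsened, not removed.
QUASI_IDENTIFIERS = {"zip_code", "date_of_birth"}


def pseudonym(value: str) -> str:
    """Keyed HMAC pseudonym: the same input always gives the same token (joins still
    work), but without the key the token cannot be reversed to the original value."""
    digest = hmac.new(MASKING_KEY, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "tok_" + digest[:16]


def generalise(field: str, value: str) -> str:
    """Coarsen quasi-identifiers so they remain useful for analysis."""
    if field == "zip_code":
        return value[:3] + "XX"      # keep only the 3-digit ZIP prefix
    if field == "date_of_birth":
        return value[:4]             # keep only the year
    return value


def mask_record(record: dict) -> dict:
    """Return a masked copy of one record; non-identifying fields pass through."""
    masked = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            masked[field] = pseudonym(str(value))
        elif field in QUASI_IDENTIFIERS:
            masked[field] = generalise(field, str(value))
        else:
            masked[field] = value
    return masked


def leaks_identifiers(original: dict, masked: dict) -> bool:
    """Check a practitioner wants before sharing: no raw direct identifier value
    may appear anywhere in the masked output."""
    serialised = " ".join(str(v) for v in masked.values())
    return any(str(original[f]) in serialised for f in DIRECT_IDENTIFIERS if f in original)


if __name__ == "__main__":
    # Constructed sample record, not real patient data.
    sample = {"patient_name": "Jane Doe", "ssn": "123-45-6789", "zip_code": "94107",
              "date_of_birth": "1980-06-14", "diagnosis_code": "E11.9"}
    print(mask_record(sample))
```

The HMAC pseudonym is preferable to a plain hash because an unkeyed hash of a short identifier such as an SSN can be reversed by brute force over the small input space.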

For example, threat intelligence spots security threats and ranks them in order of
importance, which helps to protect mission-critical assets. Disaster recovery is vital for
security because it helps to recover lost or stolen data.

Benefits of Cloud Security System

We understand how the cloud computing security operates to find ways to benefit your
business.

Cloud-based security systems benefit the business by:

o Protecting the business from dangers
o Protecting against internal threats
o Preventing data loss
o Top threats to the system include malware, ransomware, and
o Breaking malware and ransomware attacks
o Malware poses a severe threat to businesses.

WHAT ARE THE SECURITY ASPECTS

Although the cloud hosting technology offers several benefits to its users, there are certain
concerns that it carries with it. Some of the client data is housed in the cloud vendor's
environment which may or may not comply with all the security norms and policies, leaving
the client data susceptible to attacks and lapses. In case there is a bug in the vendor
environment, all the users will become vulnerable to attacks by hackers. However, cloud
adopts the following security measures to efficiently tackle these security aspects.

- Each user must be completely isolated from the other users through the virtualization
technology with firewalls, intrusion detection and prevention measures.

- The data communication between the cloud service provider and client must be secured
using VPNs (virtual private networks).

Request-based Access

- Users must authenticate themselves to get access to the organization's data that run on the
cloud. This is a federated identity service which integrates the identity management of an
organization and cloud service provider.

- Users must check the policies and then assess to decide which cloud hosting providers
would suit their requirements of security, reliability etc.
Some of the salient features of cloud computing that are beneficial to every organization
include on-demand resource availability, resource pooling, rapid elasticity, metered services
and access via the internet.

Some of the Risks Include:


- Data loss or leakage could damage the business reputation as well as create a doubt or
suspicion that could affect employer/employee relationship.

- It can create huge financial losses for the business. This can be mitigated by restricting
access to data to authorized personnel only.

The data is stored away from the business premises of the customer. This has been the
primary concern of every CIO.

Security of the Cloud

Technology has developed but with it the activities of the cyber criminals also have
advanced. DDoS attacks can cripple the functioning of a business. Strong firewalls and anti-
malware solutions can reduce the severity of the risk.

Another solution is the encryption of data while it is being transmitted from the client to
provider. The consumers should be kept in individual compartments to make sure that if one
account is compromised the other users will not be affected.
People often ask what security aspects cloud computing provides. Cloud security is nothing
without the key technologies that make it secure. Such technologies are:

Encryption- It is a technology that lets data be understood only by the authorized party. Its
sole purpose is to convert data into a format that cannot be easily interpreted; this process is
termed encryption. Cloud technology relies heavily on encryption to keep data secure, since
some data, if left unencrypted, can be a great hazard to a company. Encryption therefore
underpins aspects of data security in cloud computing that are easy to overlook.

Firewall- Security aspects of cloud computing are not limited to encryption. A firewall is a
very effective way of keeping data safe by creating an additional layer of protection: it
blocks malicious traffic, and such attacks very frequently arrive through web traffic. Cloud
firewalls are hosted in the cloud, unlike traditional firewalls that stayed on-premises and
were less efficient for cloud workloads.

Security Policies- Aspects of data security in cloud computing knows no bounds. Security
policies are applied throughout the complete cloud infrastructure. For better cloud security,
there must be a proper configuration of security settings through strict security policies.
When a company does not take its security policies seriously then they end up going through
data breaches.

Backup Plans- Data security also requires backup plans so that not a single bit of data is at
risk. To avoid any kind of data loss, data should be backed up either on-premises or on
another cloud. There should always be a plan B to cover any losses that may occur. To give
more assurance about data security, cloud technology has come up with multi-cloud and
hybrid cloud infrastructure.

Auditing & Compliance in Cloud Computing

Cloud computing is best defined by the National Institute of Standards and Technology
(NIST). NIST is a portion of the U.S. Department of Commerce with the mission of
encouraging innovation through science, technology, and standards – including cloud
computing. According to NIST, “Cloud computing is a model for enabling ubiquitous,
convenient, on-demand network access to a shared pool of configurable computing resources
(e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned
and released with minimal management effort or service provider interaction. This cloud
model is composed of five essential characteristics, three service models, and four
deployment models.”
This definition was created to set a baseline for the discussion around cloud computing. As
defined, cloud computing includes the following:
 Five Essential Characteristics – On-demand self-service, broad network access,
resource pooling, rapid elasticity, and measured service.
 Three Service Models – Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS),
and Infrastructure-as-a-Service (IaaS).
 Four Deployment Models – Private cloud, community cloud, public cloud, and hybrid
cloud.
The different characteristics, service models, and deployment models can be shaped and
morphed into different resources depending on the needs of the organization.

Auditing in Cloud Computing


In general, an audit is when a third-party independent group is engaged to obtain evidence
through inquiry, physical inspection, observation, confirmation, analytics procedures, and/or
re-performance.
In a cloud computing audit, a variation of these steps is completed in order to form an opinion
over the design and operational effectiveness of controls identified in the following areas:

 Communication
 Security incidents
 Network security
 System development or change management
 Risk management
 Data management
 Vulnerability and remediation management
 Tone at the top, or leadership's commitment to transparency and ethical behavior

What is Cloud Compliance?

Cloud compliance is meeting the requirements or criteria needed to meet a certain type of
certification or framework. There are a variety of different types of compliance that may be
required by the industry, including requests for proposals, clients, etc. The type of cloud
security and compliance requirements will help determine the cloud compliance that is right
for an organization.
For example, SOC 2 does not have any specific requirements around cloud compliance but
does have criteria, such as CC6.1 “The entity implements logical access security software,
infrastructure, and architectures over protected information assets to protect them from
security events to meet the entity’s objectives.” To provide users assurance that the criteria
have been met, certain controls are enabled to show evidence of cloud compliance. Some of
these include security groups to control access to sensitive information, encryption of
information, and regular patching.
Some other cloud compliance programs include:

 FedRAMP
 Cloud Security Alliance (CSA)
 HITRUST
 ISO 27017
 PCI

How Do You Achieve Cloud Compliance?

While a great question, achieving cloud compliance has no simple answer. Why, you may
ask? Because it is possible to be compliant today and out of compliance tomorrow.
However, the best way to assure users that cloud compliance has been achieved is, first, to
set a goal of what that means and, second, to engage a third party to validate that, at the time
of testing, controls were designed and implemented and, if looking back over a period of
time, that those controls operated consistently. Goals in this instance are generally whether
or not a company is in compliance with certain criteria or frameworks. Once the scope of the
cloud computing audit has been established, execution can commence.
During the planning and execution stages of a cloud security and compliance audit, it is
important to have a clear understanding of what the objectives of the audit include, as noted
above. Companies should strive to align their business objectives with the objectives of the
audit. This will ensure that time and resources spent will help achieve a strong internal
control environment and lower the risk of a qualified opinion.

Cloud Audit Objectives


Auditors use objectives as a way of concluding the evidence they obtain. Below is a sample
list of cloud computing objectives that can be used by auditors and businesses alike.

 Define a Strategic IT Plan: The use of IT resources should align with company
business strategies. When defining this objective, some key considerations should
include whether IT investments are supported by a strong business case and what
education will be required during the rollout of new IT investments.
 Define the Information Architecture: The information architecture includes the
network, systems, and security requirements needed to safeguard the integrity and
security of information. Whether the information is at rest, in transit, or being
processed.
 Define the IT Processes, Organization, and Relationships: Creating processes that
are documented, standardized, and repeatable creates a more stable IT environment.
Businesses should focus on creating policies and procedures that include organization
structure, roles and responsibilities, system ownership, risk management, information
security, segregation of duties, change management, incident management, and disaster
recovery.
 Communicate Management Aims and Direction: Management should make sure its
policies, mission, and objectives are communicated across the organization.
 Assess and Manage IT Risks: Management should document those risks that could
affect the objectives of the company. These could include security vulnerabilities, laws
and regulations, access to customers or other sensitive information, etc.
 Identify Vendor Management Security Controls: As companies are relying on other
vendors such as AWS to host their infrastructure or ADP for payroll processing,
companies need to identify those risks that could affect the reliability, accuracy, and
safety of sensitive information.

What is the Scope of a Cloud Computing Audit?

The scope of a cloud computing audit will include the procedures specific to the subject of
the audit. Additionally, it will include the IT general controls related to the following:

 Organization and Administration


 Communication
 Risk Assessment
 Monitoring Activities
 Logical and Physical Access
 Systems Operations
 Change Management
An auditor is free to review and require evidence for any of the controls identified within
these areas to gain the required assurance that controls are designed and operate effectively. It
is also important to note that the controls that are maintained by a vendor are not included in
the scope of a cloud computing audit.

What is the Responsibility of a Cloud Auditor?

The role of an auditor is to provide an objective opinion based on facts and evidence that a
company has controls in place to meet a certain objective, criteria, or requirement.
Additionally, in many cases, the auditor will also provide an opinion on whether or not those
controls operated over a period of time. Auditing the cloud for compliance is no different. In
instances where the audit requires cloud compliance to satisfy the criteria, the auditor will ask
for evidence that controls are enabled (i.e. security groups, encryption, etc). This will allow
the cloud auditor to provide an opinion of whether controls were in place and as applicable if
they operated over a period of time.

What Factors Should be Included as Part of Your Cloud Audit Checklist?


As mentioned before, auditors rely on different types of procedures such as inquiry, physical
inspection, observation, confirmation, analytics procedures, and/or re-performance to collect
evidence. These test procedures will be used in combination to obtain evidence to provide an
opinion on the service being audited. While a checklist for an audit doesn’t really exist as
every environment is a little different, below are example tests performed for each of the IT
general control areas identified above. Note that this is not an all-inclusive list.

Control Area: Organization and Administration
Procedures:
 Inspect the company’s organizational structure
 Inspect job positions with employee roles and responsibilities
 Observe interviews to determine whether the company tests technical competencies
 Inspect evidence of completed background checks

Control Area: Communication
Procedures:
 Inspect policies and procedures
 Inspect evidence that policies and procedures are available to all employees for
reference
 Inspect company Terms of Use or Privacy documentation to determine whether or not
they identify responsibilities and commitments
 Inquire of management about their commitment to ethical values

Control Area: Risk Assessment
Procedures:
 Inspect the company’s documented risk assessment
 Inspect the risk assessment to determine whether mitigation activities are identified, as
required

Control Area: Monitoring Activities
Procedures:
 Inspect documentation which identifies system vulnerabilities
 Inspect system configurations to determine whether notifications are provided when
vulnerabilities or failures are identified
 Inspect evidence that identified vulnerabilities are remediated

Control Area: Logical and Physical Access
Procedures:
 Observe that the office requires a badge to enter
 Inspect evidence that individuals with administrator-level access are authorized
 Inspect the password policy used to enter the network

Control Area: Systems Operations
Procedures:
 Inspect monitoring tools used to monitor traffic and alert on suspicious activity
 Inspect evidence that the tools successfully send alerts, as required
 Inspect evidence that notifications are followed up on and remediated as necessary

Control Area: Change Management
Procedures:
 Inspect evidence to confirm that changes are defined and documented, approved for
development, tested, and approved for implementation

Cloud security risks and challenges


Cloud suffers from similar security risks that you might encounter in traditional
environments, such as insider threats, data breaches and data loss, phishing, malware, DDoS
attacks, and vulnerable APIs.

However, most organizations will likely face specific cloud security challenges, including:

Lack of visibility

Cloud-based resources run on infrastructure that is located outside your corporate network
and owned by a third party. As a result, traditional network visibility tools are not suitable for
cloud environments, making it difficult for you to gain oversight into all your cloud assets,
how they are being accessed, and who has access to them.

Misconfigurations

Misconfigured cloud security settings are one of the leading causes of data breaches in cloud
environments. Cloud-based services are made to enable easy access and data sharing, but
many organizations may not have a full understanding of how to secure cloud infrastructure.
This can lead to misconfigurations, such as leaving default passwords in place, failing to
activate data encryption, or mismanaging permission controls.
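The three misconfigurations named above (default passwords left in place, encryption not enabled, over-broad permissions), plus public exposure, expressed as a small configuration checker. This is an added example, not part of the original notes; the inventory records are constructed and their field names are assumptions standing in for whatever a provider's inventory API returns.

```python
from __future__ import annotations

# Constructed default-credential pairs that should never appear on a live resource.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", "root"), ("admin", "password")}

# Constructed inventory (assumption: simplified shape of a cloud inventory export).
INVENTORY = [
    {"id": "bucket-customer-exports", "type": "storage_bucket",
     "public_access": True, "encryption_at_rest": False},
    {"id": "bucket-internal-logs", "type": "storage_bucket",
     "public_access": False, "encryption_at_rest": True},
    {"id": "db-billing", "type": "database", "encryption_at_rest": True,
     "admin_user": "admin", "admin_password": "admin",
     "allowed_cidrs": ["0.0.0.0/0"]},
    {"id": "role-ci-deployer", "type": "iam_role",
     "actions": ["*"], "resources": ["*"]},
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def check_resource(res: dict) -> list[dict]:
    """Run every rule against one resource; each rule that fires appends a finding."""
    findings: list[dict] = []

    def flag(severity: str, issue: str) -> None:
        findings.append({"resource": res["id"], "severity": severity, "issue": issue})

    if res.get("public_access"):
        flag("high", "resource is publicly accessible")
    if res.get("encryption_at_rest") is False:        # None means not applicable
        flag("medium", "encryption at rest is disabled")
    if (res.get("admin_user"), res.get("admin_password")) in DEFAULT_CREDENTIALS:
        flag("critical", "default administrative credentials in use")
    if "0.0.0.0/0" in res.get("allowed_cidrs", []):
        flag("high", "network access allowed from the whole internet")
    if (res.get("type") == "iam_role"
            and "*" in res.get("actions", []) and "*" in res.get("resources", [])):
        flag("high", "wildcard permissions on all resources")
    return findings


def scan(inventory: list[dict]) -> list[dict]:
    """Scan the whole inventory and return findings, most severe first."""
    findings = [f for res in inventory for f in check_resource(res)]
    return sorted(findings, key=lambda f: SEVERITY_RANK[f["severity"]])


def findings_by_resource(findings: list[dict]) -> dict[str, int]:
    """Count findings per resource; resources with none are omitted."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f["resource"]] = counts.get(f["resource"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan(INVENTORY):
        print(f"[{f['severity']:>8}] {f['resource']}: {f['issue']}")
```

Run on a schedule against a fresh inventory export, a checker like this turns "misconfiguration" from a one-off review into continuous evidence, which is what the audit sections later in these notes ask for.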

Access management

Cloud deployments can be accessed directly over the public internet, which enables
convenient access from any location or device. At the same time, it also means that attackers
can more easily gain access to resources with compromised credentials or improper access
control.

Dynamic workloads

Cloud resources can be provisioned and dynamically scaled up or down based on your
workload needs. However, many legacy security tools are unable to enforce policies in
flexible environments with constantly changing and ephemeral workloads that can be added
or removed in a matter of seconds.

Compliance

The cloud adds another layer of regulatory and internal compliance requirements that you can
violate even if you don’t experience a security breach. Managing compliance in the cloud is
an overwhelming and continuous process. Unlike an on-premises data center where you have
complete control over your data and how it is accessed, it is much harder for companies to
consistently identify all cloud assets and controls, map them to relevant requirements, and
properly document everything.

Software–as–a–Service Security

SaaS (Software as a Service) security refers to the measures and processes implemented to
protect the data and applications hosted by a SaaS provider. This typically includes measures
such as encryption, authentication, access controls, network security, and data backup and
recovery.
Why is SaaS Security important?
SaaS (Software as a Service) has become increasingly popular in recent years due to its
flexibility, cost-effectiveness, and scalability. However, this popularity also means that SaaS
providers and their customers face significant security challenges.
SaaS Security is important because:
 Sensitive data would be well-protected and not compromised by hackers, malicious
insiders or other cyber threats.
 SaaS security helps avoid severe consequences such as legal liabilities, damage to
reputation and loss of customers.
 Aids in increasing the trust of the SaaS provider to the customers.
 Aids in compliance with security standards and regulations.
 Ensures the security and protection of hosted applications and data from cyber threats,
minimizing the chances of data breaches and other security incidents.
Challenges in SaaS security
Some of the most significant challenges in SaaS security include:
1. Lack of Control
SaaS providers typically host applications and data in the cloud, meaning that customers have
less direct control over their security. This can make it challenging for customers to monitor
and manage security effectively.
2. Access Management
SaaS applications typically require users to log in and authenticate their identity. However,
managing user access can be challenging, particularly if the provider is hosting applications
for multiple customers with different access requirements.
3. Data Privacy
SaaS providers may be subject to data privacy regulations, which can vary by jurisdiction.
This can make it challenging to ensure compliance with all relevant laws and regulations,
particularly if the provider hosts data for customers in multiple countries.
4. Third-party integration
SaaS providers may integrate with third-party applications, such as payment processors or
marketing platforms. However, this can increase the risk of security incidents, as
vulnerabilities in third-party software can potentially affect the entire system.
5. Continuous monitoring
SaaS providers must continuously monitor their systems for security threats and
vulnerabilities. This requires a high level of expertise and resources to detect and respond to
security incidents effectively.
What makes SaaS applications risky?
1. Virtualization
Cloud computing systems run on virtual servers to store and manage multiple accounts and
machines, unlike traditional networking systems. In such a case, if even a single server is
compromised it could put multiple stakeholders at risk. Though virtualization technology has
improved significantly over time, it still poses vulnerabilities that are often easy targets for
cybercriminals. When properly configured and implemented with strict security protocols, it
can provide significant protection from numerous threats.
2. Managing identity
Many SaaS providers allow for Single Sign-on (SSO) abilities to ease access to applications
greatly. This is most helpful when there are multiple SaaS applications and access is role-
based. Some of the providers do have secure data access systems, however, with an increase in
the number of applications, it becomes quite complicated and difficult to manage securely.
3. Standards for cloud services
SaaS security can vary greatly based on the provider and the standards they maintain. Not all
SaaS providers conform to globally accepted SaaS security standards. Even those providers
that are compliant might not have SaaS-specific certification. Standards such as ISO 27001
can offer a certain level of confidence; however, if not carefully evaluated, they might not
have all security avenues covered under the certification.
4. Obscurity
Most of the time customers are not aware of the processes handled by the SaaS service
provider. If a SaaS provider tries to be too obscure about the backend details, consider it a red
flag. To be completely confident regarding SaaS security, customers must know in detail how
everything works.
Most popular SaaS providers are transparent about their backend processes; however, several
providers may not disclose details such as their security protocols and multi-tenant
infrastructure. In such cases, Service Level Agreements (SLA) are useful since it compels the
provider to disclose all responsibilities. After all, customers have a right to know how their
data is protected against cyber-attacks and information exposure among other SaaS risks.
5. Data location
SaaS tools might store clients’ data in some other geographical region, but not all providers
can promise that due to several factors such as data laws and cost. Sometimes clients would be
comfortable with their data being stored within their country. Data location should also be
based on factors such as data latency and load balancing.
6. Access from anywhere
SaaS apps can be accessed from anywhere and that is one of the reasons which makes them
more appealing. However, this feature has its own set of risks. Incidents such as accessing the
application using an infected mobile device or public WiFi without any VPN would
compromise the server. If the endpoints are not secure it would allow attackers to enter the
server.
7. Data control
Since all data will be hosted on the cloud, clients do not have complete control over it. If
something goes wrong, clients are at the mercy of the SaaS provider. Once agreeing to a price
model, the provider becomes responsible for storing and managing data. In such cases, clients
often worry about who has access to it, scenarios of data corruption, and access by third
parties and competitors, to name a few. When sensitive data is stored, answers to these queries
become much more crucial.
SaaS Security Best Practices
No system is safe and as we saw above, SaaS offerings also have security concerns that need
to be resolved. By following the below security practices, you can leverage the powerful
features and advantages of SaaS without worrying about security.
1. End-to-end data encryption
This means that all kinds of interaction between server and user happens over SSL
connections and are encrypted. However, end-to-end encryption should also exist for data
storage. Many providers have the option to encrypt the data by default, while some clients
need to explicitly specify this. Clients can also have the option to encrypt specific fields such
as financial details by using Multi-domain SSL certificates.
2. Vulnerability testing
You can expect SaaS providers to make high claims regarding SaaS security, but the onus to
verify these claims can end up with the clients. If the SaaS provider has tools or checks, they
should be reliable and meet all standards. Apart from these, you should also ensure that
intensive checks are done on the SaaS systems.
There are multiple ways to assess SaaS security, such as automated tools or manually by
security experts. A comprehensive SaaS security check should meet both automated and
manual checks since it would also consider real-world scenarios and the latest threats. A
number of quality SaaS security solutions are available to help you with the security testing
process.
3. Policies for data deletion
Data deletion policies play an important role in keeping customers’ data safe. SaaS providers
should be clear in declaring their data deletion policies to their clients. These policies are stated
in the service agreement and should include what happens after the customer’s data retention
timeline ends. When applicable, client data should be programmatically deleted from the server
and corresponding logs should be generated.

4. Data security at the user level

Multiple levels of SaaS security can limit the damage from cyber-attacks. At the user level,
security protocols such as role-based permissions and access, and enforced distribution of tasks,
will protect your system from attacks that leverage internal security gaps.
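Role-based permissions with an enforced separation of duties, as an added example serving both this point and the earlier access-control paragraph ("employees can access only the equipment they require"). It is not code from the original notes; the roles, permissions, users and conflict pairs are constructed for a small finance/IT tenant.

```python
from __future__ import annotations

# Constructed role model: each role grants a set of "object:action" permissions.
ROLE_PERMISSIONS = {
    "viewer":            {"document:read"},
    "editor":            {"document:read", "document:write"},
    "payments_clerk":    {"payment:create"},
    "payments_approver": {"payment:approve"},
    "admin":             {"document:read", "document:write", "user:manage"},
}

# Permission combinations one person must never hold (segregation of duties).
SOD_CONFLICTS = [
    ({"payment:create", "payment:approve"}, "creating and approving the same payment"),
    ({"user:manage", "payment:approve"}, "granting oneself payment approval"),
]

# Constructed user-to-role assignments; carol's assignment is a deliberate SoD violation.
USER_ROLES = {
    "alice": {"editor", "payments_clerk"},
    "bob":   {"payments_approver"},
    "carol": {"payments_clerk", "payments_approver"},
}


def effective_permissions(user: str) -> set[str]:
    """Union of the permissions of every role the user holds."""
    perms: set[str] = set()
    for role in USER_ROLES.get(user, ()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_allowed(user: str, permission: str) -> bool:
    """Default deny: an unknown user, unknown role or missing grant is refused."""
    return permission in effective_permissions(user)


def sod_violations(user: str) -> list[str]:
    """Reasons why this user's combined permissions break segregation of duties."""
    perms = effective_permissions(user)
    return [reason for conflict, reason in SOD_CONFLICTS if conflict <= perms]


def audit_all_users() -> dict[str, list[str]]:
    """Evidence an auditor can inspect: every user with at least one SoD conflict."""
    report: dict[str, list[str]] = {}
    for user in USER_ROLES:
        violations = sod_violations(user)
        if violations:
            report[user] = violations
    return report


if __name__ == "__main__":
    print("alice may write documents:", is_allowed("alice", "document:write"))
    print("SoD report:", audit_all_users())
```

Checking the assignment data itself for conflicts, rather than only checking each request, is what lets the control be evidenced at audit time instead of discovered after an incident.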
5. Virtual Private Network/Virtual Private Cloud
VPN and VPC provide a safe environment for clients for their operation and data storage. These
are better options and more secure than multi-tenant systems. These also enable users to log in and
use SaaS applications from anywhere by securing endpoints and protecting the infrastructure.
6. Virtual Machine Management
Your virtual machine needs to be updated regularly to maintain a secure infrastructure. Keep up
with the latest threats and patches on the market and deploy them timely to protect your VM.

7. Scalability & Reliability


SaaS offers great scalability (both vertical as well as horizontal) & reliability features. You have
the benefit of adding a new enhanced feature or additional resources as per your wish. Scaling
cannot be realized instantly, thus the vendor must put together a plan for horizontal redundancy. A
CDN (Content delivery network) adds more robustness to scaling.

8. Transport Layer Security and configuration certificates


SaaS security is greatly enhanced when a provider protects externally transmitted data using
Transport Layer Security. Moreover, TLS also improves privacy between communicating
applications and users. Make sure that the certificates are appropriately configured and follow
security protocols. The same applies to internal data too. Internal data should also be stored in an
encrypted format and any intra-application transfer should be protected. Further, cookie
security should be looked into as well.

9. User privileges and multi-factor authentication


Different categories of users should have different levels of privileges. Cybercriminals often
misuse privileges to access the core files of an application. Admins should have exclusive access
to crucial files and folders. Also, authentication is a major point of entry for attackers. 2 Factor
Authentication is the new standard for logging into applications. Make sure the SaaS application
adheres to this custom.

10. Logs
Logs help in monitoring SaaS security incidents and in detecting cyber attacks. SaaS
systems should make automatic logging available to clients to assist in audits or regular
monitoring.
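One thing such logs make possible, as an added example that is not from the original notes: detecting password guessing against SaaS accounts from authentication events. The log format ("timestamp user source_ip outcome"), the addresses (from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24) and the events are constructed.

```python
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log, one event per line (assumption: this format).
AUTH_LOG = """\
2024-03-01T09:00:01+00:00 alice 203.0.113.10 FAIL
2024-03-01T09:00:04+00:00 alice 203.0.113.10 FAIL
2024-03-01T09:00:09+00:00 bob 198.51.100.7 FAIL
2024-03-01T09:00:12+00:00 alice 203.0.113.10 FAIL
2024-03-01T09:00:15+00:00 bob 198.51.100.7 SUCCESS
2024-03-01T09:00:20+00:00 alice 203.0.113.10 FAIL
2024-03-01T09:00:25+00:00 alice 203.0.113.10 FAIL
2024-03-01T09:00:31+00:00 alice 203.0.113.10 SUCCESS
2024-03-01T09:10:00+00:00 carol 203.0.113.10 FAIL
2024-03-01T09:10:05+00:00 carol 203.0.113.10 FAIL
2024-03-01T09:10:10+00:00 carol 203.0.113.10 FAIL
2024-03-01T09:10:15+00:00 carol 203.0.113.10 FAIL
2024-03-01T09:10:20+00:00 carol 203.0.113.10 FAIL
"""


def parse_event(line: str) -> tuple:
    ts, user, ip, outcome = line.split()
    return datetime.fromisoformat(ts), user, ip, outcome


def detect_password_guessing(log_text: str, threshold: int = 5,
                             window: timedelta = timedelta(minutes=5)) -> dict:
    """Flag (user, source_ip) pairs with >= threshold failures inside a sliding
    window, and record whether a success followed (a possibly compromised account)."""
    events = sorted(parse_event(l) for l in log_text.splitlines() if l.strip())
    recent_failures: dict = defaultdict(list)
    flagged: dict = {}
    for ts, user, ip, outcome in events:
        key = (user, ip)
        if outcome == "FAIL":
            window_failures = recent_failures[key]
            window_failures.append(ts)
            while ts - window_failures[0] > window:      # drop failures outside the window
                window_failures.pop(0)
            if len(window_failures) >= threshold and key not in flagged:
                flagged[key] = {"first_failure": window_failures[0].isoformat(),
                                "failures": len(window_failures),
                                "success_after": False}
        elif outcome == "SUCCESS" and key in flagged:
            flagged[key]["success_after"] = True
    return flagged


def likely_compromised(flagged: dict) -> list[str]:
    """Accounts where a burst of failures was followed by a successful login."""
    return sorted(user for (user, _ip), info in flagged.items() if info["success_after"])


def sources_hitting_many_accounts(flagged: dict, min_accounts: int = 2) -> dict[str, list[str]]:
    """One source address flagged against several accounts suggests password spraying."""
    by_ip: dict[str, list[str]] = defaultdict(list)
    for user, ip in flagged:
        by_ip[ip].append(user)
    return {ip: sorted(users) for ip, users in by_ip.items() if len(users) >= min_accounts}


if __name__ == "__main__":
    hits = detect_password_guessing(AUTH_LOG)
    print("flagged:", hits)
    print("likely compromised:", likely_compromised(hits))
    print("spraying sources:", sources_hitting_many_accounts(hits))
```

Bob's single failure followed by a success is normal user behaviour and is not flagged; alice's burst followed by a success is the case that should go straight to incident response.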

11. Data Loss Prevention


Data Loss Prevention (DLP) consists of two parts, detection, and action. DLP systems can scan
outgoing or transferred data for sensitive information through keyword and phrase searches. Once
detected, data transfer is blocked preventing any leakage. For a robust system, the DLP system can
send alerts to the administrator who verifies if the detection is correct. There are also SaaS APIs
that enforce DLP protocols in your application.
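The two DLP parts described above (detection, then action) as an added example, not code from the original notes. Detection uses the keyword and phrase search the text mentions plus a structured check for card numbers that is Luhn-verified so that plain digit runs such as order numbers do not cause false blocks; the action phase blocks high-confidence hits, sends the rest to an administrator for verification, and never puts the full card number into the alert. The phrase list and messages are constructed.

```python
import re

# Constructed detection rules (assumption: a real deployment loads these from policy).
SENSITIVE_PHRASES = ["confidential", "internal use only", "patient record"]
# 13-16 digits, optionally separated by spaces or dashes; candidates are then
# Luhn-checked so that order numbers and similar digit runs are not blocked.
CARD_CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: true for syntactically valid payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def inspect_message(text: str) -> dict:
    """Detection phase: list what was found and decide block / alert / allow."""
    hits = []
    lowered = text.lower()
    for phrase in SENSITIVE_PHRASES:
        if phrase in lowered:
            hits.append(("phrase", phrase))
    for match in CARD_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            # Only the last four digits go into the alert, never the full number.
            hits.append(("card_number", digits[-4:]))

    if any(kind == "card_number" for kind, _ in hits):
        action = "block"        # high-confidence structured data: stop the transfer
    elif hits:
        action = "alert"        # keyword hit: let an administrator verify it
    else:
        action = "allow"
    return {"action": action, "hits": hits}


def enforce(text: str, alert_sink: list) -> bool:
    """Action phase: returns True if the transfer may proceed. Anything that is
    not a clean allow is recorded for administrator review."""
    verdict = inspect_message(text)
    if verdict["action"] != "allow":
        alert_sink.append(verdict)
    return verdict["action"] != "block"


if __name__ == "__main__":
    alerts: list = []
    for msg in ["Lunch at noon?",
                "Order 1234 5678 9012 3456 shipped",      # fails Luhn: allowed
                "This report is CONFIDENTIAL",
                "Customer card 4111 1111 1111 1111 attached"]:
        print(enforce(msg, alerts), msg)
    print(alerts)
```

Keyword matches are deliberately routed to "alert" rather than "block": a word like "confidential" in a sentence is weak evidence, and the administrator verification step the text describes is where that ambiguity gets resolved without disrupting legitimate work.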

12. Deployment security


Deployment can be either done on public cloud services or a SaaS vendor. In case you decide to
self-deploy your SaaS application then you need to test the security thoroughly and adopt enough
safeguards to protect your application against cyber attacks.
Most of the big cloud providers take care of all your SaaS security needs, however, when opting
for a public cloud vendor, make sure that they follow all globally accepted standards.

13. Be updated about OWASP security issues


Whenever testing your SaaS security, always keep an eye out for the top security issues reported
by OWASP. This provides a trusted repository for the latest security issues found and probable
fixes. Based on this you can design your tests that can discover security vulnerabilities in your
SaaS application. Also, this provides you with enough information to fix these issues and protect
against attacks that exploit these.
Cloud Security Governance
Cloud security governance refers to the management model that facilitates effective and
efficient security management and operations in the cloud environment so that an enterprise’s
business targets are achieved. This model incorporates a hierarchy of executive mandates,
performance expectations, operational practices, structures, and metrics that, when
implemented, result in the optimization of business value for an enterprise.

Cloud security governance helps answer leadership questions such as:


 Are our security investments yielding the desired returns?
 Do we know our security risks and their business impact?
 Are we progressively reducing security risks to acceptable levels?
 Have we established a security-conscious culture within the enterprise?

Strategic alignment, value delivery, risk mitigation, effective use of resources, and
performance measurement are key objectives of any IT-related governance model, security
included. To successfully pursue and achieve these objectives, it is important to understand
the operational culture and business and customer profiles of an enterprise, so that an
effective security governance model can be customized for the enterprise.

Cloud Security Governance Challenges


Whether developing a governance model from the start or having to retrofit one on existing
investments in cloud, these are some of the common challenges:

Lack of senior management participation and buy-in

The lack of a senior management influenced and endorsed security policy is one of the
common challenges facing cloud customers. An enterprise security policy is intended to set
the executive tone, principles and expectations for security management and operations in the
cloud. However, many enterprises tend to author security policies that are often laden with
tactical content, and lack executive input or influence. The result of this situation is the
ineffective definition and communication of executive tone and expectations for security in
the cloud. To resolve this challenge, it is essential to engage enterprise executives in the
discussion and definition of tone and expectations for security that will feed a formal
enterprise security policy. It is also essential for the executives to take full accountability for
the policy, communicating its provisions to the enterprise, and subsequently enforcing
compliance.

Lack of embedded management operational controls
Another common cloud security governance challenge is lack of embedded management
controls into cloud security operational processes and procedures. Controls are often
interpreted as an auditor’s checklist or repackaged as procedures, and as a result, are not
effectively embedded into security operational processes and procedures as they should be,
for purposes of optimizing value and reducing day-to-day operational risks. This lack of
embedded controls may result in operational risks that may not be apparent to the enterprise.
For example, the security configuration of a device may be modified (change event) by a
staffer without proper analysis of the business impact (control) of the modification. The net
result could be the introduction of exploitable security weaknesses that may not have been
apparent with this modification. The enterprise would now have to live with an inherent
operational risk that could have been avoided if the control had been embedded in the change
execution process.
Lack of operating model, roles, and responsibilities

Many enterprises moving into the cloud environment tend to lack a formal operating model
for security, or do not have strategic and tactical roles and responsibilities properly defined
and operationalized. This situation stifles the effectiveness of a security management and
operational function/organization to support security in the cloud. Simply establishing a
hierarchy that includes designating an accountable official at the top, supported by a
stakeholder committee, management team, operational staff, and third-party provider support
(in that order) can help an enterprise to better manage and control security in the cloud, and
protect associated investments in accordance with enterprise business goals. This hierarchy
can be employed in an in-sourced, out-sourced, or co-sourced model depending on the
culture, norms, and risk tolerance of the enterprise.

Lack of metrics for measuring performance and risk

Another major challenge for cloud customers is the lack of defined metrics to measure
security performance and risks – a problem that also stifles executive visibility into the real
security risks in the cloud. This challenge is directly attributable to the combination of other
challenges discussed above. For example, a metric that quantitatively measures the number of
exploitable security vulnerabilities on host devices in the cloud over time can be leveraged as
an indicator of risk in the host device environment. Similarly, a metric that measures the
number of user-reported security incidents over a given period can be leveraged as a
performance indicator of staff awareness and training efforts. Metrics enable executive
visibility into the extent to which security tone and expectations (per established policy) are
being met within the enterprise and support prompt decision-making in reducing risks or
rewarding performance as appropriate.
The challenges described above clearly highlight the need for cloud customers to establish a
framework to effectively manage and support security in the cloud, so that the
pursuit of business targets is not compromised. Unless tone and expectations for
cloud security are established (via an enterprise policy) to drive operational processes and
procedures with embedded management controls, it is very difficult to determine or evaluate
business value, performance, resource effectiveness, and risks regarding security operations
in the cloud. Cloud security governance facilitates the institution of a model that helps
enterprises explicitly address the challenges described above.
Key Objectives for Cloud Security Governance
Building a cloud security governance model for an enterprise requires strategic-level security
management competencies in combination with the use of appropriate security standards and
frameworks (e.g., NIST, ISO, CSA) and the adoption of a governance framework (e.g.,
COBIT). The first step is to visualize the overall governance structure, inherent components,
and to direct its effective design and implementation. The use of appropriate security
standards and frameworks allows for a minimum standard of security controls to be
implemented in the cloud, while also meeting customer and regulatory
compliance obligations where applicable. A governance framework provides referential
guidance and best practices for establishing the governance model for security in the cloud.
The following represents key objectives to pursue in establishing a governance model for
security in the cloud. These objectives assume that appropriate security standards and a
governance framework have been chosen based on the enterprise’s business targets, customer
profile, and obligations for protecting data and other information assets in the cloud
environment.

1. Strategic Alignment
Enterprises should mandate that security investments, services, and projects in the cloud are
executed to achieve established business goals (e.g., market competitiveness, financial, or
operational performance).

2. Value Delivery
Enterprises should define, operationalize, and maintain an appropriate security
function/organization with appropriate strategic and tactical representation, and charged with
the responsibility to maximize the business value (Key Goal Indicators, ROI) from the pursuit
of security initiatives in the cloud.

3. Risk Mitigation
Security initiatives in the cloud should be subject to measurements that gauge effectiveness in
mitigating risk to the enterprise (Key Risk Indicators). These initiatives should also yield
results that progressively demonstrate a reduction in these risks over time.

4. Effective Use of Resources


It is important for enterprises to establish a practical operating model for managing and
performing security operations in the cloud, including the proper definition and
operationalization of due processes, the institution of appropriate roles and responsibilities,
and use of relevant tools for overall efficiency and effectiveness.

5. Sustained Performance
Security initiatives in the cloud should be measurable in terms of performance, value and risk
to the enterprise (Key Performance Indicators, Key Risk Indicators), and yield results that
demonstrate attainment of desired targets (Key Goal Indicators) over time.
Risk Management

Before learning risk management, let us take a glance at cloud computing. Cloud computing
is a technology that allows its user to access resources such as storage, memory, network, and
computing; these resources are physically present at any geographical location, but can be
accessed over the internet from anywhere in the globe. This advancement in technology has
revolutionised the working of businesses and organisations. More and more organisations are
investing in cloud deployment infrastructure rather than on-premise infrastructure. This
mobilization of technology introduces new risks associated with cloud computing, which
need to be treated with foresight. To manage these risks, organisations implement risk
management plans. Risk management is the process of identifying, assessing, and
controlling threats to an organisation's system security, capital and resources. Effective risk
management means attempting to control future outcomes proactively rather than reactively.
In the context of cloud computing, risk management plans are curated to deal with the risks
or threats associated with cloud security. Every business and organisation faces the risk of
unexpected, harmful events that can cost the organisation capital or cause it to permanently
close. Risk management allows organisations to prevent and mitigate threats, service
disruptions, attacks or compromises by quantifying the risks and keeping them below the
threshold of acceptable risk.

Process of Risk Management

Risk management is a cyclically executed process comprised of a set of activities for
overseeing and controlling risks. Risk management follows a series of 5 steps to manage risk,
which drive organisations to formulate a better strategy to tackle upcoming risks. These steps are
referred to as the Risk Management Process and are as follows:

 Identify the risk
 Analyze the risk
 Evaluate the risk
 Treat the risk
 Monitor or Review the risk

Now, let us briefly understand each step of the risk management process in cloud computing.

1. Identify the risk - The inception of the risk management process starts with the
identification of the risks that may negatively influence an organisation's strategy or
compromise cloud system security. Operational, performance, security, and privacy
requirements are identified. The organisation should uncover, recognise and describe
risks that might affect the working environment. Some risks in cloud computing
include cloud vendor risks, operational risks, legal risks, and attacker risks.
2. Analyze the risk - After the identification of the risk, the scope of the risk is
analyzed. The likelihood and the consequences of the risks are determined. In cloud
computing, the likelihood is determined as the function of the threats to the system,
the vulnerabilities, and consequences of these vulnerabilities being exploited. In
analysis phase, the organisation develops an understanding of the nature of risk and its
potential to affect organisation goals and objectives.
3. Evaluate the risk - The risks are further ranked based on the severity of the impact
they create on information security and the probability of actualizing. The
organisation then decides whether the risk is acceptable or it is serious enough to call
for treatment.
4. Treat the risk - In this step, the highest-ranked risks are treated to eliminate them or
reduce them to an acceptable level. Risk mitigation strategies and preventive
plans are set out to minimise the probability of negative risks and enhance
opportunities. The security controls are implemented in the cloud system and are
assessed by proper assessment procedures to determine if security controls are
effective to produce the desired outcome.
5. Monitor or Review the risk - Monitor the security controls in the cloud
infrastructure on a regular basis including assessing control effectiveness,
documenting changes to the system and the working environment. Part of the
mitigation plan includes following up on risks to continuously monitor and track new
and existing risks.
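The five steps above carried through as an added worked example (not the notes' own code): a small risk register in Python that scores likelihood x impact, ranks and evaluates each risk against a constructed risk appetite, records treatments, and re-checks residual scores at the monitoring step. Risk names, scores, treatments and the appetite value are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

RISK_APPETITE = 6  # constructed threshold: a score of 6 or below is acceptable


@dataclass
class Risk:
    name: str
    category: str                       # vendor, operational, legal or attacker
    likelihood: int                     # 1 (rare) .. 5 (almost certain)
    impact: int                         # 1 (negligible) .. 5 (business-ending)
    controls: list = field(default_factory=list)
    residual_likelihood: Optional[int] = None
    residual_impact: Optional[int] = None

    @property
    def inherent_score(self) -> int:
        # Step 2 (analyze): likelihood x consequence before any treatment
        return self.likelihood * self.impact

    @property
    def residual_score(self) -> int:
        # Score after treatment; equals the inherent score while untreated
        lk = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        im = self.impact if self.residual_impact is None else self.residual_impact
        return lk * im


def identify() -> list:
    """Step 1: a constructed register covering the risk categories named in the notes."""
    return [
        Risk("Breach of records stored at the CSP", "attacker", 3, 5),
        Risk("Vendor outage with no migration path", "vendor", 2, 4),
        Risk("Single-region deployment loses availability", "operational", 3, 3),
        Risk("Provider skips external compliance audit", "legal", 2, 3),
    ]


def evaluate(risks: list, appetite: int = RISK_APPETITE) -> tuple:
    """Step 3: rank by current score and split into 'treat' and 'accept' lists."""
    ranked = sorted(risks, key=lambda r: r.residual_score, reverse=True)
    to_treat = [r for r in ranked if r.residual_score > appetite]
    accepted = [r for r in ranked if r.residual_score <= appetite]
    return to_treat, accepted


def treat(risk: Risk, control: str, likelihood: int, impact: int) -> Risk:
    """Step 4: record a control and the residual likelihood/impact it is expected to leave."""
    risk.controls.append(control)
    risk.residual_likelihood = likelihood
    risk.residual_impact = impact
    return risk


def monitor(risks: list, appetite: int = RISK_APPETITE) -> list:
    """Step 5: re-evaluate; names of risks whose residual score still exceeds appetite."""
    still_open, _ = evaluate(risks, appetite)
    return [r.name for r in still_open]


def run_cycle() -> dict:
    """One pass through the cycle; returns a summary so the outcome can be inspected."""
    risks = identify()
    to_treat, accepted = evaluate(risks)
    # Constructed treatments for the risks above appetite; the vendor treatment is
    # deliberately weak so the monitoring step has something to send back for review.
    plan = {
        "Breach of records stored at the CSP": ("encrypt at rest + least-privilege IAM", 1, 4),
        "Vendor outage with no migration path": ("contractual exit clause only", 2, 4),
        "Single-region deployment loses availability": ("multi-region redundancy", 1, 3),
    }
    for r in to_treat:
        control, lk, im = plan[r.name]
        treat(r, control, lk, im)
    return {
        "ranked_inherent": [r.name for r in
                            sorted(risks, key=lambda r: r.inherent_score, reverse=True)],
        "accepted_untreated": [r.name for r in accepted],
        "residual": {r.name: r.residual_score for r in risks},
        "needs_review": monitor(risks),
    }


if __name__ == "__main__":
    for key, value in run_cycle().items():
        print(key, value)
```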

The steps of the risk management process should be executed concurrently, by individuals or
teams in well-defined organisational roles, as part of the System Development Life
Cycle (SDLC) process. Treating security as an add-on to the system, and implementing the risk
management process in cloud computing independently of the SDLC, is a more difficult
process that can incur higher cost with a lower potential to mitigate risks.

Types of Risks in Cloud Computing

This section involves the primary risks associated with cloud computing.

1. Data Breach - A data breach is unauthorized access to the confidential data of
the organisation by a third party such as hackers. In cloud computing, the data of the
organisation is stored outside its premises, that is, at the endpoint of the cloud
service provider (CSP). Thus, any attack targeting data stored on the CSP servers may
affect all of its customers.
2. Cloud Vendor Security Risk - Every organisation takes services offered by different
cloud vendors. The inefficiency of these cloud vendors to provide data security and
risk mitigation directly affects the organisation's business plan and growth. Also,
migrating from one vendor to another is difficult due to different interfaces and
services provided by these cloud vendors.
3. Availability - Any internet connection loss disrupts the cloud provider's services,
making the services inoperative. It can happen at both the user's and the cloud service
provider's end. An effective risk management plan should focus on availability of
services by creating redundancy in servers on the cloud such that other servers can
provide those services if one fails.
4. Compliance - The service provider might not follow the external audit process,
exposing the end user to security risks. If a data breach at the cloud service provider's
end exposes personal data, the organisation may be held accountable due to improper
protection and agreements.

Apart from these risks, cloud computing possesses various security risks bound under 2 main
categories.

 Internal Security Risks
 External Security Risks

Internal Security Risks

Internal security risks in cloud computing include the challenges that arise due to
mismanagement by the organisation or the cloud service provider. Some internal security risks
involve:

1. Misconfiguration of settings - Misconfiguration of cloud security settings, either by
the organisation's workforce or by the cloud service provider, creates the risk of a data
breach. Most small businesses' cloud security and risk management are inadequate for
protecting their cloud infrastructure.
2. Malicious Insiders - A malicious insider is a person working in the organisation who
therefore already has authorized access to the confidential data and resources of the
organisation. With cloud deployments, organisations lack control over the underlying
infrastructure, making it very hard to detect malicious insiders.

External Security Risks

External security risks are threats to an organisation arising from the improper handling of the
resources by its users and targeted attacks by hackers. Some of the external security risks
involve:

1. Unauthorized Access - The cloud-based deployment of the organisation's
infrastructure is outside the network perimeter and directly accessible from the public
internet. Therefore, it is easier for an attacker with compromised credentials to gain
unauthorized access to the server.
2. Account Hijacking - The use of a weak or reused password allows attackers to
gain control over multiple accounts using a single stolen password. Moreover,
organisations using cloud infrastructure often cannot identify and respond to such
threats.
3. Insecure APIs - The Application Programming Interfaces (APIs) provided by the
cloud service provider to the user are well-documented for ease of use. A potential
attacker might use this documentation to attack the data and resources of the
organisation.

Need for Risk Management

The risks discussed above are the primary security concern for individuals, businesses, and
organisations. If actualized, some risks may cause a business to close. These risks need to be
treated proactively by implementing risk management strategies. By implementing a risk
management plan and considering the various potential risks or events before they occur, an
organisation may save money and time and protect its future. This is because a robust risk
management plan will help an organisation establish procedures to prevent potential threats
and minimise their impact if they occur. This ability to understand and control risks allows
organisations to be more confident in their business decisions. Moreover, effective risk
management helps organisations to understand the processes deeply and provide information
that can be used to make informed decisions to provide increased levels of security and
ensure that the business remains profitable. In cloud computing, the organisation sets risk
management plans which help them to identify appropriate cloud vendors and service
providers, make proper service-level agreements and set up better budgeting plans.

Benefits of Risk Management

Risk management enables organisations to ensure that any potential threats to cloud deployments'
security, assets, and business plans are identified and treated before they derail the
organisation's goals. It has far-reaching benefits that can fundamentally change the
decision-making process of the organisation. Here are some benefits of robust risk management:

1. Forecast Probable Issues - The risk management process in cloud computing
identifies all the possible risks or threats associated with the cloud service provider,
the cloud vendor, the organisation, and the users. It helps an organisation to mitigate
risks by implementing appropriate control strategies and create a better business plan.
2. Increases the scope of growth - Risk management in cloud computing forces
organisations to study the risk factors in detail. Thus, the workforce is aware of all the
possible catastrophic events, and the organisation creates a framework that can be
deployed to avoid risks that are detrimental to both the organisation and the
environment. Hence, risk management enables organisations to take calculated risks
and accelerate their growth.
3. Business Process Improvement - Risk Management requires organisations to collect
information about their processes and operations. As a result, organisations can find
inefficient processes or the scope for improvement in a process.
4. Better Budgeting - Organisations implementing risk management strategies often
have clear insights into the finances. Thus, they can create more efficient budgets to
implement risk management plans and achieve the organisational goals.

Security Monitoring

Cloud security monitoring encompasses several processes that allow organizations to review,
manage, and observe operational workflows in a cloud environment.

Cloud security monitoring combines manual and automated processes to track and assess the
security of servers, applications, software platforms, and websites.

Cloud security experts monitor and assess the data held in the cloud on an ongoing basis.
They identify suspicious behavior and remediate cloud-based security threats. If they identify
an existing threat or vulnerability, they can recommend remediations to address the issue
quickly and mitigate further damage.

Cloud security monitoring is the practice of continuously supervising both virtual and
physical servers to analyze data for threats and vulnerabilities. Cloud security monitoring
solutions often rely on automation to measure and assess behaviors related to data,
applications and infrastructure.

How Does Cloud Security Monitoring Work?


Cloud security monitoring solutions can be built natively into the cloud server hosting
infrastructure (like AWS’s CloudWatch, for example) or they can be third-party solutions
that are added to an existing environment (like Blumira). Organizations can also perform
cloud monitoring on premises using existing security management tools.
Like a SIEM, cloud security monitoring works by collecting log data across servers.
Advanced cloud monitoring solutions analyze and correlate gathered data for anomalous
activity, then send alerts and enable incident response. A cloud security monitoring service
will typically offer:
Visibility. Moving to the cloud inherently lowers an organization’s visibility across their
infrastructure, so cloud monitoring security tools should bring a single pane of glass to
monitor application, user and file behavior to identify potential attacks.
Scalability. Cloud security monitoring tools should be able to monitor large amounts of data
across a variety of distributed locations.
Auditing. It’s a challenge for organizations to manage and meet compliance requirements, so
cloud security monitoring tools should provide robust auditing and monitoring capabilities.
Continuous monitoring. Advanced cloud security monitoring solutions should continuously
monitor behavior in real time to quickly identify malicious activity and prevent an attack.
Integration. To maximize visibility, a cloud monitoring solution should ideally
integrate with an organization’s existing services, such as productivity suites (e.g. Microsoft
365 and G Suite), endpoint security solutions (e.g. CrowdStrike and VMware Carbon Black)
and identity and authentication services (e.g. Duo and Okta).
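Added example, not from the original notes: the collect, correlate and alert loop described above, run over a few constructed JSON audit events. Rule 1 looks for a burst of failed logins followed by a success (the account-hijacking pattern from the risks section); rule 2 flags a security-configuration change that carries no change-ticket reference (the embedded change control the governance section calls for), escalating when the same user is already suspect. Event names, field names and the sample log are assumptions, not any provider's real format.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit events in a JSON-lines shape; not the output of any real provider.
SAMPLE_LOG = """
{"ts": "2024-03-01T09:00:05Z", "event": "Login", "user": "alice", "src_ip": "203.0.113.7", "result": "failure"}
{"ts": "2024-03-01T09:00:09Z", "event": "Login", "user": "alice", "src_ip": "203.0.113.7", "result": "failure"}
{"ts": "2024-03-01T09:00:14Z", "event": "Login", "user": "alice", "src_ip": "203.0.113.7", "result": "failure"}
{"ts": "2024-03-01T09:00:20Z", "event": "Login", "user": "alice", "src_ip": "203.0.113.7", "result": "success"}
{"ts": "2024-03-01T09:02:00Z", "event": "Login", "user": "carol", "src_ip": "198.51.100.5", "result": "failure"}
{"ts": "2024-03-01T09:02:30Z", "event": "Login", "user": "carol", "src_ip": "198.51.100.5", "result": "success"}
{"ts": "2024-03-01T09:05:00Z", "event": "Login", "user": "bob", "src_ip": "198.51.100.2", "result": "success"}
{"ts": "2024-03-01T09:06:00Z", "event": "ModifySecurityGroup", "user": "bob", "src_ip": "198.51.100.2", "result": "success", "change_ticket": "CHG-1042"}
{"ts": "2024-03-01T09:07:30Z", "event": "ModifySecurityGroup", "user": "alice", "src_ip": "203.0.113.7", "result": "success"}
"""

FAILURE_THRESHOLD = 3                 # failed logins before a success looks like hijacking
FAILURE_WINDOW = timedelta(minutes=5)  # only failures this recent count
SENSITIVE_EVENTS = {"ModifySecurityGroup", "PutBucketPolicy", "AttachUserPolicy"}


def parse_events(text: str) -> list:
    """Parse JSON lines into dicts with a datetime 'ts'; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect(events: list) -> list:
    """Run the two rules over time-ordered events and correlate their results."""
    failures = defaultdict(deque)  # user -> timestamps of recent failed logins
    suspects = set()               # users whose session already looked hijacked
    alerts = []
    for ev in events:
        user, ts = ev["user"], ev["ts"]
        if ev["event"] == "Login":
            recent = failures[user]
            while recent and ts - recent[0] > FAILURE_WINDOW:
                recent.popleft()   # drop failures that fell out of the window
            if ev["result"] == "failure":
                recent.append(ts)
                continue
            if len(recent) >= FAILURE_THRESHOLD:
                # Rule 1: a burst of failures followed by a success
                suspects.add(user)
                alerts.append({"rule": "possible_account_hijack", "user": user,
                               "src_ip": ev["src_ip"], "severity": "medium", "ts": ts})
            recent.clear()
        elif ev["event"] in SENSITIVE_EVENTS and not ev.get("change_ticket"):
            # Rule 2: security configuration changed with no change record attached;
            # correlated with rule 1, a change by a suspect user is escalated.
            severity = "high" if user in suspects else "medium"
            alerts.append({"rule": "unapproved_security_change", "user": user,
                           "event": ev["event"], "severity": severity, "ts": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert["ts"].isoformat(), alert["severity"], alert["rule"], alert["user"])
```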

Cloud Security Risks

Cloud environments come with different security risks than traditional on-premises
environments. Some common cloud security threats include:
Misconfigurations. Human error — or failing to set the right security controls in a cloud
platform — is one of the biggest cloud security threats. Examples of misconfigurations
include accidentally allowing unrestricted outbound access or opening up access to an S3
bucket. Cloud misconfiguration can be extremely damaging; one real-life example of this was
the Capital One breach in 2019, in which a former Amazon employee was able to expose
personal records of Capital One customers due to a misconfigured web application firewall
(WAF).
Data loss. The collaboration and shareability of cloud services are double-edged swords;
these benefits often make it too easy for users to share data with the wrong internal parties or
external third parties. 64% of cybersecurity professionals cited data loss and leakage as a top
cloud security concern, according to Synopsys’ Cloud Security Report.
API vulnerabilities. Cloud applications use APIs to interact
with each other, but those APIs aren’t always secure. Malicious actors can launch denial-of-
service (DoS) attacks to exploit APIs, allowing them to access company data.
Malware. Malware is a real threat in the cloud. Data and documents constantly travel to and
from the cloud, which means that there are more opportunities for threat actors to
launch malware attacks such as hyperjacking and hypervisor infections.
IAM complexity. Identity and access management (IAM) in a cloud or hybrid cloud
environment can be extremely complex. For larger organizations, the process of simply
understanding who has access to which resources can be time-consuming and difficult. Other
IAM challenges in the cloud include ‘zombie’ SaaS accounts (inactive users), and improper
user provisioning and deprovisioning. Hybrid environments where users must access a mix of
SaaS apps and on-premises applications can introduce siloes and further complicate IAM,
leading to misconfigurations and security gaps.
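A check for two of the misconfigurations named above, a world-readable bucket policy and security-group rules open to the whole internet, as an added example that is not taken from the page or from any vendor's tool. The AWS-style input shapes, the account id and all other values are constructed; the helper names are this example's own.

```python
import ipaddress

# Constructed AWS-style resource descriptions for illustration; not from a real account.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-reports/*"},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/reporting"},
         "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-reports/*"},
    ],
}

SECURITY_GROUP = {
    "id": "sg-example",
    "ingress": [
        {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"},
        {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
    ],
    "egress": [
        {"protocol": "-1", "from_port": 0, "to_port": 65535, "cidr": "0.0.0.0/0"},
    ],
}

ADMIN_PORTS = {22, 3389, 3306, 5432}   # SSH, RDP, MySQL, PostgreSQL
READ_ACTIONS = {"s3:*", "s3:GetObject", "s3:ListBucket"}


def is_anonymous(principal) -> bool:
    """True when a statement applies to everyone ('*' or {'AWS': '*'})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def is_world(cidr: str) -> bool:
    """True for a CIDR that matches every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def check_bucket_policy(policy: dict) -> list:
    """Flag Allow statements that grant anonymous read access with no Condition."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not is_anonymous(st.get("Principal")):
            continue
        if st.get("Condition"):
            continue   # scoped by a condition; a fuller check would inspect it
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        exposed = [a for a in actions if a in READ_ACTIONS or a.endswith("*")]
        if exposed:
            findings.append(f"bucket policy statement {i}: anonymous access to {exposed}")
    return findings


def check_security_group(sg: dict) -> list:
    """Flag admin ports or all traffic open to the internet, and unrestricted egress."""
    findings = []
    for rule in sg.get("ingress", []):
        if not is_world(rule["cidr"]):
            continue
        ports = range(rule["from_port"], rule["to_port"] + 1)
        if rule["protocol"] == "-1" or any(p in ADMIN_PORTS for p in ports):
            findings.append(f"{sg['id']}: admin or all ports open to the internet on ingress "
                            f"({rule['from_port']}-{rule['to_port']})")
    for rule in sg.get("egress", []):
        if is_world(rule["cidr"]) and rule["protocol"] == "-1":
            findings.append(f"{sg['id']}: unrestricted outbound access to the internet")
    return findings


def run_checks(policy: dict, sg: dict) -> list:
    return check_bucket_policy(policy) + check_security_group(sg)


if __name__ == "__main__":
    for finding in run_checks(BUCKET_POLICY, SECURITY_GROUP):
        print("FINDING:", finding)
```

HTTPS open to the world on port 443 is not flagged, since that is the expected shape of a public web endpoint; only admin ports and all-traffic rules are.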

Benefits of Cloud Security Monitoring

Cloud security monitoring provides the following benefits:


Maintain compliance. Monitoring is a requirement for nearly every major regulation, from
HIPAA to PCI DSS. Cloud-based organizations must use monitoring tools to avoid
compliance violations and costly fees.
Identify vulnerabilities. Automated monitoring solutions can quickly alert IT and security
teams about anomalies and help identify patterns that point to risky or malicious behavior.
Overall, this brings a deeper level of observability and visibility to cloud environments.
Prevent loss of business. An overlooked security incident can be detrimental and even result
in shutting down business operations, leading to a decrease in customer trust and satisfaction
— especially if customer data was leaked. Cloud security monitoring can help with business
continuity and data security, while avoiding a potentially catastrophic data breach.
Increase security maturity. An organization with a mature infosec model has a proactive,
multi-layered approach to security. A cloud monitoring solution enables organizations to
include cloud as one of those layers and provides visibility into the overall environment.

Security Architecture Design

Security in cloud computing is a major concern. Proxy and brokerage services should be
employed to restrict a client from accessing the shared data directly. Data in the cloud should
be stored in encrypted form.

Security Planning

Before deploying a particular resource to the cloud, one should need to analyze several
aspects of the resource, such as:

o Select the resource that needs to move to the cloud and analyze its sensitivity to risk.
o Consider cloud service models such as IaaS, PaaS, and SaaS. These models require the
customer to be responsible for security at different service levels.
o Consider the cloud type, such as public, private, community, or hybrid.
o Understand the cloud service provider's system regarding data storage and its transfer
into and out of the cloud.
o The risk in cloud deployment mainly depends upon the service models and cloud
types.

Understanding Security of Cloud

Security Boundaries

The Cloud Security Alliance (CSA) stack model defines the boundaries between each
service model and shows how different functional units relate. A particular service model
defines the boundary between the service provider's responsibilities and the customer. The
following diagram shows the CSA stack model:
Key Points to CSA Model
o IaaS is the most basic level of service, with PaaS and SaaS the next two levels above
it.
o Moving upwards, each service inherits the capabilities and security concerns of the
model beneath.
o IaaS provides the infrastructure, PaaS provides the platform development
environment, and SaaS provides the operating environment.
o IaaS has the lowest integrated functionality and security level, while SaaS has the
highest.
o This model describes the security boundaries at which cloud service providers'
responsibilities end and customers' responsibilities begin.
o Any protection mechanism below the security boundary must be built into the system and
maintained by the customer.

Although each service model has a security mechanism, security requirements also depend on
where these services are located: in a private, public, hybrid, or community cloud.

Understanding data security

Since all data is transferred using the Internet, data security in the cloud is a major concern.
Here are the key mechanisms to protect the data.

o access control
o audit trail
o authentication
o authorization

The service model should include security mechanisms working in all of the above areas.

Separate access to data

Since the data stored in the cloud can be accessed from anywhere, we need to have a
mechanism to isolate the data and protect it from the client's direct access.

Brokered cloud storage access is a way of separating storage from direct client access. In this
approach, two services are created:

1. A broker has full access to the storage but does not have access to the client.
2. A proxy does not have access to storage but has access to both the client and the
broker.

Working of a brokered cloud storage access system

When the client issues a request to access data:

1. The client data request goes to the external service interface of the proxy.
2. The proxy forwards the request to the broker.
3. The broker requests the data from the cloud storage system.
4. The cloud storage system returns the data to the broker.
5. The broker returns the data to the proxy.
6. Finally, the proxy sends the data to the client.

All the above steps are shown in the following diagram:
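The six-step exchange above modelled in code, as an added example that is not part of the original notes: the storage endpoint serves only a caller holding the broker's service key, the broker serves only the proxy and enforces a per-user policy, and the proxy authenticates the client and never touches storage. The class names, keys, policy table and sample objects are all constructed for this illustration.

```python
import secrets


class AccessDenied(Exception):
    """Raised by any service asked for something its caller is not entitled to."""


class CloudStorage:
    """The storage system: only a caller presenting the broker's service key is served."""

    def __init__(self, objects: dict, service_key: str):
        self._objects = objects          # constructed sample objects, key -> bytes
        self._service_key = service_key  # issued to the broker alone

    def get(self, service_key: str, key: str) -> bytes:
        if not secrets.compare_digest(service_key, self._service_key):
            raise AccessDenied("storage accepts requests only from the broker")
        return self._objects[key]


class Broker:
    """Full access to storage, no client-facing interface; enforces the per-user policy."""

    def __init__(self, storage: CloudStorage, policy: dict, service_key: str, internal_key: str):
        self._storage = storage
        self._policy = policy              # user -> set of object keys the user may read
        self._service_key = service_key
        self._internal_key = internal_key  # shared only with the proxy

    def fetch(self, internal_key: str, user: str, key: str, trace: list) -> bytes:
        if not secrets.compare_digest(internal_key, self._internal_key):
            raise AccessDenied("broker accepts requests only from the proxy")
        if key not in self._policy.get(user, set()):
            raise AccessDenied(f"{user} is not authorized to read {key}")
        trace.append("broker -> storage")        # step 3
        data = self._storage.get(self._service_key, key)
        trace.append("storage -> broker")        # step 4
        return data


class Proxy:
    """The external service interface: authenticates the client, never touches storage."""

    def __init__(self, broker: Broker, credentials: dict, internal_key: str):
        self._broker = broker
        self._credentials = credentials    # constructed: user -> client secret
        self._internal_key = internal_key

    def request(self, user: str, secret: str, key: str) -> tuple:
        trace = ["client -> proxy"]              # step 1
        known = self._credentials.get(user)
        if known is None or not secrets.compare_digest(known, secret):
            raise AccessDenied("client authentication failed")
        trace.append("proxy -> broker")          # step 2
        data = self._broker.fetch(self._internal_key, user, key, trace)
        trace.append("broker -> proxy")          # step 5
        trace.append("proxy -> client")          # step 6
        return data, trace


def build_system() -> tuple:
    """Wire the three services together with fresh keys; returns (storage, proxy)."""
    service_key = secrets.token_hex(16)
    internal_key = secrets.token_hex(16)
    storage = CloudStorage({"report.txt": b"quarterly figures",
                            "hr/salaries.csv": b"confidential"}, service_key)
    broker = Broker(storage, {"alice": {"report.txt"}}, service_key, internal_key)
    proxy = Proxy(broker, {"alice": "alice-secret"}, internal_key)
    return storage, proxy


def try_request(proxy: Proxy, user: str, secret: str, key: str) -> tuple:
    """Return ('ok', data, trace) or ('denied', reason) without raising."""
    try:
        data, trace = proxy.request(user, secret, key)
        return ("ok", data, trace)
    except AccessDenied as exc:
        return ("denied", str(exc))


def direct_access_blocked(storage: CloudStorage) -> bool:
    """A client that reaches the storage endpoint directly (no broker key) is refused."""
    try:
        storage.get("", "report.txt")
    except AccessDenied:
        return True
    return False


if __name__ == "__main__":
    storage, proxy = build_system()
    print(try_request(proxy, "alice", "alice-secret", "report.txt"))
    print(try_request(proxy, "alice", "alice-secret", "hr/salaries.csv"))
    print("direct storage access blocked:", direct_access_blocked(storage))
```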


Encryption

Encryption helps to protect the data from being hacked. It protects the data being transferred
and the data stored in the cloud. Although encryption helps protect data from unauthorized
access, it does not prevent data loss.

Why is cloud security architecture important?

The difference between "cloud security" and "cloud security architecture" is that the former is
built from problem-specific measures while the latter is built from threats. A cloud security
architecture can reduce or eliminate the holes in security that point-solution approaches
are almost certain to leave.

It does this by building down - defining threats starting with the users, moving to the cloud
environment and service provider, and then to the applications. Cloud security architectures
can also reduce redundancy in security measures, which contributes to threat mitigation
and reduces both capital and operating costs.

The cloud security architecture also organizes security measures, making them more
consistent and easier to implement, particularly during cloud deployments and
redeployments. Security is often undermined because it is illogical or complex, and these flaws
can be identified with the proper cloud security architecture.
Elements of cloud security architecture

The best way to approach cloud security architecture is to start with a description of the
goals. The architecture has to address three things: an attack surface represented by external
access interfaces, a protected asset set that represents the information being protected, and
threat vectors designed to perform indirect attacks anywhere, including in the cloud and
against the system.

The goal of the cloud security architecture is accomplished through a series of functional
elements. These elements are often considered separately rather than as part of a coordinated
architectural plan. They include access security or access control, network security, application
security, contractual security, and monitoring, sometimes called service security. Finally,
there is data protection, which is the set of measures implemented at the protected-asset level.

A complete cloud security architecture addresses the goals by unifying the functional
elements.

Cloud security architecture and shared responsibility model

The security and security architectures for the cloud are not single-player processes. Most
enterprises will keep a large portion of their IT workflow within their data centers, local
networks, and VPNs. The cloud adds additional players, so the cloud security architecture
should be part of a broader shared responsibility model.

A shared responsibility model is an architecture diagram and a contract form. It exists
formally between a cloud user and each cloud provider and network service provider if they
are contracted separately.

Each will divide the components of a cloud application into layers, with the top layer being
the responsibility of the customer and the lower layer being the responsibility of the cloud
provider. Each separate function or component of the application is mapped to the
appropriate layer depending on who provides it. The contract form then describes how each
party responds.

Data Security

Data security includes the technologies and processes an organization uses to protect sensitive
data both on-premises and in the cloud.

Sensitive information includes corporate and non-public personal information (NPI), including:

 Intellectual property
 Names
 Birth dates
 Government identification information, like social security numbers and driver's license
information
 Physical address
 IP address
 Biometric information
Further, as legislative bodies respond to ransomware attacks and data breaches by enacting new
data protection laws, some best practices have emerged, including:

 Data classification
 Data anonymization and pseudonymization
 Data encryption
 User access controls

What is Cloud Data Security?


Cloud data security refers to the technologies and controls that discover, classify, and protect all
data in the cloud to mitigate risks arising from data loss, misuse, breaches, and unauthorized
access.

This includes:
 Detecting and classifying structured and unstructured data
 Implementing and monitoring access management controls at the file and field levels
 Identifying storage locations for structured and unstructured data
 Data transmission flows
 Encryption configurations
Data security is a fundamental component of an organization’s cybersecurity strategy.

Why Is Sensitive Data Protection Important in Cloud Computing?

As organizations use more data, they need to protect its confidentiality, integrity, and availability.
Cloud computing models enable collaboration and analytics but present unique challenges.
Integrity
Cloud computing and analytics enable organizations to make data-driven decisions. One
study found:
 83% of CEOs want a data-driven organization
 74% of senior executives require data in decision making
Organizations need to protect sensitive information to ensure the integrity of the data that their
analytics models use. To do this, they need to mitigate risks associated with unauthorized access,
including internal users who can make changes to data.
Availability
As organizations build out their data cultures, breaking down data silos becomes more important.
The cloud enables this collaboration, but organizations need to ensure that they protect sensitive
information’s availability, like ensuring no one accidentally deletes a data set.

Confidentiality
With hybrid and multi-cloud environments, monitoring data use becomes even more challenging.
As data travels between services, organizations need to worry about application programming
interface (API) configurations. By protecting sensitive information, organizations prevent data
loss and leaks that compromise confidentiality.
What Are the Benefits of Cloud Data Security?
While protecting sensitive data is important, the same practices, controls, and processes benefit
companies, too.
Mitigate Data Breach Risk
Over the first half of 2022, the number of weekly cyberattacks increased by 42%. When broken
down by malware type, the data looks like this:
 23%: Multipurpose malware, including botnets and banking Trojans
 15%: Cryptominers
 13%: Infostealer
 12%: Mobile
 8%: Ransomware
Some data security controls reduce a cyberattack’s success rate. For example, implementing data
access controls makes it more difficult for attackers to get to the information. Other data controls,
like encryption, make the data unusable and unreadable if attackers succeed.
Protect Brand Reputation
Brand reputation generates customer interest and provides insight into financial
performance. Research found that 72% of business leaders believe reputation will be a bigger
driver of business performance than margin over the next five years. Every data breach that
makes the news undermines a company’s brand reputation. By mitigating these risks,
organizations protect themselves.
Enhance Customer Trust
Today’s customers consider a company’s data privacy policies and data protections as part of
their buying decisions. Customer trust starts with an organization’s privacy policies, but it also
incorporates brand reputation.
According to one analyst, consumers want companies to provide transparency around digital-trust
policies. The analyst found:
 85% of respondents said knowing a company’s data privacy policies is important before
making a purchase
 46% of consumers often or always consider another brand if they are unclear about how a
company will use their data
 53% of consumers make online purchases or use digital services only after making sure
that the company has a reputation for protecting its customers’ data
Cloud data security enables organizations to implement data privacy controls that ensure safe
customer data sharing.

Avoid Fines and Fees

Data privacy and protection law noncompliance leads to costly fines and legal fees. For example,
a company that violates the General Data Protection Regulation (GDPR) can face fines up to €10
million, or 2% of its worldwide annual revenue. These fines apply to violations which may not be
cybersecurity incidents. For example, one of the first GDPR fines was levied against
a Portuguese hospital for allowing too many people to have too much access. Additionally,
companies often face expensive lawsuits in a data breach’s aftermath.

Application security
Application security describes security measures at the application level that aim to prevent
data or code within the app from being stolen or hijacked. It encompasses the security
considerations that happen during application development and design, but it also involves
systems and approaches to protect apps after they get deployed.
Application security may include hardware, software, and procedures that identify or
minimize security vulnerabilities. A router that prevents anyone from viewing a computer’s
IP address from the Internet is a form of hardware application security. But security measures
at the application level are also typically built into the software, such as an application
firewall that strictly defines what activities are allowed and prohibited. Procedures can entail
things like an application security routine that includes protocols such as regular testing.

Application security definition

Application security is the process of developing, adding, and testing security features within
applications to prevent security vulnerabilities against threats such as unauthorized access
and modification.

Why is application security important?

Application security is important because today’s applications are often available over
various networks and connected to the cloud, increasing vulnerabilities to security threats and
breaches. There is increasing pressure and incentive to not only ensure security at the
network level but also within applications themselves. One reason for this is because hackers
are going after apps with their attacks more today than in the past. Application security
testing can reveal weaknesses at the application level, helping to prevent these attacks.
Types of application security

Different types of application security features include authentication, authorization,
encryption, logging, and application security testing. Developers can also code applications to
reduce security vulnerabilities.

 Authentication: Procedures that software developers build into an application
to ensure that only authorized users gain access to it. Authentication procedures
ensure that a user is who they say they are. This can be accomplished by requiring
the user to provide a user name and password when logging in to an application.
Multi-factor authentication requires more than one form of authentication—the
factors might include something you know (a password), something you have (a
mobile device), and something you are (a thumb print or facial recognition).
 Authorization: After a user has been authenticated, the user may be authorized to
access and use the application. The system can validate that a user has permission
to access the application by comparing the user’s identity with a list of authorized
users. Authentication must happen before authorization so that the application
matches only validated user credentials to the authorized user list.
 Encryption: After a user has been authenticated and is using the application,
other security measures can protect sensitive data from being seen or even used by
a cybercriminal. In cloud-based applications, where traffic containing sensitive
data travels between the end user and the cloud, that traffic can be encrypted to
keep the data safe.
 Logging: If there is a security breach in an application, logging can help identify
who got access to the data and how. Application log files provide a time-stamped
record of which aspects of the application were accessed and by whom.
 Application security testing: A necessary process to ensure that all of these
security controls work properly.

Application security in the cloud

Application security in the cloud poses some extra challenges. Because cloud environments
provide shared resources, special care must be taken to ensure that users only have access to
the data they are authorized to view in their cloud-based applications. Sensitive data is also
more vulnerable in cloud-based applications because that data is transmitted across the
Internet from the user to the application and back.
Mobile application security

Mobile devices also transmit and receive information across the Internet, as opposed to a
private network, making them vulnerable to attack. Enterprises can use virtual private
networks (VPNs) to add a layer of mobile application security for employees who log in to
applications remotely. IT departments may also decide to vet mobile apps and make sure they
conform to company security policies before allowing employees to use them on mobile
devices that connect to the corporate network.
Web application security

Web application security applies to web applications—apps or services that users access
through a browser interface over the Internet. Because web applications live on remote
servers, not locally on user machines, information must be transmitted to and from the user
over the Internet. Web application security is of special concern to businesses that host web
applications or provide web services. These businesses often choose to protect their network
from intrusion with a web application firewall. A web application firewall works by
inspecting and, if necessary, blocking data packets that are considered harmful.

Virtual Machine Security

The term “Virtualized Security,” sometimes known as “security virtualization,” describes
security solutions that are software-based and created to operate in a virtualized IT
environment. This is distinct from conventional hardware-based network security, which is
static and is supported by equipment like conventional switches, routers, and firewalls.
Virtualized security is flexible and adaptive, in contrast to hardware-based security. It can
be deployed anywhere on the network and is frequently cloud-based so it is not bound to a
specific device.
In Cloud Computing, where operators construct workloads and applications on-demand,
virtualized security enables security services and functions to move around with those on-
demand-created workloads. This is crucial for virtual machine security. It’s crucial to
protect virtualized security in cloud computing technologies such as isolating multitenant
setups in public cloud settings. Because data and workloads move around a complex
ecosystem including several providers, virtualized security’s flexibility is useful for
securing hybrid and multi-cloud settings.

Types of Hypervisors

Type-1 Hypervisors
They run directly on bare-metal systems. Type 1 hypervisors include LynxSecure, RTS
Hypervisor, Oracle VM, Sun xVM Server, and Virtual Logic VLX. Since they are
placed on bare systems, type 1 hypervisors do not have any host operating system.
Type-2 Hypervisor
It is a software interface that simulates the hardware that a system typically communicates
with. Examples of Type 2 hypervisors include containers, KVM, Microsoft Hyper-V,
VMware Fusion, Virtual Server 2005 R2, Windows Virtual PC, and VMware
Workstation 6.0.

Type I Virtualization
In this design, the Virtual Machine Monitor (VMM) sits directly above the hardware and
intercepts all interactions between the VMs and the hardware. On top of the VMM is a
management VM that handles the other guest VMs and the majority of the
hardware connections. The Xen system is a common illustration of this kind of
virtualization design.
Type II virtualization
These architectures, like VMware Player, allow the VMM to run as an
application within the host operating system (OS). I/O drivers and guest VM management
are the responsibilities of the host OS.
Service Provider Security
The system’s virtualization hardware shouldn’t be physically accessible to anyone not
authorized. Each VM can be given an access control that can only be established through
the Hypervisor in order to safeguard it against unwanted access by Cloud administrators.
The three fundamental tenets of access control, identity, authentication, and
authorization, will prevent administrators from accessing data and system components
they are not authorized for.
Hypervisor Security
The Hypervisor’s code integrity is protected via a technology called HyperSafe. It
write-protects the hypervisor’s memory pages, extends the hypervisor implementation, and
prohibits code changes. By restricting access to its code, it defends the Hypervisor from
control-flow hijacking attacks. The only way to carry out a VM escape attack is through a
local physical setting. Therefore, insider attacks must be prevented in the physical Cloud
environment. Additionally, the host OS and the interaction between the guest machines
need to be configured properly.
Virtual Machine Security
The administrator must set up a program or application that prevents virtual machines from
consuming additional resources without permission. Additionally, a lightweight process
that gathers logs from the VMs and monitors them in real time to repair any VM
tampering must operate on a Virtual Machine. Best security procedures must be used to
harden the guest OS and any running applications. These procedures include setting up
firewalls, host intrusion prevention systems (HIPS), anti-virus and anti-spyware
programs, web application protection, and log monitoring in guest operating systems.
Guest Image Security
A policy to control the creation, use, storage, and deletion of images must be in place for
organizations that use virtualization. To find viruses, worms, spyware, and rootkits that
hide from security software running in a guest OS, image files must be analyzed.
Benefits of Virtualized Security
Virtualized security is now practically required to meet the intricate security requirements
of a virtualized network, and it is also more adaptable and effective than traditional
physical security.
 Cost-Effectiveness: Cloud computing’s virtual machine security enables businesses to
keep their networks secure without having to significantly raise their expenditures on
pricey proprietary hardware. Usage-based pricing for cloud-based virtualized security
services can result in significant savings for businesses that manage their resources
effectively.
 Flexibility: It is essential in a virtualized environment that security operations can
follow workloads wherever they go. A company is able to profit fully from virtualization
while simultaneously maintaining data security thanks to the protection it offers across
various data centers, in multi-cloud, and hybrid-cloud environments.
 Operational Efficiency: Virtualized security can be deployed more quickly and easily
than hardware-based security because it doesn’t require IT teams to set up and
configure several hardware appliances. Instead, they may quickly scale security systems
by setting them up using centralized software. Security-related duties can be automated
when security technology is used, which frees up more time for IT employees.
 Regulatory Compliance: Virtual machine security in cloud computing is a requirement
for enterprises that need to maintain regulatory compliance because traditional
hardware-based security is static and unable to keep up with the demands of a
virtualized network.
Virtual Machine Security Challenges
 As we previously covered, buffer overflows are a common component of classical
network attacks. Trojan horses, worms, spyware, rootkits, and DoS attacks are
examples of malware.
 In a cloud context, more recent assaults might be caused via VM rootkits, hypervisor
malware, or guest hopping and hijacking. Man-in-the-middle attacks against VM
migrations are another form of attack. Typically, passwords or sensitive information are
stolen during passive attacks. Active attacks could alter the kernel’s data structures,
seriously harming cloud servers.
 HIDS and NIDS are both types of IDSs. To supervise and check the execution of code,
use program shepherding. The RIO dynamic optimization infrastructure, the vSafe
and vShield tools from VMware, security compliance for hypervisors, and Intel
vPro technology are some further protective solutions.
Four Steps to ensure VM Security in Cloud Computing
Protect Hosted Elements by Segregation
To secure virtual machines in cloud computing, the first step is to segregate the newly
hosted components. Let’s take an example where three features that are now running on an
edge device may be placed in the cloud either as part of a private subnetwork that is
invisible or as part of the service data plane, with addresses that are accessible to network
users.
All Components are Tested and Reviewed
Before allowing virtual features and functions to be implemented, you must confirm that
they comply with security standards as step two of cloud-virtual security. Virtual
networking is subject to outside attacks, which can be dangerous, but insider attacks can be
disastrous. When a feature with a backdoor security flaw is added to a service, it becomes a
part of the infrastructure of the service and is far more likely to have unprotected attack
paths to other infrastructure pieces.
Separate Management APIs to Protect the Network
The third step is to isolate service from infrastructure management and orchestration.
Because they are created to regulate features, functions, and service behaviors, management
APIs will always pose a significant risk. All such APIs should be protected, but the ones
that keep an eye on infrastructure components that service users should never access must
also be protected.
Keep Connections Secure and Separate
The fourth and last aspect of cloud virtual network security is to make sure that connections
between tenants or services do not cross over into virtual networks. Virtual Networking is
a fantastic approach to building quick connections to scaled or redeployed
features, but each time a modification is made to the virtual network, it’s possible that an
accidental connection will be made between two distinct services, tenants, or
feature/function deployments. A data plane leak, a link between the actual user networks, or
a management or control leak could result from this, allowing one user to affect the service
provided to another.

Identity Management and Access Control

Identity management and access control in cloud computing cover most
areas of technology; access control is merging and aligning with other combined activities.
Some of these are automated using single sign-on capabilities; others operate in a standalone,
segregated fashion.
The combination of access control and effective management of those technologies,
processes, and controls has given rise to identity and access management (IAM). In a
nutshell, IAM includes people, processes, and systems that manage access to enterprise
resources.
This is achieved by ensuring that the identity of an entity is verified (who are they, can they
prove who they are) and then granting the correct level of access based on the assets,
services, and protected resources being accessed.
IAM typically looks to utilize a minimum of two—preferably three or more—factors of
authentication. Within cloud environments, services should include strong authentication
mechanisms for validating users’ identities and credentials.
In line with best practice, one-time passwords should be utilized as a risk reduction and
mitigation technique.
The key phrases that form the basis and foundation for IAM in the enterprise include the
following:
1. Provisioning and de-provisioning
2. Centralized directory services
3. Privileged user management
4. Authorization and access management
Each is discussed in the following sections.
1. Provisioning and Deprovisioning
Provisioning and de-provisioning are critical aspects of identity management and access
control in cloud computing. Think of setting up and removing users.

In the same way, as you would set up an account for a user entering your organization
requiring access to resources, provisioning is the process of creating accounts to allow users
to access appropriate systems and resources within the cloud environment.

The ultimate goal of user provisioning is to standardize, streamline, and create an efficient
account creation process while creating a consistent, measurable, traceable, and auditable
framework for providing access to end-users.

Deprovisioning is the process whereby a user account is disabled when the user no longer
requires access to the cloud-based services and resources.

This is not just limited to a user leaving the organization but may also be due to a user
changing a role, function, or department.

Deprovisioning is a risk-mitigation technique to ensure that authorization creep or additional
and historical privileges are not retained, thus granting access to data, assets, and resources
that are not necessary to fulfill the job role.
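An added Python example (not from the original notes) of the lifecycle described above: provisioning from a role, a role change that revokes what the new role does not justify, leaver deprovisioning, and an access review that flags authorization creep; the roles, entitlements and users are constructed.

```python
"""Added example: account provisioning and deprovisioning driven by role,
so that privileges do not accumulate across role changes (authorization creep).
Roles, entitlements and user names are constructed sample data."""
from dataclasses import dataclass, field
from typing import Optional

# Role -> entitlements that role justifies (constructed; a real deployment
# would read these from the organization's access policy).
ROLE_ENTITLEMENTS = {
    "finance_analyst": {"ledger.read", "reports.read"},
    "finance_admin": {"ledger.read", "ledger.write", "reports.read", "payroll.read"},
    "helpdesk": {"tickets.read", "tickets.write", "directory.read"},
}


@dataclass
class Account:
    user: str
    role: Optional[str]
    enabled: bool = True
    entitlements: set[str] = field(default_factory=set)


AUDIT: list[str] = []   # traceable, auditable record of every change


def provision(user: str, role: str) -> Account:
    """Create an account with exactly the entitlements its role justifies."""
    if role not in ROLE_ENTITLEMENTS:
        raise ValueError(f"unknown role: {role}")
    acct = Account(user, role, entitlements=set(ROLE_ENTITLEMENTS[role]))
    AUDIT.append(f"PROVISION user={user} role={role} grants={sorted(acct.entitlements)}")
    return acct


def change_role(acct: Account, new_role: str) -> dict[str, set[str]]:
    """Move a user to a new role: revoke what the old role granted but the
    new one does not, and grant only what the new role needs."""
    if new_role not in ROLE_ENTITLEMENTS:
        raise ValueError(f"unknown role: {new_role}")
    target = ROLE_ENTITLEMENTS[new_role]
    revoked = acct.entitlements - target
    granted = target - acct.entitlements
    acct.entitlements = set(target)
    acct.role = new_role
    AUDIT.append(f"ROLE_CHANGE user={acct.user} to={new_role} "
                 f"revoked={sorted(revoked)} granted={sorted(granted)}")
    return {"revoked": revoked, "granted": granted}


def deprovision(acct: Account) -> set[str]:
    """Leaver: disable the account and strip every entitlement. Disabling
    alone would leave dormant privileges behind if the account is re-enabled."""
    removed = set(acct.entitlements)
    acct.entitlements.clear()
    acct.enabled = False
    acct.role = None
    AUDIT.append(f"DEPROVISION user={acct.user} removed={sorted(removed)}")
    return removed


def creep_report(accounts: list[Account]) -> dict[str, set[str]]:
    """Access review: entitlements held beyond what the current role justifies."""
    report = {}
    for a in accounts:
        excess = a.entitlements - ROLE_ENTITLEMENTS.get(a.role, set())
        if excess:
            report[a.user] = excess
    return report
```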

2. Centralized Directory Services

As when building a house or large structure, the foundation is key. In the world of IAM, the
directory service forms the foundation for IAM and security both in an enterprise
environment and within a cloud deployment.

A directory service stores, processes, and facilitates a structured repository of information,
coupled with unique identifiers and locations.

The primary protocol for centralized directory services is Lightweight Directory Access
Protocol (LDAP), built and focused on the X.500 standard. LDAP works as an application
protocol for querying and modifying items in directory service providers like Active
Directory.
Active Directory is a database-based system that offers authentication, directory, policy, and
other services to a network. Essentially, LDAP acts as a communication protocol to interact
with Active Directory.

LDAP directory servers store their data hierarchically (similar to domain name system [DNS]
trees and UNIX file structures) with a directory record’s distinguished name (DN) read from
the individual entries back through the tree, up to the top level.
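How a DN is read back through the tree, as an added Python example (not from the original notes): the DN is split into its RDNs, each ancestor DN is produced up to the top level, and an entry can be checked for membership under a base DN; the directory names are constructed.

```python
"""Added example: decompose an LDAP distinguished name into its RDNs and
walk it back up the tree. The RFC 4514 backslash escape is honoured so a
comma inside a value (cn=Smith\, John) is not taken as a separator.
The DNs used here are constructed sample data."""


def split_dn(dn: str) -> list[str]:
    """Split a DN on unescaped commas; result is leaf-first, one RDN per item."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])      # escaped character: keep it verbatim
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
            i += 1
            while i < len(dn) and dn[i] == " ":   # optional space after separator
                i += 1
            continue
        buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def ancestors(dn: str) -> list[str]:
    """DNs from the entry itself up to the top level, one per tree level."""
    rdns = split_dn(dn)
    return [",".join(rdns[i:]) for i in range(len(rdns))]


def is_under(dn: str, base: str) -> bool:
    """True when base is the entry itself or one of its ancestors.
    Simplification: whole RDNs compared case-insensitively."""
    base_rdns = [r.lower() for r in split_dn(base)]
    dn_rdns = [r.lower() for r in split_dn(dn)]
    return len(dn_rdns) >= len(base_rdns) and dn_rdns[-len(base_rdns):] == base_rdns
```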

Each entry in an LDAP directory server is identified through a DN. Access to directory
services should be part of the IAM solution, and should be as robust as the core
authentication modes used.
The use of privileged identity management (PIM) features is strongly encouraged for
managing access of the administrators of the directory.

If these are hosted locally rather than in the cloud, the IAM service requires connectivity to
the local LDAP servers, in addition to any applications and services for which it is managing
access.

Within cloud environments, directory services are heavily utilized and depended upon as the
go-to trusted source by the IAM framework as a secure repository of identity and access
information.

The same can be said for federated environments.

Again, trust and confidence in the accuracy and integrity of the directory services are must-
haves.

3. Privileged User Management

As the name implies, privileged user management focuses on the process and ongoing
requirements to manage the lifecycle of user accounts with the highest privileges in a system.

Privileged accounts typically carry the highest risk and impact because compromised
privileged user accounts can lead to significant permissions and access rights being obtained,
thus allowing the user or attacker to access resources and assets that may negatively affect the
organization.

The key components from a security perspective relating to privileged user management
should, at a minimum, include the ability to track usage, authentication successes and
failures, and authorization times and dates; log successful and failed events; enforce
password management, and contain sufficient levels of auditing and reporting related to
privileged user accounts.

Many organizations monitor this level of information for standard or general users, which
would be beneficial and useful in the event of an investigation; however, the privileged
accounts should capture this level of detail by default because attackers often target and
compromise a general or standard user, with the view to escalating privileges to a more
privileged or admin account.
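An added Python example (not from the original notes) of the minimum logging and review the text calls for on privileged accounts, run over constructed log lines: per-account authentication success and failure counts, authorization times and dates, and review flags for a failure run followed by a success and for logins outside an assumed work-hours policy.

```python
"""Added example: track usage, authentication successes and failures, and
authorization times for privileged accounts, and flag the pattern the text
warns about (failures followed by a success). Log format, accounts, the
privileged set and the work-hours policy are all constructed for the example."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines: "<ISO timestamp> <event> user=<name> [action=<x>]"
SAMPLE_LOG = """\
2024-03-01T09:02:11 AUTHN_OK user=jdoe
2024-03-01T09:03:40 AUTHN_FAIL user=svc_backup_admin
2024-03-01T09:03:52 AUTHN_FAIL user=svc_backup_admin
2024-03-01T09:04:05 AUTHN_FAIL user=svc_backup_admin
2024-03-01T09:04:20 AUTHN_OK user=svc_backup_admin
2024-03-01T09:04:21 AUTHZ_OK user=svc_backup_admin action=storage.delete
2024-03-01T23:41:07 AUTHN_OK user=cloud_admin
2024-03-01T23:41:09 AUTHZ_OK user=cloud_admin action=iam.policy.write
2024-03-01T10:15:30 AUTHN_FAIL user=jdoe
"""
PRIVILEGED = {"svc_backup_admin", "cloud_admin"}   # assumed admin accounts
WORK_HOURS = range(7, 20)    # assumed policy: privileged use expected 07:00-19:59
FAIL_RUN = 3                 # consecutive failures before a success that merit review


def parse(line: str) -> dict:
    """One log line -> {'ts': datetime, 'event': str, 'user': str, ...}."""
    ts, event, *kv = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "event": event}
    rec.update(k.split("=", 1) for k in kv)
    return rec


def summarize(log_text: str) -> dict:
    """Per-account counters plus review flags, in log order."""
    stats = defaultdict(lambda: {"authn_ok": 0, "authn_fail": 0, "authz_times": []})
    flags = []
    fail_run = defaultdict(int)   # current run of consecutive failures per user
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse(line)
        u, s = r["user"], stats[r["user"]]
        if r["event"] == "AUTHN_FAIL":
            s["authn_fail"] += 1
            fail_run[u] += 1
        elif r["event"] == "AUTHN_OK":
            s["authn_ok"] += 1
            if u in PRIVILEGED and fail_run[u] >= FAIL_RUN:
                flags.append(f"{u}: success after {fail_run[u]} failures at {r['ts'].isoformat()}")
            fail_run[u] = 0
            if u in PRIVILEGED and r["ts"].hour not in WORK_HOURS:
                flags.append(f"{u}: login outside work hours at {r['ts'].isoformat()}")
        elif r["event"] == "AUTHZ_OK":
            s["authz_times"].append((r["ts"].isoformat(), r.get("action", "?")))
    return {"stats": dict(stats), "flags": flags}
```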

Not forgetting that a number of these components are technical by nature, the overall
requirements that are used to manage these should be driven by organizational policies and
procedures.

Note that segregation of duties can form an extremely effective mitigation and risk reduction
technique around privileged users and their ability to effect major changes.

4. Authorization and Access Management

Access to devices, systems, and resources forms a key driver for use of cloud services (broad
network access); without it, the overall benefits that the service may provide are reduced to
the enterprise, and legitimate business or organizational users are isolated from their
resources and assets.

In the same way that users require authorization and access management to be operating and
functioning to access the required resources, security requires these service components to be
functional, operational and trusted to enforce security within cloud environments. In its
simplest form, authorization determines the user’s right to access a certain resource.

(Think of entry onto a plane with your reserved seat or when you may be visiting an official
residence or government agency to visit a specified person.) Access management is focused
on the manner and way in which users can access relevant resources, based on their
credentials and characteristics of their identity.

Autonomic security

Autonomic security operations (ASO) is a new approach to security operations. It attempts
to overcome the increasing challenges faced by traditional SOCs.

Cybersecurity leaders Anton Chuvakin, Senior Security Staff, Office of the CISO at Google
and Iman Ghanizada, Global Head of Autonomic Security at Google are among the biggest
proponents of ASO. They describe ASO as a combination of philosophies, practices, tools,
and processes that improves an organization’s ability to withstand security attacks.
The Google Cloud website describes it as an “adaptive, agile, and highly automated
approach to threat management.”

Autonomic security operations use automation, machine learning, and artificial intelligence to
improve overall cybersecurity efficiency. In security operations, autonomic capabilities go
beyond automating repetitive tasks. ASO also intelligently manages resources, improves
detection and response to threats, and makes overall cyber risk management more effective.
Autonomic security operations can accelerate SOC transformation, helping companies
leverage their current infrastructure and resources. Modern security operations centers, unlike
the traditional SOC, leverage automation and machine learning and minimize the need for
human intervention. In the long run, they are more efficient, overcome the skills gap, and are
agile.
Key capabilities of ASO
1. Automation: For routine and repetitive tasks, including things like log analysis, patch
management, and vulnerability scanning. Reducing manual efforts leaves room for
other tasks, improving response times as well as overall execution.
2. Uses AI/ML: To detect anomalies, identify patterns, and improve decision making
based on very large and constantly growing volumes of data from security systems
and tools.
3. Resilience and self-healing systems: Can automatically respond to incidents, isolate,
and contain affected systems, and proceed with remediation.
4. Threat intelligence and analytics: Continuously monitor and analyze data — from
logs to threat feeds, to network traffic. Gain enhanced situational awareness.
5. Adaptive and dynamic defenses: Automatically adjust configurations and access to
deploy countermeasures.
6. Integration and orchestration across all security tools and systems, from firewalls to
intrusion detection to SIEM, and more. Get greater visibility, coordination, response,
and remediation.

Advanced Concepts in Cloud Computing

Cloud management refers to managing the data, security, resources, performance, storage,
backups, applications, deployment, capacity, etc. It is the responsibility of the cloud
service provider to set up, configure and manage the cloud.

Cloud Management Task

1. Data Flow of the System: There should be a detailed understanding of process flow. The
process flow describes the movement of data belonging to the organization through the
cloud solution.
2. Service Provider Security Procedure: The customer should know the security provided
by the cloud service provider. The security can include an encryption policy, multitenant
use, employee screening, etc.
3. Vendor Lock-In Awareness: The customer should know how to switch from one cloud service
provider to another. How the organizational data will be exported from one service provider to
another should be known.
4. Monitor Audit Logs: The logs must be audited regularly to know what errors occurred
in the system.
5. Testing and Validation: It is necessary to test the cloud provider's solution and ensure it
is error-free, making the system reliable and robust.

Benefits of Cloud Management

1. Quick Delivery Time: Nowadays, clients need faster service delivery with proper
management. Service providers can do this through proper management that satisfies
their customers.
2. Flexibility: Resource requirements vary over time. The cloud
provider should provide the resources with maximum flexibility so that customers can
modify them as per their needs; also, the cost should be based on the pay-per-use model.
3. Security: The data is a leading resource for an organization, and this data should be
handled safely and securely in the environment. It is the responsibility of the service
provider to manage the data with the proper security mechanisms.
4. Cost Effective: The cloud is used by both small and large organisations. So, care should be
taken with the pricing model. Mostly, the cloud provider should charge as per the
resources used, which is a cost-effective pay-per-use model, and customers need to pay
only for what they use.

While managing the cloud infrastructure, computing threats such as unauthorized access,
denial of service attacks, network eavesdropping, and side-channel attacks should be handled
using surveillance and management tools.
