Cloud Computing Unit-4

Uploaded by Varsha Saxena

UNIT-4

RESOURCE MANAGEMENT AND SECURITY IN CLOUD

Inter Cloud Resource Management

The “inter-cloud” or “cloud of clouds” is a theoretical model of cloud computing
services in which numerous separate clouds are combined into a single fluid pool
for on-demand operations. Simply put, the inter-cloud lets a cloud use resources
outside its own range under existing agreements with other cloud service
providers. Any single cloud has limits on its physical resources and on its
geographic reach.
Need of Inter-Cloud
Because of their physical resource limits, clouds have certain drawbacks:
- When a cloud's computational and storage capacity is completely used up, it
is unable to serve its customers.
- The inter-cloud addresses this situation: one cloud can use the computing,
storage or other resources of the infrastructures of other clouds.
Benefits of the inter-cloud environment include:
- Avoiding vendor lock-in for the cloud client
- Access to a variety of geographic locations, and enhanced application
resiliency
- Better service level agreements (SLAs) for the cloud client
- Expand-on-demand capacity for the cloud provider
Inter-Cloud Resource Management
The processing and storage capacity of a single cloud's infrastructure can be
exhausted. By combining separate clouds into a single fluid pool for on-demand
operations, a cloud can draw on resources outside its own range, so that the
service allocation requests it receives from its clients can still be met.
Types of Inter-Cloud Resource Management
1. Federation Clouds: A federation cloud is a kind of inter-cloud in which
several cloud service providers willingly link their cloud infrastructures
together to exchange resources. Providers in the federation trade resources
openly. With this inter-cloud technology, private cloud portfolios and
government clouds (those owned and used by governments or non-profits) can
cooperate.
2. Multi-Cloud: In a multi-cloud, a client or service makes use of several
independent clouds. There is no voluntarily shared infrastructure between the
cloud service providers; it is the client's, or the client's agents',
responsibility to manage resource provisioning and scheduling. This approach
is used to draw on assets from both public and private cloud portfolios.
Multi-clouds come in two kinds: services and libraries.
Topologies used in Inter-Cloud Architecture
1. Peer-to-Peer Inter-Cloud Federation: Clouds work together directly,
although they may also use distributed entities as directories or brokers.
Clouds communicate and negotiate directly, without intermediaries. An
example of a peer-to-peer federation inter-cloud project is RESERVOIR
(Resources and Services Virtualization without Barriers).

2. Centralized Inter-Cloud Federation: Resource sharing between clouds is
carried out or facilitated by a central entity, which serves as a registry of
the available cloud resources. The inter-cloud projects Dynamic Cloud
Collaboration (DCC) and Federated Cloud Management use centralized
inter-cloud federation.

3. Multi-Cloud Service: Clients use a service to access various clouds. The
service is hosted either by the cloud client itself or externally, and it
contains broker components. The inter-cloud projects OPTIMIS, Contrail,
mOSAIC and STRATOS, as well as commercial cloud management solutions, use
multi-cloud services.

4. Multi-Cloud Libraries: Clients use a uniform cloud API, packaged as a
library, to build their own brokers. Inter-clouds that use libraries make it
easier to use different clouds in a consistent way. The Java library Apache
jclouds, the Python library Apache Libcloud and the Ruby library Apache
Deltacloud are examples of multi-cloud libraries.
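The scheduling responsibility that the "Multi-Cloud" paragraph assigns to the client's own agent, and the exhausted-cloud situation described under "Need of Inter-Cloud", can be shown in a small broker. The following is an added example written for this page, not code from the page or from any of the projects or libraries it names; the cloud names, regions, prices and capacities are assumed. Each request carries the regions its data may live in, so the broker never places a workload outside the client's residency constraint, and when the cheapest eligible cloud is exhausted the request falls through to the next one rather than being silently dropped.

```python
"""Added example: a client-side multi-cloud broker (illustration only; clouds,
prices and capacities are assumed)."""
from dataclasses import dataclass


@dataclass
class Cloud:
    name: str
    region: str
    price_per_vcpu_hour: float   # assumed list price
    vcpu_capacity: int
    vcpu_used: int = 0

    @property
    def vcpu_free(self) -> int:
        return self.vcpu_capacity - self.vcpu_used


@dataclass(frozen=True)
class Request:
    app: str
    vcpus: int
    allowed_regions: frozenset   # data-residency constraint set by the client


@dataclass(frozen=True)
class Placement:
    app: str
    cloud: str
    vcpus: int


class MultiCloudBroker:
    def __init__(self, clouds):
        self.clouds = list(clouds)

    def eligible(self, req):
        """Clouds inside the allowed regions that still have room for the request."""
        return [c for c in self.clouds
                if c.region in req.allowed_regions and c.vcpu_free >= req.vcpus]

    def place(self, req):
        """Pick the cheapest eligible cloud and reserve capacity on it."""
        candidates = self.eligible(req)
        if not candidates:
            raise RuntimeError(f"no cloud can host {req.app} within {sorted(req.allowed_regions)}")
        best = min(candidates, key=lambda c: c.price_per_vcpu_hour)
        best.vcpu_used += req.vcpus
        return Placement(req.app, best.name, req.vcpus)

    def schedule(self, requests):
        """Place requests in order; rejected ones are reported, never silently dropped."""
        placements, rejected = [], []
        for req in requests:
            try:
                placements.append(self.place(req))
            except RuntimeError:
                rejected.append(req.app)
        return placements, rejected


def demo():
    """Constructed scenario: a small private cloud, two public clouds, five requests."""
    broker = MultiCloudBroker([
        Cloud("private-eu", "eu", 0.02, vcpu_capacity=16),
        Cloud("public-a-eu", "eu", 0.04, vcpu_capacity=64),
        Cloud("public-b-us", "us", 0.03, vcpu_capacity=64),
    ])
    eu_only, us_only = frozenset({"eu"}), frozenset({"us"})
    return broker.schedule([
        Request("billing", 8, eu_only),
        Request("reports", 8, eu_only),     # private cloud is now full
        Request("web", 8, eu_only),         # falls through to public-a-eu, not to the cheaper US cloud
        Request("analytics", 8, us_only),
        Request("batch", 100, eu_only),     # exceeds every eligible cloud: rejected
    ])


if __name__ == "__main__":
    placements, rejected = demo()
    for p in placements:
        print(f"{p.app:10s} -> {p.cloud} ({p.vcpus} vCPU)")
    print("rejected:", rejected)
```

The residency check is the security-relevant part: price alone would send the third request to the cheaper US cloud, and a broker that picked on price alone would move EU data out of region without anyone noticing.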

Difficulties with Inter-Cloud Research
The needs of cloud users frequently call for various resources, and those
needs are often variable and unpredictable. This creates challenging issues
for resource provisioning and application service delivery. The difficulties
in federating cloud infrastructures include the following:
- Prediction of application service behaviour: The system must be able to
predict customer demand and service behaviour; until it can, it cannot make
rational decisions about dynamically scaling up and down. Prediction and
forecasting models must be constructed, and building models that accurately
learn and fit statistical functions suited to the various behaviours is
difficult. Correlating a service's various behaviours is harder still.
- Flexible service-resource mapping: Because of high operational expenses
and energy demands, it is crucial to improve efficiency, cost-effectiveness
and utilization. Matching services to cloud resources is difficult because
the system must work out the appropriate combinations of software and
hardware. QoS targets must be met while keeping system utilization and
efficiency as high as possible throughout the mapping of services.
- Optimization techniques driven by economic models: A market-driven
approach to decision-making that searches for the best combinations of
services and deployment strategies is a combinatorial optimization problem.
Optimization models are needed that address both resource-centred and
user-centred QoS objectives.
- Integration and interoperability: SMEs may be unable to migrate to the
cloud because they have a substantial number of on-site IT assets, such as
business applications, and because security and privacy concerns may prevent
sensitive data from being moved to the cloud. For on-site assets and cloud
services to work together, integration and interoperability are required,
which means solving the problems of identity management, data management and
business process orchestration.
- Monitoring system components at scale: Although the system's components
are distributed, system management and monitoring are usually carried out by
centralized procedures. Managing multiple service queues and a high volume of
service requests raises scalability, performance and reliability issues that
make centralized approaches ineffective. Decentralized architectures based on
messaging and indexing models are required instead, and these can serve for
service monitoring and management.

Resource Provisioning

The allocation of resources and services from a cloud provider to a customer
is known as resource provisioning in cloud computing, sometimes called cloud
provisioning. It is the process of choosing, deploying and managing software
(such as load balancers and database management systems) and hardware
resources (including CPU, storage and networks) to assure application
performance.
To use resources effectively without violating the SLA while meeting the QoS
requirements, static or dynamic provisioning and static or dynamic allocation
of resources must be chosen according to the application's needs.
Over-provisioning and under-provisioning of resources must both be prevented.
Power usage is another significant constraint. VM placement should be done
with care to reduce power consumption and heat dissipation, and there should
be techniques to avoid excess power consumption.
The ultimate objective of a cloud user is therefore to rent resources at the
lowest possible cost, while the objective of a cloud service provider is to
maximize profit by distributing resources effectively.

Importance of Cloud Provisioning:

- Scalability: Being able to scale up and down as demand for resources
fluctuates is one of the major points of cloud computing.
- Speed: Users can quickly spin up multiple machines as their usage requires,
without needing an IT administrator.
- Savings: The pay-as-you-go model allows enormous cost savings for users; it
is made possible by provisioning or removing resources according to demand.

Challenges of Cloud Provisioning:

- Complex management: Cloud providers have to use various tools and
techniques to actively monitor the usage of resources.
- Policy enforcement: Organizations have to ensure that users cannot access
resources they should not.
- Cost: With automated provisioning, costs can climb very high unless proper
checks are in place. Alerts on reaching a cost threshold are required.

Tools for Cloud Provisioning:

- Google Cloud Deployment Manager
- IBM Cloud Orchestrator
- AWS CloudFormation
- Microsoft Azure Resource Manager

Types of Cloud Provisioning:

- Static provisioning or advance provisioning: Static provisioning can be
used successfully for applications with known and typically constant demands
or workloads. Here the cloud provider gives the customer a set amount of
resources, which the client can then use as required. The client is
responsible for making sure the resources are not over-utilized. This is an
excellent choice for applications with stable and predictable workloads; for
instance, a customer might want a database server with a fixed quantity of
CPU, RAM and storage.
When a consumer contracts with a service provider for services, the provider
makes the necessary preparations before the service begins. Either a one-time
cost or a monthly fee is charged to the client.
Resources are pre-allocated to customers by the cloud service provider. This
means that before consuming resources, a cloud user must decide, statically,
how much capacity they need. Static provisioning may therefore result in
over-provisioning or under-provisioning.

- Dynamic provisioning or on-demand provisioning: With dynamic provisioning,
the provider adds resources as they are needed and removes them when they are
no longer required. It follows a pay-per-use model: clients are billed only
for the resources they actually use, as and when the cloud service provider
allots them. This is also called the pay-as-you-go model. Dynamic provisioning
techniques allow VMs to be moved on the fly to new computing nodes within the
cloud when application demand changes or varies.
This is a suitable choice for applications with erratic and shifting
workloads. For instance, a customer might want a web server with a
configurable quantity of CPU, memory and storage; the client uses the
resources as required and pays only for what is really used. The client is
responsible for ensuring that the resources are not oversubscribed; otherwise,
fees can skyrocket.

- Self-service provisioning or user self-provisioning: In user
self-provisioning, sometimes referred to as cloud self-service, the customer
uses a web form to acquire resources from the cloud provider, sets up a
customer account and pays with a credit card. Shortly afterwards, the
resources are made available for use.
Parameters for Resource Provisioning
i) Response time: The resource provisioning algorithm must take minimal
time to respond when executing a task.
ii) Minimized cost: From the cloud user's point of view, cost should be
minimized.
iii) Revenue maximization: From the cloud service provider's point of
view, revenue should be maximized.
iv) Fault tolerance: The algorithm should continue to provide service
despite the failure of nodes.
v) Reduced SLA violation: The algorithm must reduce SLA violations.
vi) Reduced power consumption: VM placement and migration techniques
must lower power consumption.
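The trade-off between static and dynamic provisioning, and the provisioning parameters listed above (cost, SLA violations, over-provisioning), are easier to see on numbers. The following simulation is an added example, not code from the page: the hourly demand curve and the per-server-hour price are constructed, and the scaling rule (last hour's demand plus a fixed headroom, with a one-hour reaction lag) is an assumption chosen to show why prediction matters. The dynamic run also carries the two guards the text calls for: a hard maximum so that scaling cannot run away, and a cost threshold that raises an alert when spend crosses it.

```python
"""Added example: static vs dynamic provisioning on one constructed demand curve."""
from dataclasses import dataclass, field

# Constructed demand: servers needed in each hour of one day (office-hours burst).
DEMAND = [2, 2, 2, 2, 3, 4, 6, 9, 12, 14, 15, 15, 14, 13, 12, 10, 8, 6, 5, 4, 3, 3, 2, 2]
PRICE_CENTS = 10          # assumed price per server-hour, in cents so sums stay exact


@dataclass
class Outcome:
    cost_cents: int
    sla_violations: int          # hours in which demand exceeded capacity
    idle_server_hours: int       # capacity paid for but not used (over-provisioning)
    budget_alerts: list = field(default_factory=list)   # hours at which the budget was hit


def static_provisioning(demand, reserved, price=PRICE_CENTS):
    """Advance provisioning: a fixed reservation, paid for every hour."""
    violations = sum(1 for d in demand if d > reserved)
    idle = sum(max(reserved - d, 0) for d in demand)
    return Outcome(reserved * price * len(demand), violations, idle)


def dynamic_provisioning(demand, *, minimum=2, headroom=2, maximum=None,
                         budget_cents=None, price=PRICE_CENTS):
    """On-demand provisioning with a one-hour reaction lag: capacity for hour t is
    last hour's demand plus `headroom`, clamped to [minimum, maximum]. The lag is
    what makes prediction matter: a steep ramp still causes SLA violations."""
    capacity = minimum
    server_hours = violations = idle = 0
    alerts = []
    for hour, d in enumerate(demand):
        if hour > 0:
            wanted = demand[hour - 1] + headroom
            if maximum is not None:
                wanted = min(wanted, maximum)     # oversubscription guard
            capacity = max(minimum, wanted)
        server_hours += capacity
        if d > capacity:
            violations += 1
        else:
            idle += capacity - d
        if budget_cents is not None and not alerts and server_hours * price >= budget_cents:
            alerts.append(hour)                   # cost threshold alert, raised once
    return Outcome(server_hours * price, violations, idle, alerts)


if __name__ == "__main__":
    print("static, sized for peak:     ", static_provisioning(DEMAND, max(DEMAND)))
    print("static, sized for average:  ", static_provisioning(DEMAND, 8))
    print("dynamic, headroom 2, $20 cap:", dynamic_provisioning(DEMAND, budget_cents=2000))
    print("dynamic, capped at 12:      ", dynamic_provisioning(DEMAND, maximum=12))
```

Sizing the static reservation for the peak gives zero violations but pays for 192 idle server-hours; sizing it for the average halves the bill and breaks the SLA for nine hours. The dynamic run lands between the two, and its remaining violations all sit on the morning ramp, which is exactly the prediction problem raised under the inter-cloud research difficulties.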
Resource Provisioning Methods

Static resource provisioning techniques are used for scientific applications,
which require large computing power. Aneka is a cloud application platform
capable of provisioning resources obtained from various sources such as
public and private clouds, clusters, grids and desktop grids. This technique
allocates resources efficiently and so reduces application execution time.
Because resource failures are inevitable, it is a good idea to couple private
and public clouds efficiently using an architectural framework that realizes
the full potential of hybrid clouds.

Dynamic resource provisioning techniques: The algorithm proposed in [2] is
suitable for web applications, where response time is one of the important
factors. For web applications, guaranteeing an average response time is
difficult because traffic patterns are highly dynamic and hard to predict
accurately, and because the complex, multi-tier nature of web applications
makes it hard to identify bottlenecks and resolve them automatically. This
technique proposes a working prototype system for automatic detection and
resolution of bottlenecks in multi-tier cloud-hosted web applications, which
improves response time and also identifies over-provisioned resources.

Global Exchange of Cloud Resources

Cloud Exchange (CEx) serves as a market maker, bringing service providers
and users together. It was proposed by the University of Melbourne as part
of its InterCloud architecture (Cloudbus). It supports brokering and
exchange of cloud resources for scaling applications across multiple
clouds: it aggregates the infrastructure demands of application brokers and
evaluates them against the available supply, and it supports trading of
cloud services based on competitive economic models such as commodity
markets and auctions.
Security Overview

Cloud security is the set of control-based security measures and technology
protections designed to protect resources stored online from leakage, theft
and data loss. It covers protection of data, cloud infrastructure and
applications against threats. Cloud security applications are themselves
delivered as software, in the same way as the SaaS (Software as a Service)
model.

How to manage security in the cloud?

Cloud service providers have many methods to protect data.

A firewall is a central part of cloud architecture. It protects the network
and the perimeter of end users, and it also protects traffic between the
various applications hosted in the cloud.

Access control protects data by letting us set access lists for various
assets. For example, you can allow specific employees to use an application
while restricting others. The rule is that employees can access only the
equipment they require. Maintaining strict access control keeps essential
documents from being stolen by malicious insiders or hackers.
Data protection methods include Virtual Private Networks (VPN), encryption
and masking. A VPN allows remote employees to connect to the network, and it
accommodates tablets and smartphones for remote access. Data masking keeps
identifiable information private while preserving the structure of the data;
a medical company, for example, can share masked data without violating the
HIPAA rules.

Threat intelligence ranks the risks to information in order of security
importance, which helps to protect mission-critical assets from threats
first. Disaster recovery is also vital to security, because it helps to
recover lost or stolen data.

Benefits of a Cloud Security System

o Protecting the business from dangers
o Protecting against internal threats
o Preventing data loss

The top threats to a system include malware and ransomware, and a cloud
security system helps to break malware and ransomware attacks. Malware poses
a severe threat to businesses: more than 90% of malware arrives via email,
and it is often convincing enough that employees download it without
analysing it. Once downloaded, the malicious software installs itself on the
network to steal files or damage content.

Ransomware is malware that hijacks a system's data and demands a financial
ransom. Companies want their data back but are reluctant to pay. Data
redundancy removes the need to pay: the data that was taken can be restored
with minimal service interruption.

Many cloud data protection solutions identify malware and ransomware, and
firewalls and mail filters keep malicious email out of the inbox.

DDoS Security

In a Distributed Denial of Service (DDoS) attack, a site is flooded with
requests. The website slows down until it can no longer handle the number of
requests and crashes.

DDoS attacks have many serious side effects. Most companies suffering a DDoS
attack lose between $10,000 and $100,000, and many suffer reputational
damage when customers lose confidence in the brand. If confidential customer
data is lost during a DDoS attack, further problems follow. The side effects
can be severe enough that some companies shut down after a DDoS attack; one
reported attack lasted for 12 days.

A cloud security service monitors the cloud to identify and prevent such
attacks, and the cloud service provider protects cloud service users in real
time.
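The monitoring described above comes down to counting requests in a time window and alerting when the count is abnormal. The following detector is an added example, not code from the page or from any provider's product: the log lines are constructed in Common Log Format, and the window length and thresholds are assumptions. It keeps one sliding window per source IP, which catches a single noisy client, and a second window over all traffic, which catches a distributed flood where every individual source stays under the per-source limit. That second counter is the point a practitioner cares about: per-IP rate limiting alone misses a distributed attack, and source addresses can be spoofed or shared behind NAT, so the thresholds must be tuned against real baselines rather than copied from here.

```python
"""Added example: request-flood detection over constructed access-log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) (?P<size>\S+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one Common Log Format line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "req": m["req"], "status": int(m["status"])}


class FloodDetector:
    def __init__(self, window_s=10, per_source_limit=20, global_limit=100):
        self.window = timedelta(seconds=window_s)       # assumed tuning values
        self.per_source_limit = per_source_limit
        self.global_limit = global_limit
        self.per_source = defaultdict(deque)   # ip -> timestamps still inside the window
        self.everything = deque()              # all timestamps still inside the window
        self.flagged = set()                   # sources already reported
        self.volumetric_alert = None
        self.alerts = []

    def _trim(self, dq, now):
        # Drop timestamps that fell out of the sliding window.
        while dq and now - dq[0] > self.window:
            dq.popleft()

    def observe(self, ev):
        now, ip = ev["ts"], ev["ip"]
        dq = self.per_source[ip]
        dq.append(now)
        self._trim(dq, now)
        self.everything.append(now)
        self._trim(self.everything, now)
        if len(dq) > self.per_source_limit and ip not in self.flagged:
            self.flagged.add(ip)               # candidate for a block rule at the edge
            self.alerts.append(("per-source", ip, len(dq), now))
        if len(self.everything) > self.global_limit and self.volumetric_alert is None:
            # No single source is loud, but the aggregate is: distributed flood.
            self.volumetric_alert = ("volumetric", len(self.everything), now)
            self.alerts.append(self.volumetric_alert)


def analyze(lines, **kw):
    det = FloodDetector(**kw)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:                     # unparseable lines are skipped, not fatal
            det.observe(ev)
    return det


def build_sample_log():
    """Constructed log: three normal clients, one noisy client, one distributed flood."""
    base = datetime(2024, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
    events = []
    for sec in range(0, 30, 2):                # normal: one request every 2 s per client
        for ip in ("198.51.100.10", "198.51.100.11", "198.51.100.12"):
            events.append((sec, ip, "/index.html"))
    for i in range(50):                        # noisy client: 10 requests/s for 5 s
        events.append((10 + i // 10, "203.0.113.7", "/login"))
    for n in range(40):                        # distributed: 40 sources x 4 requests in 4 s
        for k in range(4):
            events.append((20 + k, f"192.0.2.{n + 1}", "/api/search"))
    events.sort(key=lambda e: e[0])            # stable sort keeps insertion order within a second
    return [f'{ip} - - [{(base + timedelta(seconds=s)).strftime(TS_FMT)}] '
            f'"GET {path} HTTP/1.1" 200 512' for s, ip, path in events]


if __name__ == "__main__":
    det = analyze(build_sample_log())
    for alert in det.alerts:
        print(alert)
```

On the constructed log the noisy client is reported on its 21st request, while none of the 40 flood sources is ever flagged individually; only the aggregate window reports them. In production the flagged set feeds a rate-limit or block rule at the provider's edge, and the volumetric alert is the signal to engage upstream scrubbing, since by the time the flood reaches the web server the bandwidth is already spent.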

Threat Detection

Cloud security detects advanced threats by using endpoint scanning for
threats at the device level.

Difference between Cloud Security and Traditional IT Security

Cloud security                      Traditional IT security
----------------------------------  ----------------------------------
Quickly scalable                    Slow scaling
Efficient resource utilization      Lower efficiency
Usage-based cost                    Higher cost
Third-party data centres            In-house data centres
Reduced time to market              Longer time to market
Low upfront infrastructure cost     High upfront costs

Top 7 Advanced Cloud Security Challenges

Security becomes more challenging when adopting modern cloud approaches such
as automated cloud integration, continuous integration and continuous
deployment (CI/CD) methods, distributed serverless architectures, and
short-lived assets such as functions as a service and containers.

Some of the advanced cloud-native security challenges and the many layers of
risk faced by today's cloud-oriented organizations are listed below:

1. Enlarged attack surface
Public cloud environments have become a large and highly attractive attack
surface for hackers seeking to disrupt workloads and data in the cloud.
Malware, zero-day exploits, account takeover and many other malicious threats
have become a day-to-day danger.

2. Lack of visibility and tracking
Cloud providers have complete control over the infrastructure layer and do
not expose it to their customers in the IaaS model. The lack of visibility
and control is even greater in the SaaS model. Cloud customers are often
unable to identify their cloud assets or visualize their cloud environments
effectively.

3. Ever-changing workloads
Cloud assets are provisioned and decommissioned dynamically, at scale and
velocity. Traditional security tools cannot enforce protection policies in
such a flexible and dynamic environment with ever-changing, short-lived
workloads.

4. DevOps, DevSecOps and automation
Organizations adopting an automated DevOps CI/CD culture must ensure that
appropriate security controls are identified and embedded in the development
cycle, in code and templates. Security-related changes implemented after a
workload has been deployed to production can weaken the organization's
security posture and lengthen the time to market.

5. Granular privileges and key management

At the application level, poorly configured keys and privileges expose
sessions to security risks. Cloud user roles are often loosely configured,
granting broad privileges beyond what the role requires; a typical example is
allowing untrained users, or users with no business need, to delete or write
database assets.
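Both the access-control paragraph earlier (employees get only the equipment they require) and the loosely configured role described here come down to how a policy is evaluated and how a reviewer spots an over-broad grant. The following is an added example, not code from the page and not any cloud provider's real API: the policy format, action names and ARN-like resource identifiers are assumptions modelled on common IAM conventions. Evaluation follows the usual rule, default deny, a matching Allow grants, and a matching Deny wins over every Allow. The lint function is the check a reviewer runs over a role before it is attached to anyone.

```python
"""Added example: IAM-style policy evaluation and a wildcard-grant lint
(policy format and identifiers assumed, not a provider's real API)."""
import fnmatch


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _matches(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def is_allowed(policy, action, resource):
    """Default deny; any matching Deny is final, otherwise any matching Allow grants."""
    allowed = False
    for st in policy["Statement"]:
        if _matches(st["Action"], action) and _matches(st["Resource"], resource):
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def authorize(bindings, principal, action, resource):
    """A principal with no role binding gets nothing."""
    policy = bindings.get(principal)
    return policy is not None and is_allowed(policy, action, resource)


def overly_broad_statements(policy):
    """Indexes of Allow statements that grant a whole service ('db:*' or '*')
    or apply to every resource ('*'): the loose configuration the text warns about."""
    findings = []
    for i, st in enumerate(policy["Statement"]):
        if st["Effect"] != "Allow":
            continue
        wild_action = any(a == "*" or a.endswith(":*") for a in _as_list(st["Action"]))
        wild_resource = "*" in _as_list(st["Resource"])
        if wild_action or wild_resource:
            findings.append(i)
    return findings


ORDERS = "arn:example:db:eu-west-1:123456789012:table/orders"        # assumed identifiers
CUSTOMERS = "arn:example:db:eu-west-1:123456789012:table/customers"

# A role "for the reporting team" that was written in a hurry.
BROAD_ROLE = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
]}

# The same team's actual business need: read and append to the orders table only.
LEAST_PRIVILEGE_ROLE = {"Statement": [
    {"Effect": "Allow", "Action": ["db:Query", "db:GetItem"], "Resource": ORDERS},
    {"Effect": "Allow", "Action": "db:PutItem", "Resource": ORDERS},
    # Even if someone later adds a wider Allow, destructive actions stay blocked.
    {"Effect": "Deny", "Action": ["db:DeleteTable", "db:DeleteItem"], "Resource": "*"},
]}

BINDINGS = {"reporting-team": LEAST_PRIVILEGE_ROLE, "legacy-admin": BROAD_ROLE}


if __name__ == "__main__":
    for who in BINDINGS:
        for act in ("db:Query", "db:PutItem", "db:DeleteTable"):
            print(f"{who:15s} {act:15s} orders -> {authorize(BINDINGS, who, act, ORDERS)}")
    print("broad statements in BROAD_ROLE:", overly_broad_statements(BROAD_ROLE))
```

The explicit Deny in the least-privilege role is deliberate: it costs nothing while the role is tight, and it keeps holding if a later edit adds a wider Allow, which is how roles usually drift towards the broad one.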

6. Complex environments
Today's methods and tools must work seamlessly across public cloud
providers, private clouds and on-premises infrastructure to maintain
consistent security in hybrid and multi-cloud environments, including
geographically distributed branch-office edge security for distributed
organizations.

7. Cloud compliance and governance
All the leading cloud providers have aligned themselves with well-known
accreditation programmes such as PCI DSS 3.2, NIST 800-53, HIPAA and GDPR.
However, the poor visibility and the dynamics of cloud environments make the
compliance audit process close to mission impossible unless tools are used to
run continuous compliance checks and issue real-time alerts.

SaaS Security:

Cloud service models such as PaaS, IaaS and SaaS are changing the way
companies conduct themselves in the market and internally. From large
enterprises to small businesses, everybody is shifting gears to understand
and adopt SaaS solutions.

This entails incorporating security policies into their services, products
and business processes. A sound architecture lets organizations focus
primarily on their business while a third party takes care of security
issues.

SECaaS stands for Security as a Service. This type of service safeguards,
monitors and manages your sensitive data against external threats such as
data breaches. With the increased popularity, scalability and efficiency of
cloud-based designs, many organizations and corporations have also become
vulnerable to data breaches.

SaaS, software as a service, is a centrally hosted, subscription-based model
of software deployment and licensing; because of this it is also called
on-demand software or subscribeware. It is part of the broader umbrella of
cloud computing, which also includes infrastructure as a service and
platform as a service.

Among the plethora of SaaS applications on the market, some examples are
Microsoft Office 365, Adobe Creative Cloud, Cisco Webex and Box. SaaS
applications are also called web-based software, as they are usually
accessed through web browsers, although it is equally common for software as
a service to be delivered through installed client software.

SaaS security posture management is a maintenance measure that ensures the
safety of sensitive data such as personally identifiable information,
healthcare information and financial information. The SaaS vendor is
responsible for the operating system, securing the platform, the SaaS
application, the network and the physical infrastructure, while the user is
responsible for data and identity management.

To help strengthen SaaS security, many regulatory bodies worldwide have
issued guidelines such as the GDPR. The SaaS vendor must follow these
guidelines to offer secure SaaS services.

The Benefits Of SaaS

In recent years, SaaS security has gathered a lot of attention globally, and
its adoption is expected to grow rapidly. This increase in demand is due to
the following uses and benefits of SaaS security.

Low Costs

You pay only for what you use, because companies purchase on a need basis
and pay no extras. A SaaS environment offers yearly or monthly subscription
fees that are quite cheap, making it a reasonable choice for startup
businesses.

Easy Setup

SaaS security allows easy and quick adoption because there is no waiting
period: interested organizations can get access instantly, whereas on-site
applications take more time to deploy.

The guidelines are easy for the organization's security team to follow, and
you do not have to worry about API integration, because software as a
service integrates with other software through standard application
programming interfaces.

Hassle-Free Maintenance

Users have no worries about the maintenance and updates of SaaS, because the
SaaS provider handles them, so the company or organization can focus solely
on other important problems.

Scalability

It is a scalable resource that organizations can scale up or down on demand,
when and as needed.

Easy To Use

You can use SaaS 24/7 from a web browser, remotely, through the SaaS
platform. This way you do not have to pay for software licences, in-house
hardware or any other cloud infrastructure, and there is no need to hire
on-site staff to maintain or support the SaaS systems.

Best Security

Security provided by SaaS vendors is of high quality because they invest
heavily in security measures, for example by distributing servers across
many locations with automatic backups to ensure high-quality cloud security.

Why Is Software As A Service Security Important?

SaaS providers offer and host the SaaS service, its maintenance and its
security for their users. This cloud security design protects the sensitive
data and the software that the service carries, and it involves the best
practices any business uses for gathering data in the cloud to keep the
information secure. The provider is responsible for securing the platform,
the operating system infrastructure and the network.

Since the software as a service environment holds a lot of confidential
data, it is a common target for cyber criminals. In the case of a security
breach, integrity and safety are compromised, which can also lead to huge
financial loss.

So, to protect sensitive data and prevent disasters of the highest degree,
SaaS security is required. However, if the SaaS service provider does not
deliver up-to-the-mark services, businesses may experience security threats
and service disruptions.

Users and business owners must ensure that all security best practices are
carried out in their organization by employing suitable SaaS security
solutions. If they do not comply with best practices, the business is
exposed to breaches and to the legal implications that follow. In a
nutshell, an organization that uses a SaaS model must give importance to
data security and best practices.

SaaS Security Challenges

Software as a service brings a range of challenges and risks to the table,
such as:

Communication

Lack of communication is one of the root causes of security issues in an
organization. As with any on-site application, limited interaction between
teams can often lead to security issues.

Complexity

As we already know, software as a service resides in the cloud and caters to
various teams of an organization, often across the globe. The SaaS
application is used by many people with different roles at different levels
and with varying knowledge of the security system and the applications,
which makes the applications problematic and trickier to understand, even
for security professionals.

Collaboration

Teams in an organization have their own functions and goals. Unfortunately,
the emphasis is often more on business requirements and functionality than
on security settings, and this imbalance between security and business needs
makes securing software as a service challenging. It is therefore the
responsibility of businesses to educate their security teams to balance
security requirements and business needs on an ongoing basis.

Less Control

Businesses using SaaS have to rely on third-party sellers for secure
services. Even though providers offer everything to ensure high-quality
operation and security, services can still be disrupted. Businesses do not
have full control of security and need to rely on the SaaS providers for
continuous support.

Cloud Security Governance

Cloud governance is a set of rules and policies adopted by companies that run
services in the cloud. The goal of cloud governance is to enhance data security,
manage risk, and enable the smooth operation of cloud systems.

The cloud makes it easier than ever for teams within the organization to develop
their own systems and deploy assets with a single click. While this promotes
innovation and productivity, it can also cause issues like:

- Poor integration between cloud systems, even within the same organization
- Duplication of effort or data between different parts of the organization
- Lack of alignment between cloud systems and business goals
- New security issues, for example the risk of deploying cloud systems with
weak or missing access control

Cloud governance ensures that asset deployment, system integration, data


security, and other aspects of cloud computing are properly planned,
considered, and managed. It is highly dynamic, because cloud systems can be
created and maintained by different groups in the organization, involve third-
party vendors, and can change on a daily basis.

Cloud governance initiatives ensure this complex environment meets


organizational policies, security best practices and compliance obligations.

Why is Cloud Security Governance Important?

Here are a few ways cloud governance can benefit an organization running
critical services in the cloud.

Improves Cloud Resource Management

Cloud governance can help break down cloud systems into individual accounts
that represent departments, projects or cost centers within the organization. This
is a best practice recommended by many cloud providers. Segregating cloud
workloads into separate accounts can improve cost control, visibility, and limits
the business impact of security issues.

Reduces Shadow IT

The risks and costs of cloud systems significantly increase if the organization is
unaware which systems and data are deployed where. It is extremely common
nowadays for employees to turn to shadow IT systems when they do not get a
rapid response from traditional IT services.

Cloud Governance Model Principles

The following five principles are a good starting point for building your cloud
governance model:

1. Compliance with policies and standards—cloud usage standards must


be consistent with regulations and compliance standards used by your
organization and others in your industry.
2. Alignment with business objectives—cloud strategy should be an
integral part of the overall business and IT strategy. All cloud systems
and policies should demonstrably support business goals.
3. Collaboration—there should be clear agreements between owners and
users of cloud infrastructure, and other stakeholders in the relevant
organizational units, to ensure they make appropriate and mutually
beneficial use of cloud resources.
4. Change management—all changes to a cloud environment must be
implemented in a consistent and standardized manner, subject to the
appropriate controls.
5. Dynamic response—cloud governance should rely on monitoring and
cloud automation to dynamically respond to events in the cloud
environment.

How to Design and Implement a Cloud Governance Framework

The following are the primary components of a cloud governance framework.

Components of a cloud governance framework

Cloud Financial Management

In many organizations, cloud costs quickly get out of hand. Cloud services often
promise to reduce IT costs, but this only holds true if costs are duly managed.
There are three elements of cloud financial management:

Cloud Operations Management

Operations management involves defining processes for the deployment of
services. These processes should include:

- A clear definition of the resources allocated to the service over time
- Service-level agreements (SLAs) to define expected performance
- Ongoing monitoring to make sure SLAs are met
- Process and required checks before deploying code to production
- Access control requirements

Strong cloud operations management is an excellent way to prevent shadow IT.
It can conserve costs by preventing unnecessary use of cloud resources, and can
dramatically improve the return on investment of cloud expenditure in the long
term.

Cloud Data Management

The cloud makes it easier to collect and analyze huge amounts of data, but this
makes data management a much bigger challenge. Cloud governance should
specify how to manage the entire data lifecycle in the cloud. This includes:

 Building a data classification scheme, and setting policies for data at different
levels of sensitivity
 Ensuring all data is encrypted, at rest and in transit
 Putting in place appropriate access controls for each type of data
 Using data masking to reduce the risk of sensitive data when it is used for
scenarios like development, testing, or training
 Developing a tiering strategy, moving data over time from high cost fast access
systems to lower cost archival systems
 Ensuring that data lifecycle management is automated—this is critical to apply
policies in large scale cloud deployments
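The list above names the controls but not how an automated lifecycle job would apply them. The following is an added example, not code from the original notes: a small policy engine that takes a classification level per dataset, checks the encryption requirement, masks sensitive fields when the data is requested outside production, and picks a storage tier from the data's age. The level names, thresholds, field list and sample records are assumptions constructed for illustration.

```python
"""Added example (not part of the original notes): a small data-lifecycle
policy engine covering the controls listed above (classification levels,
encryption requirements, masking outside production, and age-based tiering).
The level names, thresholds, field list and sample records are assumptions
constructed for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib
import re


@dataclass(frozen=True)
class LevelPolicy:
    encrypt_required: bool     # at rest and in transit
    mask_outside_prod: bool    # dev/test/training copies get masked fields
    archive_after_days: int    # hot storage -> archival tier after this age


# Assumed classification scheme, most sensitive last.
POLICIES = {
    "public":       LevelPolicy(False, False, 365),
    "internal":     LevelPolicy(True,  False, 180),
    "confidential": LevelPolicy(True,  True,   90),
    "restricted":   LevelPolicy(True,  True,   30),
}

# Fields that are masked when a record leaves production (assumed list).
SENSITIVE_FIELDS = {"email", "phone", "card_number"}


def mask_value(field, value):
    """Deterministic masking that keeps a usable shape: an e-mail keeps its
    domain, a card number keeps its last four digits, anything else becomes a
    hashed token so records can still be joined in test data."""
    if field == "email" and "@" in value:
        local, domain = value.split("@", 1)
        return "user-" + hashlib.sha256(local.encode()).hexdigest()[:8] + "@" + domain
    if field == "card_number":
        digits = re.sub(r"\D", "", value)
        return "*" * (len(digits) - 4) + digits[-4:]
    return "masked-" + hashlib.sha256(value.encode()).hexdigest()[:12]


def mask_record(record):
    """Copy of the record with every sensitive field masked."""
    return {k: (mask_value(k, v) if k in SENSITIVE_FIELDS else v)
            for k, v in record.items()}


def tier_for(level, last_accessed, today):
    """Hot storage until the level's archive threshold, archive afterwards."""
    age_days = (today - last_accessed).days
    return "archive" if age_days > POLICIES[level].archive_after_days else "hot"


def check_dataset(dataset, today):
    """Apply the policy for one dataset: report encryption violations, pick the
    storage tier, and return the record as it may be exposed to the requesting
    environment (masked unless the environment is prod)."""
    policy = POLICIES[dataset["level"]]
    violations = []
    if policy.encrypt_required and not (dataset["encrypted_at_rest"] and dataset["tls_in_transit"]):
        violations.append("encryption required but not fully enabled")
    exposed = dataset["record"]
    if policy.mask_outside_prod and dataset["environment"] != "prod":
        exposed = mask_record(exposed)
    return {"violations": violations,
            "tier": tier_for(dataset["level"], dataset["last_accessed"], today),
            "record": exposed}


TODAY = date(2024, 6, 1)   # fixed so the run is reproducible

# Constructed sample datasets, not real data.
SAMPLE_DATASETS = [
    {"name": "crm-export", "level": "confidential", "environment": "test",
     "encrypted_at_rest": True, "tls_in_transit": True,
     "last_accessed": TODAY - timedelta(days=10),
     "record": {"email": "alice@example.com", "phone": "555-0100", "region": "eu"}},
    {"name": "payments-log", "level": "restricted", "environment": "prod",
     "encrypted_at_rest": True, "tls_in_transit": False,
     "last_accessed": TODAY - timedelta(days=45),
     "record": {"card_number": "4111 1111 1111 1111", "amount": 12.5}},
    {"name": "press-kit", "level": "public", "environment": "dev",
     "encrypted_at_rest": False, "tls_in_transit": True,
     "last_accessed": TODAY - timedelta(days=400),
     "record": {"title": "Q2 release"}},
]


def run_lifecycle(datasets=SAMPLE_DATASETS, today=TODAY):
    """Evaluate every dataset; this is what a scheduled lifecycle job would run."""
    return {d["name"]: check_dataset(d, today) for d in datasets}


if __name__ == "__main__":
    for name, result in run_lifecycle().items():
        print(name, result["tier"], result["violations"], result["record"])
```

The masking is deterministic on purpose: a test database built from masked exports still joins correctly across tables, which is what makes masked data usable for development and training without exposing the real values.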

Cloud Security and Compliance Management

Cloud governance takes responsibility for all the key topics of enterprise
security. It determines the organization’s security and compliance
requirements and ensures they are enforced in the cloud environment:

 Risk assessment
 Identity and access management
 Data management and encryption
 Application security
 Disaster recovery

Virtual Machine Security in Cloud


The term “Virtualized Security,” sometimes known as “security
virtualization,” describes security solutions that are software-based and
created to operate in a virtualized IT environment. This is distinct from
conventional hardware-based network security, which is static and is
supported by equipment like conventional switches, routers, and firewalls.
Virtualized security is flexible and adaptive, in contrast to hardware-based
security. It can be deployed anywhere on the network and is frequently cloud-
based so it is not bound to a specific device.
In cloud computing, where operators construct workloads and applications
on demand, virtualized security enables security services and functions to
move around with those on-demand workloads. This is crucial for virtual
machine security, and virtualized security is equally important for cloud
tasks such as isolating multitenant setups in public cloud settings. Because
data and workloads move around a complex ecosystem spanning several
providers, the flexibility of virtualized security is useful for securing
hybrid and multi-cloud settings.
Types of Virtualization

Type I Virtualization

In this design, the Virtual Machine Monitor (VMM) sits directly above the
hardware and mediates all interactions between the VMs and the hardware.
On top of the VMM is a management VM that manages the other guest VMs
and handles most of the interaction with the hardware. The Xen system is a
common illustration of this kind of virtualization design.

Type II virtualization

Architectures of this kind, such as VMware Player, run the VMM as an
application within the host operating system (OS). I/O drivers and guest VM
management are the responsibilities of the host OS.
Service Provider Security
The system’s virtualization hardware should not be physically accessible to
anyone who is not authorized. Each VM can be given an access control that
can only be established through the hypervisor, in order to safeguard it
against unwanted access by cloud administrators. The three fundamental
tenets of access control (identity, authentication, and authorization) prevent
administrators from accessing data and system components they are not
authorized for.
Hypervisor Security
The hypervisor’s code integrity is protected via a technology called
HyperSafe. It locks down the hypervisor’s memory pages as write-protected
and prohibits changes to the hypervisor’s code. By restricting access to its
code, it defends the hypervisor from control-flow hijacking threats. The only
way to carry out a VM escape attack is through a local physical setting;
therefore, insider attacks must be prevented in the physical cloud
environment. Additionally, the host OS and the interaction between the guest
machines need to be configured properly.
Virtual Machine Security
The administrator must set up a program or application that prevents virtual
machines from consuming additional resources without permission.
Additionally, a lightweight process that gathers logs from the VMs and
monitors them in real time to detect and repair any VM tampering must run
on a virtual machine. Security best practices must be used to harden the
guest OS and any running applications. These include setting up firewalls,
host intrusion prevention systems (HIPS), anti-virus and anti-spyware
programs, web application protection, and log monitoring in guest operating
systems.
Guest Image Security
A policy to control the creation, use, storage, and deletion of images must be
in place for organizations that use virtualization. To find viruses, worms,
spyware, and rootkits that hide from security software running in a guest OS,
image files must be analyzed.
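Both of the preceding sections ask for the same thing in practice: a way to know that the image a VM boots from is the one that was approved, and to notice when it has been tampered with. The following is an added example, not code from the original notes: every file of a golden image is hashed into a manifest, the manifest is authenticated with an HMAC key held by the image owners, and the image is re-verified against that manifest before each use so that modified, added or removed files are reported. The directory layout, the key and the sample files are assumptions constructed for illustration.

```python
"""Added example (not part of the original notes): approval and verification
of guest VM images. A golden image is hashed file by file into a manifest,
the manifest is authenticated with an HMAC key, and the image is re-verified
before use so tampering (changed, added or removed files) is reported.
Directory layout, key and sample files are assumptions constructed here."""
import hashlib
import hmac
import json
import os
import tempfile


def _sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(image_root):
    """Map every file under the image root (relative POSIX path) to its SHA-256."""
    manifest = {}
    for dirpath, _, filenames in os.walk(image_root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, image_root).replace(os.sep, "/")
            manifest[rel] = _sha256_file(full)
    return manifest


def sign_manifest(manifest, approval_key):
    """HMAC-SHA256 over the canonical JSON form of the manifest."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(approval_key, canonical, hashlib.sha256).hexdigest()


def verify_image(image_root, manifest, signature, approval_key):
    """Return a sorted list of findings; an empty list means the image may be used."""
    if not hmac.compare_digest(sign_manifest(manifest, approval_key), signature):
        return ["manifest signature invalid: image not approved"]
    current = build_manifest(image_root)
    findings = []
    for rel, digest in manifest.items():
        if rel not in current:
            findings.append("removed: " + rel)
        elif current[rel] != digest:
            findings.append("modified: " + rel)
    for rel in current:
        if rel not in manifest:
            findings.append("added: " + rel)
    return sorted(findings)


def demo():
    """Build a toy image, approve it, then tamper with it and re-verify.
    Returns (findings for the clean image, findings after tampering,
    findings when verified with the wrong approval key)."""
    key = b"image-approval-key (assumed; keep a real key in a secrets store)"
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "sshd_config"), "w") as f:
            f.write("PermitRootLogin no\n")
        with open(os.path.join(root, "boot.img"), "wb") as f:
            f.write(b"\x7fELF constructed-bootloader")
        manifest = build_manifest(root)
        signature = sign_manifest(manifest, key)
        clean = verify_image(root, manifest, signature, key)
        # Simulate tampering: weaken a setting and drop in an unexpected file.
        with open(os.path.join(root, "etc", "sshd_config"), "w") as f:
            f.write("PermitRootLogin yes\n")
        with open(os.path.join(root, "unexpected_binary"), "wb") as f:
            f.write(b"constructed")
        tampered = verify_image(root, manifest, signature, key)
        forged = verify_image(root, manifest, signature, b"wrong-key")
    return clean, tampered, forged


if __name__ == "__main__":
    print(demo())
```

The signature check comes first so that an attacker who can edit the image cannot simply rewrite the manifest to match; the manifest is only trusted if it was produced under the approval key. In a real deployment the key would live in an HSM or secrets manager and the verification would run on the host before the guest is started.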
Benefits of Virtualized Security
Virtualized security is now practically required to meet the intricate security
requirements of a virtualized network, and it is also more adaptable and
effective than traditional physical security.
 Cost-Effectiveness: Cloud computing’s virtual machine security enables
businesses to keep their networks secure without having to significantly
raise their expenditures on pricey proprietary hardware. Usage-based
pricing for cloud-based virtualized security services can result in
significant savings for businesses that manage their resources effectively.
 Flexibility: It is essential in a virtualized environment that security
operations can follow workloads wherever they go. A company is able to
profit fully from virtualization while simultaneously maintaining data
security thanks to the protection it offers across various data centers, in
multi-cloud, and hybrid-cloud environments.
 Operational Efficiency: Virtualized security can be deployed more
quickly and easily than hardware-based security because it doesn’t require
IT teams to set up and configure several hardware appliances. Instead,
they can quickly scale security systems by setting them up using
centralized software. Security-related duties can be automated when
security technology is used, which frees up more time for IT employees.
 Regulatory Compliance: Virtual machine security in cloud computing is
a requirement for enterprises that need to maintain regulatory compliance
because traditional hardware-based security is static and unable to keep
up with the demands of a virtualized network.
Virtual Machine Security Challenges
 As we previously covered, buffer overflows are a common component of
classical network attacks. Trojan horses, worms, spyware, rootkits, and
DoS attacks are examples of malware.
 In a cloud context, more recent attacks might be carried out via VM
rootkits, hypervisor malware, or guest hopping and hijacking. Man-in-the-
middle attacks against VM migrations are another form of attack. Typically,
passwords or sensitive information are stolen during passive attacks.
Active attacks could alter the kernel’s data structures, seriously harming
cloud servers.
 HIDS and NIDS are both types of IDSs. To supervise and check the
execution of code, use program shepherding. The RIO dynamic
optimization infrastructure, the vSafe and vShield tools from
VMware, security compliance for hypervisors, and Intel vPro technology
are some further protective solutions.
Four Steps to ensure VM Security in Cloud Computing

Protect Hosted Elements by Segregation

To secure virtual machines in cloud computing, the first step is to segregate
the newly hosted components. Let’s take an example where three features that
are now running on an edge device may be placed in the cloud either as part
of a private subnetwork that is invisible or as part of the service data plane,
with addresses that are accessible to network users.

All Components are Tested and Reviewed

Before allowing virtual features and functions to be implemented, you must
confirm that they comply with security standards as step two of cloud-virtual
security. Virtual networking is subject to outside attacks, which can be
dangerous, but insider attacks can be disastrous. When a feature with a
backdoor security flaw is added to a service, it becomes a part of the
infrastructure of the service and is far more likely to have unprotected attack
paths to other infrastructure pieces.

Separate Management APIs to Protect the Network

The third step is to isolate service from infrastructure management and
orchestration. Because they are created to regulate features, functions, and
service behaviors, management APIs will always pose a significant risk. All
such APIs should be protected, but the ones that monitor infrastructure
components that service users should never access must be protected with
particular care.

Keep Connections Secure and Separate

The fourth and last aspect of cloud virtual network security is to make sure
that connections between tenants or services do not cross over into each
other’s virtual networks. Virtual networking is a fantastic approach to
building quick connections to scaled or redeployed features, but each time a
modification is made to the virtual network, it’s possible that an accidental
connection will be made between two distinct services, tenants, or
feature/function deployments. A data plane leak, a link between the actual
user networks, or a management or control leak could result from this,
allowing one user to affect the service provided to another.
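The third and fourth steps describe a property that can be checked mechanically every time the virtual network changes. The following is an added example, not code from the original notes: virtual networks are modelled with an owning tenant and a plane (data or management), the configured links are grouped into connectivity islands, and any island that mixes tenants (a data-plane leak) or mixes tenant data networks with management or orchestration networks (a control leak) is reported. Because islands are computed transitively, an accidental bridge anywhere in a chain of links is caught, not only a direct tenant-to-tenant link. The network names, tenants and links are assumptions constructed for illustration.

```python
"""Added example (not part of the original notes): a segregation check for a
virtual-network inventory. Networks carry a tenant and a plane ("data" or
"management"); links are grouped into connectivity islands and any island
that mixes tenants or mixes planes is reported. Names, tenants and links are
assumptions constructed for illustration."""
from collections import namedtuple

VNet = namedtuple("VNet", "name tenant plane")   # plane is "data" or "management"


def segregation_report(vnets, links):
    """Return sorted (kind, [network names]) findings; empty means segregated.
    Links are (name, name) pairs treated as bidirectional."""
    parent = {v.name: v.name for v in vnets}

    def find(x):                       # union-find with path halving
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in links:
        parent[find(a)] = find(b)

    islands = {}
    for v in vnets:
        islands.setdefault(find(v.name), []).append(v)

    findings = []
    for members in islands.values():
        names = sorted(m.name for m in members)
        tenants = {m.tenant for m in members}
        planes = {m.plane for m in members}
        if len(planes) > 1:            # a data network reaches management/orchestration
            findings.append(("control leak", names))
        elif len(tenants) > 1:         # two customers share a connectivity island
            findings.append(("data-plane leak", names))
    return sorted(findings)


# Constructed inventory: two tenants plus the provider's management networks.
SAMPLE_VNETS = [
    VNet("tenant-a-front", "tenant-a", "data"),
    VNet("tenant-a-back", "tenant-a", "data"),
    VNet("tenant-b-front", "tenant-b", "data"),
    VNet("provider-mgmt", "provider", "management"),
    VNet("provider-orch", "provider", "management"),
]
LINKS_OK = [("tenant-a-front", "tenant-a-back"), ("provider-mgmt", "provider-orch")]
# A "quick connection" added during a redeployment that bridges two tenants.
LINKS_TENANT_BRIDGE = LINKS_OK + [("tenant-a-back", "tenant-b-front")]
# A change that exposes the orchestration network to a tenant data network.
LINKS_MGMT_EXPOSED = LINKS_OK + [("tenant-b-front", "provider-orch")]


if __name__ == "__main__":
    for label, links in [("ok", LINKS_OK), ("bridge", LINKS_TENANT_BRIDGE),
                         ("mgmt", LINKS_MGMT_EXPOSED)]:
        print(label, segregation_report(SAMPLE_VNETS, links))
```

Running this as a pre-apply check in the orchestration pipeline turns step four into a gate: a change that would merge two tenants' islands, or pull a management network into a tenant island, is rejected before it reaches the virtual switch.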

Identity and Access Management (IAM)

Identity and Access Management (IAM) is a combination of policies and
technologies that allows organizations to identify users and provide the right
form of access as and when required. There has been a burst of new
applications in the market, and the requirement for an organization to use
these applications has increased drastically. The services and resources you
want to access can be specified in IAM. IAM doesn’t provide any replica or
backup. IAM can be used for many purposes, such as controlling individual
and group access to your AWS resources. With IAM policies, managing
permissions for your workforce and systems to ensure least-privilege
permissions becomes easier. AWS IAM is a global service.

Components of Identity and Access Management (IAM)


1. Users
2. Roles
3. Groups
4. Policies
These new applications being created in the cloud, on mobile and on-premises
can hold sensitive and regulated information. It’s no longer acceptable or
feasible to just create an identity server and provide access based on requests.
In current times an organization should be able to track the flow of
information and provide least-privileged access as and when required;
obviously, with a large workforce and new applications being added every day,
it becomes quite difficult to do so. So organizations specifically concentrate
on managing identity and its access with the help of a few IAM tools. It’s
quite obvious that it is very difficult for a single tool to manage everything,
but there are multiple IAM tools in the market that help organizations with any
of the few services given below.
IAM Identities Classified As
1. IAM Users
2. IAM Groups
3. IAM Roles
Root user
The root user will automatically be created and granted unrestricted rights. We
can create an admin user with fewer powers to control the entire Amazon
account.
IAM Users
We can use IAM users to access the AWS Console; their administrative
permissions differ from those of the root user, and we can keep track of their
login information.
Example
With the aid of IAM users, we can accomplish our goal of giving a specific
person access to every service available in the Amazon dashboard with only a
limited set of permissions, such as read-only access. Let’s say user-1 is a user
that I want to have read-only access to the EC2 instance and no additional
permissions, such as create, delete, or update. By creating an IAM user and
attaching user-1 to that IAM user, we may allow the user access to the EC2
instance with the required permissions.
IAM Groups
A group is a collection of users, and a single person can be a member of several
groups. With the aid of groups, we can manage permissions for many users
quickly and efficiently.
Example
Consider two users named user-1 and user-2. If we want to grant user-1 specific
permissions, such as the ability to delete, create, and update the auto-scaling
group only, and if we want to grant user-2 all the permissions necessary to
maintain the auto-scaling group as well as the ability to maintain EC2 and S3,
we can create groups and add these users to them. If a new user is added, we
can add that user to the required group with the necessary permissions.
IAM Roles
While policies cannot be directly given to any of the services accessible through
the Amazon dashboard, IAM roles are similar to IAM users in that they may be
assumed by anybody who requires them. By using roles, we can provide AWS
services access rights to other AWS services.
Example
Consider Amazon EKS. In order to maintain an auto-scaling group, EKS
needs access to EC2 instances. Since we can’t attach policies directly to EKS
in this situation, we must build a role, attach the necessary policies to that
specific role, and then attach that role to EKS.
IAM Policies
IAM policies manage access to AWS by being attached to IAM identities or
resources. IAM policies define the permissions of AWS identities and AWS
resources; when a user or any resource makes a request, AWS validates these
policies and confirms whether the request is to be allowed or denied. AWS
policies are stored in JSON format. The number of policies attached to a
particular IAM identity depends on the number of permissions required for
that identity; an IAM identity can have multiple policies attached to it.
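The IAM Users example (read-only access to EC2), the restart-only use case and the paragraph above all come down to one decision procedure over the JSON policies attached to an identity. The following is an added example, not code from the original notes or from AWS: a simplified evaluator that implements the core AWS rule for identity-based policies, namely that an explicit Deny in any attached policy wins, otherwise an Allow is required, and otherwise the request is implicitly denied, with `*` wildcards in `Action` and `Resource`. The identities, policy documents, instance ID and requests are assumptions constructed for illustration (the account number is the AWS documentation placeholder); real IAM additionally evaluates conditions, resource-based policies, service control policies and permission boundaries, which this toy omits.

```python
"""Added example (not part of the original notes): a simplified evaluator for
identity-based IAM policies in JSON form. Rule: explicit Deny wins, otherwise
an Allow is needed, otherwise implicit deny. Policies, identities and the
instance ARN are assumptions constructed for illustration; conditions,
resource policies, SCPs and permission boundaries are intentionally omitted."""
from fnmatch import fnmatchcase


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM-style match: '*' wildcard, case-insensitive comparison."""
    return any(fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def evaluate(policies, action, resource):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _matches(stmt["Action"], action):
                continue
            if not _matches(stmt.get("Resource", "*"), resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"          # any matching Deny ends the evaluation
            allowed = True             # keep going: a later Deny could still win
    return "Allow" if allowed else "ImplicitDeny"


# Constructed policy documents in the JSON shape IAM stores them in.
EC2_READ_ONLY = {   # the "read-only access to EC2" case from the IAM Users example
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["ec2:Describe*", "ec2:Get*"],
                   "Resource": "*"}],
}
REBOOT_ONE_INSTANCE = {   # the "can only restart the instance" use case
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": "ec2:RebootInstances",
                   "Resource": "arn:aws:ec2:eu-west-1:111122223333:instance/i-0abc123def456"}],
}
DENY_TERMINATE = {   # a guard-rail attached alongside broader permissions
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny",
                   "Action": "ec2:TerminateInstances",
                   "Resource": "*"}],
}

# Constructed identities: a user and a group, each with several policies attached.
IDENTITIES = {
    "user-1": [EC2_READ_ONLY, DENY_TERMINATE],
    "ops-group": [EC2_READ_ONLY, REBOOT_ONE_INSTANCE, DENY_TERMINATE],
}

INSTANCE = "arn:aws:ec2:eu-west-1:111122223333:instance/i-0abc123def456"
OTHER_INSTANCE = "arn:aws:ec2:eu-west-1:111122223333:instance/i-0fedcba987654"


def check(identity, action, resource):
    """Evaluate a request by an identity against all policies attached to it."""
    return evaluate(IDENTITIES[identity], action, resource)


if __name__ == "__main__":
    for who, act, res in [("user-1", "ec2:DescribeInstances", INSTANCE),
                          ("user-1", "ec2:RebootInstances", INSTANCE),
                          ("ops-group", "ec2:RebootInstances", INSTANCE),
                          ("ops-group", "ec2:RebootInstances", OTHER_INSTANCE),
                          ("ops-group", "ec2:TerminateInstances", INSTANCE)]:
        print(who, act, res.rsplit("/", 1)[1], "->", check(who, act, res))
```

Two things the example makes visible that the prose does not: an identity with several policies gets the union of their Allows, and a Deny attached anywhere overrides an Allow attached elsewhere, which is why guard-rail Deny statements are a safe way to cap a group's permissions without editing every other policy.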
Access management for AWS resources
 Identity management
 Access management
 Federation
 RBAC/EM
 Multi-factor authentication
 Access governance
 Customer IAM
 API security
 IDaaS – Identity as a service
 Granular permissions
 Privileged Identity Management – PIM (PAM and PIM refer to the same thing)

Figure – Services under IAM
More About the Services: Looking at the services in brief, identity
management is purely responsible for managing the identity lifecycle. Access
management is responsible for access to the resources, and access governance
is responsible for access request grants and audits. PIM or PAM is responsible
for managing all the privileged access to the resources. The remaining services
either help these services or help in increasing the productivity of these
services.
Market for IAM: In the current market there are three market leaders (Okta,
SailPoint and CyberArk), each of which masters one of the three domains
(Identity Management, Identity Governance and Privileged Access
Management), according to Gartner and Forrester reports. These companies
have developed solutions, and are still developing new solutions, that allow an
organization to manage identity and its access securely without any hindrance
to the workflow. There are other IAM tools: BeyondTrust, Ping, OneLogin,
Centrify, Azure Active Directory, Oracle Identity Cloud Services and many more.
Use cases of Identity and Access Management (IAM)
1. Resource Access Control: Identity and access management (IAM)
allows you to manage the permissions to resources in the AWS cloud,
such as which users can access a particular service and to what extent;
and instead of maintaining the permissions individually, you can manage
the permissions for a group of users at a time.
2. Managing permissions: For example, if you want to assign a permission
such that a user can only perform the restart-instance task on an AWS EC2
instance, you can do so using AWS IAM.
3. Implementing role-based access control (RBAC): Identity and Access
Management (IAM) helps you to manage permissions based on roles. Roles
help to assign permissions to resources in AWS, such as which resource can
access another resource according to the requirement.
4. Enabling single sign-on (SSO): Identity and Access Management helps
you to maintain the same username and password across services, which
reduces the effort of remembering different passwords.
IAM Features
1. Shared Access to your Account: A team working on a project can easily
share resources with the help of the shared access feature.
2. Free of cost: The IAM feature of the AWS account is free to use; charges
are added only when you access other Amazon web services using IAM users.
3. Centralized control over your AWS account: Any creation of new users or
groups, or any form of cancellation, that takes place in the AWS account is
controlled by you, and you have control over what data can be accessed by
the user and how.
4. Grant permission to the user: As the root account holds administrative
rights, the user is granted permission to access certain services by IAM.
5. Multifactor Authentication: An additional layer of security is implemented
on your account by a third party: a six-digit number that you have to enter
along with your password when you log into your account.
Accessing IAM
1. AWS Console: Access AWS IAM through the GUI. It is a web application
provided by AWS (Amazon Web Services) through which users can access
the AWS console.
2. AWS Command Line Tools: Instead of using the console, you can use the
command line interface (CLI) to access the AWS web services. You can
automate the process by using scripts.
3. IAM Query API: Programmatic access to IAM and AWS by allowing you
to send HTTPS requests directly to the service.

The four major components of Identity and Access Management are:

 Identity
 Authentication
 Authorization
 Auditing

Role Of Identity Access Management
Identity and access management (IAM) is a security discipline that enables
organizations to manage digital identities and control user access to critical
information and systems.

Cloud Security Standards


It was essential to establish guidelines for how work is done in the cloud
because of the different security dangers facing the cloud. Cloud security
standards offer a thorough framework for how cloud security is upheld with
regard to both the user and the service provider.
 Cloud security standards provide a roadmap for businesses transitioning
from a traditional approach to a cloud-based approach by providing the
right tools, configurations, and policies required for security in cloud
usage.
 It helps to devise an effective security strategy for the organization.
 It also supports organizational goals like privacy, portability, security, and
interoperability.
 Certification with cloud security standards increases trust and gives
businesses a competitive edge.
Need for Cloud Security Standards
 Ensure cloud computing is an appropriate environment: Organizations
need to make sure that cloud computing is the appropriate environment for
the applications, as security and mitigating risk are the major concerns.
 To ensure that sensitive data is safe in the cloud: Organizations need a
way to make sure that the sensitive data is safe in the cloud while
remaining compliant with standards and regulations.
 No existing clear standard: Cloud security standards are essential as
earlier there were no existing clear standards that can define what
constitutes a secure cloud environment. Thus, making it difficult for cloud
providers and cloud users to define what needs to be done to ensure a
secure environment.
 Need for a framework that addresses all aspects of cloud
security: There is a need for businesses to adopt a
Lack of Cloud Security Standards
 Enterprises and CSPs have been forced to fumble while relying on an
endless variety of auditing needs, regulatory requirements, industry
mandates, and data center standards to offer direction on protecting their
cloud environments due to the lack of adequate cloud security standards.
 Because of this, the Cloud Security Alliance is more difficult to
understand than it first appears, and its fragmented strategy does not meet
the criteria for “excellent security”.

Common Cloud Security Standards

1. NIST (National Institute of Standards and Technology)

NIST is a federal organization in the US that creates metrics and standards to
boost competition in the scientific and technology industries. NIST developed
the Cybersecurity Framework to comply with US regulations such as the
Federal Information Security Management Act (FISMA) and the Health
Insurance Portability and Accountability Act (HIPAA). NIST places a strong
emphasis on classifying assets according to their commercial value and
adequately protecting them.

2. ISO-27017

A development of ISO-27001 that includes provisions unique to cloud-based
information security. Along with ISO-27001 compliance, ISO-27017
compliance should be taken into account. This standard has not yet been
introduced to the marketplace. It attempts to offer further direction in the
cloud computing information security field. Its purpose is to supplement the
advice provided in ISO/IEC 27002 and various other ISO27k standards, such
as ISO/IEC 27018 on the privacy implications of cloud computing, and
ISO/IEC 27031 on business continuity.

3. ISO-27018

The protection of personally identifiable information (PII) in public clouds
that serve as PII processors is covered by this standard. Despite the fact that
this standard is especially aimed at public-cloud service providers like AWS
or Azure, PII controllers (such as a SaaS provider processing client PII in
AWS) nevertheless bear some accountability. If you are a SaaS provider
handling PII, you should think about complying with this standard.

4. CIS controls

Organizations can secure their systems with the help of Internet Security
Center (CIS) Controls, which are open-source policies based on consensus.
Each check is rigorously reviewed by a number of professionals before a
conclusion is reached.
To easily access a list of evaluations for cloud security, consult the CIS
Benchmarks customized for particular cloud service providers. For instance,
you can use the CIS-AWS controls, a set of controls created especially for
workloads using Amazon Web Services (AWS).

5. FISMA

In accordance with the Federal Information Security Management Act
(FISMA), all federal agencies and their contractors are required to safeguard
information systems and assets. NIST, using NIST SP 800-53, was given
authority under FISMA to define the framework security standards (see
definition below).

6. Cloud Architecture Framework

These frameworks, which frequently cover operational effectiveness, security,
and cost-value factors, can be viewed as best-practice standards for cloud
architects. One such framework, developed by Amazon Web Services, aids
architects in designing workloads and applications on the Amazon cloud.
Customers have access to a reliable resource for architecture evaluation
thanks to this framework, which is based on a collection of questions for the
analysis of cloud environments.

7. General Data Protection Regulation (GDPR)

For the European Union, there are laws governing data protection and
privacy. Even though this law only applies to the European Union, it is
something you should keep in mind if you store or otherwise handle any
personal information of residents of the EU.

8. SOC Reporting

A form of audit of the operational processes used by IT businesses offering
any service is known as a “Service and Organization Audits 2” (SOC 2) audit.
A worldwide standard for cybersecurity risk management systems is SOC 2
reporting. The SOC 2 Audit Report shows that your company’s policies,
practices, and controls are in place to meet the five trust principles. The SOC
2 audit report lists security, availability, processing integrity, confidentiality,
and privacy as the trust principles. If you offer software as a service,
potential clients might request proof that you adhere to SOC 2 standards.

9. PCI DSS

For all merchants who use credit or debit cards, the PCI DSS (Payment Card
Industry Data Security Standard) provides a set of security criteria. For
businesses that handle cardholder data, there is PCI DSS. The PCI DSS
specifies fundamental technological and operational criteria for safeguarding
cardholder data. Cardholders are intended to be protected from identity theft
and credit card fraud by the PCI DSS standard.

10. HIPAA

The Health Insurance Portability and Accountability Act (HIPAA), passed by
the US Congress to safeguard individual health information, also has parts
specifically dealing with information security. Businesses that handle
medical data must abide by HIPAA law. The HIPAA Security Rule (HSR)
is the best choice in terms of information security. The HIPAA HSR specifies
rules for protecting people’s electronic personal health information that a
covered entity generates, acquires, makes use of or maintains.
