
Unit-8 - Threats Security Mechanism

The document outlines a comprehensive module on cloud security, focusing on key terminologies, threats, and mechanisms essential for protecting cloud infrastructure. It covers concepts such as confidentiality, integrity, availability, authentication, and various security threats like data leakage and account hijacking. Additionally, it discusses security mechanisms including physical security, identity and access management, and the importance of a layered defense strategy.

Uploaded by Raj
Copyright © All Rights Reserved

Module: Security

Upon completion of this module, you should be able to:

• Describe key security terminologies
• Describe key security threats in the cloud
• Discuss key security mechanisms deployed in the cloud
• Describe the role of GRC in the cloud

Cloud Computing Reference Model
Security Cross-layer Function

Lesson: Introduction to Cloud Security
This lesson covers the following topic:
• Key information security terminologies

Drivers for Securing Cloud Infrastructure

• Information is an organization’s most valuable asset
• Various tools are deployed to protect the assets
• Trust is one of the key concerns of consumers adopting cloud

Trust = Visibility + Control

• Managing security has become increasingly important for cloud service providers

Information Security

A term that includes a set of practices that protect information and information systems from unauthorized access, use, information disclosure, disruption, modification, or destruction.
— US Federal law (Title 38 Part IV, Chapter 57, Subchapter III USC 5727)

• Goal of information security is to provide:
– Confidentiality, integrity, and availability
• Security mechanisms ensure right users have access to right resources at the right time
• Auditing enables assessing effectiveness of the security mechanisms

Key Terminologies of Information Security

• Confidentiality, Integrity, and Availability (CIA)
• Authentication, Authorization, and Auditing (AAA)
• Defense-in-depth
• Trusted computing base
• Secure multi-tenancy
• Velocity of attack
• Information assurance
• Data privacy
• Data ownership

Confidentiality, Integrity, and Availability

• Confidentiality
– Provides required secrecy of information
– Ensures only authorized users have access to data
• Integrity
– Ensures unauthorized changes to data are not allowed
• Availability
– Ensures authorized users have reliable and timely access to resources

Authentication, Authorization, and Auditing

• Authentication
– Process to ensure users or assets are who they claim to be
– Two methods: single-factor and multi-factor
• Authorization
– Process of determining access rights of a user, device, application, or process to a
service or resource
– Authorization should be performed only if authentication is successful
• Auditing
– Process to evaluate the effectiveness of security enforcement mechanisms

Defense-in-depth

A strategy in which multiple layers of defense are deployed throughout the infrastructure to help mitigate the risk of security threats in case one layer of the defense is compromised.

• Also known as a “layered approach” to security
• Provides service providers additional time to detect and respond to an attack
– Reduces the scope of a security breach

Trusted Computing Base (TCB)

A set of all those components that are critical to the security of the cloud infrastructure.

• Defines the boundary between security-critical and non-critical parts of a system
• Vulnerabilities occurring inside the TCB might jeopardize the security of the entire system

Secure Multi-tenancy

• Requires mechanisms that prevent a tenant or its process from affecting another tenant’s information/process
• Providers are responsible for ensuring secure multi-tenancy

Key focus areas and their descriptions:

Secure separation
• Enables isolation of resources and services across consumers
• Example: At storage layer – separation of data at-rest and address space separation

Availability
• Ensures that resources are accessible to all consumers by adhering to BC practices

Service assurance
• Ensures that SLOs are met by dedicating runtime resources and QoS control

Management
• Enables end-to-end infrastructure and service management for service providers
• Provides ability to delegate day-to-day management activities to the consumers

Velocity-of-attack

Refers to a situation where an existing security threat in a cloud may spread rapidly and have a large impact.

• Factors that amplify threats and enable them to spread quickly:
– Large number of infrastructure components
– Homogeneity and standardization in platforms and components
• Mitigation requires:
– Strong and robust security enforcement
– Containment mechanisms

Information Assurance

• Ensures CIA of consumers’ data in the cloud
• Consumers need assurance that all the users:
– Operating on the cloud do so legitimately
– Access only the data for which they have rights
– Access it only to the degree their policies and their roles permit
• Mitigation requires:
– Strong authentication and authorization mechanisms to validate that:
• Consumers operating in the cloud are genuine
• They have the right level of access to resources
– Resilient cloud infrastructure

Data Privacy

• Legal protection against unauthorized disclosure of a consumer’s sensitive data, such as:
– Personally identifiable information
– Details of services requested by a consumer
– Proprietary data of a consumer
• Mitigation requires deploying mechanisms such as:
– Data encryption (both data at-rest and in-transit)
– Data shredding

Data Ownership

• Two scenarios to determine ownership of data:

Data created on-premise and then stored in the cloud
• Data ownership remains with the creator based on factors such as:
– Contractual ownership
– Copyright law
– Trade secret
– Intellectual property

Data created in the cloud environment
• Determination of who owns the data depends on:
– Terms of services (defined in service contract)
– Type of information
– Country in which it is generated and stored

• Service provider must ensure that consumers own their data

Security Concepts and Relationships

Lesson Summary
During this lesson the following topics were covered:
• Confidentiality, integrity, and availability
• Authentication, authorization, and auditing
• Defense-in-depth and trusted computing base
• Multi-tenancy and velocity of attack
• Information assurance
• Data ownership and data privacy

Lesson: Cloud Security Threats
This lesson covers the following topic:
• Key threats in a cloud environment

Key Security Threats in a Cloud Environment
• Key security threats according to CSA and ENISA
– Data leakage
– Data loss
– Account hijacking
– Insecure APIs
– Malicious insiders
– Denial of service
– Abuse of cloud services
– Shared technology vulnerabilities
– Insufficient due diligence
– Loss of governance and compliance

Data Leakage

• Occurs when an attacker gains access to a cloud consumer’s confidential data
• Unauthorized access to confidential data may be gained by:
– Compromising password database
– Exploiting poor application design
– Exploiting poor segregation of network traffic
– Exploiting poor encryption implementation
– Through a malicious insider
• Control measure
– Data encryption (both data at-rest and in-transit)
– Data shredding and multi-factor authentication

Data Loss

• Occurs due to various reasons other than malicious attacks
• Causes of data loss in the cloud include:
– Accidental deletion by the provider
– Destruction resulting from natural disasters
• Providers are often responsible for data loss
• Control measure
– Data backup and replication

Account Hijacking

• Occurs when an attacker gains access to consumers’ accounts

Types of attack and their descriptions:

Phishing
• Social engineering attack used to deceive users
• Carried out by spoofing email containing link to a fake website
• Users’ credentials entered on the fake site are captured

Installing keystroke-logging malware
• Attacker installs malware in a consumer’s VM
• Malware captures users’ credentials and sends them to the attacker

Man-in-the-middle
• Attacker eavesdrops on the network to capture credentials

• Control measures: multi-factor authentication, IPSec, IDPS, and firewall

Insecure APIs

• APIs are used to perform activities such as:
– Resource provisioning and configuration
– Resource monitoring and management
– Orchestration
• APIs may be open or proprietary
• Security of cloud services depends on security of APIs
• Control measures
– Design and develop APIs following security best practices
– Perform security review of APIs
– Access to APIs must be restricted to authorized users

Denial of Service (DoS) Attack

• Prevents legitimate users from accessing resources or services
• Could be targeted against compute systems, networks, or storage resources
• Exhausts key resources, preventing production use by legitimate consumers
– Example 1: Exhausting network bandwidth or CPU cycles
– Example 2: Exploiting weaknesses in communication protocols
– Example 3: Corrupting domain name server’s cache

Distributed Denial of Service (DDoS) Attack

• DDoS is a variant of DoS attack
• Several systems launch a coordinated DoS attack on target(s)
– DDoS master program is installed on a compute system
– Master program communicates to agents at designated time
– Agents initiate the attack on receiving the command
• Attacker is able to multiply the effectiveness of the DoS attack
• Control measure
– Impose restrictions and limits on resource consumption

Malicious Insiders

An organization’s current or former employee, contractor, or other business partner who has or had authorized access to an organization's compute systems, network, or storage.
— Computer Emergency Response Team (CERT)

• Intentional misuse of access to negatively impact CIA
• Control measures:
– Strict access control policies
– Security audit and data encryption
– Disable employee accounts immediately after separation
– Segregation of duties (role-based access control)
– Background investigation of candidates before hiring

Abuse of Cloud Services

• Cloud resources can be misused to perform unauthorized activities such as:
– Cracking an encryption key in minutes or hours
– Distributing pirated software
• Control measures
– Difficult to mitigate merely with the help of tools
– Establish an agreement with consumers that includes guidelines for acceptable use of cloud resources

Insufficient Due Diligence

• Due diligence: understanding the full scope of the undertaking while offering cloud services
• Risk increases if services are offered without a complete understanding of operational responsibilities such as:
– Incident response
– Encryption
– Governance and compliance
– Security monitoring

Shared Technology Vulnerabilities

• An attacker may exploit the vulnerabilities of tools used to enable multi-tenant environments
• Examples of threats:
– Failure of mechanisms that provide separation of memory and storage
– Hyperjacking attack involves installing a rogue hypervisor that takes control of
compute system
• Control measure
– Securing components that are part of trusted computing base

Loss of Compliance

Occurs when a cloud service provider or cloud broker does not adhere to, and demonstrate adherence to, external laws and regulations as well as corporate policies and procedures.

• Regulations mandate vulnerability assessment when using certain types of data
– Aimed at discovering potential security vulnerabilities
• Example: PCI compliance for handling credit card data
– Participating cloud provider may prohibit through contract terms
– Cloud brokers and consumers have to rely on provider’s vulnerability assessment
results

Loss of Governance

• Causes of loss of governance:
– Provider outsources its services to third parties
• Impact of outsourcing services to third parties:
– No control over third parties, which may impact commitments of the provider
– Security controls of provider may change, impacting terms and conditions of provider
– Provider may not be able to supply evidence of meeting their providers’ compliance requirements

Lesson Summary
During this lesson the following topics were covered:
• Data leakage and data loss
• Account hijacking and insecure APIs
• Malicious insiders and denial of service
• Abuse of cloud services and shared technology vulnerabilities
• Insufficient due diligence
• Loss of compliance and governance

Lesson: Security Mechanisms – I
This lesson covers the following topics:
• Physical security
• Identity and access management

Introduction to Security Mechanisms

• Security mechanisms can be classified as:

Administrative
– Security and personnel policies or standard procedures to direct the safe execution of various operations

Technical
– Usually implemented through tools or devices deployed on computer systems, networks, or storage

• Technical security mechanisms must be deployed at:
– Compute level
– Network level
– Storage level

Key Security Mechanisms

• Physical security
• Identity and access management
• Role-based access control
• Network monitoring and analysis
• Firewall
• Intrusion detection and prevention system
• Adaptive security
• Port binding and fabric binding
• Virtual private network
• Virtual LAN and virtual SAN
• Zoning and iSNS discovery domain
• Securing hypervisor and management server
• Virtual machine hardening
• Securing operating system and applications
• LUN masking
• Data encryption
• Data shredding

Physical Security

• Foundation of overall IT security strategy
• Some of the measures to secure cloud infrastructure are:
– Disabling all unused devices and ports
– 24/7/365 onsite security
– Biometric or security badge-based authentication to grant access to the facilities
– Surveillance cameras to monitor activity throughout the facility
– Sensors and alarms to detect motion and fire

Identity and Access Management

A process of managing consumers’ identifiers, and their authentication and authorization to access cloud resources.

• Cloud providers deploy both traditional and new authentication and authorization mechanisms

Authorization
– Description: Restricts accessibility and sharing of files and folders
– Examples: Windows ACLs, UNIX permissions, and OAuth

Authentication
– Description: Enables authentication among client and server
– Examples: Multi-factor authentication, Kerberos, CHAP, and OpenID

Windows ACL and UNIX Permission

Windows ACL
• Types of ACLs:
– DACL: determines access control
– SACL: determines what accesses need to be audited
• Support object ownership in addition to ACLs
– Child objects inherit ACL of parent object
• Use SID to control object access
– SIDs uniquely identify a user or a user group

UNIX Permission
• Common permissions: Read/Write/Execute
• Specify operations by ownership relation with respect to a file:
– What the owner can do?
– What the owner group can do?
– What everyone else can do?

OAuth

An open authorization mechanism that allows a client to access protected resources from a resource server on behalf of a resource owner.

• Entities involved in authorization:
– Resource owner
– Resource server
– Client
– Authorization server

Multi-factor Authentication

• Multiple factors for authentication:
– First factor: What a user knows? For example, a password
– Second factor: What the user has? For example, a token
– Third factor: Who is the user? or What the user did? For example, a unique ID or user’s past activity
• Access is granted only when all the factors are validated

Kerberos

A network authentication protocol, which provides strong authentication for client/server applications by using secret-key cryptography. A client and server can prove their identity to each other across an insecure network connection.

Challenge Handshake Authentication Protocol

• Provides a method for initiators and targets to authenticate each other by utilizing a secret code
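
How the secret is used without ever being sent, as an added example (not part of the original slides): the sketch follows the CHAP response calculation of RFC 1994, MD5 over identifier, secret, and challenge, and runs it in both directions so initiator and target authenticate each other. The class names, the per-direction secrets, and the sample values are constructed assumptions.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """Issues challenges and verifies the peer's responses."""

    def __init__(self, peer_secret: bytes):
        self._peer_secret = peer_secret
        self._pending = {}   # identifier -> challenge not yet answered
        self._next_id = 0

    def new_challenge(self):
        identifier = self._next_id
        self._next_id = (self._next_id + 1) % 256
        challenge = os.urandom(16)          # fresh and unpredictable per attempt
        self._pending[identifier] = challenge
        return identifier, challenge

    def verify(self, identifier: int, response: bytes) -> bool:
        # pop() makes every challenge single-use, so a captured response
        # cannot be replayed against the same authenticator.
        challenge = self._pending.pop(identifier, None)
        if challenge is None:
            return False
        expected = chap_response(identifier, self._peer_secret, challenge)
        return hmac.compare_digest(expected, response)


class Peer:
    """An initiator or a target: proves itself and checks the other side."""

    def __init__(self, name: str, own_secret: bytes, peer_secret: bytes):
        self.name = name
        self._own_secret = own_secret            # proves this peer's identity
        self.auth = Authenticator(peer_secret)   # checks the other peer

    def respond(self, identifier: int, challenge: bytes) -> bytes:
        # Only the hash crosses the network; the secret itself never does.
        return chap_response(identifier, self._own_secret, challenge)


def mutual_chap(initiator: Peer, target: Peer) -> bool:
    # Direction 1: the target challenges the initiator.
    ident, chal = target.auth.new_challenge()
    if not target.auth.verify(ident, initiator.respond(ident, chal)):
        return False
    # Direction 2: the initiator challenges the target.
    ident, chal = initiator.auth.new_challenge()
    return initiator.auth.verify(ident, target.respond(ident, chal))


if __name__ == "__main__":
    # Constructed sample secrets, one per direction.
    i2t, t2i = b"constructed-initiator-secret", b"constructed-target-secret"
    initiator = Peer("initiator", own_secret=i2t, peer_secret=t2i)
    target = Peer("target", own_secret=t2i, peer_secret=i2t)
    print("genuine pair:", mutual_chap(initiator, target))
    rogue = Peer("rogue-target", own_secret=b"guess", peer_secret=i2t)
    print("rogue target:", mutual_chap(initiator, rogue))
```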

OpenID

An open standard for authentication in which a service provider uses authentication services from an OpenID provider.

Lesson Summary
During this lesson the following topics were covered:
• Physical security
• Windows ACLs and UNIX permissions
• OAuth
• Multi-factor authentication
• Kerberos and CHAP
• OpenID

Lesson: Security Mechanisms – II
This lesson covers the following topics:
• Role-based access control
• Network monitoring and analysis
• Firewall and intrusion detection and prevention system
• Adaptive security
• VPN, VLAN, VSAN, zoning and iSNS discovery domain
• Port binding and fabric binding

Key Security Mechanisms

• Physical security
• Identity and access management
• Role-based access control
• Network monitoring and analysis
• Firewall
• Intrusion detection and prevention system
• Adaptive security
• Virtual private network
• Virtual LAN and virtual SAN
• Zoning and iSNS discovery domain
• Port binding and fabric binding
• Securing hypervisor and management server
• Virtual machine hardening
• Securing operating system and applications
• LUN masking
• Data encryption
• Data shredding

Role-based Access Control

• An approach to restrict access to authorized users based on their respective roles
– Only those privileges are assigned to a role that are required to perform tasks associated with that role
• Separation of duties ensures that no single individual can both specify an action and carry it out
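
A small model of both bullets, as an added example (not part of the original slides): roles carry only the permissions their tasks need, and a separation-of-duties rule stops one user from both specifying and executing a change. The role names, permission strings, and users are constructed for illustration.

```python
class SeparationOfDutiesError(Exception):
    """Raised when one user would both specify and carry out an action."""


class RBAC:
    def __init__(self, role_permissions, conflicting_pairs):
        self._role_permissions = {r: frozenset(p) for r, p in role_permissions.items()}
        self._conflicts = [frozenset(pair) for pair in conflicting_pairs]
        self._user_roles = {}

    def permissions(self, user):
        """Union of the permissions of every role assigned to the user."""
        perms = set()
        for role in self._user_roles.get(user, ()):
            perms |= self._role_permissions[role]
        return perms

    def assign(self, user, role):
        if role not in self._role_permissions:
            raise KeyError(f"unknown role: {role}")
        # Static separation of duties: refuse an assignment that would give
        # one user both halves of a conflicting permission pair.
        candidate = self.permissions(user) | self._role_permissions[role]
        for pair in self._conflicts:
            if pair <= candidate:
                raise SeparationOfDutiesError(
                    f"{user} would hold conflicting permissions {sorted(pair)}")
        self._user_roles.setdefault(user, set()).add(role)

    def is_allowed(self, user, permission):
        # Default deny: anything not granted through a role is refused.
        return permission in self.permissions(user)


def specify_change(rbac, user, description):
    if not rbac.is_allowed(user, "change:specify"):
        raise PermissionError(f"{user} may not specify changes")
    return {"description": description, "specified_by": user}


def execute_change(rbac, user, change):
    if not rbac.is_allowed(user, "change:execute"):
        raise PermissionError(f"{user} may not execute changes")
    # Dynamic check: still holds if role assignments changed after the
    # change was specified.
    if change["specified_by"] == user:
        raise SeparationOfDutiesError(f"{user} specified this change")
    return f"{user} executed: {change['description']}"


def build_demo():
    """Constructed roles and users for the demonstration."""
    rbac = RBAC(
        role_permissions={
            "change-author": {"change:specify"},
            "change-executor": {"change:execute"},
            "auditor": {"log:read"},
        },
        conflicting_pairs=[("change:specify", "change:execute")],
    )
    rbac.assign("alice", "change-author")
    rbac.assign("bob", "change-executor")
    rbac.assign("carol", "auditor")
    return rbac


if __name__ == "__main__":
    rbac = build_demo()
    change = specify_change(rbac, "alice", "resize vm-7")
    print(execute_change(rbac, "bob", change))
    try:
        rbac.assign("alice", "change-executor")
    except SeparationOfDutiesError as exc:
        print("blocked:", exc)
```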

Network Monitoring and Analysis

• A proactive measure to detect and prevent network failure or performance problems
• Network monitoring can be performed in two ways:

Active
– Monitoring tools transmit data between two endpoints that are monitored

Passive
– Information about a link or device is collected by probing the link or device

• Mechanisms used to monitor, detect, and prevent attacks are:
– Firewalls, IDPS and network analysis/forensics systems

Firewall

A security mechanism designed to examine data packets traversing a network and compare them to a set of filtering rules.

• Can be deployed at:
– Network level
– Compute level
– Hypervisor level
• Can be physical or virtual
• Uses various parameters for traffic filtering

Examples of filtering parameters:
• Source address
• Destination address
• Port numbers and protocols

Firewall: Demilitarized Zone

• Secure internal assets while allowing Internet-based access to resources

Intrusion Detection and Prevention System

A security tool that automates the process of detecting and preventing events that can compromise the confidentiality, integrity, or availability of IT resources.

• Signature-based detection technique
– Scans for signatures to detect an intrusion
– Effective only for known threats
• Anomaly-based detection technique
– Scans and analyzes events to detect if they are statistically different from normal events
– Has the ability to detect various events

Examples of events detected:
• Multiple login failures
• Excessive process failure
• Excessive network bandwidth consumed by an activity
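
Both detection techniques applied to one small log, as an added example (not part of the original slides): a signature-style rule for the "multiple login failures" event and a statistical check for excessive bandwidth. The log format, field names, thresholds, and baseline values are constructed assumptions.

```python
import statistics
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: timestamp, event kind, then key=value fields.
SAMPLE_LOG = """\
2024-05-01T10:00:00 auth result=FAIL user=admin src=198.51.100.7
2024-05-01T10:00:05 auth result=FAIL user=admin src=198.51.100.7
2024-05-01T10:00:09 auth result=FAIL user=root src=198.51.100.7
2024-05-01T10:00:12 auth result=FAIL user=alice src=192.0.2.10
2024-05-01T10:00:20 auth result=FAIL user=admin src=198.51.100.7
2024-05-01T10:00:31 auth result=FAIL user=test src=198.51.100.7
2024-05-01T10:00:40 auth result=OK user=alice src=192.0.2.10
2024-05-01T10:01:00 net vm=vm-7 mbytes_out=104
2024-05-01T10:02:00 net vm=vm-7 mbytes_out=99
2024-05-01T10:03:00 net vm=vm-7 mbytes_out=480
2024-05-01T10:04:00 net vm=vm-7 mbytes_out=103
2024-05-01T10:05:30 auth result=FAIL user=alice src=192.0.2.10
"""

# Constructed "normal" traffic (MB per minute) used to learn the baseline.
BASELINE_MBYTES = [100, 110, 95, 105, 102, 98, 107, 101]


def parse(log_text):
    """Turn log lines into (timestamp, kind, fields) tuples; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        events.append((datetime.fromisoformat(parts[0]), parts[1], fields))
    return events


def detect_login_failures(events, threshold=5, window=timedelta(seconds=60)):
    """Signature-based: a known pattern, N failed logins from one source in a window."""
    recent = defaultdict(deque)   # source address -> timestamps of recent failures
    alerts = []
    for ts, kind, fields in events:
        if kind != "auth" or fields.get("result") != "FAIL":
            continue
        failures = recent[fields.get("src", "unknown")]
        failures.append(ts)
        while ts - failures[0] > window:   # drop failures outside the window
            failures.popleft()
        if len(failures) >= threshold:
            alerts.append((fields.get("src", "unknown"), ts))
            failures.clear()               # one alert per burst
    return alerts


def detect_bandwidth_anomalies(events, baseline, k=3.0):
    """Anomaly-based: flag samples more than k standard deviations from normal."""
    mean = statistics.mean(baseline)
    stdev = statistics.stdev(baseline)
    alerts = []
    for ts, kind, fields in events:
        if kind != "net" or "mbytes_out" not in fields:
            continue
        value = float(fields["mbytes_out"])
        # No signature describes this spike; it is caught only because it
        # deviates from the learned baseline.
        if stdev > 0 and abs(value - mean) / stdev > k:
            alerts.append((fields.get("vm"), ts, value))
    return alerts


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    for src, ts in detect_login_failures(events):
        print(f"[signature] multiple login failures from {src} at {ts}")
    for vm, ts, value in detect_bandwidth_anomalies(events, BASELINE_MBYTES):
        print(f"[anomaly] {vm} sent {value} MB at {ts}")
```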

Intrusion Detection and Prevention System: Types of Implementations

Compute system-based
• Analyzes activity such as system logs and running processes
• IDPS software is susceptible to attacks

Network-based
• Monitors and analyzes network traffic, network devices, network protocol, and application protocol behavior
• Deployed in the form of appliance or software on compute system
• Usually isolated from malicious applications on compute systems

Hypervisor-based
• Monitors for anomalies in a hypervisor
• Detection policies are typically kernel-specific

Adaptive Security

A mechanism that integrates with the cloud service providers’ standalone mechanisms such as IDPS and firewalls and uses heuristics to learn user behavior and detect fraudulent activity.

• Identifies and blocks anomalies
• Parameters used to learn about a user are:
– Behavioral profile
– Device-related profile
– Type of web browser being used
– Plug-ins used in a browser

Virtual Private Network

• Extends a consumer’s private network across a public network
– Enables applying the internal network’s security and management policies over the VPN connection
• Two methods to establish a VPN connection:
– Remote access VPN connection
• Remote client initiates a remote VPN connection request
• VPN server authenticates and grants access to cloud network
– Site-to-site VPN connection
• Remote site initiates a site-to-site VPN connection
• VPN server authenticates and grants access to cloud network

Virtual LAN and SAN

• Ensure security by providing isolation over shared infrastructure
• Restrict communication among different consumers
• Zoning provides additional level of security within a VSAN

Zoning

• Logically segments node ports into groups
• Communication occurs among node ports within a group
• WWPN-based zoning prevents unauthorized access when node ports are re-cabled to different fabric ports
• Port zoning reduces the risk of WWPN spoofing

iSNS Discovery Domain

• iSNS discovery domains:
– Function in the same way as FC zones
– Enable functional groupings of devices in an IP-SAN
– Devices in the same functional group can communicate with one another

Port Binding

• Port binding limits the devices that can be attached to a specific switch port

Supported environments and their descriptions:

FC SAN
• Maps a WWPN to a switch port
• WWPN login is rejected when illegitimate host is connected

Ethernet
• Maps MAC and IP address of a compute system to a switch port
• Switch port forwards a packet only if a MAC and IP address in a packet are mapped to that port

Fabric Binding

• Fabric binding allows only authorized switches to join a fabric
– Ensures unauthorized switches are segmented from a fabric
– Authorized switch can merge into a fabric
– Can be used along with port and port-type locking capabilities

Lesson Summary
During this lesson the following topics were covered:
• Role-based access control
• Network monitoring and analysis
• Firewall, IDPS, and adaptive security
• Port binding and fabric binding
• VPN, VLAN, and VSAN
• Zoning and iSNS discovery domain

Lesson: Security Mechanisms – III
This lesson covers the following topics:
• Securing hypervisor and management server
• Virtual machine hardening
• Securing operating system and applications
• LUN masking
• Data encryption
• Data shredding


Securing Hypervisor and Management Server

• Compromising a hypervisor or management server places all VMs at risk
• Control measures:
– Install security-critical hypervisor updates
– Harden hypervisor using specifications provided by CIS and DISA
– Restrict core functionality to selected administrators
– Encrypt network traffic when managing remotely
– Deploy firewall between management system and rest of the network
– Rotate or delete log files when they reach a certain size

Virtual Machine Hardening

• Process used to change the default configuration of a VM
• Remove or disable devices that are not required
– Example: disabling USB ports or CD/DVD drives
• Tune configuration of VM features to operate in a secure manner:
– Change default passwords
– Set permissions to VM files
– Disallow changes to MAC address assigned to a virtual NIC
• VM templates must be hardened to a known security baseline

Securing Operating Systems and Applications

• Three key security mechanisms for OS and application:
– Hardening OS and applications
– Malware protection software
– Sandboxing

Hardening OS and Applications

• OS hardening:
– Configure system and network components as per a hardening checklist provided
by CIS and DISA
– Delete unused files and applications, and install current OS updates
– Perform vulnerability scan and penetration test to identify existing vulnerabilities
• Application hardening:
– Design with proper architecture, threat modeling, and secure coding
– Install current application updates

Malware Protection Software

• Detects, prevents, and removes malware programs
• Common malware detection techniques:
– Signature-based detection
– Heuristics detection
• Protects applications by providing:
– Process spawning control
– Executable file protection
– System tampering protection
• Protects OS against attacks that modify sensitive areas
– Disallows unauthorized modification of sensitive areas

• Virus code incorporated into application’s executable file
• Virus code executed when infected application runs
Can be prevented by:
• Disallowing modification of application’s executable file

Sandboxing

• Provides a tightly-controlled set of resources on which the application executes
• Used for testing and verifying unproven or untrusted applications
• Isolates execution of an application in order to restrict the resources and privileges

LUN Masking

Refers to the assignment of LUNs to specific host bus adapter world-wide names.

• Protects against unauthorized access to storage
• Can be implemented on:
– Host
– Switch
– Storage system
• Stronger variant of LUN masking uses source Fibre Channel address

Data Encryption

A cryptographic technique in which data is encoded and made indecipherable to eavesdroppers or hackers.

• Enables securing data in-flight and at-rest
• Provides protection from threats, such as data tampering, media theft, and sniffing attacks
• Data encryption mechanism can be deployed at compute, network, and storage
• Data should be encrypted as close to its origin as possible

Data Shredding

A process of deleting data or residual representations (sometimes called remanence) of data and making it unrecoverable.

• Techniques for shredding data stored on tapes:
– Overwriting tapes with invalid data
– Degaussing media
– Destroying tapes
• Techniques for shredding data stored on disks and flash drives:
– Shredding algorithms
• Shred all copies of data including backup and replicas

Security as a Service

Refers to the provision of security applications and services via the cloud either to cloud-based infrastructure and software or from the cloud to the customers’ on-premise systems. This will enable enterprises to make use of security services in new ways, or in ways that would not be cost effective if provisioned locally.
— Cloud Security Alliance, “Security as a Service” Version 1.0 (2011)

• Enables consumers to reduce CAPEX on security deployments
• Enables reducing security management burden on consumers
• Security policies implemented are dictated by consumers

Lesson Summary
During this lesson the following topics were covered:
• Securing hypervisor and management server
• Virtual machine hardening
• Securing operating system and applications
• LUN masking and data encryption
• Data shredding and Security as a Service

Lesson: Governance, Risk, and Compliance (GRC)
This lesson covers the following topics:
• Focus areas of cloud governance
• Key steps of risk management
• Types of compliance that control IT operations in cloud
• Key auditing activities in cloud

Introduction to GRC

A term encompassing processes that help an organization to ensure that their acts are ethically correct and in accordance with their risk appetite (the risk level an organization chooses to accept), internal policies and external regulations.

• GRC work together to enforce policies and minimize risks
– Governance is the authority for making policies
– Risk management involves identifying resources that should not be accessed by certain users to preserve CIA
– Compliance management assures that policies are being enforced by implementing mechanisms

Governance

Determines the purpose, strategy, and operational rules by which companies are directed and managed.

• Enterprise governance is based on business strategy
– IT governance is a subset discipline of enterprise governance
– Objective of IT governance is to determine desired behavior to achieve IT’s strategic goals
• IT governance requires defining roles and responsibilities for:
– Directing, controlling, and executing decisions
– Determining information required to make decisions
– Handling exceptions

Risk Management
Risk and Risk Management

Risk is the effect of uncertainty on business objectives. Risk management is a systematic process of assessing its assets, placing a realistic valuation on each asset, and creating a risk profile that is rationalized for each information asset across the business.

Compliance

Act of adhering to, and demonstrating adherence to, external laws and regulations, corporate policies and procedures, service provider's own demands, consumers' demands, and/or the demands of participating cloud providers (in case of hybrid cloud and cloud brokers).

• Two types of compliance policies control IT operations:
– Internal policy compliance
• Controls the nature of IT operations within an organization
• Requires maintaining the same compliance when operating in cloud
– External policy compliance
• Controls the nature of IT operations related to the flow of data out of organization
• May differ based upon the type of information and business

Compliance Management
Compliance Management

Ensures that the cloud services, service creation processes, and cloud infrastructure resources
adhere to relevant policies and legal requirements.

• Policies and regulations may be based on:
– Configuration best practices
– Security rules
– Change control processes
• Compliance management activities include:
– Periodic review of compliance enforcement
– Identifying deviations and initiating corrective actions

Auditing
Auditing

A process that determines the validity and reliability of information about the enforcement of
controls presented by a provider. An audit also provides an assessment of the cloud provider’s
control mechanisms and of the provider’s ability to give consumers the logs required to verify
those mechanisms.

• Performed by internal auditors or external auditors
• Cloud auditor is a role that audits cloud infrastructure
– Evaluates a provider in terms of:
  • Security controls
  • Privacy

Key Auditing Activities in the Cloud
Security Audit

• Determine how consumers’ data is segregated from each other
• Evaluate security mechanisms and ensure they are in accordance with provider’s internal policies
• Determine how identity management is performed
• Determine whether adequate DR processes are available
• Evaluate whether appropriate governance processes are available

Key Auditing Activities in the Cloud
Privacy Audit

• Evaluate use of encryption to protect consumers’ data
• Determine level of access provider’s employees have to consumers’ resources and data
• Evaluate processes for controlling consumers’ access
• Evaluate whether data retention and destruction practices are in accordance with privacy laws

Lesson Summary
During this lesson the following topics were covered:
• Governance in the cloud
• Risk management for the cloud
• Compliance for the cloud
• Cloud auditing

Concepts in Practice
• RSA SecurID
• RSA Security Analytics
• RSA Archer eGRC
• RSA Adaptive Authentication
• VMware vCloud Networking and Security

RSA Security Products

SecurID
• Provides two-factor authentication
• To access a resource, a user must combine their secret PIN with a token code
• A new token code is generated every 60 seconds

Security Analytics
• Enables detection and investigation of threats often missed by other security tools
• Single platform captures and analyzes large amounts of network, log, and other data
• Enables analysis of terabytes of metadata, log data, and recreated network sessions

Archer eGRC
• Enables an organization to:
– Manage risks
– Demonstrate compliance
– Automate business processes
– Gain visibility into corporate risk and security controls
• Provides a single point of visibility and coordination for physical, virtual, and cloud assets
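
The SecurID description above combines a secret PIN with a token code that changes every 60 seconds. As an added illustration (not RSA's code and not part of the original slides), the sketch below shows the server-side check using the open RFC 6238 TOTP algorithm as a stand-in for the token code. The seed, the PIN, the 6-digit code length and the `Verifier` class are assumptions; SecurID's own algorithm is not described on this page.

```python
import hashlib
import hmac
import os
import struct

STEP_SECONDS = 60  # token interval stated on the slide
DIGITS = 6         # assumed code length


def token_code(seed: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the 60-second interval containing unix_time."""
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)
    digest = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation, RFC 4226
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class Verifier:
    """Hypothetical server side: checks PIN + token code, rejects reused intervals."""

    def __init__(self, seed: bytes, pin: str):
        self.seed = seed
        self.salt = os.urandom(16)
        self.pin_hash = self._hash_pin(pin)
        self.last_interval = -1  # highest interval already accepted

    def _hash_pin(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 100_000)

    def verify(self, passcode: str, unix_time: int, drift: int = 1) -> bool:
        pin, code = passcode[:-DIGITS], passcode[-DIGITS:]
        pin_ok = hmac.compare_digest(self._hash_pin(pin), self.pin_hash)
        now = unix_time // STEP_SECONDS
        matched = None
        # Check every interval in the clock-drift window; no early exit.
        for interval in range(now - drift, now + drift + 1):
            expected = token_code(self.seed, interval * STEP_SECONDS)
            if hmac.compare_digest(expected.encode(), code.encode()):
                matched = interval
        if not pin_ok or matched is None or matched <= self.last_interval:
            return False
        self.last_interval = matched  # a code is good for one login only
        return True
```

Tracking the last accepted interval is what stops a captured passcode from being replayed inside its own 60-second window.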

RSA and VMware Security Products

RSA Adaptive Authentication
• Provides an authentication and fraud detection platform
• Measures login and post-login activities by evaluating risk indicators
• Provides transparent authentication when protecting:
– Web sites and online portals
– Mobile applications and browsers
– ATM, SSL, and VPN
– Web access management applications

VMware vCloud Networking and Security
• Virtualizes networking and security to enable greater agility, efficiency, and extensibility in the data center
• Delivers software-defined networks and security with a broad range of services including:
– Virtual firewall
– Virtual private network
– Load balancer
– VXLAN

Module Summary
Key points covered in this module:
• Key security terminologies
• Key security threats in the cloud
• Security mechanisms for the cloud
• Governance, risk, and compliance
