Module-5

Cloud Security

1. CSA cloud security architecture,

2. authentication-Single Sign-On (SSO)
3. authorization,identity & access management,
4. data security-securing data at rest - securing data in motion
5. key management,
6. Auditing.
5.1Cloud Computing Security Architecture:
Security in cloud computing is a major concern. Proxy and brokerage services should
be employed to restrict a client from accessing the shared data directly. Data in the
cloud should be stored in encrypted form.

Security Planning:
Before deploying a particular resource to the cloud, one should need to analyze
several aspects of the resource, such as:
 A select resource needs to move to the cloud and analyze its sensitivity to risk.
 Consider cloud service models such as IaaS, PaaS,and These models require the
customer to be responsible for Security at different service levels.
 Consider the cloud type, such as public, private, community, or hybrid
 Understand the cloud service provider's system regarding data storage and its
transfer into and out of the cloud.
The risk in cloud deployment mainly depends upon the service models and cloud
types.

Understanding Security of Cloud:

Security Boundaries:
The Cloud Security Alliance (CSA) stack model defines the boundaries between
each service model and shows how different functional units relate. A particular
service model defines the boundary between the service provider's responsibilities and
the customer. The following diagram shows the CSA stack model:
Key Points to CSA Model:
 IaaS is the most basic level of service, with PaaS and SaaS next two above levels
of services.
 Moving upwards, each service inherits the capabilities and security concerns of
the model .
 IaaS provides the infrastructure, PaaS provides the platform development
environment, and SaaS provides the operating environment.
 IaaS has the lowest integrated functionality and security level, while SaaS has the
highest.
 This model describes the security boundaries at which cloud service providers'
responsibilities end and customers' responsibilities begin.
 Any protection mechanism below the security limit must be built into the system
and maintained by the customer.
 Although each service model has a security mechanism, security requirements
also depend on where these services are located, private, public, hybrid, or
community cloud.

Understanding data security

Since all data is transferred using the Internet, data security in the cloud is a major
concern. Here are the key mechanisms to protect the data.
1. access control
2. certification
3. authority
4. audit trail[trace the detailed transactions]
Broker cloud storage is a way of separating storage in the Access Cloud.
In this approach, two services are created:
1.A broker has full access to the storage but does not have access to the client.
2.A proxy does not have access to storage but has access to both the client and the
broker.
3.Working on a Brocade cloud storage access system
4.When the client issues a request to access data:
5.The client data request goes to the external service interface of the proxy.
6.The proxy forwards the request to the broker.
7.The broker requests the data from the cloud storage system.
8.The cloud storage system returns the data to the broker.
9.The broker returns the data to the proxy.
10.Finally, the proxy sends the data to the client.

Why is cloud security architecture important?

Cloud security architecture is crucial because it provides a structured, threat-based
approach to securing cloud environments. Unlike problem-specific cloud security
measures, cloud security architecture minimizes security gaps by analyzing threats
from users to applications. It reduces redundancy, optimizes costs, and ensures
security measures are consistent and easier to implement. By organizing security
logically, it helps prevent failures caused by complexity and inconsistency, especially
during cloud deployments and redeployments..
Elements of cloud security architecture
Cloud security architecture focuses on three key areas: attack surface (external access
points), protected assets (data and resources), and attack vectors (potential threats).
To address these, it integrates several functional elements:
Access Security – Controls user access.
Network Security – Safeguards cloud infrastructure.
Application Security – Protects cloud-based applications.
Contractual Security – Defines security responsibilities.
Monitoring (Service Security) – Detects and mitigates threats.
Data Protection – Ensures encryption and compliance.

Cloud security architecture and shared responsibility model

Cloud security is a shared responsibility between enterprises and cloud providers.
While businesses maintain part of their IT infrastructure on-premises, the cloud
introduces additional players, requiring a well-defined shared responsibility model.
This model includes both an architecture diagram and a contract, outlining security
responsibilities. Cloud applications are divided into layers, with customers managing
the top layers (such as data and applications) and cloud providers handling the lower
layers (such as infrastructure and networking). The contract specifies how each party
responds to security incidents, ensuring clear accountability.

5.2 authentication-Single Sign-On (SSO)

Authentication is the process that use to confirm that only the right people, services,
and apps with the right permissions can get organizational resources. It’s an important
part of security because a bad actor’s number one priority is to gain unauthorized
access to systems.

The authentication process includes three primary steps:

Identification: Users establish who they are typically through a username.
Authentication: Typically, users prove they are who they say they are by entering a
password
Authorization: The system verifies that the users have permission to the system that
they’re attempting to access.

What is a Single Sign On(SSO)?

Single sign-on (SSO) is an authentication solution that allows users to securely
authenticate to multiple applications and websites using a single set of credentials. For
example, logging in to your Google account once will allow you to access Google
applications such as Google Docs, Gmail, and Google Drive.

How does SSO Login work?

The user enters login credentials on the website and the website checks to see if the
user has already been authenticated by SSO solution. If so, the SSO solution would
give the user access to the website. Otherwise, it presents the user with the SSO
solution for login.

1. The user enters a username and password on the SSO solution.

2. The user’s login credentials are sent to the SSO solution.
3. The SSO solution seeks authentication from the identity provider, such as an
Active Directory, to verify the user’s identity.
4. Once the user’s identity is verified, the identity provider sends a verification to
the SSO solution.
5. The authentication information is passed from the SSO solution to the website
where the user will be granted access to the website.
6. Upon successful login with SSO, the website passes authentication data in the
form of tokens as a form of verification that the user is authenticated as the user
navigates to a different application or web page.

Advantages of SSO
For Users :
Increased convenience for users as they only need to remember and key in login
information once.
Increased security assurance for users as website owners do not store login credentials.
For Businesses :
Increase customer base and satisfaction as SSO provides a lower barrier to entry and
seamless user experience.
Reduce IT costs for managing customer’s usernames and passwords.

Disadvantages of SSO
Increased security risk if login credentials are not securely protected and are exposed
or stolen as adversaries can now access many websites and applications with a single
credential.
5.3 authorization
Authorization is the function of specifying rights/privileges for accessing resources,
which is related to general information security and computer security.
More formally, "to authorize" is to define an access policy during the configuration
of systems and user accounts.

How Authorization Works

Authorization is a critical security component that determines what resources a user
can access and what actions they can perform.
It ensures that only users with the appropriate permissions can interact with specific
resources, maintaining the integrity and confidentiality of data.

Here’s a detailed step-by-step overview of how authorization works:

Step 1: Initial Authentication
Before authorization can occur, a user must first authenticate their identity.
This typically involves entering a username and password, although more secure
methods like biometrics or multi-factor authentication.
Step 2: Authorization Request
Once authenticated, the user requests access to a particular resource. This request
includes the user’s identity details
Step 3: Access Control Evaluation
The access control system receives and evaluates the authorization request against
predefined policies or rules.
The evaluation process typically involves checking:
User Roles: What roles does the user have? For example, are they an employee,
manager, or administrator?
Permissions: What actions are allowed for those roles? For example, read-only or
read-write access.
Conditions: Are there any specific conditions that must be met, such as time-based
access restrictions or location-based conditions?
Step 4: Authorization Decision
Based on the evaluation of access control policies, the system makes an authorization
decision:
Grant Access: If users’ attributes and requests align with the policies, they are
granted access to the resource.
Deny Access: Access is denied if the request does not meet the required conditions or
policies. The user is informed that they cannot access the resource.

Real-World Applications of Authorization

1. Cloud Services
Cloud providers like AWS, Azure, and Google Cloud use IAM services to manage
user access to cloud resources. Users can be assigned roles with specific permissions,
ensuring secure and efficient resource management.
2. Collaboration Tools
Applications like Google Docs and Microsoft Teams use authorization mechanisms to
control user document sharing and editing rights. Owners can specify who can view
or edit documents, enhancing collaboration while maintaining security.
3. E-commerce Platforms
E-commerce platforms implement authorization to manage customer accounts and
transactions securely. They ensure that only authorized users can view personal
information or make purchases.
4. Healthcare Systems
In healthcare systems, authorization controls ensure that only authorized personnel
have access to patient records and sensitive data..
5.4 Identity and access management
Identity and Access Management (IAM) is a framework that ensures the right people
have the right access to resources at the right time, managing digital identities and
controlling user access to critical information and systems.

Here's a more detailed explanation:

Key Concepts:
1.Purpose:
IAM aims to secure data and systems by verifying user identities and granting
appropriate access privileges.
2.Core Functions:
 Authentication: Verifying a user's identity (e.g., through usernames and
passwords, multi-factor authentication).
 Authorization: Determining which resources a user is allowed to access based
on their role or permissions.
 User Management: Creating, updating, and deleting user accounts and managing
their access privileges.
 Auditing and Monitoring: Tracking user activity to detect and prevent security
risks.

Benefits:
Enhanced Security: Protects sensitive data and systems from unauthorized access.
Improved Compliance: Helps organizations meet regulatory requirements and
industry standards.
Streamlined Access Management: Simplifies the process of granting and revoking
access privileges.
Increased Productivity: Allows authorized users to easily access the resources they
need.

Examples:
When a user logs into a system, their identity is verified through authentication.
Once authenticated, the user is granted access to resources based on their role or
permissions.
IAM systems can track user activity and generate reports for auditing purposes.

IAM Frameworks:
Identity Governance and Administration (IGA): Focuses on managing the
lifecycle of digital identities and ensuring compliance with policies.
Access Management (AM): Deals with controlling user access to specific resources
and applications.
Privileged Access Management (PAM): Manages access for users with elevated
privileges, such as administrators.
Active Directory Management (ADMgmt): Manages user accounts and access
permissions within an Active Directory environment.

IAM Tools:
Microsoft Azure Active Directory: A cloud-based identity and access management
service.
AWS IAM: A web service for securely controlling access to AWS resources.
Google Cloud IAM: A service for managing access to Google Cloud resources.
Other IAM tools: IBM Security Identity and Access Assurance, Ping Identity,
ManageEngine ADManager Plus.
5.5 data security
Data security is the process of safeguarding digital information throughout its entire
lifecycle, from creation to storage and disposal, to ensure its confidentiality, integrity,
and availability.

Data exists in three main states:

Data at Rest:This refers to data that is stored and not actively being accessed or
transferred. Examples include data on hard drives, servers, backup tapes, or cloud
storage.
Data in Transit (or Motion):This describes data that is being transferred or moved
from one location to another, such as across a network or the internet.
Data in Use: This is data that is currently being accessed, updated, or processed by a
system or user.

1.Securing data at rest, meaning data stored on devices or in databases, is crucial.

Key methods include encryption, data masking, and strong access controls,
ensuring data remains protected even if unauthorized access occurs.

A. Encryption:
What it is:Encryption transforms data into an unreadable format (ciphertext) that can
only be accessed with a decryption key.
Why it's important:
If unauthorized individuals gain access to the storage infrastructure, encryption
ensures that the data remains unreadable and protected.

Types:
Full Disk Encryption: Encrypts the entire hard drive, protecting all data stored on it.
File-Level Encryption: Encrypts specific files or folders.
Database Encryption: Encrypts data within a database.
Field-Level Encryption: Encrypts specific fields within a database or file.

B. Data Masking:Replaces sensitive data with fake or randomized data, preventing

unauthorized access to the actual data.
Why it's important:Useful for testing and development environments where sensitive
data needs to be protected.
C. Access Controls: Implementing strong authentication and authorization
mechanisms to control who can access data and what they can do with it.
Why it's important: Prevents unauthorized users from accessing sensitive data.
Examples:Strong passwords and multi-factor authentication: Make it harder for
unauthorized users to gain access.
Least privilege access: Grant users only the necessary permissions to perform their
tasks.
D. Other Important Considerations:
Data Authentication: Verifies the integrity of data, ensuring it hasn't been tampered
with.
Physical Security: Protecting the physical infrastructure where data is stored, such as
servers and storage devices.
Regular Backups: Ensure data can be recovered in case of a security breach or
disaster.
Monitoring and Logging: Track activity on systems and network to detect and
respond to security threats.

2. Data in Motion : Data in motion, also known as data in transit or data in flight,
refers to digital information as it flows between different locations, devices, or
networks.
Why Secure Data in Motion?
Data in motion is vulnerable to interception, unauthorized access, and potential
corruption during transmission.
Protecting data in motion is crucial for maintaining data confidentiality, integrity,
and availability.

Methods for Securing Data in Motion:

1.Encryption:
Encryption transforms data into an unreadable format (ciphertext) that can only be
decrypted by authorized parties with the correct key.
2.Secure Connections (VPNs):
Virtual Private Networks (VPNs) create secure, encrypted tunnels between devices
and networks.
This protects data from unauthorized access during transmission.
3.Access Controls:
Implement strong access controls to restrict who can access and transmit data.
This helps prevent unauthorized access and data breaches.
4.Network Security: Implement firewalls, malicious activity detection , and other
network security measures to protect against malicious activity.
5.Data Loss Prevention (DLP):DLP solutions monitor and control data movement to
prevent sensitive information from leaving the organization's control.
6.Secure Communication Protocols:Use secure communication protocols like
HTTPS for web traffic and SSH for secure shell access.
7.Regular Security Audits and Assessments:Conduct regular security audits and
assessments to identify and address vulnerabilities in data in motion security
measures.
8.Employee Training: Educate employees about data security best practices,
including how to handle sensitive data in motion.

5.5 Key management:

key management involves securely generating, storing, and managing cryptographic
keys to protect sensitive data, ensuring data confidentiality and integrity through
encryption and decryption.
Here's a more detailed explanation:
What is Key Management?
Key management is the process of managing cryptographic keys, which are essential
for encrypting and decrypting data.
It encompasses the entire lifecycle of keys, from generation and storage to use,
rotation, and eventual destruction.
Effective key management is crucial for maintaining the security of data stored in the
cloud, as compromised keys can lead to data breaches and unauthorized access.

Why is Key Management Important in Cloud Security?

1.Data Protection:
Encryption, which relies on keys, is a fundamental security measure for protecting
data at rest and in transit.
2.Compliance:Many regulations and industry standards require organizations to
implement robust key management practices.
3.Access Control:Key management systems (KMS) can be used to control access to
sensitive data by implementing fine-grained access policies.
4.centralized Control:KMS allows organizations to have centralized control over the
lifecycle and permissions of their keys.

Key Management Practices in the Cloud

Key Generation:Securely generating strong and unique keys is the first step in the
key management process.
Key Storage:Keys should be stored securely, often in specialized hardware or
software modules, to prevent unauthorized access.
Key Rotation:Regularly rotating keys can reduce the impact of a key compromise, as
it limits the period of time a compromised key can be used.
Key Access Control:Implementing strict access controls to keys ensures that only
authorized personnel can access and use them.
Key Lifecycle Management:Tracking the entire lifecycle of keys, from creation to
destruction, is essential for maintaining security.
Cloud Provider Services:Cloud providers offer KMS services (e.g., AWS KMS,
Azure Key Vault, Google Cloud KMS) to simplify key management.
5.6 Auditing
Cloud security auditing involves a systematic review and assessment of an
organization's cloud infrastructure, security controls, and compliance posture to
identify vulnerabilities and ensure compilance to industry standards and regulations.

What is Cloud Security Auditing?

Comprehensive Evaluation:Cloud audits are comprehensive evaluations that
examine the cloud provider's security practices, data access controls, and overall risk
management strategies.
Third-Party Involvement:These audits are often conducted by independent third-
party auditors who gather evidence through various methods, including physical
inspection, inquiry, observation, re-performance, or analytics.
Focus on Security Controls:The primary goal is to assess the effectiveness of
security controls, identify vulnerabilities, and ensure compliance with relevant
regulations and industry standards.
Risk Assessment:A key aspect of cloud security auditing is risk assessment, which
involves identifying potential threats and vulnerabilities within the cloud environment.

Why is Cloud Security Auditing Important?

Compliance:
Audits help organizations demonstrate compliance with industry regulations and
standards, such as GDPR, HIPAA, and PCI DSS.
Risk Mitigation:
By identifying vulnerabilities and weaknesses, audits enable organizations to take
proactive steps to mitigate risks and improve their overall security posture.
Continuous Improvement:
Audits provide valuable insights into areas where security controls can be improved
and enhanced.
Cost Savings:
By identifying and addressing vulnerabilities early on, organizations can avoid costly
security breaches and data leaks.
Key Areas of Focus in Cloud Security Audits:
Identity and Access Management (IAM):
Assessing the security of user accounts, access permissions, and authentication
mechanisms.
Data Security:
Evaluating data encryption, storage, and access controls to protect sensitive
information.
Network Security:
Reviewing firewalls, network segmentation, and other security controls to ensure
secure network traffic.
Compliance:
Ensuring that cloud infrastructure and security controls meet regulatory requirements
and industry standards.
Configuration Management:
Verifying that cloud resources are configured securely and according to best practices.
Logging and Monitoring:
Assessing the effectiveness of logging and monitoring systems to detect and respond
to security incidents.
Third-Party Access:Evaluating the security controls related to third-party access to
cloud resources.