Unit 6
(PECO8013T)
Unit-VI
Cloud Security
By:- Dr. D. R. Patil
• Cloud Security reference model
• Security in cloud computing is a major concern.
• Proxy and brokerage services should be employed to
restrict a client from accessing the shared data directly.
• Data in the cloud should be stored in encrypted form.
• Security Planning
• Before deploying a particular resource to the cloud, one should
analyze several aspects of the resource, such as:
• Select the resource that needs to move to the cloud and analyze
its sensitivity to risk.
• Consider cloud service models such as IaaS, PaaS, and SaaS.
These models require the customer to be responsible for
security at different service levels.
• Consider the cloud type, such as public, private,
community, or hybrid.
• Understand the cloud service provider's system regarding
data storage and its transfer into and out of the cloud.
• Understanding Security of Cloud
• The Cloud Security Alliance (CSA) stack model defines
the boundaries between each service model and shows
how different functional units relate.
• A particular service model defines the boundary
between the service provider's responsibilities and the
customer's.
• The following diagram shows the CSA stack model:
• Key Points to CSA Model
• IaaS is the most basic level of service, with PaaS and SaaS
as the next two levels of service above it.
• Moving upwards, each service inherits the capabilities and
security concerns of the model beneath.
• IaaS provides the infrastructure, PaaS provides the platform
development environment, and SaaS provides the operating
environment.
• IaaS has the lowest integrated functionality and security
level, while SaaS has the highest.
• This model describes the security boundaries at which cloud
service providers' responsibilities end and customers'
responsibilities begin.
• Any protection mechanism below the security boundary must be
built into the system and maintained by the customer.
• Understanding Data Security
• Since all the data is transferred using the Internet, data security is a
major concern in the cloud.
• Here are key mechanisms for protecting data.
• Access Control
• Auditing
• Authentication
• Authorization
• All of the service models should incorporate security
mechanisms operating in all of the above-mentioned areas.
• Governance and enterprise risk management
• Why Cloud Security Governance Is Needed?
• Enterprises are increasingly pursuing the business
advantages of migrating technology platforms and services
into the cloud environment leveraging one or more of the
three main cloud service areas – Infrastructure as a Service
(IaaS), Platform as a Service (PaaS), and Software as a
Service (SaaS).
• These advantages include but are not limited to rapid
information system deployment, significantly reduced
operating costs, massive economies of scale,
processing speed, and agility.
• Data breaches, system vulnerabilities, insufficient identity,
and credential and access management are some of the
typical security challenges in the cloud environment that
subscriber enterprises must address.
• In some situations, an enterprise may lack adequate
operationalization and enforcement of policies, procedures,
a formal operating model, or even a properly constituted
organizational function to effectively manage security in the
cloud.
• In other situations, the enterprise may also not sufficiently
exercise its responsibility to protect data in the cloud or may
lack the means for senior management visibility into cloud
security performance and risks.
• These issues may prevail even when an enterprise stands to
gain significant business benefits from transforming its
service delivery model via the use of cloud computing
platforms.
• What Is Cloud Security Governance?
• Cloud security governance refers to the management model
that facilitates effective and efficient security management
and operations in the cloud environment so that an
enterprise’s business targets are achieved.
• This model incorporates a hierarchy of executive mandates,
performance expectations, operational practices, structures,
and metrics that, when implemented, result in the
optimization of business value for an enterprise.
• Cloud security governance helps answer leadership
questions such as:
• Are our security investments yielding the desired returns?
• Do we know our security risks and their business impact?
• Are we progressively reducing security risks to acceptable
levels?
• Have we established a security-conscious culture within the
enterprise?
• Strategic alignment, value delivery, risk mitigation, effective
use of resources, and performance measurement are key
objectives of any IT-related governance model, security
included.
• To successfully pursue and achieve these objectives, it is
important to understand the operational culture and
business and customer profiles of an enterprise, so that an
effective security governance model can be customized for
the enterprise.
• Information Management and Data Security
• Cloud data security is the practice of protecting data
and other digital information assets from security
threats, human error, and insider threats.
• It leverages technology, policies, and processes to keep
your data confidential and still accessible to those who
need it in cloud-based environments.
• Cloud computing delivers many benefits, allowing you to
access data from any device via an internet connection to
reduce the chance of data loss during outages or incidents
and improve scalability and agility.
• At the same time, many organizations remain hesitant to
migrate sensitive data to the cloud as they struggle to
understand their security options and meet regulatory
demands.
• Understanding how to secure cloud data remains one of the
biggest obstacles to overcome as organizations transition
from building and managing on-premises data centers.
• Data privacy, integrity, and accessibility
• Cloud data security best practices follow the same guiding
principles of information security and data governance:
• Data confidentiality: Data can only be accessed or
modified by authorized people or processes.
• In other words, you need to ensure your organization’s data
is kept private.
• Data integrity: Data is trustworthy—in other words, it is
accurate, authentic, and reliable.
• The key here is to implement policies or measures that
prevent your data from being tampered with or deleted.
• Data availability: While you want to stop unauthorized
access, data still needs to be available and accessible to
authorized people and processes when it’s needed.
• You’ll need to ensure continuous uptime and keep systems,
networks, and devices running smoothly.
• Challenges of Cloud Data Security
• As more data and applications move out of a central data
center and away from traditional security mechanisms and
infrastructure, the risk of exposure grows.
• While many of the foundational elements of on-premises
data security remain, they must be adapted to the cloud.
• Common challenges with data protection in cloud or hybrid
environments include:
• Lack of visibility. Companies don’t know where all their
data and applications live and what assets are in their
inventory.
• Less control. Since data and apps are hosted on third-party
infrastructure, they have less control over how data is
accessed and shared.
• Confusion over shared responsibility. Companies and
cloud providers share cloud security responsibilities, which
can lead to gaps in coverage if duties and tasks are not well
understood or defined.
• Inconsistent coverage. Many businesses are finding
multicloud and hybrid cloud to better suit their business
needs, but different providers offer varying levels of
coverage and capabilities that can deliver inconsistent
protection.
• Growing cybersecurity threats. Cloud databases and
cloud data storage make ideal targets for online criminals
looking for a big payday, especially as companies are still
educating themselves about data handling and management
in the cloud.
• Strict compliance requirements. Organizations are under
pressure to comply with stringent data protection and
privacy regulations, which require enforcing security policies
across multiple environments and demonstrating strong data
governance.
• Distributed data storage. Storing data on international
servers can deliver lower latency and more flexibility.
• Still, it can also raise data sovereignty issues that might not
be problematic if you were operating in your own data
center.
• The Benefits of Cloud Data Security
• Greater visibility
• Strong cloud data security measures allow you to maintain
visibility into the inner workings of your cloud, namely what
data assets you have and where they live, who is using your
cloud services, and the kind of data they are accessing.
• Easy backups and recovery
• Cloud data security can offer a number of solutions and
features to help automate and standardize backups, freeing
your teams from monitoring manual backups and
troubleshooting problems.
• Cloud-based disaster recovery also lets you restore and
recover data and applications in minutes.
• Cloud data compliance
• Robust cloud data security programs are designed to meet
compliance obligations, including knowing where data is
stored, who can access it, how it’s processed, and how it’s
protected.
• Cloud data loss prevention (DLP) can help you easily
discover, classify, and de-identify sensitive data to reduce
the risk of violations.
• Data encryption
• Organizations need to be able to protect sensitive data
whenever and wherever it goes.
• Cloud service providers help you tackle secure cloud data
transfer, storage, and sharing by implementing several
layers of advanced encryption for securing cloud data, both
in transit and at rest.
• Lower costs
• Cloud data security reduces total cost of ownership (TCO)
and the administrative and management burden of cloud
data security.
• In addition, cloud providers offer the latest security features
and tools, making it easier for security professionals to do
their jobs with automation, streamlined integration, and
continuous alerting.
• Advanced incident detection and response
• An advantage of cloud data security is that providers invest
in cutting-edge AI technologies and built-in security analytics
that help you automatically scan for suspicious activity to
identify and respond to security incidents quickly.
• Who is responsible for securing your data?
• Cloud providers and customers share responsibility for cloud
security.
• The exact breakdown of responsibilities will depend on your
deployment and whether you choose IaaS, PaaS, or SaaS
as your cloud computing service model.
• In general, a cloud provider takes responsibility for the
security of the cloud itself, and you are responsible for
securing anything inside of the cloud, such as data, user
identities, and their access privileges (identity and access
management).
• Google Cloud follows a shared fate model.
• That means Google Cloud acts as an active partner in ensuring its
customers deploy securely on its platform.
• It can help you implement best practices by offering secure-
by-default configurations, blueprints, policy hierarchies, and
advanced security features to help develop security
consistency across your platforms and tools.
• Why is Cloud Compliance Important?
• When companies consider the importance of cloud
compliance, they know that these days, access to users
requires some type of cloud audit certification (ISO) or
attestation report with an opinion by a third party before
many user organizations will entertain the use of a
service.
• While this is true, oftentimes other benefits occur that help
as a company grows.
• Going through a cloud compliance audit will require a
consistent process to be put into place.
• These processes are meant to aid in the security posture of
an organization.
• While some companies have staff or founders who layer
security into their processes, other companies may be
implementing cloud controls for the first time.
• These controls are how an auditor evaluates cloud service
provider security.
• What are Auditing & Compliance in Cloud Computing?
• Cloud computing is best defined by the National Institute of
Standards and Technology (NIST).
• NIST is part of the U.S. Department of Commerce with
the mission of encouraging innovation through science,
technology, and standards – including cloud computing.
• According to NIST, “Cloud computing is a model for
enabling ubiquitous, convenient, on-demand network access
to a shared pool of configurable computing resources (e.g.,
networks, servers, storage, applications, and services) that
can be rapidly provisioned and released with minimal
management effort or service provider interaction.
• This cloud model is composed of five essential
characteristics, three service models, and four deployment
models.”
• This definition was created to set a baseline for the
discussion around cloud computing.
• As defined, cloud computing includes the following:
• Five Essential Characteristics – On-demand self-service,
broad network access, resource pooling, rapid elasticity, and
measured service.
• Three Service Models – Software-as-a-Service (SaaS),
Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service
(IaaS).
• Four Deployment Models – Private cloud, community
cloud, public cloud, and hybrid cloud.
• Auditing in Cloud Computing
• In general, an audit is when a third-party independent group
is engaged to obtain evidence through inquiry, physical
inspection, observation, confirmation, analytics
procedures, and/or re-performance.
• In a cloud computing audit, a variation of these steps is
completed in order to form an opinion over the design
and operational effectiveness of controls identified in
the following areas:
• Communication
• Security incidents
• Network security
• System development or change management
• Risk management
• Data management
• Vulnerability and remediation management
• Tone at the top or leadership's commitment to transparency
and ethical behavior
• What is Cloud Compliance?
• Cloud compliance is meeting the requirements or
criteria needed to meet a certain type of certification or
framework.
• There are a variety of different types of compliance that may
be required by the industry, including requests for proposals,
clients, etc.
• The type of cloud security and compliance requirements will
help determine the cloud compliance that is right for an
organization.
• For example, SOC 2 does not have any specific requirements
around cloud compliance but does have criteria, such as CC6.1:
• “The entity implements logical access security software,
infrastructure, and architectures over protected information
assets to protect them from security events to meet the entity’s
objectives.”
• To provide users assurance that the criteria have been met,
certain controls are enabled to show evidence of cloud
compliance.
• Some of these include security groups to control access to
sensitive information, encryption of information, and regular
patching.
• Some other cloud compliance programs include:
• FedRAMP
• Cloud Security Alliance (CSA)
• HITRUST
• ISO 27017
• PCI
• Cloud Audit Objectives
• Auditors use objectives as a way of concluding the evidence
they obtain.
• Below is a sample list of cloud computing objectives that can
be used by auditors and businesses alike.
• Define a Strategic IT Plan: The use of IT resources should
align with company business strategies.
• When defining this objective, some key considerations
should include whether IT investments are supported by a
strong business case and what education will be required
during the rollout of new IT investments.
• Define the Information Architecture: The information
architecture includes the network, systems, and security
requirements needed to safeguard the integrity and security
of information, whether the information is at rest, in transit,
or being processed.
• Define the IT Processes, Organization, and
Relationships: Creating processes that are documented,
standardized, and repeatable creates a more stable IT
environment.
• Businesses should focus on creating policies and
procedures that include organization structure, roles and
responsibilities, system ownership, risk management,
information security, segregation of duties, change
management, incident management, and disaster recovery.
• Communicate Management Aims and Direction:
Management should make sure its policies, mission, and
objectives are communicated across the organization.
• Assess and Manage IT Risks: Management should
document those risks that could affect the objectives of the
company.
• These could include security vulnerabilities, laws and
regulations, access to customers or other sensitive
information, etc.
• Identify Vendor Management Security Controls:
• As companies are relying on other vendors such as AWS to
host their infrastructure or ADP for payroll processing,
companies need to identify those risks that could affect the
reliability, accuracy, and safety of sensitive information.
• What is the Scope of a Cloud Computing Audit?
• The scope of a cloud computing audit will include the
procedures specific to the subject of the audit.
• Additionally, it will include the IT general controls related to
the following:
• Organization and Administration
• Communication
• Risk Assessment
• Monitoring Activities
• Logical and Physical Access
• Systems Operations
• Change Management
• An auditor is free to review and require evidence for any of
the controls identified within these areas to gain the required
assurance that controls are designed and operate
effectively.
• It is also important to note that the controls that are
maintained by a vendor are not included in the scope of a
cloud computing audit.
• What is the Responsibility of a Cloud Auditor?
• The role of an auditor is to provide an objective opinion
based on facts and evidence that a company has controls in
place to meet a certain objective, criteria, or requirement.
• Additionally, in many cases, the auditor will also provide an
opinion on whether or not those controls operated over a
period of time.
• Auditing the cloud for compliance is no different.
• In instances where the audit requires cloud compliance to
satisfy the criteria, the auditor will ask for evidence that
controls are enabled (e.g., security groups, encryption, etc.).
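The controls named above as evidence of cloud compliance (security groups, encryption, and regular patching) can be checked mechanically before an auditor asks for them. The following Python script is an added example, not part of the original slides; the inventory format, field names, allowed public ports, and 30-day patch window are assumptions, and the inventory data is constructed.

```python
import ipaddress
from datetime import date

# Constructed inventory export (not real data); the field names are assumptions.
INVENTORY = {
    "security_groups": [
        {"id": "sg-web", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-db", "ingress": [{"port": 5432, "cidr": "0.0.0.0/0"},
                                    {"port": 5432, "cidr": "10.0.2.0/24"}]},
    ],
    "volumes": [
        {"id": "vol-orders", "encrypted": True},
        {"id": "vol-logs", "encrypted": False},
    ],
    "hosts": [
        {"id": "app-1", "last_patched": "2024-05-20"},
        {"id": "app-2", "last_patched": "2024-01-03"},
    ],
}

PUBLIC_PORTS = {80, 443}   # assumption: only web ports may face the Internet
MAX_PATCH_AGE_DAYS = 30    # assumption: the organisation's patch-policy window


def open_to_world(cidr):
    """True when the CIDR covers every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def collect_evidence(inventory, as_of):
    """Return one (control, resource, status, detail) row per resource."""
    rows = []
    for sg in inventory["security_groups"]:
        bad = sorted({r["port"] for r in sg["ingress"]
                      if open_to_world(r["cidr"]) and r["port"] not in PUBLIC_PORTS})
        rows.append(("security-groups", sg["id"], "FAIL" if bad else "PASS",
                     f"world-open ports: {bad}" if bad else "no unexpected exposure"))
    for vol in inventory["volumes"]:
        ok = vol["encrypted"]
        rows.append(("encryption-at-rest", vol["id"], "PASS" if ok else "FAIL",
                     "encrypted" if ok else "not encrypted"))
    for host in inventory["hosts"]:
        age = (as_of - date.fromisoformat(host["last_patched"])).days
        rows.append(("patching", host["id"],
                     "PASS" if age <= MAX_PATCH_AGE_DAYS else "FAIL",
                     f"{age} days since last patch"))
    return rows


def failures(rows):
    """Resources an auditor would raise as exceptions."""
    return [(control, res) for control, res, status, _ in rows if status == "FAIL"]


if __name__ == "__main__":
    for row in collect_evidence(INVENTORY, date(2024, 6, 1)):
        print("{:<20}{:<12}{:<6}{}".format(*row))
```

Each row is a dated, per-resource record, which is the form of evidence an auditor can sample and re-perform.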
• What Factors Should be Included as Part of Your
Cloud Audit Checklist?
• As mentioned before, auditors rely on different types of
procedures such as inquiry, physical inspection, observation,
confirmation, analytics procedures, and/or re-performance to
collect evidence.
• These test procedures will be used in combination to obtain
evidence to provide an opinion on the service being audited.
• While a checklist for an audit doesn’t really exist as every
environment is a little different, below are example tests
performed for each of the IT general control areas identified
above.
• Organization and Administration
• Inspect the company’s organizational structure
• Inspect job positions with employee roles and
responsibilities
• Observe interviews to determine whether the company tests
technical competencies
• Inspect evidence of completed background checks
• Communication
• Inspect policies and procedures
• Inspect evidence that policies and procedures are available
to all employees for reference
• Inspect company Terms of Use or Privacy documentation to
determine whether or not they identify responsibilities and
commitments
• Inquire of management about their commitment to ethical
values
• Risk Assessment
• Inspect the company’s documented risk assessment
• Inspect the risk assessment to determine whether mitigation
activities are identified, as required
• Monitoring Activities
• Inspect documentation which identifies system
vulnerabilities
• Inspect system configurations to determine whether
notifications are provided when vulnerabilities or failures are
identified
• Inspect evidence that identified vulnerabilities are
remediated
• Logical and Physical Access
• Observe that the office requires a badge to enter
• Inspect evidence that individuals with administrator level
access are authorized
• Inspect the password policy used to enter the network
• Systems Operations
• Inspect monitoring tools used to monitor traffic and alert on
suspicious activity
• Inspect evidence that the tools successfully send alerts, as
required
• Inspect evidence that notifications are followed-up on and
remediated as necessary
• Change Management
• Inspect evidence to confirm that changes are defined and
documented, approved for development, tested, and
approved for implementation