Unit-4

What is cloud security?

Cloud security is the set of control-based measures and technical
protections designed to keep resources stored online safe from leakage,
theft and data loss. It covers the cloud infrastructure itself, the
applications running on it and the data they hold, against threats from
outside and inside the organization. Many cloud security products are
themselves delivered on the SaaS (Software as a Service) model.

How to manage security in the cloud?

Cloud service providers offer several mechanisms for protecting data.

A firewall is a central part of the cloud architecture. It protects the
network perimeter and the end users behind it, and it also filters traffic
between the various applications hosted in the cloud.

Access control protects data by letting you define access lists for
individual assets. For example, an application can be made available to
specific employees while everyone else is denied. The rule is that
employees should be able to reach only the resources their job requires.
Strict access control keeps essential documents out of the hands of
malicious insiders and external attackers.

Data protection methods include Virtual Private Networks (VPN), encryption
and data masking. A VPN lets remote employees connect to the corporate
network and accommodates tablets and smartphones as well as laptops. Data
masking keeps identifiable information private while preserving the
usefulness of the data: a medical company, for example, can share masked
records for analysis without violating HIPAA.
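The masking described above, as an added example that is not part of the original notes: direct identifiers are replaced with keyed HMAC tokens (deterministic, so records can still be joined across masked datasets) and the date of birth is generalized to a year. The record, the field list and the key are constructed for the example; the HIPAA Safe Harbor field set is longer than what is shown here.

```python
import hashlib
import hmac

# Constructed sample record (not real patient data).
SAMPLE_RECORD = {
    "patient_id": "MRN-004512",
    "name": "Jane Doe",
    "dob": "1984-03-09",
    "ssn": "123-45-6789",
    "email": "jane.doe@example.org",
    "diagnosis": "J45.20",  # ICD-10 code, kept in clear for analysis
    "visit_date": "2023-11-02",
}

# Fields that identify the person directly; assumed list for this example.
DIRECT_IDENTIFIERS = ("patient_id", "name", "ssn", "email")


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed, deterministic token: the same input always maps to the same
    token, but without the key the token cannot be reversed or recomputed.
    Determinism is what keeps joins between masked datasets working."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "TOK-" + digest[:16]


def generalize_dob(dob: str) -> str:
    """Exact birth dates are quasi-identifiers; keep only the year."""
    return dob[:4]


def mask_record(record: dict, key: bytes) -> dict:
    """Return a copy of the record safe to share with an analytics partner."""
    masked = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in masked:
            masked[field] = pseudonymize(masked[field], key)
    if "dob" in masked:
        masked["dob"] = generalize_dob(masked["dob"])
    return masked


def contains_raw_identifier(masked: dict, original: dict) -> bool:
    """Release check: none of the original identifier values may survive."""
    originals = {original[f] for f in DIRECT_IDENTIFIERS if f in original}
    return any(v in originals for v in masked.values())


if __name__ == "__main__":
    key = b"constructed-secret-key-keep-in-a-vault"
    print(mask_record(SAMPLE_RECORD, key))
```

The key must be kept by the data owner, not shipped with the masked data; anyone holding it can confirm whether a guessed name or SSN corresponds to a token.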

Data classification ranks information by its sensitivity and importance so
that the strongest protection goes to mission-critical assets. Disaster
recovery is equally vital, since it lets the organization restore data that
has been lost, corrupted or stolen.

Benefits of Cloud Security System

Understanding how cloud security operates helps you find ways to benefit
your business. Cloud-based security systems benefit the business by:

o Protecting the business from external dangers
o Protecting against internal threats
o Preventing data loss
o Blocking malware and ransomware attacks

Malware poses a severe threat to businesses. More than 90% of malware
arrives by email, and employees frequently download it without inspecting
the attachment. Once downloaded, the malicious software installs itself on
the network to steal files or damage content.

Ransomware is malware that encrypts or hijacks a system's data and demands
payment for its return. Companies are often pressured into paying because
they want their data back.

Data redundancy gives you an alternative to paying the ransom: a clean copy
of the data can be restored with minimal service interruption.

Many cloud data protection solutions identify malware and ransomware, and
firewalls and email gateways keep malicious messages out of the inbox.

DDoS Security

In a Distributed Denial of Service (DDoS) attack, a website or service is
flooded with requests from many sources. The site slows down under the load
until it can no longer handle the volume of requests and crashes.

DDoS attacks have serious side effects. Many companies that suffer a DDoS
attack lose between $10,000 and $100,000, and many suffer reputational
damage when customers lose confidence in the brand. If confidential
customer data is lost during the attack, the company faces further legal
and regulatory challenges.

Because of the severity of these effects, some companies have shut down
after a DDoS attack. Attacks are not always brief: one recorded DDoS attack
lasted for 12 days.

A cloud security service monitors the cloud to identify and block attacks,
and cloud service providers protect their users in real time.

Threat detection
Cloud security services detect advanced threats by scanning endpoints for
threats at the device level.

Difference between Cloud Security and Traditional IT Security

Cloud security                     | Traditional IT security
-----------------------------------|-----------------------------------
Scales quickly                     | Scales slowly
Efficient resource utilization     | Lower efficiency
Usage-based cost                   | Higher fixed cost
Third-party data centres           | In-house data centres
Reduced time to market             | Longer time to market
Low upfront infrastructure cost    | High upfront costs

Top 7 Advanced Cloud Security Challenges

Security becomes more challenging when organizations adopt modern cloud
practices such as automated continuous integration and continuous
deployment (CI/CD) pipelines, distributed serverless architectures, and
short-lived assets such as functions-as-a-service and containers.

Some of the advanced cloud-native security challenges and the many layers
of risk faced by today's cloud-oriented organizations are listed below:

1. Enlarged attack surface

Public cloud environments have become a large and highly attractive attack
surface for hackers seeking to access and disrupt workloads and data in the
cloud. Malware, zero-day exploits, account takeover and many other threats
have become a daily reality.

2. Lack of visibility and tracking

In the IaaS model the cloud provider has complete control over the
infrastructure layer and does not expose it to customers. The lack of
visibility and control is even greater in the SaaS model. Cloud customers
are often unable to identify their cloud assets or visualize their cloud
environments effectively.

3. Ever-changing workloads

Cloud assets are provisioned and decommissioned dynamically, at scale and
at velocity. Traditional security tools are incapable of enforcing
protection policies in such a flexible and dynamic environment with its
ever-changing and short-lived workloads.

4. DevOps, DevSecOps and automation

Organizations that have adopted an automated DevOps CI/CD culture must
ensure that appropriate security controls are identified and embedded in
code and templates early in the development cycle. Security-related changes
implemented after a workload has been deployed to production weaken the
organization's security posture and lengthen time to market.

5. Granular privileges and key management

At the application level, misconfigured keys and privileges expose sessions
to security risks. Cloud user roles are often configured very loosely,
granting privileges far beyond what is required. A common example is giving
database delete or write permissions to untrained users, or to users who
have no business need to delete or add database assets.

6. Complex environments

Managing security consistently in the hybrid and multi-cloud environments
that enterprises favour today requires methods and tools that work
seamlessly across public cloud providers, private cloud providers and
on-premises deployments, including branch-office edge protection for
geographically distributed organizations.

7. Cloud compliance and governance

All the leading cloud providers have aligned themselves with well-known
accreditation programs such as PCI DSS 3.2, NIST 800-53, HIPAA and GDPR.

7 Fundamentals of Cloud Security


Don't just migrate to the cloud; prevent security threats by following these tips:

1. Understand what you're responsible for – different cloud service models
assign different levels of responsibility to the customer. With
software-as-a-service (SaaS) the provider secures the application and the
platform beneath it, whereas in an IaaS environment the provider secures
only the underlying infrastructure and the customer remains responsible for
the operating system, applications, data and access controls. Cloud
customers should check with their IaaS provider to understand who owns each
security control.

2. Control user access – a huge challenge for enterprises has been
controlling who has access to their cloud services. Too often,
organizations accidentally expose their cloud storage publicly, despite
warnings from cloud providers against making storage bucket contents
accessible to anyone with an internet connection. CSO advises that only
load balancers and bastion hosts should be exposed to the internet. Do not
allow Secure Shell (SSH) connections directly from the internet: anyone who
finds the server can then bypass the firewall and attack it directly.
Instead, use your cloud provider's identity and access control tools, and
know who has access to which data and when. Identity and access policies
should grant the minimum set of privileges needed and add other permissions
only as required. Configure security groups as narrowly as possible and,
where possible, reference the source security group by ID in rules rather
than opening CIDR ranges. Finally, consider tools that set access controls
based on user activity data.

3. Data protection – data stored on cloud infrastructure should never be
left unencrypted, and you should retain control of the encryption keys
where possible. Even if you hand key management over to the cloud service
provider, protecting your data remains your responsibility. Encryption
ensures that if a security configuration fails and exposes your data to an
unauthorized party, the data cannot be used.

4. Secure credentials – AWS access keys end up exposed on public websites,
in source code repositories, on unprotected Kubernetes dashboards and on
similar platforms. Create a separate key for each external service, rotate
keys regularly, and prefer IAM roles over long-lived keys wherever
possible. Never use the root user account for day-to-day work; it should be
reserved for the few account and service management tasks that require it.
Disable user accounts that are no longer in use to reduce the number of
paths an attacker can exploit.
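Two checks a practitioner would automate for this item, as an added example that is not from the original notes: scanning repository contents for AWS key material, and listing active keys past a rotation age. The file contents and the key inventory are constructed for the example (the access key ID and secret are the placeholders AWS uses in its own documentation); the 90-day rotation limit is an assumed policy.

```python
import re
from datetime import datetime, timedelta, timezone

# AWS access key IDs are 20 characters: a 4-letter prefix (AKIA for long-term
# keys, ASIA for temporary credentials) followed by 16 uppercase alphanumerics.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# A secret key is 40 base64-like characters; alone that is too generic, so it
# is only flagged next to a telling variable name.
SECRET_KEY_RE = re.compile(
    r"(?i)(aws_secret_access_key|secret_key)\s*[=:]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")

# Constructed sample file contents (placeholder credentials from AWS docs).
SAMPLE_FILES = {
    "config/settings.py": (
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    "deploy/run.sh": (
        "# TODO remove: export AWS_ACCESS_KEY_ID=ASIA0123456789ABCDEF\n"
        "aws s3 sync ./build s3://app-assets\n"
    ),
    "README.md": "Use IAM roles; never commit keys like AKIAEXAMPLE here.\n",
}

# Constructed inventory in the shape of `aws iam list-access-keys` output.
KEY_INVENTORY = [
    {"UserName": "deploy-bot", "AccessKeyId": "AKIAIOSFODNN7EXAMPLE",
     "Status": "Active", "CreateDate": "2023-11-15T10:00:00Z"},
    {"UserName": "alice", "AccessKeyId": "AKIA0123456789ABCDEF",
     "Status": "Active", "CreateDate": "2024-04-20T09:30:00Z"},
    {"UserName": "old-ci", "AccessKeyId": "AKIAZZZZZZZZZZZZZZZZ",
     "Status": "Inactive", "CreateDate": "2022-01-01T00:00:00Z"},
]


def find_leaked_keys(files):
    """Return (path, line_no, kind, value) for every key-like token found."""
    hits = []
    for path, text in files.items():
        for n, line in enumerate(text.splitlines(), start=1):
            for m in ACCESS_KEY_RE.finditer(line):
                hits.append((path, n, "access_key_id", m.group(0)))
            for m in SECRET_KEY_RE.finditer(line):
                hits.append((path, n, "secret_access_key", m.group(2)))
    return hits


def keys_due_for_rotation(inventory, now, max_age_days=90):
    """Active keys older than max_age_days. Inactive keys are skipped here;
    they should simply be deleted."""
    due = []
    for k in inventory:
        if k["Status"] != "Active":
            continue
        created = datetime.strptime(
            k["CreateDate"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        age = now - created
        if age > timedelta(days=max_age_days):
            due.append((k["UserName"], k["AccessKeyId"], age.days))
    return due


if __name__ == "__main__":
    for hit in find_leaked_keys(SAMPLE_FILES):
        print("leak:", *hit)
    for due in keys_due_for_rotation(KEY_INVENTORY, datetime.now(timezone.utc)):
        print("rotate:", *due)
```

Run the leak scan as a pre-commit hook or CI step so a key never reaches the repository history; once a key has been committed, rotating it is the only real fix.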

5. Implement MFA – security controls should be layered so that if one
control fails, the others keep the application, network and data in the
cloud safe. Tying multi-factor authentication (MFA) to usernames and
passwords makes it much harder for an attacker holding a stolen password to
break in. Use MFA to protect management consoles, dashboards and privileged
accounts.
6. Increase visibility – to see issues such as unauthorized access
attempts, turn on security logging and monitoring as soon as your cloud
environment has been set up. The major cloud providers supply logging tools
that can be used for change tracking, resource management, security
analysis and compliance audits.
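What "seeing unauthorized access attempts" looks like once logging is on, as an added example that is not from the original notes: a small detector run over audit-log events. The events are constructed for the example but use the CloudTrail record field names (userIdentity.type, additionalEventData.MFAUsed, responseElements.ConsoleLogin); the failed-login threshold is an assumed tuning value.

```python
import json
from collections import Counter

# Constructed sample events in the CloudTrail record layout (not a real trail).
SAMPLE_LOG_LINES = [json.dumps(e) for e in [
    {"eventTime": "2024-05-01T08:00:01Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "198.51.100.7",
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-05-01T08:05:10Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root"},
     "sourceIPAddress": "203.0.113.9",
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-05-01T08:06:00Z", "eventName": "CreateBucket",
     "userIdentity": {"type": "Root"},
     "sourceIPAddress": "203.0.113.9"},
] + [
    {"eventTime": f"2024-05-01T09:00:{i:02d}Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "203.0.113.50",
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Failure"},
     "errorMessage": "Failed authentication"}
    for i in range(3)
]]

FAILURE_THRESHOLD = 3  # failed console logins from one IP before alerting


def parse_events(lines):
    """One JSON event object per line."""
    return [json.loads(line) for line in lines]


def analyze(events):
    """Return (kind, source_ip, detail) findings for the patterns the text
    calls out: root account activity, console logins without MFA, and
    repeated failed logins from one address."""
    findings = []
    failures = Counter()
    for ev in events:
        ident = ev.get("userIdentity", {})
        src = ev.get("sourceIPAddress", "unknown")
        if ident.get("type") == "Root":
            findings.append(("ROOT_ACTIVITY", src, ev.get("eventName")))
        if ev.get("eventName") == "ConsoleLogin":
            outcome = ev.get("responseElements", {}).get("ConsoleLogin")
            if outcome == "Failure":
                failures[src] += 1
            elif ev.get("additionalEventData", {}).get("MFAUsed") != "Yes":
                who = ident.get("userName") or ident.get("type")
                findings.append(("CONSOLE_LOGIN_WITHOUT_MFA", src, who))
    for src, count in failures.items():
        if count >= FAILURE_THRESHOLD:
            findings.append(("BRUTE_FORCE_SUSPECTED", src, count))
    return findings


def finding_kinds(findings):
    """Counts per finding kind, handy for a summary line or a metric."""
    return Counter(kind for kind, _, _ in findings)


if __name__ == "__main__":
    for finding in analyze(parse_events(SAMPLE_LOG_LINES)):
        print(*finding)
```

The same rules can be expressed in the provider's own query language once the logs land in a SIEM; the point is that none of them can fire if logging was never switched on.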

7. Adopt a shift-left approach – with a shift-left approach, security
considerations are incorporated early in the development process rather
than at the final stage. Before an IaaS platform goes live, check all the
code and templates going into it and audit for misconfigurations so they
are caught before deployment. Automate the auditing and correction process
by choosing security tools that integrate with Jenkins, Kubernetes and
similar pipelines, and confirm that workloads are compliant before they are
put into production. Continuous monitoring of the cloud environment is key
here.
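The checks behind items 2 (control user access) and 7 (shift left) in one place, as an added example that is not from the original notes: a policy-as-code gate that audits an IAM policy for wildcard grants, a bucket policy for anonymous principals, and a security group for world-open ports and CIDR rules that should reference a source security group instead. The inputs mirror the shapes returned by the AWS APIs but are constructed here; which ports may be public is an assumed policy.

```python
import ipaddress

# Constructed sample inputs (not from a real account).
IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::app-assets/*"},
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["dynamodb:Query", "dynamodb:*"],
         "Resource": "*"},
    ],
}

BUCKET_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::app-assets/*"},
    ],
}

SECURITY_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-app-tier"}]},
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "UserIdGroupPairs": []},
    ],
}

# Assumed policy: only the web ports may be open to the world (load balancer).
PUBLIC_OK_PORTS = {80, 443}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_iam_policy(policy):
    """Flag Allow statements that grant wildcard actions, worst on Resource *."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        wild = [a for a in actions if a == "*" or a.endswith(":*")]
        if wild and "*" in resources:
            findings.append(f"iam statement {i}: {wild} allowed on all resources")
        elif wild:
            findings.append(f"iam statement {i}: wildcard action {wild}; list the exact API calls needed")
    return findings


def audit_bucket_policy(policy):
    """Flag statements that grant access to an anonymous principal."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        principal = st.get("Principal")
        anonymous = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*")
        if st.get("Effect") == "Allow" and anonymous:
            findings.append(f"bucket statement {i}: {st.get('Action')} granted to anyone on the internet")
    return findings


def audit_security_group(sg):
    """Flag ingress open to 0.0.0.0/0 (other than web ports) and CIDR rules
    where a source security group ID would be tighter."""
    findings = []
    gid = sg.get("GroupId", "?")
    for rule in sg.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        public = any(ipaddress.ip_network(c).prefixlen == 0 for c in cidrs)
        proto = rule.get("IpProtocol")
        lo, hi = rule.get("FromPort"), rule.get("ToPort")
        if proto == "-1" or lo is None:       # "-1" means all protocols/ports
            span, web_only = "all ports", False
        else:
            span = str(lo) if lo == hi else f"{lo}-{hi}"
            web_only = lo == hi and lo in PUBLIC_OK_PORTS
        if public and not web_only:
            findings.append(f"{gid}: {proto} {span} open to 0.0.0.0/0")
        if cidrs and not public and not rule.get("UserIdGroupPairs"):
            findings.append(f"{gid}: {proto} {span} allowed from {cidrs}; prefer referencing the source security group ID")
    return findings


def ci_gate(iam_policy, bucket_policy, security_group):
    """Shift-left gate: every finding blocks the deploy; empty list means go."""
    return (audit_iam_policy(iam_policy) + audit_bucket_policy(bucket_policy)
            + audit_security_group(security_group))


if __name__ == "__main__":
    problems = ci_gate(IAM_POLICY, BUCKET_POLICY, SECURITY_GROUP)
    print("\n".join(problems) or "no findings; safe to deploy")
```

In a pipeline the gate runs against the rendered templates (or a plan) before anything is applied, so the wildcard policy and the world-open SSH rule never reach production.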

What is Vulnerability Assessment

In information technology, a vulnerability assessment is the systematic
review of a system's security weaknesses. It determines whether the system
is exposed to known vulnerabilities, assigns severity levels to those it
finds and, where appropriate, recommends remediation or mitigation.

Vulnerability testing, or vulnerability assessment, is a systematic method
of discovering security loopholes in any device so that they can be fixed
before an attacker finds them.

Examples of threats that a vulnerability assessment can help prevent are:

1. SQL injection, XSS and other code-injection attacks.
2. Privilege escalation caused by faulty authentication.
3. Insecure defaults, such as a guessable or default admin password, in
applications that ship with vulnerable configurations.

Purpose of Vulnerability Assessment

The objective of vulnerability assessment is to make unauthorized access to
an information system as difficult as possible. Vulnerability checking
protects the confidentiality, integrity and availability of the system. The
method applies to all machines, networks, network devices, applications,
cloud computing environments, web applications and so on.
Categories of Vulnerability Scanner
Vulnerability scanners differ in how they work. Based on their method of
operation, they can be divided into four categories, defined below.

1. Host-based vulnerability scanner

Used on a dedicated server or machine to identify vulnerabilities in an
individual computer or in a local network device such as a switch or core
router.

It analyzes sensitive systems which, if not adequately tested or not built
from a validated device image, can be susceptible to attack.

2. Cloud-based vulnerability scanner

Used inside cloud-hosted frameworks such as enterprise applications,
WordPress and Joomla to identify vulnerabilities.

It detects privacy risks in web applications and weaknesses in their use of
encryption keys, by means of automated front-end crawling or static and
dynamic analysis of the application.

3. Database-based vulnerability scanner

Used to identify weaknesses in database management systems. Databases are
the foundation of every system that processes confidential information, so
vulnerability scanning is applied to them to avoid attacks such as SQL
injection.

It analyzes vulnerabilities and configuration issues in databases and big
data systems, detects unauthorized databases and insecure dev/test
instances, and classifies sensitive data across the enterprise
infrastructure.

4. Network-based vulnerability scanner

Used when searching for open ports to identify vulnerabilities in a local
network. The scanner identifies the services running on the open ports and
determines whether or not those services carry known vulnerabilities.

It evaluates the policies and procedures intended to prevent unauthorized
access to private and public networks and the services reachable over them.

Vulnerability Assessment Tools

Vulnerability assessment tools use multiple methods to detect
vulnerabilities in different domains. Code analysis tools look for coding
mistakes; audit tools look for well-known rootkits, backdoors and Trojan
horses.

Several vulnerability scanners are available in the industry. They may be
free, commercial or open source, and many free and open-source tools are
developed on GitHub. The choice of tool depends on several variables, such
as the category of vulnerability being looked for, the budget, and how
often the tool is updated.

Some of the best-known vulnerability scanning tools are discussed below.

1. OpenVAS
OpenVAS is a useful tool for detecting vulnerabilities that supports the
large-scale scans companies need. It can be used not only against web
applications and application servers but also against databases, operating
systems, networks and virtualization software to diagnose vulnerabilities.

OpenVAS receives frequent feed updates, which widen its vulnerability
detection coverage. It also assists in assessing risk and suggests
preventive measures for the identified vulnerabilities.

2. Nikto2
Nikto2 is an open-source scanner that focuses on web application security.
Nikto2 checks for about 6700 potentially dangerous files and programs that
cause web server problems and tests for outdated server versions and
version-specific issues. In addition, Nikto2 can alert you to server
configuration problems and carry out web server audits in a minimal amount
of time.

Nikto2 does not offer preventive measures for the vulnerabilities it finds
and has no risk management functionality. Nikto2 is, however, a frequently
updated tool, which allows vulnerabilities to be covered more broadly.

3. Netsparker
Netsparker is a vulnerability assessment tool for web applications with an
automation feature for vulnerability discovery. It is also intelligent
enough to find vulnerabilities across millions of web application hosts
within a few hours.

It has many additional features, but it is a commercial, enterprise-level
vulnerability tool. Its crawling technology discovers vulnerabilities by
crawling through the application. Netsparker identifies vulnerabilities and
recommends mitigation strategies for the ones it reports, and security
tools are available alongside it for comprehensive vulnerability
evaluation.

4. Acunetix
Acunetix is a commercial web application vulnerability scanner (a free
edition is also available) with several features. It maps about 6500
vulnerabilities and can discover network vulnerabilities in addition to web
vulnerabilities. Acunetix lets you streamline your scans and is suitable
for large organizations because it can manage many systems. HSBC, NASA and
the US Air Force are among the large organizations that use Acunetix for
vulnerability testing.

5. Arachni
Arachni is also a dedicated vulnerability tool for web applications. It
covers a large number of vulnerability classes and is updated regularly.
Arachni offers risk management features and recommends defensive measures
for the vulnerabilities it identifies.

Arachni is a free and open-source vulnerability scanner that runs on Linux,
Windows and macOS. With its ability to keep up with newly discovered
vulnerabilities, Arachni is also designed to assist penetration testing.

6. Nmap
Nmap is one of the best-known free and open-source network scanning tools
among cybersecurity professionals. Nmap uses probing techniques to discover
hosts on a network and the services they run.

The same capability can be used to spot exposed services across two or more
distinct networks. If you are a beginner learning to search for
vulnerabilities, Nmap is a great starting point.
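What a network-based scanner's raw output turns into during an assessment (the category described under "Network-based vulnerability scanner" and the Nmap entry above), as an added example that is not from the original notes or from the Nmap project: a parser for Nmap's XML output (`-oX`) that extracts the open ports and services, followed by a small policy pass that flags cleartext protocols, management services and datastores reachable from the scanning vantage point. The scan file is constructed for the example; the service-policy tables are assumptions, not Nmap's.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of Nmap's -oX output (not a real scan).
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.0/29">
  <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="23"><state state="open"/>
        <service name="telnet"/></port>
      <port protocol="tcp" portid="443"><state state="open"/>
        <service name="http" product="nginx" version="1.18.0" tunnel="ssl"/></port>
      <port protocol="tcp" portid="3306"><state state="filtered"/>
        <service name="mysql"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="10.0.0.6" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="6379"><state state="open"/>
        <service name="redis" product="Redis key-value store" version="5.0.7"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Assumed policy tables for this example: services that should not be
# reachable from wherever the scan was run, and why.
CLEARTEXT_SERVICES = {"telnet", "ftp", "rlogin", "rsh", "http"}
MANAGEMENT_PORTS = {22: "ssh", 3389: "rdp", 5900: "vnc"}
DATASTORE_PORTS = {3306: "mysql", 5432: "postgresql", 6379: "redis",
                   27017: "mongodb", 9200: "elasticsearch"}


def parse_open_ports(xml_text):
    """One dict per open port: host, port, proto, service, product, version, tls.
    Filtered and closed ports are dropped; they are not exposure."""
    root = ET.fromstring(xml_text)
    results = []
    for host in root.findall("host"):
        addr = host.find("address").get("addr")
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            results.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
                # Nmap marks HTTPS as service "http" with tunnel="ssl".
                "tls": svc is not None and svc.get("tunnel") == "ssl",
            })
    return results


def flag_exposures(open_ports):
    """Return (host:port/proto, reason) for services that violate the policy."""
    findings = []
    for p in open_ports:
        where = f"{p['host']}:{p['port']}/{p['proto']}"
        if p["service"] in CLEARTEXT_SERVICES and not p["tls"]:
            findings.append((where, f"cleartext protocol {p['service']} exposed"))
        if p["port"] in MANAGEMENT_PORTS:
            findings.append((where, f"management service {MANAGEMENT_PORTS[p['port']]} reachable from scan vantage point"))
        if p["port"] in DATASTORE_PORTS:
            findings.append((where, f"datastore {DATASTORE_PORTS[p['port']]} reachable; restrict to the application tier"))
    return findings


if __name__ == "__main__":
    for where, reason in flag_exposures(parse_open_ports(SAMPLE_NMAP_XML)):
        print(where, reason)
```

The product and version fields are what you feed into a vulnerability database lookup in the analysis phase; the exposure flags above are configuration findings that need no CVE to be actionable.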

7. W3AF
W3AF, the Web Application Attack and Audit Framework, is a free and
open-source platform for web application vulnerability analysis. By
identifying and evaluating bugs, it provides a mechanism that helps protect
web applications. The software is known for its user-friendliness. W3AF
also includes exploitation features that can be used alongside the
vulnerability assessment work, together with penetration testing options.

W3AF covers a broad range of vulnerabilities. It is a good choice for
applications that are attacked repeatedly, particularly with previously
unrecognized vulnerabilities.
8. GoLismero
GoLismero is a free and open-source security testing framework. It focuses
on identifying web application threats and vulnerabilities but can also
search for network vulnerabilities. GoLismero can consume the output of
other vulnerability tools such as OpenVAS, consolidate the findings and
report on them.

GoLismero covers a broad variety of vulnerabilities, including storage and
network vulnerabilities, and also suggests preventive measures for the
vulnerabilities it discovers.

9. Intruder
Intruder is a paid vulnerability scanner designed for cloud-based
environments. It begins searching for a new vulnerability as soon as it is
published, and its scanning mechanism is automated and monitors for
vulnerabilities continuously.

Because it can handle many devices, Intruder is suitable for
enterprise-level vulnerability management. In addition to cloud-based
scanning, Intruder can identify network vulnerabilities and provides
feedback and recommendations on remediation.

10. OpenSCAP
OpenSCAP is a set of tools that help search for vulnerabilities, assess and
measure them, and build protection measures against them. It is a free and
open-source platform maintained by the community. OpenSCAP is supported
only on Linux.

The OpenSCAP platform supports vulnerability scanning of web applications,
databases, operating systems, networks and virtualization software. In
addition, it provides risk evaluation and recommends countermeasures for
the threats it finds.

11. Aircrack
Aircrack, also called Aircrack-ng, is a suite of tools for testing the
security of wireless networks. The tools can be used to inspect networks
and run on different operating systems, including Linux, OS X, Solaris,
NetBSD, Windows and others.

The suite concentrates on several areas of Wi-Fi security, such as traffic
and data capture, driver and card testing, cracking, attack replay and so
on. By collecting data packets, it can recover WEP and WPA keys.

12. Comodo HackerProof

Comodo HackerProof lets you minimize network downtime, conduct regular
vulnerability scanning and use its integrated PCI scanning tools. Its
drive-by attack detection and mitigation feature can also be used, and the
trust seal it provides helps build confidence with your site visitors, so
organizations can turn more visitors into customers.

Customers tend to feel more comfortable purchasing from a business that
displays the seal, which can drive up sales. HackerProof's patent-pending
SiteInspector scanning technology adds a further level of protection.

13. MBSA (Microsoft Baseline Security Analyzer)

MBSA is a free, standalone vulnerability analyzer developed by Microsoft
for finding vulnerabilities on Windows servers and Windows clients. It
offers useful features such as checking common security misconfigurations
and searching for missing security patches and other Windows updates. It
is a helpful tool for Windows users.

It is particularly useful for finding missed security updates and fixes,
and it can be used to help get new security patches installed on the
system. Small to medium-sized organizations find it most valuable, and its
capabilities can save the organization money on security. Fixing the
problems the tool detects does not require a security specialist. Note
that Microsoft has since retired MBSA, so it is of historical interest for
current Windows versions.

14. Nexpose
Nexpose, developed by Rapid7, is a vulnerability scanner that security
analysts frequently use for assessments; a free community edition has been
offered alongside the commercial product. Its vulnerability database is
kept up to date with the latest disclosed vulnerabilities. Nexpose
integrates with the Metasploit framework, so findings can be taken further
in a penetration test, and it can give a thorough scan of a web service.
Several aspects of each finding are taken into consideration before the
report is produced.

The tool grades vulnerabilities by risk level, rated from lowest to
highest. It scans newly discovered applications so that the entire network
is covered, and its content is updated weekly so that it can find new
threats.

15. Retina CS Community

Retina CS Community is a free web-based console that lets you build a more
structured and streamlined framework for vulnerability management. Retina
CS Community has functions such as compliance monitoring, patching and
configuration compliance, and it lets you perform multi-platform
vulnerability assessment.

When it comes to maintaining network security, the tool is excellent for
saving time, expense and effort. It provides automated vulnerability
scanning for databases, web applications, workstations and servers. With
features such as virtual application scanning and vCenter integration,
companies and organizations get full support for virtual environments.

16. SolarWinds Network Configuration Manager

SolarWinds Network Configuration Manager has consistently received glowing
ratings from users. As a vulnerability assessment tool it addresses a
particular kind of weakness that most other tools do not: misconfigured
network infrastructure. This sets it apart from the rest. Its predominant
use as a vulnerability assessment tool is verifying network device
configurations for inconsistencies.

To find vulnerabilities in Cisco routers, it integrates with the National
Vulnerability Database and has access to the latest CVEs. It works with any
Cisco device running ASA, IOS or Nexus OS.

17. Nessus Professional

Nessus, developed by Tenable Network Security, is a branded, proprietary
vulnerability scanner. Nessus helps stop attacks on networks by checking
for vulnerabilities that would allow sensitive information to be accessed
remotely.

The tool covers a wide variety of targets: cloud infrastructure, virtual
and physical networks, operating systems, databases, applications and
more. Nessus is trusted by millions of users for vulnerability assessment
and configuration auditing.

Network Security with Vulnerability Assessment

When an attack begins by altering the structure of the network, these tools
can detect and prevent it. They help you meet compliance requirements with
their ability to spot out-of-process changes, configuration drift and other
weaknesses.

You must follow a predetermined method, like the one illustrated below, to
execute a vulnerability assessment. There are four phases to the
vulnerability assessment process: identification (scanning), analysis, risk
assessment and remediation. Each of these is discussed below.

1. Vulnerability Identification (Scanning)

The goal of this phase is to produce a comprehensive list of the
vulnerabilities in a system. Security analysts test the security health of
applications, servers, databases or other systems by scanning them with
automated tools. To identify vulnerabilities, analysts also rely on
vulnerability databases, vendor vulnerability announcements, asset
management systems and threat intelligence feeds.

2. Analysis
The aim of this phase is to determine the source and root cause of the
vulnerabilities identified in phase one.

It involves identifying the system components responsible for each
vulnerability and its root cause. For instance, an outdated version of an
open-source library might be the root cause of a vulnerability. This gives
a straightforward path for remediation: upgrading the library.
3. Risk Assessment
The purpose of this phase is to prioritize vulnerabilities. Security
analysts assign each vulnerability a rank or severity score based on
considerations such as:

1. Which systems are affected.
2. What data is at risk.
3. Which business functions are at risk.
4. How easy the vulnerability is to attack or compromise.
5. The severity of an attack.
6. Potential collateral damage as a consequence of the vulnerability.
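A way to turn those six considerations into a repeatable ranking, as an added example that is not from the original notes: the CVSS base score from the vulnerability database is scaled by the organization's own context factors, so the same CVE lands in different priority buckets on an internet-facing system and on an isolated test box. The weighting, the 1-3 scales, the bucket thresholds and the sample findings are all assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    name: str
    cvss_base: float         # 0.0-10.0, from the vulnerability database
    system_criticality: int  # 1 = lab/test, 2 = internal, 3 = mission-critical
    data_sensitivity: int    # 1 = public, 2 = internal, 3 = regulated/PII
    business_impact: int     # 1 = none, 2 = one process, 3 = core processes
    exploit_ease: int        # 1 = local + authenticated, 2 = adjacent, 3 = remote, public exploit
    collateral: int          # 1 = contained, 2 = lateral movement possible, 3 = pivot to many systems


CONTEXT_FACTORS = ("system_criticality", "data_sensitivity",
                   "business_impact", "exploit_ease", "collateral")


def risk_score(f: Finding) -> float:
    """Scale CVSS into 0..100 by exposure context. Each 1..3 factor maps to
    0..1 and the factors are averaged; no context keeps half the CVSS
    weight, maximal context keeps all of it."""
    context = sum((getattr(f, k) - 1) / 2 for k in CONTEXT_FACTORS) / len(CONTEXT_FACTORS)
    return round(f.cvss_base * 10 * (0.5 + 0.5 * context), 1)


def priority(score: float) -> str:
    """Assumed SLA buckets: P1 fix in days, P2 in weeks, P3 next cycle, P4 accept/track."""
    if score >= 75:
        return "P1"
    if score >= 50:
        return "P2"
    if score >= 25:
        return "P3"
    return "P4"


def prioritize(findings):
    """Return (name, score, priority) tuples, highest risk first."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(f.name, risk_score(f), priority(risk_score(f))) for f in ranked]


# Constructed sample findings; the first two are the same weakness in two places.
SAMPLE_FINDINGS = [
    Finding("outdated TLS library on internet-facing API gateway", 9.8, 3, 3, 3, 3, 2),
    Finding("same TLS library on an isolated test VM", 9.8, 1, 1, 1, 1, 1),
    Finding("weak cipher suite on internal database holding PII", 5.3, 3, 3, 2, 1, 2),
    Finding("reflected XSS on public marketing site", 7.5, 2, 2, 2, 3, 2),
]


if __name__ == "__main__":
    for name, score, prio in prioritize(SAMPLE_FINDINGS):
        print(f"{prio} {score:5.1f}  {name}")
```

The point of the worked numbers is that a 9.8 on the test VM sorts below a 7.5 on a public site; a CVSS-only list would put both 9.8s at the top and send the team to patch the lab first.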

4. Remediation
The purpose of this phase is to close the security gaps. It is usually a
joint effort between security personnel, management and operations leaders,
who decide the most effective route for remediation or mitigation of each
vulnerability.

Specific remediation steps can include:

1. Introduction of new security procedures, measures or tools.
2. Updating of operational or configuration changes.
3. Development and deployment of a vulnerability patch.

You can follow a predetermined method, like the one illustrated below, to
execute a vulnerability assessment.

Step 1: Start the process by documenting it, deciding which tools to use,
and obtaining the approval of the appropriate stakeholders.

Step 2: Conduct the vulnerability scan using the chosen tools. Make sure
all the outputs of those tools are saved.

Step 3: Analyze the output and determine which vulnerabilities pose a real
threat. Prioritize the risks and identify a plan to mitigate them.

Step 4: Log all the findings and compile reports for the stakeholders.
Advantages of Vulnerability Assessment
Vulnerability scanning helps keep systems safe from external threats. Some
advantages of vulnerability scanning are given below:

o Inexpensive - many security scanners are available for free.
o Rapid - an assessment takes only a couple of hours to run.
o Automatable - the advanced features of the scanning tools can be used to
run scans routinely without manual intervention.
o Coverage - almost all well-known vulnerability checks are performed by
vulnerability scanners.
o Cost/benefit - reducing security risk lowers costs and improves
outcomes.

7 Privacy Challenges in Cloud Computing

Cloud computing is a widely discussed topic today, with interest from all
fields, be it research, academia or the IT industry. It has become a hot
topic at international conferences and other venues throughout the world.
The spike in job opportunities is attributed to the huge amounts of data
being processed and stored on cloud servers. The cloud paradigm revolves
around convenient, on-demand provisioning of a huge pool of shared
computing resources.

The rapid development of the cloud has brought more flexibility, cost
savings and scalability, but it also faces an enormous number of privacy
and security challenges. Since it is a relatively new concept and is
evolving day by day, undiscovered security issues keep surfacing and must
be taken care of as soon as they are found. Here we discuss the top 7
privacy challenges encountered in cloud computing:

1. Data Confidentiality Issues

Confidentiality of the user's data is an important concern when outsourcing
extremely sensitive data to a cloud service provider. Personal data should
be unreachable to users who do not have proper authorization, and one way
of ensuring confidentiality is the use of strict access control policies
and regulations. The lack of trust between users and cloud service
providers (or cloud database providers) regarding the data is a major
security concern and holds many people back from using cloud services.

2. Data Loss Issues

Data loss or data theft is one of the major security challenges that cloud
providers face. If a cloud vendor has reported loss or theft of critical or
sensitive data in the past, more than sixty percent of users would decline
to use that vendor's cloud services. Outages of cloud services are seen
quite frequently, even from firms such as Dropbox, Microsoft and Amazon,
which results in a lack of trust in these services at critical times. Also,
once an attacker has compromised one storage unit it can be quite easy to
gain access to others.

3. Geographical Data Storage Issues

Since the cloud infrastructure is distributed across different geographical
locations spread throughout the world, it is often possible that the user’s data
is stored in a location that is outside their legal jurisdiction, which raises the
user’s concerns about the legal accessibility of local law enforcement and
regulations to data that is stored outside their region. Moreover, the user
fears that local laws may be violated, because the dynamic nature of the
cloud makes it very difficult to designate a specific server that is to be used
for trans-border data transmission.

4. Multi-Tenancy Security Issues

Multi-tenancy is a paradigm that follows the concept of sharing
computational resources, data storage, applications, and services among
different tenants. These are then hosted on the same logical or physical
platform at the cloud service provider’s premises. While following this
approach, the provider can maximize profits but puts the customer at risk.
Attackers can take undue advantage of the multi-residence opportunities and
can launch various attacks against their co-tenants, which can result in
several privacy challenges.
5. Transparency Issues

In cloud computing security, transparency means the willingness of a cloud
service provider to reveal different details and characteristics of its security
preparedness. Some of these details comprise policies and regulations on
security, privacy, and service level. In addition to the willingness and
disposition, when assessing transparency it is important to notice how
reachable the security readiness data and information actually are. It will
not matter how much security information about an organization is at hand
if it is not presented in an organized and easily understandable way for
cloud service users and auditors; the transparency of the organization will
then also be rated relatively low.

6. Hypervisor Related Issues

Virtualization means the logical abstraction of computing resources from
physical restrictions and constraints. But this poses new challenges for
factors like user authentication, accounting, and authorization. The
hypervisor manages multiple Virtual Machines and therefore becomes the
target of adversaries. Unlike physical devices, which are independent of one
another, Virtual Machines in the cloud usually reside on a single physical
device that is managed by the same hypervisor. The compromise of the
hypervisor will hence put all of those virtual machines at risk. Moreover,
the newness of hypervisor technology, which includes isolation, security
hardening, access control, etc., provides adversaries with new ways to
exploit the system.

7. Managerial Issues

There are not only technical aspects to cloud privacy challenges but also
non-technical and managerial ones. Even after implementing a technical
solution to a problem or a product, failing to manage it properly is eventually
bound to introduce vulnerabilities. Some examples are lack of control,
security and privacy management for virtualization, developing
comprehensive service level agreements, going through cloud service
vendor and user negotiations, etc.
Cloud Computing Security Architecture
Security in cloud computing is a major concern. Proxy and brokerage
services should be employed to restrict a client from accessing the shared
data directly. Data in the cloud should be stored in encrypted form.

Security Planning
Before deploying a particular resource to the cloud, one needs to analyze
several aspects of the resource, such as:

o Select the resource that needs to move to the cloud and analyze its
sensitivity to risk.
o Consider cloud service models such as IaaS, PaaS, and SaaS. These models
require the customer to be responsible for security at different service levels.
o Consider the cloud type, such as public, private, community, or hybrid.
o Understand the cloud service provider's system regarding data storage and
its transfer into and out of the cloud.
o The risk in cloud deployment mainly depends upon the service models and
cloud types.

Understanding Security of Cloud

Security Boundaries
The Cloud Security Alliance (CSA) stack model defines the boundaries
between each service model and shows how different functional units relate.
A particular service model defines the boundary between the service
provider's responsibilities and the customer's. The following diagram shows
the CSA stack model:
Key Points to CSA Model
o IaaS is the most basic level of service, with PaaS and SaaS the next two
levels above it.
o Moving upwards, each service inherits the capabilities and security concerns
of the model beneath.
o IaaS provides the infrastructure, PaaS provides the platform development
environment, and SaaS provides the operating environment.
o IaaS has the lowest integrated functionality and security level, while SaaS has
the highest.
o This model describes the security boundaries at which cloud service
providers' responsibilities end and customers' responsibilities begin.
o Any protection mechanism below the security limit must be built into the
system and maintained by the customer.

Although each service model has a security mechanism, security
requirements also depend on where these services are located: private,
public, hybrid, or community cloud.
Understanding data security
Since all data is transferred using the Internet, data security in the cloud is a
major concern. Here are the key mechanisms to protect the data.

o access control
o audit trail
o certification
o authority

The service model should include security mechanisms working in all of the
above areas.

Separate access to data

Since the data stored in the cloud can be accessed from anywhere, we need
to have a mechanism to isolate the data and protect it from the client's
direct access.

Brokered cloud storage access is an approach for isolating storage in the
cloud. In this approach, two services are created:

1. A broker has full access to the storage but does not have access to the client.
2. A proxy does not have access to storage but has access to both the client
and the broker.

Working of a brokered cloud storage access system

When the client issues a request to access data:

1. The client data request goes to the external service interface of the proxy.
2. The proxy forwards the request to the broker.
3. The broker requests the data from the cloud storage system.
4. The cloud storage system returns the data to the broker.
5. The broker returns the data to the proxy.
6. Finally, the proxy sends the data to the client.

All the above steps are shown in the following diagram:
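The brokered access path above, modelled as an added Python example (not code from the page): the storage back end only answers calls that carry the broker's credential, the proxy holds no such credential, and a client that reaches storage without going through the broker is refused. The per-tenant key prefix enforced by the proxy, the session tokens and the sample objects are assumptions made for this illustration.

```python
"""Brokered cloud storage access (added example, not from the page).

Storage serves only calls that carry the broker's credential; the proxy
holds no credential, only a handle to the broker, so the data path is
always client -> proxy -> broker -> storage. Sessions, tenant prefixes
and the sample objects are constructed assumptions for this illustration.
"""
import hmac
import secrets


class CloudStorage:
    """Back-end object store; every call must present the storage credential."""

    def __init__(self, credential, objects):
        self._credential = credential
        self._objects = objects

    def get(self, credential, key):
        # Constant-time comparison so the check itself does not leak the secret
        if not hmac.compare_digest(credential, self._credential):
            raise PermissionError("storage: missing or invalid credential")
        return self._objects[key]


class Broker:
    """Full access to storage; exposes no interface that a client can reach."""

    def __init__(self, storage, credential):
        self._storage = storage
        self._credential = credential

    def fetch(self, key):
        return self._storage.get(self._credential, key)


class Proxy:
    """Client-facing service: validates the client, then asks the broker.

    Assumed addition: each session is bound to a tenant and may only read
    keys under that tenant's prefix, so co-tenants are isolated at the proxy.
    """

    def __init__(self, broker, sessions):
        self._broker = broker
        self._sessions = sessions  # session token -> tenant name (constructed)

    def request(self, session_token, key):
        tenant = self._sessions.get(session_token)
        if tenant is None:
            raise PermissionError("proxy: unknown session")
        if not key.startswith(tenant + "/"):
            raise PermissionError("proxy: key outside tenant namespace")
        return self._broker.fetch(key)  # the proxy never touches storage itself


def build_system():
    """Wire up the two services around a constructed object store."""
    credential = secrets.token_bytes(32)  # known only to broker and storage
    storage = CloudStorage(credential, {
        "tenant-a/report.txt": b"quarterly figures",
        "tenant-b/secret.txt": b"do not share",
    })
    broker = Broker(storage, credential)
    proxy = Proxy(broker, {"tok-a": "tenant-a", "tok-b": "tenant-b"})
    return storage, proxy


def via_proxy(proxy, session_token, key):
    """Outcome of a client request that follows the brokered path."""
    try:
        return ("ok", proxy.request(session_token, key))
    except PermissionError as err:
        return ("refused", str(err))


def direct_to_storage(storage, key):
    """Outcome when a client bypasses the proxy and calls storage itself."""
    try:
        return ("ok", storage.get(b"", key))
    except PermissionError as err:
        return ("refused", str(err))
```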


Encryption
Encryption helps to protect the data from being hacked. It protects the data
being transferred and the data stored in the cloud. Although encryption helps
protect data from unauthorized access, it does not prevent data loss.

Why is cloud security architecture important?

The difference between "cloud security" and "cloud security architecture" is
that the former is built from problem-specific measures while the latter is
built from threats. A cloud security architecture can reduce or eliminate the
holes in security that point-solution approaches are almost certain to leave.

It does this by building down: defining threats starting with the users,
moving to the cloud environment and service provider, and then to the
applications. Cloud security architectures can also reduce redundancy in
security measures, which will contribute to threat mitigation and increase
both capital and operating costs.

The cloud security architecture also organizes security measures, making
them more consistent and easier to implement, particularly during cloud
deployments and redeployments. Security is often undermined because it is
illogical or complex, and these flaws can be identified with the proper cloud
security architecture.

Elements of cloud security architecture

The best way to approach cloud security architecture is to start with a
description of the goals. The architecture has to address three things: an
attack surface represented by external access interfaces, a protected asset
set that represents the information being protected, and vectors designed to
perform indirect attacks from anywhere, including from within the cloud
and against the system itself.

The goal of the cloud security architecture is accomplished through a series
of functional elements. These elements are often considered separately
rather than as part of a coordinated architectural plan. They include access
security or access control, network security, application security, contractual
security, and monitoring, sometimes called service security. Finally, there is
data protection, which comprises measures implemented at the
protected-asset level.

A complete cloud security architecture addresses the goals by unifying the
functional elements.

Cloud security architecture and shared responsibility model

The security and security architectures for the cloud are not single-player
processes. Most enterprises will keep a large portion of their IT workflow
within their data centers, local networks, and VPNs. The cloud adds
additional players, so the cloud security architecture should be part of a
broader shared responsibility model.

A shared responsibility model is an architecture diagram and a contract
form. It exists formally between a cloud user and each cloud provider and
network service provider, if they are contracted separately.

Each will divide the components of a cloud application into layers, with the
top layer being the responsibility of the customer and the lower layer being
the responsibility of the cloud provider. Each separate function or component
of the application is mapped to the appropriate layer depending on who
provides it. The contract form then describes how each party responds.

Identity and Access Management

In a recent study by Verizon, 63% of the confirmed data breaches are due to
weak, stolen, or default passwords. There is a saying in the cybersecurity
world that goes like this: “No matter how good your chain is, it’s only as
strong as your weakest link.” That is exactly how attackers operate: they use
the weakest links in the organization to infiltrate it. They usually use
phishing attacks to infiltrate an organization, and if they get at least one
person to fall for it, it’s a serious turn of events from there on. They use the
stolen credentials to plant back doors, install malware or exfiltrate
confidential data, all of which will cause serious losses for an organization.
How does Identity and Access Management work?
AWS (Amazon Web Services) allows you to maintain fine-grained
permissions for the AWS account and the services provided by the Amazon
cloud. You can manage the permissions of individual users, or you can
manage the permissions of certain users as a group, and roles help you to
manage the permissions to the resources.
What Is Identity and Access Management (IAM)?
Identity and Access Management (IAM) is a combination of policies and
technologies that allows organizations to identify users and provide the right
form of access as and when required. There has been a burst in the market
with new applications, and the requirement for an organization to use these
applications has increased drastically. The services and resources you want
to access can be specified in IAM. IAM doesn’t provide any replica or
backup. IAM can be used for many purposes, such as when one wants to
control individual and group access to your AWS resources. With IAM
policies, managing permissions for your workforce and systems to ensure
least-privilege permissions becomes easier. AWS IAM is a global service.
Components of Identity and Access Management (IAM)
1. Users
2. Roles
3. Groups
4. Policies
New applications being created on the cloud, on mobile and on-premise can
hold sensitive and regulated information. It’s no longer acceptable or
feasible to just create an identity server and provide access based on
requests. In current times an organization should be able to track the flow of
information and provide least-privileged access as and when required;
obviously, with a large workforce and new applications being added every
day, it becomes quite difficult to do so. So organizations specifically
concentrate on managing identity and its access with the help of a few IAM
tools. It’s quite obvious that it is very difficult for a single tool to manage
everything, but there are multiple IAM tools in the market that help
organizations with one or more of the services given below.
IAM Identities Classified As
1. IAM Users
2. IAM Groups
3. IAM Roles
Root user
The root user will automatically be created and granted unrestricted rights.
We can create an admin user with fewer powers to control the entire Amazon
account.
IAM Users
We can utilize IAM users to access the AWS Console; their administrative
permissions differ from those of the root user, and we can keep track of
their login information.
Example
With the aid of IAM users, we can accomplish our goal of giving a specific
person access to every service available in the Amazon dashboard with only
a limited set of permissions, such as read-only access. Let’s say user-1 is a
user that I want to have read-only access to the EC2 instance and no
additional permissions, such as create, delete, or update. By creating an IAM
user and attaching user-1 to that IAM user, we may allow the user access to
the EC2 instance with the required permissions.
IAM Groups
A group is a collection of users, and a single person can be a member of
several groups. With the aid of groups, we can manage permissions for
many users quickly and efficiently.
Example
Consider two users named user-1 and user-2. If we want to grant user-1
specific permissions, such as the ability to delete, create, and update the
auto-scaling group only, and if we want to grant user-2 all the necessary
permissions to maintain the auto-scaling group as well as the ability to
maintain EC2 and S3, we can create groups and add these users to them. If a
new user is added, we can add that user to the required group with the
necessary permissions.
IAM Roles
While policies cannot be directly given to any of the services accessible
through the Amazon dashboard, IAM roles are similar to IAM users in that
they may be assumed by anybody who requires them. By using roles, we
can grant AWS services access rights to other AWS services.
Example
Consider Amazon EKS. In order to maintain an auto-scaling group, EKS
needs access to EC2 instances. Since we can’t attach policies directly to
EKS in this situation, we must build a role, attach the necessary policies to
that specific role, and then attach that role to EKS.
IAM Policies
IAM policies manage access to AWS by being attached to IAM identities or
resources. IAM policies define the permissions of AWS identities and AWS
resources; when a user or any resource makes a request, AWS validates
these policies and confirms whether the request is to be allowed or denied.
AWS policies are stored in JSON format. The number of policies attached
to a particular IAM identity depends upon the number of permissions
required for that identity; an IAM identity can have multiple policies
attached to it.
Services under IAM
 Identity management
 Access management
 Federation
 RBAC/EM
 Multi-Factor authentication
 Access governance
 Customer IAM
 API Security
 IDaaS – Identity as a service
 Granular permissions
 Privileged Identity management – PIM (PAM or PIM is the same)
Figure – Services under IAM
More About the Services: Looking at the services in brief, identity
management is purely responsible for managing the identity lifecycle. Access
management is responsible for access to the resources, and access
governance is responsible for access request grants and audits. PIM or PAM
is responsible for managing all privileged access to the resources. The
remaining services either support these services or help in increasing their
productivity.
Market for IAM: In the current market there are three market leaders (Okta,
SailPoint and CyberArk) who each master one of the three domains
(Identity Management, Identity Governance and Privileged Access
Management), according to Gartner and Forrester reports. These companies
have developed solutions and are still developing new solutions that allow an
organization to manage identity and its access securely without any
hindrance to the workflow. There are other IAM tools: BeyondTrust, Ping,
OneLogin, Centrify, Azure Active Directory, Oracle Identity Cloud Services
and many more.
Use cases of Identity and Access Management (IAM)
1. Resource Access Control: Identity and access management (IAM) allows
you to manage the permissions to the resources in the AWS cloud, such as
which users can access a particular service and to what extent; also,
instead of maintaining the permissions individually, you can manage the
permissions of a group of users at a time.
2. Managing permissions: For example, if you want to assign a permission
to a user so that they can only perform the restart-instance task on an
AWS EC2 instance, you can do that using AWS IAM.
3. Implementing role-based access control (RBAC): Identity and Access
Management (IAM) helps you to manage permissions based on roles.
Roles help to assign permissions to resources in AWS, such as which
resource can access another resource, according to the requirement.
4. Enabling single sign-on (SSO): Identity and Access Management helps
you to maintain the same password and user name across services, which
reduces the effort of remembering different passwords.
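The Users, Groups and Policies sections above and use case 2 (a user who may only restart an instance) all come down to how IAM evaluates the JSON policies attached to an identity. The added Python example below is a simulation of that evaluation, not AWS code; it models only Effect, Action and Resource with IAM's wildcard convention, and the account id, ARN, policies and the guardrail policy attached to every user are constructed assumptions.

```python
"""Simulation of how IAM policies decide a request (added example, not AWS code).

Models the rule the page describes: a request is checked against the JSON
policies attached to an identity (directly or through its groups). An explicit
Deny wins, then any matching Allow, otherwise the request is implicitly
denied. Identities, policies, account id and ARNs below are constructed.
"""
import fnmatch
import json


def _as_list(value):
    # IAM allows a single string or a list for Action, Resource and Statement
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate):
    # IAM treats '*' and '?' as wildcards and action names case-insensitively;
    # for brevity resources are compared case-insensitively here as well.
    return any(fnmatch.fnmatchcase(candidate.lower(), p.lower())
               for p in _as_list(patterns))


def evaluate(policies, action, resource):
    """Return 'Allow' or 'Deny' for one request against a list of policies."""
    decision = "Deny"  # implicit deny until an Allow statement matches
    for doc in policies:
        for stmt in _as_list(doc["Statement"]):
            if not (_matches(stmt["Action"], action)
                    and _matches(stmt["Resource"], resource)):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny overrides every Allow
            decision = "Allow"
    return decision


# Constructed policy documents in the JSON form IAM stores them in.
EC2_READ_ONLY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]
}""")

AUTOSCALING_MANAGE = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Resource": "*",
                 "Action": ["autoscaling:CreateAutoScalingGroup",
                            "autoscaling:UpdateAutoScalingGroup",
                            "autoscaling:DeleteAutoScalingGroup"]}]
}""")

EC2_S3_FULL = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": ["ec2:*", "s3:*"], "Resource": "*"}]
}""")

# Use case 2 on the page: a user who may only reboot one specific instance.
INSTANCE_ARN = "arn:aws:ec2:us-east-1:123456789012:instance/i-0exampleinstance"
REBOOT_ONLY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "ec2:RebootInstances",
                 "Resource": "%s"}]
}""" % INSTANCE_ARN)

# Assumed account-wide guardrail: an explicit Deny that beats any Allow.
GUARDRAIL = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]
}""")

# Groups carry policies; users carry their own policies plus group memberships
# (user-1 and user-2 follow the page's Users and Groups examples).
GROUPS = {"autoscaling-admins": [AUTOSCALING_MANAGE],
          "compute-admins": [EC2_S3_FULL]}
USERS = {
    "user-1": {"policies": [EC2_READ_ONLY], "groups": ["autoscaling-admins"]},
    "user-2": {"policies": [], "groups": ["autoscaling-admins", "compute-admins"]},
    "operator": {"policies": [REBOOT_ONLY], "groups": []},
}


def effective_policies(user):
    """Every policy that applies to a user: direct, via groups, and the guardrail."""
    record = USERS[user]
    policies = list(record["policies"])
    for group in record["groups"]:
        policies.extend(GROUPS[group])
    policies.append(GUARDRAIL)
    return policies


def is_allowed(user, action, resource="*"):
    return evaluate(effective_policies(user), action, resource) == "Allow"
```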
IAM Features
1. Shared Access to your Account: A team working on a project can easily
share resources with the help of the shared access feature.
2. Free of cost: The IAM feature of the AWS account is free to use; charges
are added only when you access other Amazon web services using IAM
users.
3. Centralized control over your AWS account: Any creation of users or
groups, or any form of cancellation that takes place in the AWS account,
is controlled by you, and you have control over what data can be
accessed by a user and how.
4. Grant permission to the user: As the root account holds administrative
rights, users are granted permission to access certain services through
IAM.
5. Multifactor Authentication: An additional layer of security is added to
your account by a third-party device or app: a six-digit number that you
have to enter along with your password when you log into your account.
Accessing IAM
1. AWS Console: Access AWS IAM through the GUI. It is a web application
provided by AWS (Amazon Web Services), a console from which users can
access the AWS services.
2. AWS Command Line Tools: Instead of using the console, you can use the
command line interface (CLI) to access the AWS web application. You can
automate the process by using scripts.
3. IAM Query API: Programmatic access to IAM and AWS by allowing you
to send HTTPS requests directly to the service.

Virtual Machine Security in Cloud

The term “Virtualized Security,” sometimes known as “security
virtualization,” describes security solutions that are software-based and
created to operate in a virtualized IT environment. This is distinct from
conventional hardware-based network security, which is static and is
supported by equipment like conventional switches, routers, and firewalls.
Virtualized security is flexible and adaptive, in contrast to hardware-based
security. It can be deployed anywhere on the network and is frequently
cloud-based, so it is not bound to a specific device.
In Cloud Computing, where operators construct workloads and applications
on demand, virtualized security enables security services and functions to
move around with those on-demand-created workloads. This is crucial for
virtual machine security. Virtualized security is also crucial for cloud
computing tasks such as isolating multitenant setups in public cloud
settings. Because data and workloads move around a complex ecosystem
including several providers, virtualized security’s flexibility is useful for
securing hybrid and multi-cloud settings.
Types of Hypervisors
Type-1 Hypervisors

A Type 1 hypervisor runs directly on the hardware. Type 1 hypervisors
include LynxSecure, RTS Hypervisor, Oracle VM, Sun xVM Server, and
VirtualLogix VLX. Since they are placed on bare systems, Type 1
hypervisors do not have any host operating system.

Type-2 Hypervisor

It is a software interface that simulates the hardware that a system typically
communicates with. Examples of Type 2 hypervisors include containers,
KVM, Microsoft Hyper-V, VMware Fusion, Virtual Server 2005 R2,
Windows Virtual PC, and VMware Workstation 6.0.

Type I Virtualization

In this design, the Virtual Machine Monitor (VMM) sits directly above the
hardware and mediates all interactions between the VMs and the hardware.
On top of the VMM is a management VM that handles the other guest VMs
and most of the hardware interaction. The Xen system is a common
illustration of this kind of virtualization design.
Type II virtualization

Architectures of this kind, like VMware Player, run the VMM as an
application within the host operating system (OS). I/O drivers and guest VM
management are the responsibilities of the host OS.

Service Provider Security

The system’s virtualization hardware shouldn’t be physically accessible to
anyone not authorized. Each VM can be given an access control that can
only be established through the hypervisor in order to safeguard it against
unwanted access by cloud administrators. The three fundamental tenets of
access control (identity, authentication, and authorization) will prevent
unauthorized data and system components from being accessed by
administrators.
Hypervisor Security
The hypervisor’s code integrity is protected via a technology called
HyperSafe. It write-protects the hypervisor’s memory pages, extends the
hypervisor implementation and prohibits code changes. By restricting access
to its code, it defends the hypervisor from control-flow hijacking threats. The
only way to carry out a VM escape attack is through a local physical setting.
Therefore, insider attacks must be prevented in the physical cloud
environment. Additionally, the host OS and the interaction between the guest
machines need to be configured properly.
Virtual Machine Security
The administrator must set up a program or application that prevents virtual
machines from consuming additional resources without permission.
Additionally, a lightweight process that gathers logs from the VMs and
monitors them in real time to repair any VM tampering must run on a
virtual machine. Best security practices must be used to harden the guest
OS and any running applications. These practices include setting up
firewalls, host intrusion prevention systems (HIPS), anti-virus and
anti-spyware programs, web application protection, and log monitoring in
guest operating systems.
Guest Image Security
A policy to control the creation, use, storage, and deletion of images must be
in place for organizations that use virtualization. To find viruses, worms,
spyware, and rootkits that hide from security software running in a guest OS,
image files must be analyzed.

Benefits of Virtualized Security

Virtualized security is now practically required to meet the intricate security
requirements of a virtualized network, and it is also more adaptable and
effective than traditional physical security.
 Cost-Effectiveness: Cloud computing’s virtual machine security enables
businesses to keep their networks secure without having to significantly
raise their expenditure on pricey proprietary hardware. Usage-based
pricing for cloud-based virtualized security services can result in
significant savings for businesses that manage their resources effectively.
 Flexibility: It is essential in a virtualized environment that security
operations can follow workloads wherever they go. A company is able to
profit fully from virtualization while simultaneously maintaining data
security thanks to the protection it offers across various data centers, in
multi-cloud, and in hybrid-cloud environments.
 Operational Efficiency: Virtualized security can be deployed more
quickly and easily than hardware-based security because it doesn’t
require IT teams to set up and configure several hardware appliances.
Instead, they may quickly scale security systems by setting them up using
centralized software. Security-related duties can be automated when
security technology is used, which frees up more time for IT employees.
 Regulatory Compliance: Virtual machine security in cloud computing is
a requirement for enterprises that need to maintain regulatory compliance,
because traditional hardware-based security is static and unable to keep
up with the demands of a virtualized network.
Virtual Machine Security Challenges
 As we previously covered, buffer overflows are a common component of
classical network attacks. Trojan horses, worms, spyware, rootkits,
and DoS attacks are examples of malware.
 In a cloud context, more recent attacks might be carried out via VM
rootkits, hypervisor malware, or guest hopping and hijacking.
Man-in-the-middle attacks against VM migrations are another form of
attack. Typically, passwords or sensitive information are stolen during
passive attacks. Active attacks could alter the kernel’s data structures,
seriously harming cloud servers.
 HIDS and NIDS are both types of IDSs. To supervise and check the
execution of code, use program shepherding. The RIO dynamic
optimization infrastructure, the vSafe and vShield tools from VMware,
security compliance for hypervisors, and Intel vPro technology are some
further protective solutions.
Four Steps to ensure VM Security in Cloud Computing
Protect Hosted Elements by Segregation

To secure virtual machines in cloud computing, the first step is to segregate
the newly hosted components. Let’s take an example where three features
that are now running on an edge device may be placed in the cloud either as
part of a private subnetwork that is invisible or as part of the service data
plane, with addresses that are accessible to network users.

All Components are Tested and Reviewed

Before allowing virtual features and functions to be implemented, you must
confirm that they comply with security standards as step two of cloud-virtual
security. Virtual networking is subject to outside attacks, which can be
dangerous, but insider attacks can be disastrous. When a feature with a
backdoor security flaw is added to a service, it becomes a part of the
infrastructure of the service and is far more likely to have unprotected attack
paths to other infrastructure pieces.

Separate Management APIs to Protect the Network

The third step is to isolate service from infrastructure management and
orchestration. Because they are created to regulate features, functions, and
service behaviors, management APIs will always pose a significant risk. All
such APIs should be protected, but the ones that keep an eye on
infrastructure components that service users should never access must also
be protected.

Keep Connections Secure and Separate

The fourth and last aspect of cloud virtual network security is to make sure
that connections between tenants or services do not cross over into virtual
networks. Virtual networking is a fantastic approach to building quick
connections to scaled or redeployed features, but each time a
modification is made to the virtual network, it’s possible that an accidental
connection will be made between two distinct services, tenants, or
feature/function deployments. A data plane leak, a link between the actual
user networks, or a management or control leak could result from this,
allowing one user to affect the service provided to another.
