Unit-V

Cloud Computing Security

Unit-V
Cloud Security: Data, Network and host security,
Cloud security services and cloud security
possible solutions.
Cloud Disaster Recovery: Disaster recovery
planning, Disasters in the cloud, Disaster
management, Capacity planning and cloud scale.
 Cloud Security: With the increase in data volumes, data
handling has become the talk of the town. As
companies begin to move to the cloud, there is a higher
emphasis ensuring everything is safe and secure, and
that there is no risk of data hacking or breaches. Since
the cloud allows people to work without hardware and
software investments, users can gain flexibility and
data agility. However, since the Cloud is often shared
between a lot of users, security becomes an immediate
concern for Cloud owners.
 Security Issues Within The Cloud
Cloud vendors provide a layer of security to user’s
data. However, it is still not enough since the
confidentiality of data can often be at risk. There are
various types of attacks, which range from password
guessing attacks and man-in-the-middle attacks to
insider attacks, shoulder surfing attacks, and phishing
attacks.
 When different organizations use the cloud to store their data,
there is often a risk of data misuse. To avoid this risk, there is an
imminent need to secure the data repositories. To achieve this
task, one can use authentication and restrict access control for
the cloud’s data.
 within the cloud world, data is often distributed over a series of
regions; it is quite challenging to find the exact location of the
data storage. However, as data is moved from one country to
another, the rules governing the data storage also change; this
brings compliance issues and data privacy laws into the picture,
which pertain to the storage of data within the cloud. As a cloud
service provider, the service provider has to inform the users of
their data storage laws, and the exact location of the data storage
server.:
 Integrity: The system needs to be rigged in such a manner so as to
provide security and access restrictions. In other words, data access
should lie with authorized personnel only. In a cloud environment,
data integrity should be maintained at all times to avoid any inherent
data loss. Apart from restricting access, the permissions to make
changes to the data should be limited to specific people, so that there
is no widespread access problem at a later stag
 Access: Data security policies concerning the access and control of
data are essential in the long run. Authorized data owners are
required to give part access to individuals so that everyone gets only
the required access for parts of the data stored within the data mart.
By controlling and restricting access, there is a lot of control and
data security which can be levied to ensure maximums security for
the stored data.
 Confidentiality: There is a lot of sensitive data which might be
stored in the cloud. This data has to have extra layers of
security on it to reduce the chances of breaches and phishing
attacks; this can be done by the service provider, as well as the
organization. However, as a precaution, data confidentiality
should be of utmost priority for sensitive material.
 Breaches: Breaches within the cloud are not unheard. Hackers
can breach security parameters within the cloud, and steal the
data which might otherwise be considered confidential for
organizations. On the contrary, a breach can be an internal
attack, so organizations need to lay particular emphasis in
tracking employee actions to avoid any unwanted attacks on
stored data. Storage: For organizations, the data is being stored
and made available virtually. However, for service providers, it
is necessary to store the data in physical infrastructures, which
makes the data vulnerable and conducive to physical attacks.
Cloud Security
 Data Security
 Data Control
 When the Cloud Provider goes down
 When a subpoena cloud provider to turn over user data
 When cloud provider fails to adequately provide their

network
Network Security :Achieving network security in cloud
computing requires network visibility and monitoring, multiple
layers of firewalls, traffic controls, end-to-end encryption, and
encapsulation protocols for virtual private clouds.
1.Tools that organizations can use to ensure network security
with the cloud include encrypting data, using multi-factor
authentication, installing firewalls, and enabling data loss
prevention.
2.Four principles that organizations can follow include using
layers of firewalls to isolate the zones of a cloud environment,
end-to-end encryption for application traffic on the network,
and using standardized security protocols like IPsec, SSH, or
SSL for virtual private clouds.
3.Organizations should also use 
network performance management tools so they can ensure
their cloud service providers are meeting service level
agreements.
 A few best practices for Network Security:
 Run only one network service on each virtual server
 Don not open up direct access to sensitive data
 Open only the ports absolutely necessary to support a

server’s service
 Limit access to your services to clients who need

access to them
 Even if you are not doing load balancing use a reverse

proxy
 Use the dynamic nature of the cloud to automate your

security embarrassments
 Network Intrusion Detection:
• Port Scans:A port scan is a method for determining which ports on
a network are open. As ports on a computer are the place where
information is sent and received, port scanning is analogous to
knocking on doors to see if someone is home. Running a port scan
on a network or server reveals which ports are open and listening
(receiving information), as well as revealing the presence of security
devices such as firewalls that are present between the sender and the
target. This technique is known as fingerprinting. It is also valuable
for testing network security and the strength of the system’s firewall.
Due to this functionality, it is also a popular reconnaissance tool for
attackers seeking a weak point of access to break into a computer.
• Denial of Service Attacks
• Known vulnerability exploit attempts
 The purpose of a Network Intrusion Detection
 Implementing Network Intrusion Detection in the cloud
Host Security
 It describes how to set up server
 Tasks:
 Preventing attacks

 Minimizing the impact of a successful attack on the

overall system
 Responding to attacks when they occur

Rolling out a patch across the infrastructure in three steps

 Patch AMI with the new security fixes

 Test the results

 Relaunch the virtual servers
Host Security
 System Hardening
 Antivirus protection
 Host intrusion Detection
 Data Segmentation
 Credential Management
 Compromise Response
System Hardening
 It is the process of disabling or removing unnecessary
services and eliminating user accounts
 No network services are running except those

necessary to support the server’s function

 Run services in a restricted file system
 No user accounts are enabled on the server
 Run all necessary services under a non privileged role

user account
Antivirus Protection

 Some regulations and standards are require to implementation

of antivirus system on servers.
 To critical features are required :
 How wide is the protection it provides? What percentage of
known exploits does it cover?
 What is the median delta between the time when a virus is
released into the wild and the time the AV product provides
protection against it?
Host Intrusion Detection

 OSSEC monitors the state of server for anything

unusual
 It has two configuration files
 Standalone in which each server scans itself and sends

alerts
 Centralized
Data Segmentation

 Minimizing the impact of a successful attack

 Access to your most sensitive data requires full system

breach
 The compromise of the entire system requires multiple

attack vectors with potentially different skill sets

 The downtime must be negligible
Credential Management

 Do not allow password based shell access to virtual

servers
 Dynamic delivery of public SSH key to target servers
Compromise Response

 After detecting a compromise on a physical server

 Remove intruder access to the system by cutting the server off
from the rest of the network
 Identify the attack vector
 Wipe the server clean and startover. It includes patching the
original vulnerability and rebuilding the system from the most
uncompromised backup
 Launch the server back into the service
 Quicker response to a vulnerability with little downtime
Disaster Recovery: is the practice of making a system capable of surviving
unexpected failures

 Disasters can be the result of three broad categories of threats

and hazards.
 The first category is natural hazards that include acts of nature
such as floods, hurricanes, tornadoes, earthquakes, and
epidemics.
 The second category is technological hazards that include
accidents or the failures of systems and structures such as
pipeline explosions, transportation accidents, utility disruptions,
dam failures, and accidental hazardous material releases.
 The third category is human-caused threats that include
intentional acts such as active assailant attacks, chemical or
biological attacks, cyber attacks against data or infrastructure,
and sabotage. Preparedness measures for all categories and types
of disasters fall into the five mission areas of prevention,
protection, mitigation, response, and recovery
 Common strategies for data protection include:
 backups made to tape and sent off-site at regular intervals
 backups made to disk on-site and automatically copied to off-
site disk, or made directly to off-site disk
 replication of data to an off-site location, which overcomes the
need to restore the data (only the systems then need to be
restored or synchronized), often making use of 
storage area network (SAN) technology
 Private Cloud solutions which replicate the management data
(VMs, Templates and disks) into the storage domains which
are part of the private cloud setup. These management data are
configured as an xml representation called OVF (Open
Virtualization Format), and can be restored once a disaster
occurs.
 Hybrid Cloud solutions that replicate both on-site and to off-
site data centers. These solutions provide the ability to
instantly fail-over to local on-site hardware, but in the event of
a physical disaster, servers can be brought up in the cloud data
centers as well.
 the use of high availability systems which keep both the data
and system replicated off-site, enabling continuous access to
systems and data, even after a disaster (often associated with 
cloud storage)[
Disaster Recovery: is the practice of making
a system capable of surviving unexpected failures
 Disaster Recovery Planning
 Recovery Point Objective
 Recovery Time Objective
The Recovery Point Objective

 Recovery Point Objective (RPO) describes the interval of time

that might pass during a disruption before the quantity of data
lost during that period exceeds the Business Continuity Plan’s
maximum allowable threshold or “tolerance.”
 Weekly off site backups will survive the loss of data with a
week of data loss
 Daily on-site backups will survive the loss of production
environment with a day of data loss plus replicating
transactions during the recovery period after the loss of the
system
 A NAS/SAN will survive the loss of any server
 Clustered database
 Clustered database across multiple data centers
The Recovery Time Objective

 The Recovery Time Objective (RTO) is the duration of time

and a service level within which a business process must be
restored after a disaster in order to avoid unacceptable
consequences associated with a break in continuity. In other
words, the RTO is the answer to the question: “How much
time did it take to recover after notification of business
process disruption?“
 The ability to assemble a replacement infrastructure
for disasters including the data restore time
 Traditional RTO is very expensive
 Service provider has to provide either a backup

infrastructure or SLA for setting up a replacement

infrastructure
Disasters in the Cloud

 Backups and data retention

 Geographic redundancy
 Organizational redundancy
Backup Management

Kind of data Description

Fixed data OS and common utilities-no need
Transient data File Caches no need
Configuration data Should be backed up regularly
Persistent data Requires backup