Cloud Computing

Amandeep Ummat
CSE CEC
  Cloud computing security refers to the
technical discipline and processes that IT
organizations use to secure their cloud-
based infrastructure. Through a cloud
service provider, IT organizations can
outsource management of every aspect
of the technology stack, including
Cloud networking, servers, storage,
virtualization, operating systems,
Security middleware, runtime, data and
applications.
 Cloud computing security includes the
measures that IT organizations take to
secure all of these components against
cyber attacks, data theft and other
threats.
  Cloud security is the set of strategies and
practices for protecting data and
applications that are hosted in the cloud.
Like cyber security, cloud security is a
very broad area, and it is never possible
to prevent every variety of attack.
However, a well-designed cloud security
strategy vastly reduces the risk of cyber
attacks.
Cloud  Even with these risks, cloud computing is
Security often more secure than on-premises
computing. Most cloud providers have
more resources for keeping data secure
than individual businesses do, which lets
cloud providers keep infrastructure up to
date and patch vulnerabilities as soon as
possible. A single business, on the other
hand, may not have enough resources to
perform these tasks consistently.
  As companies continue to migrate to the
cloud, understanding the security
requirements for keeping data safe has
become critical. While third-party cloud
computing providers may take on the
management of this infrastructure, the
Why is responsibility of data asset security and
cloud accountability doesn't necessarily shift
along with it.
security
 By default, most cloud providers follow
important? best security practices and take active
steps to protect the integrity of their
servers. However, organizations need to
make their own considerations when
protecting data, applications, and
workloads running on the cloud.
  Security threats have become more
advanced as the digital landscape
continues to evolve. These threats
explicitly target cloud computing
providers due to an organization's overall
lack of visibility in data access and
movement. Without taking active steps to
Why is improve their cloud security,
cloud organizations can face significant
governance and compliance risks when
security managing client information, regardless
important? of where it is stored.
 Cloud security should be an important
topic of discussion regardless of the size
of your enterprise. Cloud infrastructure
supports nearly all aspects of modern
computing in all industries and across
multiple verticals.
  Lack of visibility
 It's easy to lose track of how your data is
being accessed and by whom, since many
cloud services are accessed outside of
corporate networks and through third
Cloud parties.
security 
Challenges  Multitenancy
?  Public cloud environments house multiple
client infrastructures under the same
umbrella, so it's possible your hosted
services can get compromised by
malicious attackers as collateral damage
when targeting other businesses.
  Access management and shadow IT
 While enterprises may be able to
successfully manage and restrict access
points across on-premises systems,
administering these same levels of
restrictions can be challenging in cloud
environments. This can be dangerous for
organizations that don't deploy bring-
Cloud your-own device (BYOD) policies and
allow unfiltered access to cloud services
security from any device or geolocation.
Challenges 
?  Compliance
 Regulatory compliance management is
oftentimes a source of confusion for
enterprises using public or hybrid cloud
deployments. Overall accountability for
data privacy and security still rests with
the enterprise, and heavy reliance on
third-party solutions to manage this
component can lead to costly compliance
issues.
  Misconfigurations
 Misconfigured assets accounted for 86%
of breached records in 2019, making the
inadvertent insider a key issue for cloud
computing environments.
Misconfigurations can include leaving
default administrative passwords in place,
or not creating appropriate privacy
Cloud settings.
security  Lack of Transparency Between
Challenges Business and Cloud Service Provider
 Transparency is a major issue for
? organizations that
 rely on cloud service providers for data
storage AND
 operate in industries where data security
and privacy is tightly regulated OR
 maintain a certification for information
security
  Today, cloud computing is a very
approachable topic for both small and
large enterprises alike. However, while
cloud computing affords businesses near-
limitless opportunities for scale and
sustainability, it also comes with risks.
Establishing successful cloud security
processes is about understanding
the common threats experienced by
businesses operating in the cloud. These
Risks and threats originate from both inside and
outside sources and vary in severity and
threats complexity.
 The following are some common cloud
security threats:
 Data breaches: With so many
organizations now operating in cloud-
based environments, information
accessibility has never been higher. As
enterprises expand their digital footprint,
cybercriminals can locate new access
points to exploit, gaining access to
private records and other sensitive data.
  Malware injections: Malware injection is
a common risk. Attackers upload these
malicious scripts of code to a cloud
server that hosts various applications and
services. Successfully deployed, these
scripts can cause any number of security
issues to enterprises operating on those
Risks and same servers.
threats  Regulatory compliance: Fines and
penalties for regulatory non-compliance
can be steep. The cloud shared-
responsibility model for security (see
below)—where the cloud provider is
responsible for the security of the cloud
and the cloud customer is responsible for
security in the cloud—must be properly
and diligently managed to demonstrate
and maintain compliance.
  Distributed Denial of Service
(DDoS): DDoS attacks can prevent users
or customers from accessing mission-
critical data and applications, which often
causes significant or even irreparable
financial damage to the business. See the
Risks and following video for more information on
threats DDoS attacks:
 Malicious insiders: Current or former
employees, business partners,
contractors, or anyone who has had
allowed access to systems or networks in
the past could be considered an insider
threat if they intentionally abuse their
access permissions.
  Advanced persistent threats
(APTs): APTs are a form of cyber attack
where an intruder or group of intruders
successfully infiltrate a system and
remain undetected for an extended
period. These stealthy attacks operate
silently, leaving networks and systems
intact so that the intruder can spy on
Risks and business activity and steal sensitive data
threats while avoiding the activation of defensive
countermeasures.
 Insecure APIs: Cloud service providers
commonly use Application Programming
Interfaces (APIs) as a way for customers
to access and extract information from
their cloud-based services. If not
configured properly, these APIs can leak
data and open the door for intrusions and
attacks from outside sources.
  Account hijacking: Stolen and
compromised account login credentials
Risks and are a common threat to cloud computing.
Hackers use sophisticated tools and
threats phishing schemes to hijack cloud
accounts, impersonate authorized users,
and gain access to sensitive business
data.
  IT organizations and the cloud service
providers they do business with share
responsibility for implementing security
controls to protect applications and data
Cloud that are stored or deployed in the cloud.
These controls include a variety of
Computin measures for reducing, mitigating or
g eliminating various types of risk: the
creation of data recovery and business
Security continuity plans, encrypting data, and
controlling cloud access are all security
Controls controls.
 While many types of cloud computing
security controls exist, they generally fall
into one of four categories.
  Deterrent Controls - Deterrent controls
Cloud are designed to discourage nefarious
actors from attacking a cloud system.
Computin These controls may act as a warning that
g an attack will be met with consequences.
Security  Insider attacks are a source of risk for
cloud service providers, so an example of
Controls a deterrent control could be a cloud
service provider conducting criminal
background checks on employees.
  Preventive Controls - Preventive
Cloud controls make the cloud environment
more resilient to attacks by eliminating
Computin vulnerabilities.
g  A preventive control could be writing a
piece of code that disables inactive ports
Security to ensure that there are no available
Controls entry points for hackers. Maintaining a
strong user authentication system is
another way of reducing vulnerability to
attack.
  Detective Controls - The purpose of
detective controls is to identify and react
to security threats and events. Intrusion
detection software and network security
monitoring tools are examples of
Cloud detective controls - their role is to monitor
Computin the network to determine when an attack
could be happening.
g
Security  Corrective Controls - Corrective
Controls controls are activated in the event of a
security attack. Their role is to limit the
damage caused by the incident. A
developer might write a piece of code so
that when a certain type of threat is
detected, data servers are disconnected
from the network to prevent data theft.