Unit 5

Uploaded by Lishiv Sharma

Module: Security

Upon completion of this module, you should be able to:
• Describe key security threats in the cloud
• Discuss key security mechanisms deployed in the cloud
• Describe infrastructure security (network, host, application)
• Discuss data security and storage

Module: Security
Cloud Computing Reference Model
Security Cross-layer Function

Module: Security
Drivers for Securing Cloud Infrastructure
• Information is an organization’s most valuable asset
• Various tools are deployed to protect the assets
• Trust is one of the key concerns of consumers adopting cloud

Trust = Visibility + Control

• Managing security has become increasingly important for cloud service providers

Module: Security
Information Security
Information Security
A term that includes a set of practices that protect information and information
systems from unauthorized access, use, information disclosure, disruption,
modification, or destruction.
— US Federal law (Title 38 Part IV, Chapter 57, Subchapter III USC 5727)

• Goal of information security is to provide:
– Confidentiality, integrity, and availability
• Security mechanisms ensure right users have access to
right resources at the right time
• Auditing enables assessing effectiveness of the security
mechanisms

Module: Security
Key Security Threats in a Cloud Environment
• Key security threats according to CSA and ENISA
– Data leakage
– Data loss
– Account hijacking
– Insecure APIs
– Malicious insiders
– Denial of service
– Abuse of cloud services
– Shared technology vulnerabilities
– Insufficient due diligence
– Loss of governance and compliance

Module: Security
Data Leakage
• Occurs when an attacker gains access to a cloud consumer’s
confidential data
• Unauthorized access to confidential data may be gained by:
– Compromising password database
– Exploiting poor application design
– Exploiting poor segregation of network traffic
– Exploiting poor encryption implementation
– Through a malicious insider
• Control measure
– Data encryption (both data at-rest and in-transit)
– Data shredding and multi-factor authentication
Module: Security
Data Loss
• Occurs due to various reasons other than malicious attacks
• Causes of data loss in the cloud include:
– Accidental deletion by the provider
– Destruction resulting from natural disasters
• Providers are often responsible for data loss
• Control measure
– Data backup and replication

Module: Security
Account Hijacking
• Occurs when an attacker gains access to consumers’ accounts
• Types of attack:
– Phishing: a social engineering attack used to deceive users; carried out by spoofing an email containing a link to a fake website; user credentials entered on the fake site are captured
– Installing keystroke-logging malware: attacker installs malware in a consumer’s VM; malware captures user credentials and sends them to the attacker
– Man-in-the-middle: attacker eavesdrops on the network to capture credentials
• Control measures: multi-factor authentication, IPSec, IDPS, and firewall

Module: Security
Insecure APIs
• APIs are used to perform activities such as:
– Resource provisioning and configuration
– Resource monitoring and management
– Orchestration
• APIs may be open or proprietary
• Security of cloud services depends on security of APIs
• Control measures
– Design and develop APIs following security best practices
– Perform security review of APIs
– Access to APIs must be restricted to authorized users

Module: Security
Denial of Service (DoS) Attack
• Prevents legitimate users from accessing resources or services
• Could be targeted against compute systems, networks, or
storage resources
• Exhaust key resources, preventing production use by legitimate
consumers
– Example 1: Exhausting network bandwidth or CPU cycles
– Example 2: Exploiting weaknesses in communication protocols
– Example 3: Corrupting domain name server’s cache

Module: Security
Distributed Denial of Service (DDoS) Attack
• DDoS is a variant of DoS attack
• Several systems launch a coordinated DoS attack on target(s)
– DDoS master program is installed on a compute system
– Master program communicates to agents at designated time
– Agents initiate the attack on receiving the command
• Attacker is able to multiply the effectiveness of the DoS attack
• Control measure
– Impose restrictions and limits on resource consumption

Module: Security
Malicious Insiders
Malicious Insiders

An organization’s current or former employee, contractor, or other business partner who has or had authorized access to an organization's compute systems, network, or storage.
— Computer Emergency Response Team (CERT)

• Intentional misuse of access to negatively impact CIA
• Control measures:
– Strict access control policies
– Security audit and data encryption
– Disable employee accounts immediately after separation
– Segregation of duties (role-based access control)
– Background investigation of candidates before hiring

Module: Security
Abuse of Cloud Services
• Cloud resources can be misused to perform unauthorized
activities such as
– Cracking an encryption key in minutes or hours
– Distributing pirated software
• Control measures
– Difficult to mitigate merely with the help of tools
– Establish agreement with consumers that have guidelines for
acceptable use of cloud resources

Module: Security
Insufficient Due Diligence
• Understanding the full scope of the undertaking while offering
cloud services
• Risk increases if services are offered without complete understanding of operational responsibilities such as:
– Incident response
– Encryption
– Governance and compliance
– Security monitoring

Module: Security
Shared Technology Vulnerabilities
• An attacker may exploit the vulnerabilities of tools used to
enable multi-tenant environments
• Examples of threats:
– Failure of mechanisms that provide separation of memory and
storage
– Hyperjacking attack involves installing a rogue hypervisor that
takes control of compute system
• Control measure
– Securing components that are part of trusted computing base

Module: Security
Loss of Compliance
Loss of Compliance

Occurs when a cloud service provider or cloud broker does not adhere to, and demonstrate adherence to, external laws and regulations as well as corporate policies and procedures.

• Regulations mandate vulnerability assessment when using certain types of data
– Aimed at discovering potential security vulnerabilities
• Example: PCI compliance for handling credit card data
– Participating cloud provider may prohibit through contract terms
– Cloud brokers and consumers have to rely on provider’s
vulnerability assessment results

Module: Security
Loss of Governance
• Causes of loss of governance:
– Provider outsources its services to third parties
• Impact of outsourcing services to third parties:
– No control over third parties, and may impact commitments of the provider
– Security controls of provider may change, impacting terms and conditions of provider
– Provider may not be able to supply evidence of meeting their
providers’ compliance requirements

Module: Security
Lesson Summary
During this lesson the following topics were covered:
• Data leakage and data loss
• Account hijacking and insecure APIs
• Malicious insiders and denial of service
• Abuse of cloud services and shared technology
vulnerabilities
• Insufficient due diligence
• Loss of compliance and governance

Module: Security
Lesson: Security Mechanisms – I
This lesson covers the following topics:
• Physical security
• IAM concepts

Module: Security
Introduction to Security Mechanisms
• Security mechanisms can be classified as:
– Administrative: security and personnel policies or standard procedures to direct the safe execution of various operations
– Technical: usually implemented through tools or devices deployed on computer systems, networks, or storage
• Technical security mechanisms must be deployed at:
– Compute level
– Network level
– Storage level

Module: Security
• Physical security
• IAM concepts as given below:-
• OAuth
• Multi-factor authentication
• Kerberos and CHAP
• OpenID

Module: Security
Physical Security
• Foundation of overall IT security strategy
• Some of the measures to secure cloud infrastructure are:
– Disabling all unused devices and ports
– 24/7/365 onsite security
– Biometric or security badge-based authentication to grant access
to the facilities
– Surveillance cameras to monitor activity throughout the facility
– Sensors and alarms to detect motion and fire

Module: Security
Identity and Access Management Concepts

Identity and Access Management

A process of managing consumers’ identifiers, and their authentication and authorization to access cloud resources.

• Cloud providers deploy both traditional and new authentication and authorization mechanisms:
– Authorization: restricts accessibility and sharing of files and folders. Examples: Windows ACLs, UNIX permissions, and OAuth
– Authentication: enables authentication among client and server. Examples: multi-factor authentication, Kerberos, CHAP, and OpenID

Module: Security
OAuth
OAuth

An open authorization mechanism that allows a client to access protected resources from a resource server on behalf of a resource owner.

• Entities involved in authorization:
– Resource owner
– Resource server
– Client
– Authorization server

Module: Security
Multi-factor Authentication
• Multiple factors for authentication:
– First factor: What a user knows? For example, a password
– Second factor: What the user has? For example, a token
– Third factor: Who is the user? or What the user did? For example, a
unique ID or user’s past activity
• Access is granted only when all the factors are validated

Module: Security
Kerberos
Kerberos

A network authentication protocol, which provides strong authentication for client/server applications by using secret-key cryptography. A client and server can prove their identity to each other across an insecure network connection.

Module: Security
Challenge Handshake Authentication Protocol
• Provides a method for initiators and targets to authenticate
each other by utilizing a secret code

Module: Security
OpenID
OpenID

An open standard for authentication in which a service provider uses authentication services from an OpenID provider.

Module: Security
Lesson Summary
During this lesson the following topics were covered:
• Physical security
• IAM concepts as given below:-
• OAuth
• Multi-factor authentication
• Kerberos and CHAP
• OpenID

Module: Security
Lesson: Security Mechanisms – II
This lesson covers the following topics:
• Role-based access control
• Network monitoring and analysis
• Firewall and intrusion detection and prevention system

Module: Security
Key Security Mechanisms -II
• Role-based access control
• Network monitoring and analysis
• Firewall
• Intrusion detection and prevention system
• Data related security:
– Data encryption
– Data shredding

Module: Security
Role-based Access Control
• An approach to restrict access to authorized users based on
their respective roles
– Only those privileges are assigned to a role that are required to
perform tasks associated with that role
• Separation of duties ensures that no single individual can both specify an action and carry it out

Module: Security
Network Monitoring and Analysis
• A proactive measure to detect and prevent network failure or
performance problems
• Network monitoring can be performed in two ways:
– Active: monitoring tools transmit data between two endpoints that are monitored
– Passive: information about a link or device is collected by probing the link or device
• Mechanisms used to monitor, detect, and prevent attacks are:
– Firewalls, IDPS and network analysis/forensics systems

Module: Security
Firewall
Firewall
A security mechanism designed to examine data packets traversing a network and
compare them to a set of filtering rules.

• Can be deployed at:
– Network level
– Compute level
– Hypervisor level
• Can be physical or virtual
• Uses various parameters for traffic filtering
• Examples of filtering parameters:
– Source address
– Destination address
– Port numbers and protocols

Module: Security
Firewall
Demilitarized Zone

• Secure internal assets while allowing Internet-based access to resources

Module: Security
Intrusion Detection and Prevention System
Intrusion Detection and Prevention System

A security tool that automates the process of detecting and preventing events
that can compromise the confidentiality, integrity, or availability of IT
resources.

• Signature-based detection technique
– Scans for signatures to detect an intrusion
– Effective only for known threats
• Anomaly-based detection technique
– Scans and analyzes events to detect if they are statistically different from normal events
– Has the ability to detect various events
• Examples of events detected:
– Multiple login failures
– Excessive process failure
– Excessive network bandwidth consumed by an activity

Module: Security
Intrusion Detection and Prevention System
Types of implementations
• Compute system-based
– Analyzes activity such as system logs and running processes
– IDPS software is susceptible to attacks
• Network-based
– Monitors and analyzes network traffic, network devices, network protocol, and application protocol behavior
– Deployed in the form of appliance or software on compute system
– Usually isolated from malicious applications on compute systems
• Hypervisor-based
– Monitors for anomalies in a hypervisor
– Detection policies are typically kernel-specific

Module: Security
Lesson: Security Mechanisms – III
This lesson covers the following topics:
• Data encryption
• Data shredding
• Security controls

Module: Security
Data Encryption
Data Encryption

A cryptographic technique in which data is encoded and made indecipherable to eavesdroppers or hackers.

• Enables securing data in-flight and at-rest
• Provides protection from threats, such as data tampering, media theft, and sniffing attacks
• Data encryption mechanism can be deployed at compute, network, and storage
• Data should be encrypted as close to its origin as possible

Module: Security
Data Shredding
Data Shredding

A process of deleting data or residual representations (sometimes called remanence) of data and making it unrecoverable

• Techniques for shredding data stored on tapes:
– Overwriting tapes with invalid data
– Degaussing media
– Destroying tapes
• Techniques for shredding data stored on disks and flash drives:
– Shredding algorithms
• Shred all copies of data including backup and replicas

Module: Security
Security Controls – Host Level

• Threat outlook: High
• Preventive controls: Host firewall, access control, patching, hardening of system, strong authentication
• Detective controls: Security event logs, host-based IDS/IPS

Module: Security
Identity and Access Management: Challenges and Standards
1. Why IAM?
2. Challenges in IAM
3. IAM standards
4. Securing virtual servers
5. Securing virtual servers

Module: Security
Module: Identity and Access Management
Upon completion of this module, you should be able to:
• Describe trust boundaries and IAM
• Discuss IAM challenges
• Describe IAM standards and protocols for cloud services

Module: Security
Why IAM ?
• Accelerates adoption of new cloud services and migration of IT
applications from trusted corporate networks into a trusted
cloud service model.
• Improves operational efficiency
• Regulatory compliance management
• Enables new IT delivery and deployment models (cloud
services)
• Enables enterprises and CSP to bridge security domains
through web single sign-on and federated user provisioning

Module: Security
IAM Challenges
• Managing access for diverse user populations (employees,
contractors, partners, etc.) accessing internal and externally
hosted services
• Turnover of users within the organization
• Access policies for information are seldom centrally and
consistently applied
• Initiatives to improve IAM can span several years and incur
considerable cost

Module: Security
IAM Standards and Protocols

Module: Security
Securing Virtual Servers
• Do not allow password-based authentication for shell access.
• Run a host firewall and open only ports necessary to support the
services on an instance.
• Run only the required services and turn off the unused services (e.g.,
turn off FTP, print services, network file services, and database
services if they are not required).
• Install a host-based IDS such as OSSEC or Samhain.
• Enable system auditing and event logging, and log the security events to a
dedicated log server. Isolate the log server with higher security
protection, including access controls.

Module: Security
RSA algorithm

The RSA algorithm is named after Ron Rivest, Adi Shamir and Len Adleman,
who invented it in 1977. The RSA cryptosystem is the most widely-used
public key cryptography algorithm in the world. It can be used to encrypt a
message without the need to exchange a secret key separately.
The RSA algorithm can be used for both public key encryption and digital
signatures. Its security is based on the difficulty of factoring large integers.
Party A can send an encrypted message to party B without any prior exchange
of secret keys. A just uses B's public key to encrypt the message and B decrypts
it using the private key, which only he knows. RSA can also be used to sign a
message, so A can sign a message using their private key and B can verify it
using A's public key.

Module: Security
Key Generation Algorithm

1. Generate two large random primes, p and q, of approximately equal
size such that their product n = pq is of the required bit length, e.g.
1024 bits. [See note 1].
2. Compute n = pq and (phi) φ = (p-1)(q-1). [See note 6].
3. Choose an integer e, 1 < e < phi, such that gcd(e, phi) = 1. [See note 2].
4. Compute the secret exponent d, 1 < d < phi, such that ed ≡ 1 (mod
phi). [See note 3].
5. The public key is (n, e) and the private key (d, p, q). Keep all the
values d, p, q and phi secret. [We prefer sometimes to write the
private key as (n, d) because you need the value of n when using d.
Other times we might write the key pair as ((N, e), d).]
n is known as the modulus.
e is known as the public exponent or encryption exponent or just
the exponent.
d is known as the secret exponent or decryption exponent.

Module: Security
Encryption
Sender A does the following:-
1. Obtains the recipient B's public key (n, e).
2. Represents the plaintext message as a positive integer m, 1 < m <
n [see note 4].
3. Computes the ciphertext c = m^e mod n.
4. Sends the ciphertext c to B.

Decryption
Recipient B does the following:-
1. Uses his private key (n, d) to compute m = c^d mod n.
2. Extracts the plaintext from the message representative m.

Module: Security
Example:
Key Generation:
1. Select 2 prime numbers: p = 17 and q = 11
2. Calculate n = p × q = 17 × 11 = 187
3. Calculate φ(n) = 16 × 10 = 160. Select e such that e is relatively
prime to φ(n) = 160 and 1 < e < φ(n)
4. Determine d such that:
d × e ≡ 1 mod φ(n)
d × 7 ≡ 1 mod 160
d = e^−1 mod φ(n): 161 / 7 = 23 and 161 mod 160 = 1, so d = 23

The resulting keys are:
PU = {7, 187} (public key)
PR = {23, 187} (private key)

Module: Security
encryption process

Module: Security
decryption process
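
The key generation, encryption and decryption steps above, carried through in Python with the slide's numbers (p = 17, q = 11, e = 7). This is an added example, not part of the original slides; the message value 88, the function names and the trial-division `recover_private` helper are assumptions chosen for illustration.

```python
from math import gcd, isqrt


def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def keygen(p, q, e):
    """Steps 2-5 of the key generation slide; returns ((n, e), (n, d))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("e must satisfy 1 < e < phi and gcd(e, phi) = 1")
    _, x, _ = egcd(e, phi)      # e*x + phi*y = 1, so e*x = 1 (mod phi)
    d = x % phi                 # normalise the inverse into 1 < d < phi
    return (n, e), (n, d)


def encrypt(pub, m):
    """c = m^e mod n, with the slide's range check 1 < m < n."""
    n, e = pub
    if not 1 < m < n:
        raise ValueError("message representative must satisfy 1 < m < n")
    return pow(m, e, n)


def decrypt(priv, c):
    """m = c^d mod n."""
    n, d = priv
    return pow(c, d, n)


def sign(priv, m):
    """Signature with the private exponent: s = m^d mod n."""
    n, d = priv
    return pow(m, d, n)


def verify(pub, m, s):
    """Anyone holding the public key can check that s^e mod n equals m."""
    n, e = pub
    return pow(s, e, n) == m


def recover_private(pub):
    """Why n must be large: whoever factors n can redo key generation."""
    n, e = pub
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            return keygen(p, n // p, e)[1]
    raise ValueError("n has no non-trivial factor")


if __name__ == "__main__":
    pub, priv = keygen(17, 11, 7)
    m = 88                      # constructed sample message representative
    c = encrypt(pub, m)
    print("public", pub, "private", priv)
    print("ciphertext", c, "decrypted", decrypt(priv, c))
    # Textbook RSA is deterministic: the same m always yields the same c,
    # which is why deployed RSA adds randomized padding such as OAEP.
    print("deterministic:", encrypt(pub, m) == c)
    print("signature valid:", verify(pub, m, sign(priv, m)))
    print("key rebuilt from n alone:", recover_private(pub) == priv)
```

The 8-bit modulus 187 is factored instantly, which is the practical meaning of "security is based on the difficulty of factoring large integers".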

Module: Security
• AES Algorithm

Module: Security
AES (Advanced Encryption Standard) is a symmetric block cipher used for encryption
and decryption. It works with key sizes of 128, 192, and 256 bits. It uses the same
secret key for both encryption and decryption.

Because AES is a block cipher, the data to be encrypted is divided into blocks for
encryption. Each block is encrypted using a key of 128, 192, or 256 bits.

Module: Security
Advantages of AES

o The encrypted data cannot be decrypted without a valid secret key.
o AES is the most common security algorithm used worldwide for various
purposes like wireless communication, financial transactions, encrypted data
storage, etc.
o Companies that want to transfer their data safely and without breaking it
can always use the AES algorithm.

Module: Security
Disadvantages of AES

o AES algorithm uses very simple algebraic formulae.
o Each block is encrypted using a similar kind of encryption.
o AES can be difficult to implement with the software.

Module: Security
• AES is a block cipher.
• The key size can be 128/192/256 bits.
• Encrypts data in blocks of 128 bits each.
• That means it takes 128 bits as input and outputs 128 bits of
encrypted ciphertext. AES relies on the substitution-permutation
network principle, which means it is performed using a series of
linked operations that involve replacing and shuffling the input data.

Module: Security
• AES performs operations on bytes of data rather than on bits.
Since the block size is 128 bits, the cipher processes 128 bits
(or 16 bytes) of the input data at a time.

• The number of rounds depends on the key length as follows:
• 128 bit key – 10 rounds
• 192 bit key – 12 rounds
• 256 bit key – 14 rounds

Module: Security
• Creation of round keys:
• A Key Schedule algorithm is used to calculate all the round keys
from the key. So the initial key is used to create many different
round keys, which will be used in the corresponding rounds of the
encryption.

Module: Security
• AES considers each block as a 16-byte (4 bytes × 4 bytes = 128 bits)
grid in a column-major arrangement.

[ b0 | b4 | b8  | b12 |
| b1 | b5 | b9  | b13 |
| b2 | b6 | b10 | b14 |
| b3 | b7 | b11 | b15 ]

Module: Security
Each round comprises 4 steps:

SubBytes
ShiftRows
MixColumns
Add Round Key
The last round doesn’t have the MixColumns step.

Module: Security
• SubBytes :
• This step implements the substitution.

• In this step each byte is substituted by another byte. It is
performed using a lookup table, also called the S-box. This
substitution is done in a way that a byte is never substituted by
itself and also not substituted by another byte which is a
complement of the current byte. The result of this step is a 16
byte (4 x 4) matrix like before.

Module: Security
• ShiftRows :
• This step is just as it sounds. Each row is shifted a particular
number of times.
• The first row is not shifted.
• The second row is shifted once to the left.
• The third row is shifted twice to the left.
• The fourth row is shifted thrice to the left.

Module: Security
(A left circular shift is performed.)

[ b0 | b1 | b2 | b3 ] [ b0 | b1 | b2 | b3 ]
| b4 | b5 | b6 | b7 | -> | b5 | b6 | b7 | b4 |
| b8 | b9 | b10 | b11 | | b10 | b11 | b8 | b9 |
[ b12 | b13 | b14 | b15 ] [ b15 | b12 | b13 | b14 ]

Module: Security
• MixColumns :
• This step is basically a matrix multiplication. Each column is
multiplied with a specific matrix and thus the position of each
byte in the column is changed as a result.
• This step is skipped in the last round.

[ c0 ]   [ 2 3 1 1 ] [ b0 ]
| c1 | = | 1 2 3 1 | | b1 |
| c2 |   | 1 1 2 3 | | b2 |
[ c3 ]   [ 3 1 1 2 ] [ b3 ]

Module: Security
Add round keys

Module: Security
• After all these rounds 128 bits of encrypted data is given back
as output. This process is repeated until all the data to be
encrypted undergoes this process.

Module: Security
Decryption
• Decryption :

• The stages in the rounds can be easily undone, as each stage has an opposite which, when
performed, reverts the changes. Each 128-bit block goes through 10, 12 or 14 rounds depending on the
key size.

• The stages of each round in decryption are as follows:

• Add round key

• Inverse MixColumns

• ShiftRows

• Inverse SubByte

Module: Security
• Inverse MixColumns :

• This step is similar to the MixColumns step in encryption, but differs in the matrix used to
carry out the operation.

• [ b0 ] [ 14 11 13 9 ] [ c0 ]

• | b1 | = | 9 14 11 13 | | c1 |

• | b2 | | 13 9 14 11 | | c2 |

• [ b3 ] [ 11 13 9 14 ] [ c3 ]

• Inverse SubBytes :

• The inverse S-box is used as a lookup table to substitute the bytes during
decryption.
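
ShiftRows, MixColumns and Inverse MixColumns as described above, written out in Python as an added example (not from the original slides). The "matrix multiplication" is carried out in GF(2^8), so products use `gmul` and sums use XOR; the sample state is the round-1 state after SubBytes from the FIPS-197 Appendix B walkthrough, and all function names are assumptions.

```python
# State layout: 16 bytes stored column-major, byte i sits in row i % 4 and
# column i // 4, matching the b0..b15 grid of the column-major slide.
MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
INV_MIX = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]

# Sample input: state after SubBytes in round 1 of the FIPS-197 Appendix B example.
STATE = bytes.fromhex("d42711aee0bf98f1b8b45de51e415230")


def xtime(b):
    """Multiply a byte by 2 in GF(2^8), reducing by x^8+x^4+x^3+x+1 (0x11B)."""
    b <<= 1
    return (b ^ 0x11B) & 0xFF if b & 0x100 else b


def gmul(a, b):
    """Multiply two bytes in GF(2^8): shift-and-add where 'add' is XOR."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = xtime(a)
        b >>= 1
    return r


def shift_rows(state, inverse=False):
    """Rotate row r left by r positions (right by r when inverse=True)."""
    step = -1 if inverse else 1
    return bytes(state[r + 4 * ((c + step * r) % 4)]
                 for c in range(4) for r in range(4))


def mix_columns(state, matrix=MIX):
    """Multiply every 4-byte column by the given matrix over GF(2^8)."""
    out = bytearray(16)
    for c in range(4):
        col = state[4 * c: 4 * c + 4]
        for r in range(4):
            acc = 0
            for k in range(4):
                acc ^= gmul(matrix[r][k], col[k])
            out[4 * c + r] = acc
    return bytes(out)


def diff_bytes_after(layers, index=0):
    """Flip one bit of one input byte and count the output bytes that change
    after `layers` applications of ShiftRows followed by MixColumns."""
    a = STATE
    b = bytearray(STATE)
    b[index] ^= 0x01
    b = bytes(b)
    for _ in range(layers):
        a = mix_columns(shift_rows(a))
        b = mix_columns(shift_rows(b))
    return sum(x != y for x, y in zip(a, b))


if __name__ == "__main__":
    shifted = shift_rows(STATE)
    mixed = mix_columns(shifted)
    print("after ShiftRows :", shifted.hex())
    print("after MixColumns:", mixed.hex())
    # Decryption direction: Inverse MixColumns, then the inverse row shift.
    restored = shift_rows(mix_columns(mixed, INV_MIX), inverse=True)
    print("round trip ok   :", restored == STATE)
    print("bytes changed after 1 and 2 layers:",
          diff_bytes_after(1), diff_bytes_after(2))
```

One changed input byte spreads to a full column after one ShiftRows/MixColumns layer and to the whole block after two, which is the diffusion these two steps exist to provide.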

Module: Security
Applications:

AES is widely used in many applications which require secure data storage and
transmission. Some common use cases include:

Wireless security: AES is used in securing wireless networks, such as Wi-Fi
networks, to ensure data confidentiality and prevent unauthorized access.
Database Encryption: AES can be applied to encrypt sensitive data stored in
databases. This helps protect personal information, financial records, and other
confidential data from unauthorized access in case of a data breach.
Secure communications: AES is widely used in protocols for internet
communications, email, instant messaging, and voice/video calls. It ensures that
the data remains confidential.
Data storage: AES is used to encrypt sensitive data stored on hard drives, USB
drives, and other storage media, protecting it from unauthorized access in case
of loss or theft.
Virtual Private Networks (VPNs): AES is commonly used in VPN protocols to
secure the communication between a user’s device and a remote server. It
ensures that data sent and received through the VPN remains private and cannot
be deciphered by eavesdroppers.

Module: Security
URL
• https://www.geeksforgeeks.org/advanced-encryption-standard-aes/

Module: Security
• THANK YOU
