Unit 5:
Cloud Security
• “Security in the Cloud is much like security in
your on-premises data centers - only without
the costs of maintaining facilities and
hardware. In the Cloud, you don’t have to
manage physical servers or storage devices.
Instead, you use software-based security tools
to monitor and protect the flow of information
into and out of your Cloud resources.”
• (The Beginner’s Guide to Cloud Security,
Amazon Web Services 2019)
• https://www.whizlabs.com/blog/cloud-
security-for-beginners/
• The objective of Cloud security is keeping
your data secure in the Cloud.
• Although Cloud projects are becoming widely
popular, an increasing number of executives and
business owners are concerned with how to secure
their Cloud environment against cyberattacks, data
breaches and intrusions, and rightfully so.
• According to Gartner, organizations should never
assume that using a Cloud service automatically
means that whatever they do within this Cloud
environment will be secure.
• Compared with traditional IT security, Cloud security
solutions typically run in third-party data centers,
require less upfront investment and are highly
scalable and efficient.
5.1 Introduction to Security
• Cloud security, also known as cloud computing
security, consists of a set of policies, controls, procedures
and technologies that work together to protect cloud-based
systems, data, and infrastructure.
• These security measures are configured to protect cloud
data, support regulatory compliance and protect customers'
privacy as well as setting authentication rules for individual
users and devices.
• From authenticating access to filtering traffic, cloud security
can be configured to the exact needs of the business.
• And because these rules can be configured and managed in
one place, administration overheads are reduced and IT
teams are freed to focus on other areas of the business.
• The way cloud security is delivered will depend on
the individual cloud provider or the cloud security
solutions in place.
• However, implementation of cloud security
processes should be a joint responsibility
between the business owner and solution
provider.
In fact, business owners and IT executives need to make Cloud security a
priority during the three main stages of a Cloud adoption project.
• Before Cloud Migration: Before going to the Cloud, organizations
must assess their readiness to the Cloud aligned with their business
risks, legal and technical considerations. During this phase,
organizations must understand their objectives of moving to the
Cloud, possible risks and expected outcomes.
• During Cloud Migration: As the Cloud environment is ever-evolving,
it is important to prioritize security all while moving your data to the
Cloud. During the Cloud migration phase, it is important to adopt a
risk-based approach to secure Cloud adoption to avoid potential
pitfalls.
• After Cloud Migration: Just because a Cloud migration project has
been completed doesn’t mean that your Cloud environment is secure.
Instead, organizations must continue to evaluate their Cloud security
posture on a regular basis, monitor their Cloud environment and be
vigilant about documenting any changes or potential Cloud risks.
Cloud security offers many benefits, including:
• Centralized security: Just as cloud computing
centralizes applications and data, cloud security
centralizes protection.
• Cloud-based business networks consist of
numerous devices and endpoints that can be
difficult to manage.
• Disaster recovery plans can also be implemented
and actioned easily when they are managed in
one place.
• Reduced costs: One of the benefits of utilizing cloud
storage and security is that it eliminates the need to
invest in dedicated hardware. Not only does this
reduce capital expenditure, but it also reduces
administrative overheads. Where once IT teams were
firefighting security issues reactively, cloud security
delivers proactive security features that offer
protection 24/7 with little or no human intervention.
• Reduced Administration: When you choose a
reputable cloud services provider or cloud security
platform, much of the manual security configuration
and near-constant patching of the underlying platform
is taken off your hands. These tasks can be a massive
drain on resources; when you move them to the cloud,
that part of security administration happens in one place
and is managed on your behalf. Configuring and monitoring
your own resources remains your responsibility under the
shared responsibility model.
• Reliability: Cloud computing services are built for
high availability.
• With the right cloud security measures in place,
users can safely access data and applications
within the cloud no matter where they are or
what device they are using.
• More and more organizations are realizing the
many business benefits of moving their systems
to the cloud.
• Cloud computing allows organizations to operate
at scale, reduce technology costs and use agile
systems that give them the competitive edge.
Secure Data in the Cloud
• Cloud data security becomes increasingly important as we
move our devices, data centers, business processes, and
more to the cloud.
• Ensuring quality cloud data security is achieved through
comprehensive security policies, an organizational culture
of security, and cloud security solutions.
• Selecting the right cloud security solution for your
business is imperative if you want to get the best from the
cloud and ensure your organization is protected from
unauthorized access, data breaches and other threats.
• Forcepoint Cloud Access Security Broker (CASB) is a
complete cloud security solution that protects cloud apps
and cloud data, prevents compromised accounts and
allows you to set security policies on a per-device basis.
5.2 Cloud Security challenges and
Risks
• Many organizations are moderately to extremely
concerned about cloud security.
• When asked about what are the biggest security
threats facing public clouds, organizations
ranked:
• misconfiguration
• unauthorized access
• insecure interfaces and
• hijacking of accounts
The Top Security Issues in Cloud
Computing
Misconfiguration
• Misconfiguration of cloud infrastructure is a leading
contributor to data breaches. If an organization’s cloud
environment is not configured properly, critical business
data and applications may become susceptible to an
attack.
• Misconfiguration poses serious cloud security issues to
businesses, and the fallout can detrimentally impact
day-to-day operations.
• To prevent misconfigurations, those responsible for
overseeing their organization’s cloud solution should be
familiar with the security controls provided by their
cloud service provider.
Cyberattacks
• Cybercriminals and threat actors are constantly
practicing and perfecting their hacking
capabilities, and cloud environments are quickly
becoming one of their primary targets.
• It’s important for organizations to understand
their cyber risk so they can make the necessary
adjustments to proactively protect their business
from cyberattacks.
Malicious Insiders
• Cyberattacks don’t just occur from external
threats – insider threats are a major concern for
businesses, too.
• In fact, according to the 2020 Verizon Data
Breach Investigations Report, 30% of data
breaches involved internal actors.
• Organizations must have the proper security
controls in place to identify malicious insider
activity and mitigate risks before there are any
significant impacts to business operations.
Lack of Visibility
• A report by Forcepoint states that only 7% of
cybersecurity professionals have extremely good visibility
as to how employees use critical business data across
company-owned and employee-owned devices, company-
approved services (e.g., Microsoft Exchange), and
employee services, while 58% say they have only
moderate or slight visibility.
• In a cloud environment, this lack of visibility can lead
to cloud computing security issues that put organizations
at risk, including malicious insider threats and
cyberattacks that we discussed above.
• It is imperative organizations have comprehensive visibility
into their cloud environment on a continuous basis.
Insecure Application & Configurations
• According to a recent report from
McAfee, 99% of IaaS misconfigurations go
unnoticed, one of the most common entry
points for cloud-native breaches.
• As these misconfigurations sit on the customer's side
of the shared responsibility model, they underscore the
need to understand that model and to consider cloud-native
tools, such as configuration auditing and data loss
prevention (DLP), that can check how data is stored and
protected against breach and non-compliance.
Data Leakage
• By sharing public links, or changing the settings of a
cloud-based file to “public”, anyone who knows the link
can access the information stored in it.
• Additionally, hackers leverage tools to actively
search the internet for instances of unsecured
cloud deployments just like these.
• If these resources contain proprietary company
data or sensitive information and wind up in the
wrong hands, there is an immediate threat of a
potentially serious data breach, which can impact
an organization.
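The two issues above, misconfiguration and public exposure of storage, usually come down to a resource policy that grants access to everyone. As an added example (not part of the original slides), the Python below scans a policy document in the AWS IAM policy JSON format and reports every Allow statement whose Principal is a wildcard. The two sample policies, the bucket name, the account id and the VPC endpoint id are constructed for the demo.

```python
import json


def _as_list(value):
    """Policy JSON allows a single string wherever a list is expected."""
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True for the principal forms that mean 'anyone', anonymous callers included."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def public_statements(policy_doc):
    """Return (Sid, severity, actions) for each Allow statement with a wildcard principal.

    Severity is 'public' when nothing narrows the grant and 'conditional' when a
    Condition block is present: a condition such as aws:SourceVpce can be a
    legitimate way to scope a wildcard principal, so those need a human look
    rather than an automatic fail.
    """
    policy = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal", {})):
            continue
        sid = stmt.get("Sid", "Statement[%d]" % idx)
        severity = "conditional" if stmt.get("Condition") else "public"
        findings.append((sid, severity, _as_list(stmt.get("Action", []))))
    return findings


# Constructed sample policies; bucket name, account id and endpoint id are placeholders.
PUBLIC_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",                      # the classic "public bucket" mistake
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-reports/*",
    }],
})

SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReportingRoleOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/reporting"},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-reports",
                         "arn:aws:s3:::example-reports/*"],
        },
        {
            "Sid": "VpcOnly",
            "Effect": "Allow",
            "Principal": "*",                  # wildcard, but narrowed by the condition
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-reports/*",
            "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0abc123def456789a"}},
        },
    ],
})

if __name__ == "__main__":
    for name, doc in (("public bucket", PUBLIC_BUCKET_POLICY),
                      ("scoped bucket", SCOPED_POLICY)):
        print(name, public_statements(doc))
```

The check deliberately ignores Deny statements and does not evaluate NotPrincipal, NotAction or account-level settings such as S3 Block Public Access; it is a first-pass filter for the policies an engineer should read, not a full policy evaluator.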
How to Mitigate Cloud Security
Concerns and Issues
• Although the cloud is full of benefits, there are cloud
computing challenges and related security issues, and
through 2025, 99% of cloud security failures will be the
customer’s fault according to Gartner.
• To help mitigate risks, it is best to work with a managed
cloud service provider that you trust and in whose ability
to protect your data you have full confidence. The trust you
build with your partner will go a long way to help expand
and secure your business in the cloud.
• When searching for a provider, you should investigate
what cybersecurity framework they use or recommend.
It’s an easy question to ask, but it’s surprising how many
managed service companies won’t have an answer for
you.
5.3 Software-as-a-Service Security
• SaaS Security refers to securing user
privacy and corporate data in subscription-
based cloud applications.
• SaaS applications carry a large amount of
sensitive data and can be accessed from
almost any device by a mass of users,
thus posing a risk to privacy and sensitive
information.
• SaaS is the dominant cloud service model for the
foreseeable future and the area where the most critical
need for security practices and oversight will reside.
• Just as with a managed service provider, corporations or
end users will need to research vendors’ policies on data
security before using vendor services to avoid losing or
not being able to access their data.
• The technology analyst and consulting firm Gartner lists
[6] seven security risks which one should discuss with a
cloud-computing vendor:
• Privileged user access
• Regulatory compliance
• Data location
• Data segregation
• Recovery
• Investigative support
• Long-term viability
• To address the security issues listed above, SaaS providers
will need to incorporate and enhance security practices
used by the managed service providers and develop new
ones as the cloud computing environment evolves.
• Vulnerability assessment
• Security image testing
• Data governance
• Data security
• Application security
• Virtual machine security
• Identity and Access Management (IAM)
• Change management
• Physical security
• Disaster recovery
• Data privacy
• Security management
• Security governance
• Risk management
• Risk assessment
• Security awareness
• Education and training
• Policies and standards
• Third-party risk management
• SaaS is exposed to attacks on APIs (Application
Programming Interfaces), publishers, web portals and
interfaces.
• Attacks on SaaS fall into two broad groups: attacks on
development tools and attacks on management tools.
• The most widely used SaaS entry points are web services, web
portals and APIs.
• Intruders attempt unauthorized access to, and use of,
services by attacking web portals and APIs.
• These attacks affect data privacy.
• Intruders try to extract sensitive information such as API
keys, private keys and publishers' credentials through
different kinds of attacks and automated tools.
• Another possible attack on this layer is an exposed
secure shell (SSH) service used to extract key credentials.
Data protection
• In cloud computing, applications are deployed in
shared resource environments; therefore, data
protection is an important aspect.
• Data protection has three major challenges:
integrity, authorized access and availability
(backup/replication).
• Data integrity ensures that the data are not
corrupted or tampered during communication.
• Authorized access prevents data from intrusion
attacks while backups and replicas allow data
access efficiently even in case of a technical fault
or disaster at some cloud location.
Attacks on interfaces
• A successful attack on the cloud control
interfaces can yield root-level access to a
customer's machines without any direct attack
on the cloud infrastructure itself.
• Two kinds of attack have been demonstrated against
the authentication mechanisms of cloud control
interfaces: XML signature wrapping against SOAP-based
APIs, and advanced cross-site scripting (XSS) against
web consoles.
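The signature wrapping attack mentioned above, reconstructed as an added example (not code from the original slides or from any cloud provider): a client signs the SOAP Body and references it by its Id attribute; a naive verifier locates the signed element by that Id, while the business logic independently takes the first Body under the Envelope. The attacker moves the intact signed Body into a wrapper element inside the Header and inserts a fresh, unsigned Body with the request it really wants executed. XML-DSig is replaced here by an HMAC over the serialized element (an assumption that keeps the demo self-contained); the signing key, element names and actions are constructed for the demo.

```python
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {"s": "http://schemas.xmlsoap.org/soap/envelope/"}
KEY = b"constructed-demo-signing-key"   # stands in for the customer's signing key


def _digest(elem):
    """Stand-in for XML-DSig: a keyed hash over the element's serialized bytes."""
    return hmac.new(KEY, ET.tostring(elem), hashlib.sha256).hexdigest()


def build_signed_request(action):
    """Legitimate client: sign the Body (referenced by Id) and put the signature in the Header."""
    env = ET.Element("{%s}Envelope" % NS["s"])
    header = ET.SubElement(env, "{%s}Header" % NS["s"])
    body = ET.SubElement(env, "{%s}Body" % NS["s"], {"Id": "body"})
    ET.SubElement(body, "Action").text = action
    sig = ET.SubElement(header, "Signature")
    sig.set("Reference", "#body")
    sig.set("Value", _digest(body))
    return env


def wrap_attack(env, evil_action):
    """Attacker: keep the signed Body untouched (so its digest still verifies) but move it
    under a wrapper in the Header, then add a new unsigned Body carrying the real request."""
    env = copy.deepcopy(env)
    header = env.find("s:Header", NS)
    original = env.find("s:Body", NS)
    env.remove(original)
    ET.SubElement(header, "Wrapper").append(original)   # Id="body" survives in here
    new_body = ET.SubElement(env, "{%s}Body" % NS["s"])
    ET.SubElement(new_body, "Action").text = evil_action
    return env


def _signed_element(env):
    """Return the element the signature covers, or None if there is no valid signature."""
    sig = env.find("s:Header/Signature", NS)
    if sig is None:
        return None
    ref = sig.get("Reference", "").lstrip("#")
    for elem in env.iter():                 # resolves the Id anywhere in the document
        if elem.get("Id") == ref:
            return elem if hmac.compare_digest(sig.get("Value", ""), _digest(elem)) else None
    return None


def process_naive(env):
    """Vulnerable: signature check and business logic locate the Body independently."""
    if _signed_element(env) is None:
        return None
    body = env.find("s:Body", NS)           # first Body under Envelope: the attacker's
    return body.find("Action").text


def process_hardened(env):
    """Fixed: act only on the very element the signature covered, and insist that it is
    the Envelope's own Body child rather than something referenced by Id elsewhere."""
    signed = _signed_element(env)
    body = env.find("s:Body", NS)
    if signed is None or signed is not body:
        return None
    return body.find("Action").text


if __name__ == "__main__":
    legit = build_signed_request("DescribeInstances")
    forged = wrap_attack(legit, "RunInstances")
    print("naive:", process_naive(legit), process_naive(forged))
    print("hardened:", process_hardened(legit), process_hardened(forged))
```

The fix is not a stronger signature but a tighter binding: the processing code must use the exact node the verifier validated (or verify the node it is about to process), never a second lookup by a different path.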
Attacks on SSH (Secure Shell)
• Attacks on Secure Shell (SSH), the basic
mechanism used to establish trust and
connect to cloud services, are among the most
alarming threats because they compromise control trust.
• According to the Ponemon 2014 SSH Security
Vulnerability Report, 74 percent of organizations
have no controls to provision, rotate, track and
remove SSH keys.
• Cybercriminals take full advantage of these
weaknesses, and also use cloud computing itself to
launch attacks.
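Tracking and removing SSH keys starts with knowing what is in each authorized_keys file. As an added example (not from the original slides), the Python below parses an authorized_keys file, decodes each key blob in the wire format sshd reads, and flags DSA keys, RSA keys below a size threshold and keys that carry no `from=`, `command=` or `restrict` option. The sample file and the key blobs are constructed for the demo (they are not usable key pairs, just modulus values of the right bit length).

```python
import base64
import shlex
import struct

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n):
    # RFC 4251 mpint: big-endian two's complement, so a leading 0x00 when the high bit is set
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def _read_string(blob, off):
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n


def make_key_line(ktype, bits, comment, options=None):
    """Constructed key material for the demo (not a usable key pair): a blob whose
    modulus has exactly `bits` bits, laid out the way sshd expects it."""
    n = (1 << (bits - 1)) | 0x10001
    blob = _ssh_string(ktype.encode()) + _ssh_mpint(65537) + _ssh_mpint(n)
    line = "%s %s %s" % (ktype, base64.b64encode(blob).decode(), comment)
    return options + " " + line if options else line


def audit_authorized_keys(text, min_rsa_bits=2048):
    """Return (line number, comment, issues) for every key that needs attention."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)            # keeps from="a b" together as one token
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or len(tokens) < idx + 2:
            findings.append((lineno, line[:40], ["unparseable"]))
            continue
        options = [o for tok in tokens[:idx] for o in tok.split(",")]
        ktype = tokens[idx]
        comment = " ".join(tokens[idx + 2:]) or "<no comment>"
        issues = []
        try:
            blob = base64.b64decode(tokens[idx + 1], validate=True)
            blob_type, off = _read_string(blob, 0)
            if blob_type.decode() != ktype:
                issues.append("type-mismatch")      # text type and blob type disagree
            elif ktype == "ssh-rsa":
                _e, off = _read_string(blob, off)
                n_bytes, _ = _read_string(blob, off)
                bits = int.from_bytes(n_bytes, "big").bit_length()
                if bits < min_rsa_bits:
                    issues.append("rsa-%d-bits" % bits)
            elif ktype == "ssh-dss":
                issues.append("dsa")                # 1024-bit only; off by default since OpenSSH 7.0
        except (ValueError, struct.error):
            issues.append("corrupt-blob")
        if not any(o == "restrict" or o.startswith(("from=", "command=")) for o in options):
            issues.append("unrestricted")           # usable from anywhere, for anything
        if issues:
            findings.append((lineno, comment, issues))
    return findings


# Constructed sample file: one comment line and four keys.
SAMPLE = "\n".join([
    "# constructed authorized_keys for the demo",
    make_key_line("ssh-rsa", 1024, "legacy-deploy@build01"),
    make_key_line("ssh-rsa", 3072, "alice@laptop",
                  options='from="10.20.0.0/16",no-agent-forwarding'),
    make_key_line("ssh-rsa", 4096, "ci-runner@jenkins"),
    make_key_line("ssh-dss", 1024, "old-admin@nas"),
])

if __name__ == "__main__":
    for finding in audit_authorized_keys(SAMPLE):
        print(finding)
```

Running this over every host's authorized_keys (and every user's, not just root's) gives the inventory that key rotation and removal depend on; the same parser works on the output of `ssh-keyscan` for host keys.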
5.4 Security Monitoring
• Monitoring is a critical component of cloud
security and management.
• Typically relying on automated solutions, cloud
security monitoring supervises virtual and
physical servers to continuously assess and
measure data, application, or infrastructure
behaviors for potential security threats.
• This assures that the cloud infrastructure and
platform function optimally while minimizing the
risk of costly data breaches.
BENEFITS OF CLOUD SECURITY
MONITORING
• Cloud monitoring provides an easier way to identify patterns and
pinpoint potential security vulnerabilities in cloud infrastructure.
• As there’s a general perception of a loss of control when valuable data is
stored in the cloud, effective cloud monitoring can put companies more
at ease with making use of the cloud for transferring and storing data.
• When customer data is stored in the cloud, cloud monitoring can
prevent loss of business and frustrations for customers by ensuring that
their personal data is safe.
• The use of web services can increase security risks, yet cloud computing
offers many benefits for businesses, from accessibility to a better
customer experience.
• Cloud monitoring is one initiative that enables companies to find the
balance between the ability to mitigate risks and taking advantage of
the benefits of the cloud – and it should do so without hindering
business processes.
CHALLENGES OF CLOUD SECURITY
MONITORING
• Virtualization poses challenges for monitoring in the cloud:
traditional log management, log correlation and security
information and event management (SIEM) tools are not
routinely configured to adapt to dynamic environments where
virtual machines may come and go in response to sharp
increases or decreases in demand.
• Visibility can also be a concern when it comes to cloud
monitoring. Many companies rely on third-party cloud services
providers and may not have access to every layer in the cloud
computing stack, and therefore can’t gain full visibility to
monitor for potential security flaws and vulnerabilities.
• Finally, shifts in scope are another common challenge when
dealing with cloud environments, as assets and applications
may move between systems which may not necessarily have
the same level of security monitoring.
HOW CLOUD SECURITY
MONITORING WORKS
• There are several approaches to cloud security
monitoring. Cloud monitoring can be done in the cloud
platform itself, on premises using an enterprise’s
existing security management tools, or via a third
party service provider. Some of the key capabilities of
cloud security monitoring software include:
• Scalability: tools must be able to monitor large
volumes of data across many distributed locations
• Visibility: the more visibility into application, user,
and file behavior that a cloud monitoring solution
provides, the better it can identify potential attacks or
compromises
• Timeliness: the best cloud security monitoring
solutions will provide constant monitoring,
ensuring that new or modified files are scanned in
real time
• Integration: monitoring tools must integrate
with a wide range of cloud storage providers to
ensure full monitoring of an organization’s cloud
usage
• Auditing and Reporting: cloud monitoring
software should provide auditing and reporting
capabilities to manage compliance requirements
for cloud security
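The capabilities listed above only matter once some detection logic runs over the platform's own audit trail. As an added example (not from the original slides, and not a vendor product), the Python below runs three detections over events in the shape AWS CloudTrail records them (field names such as eventName, userIdentity.type, sourceIPAddress and requestParameters): any API call by the root account, a security group rule that opens an administrative port to 0.0.0.0/0, and a burst of failed console logins from one source address. The events, account identifiers and addresses are constructed for the demo.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_PORTS = {22, 3389}                        # SSH and RDP
FAILED_LOGIN_THRESHOLD = 3
FAILED_LOGIN_WINDOW = timedelta(minutes=10)


def _when(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _opens_admin_port_to_world(params):
    """True if any ingress permission in the request spans an admin port from 0.0.0.0/0."""
    for perm in params.get("ipPermissions", {}).get("items", []):
        ports = range(perm.get("fromPort", 0), perm.get("toPort", 65535) + 1)
        ranges = perm.get("ipRanges", {}).get("items", [])
        world = any(r.get("cidrIp") == "0.0.0.0/0" for r in ranges)
        if world and any(p in ports for p in ADMIN_PORTS):
            return True
    return False


def detect(events):
    """Run the three detections over CloudTrail-shaped events, oldest first; return alerts."""
    alerts = []
    failures = defaultdict(list)                # source IP -> recent failed-login times
    for ev in sorted(events, key=_when):
        name = ev.get("eventName")
        ident = ev.get("userIdentity", {})
        src = ev.get("sourceIPAddress", "?")
        # 1. Root account API use: should only ever happen during break-glass procedures.
        if ident.get("type") == "Root":
            alerts.append(("root-usage", name, src))
        # 2. A security group rule exposing an admin port to the whole internet.
        if name == "AuthorizeSecurityGroupIngress":
            params = ev.get("requestParameters", {})
            if _opens_admin_port_to_world(params):
                alerts.append(("world-open-admin-port", params.get("groupId", "?"), src))
        # 3. Repeated failed console logins from one IP inside a sliding window.
        if name == "ConsoleLogin" and ev.get("responseElements", {}).get("ConsoleLogin") == "Failure":
            now = _when(ev)
            recent = [t for t in failures[src] if now - t <= FAILED_LOGIN_WINDOW] + [now]
            failures[src] = recent
            if len(recent) == FAILED_LOGIN_THRESHOLD:   # fire once, when the threshold is hit
                alerts.append(("login-bruteforce", ident.get("userName", "?"), src))
    return alerts


def detect_jsonl(text):
    """Same detections over newline-delimited JSON, the form log shippers usually deliver."""
    return detect(json.loads(line) for line in text.splitlines() if line.strip())


def _login(ts, user, ip, outcome):
    return {"eventTime": ts, "eventName": "ConsoleLogin",
            "userIdentity": {"type": "IAMUser", "userName": user},
            "sourceIPAddress": ip, "responseElements": {"ConsoleLogin": outcome}}


# Constructed sample events (addresses are documentation ranges; the group id is made up).
SAMPLE_EVENTS = [
    _login("2024-05-01T09:00:01Z", "bob", "198.51.100.7", "Failure"),
    _login("2024-05-01T09:00:20Z", "bob", "198.51.100.7", "Failure"),
    _login("2024-05-01T09:01:05Z", "bob", "198.51.100.7", "Failure"),
    _login("2024-05-01T09:03:00Z", "alice", "203.0.113.9", "Success"),
    {"eventTime": "2024-05-01T10:15:00Z", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "203.0.113.9",
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2024-05-01T11:00:00Z", "eventName": "CreateUser",
     "userIdentity": {"type": "Root"}, "sourceIPAddress": "203.0.113.9",
     "requestParameters": {"userName": "backdoor"}},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    for alert in detect_jsonl(SAMPLE_LOG):
        print(alert)
```

The sliding window is what makes the third rule timely rather than a nightly batch count; in production the same logic would be fed from the log stream and the state kept per source address would need an expiry.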
5.5 Security Architecture Design
• Cloud security architecture (also sometimes called a “cloud computing
security architecture”) is defined by the security layers, design, and
structure of the platform, tools, software, infrastructure, and best practices
that exist within a cloud security solution.
• A cloud security architecture provides the written and visual model to
define how to configure and secure activities and operations within the
cloud, including such things as:
• identity and access management;
• methods and controls to protect applications and data;
• approaches to gain and maintain visibility into compliance, threat posture,
and overall security;
• processes for instilling security principles into cloud services development
and operations;
• policies and governance to meet compliance standards; and
• physical infrastructure security components.
Key Elements of a Cloud Security
Architecture
• When developing a cloud security
architecture several critical elements should be
included:
• Security at Each Layer
• Centralized Management of Components
• Redundant & Resilient Design
• Elasticity & Scalability
• Appropriate Storage for Deployments
• Alerts & Notifications
• Centralization, Standardization, & Automation
Shared Responsibility within Cloud
Security Architectures
• The types of service models in use by a business define the types of
cloud security architectures that are most applicable.
• The service models are: Infrastructure as a Service (IaaS), Software
as a Service (SaaS), and Platform as a Service (PaaS).
• Organizations that offer cloud services typically adhere to a shared
responsibility model—that is, the cloud service provider is
responsible for the security of the components necessary to operate
the cloud service (software, computing, storage, database,
networking, hardware, infrastructure, etc.).
• The customer is responsible for protecting the data and information
that is stored in the cloud, as well as how they may access that data
(identity and access management).
• Responsibilities vary slightly depending on the type of service (IaaS,
SaaS, or PaaS)
Infrastructure as a Service (IaaS) Shared Responsibility
• With an IaaS, a business purchases the infrastructure from
a cloud provider and the business typically installs their own
operating systems, applications, and middleware.
• Examples of IaaS are Amazon EC2 and Azure Virtual Machines (Microsoft).
• In an IaaS, the customer is usually responsible for the
security associated with anything they own or install on the
infrastructure.
Software as a Service (SaaS) Shared Responsibility
• With a SaaS, an organization purchases the use of a cloud-
based application from a provider. Examples of SaaS include
Office 365 or Salesforce.
• In a SaaS, the customer is typically only responsible for the
security components associated with accessing the
software, such as identity management, customer network
security, and the data it chooses to put into the service.
• The software provider manages the security of the backend.
Platform as a Service (PaaS) Shared
Responsibility
• With a PaaS, a business purchases a platform
from a cloud provider to develop, run, and
manage applications without developing or
managing the underlying platform infrastructure
required for the applications.
• Examples of PaaS are AWS Elastic Beanstalk and Azure App
Service.
• In a PaaS, the customer is responsible for the
security associated with application
implementation, configurations, and permissions.
Types of Cloud Security
Architectures
• A cloud security architecture typically includes
components and best practices relevant to the
types of cloud security services the business
wishes to secure.
• Examples include an AWS cloud security
architecture, Google infrastructure security, or
an Azure security architecture.
• Additional key components of a cloud security
architecture include the cloud “shared
responsibility model” and the principles of “zero
trust architecture.”
Principles of Cloud Security
Architecture
• A well-designed cloud security architecture should be based
on the following key principles:
• Identification—Knowledge of the users, assets, business
environment, policies, vulnerabilities and threats, and risk
management strategies (business and supply chain) that
exist within your cloud environment.
• Security Controls—Defines parameters and policies
implemented across users, data, and infrastructure to help
manage the overall security posture.
• Security by Design—Defines control responsibilities,
security configurations, and automated security baselines.
These are standardized and repeatable so that they can be
deployed consistently across common use cases, mapped to
security standards, and evidenced for audit.
• Compliance—Integrates industry standards and
regulatory components into the architecture and
ensures standards and regulatory responsibilities are
met.
• Perimeter Security—Protects and secures traffic in
and out of organization’s cloud-based resources,
including connection points between corporate network
and public internet.
• Segmentation—Partitions the architecture into
isolated component sections to prevent lateral
movement in the case of a breach. Often includes
principles of ‘least privilege’.
• User Identity and Access Management—Ensures
understanding, visibility, and control into all users
(people, devices, and systems) that access corporate
assets. Enables enforcement of access, permissions,
and protocols.
• Data encryption—Ensures data at rest and traveling
between internal and external cloud connection points is
encrypted to minimize breach impact.
• Automation—Facilitates rapid security and configuration
provisioning and updates as well as quick threat detection.
• Logging and Monitoring—Captures activities and
constant observation (often automated) of all activity on
connected systems and cloud-based services to ensure
compliance, visibility into operations, and awareness of
threats.
• Visibility—Incorporates tools and processes to maintain
visibility across an organization’s multiple cloud
deployments.
• Flexible Design—Ensuring architecture design is
sufficiently agile to develop and incorporate new
components and solutions without sacrificing inherent
security.
Cloud Security Architecture
Threats
Cloud services are affected by the most common types of
concerns and threats, including:
• data breaches,
• malware injections,
• regulatory non-compliance,
• insider threats,
• insecure application programming interfaces (APIs),
• account hijacking through stolen or compromised credentials,
• phishing, and
• service disruptions due to denial-of-service attacks or
misconfigurations.
If a breach occurs, liability for the breach is based on the shared
responsibility model.
IaaS Cloud Security Threats
• Availability disruption through denial-of-service attacks
• Broken authentication
• Sensitive data exposure
• XML external entities
• Broken access control
• Security misconfigurations
• Using components with known vulnerabilities
• Insufficient logging and monitoring
• Data leakage (through inadequate ACL)
• Privilege escalation through misconfiguration
• DoS attack via API
• Weak privileged key protection
• Virtual machine (VM) weaknesses
• Insider data theft
PaaS Cloud Security Threats
• Authorization weaknesses in platform services
• Run-time engine vulnerabilities
• Availability disruption through denial-of-service attacks
• Broken authentication
• Sensitive data exposure
• XML external entities
• Broken access control
• Security misconfigurations
• Using components with known vulnerabilities
• Insufficient logging and monitoring
• Data leakage (through inadequate ACL)
• Privilege escalation through misconfiguration
• DoS attack via API
• Privilege escalation via API
• Weak privileged key protection
• Virtual machine (VM) weaknesses
• Insider data theft
SaaS Cloud Security Threats
– Weak or immature identity and access management
– Weak cloud security standards
– Shadow IT/unsanctioned cloud applications/software
– Service disruption through denial-of-service attacks
– Phishing
– Weak compliance and auditing oversight
– Stolen or compromised credentials
– Weak vulnerability monitoring
5.6 Data Security
• Data security is the practice of protecting digital
information from unauthorized access, corruption,
or theft throughout its entire lifecycle.
• When properly implemented, robust data security
strategies will protect an organization’s
information assets against cybercriminal
activities, but they also guard against insider
threats and human error, which remains among
the leading causes of data breaches today.
Types of data security
Encryption
Encryption transforms readable data into an unreadable form
using an algorithm and a key, so that only holders of the key
can read it. File and database encryption solutions serve as
a final line of defense for sensitive volumes by obscuring
their contents through encryption or tokenization. Most
solutions also include key management capabilities, since
the protection is only as strong as the control of the keys.
Data Erasure
More secure than standard data wiping, data erasure uses
software to completely overwrite data on any storage
device. It verifies that the data is unrecoverable.
• Data Masking
By masking data, organizations can allow teams to
develop applications or train people using real
data. It masks personally identifiable information
(PII) where necessary so that development can
occur in environments that are compliant.
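As an added example of the masking described above (not from the original slides), the Python below masks a customer record and its orders for use in a development environment: the customer id is replaced by a keyed, deterministic pseudonym so the orders table still joins to the customers table, the e-mail keeps its domain but loses its local part, the card number keeps only its last four digits and the date of birth is reduced to the year. The masking key, the records and the field names are constructed for the demo.

```python
import hashlib
import hmac
import re

MASK_KEY = b"constructed-masking-key-store-this-in-a-vault"   # constructed for the demo


def pseudonym(value, prefix="", length=12):
    """Deterministic, keyed, non-reversible token for a value.

    The same input always yields the same token, so joins between masked tables
    still work. A keyed HMAC rather than a plain hash means nobody without the
    key can confirm a guess by hashing candidate values themselves.
    """
    tag = hmac.new(MASK_KEY, value.encode(), hashlib.sha256).hexdigest()[:length]
    return prefix + tag


def mask_email(email):
    local, _, domain = email.partition("@")
    return pseudonym(local, length=10) + "@" + domain    # keep the domain so test data looks real


def mask_card(pan):
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]          # last four only, as on a receipt


def mask_customer(rec):
    masked = dict(rec)
    masked["customer_id"] = pseudonym(rec["customer_id"], prefix="cust_")
    masked["name"] = "Customer " + pseudonym(rec["name"], length=6)
    masked["email"] = mask_email(rec["email"])
    masked["card_number"] = mask_card(rec["card_number"])
    masked["date_of_birth"] = rec["date_of_birth"][:4] + "-01-01"   # year only
    return masked


def mask_orders(orders):
    """Apply the same customer_id pseudonym so orders still link to their customer."""
    return [dict(o, customer_id=pseudonym(o["customer_id"], prefix="cust_")) for o in orders]


# Constructed sample records; no real person, and the card number is a test number.
CUSTOMER = {"customer_id": "C-10042", "name": "Jane Example",
            "email": "jane.example@example.org",
            "card_number": "4111 1111 1111 1234", "date_of_birth": "1984-07-19"}
ORDERS = [{"order_id": "O-1", "customer_id": "C-10042", "total": 49.99},
          {"order_id": "O-2", "customer_id": "C-10042", "total": 12.50}]

if __name__ == "__main__":
    print(mask_customer(CUSTOMER))
    print(mask_orders(ORDERS))
```

Because the pseudonym is keyed, the masking key must be protected like any other secret: whoever holds it can check whether a given real customer maps to a given masked record, which is exactly the linkage masking is meant to prevent in the development environment.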
Data Resiliency
Resiliency is determined by how well a data center
is able to endure or recover any type of failure –
from hardware problems to power shortages and
other disruptive events.
Data security strategies
• Physical security of servers and user devices
Regardless of whether your data is stored on-premises, in
a corporate data center, or in the public cloud, you need to
ensure that facilities are secured against intruders and
have adequate fire suppression measures and climate
controls in place. For public cloud resources, the cloud
provider assumes responsibility for these physical
protections under the shared responsibility model.
• Access management and controls
The principle of “least-privilege access” should be followed
throughout your entire IT environment. This means
granting database, network, and administrative account
access to as few people as possible, and only those who
absolutely need it to get their jobs done.
Application security and patching
All software should be updated to the latest version as
soon as possible after patches or new versions are
released.
Backups
Maintaining usable, thoroughly tested backup copies of all
critical data is a core component of any robust data
security strategy. In addition, all backups should be
subject to the same physical and logical security controls
that govern access to the primary databases and core
systems.
Network and endpoint security monitoring and
controls
Implementing a comprehensive suite of threat
management, detection, and response tools and platforms
across your on-premises environment and cloud platforms
can mitigate risks and reduce the probability of a breach.
5.7 Application Security
• Application security describes security measures
at the application level that aim to prevent data or
code within the app from being stolen or hijacked.
• Application security may include hardware,
software, and procedures that identify or minimize
security vulnerabilities.
• Cloud application security is a series of defined
policies, processes, controls, and technology
governing all information exchanges that happen
in collaborative cloud environments like Microsoft
Office 365, Google G Suite, etc.
CLOUD APPLICATION SECURITY THREATS
• Misconfiguration of application setup is the single
biggest threat to cloud security because data breaches tend
to happen when services are accidentally exposed to the
public internet.
• Unauthorized access to a website, server, service, or other
system is also an area for great concern because once
they’re in, there’s no telling what unauthorized users will do
to create chaos.
• Insecure APIs and interfaces present easy opportunities
for attackers to breach systems because they are often the
only assets exposed outside the organizational boundary on a
public IP address.
• Account hijacking is feared because a single set of stolen
or compromised credentials gives an attacker everything that
account can reach, and because misuse under a legitimate
account is hard to tell apart from normal activity.
Types of application security
• Authentication: When software developers build
procedures into an application to ensure that only authorized
users gain access to it. Authentication procedures ensure
that a user is who they say they are. This is commonly done
by requiring a user name and password when logging in,
ideally strengthened with a second factor.
• Authorization: After a user has been authenticated, the
user may be authorized to access and use the application.
The system can validate that a user has permission to access
the application by comparing the user’s identity with a list of
authorized users. Authentication must happen before
authorization so that the application matches only validated
user credentials to the authorized user list.
• Encryption: After a user has been authenticated
and is using the application, other security measures
can protect sensitive data from being seen or even
used by a cybercriminal. In cloud-based applications,
where traffic containing sensitive data travels
between the end user and the cloud, that traffic can
be encrypted to keep the data safe.
• Logging: If there is a security breach in an
application, logging can help identify who got access
to the data and how. Application log files provide a
time-stamped record of which aspects of the
application were accessed and by whom.
• Application security testing: A necessary process
to ensure that all of these security controls work
properly.
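The ordering rule above (authenticate first, then authorize against the proven identity) is where many application bugs live. As an added example (not from the original slides), the Python below shows a request handler that verifies an HMAC-signed session token, then a vulnerable variant that authorizes the identity the client merely claims in the request, beside a hardened variant that authorizes only the identity the token proved, denies by default and writes an audit log line for every decision. The signing key, the permission table and the request shapes are constructed for the demo; the token format stands in for whatever session mechanism a real framework provides.

```python
import hashlib
import hmac
import time

SESSION_KEY = b"constructed-session-signing-key"     # constructed for the demo
PERMISSIONS = {"alice": {"report:read"}, "bob": {"report:read", "report:admin"}}
AUDIT = []                                            # stands in for the application log


def issue_token(user, ttl=3600, now=None):
    """Session token: user, expiry and an HMAC over both."""
    exp = int((time.time() if now is None else now) + ttl)
    payload = "%s:%d" % (user, exp)
    mac = hmac.new(SESSION_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + ":" + mac


def authenticate(token, now=None):
    """Return the user name only if the MAC verifies and the token has not expired."""
    try:
        user, exp, mac = token.split(":")
    except (ValueError, AttributeError):
        return None
    expected = hmac.new(SESSION_KEY, ("%s:%s" % (user, exp)).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):        # constant-time comparison
        return None
    if int(exp) < (time.time() if now is None else now):
        return None
    return user


def _log(decision, user, action, resource):
    AUDIT.append("%s user=%s action=%s resource=%s" % (decision, user, action, resource))


def handle_vulnerable(request):
    """Authenticates correctly, then authorizes the identity the client *claims*
    in the 'user' field instead of the one the token proved."""
    if authenticate(request.get("token")) is None:
        return 401
    claimed = request.get("user")
    if request["action"] in PERMISSIONS.get(claimed, set()):
        return 200
    return 403


def handle_hardened(request, now=None):
    """Identity comes only from the verified token; anything not granted is denied."""
    user = authenticate(request.get("token"), now)
    if user is None:
        _log("DENY-unauthenticated", "-", request.get("action"), request.get("resource"))
        return 401
    if request["action"] not in PERMISSIONS.get(user, set()):
        _log("DENY", user, request["action"], request.get("resource"))
        return 403
    _log("ALLOW", user, request["action"], request.get("resource"))
    return 200


if __name__ == "__main__":
    token = issue_token("alice")
    escalation = {"token": token, "user": "bob", "action": "report:admin", "resource": "q3"}
    print("vulnerable:", handle_vulnerable(escalation))   # alice acts with bob's rights
    print("hardened:", handle_hardened(escalation))
    print("\n".join(AUDIT))
```

The audit lines record who was allowed or denied what, which is the information an incident responder needs from application logs after a breach; they deliberately never contain the token itself.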
5.8 Virtual Machine Security
• Virtualized security, or security virtualization, refers to security solutions that are software-based and designed to work within a virtualized IT environment.
• This differs from traditional, hardware-based network security, which is static and runs on devices such as traditional firewalls, routers, and switches.
• In contrast to hardware-based security, virtualized security is flexible and dynamic.
• Instead of being tied to a device, it can be deployed anywhere in the network and is often cloud-based.
• In the cloud environment, physical servers are consolidated into multiple virtual machine instances on virtualized servers.
• Not only can data center security teams replicate typical security controls for the data center at large to secure the virtual machines, they can also advise their customers on how to prepare these machines for migration to a cloud environment when appropriate.
• Firewalls, intrusion detection and prevention, integrity monitoring, and log inspection can all be deployed as software on virtual machines to increase protection and maintain the compliance integrity of servers and applications as virtual resources move from on-premises to public cloud environments.
Benefits of virtualized security
• Cost-effectiveness: Virtualized security allows an enterprise to maintain a secure network without a large increase in spending on expensive proprietary hardware. Pricing for cloud-based virtualized security services is often determined by usage, which can mean additional savings for organizations that use resources efficiently.
• Flexibility: Virtualized security functions can follow workloads anywhere, which is crucial in a virtualized environment. It provides protection across multiple data centers and in multi-cloud and hybrid cloud environments, allowing an organization to take advantage of the full benefits of virtualization while also keeping data secure.
• Operational efficiency: Quicker and easier to deploy than hardware-based security, virtualized security doesn’t require IT teams to set up and configure multiple hardware appliances. Instead, they can set up security systems through centralized software, enabling rapid scaling. Using software to run security technology also allows security tasks to be automated, freeing up additional time for IT teams.
• Regulatory compliance: Traditional hardware-based security is static and unable to keep up with the demands of a virtualized network, making virtualized security a necessity for organizations that need to maintain regulatory compliance.
Risks of virtualized security
• The increased complexity of virtualized security can be a challenge for IT, which in turn leads to increased risk.
• It’s harder to keep track of workloads and applications in a virtualized environment as they migrate across servers, which makes it more difficult to monitor security policies and configurations.
• And the ease of spinning up virtual machines can also contribute to security holes.
How is physical security different from virtualized security?
• Traditional physical security is hardware-based, and as a result, it’s inflexible and static.
• The traditional approach depends on devices deployed at strategic points across a network and is often focused on protecting the network perimeter (as with a traditional firewall).
• However, the perimeter of a virtualized, cloud-based network is necessarily porous, and workloads and applications are dynamically created, increasing the potential attack surface.
• Traditional security also relies heavily upon port and protocol filtering, an approach that’s ineffective in a virtualized environment where addresses and ports are assigned dynamically.
• In such an environment, traditional hardware-based security is not enough; a cloud-based network requires virtualized security that can move around the network along with workloads and applications.
Different types of virtualized security
• Segmentation, or making specific resources available only to specific applications and users. This typically takes the form of controlling traffic between different network segments or tiers.
• Micro-segmentation, or applying specific security policies at the workload level to create granular secure zones and limit an attacker’s ability to move through the network. Micro-segmentation divides a data center into segments and allows IT teams to define security controls for each segment individually, bolstering the data center’s resistance to attack.
• Isolation, or separating independent workloads and applications on the same network. This is particularly important in a multitenant public cloud environment, and can also be used to isolate virtual networks from the underlying physical infrastructure, protecting the infrastructure from attack.
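The three types just listed can be expressed as layers of a single policy decision. The following is an added example, not code from the slides or from any vendor product: a minimal workload-level policy evaluator in which tenant isolation is checked first, tier-level segmentation second, and explicit label-based micro-segmentation rules last, with everything denied by default. The workload names, tenants, labels and rules are constructed sample data.

```python
"""Added example, not from the slides: a minimal evaluator combining
isolation, segmentation and micro-segmentation into one default-deny
decision.  Workload names, tenants, labels and rules are constructed."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Workload:
    name: str
    tenant: str                      # isolation boundary between customers
    tier: str                        # coarse network segment: web / app / db
    labels: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class Rule:
    """Micro-segmentation rule: every src/dst label must be present on the
    workload for the rule to match; nothing matches by default."""
    src_labels: frozenset
    dst_labels: frozenset
    port: int
    proto: str = "tcp"


# Segmentation: the only tier-to-tier paths permitted (default deny).
TIER_ADJACENCY = {("web", "app"), ("app", "db")}


def allowed(src: Workload, dst: Workload, port: int, rules, proto: str = "tcp") -> bool:
    """Return True only if all three policy layers permit the flow."""
    if src.tenant != dst.tenant:                    # isolation
        return False
    if (src.tier, dst.tier) not in TIER_ADJACENCY:  # segmentation
        return False
    for r in rules:                                 # micro-segmentation
        if (r.port == port and r.proto == proto
                and r.src_labels <= src.labels and r.dst_labels <= dst.labels):
            return True
    return False


# Constructed inventory for two tenants sharing the same data center.
WEB_A = Workload("web-a1", "tenant-a", "web", frozenset({"app=shop", "role=frontend"}))
API_A = Workload("api-a1", "tenant-a", "app", frozenset({"app=shop", "role=api"}))
DB_A = Workload("db-a1", "tenant-a", "db", frozenset({"app=shop", "role=postgres"}))
API_B = Workload("api-b1", "tenant-b", "app", frozenset({"app=shop", "role=api"}))

RULES = [
    Rule(frozenset({"role=frontend"}), frozenset({"role=api"}), 8080),
    Rule(frozenset({"app=shop", "role=api"}), frozenset({"role=postgres"}), 5432),
]


def evaluate(flows, rules=RULES):
    """Evaluate (src, dst, port) flows; returns {(src, dst, port): decision}."""
    return {(s.name, d.name, p): allowed(s, d, p, rules) for s, d, p in flows}


if __name__ == "__main__":
    sample = [(WEB_A, API_A, 8080), (WEB_A, DB_A, 5432), (API_A, DB_A, 5432),
              (API_A, DB_A, 22), (API_B, DB_A, 5432)]
    for flow, ok in evaluate(sample).items():
        print(flow, "ALLOW" if ok else "DENY")
```

Note the ordering: a flow from tenant-b's API to tenant-a's database is refused by the isolation check before any rule is consulted, and a web-tier workload cannot reach the database tier even with matching labels, because the tier adjacency set never lists that path. Only traffic that passes both coarse checks is then matched against the workload-level rules.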
5.9 Identity Management and Access Control
• Identity management and access control is the discipline of managing access to enterprise resources to keep systems and data secure.
• As a key component of security architecture, it helps verify users’ identities before granting them the right level of access to workplace systems and information.
• While people might use the terms identity management, authentication, and access control interchangeably, each of these serves as a distinct layer in enterprise security processes.
• Identity management—also referred to as identity and access management (IAM)—is the overarching discipline for verifying a user’s identity and their level of access to a particular system.
• Within that scope, both authentication and access control—which regulates each user’s level of access to a given system—play vital roles in securing user data.
• We interact with authentication mechanisms every day.
• When you enter a username and password, use a PIN, scan your fingerprint, or tap your bank card, your identity is being verified for authentication purposes.
• Once your identity is verified, access control is implemented to determine your level of access.
• This is important for applications and services that have different levels of authorization for different users.
• Access control, for instance, will allow software administrators to add users or edit profiles while also barring lower-tier users from accessing certain features and information.
Types of Access Controls
1. Mandatory Access Control: This is a system-enforced access control that is based on a subject’s clearance and an object’s labels. It is usually associated with multilevel security labels such as Top Secret, Confidential, and Secret.
2. Discretionary Access Control: This is a type of access control that restricts access to objects based on the identity of subjects and the groups to which they belong. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission on to another subject.
3. Rule Based Access Control: In this model, access rules are pre-defined (for example, via an ACL) and are evaluated to determine access permissions. Rule-based access defines specific and detailed situations in which a subject can or cannot access an object, and what that subject can do once access is granted.
4. Physical Access Control: Physical access controls restrict access to a physical space within an organization. This type of access control limits access to rooms, buildings and physical IT assets. One benefit of implementing these controls is that you have a record of everyone who is entering and leaving restricted areas.
5. Role Based Access Control: This is a type of control that uses a user’s role as a basis to restrict access. Custom roles are usually created such that the least privilege policy is maintained, and the access is revoked when no longer needed.
6. Attribute Based Access Control: This is a form of access control that governs access based on attributes. These can be user attributes, resource or object attributes, and environmental attributes.
7. Policy Based Access Control: This is a strategy used to manage access based on the policies which determine what access role each person must have.
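To make the differences between these models concrete, here is an added example (not code from the slides) with small reference decision functions for four of them: MAC decides from a clearance-versus-label comparison, DAC lets a permission holder delegate, RBAC routes every check through roles, and ABAC combines user, resource and environmental attributes. The levels, users, roles and attribute values are all constructed sample data.

```python
"""Added example, not from the slides: reference decision functions for
MAC, DAC, RBAC and ABAC.  Users, objects, roles and attributes are
constructed sample data."""

# --- Mandatory Access Control: clearance vs. label, enforced by the system.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


def mac_can_read(subject_clearance: str, object_label: str) -> bool:
    """Read is permitted only if the clearance dominates the object's label
    ("no read up"); the subject cannot change this decision."""
    return LEVELS[subject_clearance] >= LEVELS[object_label]


# --- Discretionary Access Control: permission holders may pass rights on.
class DacObject:
    def __init__(self, owner: str):
        self.acl = {owner: {"read", "write", "grant"}}

    def grant(self, grantor: str, grantee: str, perm: str) -> bool:
        """Only a subject holding 'grant' may delegate; this is what makes
        the model discretionary.  Returns False instead of delegating."""
        if "grant" not in self.acl.get(grantor, set()):
            return False
        self.acl.setdefault(grantee, set()).add(perm)
        return True

    def allows(self, subject: str, perm: str) -> bool:
        return perm in self.acl.get(subject, set())


def dac_demo():
    """Owner delegates read to bob; bob, lacking 'grant', cannot delegate."""
    doc = DacObject("alice")
    delegated = doc.grant("alice", "bob", "read")
    return (delegated, doc.allows("bob", "read"), doc.allows("bob", "write"),
            doc.grant("bob", "carol", "read"))


# --- Role Based Access Control: permissions attach to roles, users to roles.
ROLE_PERMS = {
    "admin": {"user:add", "profile:edit", "report:view"},
    "analyst": {"report:view"},
}
USER_ROLES = {"alice": {"admin"}, "bob": {"analyst"}}


def rbac_allows(user: str, perm: str) -> bool:
    return any(perm in ROLE_PERMS.get(role, set())
               for role in USER_ROLES.get(user, set()))


# --- Attribute Based Access Control: user, resource and environment attributes.
def abac_allows(user: dict, resource: dict, env: dict) -> bool:
    """Constructed policy: same department, business hours, corporate network."""
    same_dept = user.get("department") == resource.get("department")
    in_hours = 9 <= env.get("hour", -1) < 18
    trusted_net = env.get("network") == "corp"
    return same_dept and in_hours and trusted_net


if __name__ == "__main__":
    print("MAC  Secret reads Confidential:", mac_can_read("Secret", "Confidential"))
    print("DAC  demo (delegated, bob read, bob write, bob grants):", dac_demo())
    print("RBAC bob may add users:", rbac_allows("bob", "user:add"))
    print("ABAC finance user, finance file, 10:00, corp:",
          abac_allows({"department": "finance"}, {"department": "finance"},
                      {"hour": 10, "network": "corp"}))
```

The RBAC and ABAC functions are the ones that map most directly to the "administrators can add users, lower-tier users cannot" example given earlier; the MAC function shows why that model is called mandatory (the subject has no way to override the label comparison), and `dac_demo` shows the delegation behaviour that makes DAC permissions spread unless they are reviewed.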
Identity Management best practices:
Listed below are the best practices to maintain the integrity of user and device identities based on the security controls:
• Perform a SWOT (Strengths, Weaknesses, Opportunities, Threats) analysis based on the risk appetite of your company
• Least privilege – be aware of any ‘allow all’ type of roles and where/when those are being used
• Protect root-level access and restrict privilege abuse
• Detail and assess the out-of-the-box roles before assigning them
• Control groups for permission assignments and monitor the access
• Be sure to have good password policies configured into applications and processes
• Remove unused credentials
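Two of these practices, watching for ‘allow all’ roles and removing unused credentials, lend themselves to a routine audit. The following is an added example, not code from the slides or from any cloud provider’s tooling: it scans policy documents for statements that allow every action or put a service-wide wildcard on every resource, and lists credentials that have not been used within a chosen window. The policy documents, usernames, key identifiers and dates are constructed sample data, and the Effect/Action/Resource document shape is used generically rather than being tied to a particular provider.

```python
"""Added example, not from the slides: audit helpers for two identity
best practices, spotting "allow all" policy statements and stale
credentials.  Policies, users, key ids and dates are constructed."""
from datetime import date, timedelta

# Constructed sample policy documents (generic Effect/Action/Resource shape).
SAMPLE_POLICIES = {
    "PowerUser": {"Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "ReadLogs": {"Statement": [
        {"Effect": "Allow", "Action": ["logs:Get*", "logs:Describe*"],
         "Resource": "example:logs:*"}]},
    "Mixed": {"Statement": [
        {"Effect": "Allow", "Action": ["storage:GetObject"],
         "Resource": "example:bucket/*"},
        {"Effect": "Allow", "Action": ["iam:*"], "Resource": "*"}]},
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_allow_all(policies):
    """Return (policy_name, statement_index, reason) for risky Allow statements."""
    findings = []
    for name, doc in policies.items():
        for i, st in enumerate(doc.get("Statement", [])):
            if st.get("Effect") != "Allow":
                continue
            actions = _as_list(st.get("Action", []))
            resources = _as_list(st.get("Resource", []))
            if "*" in actions:
                findings.append((name, i, "allows every action"))
            elif "*" in resources and any(a.endswith(":*") for a in actions):
                findings.append((name, i, "service-wide wildcard on every resource"))
    return findings


# Constructed credential inventory; last_used None means the key was never used.
SAMPLE_CREDS = [
    {"user": "alice", "key_id": "KEY-ALICE-1", "created": date(2024, 1, 10), "last_used": date(2024, 6, 1)},
    {"user": "bob", "key_id": "KEY-BOB-1", "created": date(2023, 11, 2), "last_used": date(2024, 1, 5)},
    {"user": "ci", "key_id": "KEY-CI-1", "created": date(2024, 5, 20), "last_used": None},
    {"user": "svc", "key_id": "KEY-SVC-1", "created": date(2023, 1, 1), "last_used": None},
]
TODAY = date(2024, 6, 10)   # constructed "now" so the run is reproducible


def stale_credentials(creds, today=TODAY, max_age_days=90):
    """Key ids not used within max_age_days; never-used keys are judged by
    creation date so a recently issued key is not flagged immediately."""
    cutoff = today - timedelta(days=max_age_days)
    stale = []
    for c in creds:
        last_activity = c["last_used"] or c["created"]
        if last_activity < cutoff:
            stale.append(c["key_id"])
    return stale


if __name__ == "__main__":
    for policy, idx, reason in find_allow_all(SAMPLE_POLICIES):
        print(f"policy {policy} statement {idx}: {reason}")
    print("stale credentials:", stale_credentials(SAMPLE_CREDS))
```

A statement such as `"Action": ["iam:*"], "Resource": "*"` is reported even though it is not literally `"*"`, because a service-wide wildcard on every resource is the kind of ‘allow all’ role the practice warns about. Never-used keys are measured from their creation date, so a key issued last week is left alone while one created long ago and never used is flagged for removal.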

More Related Content

PPTX
I am sharing 'Unit-2' with youuuuuu.PPTX
PPTX
Chapter_5_Security_CC.pptx
PPTX
Cloud Security Issues and Challenge.pptx
PPTX
I am sharing 'unit 4' with youuuuuu.PPTX
PPTX
I am sharing 'unit 4' with youuuuuu.PPTX
PPTX
Bil Harmer - Myths of Cloud Security Debunked!
PDF
Security and Privacy Issues of Cloud Computing; Solutions and Secure Framework
PDF
Module 5-cloud computing-SECURITY IN THE CLOUD
I am sharing 'Unit-2' with youuuuuu.PPTX
Chapter_5_Security_CC.pptx
Cloud Security Issues and Challenge.pptx
I am sharing 'unit 4' with youuuuuu.PPTX
I am sharing 'unit 4' with youuuuuu.PPTX
Bil Harmer - Myths of Cloud Security Debunked!
Security and Privacy Issues of Cloud Computing; Solutions and Secure Framework
Module 5-cloud computing-SECURITY IN THE CLOUD

Similar to cloud computer security fundamentals Unit-5.pptx (20)

PPTX
Company concern risk migration
PPTX
What is the significance of cybersecurity in cloud.pptx
PDF
MBT Webinar: Does the security of your business data keep you up at night?
PPTX
Cloud Computing
PDF
Cloud Security
PPTX
Cloud Security: A matter of trust?
PDF
Cloud security risks
PDF
Cloud security risks
PPTX
Cloud Migration PPT -final.pptx
PPTX
Cloud Computing Security Essentials for beginners
PDF
Cloud Security Network – Definition and Best Practices.pdf
PDF
Pillars Of Cloud Computing: Decoding The Fundamentals
PPTX
Extending security in the cloud network box - v4
PPTX
Ph d abstract
PPTX
cloud abstract
PDF
Cloud Security Challenges, Types, and Best Practises.pdf
PDF
Is it an internal affair
PPTX
Pros And Cons Of Cloud-Based Security Solutions.pptx
PPTX
chapitre1-cloud security basics-23 (1).pptx
PDF
Whitepaper: Security of the Cloud
Company concern risk migration
What is the significance of cybersecurity in cloud.pptx
MBT Webinar: Does the security of your business data keep you up at night?
Cloud Computing
Cloud Security
Cloud Security: A matter of trust?
Cloud security risks
Cloud security risks
Cloud Migration PPT -final.pptx
Cloud Computing Security Essentials for beginners
Cloud Security Network – Definition and Best Practices.pdf
Pillars Of Cloud Computing: Decoding The Fundamentals
Extending security in the cloud network box - v4
Ph d abstract
cloud abstract
Cloud Security Challenges, Types, and Best Practises.pdf
Is it an internal affair
Pros And Cons Of Cloud-Based Security Solutions.pptx
chapitre1-cloud security basics-23 (1).pptx
Whitepaper: Security of the Cloud
Ad

More from SuryaBasnet3 (20)

PPT
Operating System task and sub task system call ch2 system call.ppt
PDF
Operating System File Management disk_management.pdf
PPTX
Management Information system laudon_ess10e_pp_3.pptx
PPT
business information system CRM and Supply chain management .ppt
PPTX
A modern approach to AI AI_02_agents_Strut.pptx
PPTX
Introduction to Artificial Intelligence 01_intro.pptx
PPTX
Operating System File System IMpl lecture19.pptx
PPTX
Laudon and Traver Unit 3 17th edition.pptx
PPTX
cryptography and Network Security AES.pptx
PPT
crypto Digital Signature Diffie Hell man.ppt
PPT
Block Cipher Stream Cipher DESUnit 3.ppt
PPTX
E-governance framework and its evolutions Chapter 2.pptx
PPTX
[CS161 FA23] Lecture 1_ Introduction and Security Principles.pptx
PPTX
introduction to information technology Chapter I.pptx
PPTX
Information system within organization Chapter VI.pptx
PPTX
Business Information SystemChapter VI.pptx
PPTX
Adhit_presentation_Searching_Algorithm(BFS,DFS).pptx
PPTX
Cloud computing and different and its types Unit-2.pptx
DOCX
E-Democracy.docx E Governance and digital Governance in AI era
PPTX
Machine Learning Presentation uses of AI in Agriculture.pptx
Operating System task and sub task system call ch2 system call.ppt
Operating System File Management disk_management.pdf
Management Information system laudon_ess10e_pp_3.pptx
business information system CRM and Supply chain management .ppt
A modern approach to AI AI_02_agents_Strut.pptx
Introduction to Artificial Intelligence 01_intro.pptx
Operating System File System IMpl lecture19.pptx
Laudon and Traver Unit 3 17th edition.pptx
cryptography and Network Security AES.pptx
crypto Digital Signature Diffie Hell man.ppt
Block Cipher Stream Cipher DESUnit 3.ppt
E-governance framework and its evolutions Chapter 2.pptx
[CS161 FA23] Lecture 1_ Introduction and Security Principles.pptx
introduction to information technology Chapter I.pptx
Information system within organization Chapter VI.pptx
Business Information SystemChapter VI.pptx
Adhit_presentation_Searching_Algorithm(BFS,DFS).pptx
Cloud computing and different and its types Unit-2.pptx
E-Democracy.docx E Governance and digital Governance in AI era
Machine Learning Presentation uses of AI in Agriculture.pptx
Ad

Recently uploaded (20)

PPTX
Cell Types and Its function , kingdom of life
PPTX
BOWEL ELIMINATION FACTORS AFFECTING AND TYPES
PDF
Mark Klimek Lecture Notes_240423 revision books _173037.pdf
PDF
Microbial disease of the cardiovascular and lymphatic systems
PPTX
The Healthy Child – Unit II | Child Health Nursing I | B.Sc Nursing 5th Semester
PPTX
Week 4 Term 3 Study Techniques revisited.pptx
PDF
102 student loan defaulters named and shamed – Is someone you know on the list?
PPTX
human mycosis Human fungal infections are called human mycosis..pptx
PPTX
Final Presentation General Medicine 03-08-2024.pptx
PDF
Abdominal Access Techniques with Prof. Dr. R K Mishra
PDF
Basic Mud Logging Guide for educational purpose
PDF
Saundersa Comprehensive Review for the NCLEX-RN Examination.pdf
PDF
O5-L3 Freight Transport Ops (International) V1.pdf
PPTX
school management -TNTEU- B.Ed., Semester II Unit 1.pptx
PDF
O7-L3 Supply Chain Operations - ICLT Program
PPTX
master seminar digital applications in india
PDF
STATICS OF THE RIGID BODIES Hibbelers.pdf
PPTX
PPT- ENG7_QUARTER1_LESSON1_WEEK1. IMAGERY -DESCRIPTIONS pptx.pptx
PDF
Pre independence Education in Inndia.pdf
PPTX
PPH.pptx obstetrics and gynecology in nursing
Cell Types and Its function , kingdom of life
BOWEL ELIMINATION FACTORS AFFECTING AND TYPES
Mark Klimek Lecture Notes_240423 revision books _173037.pdf
Microbial disease of the cardiovascular and lymphatic systems
The Healthy Child – Unit II | Child Health Nursing I | B.Sc Nursing 5th Semester
Week 4 Term 3 Study Techniques revisited.pptx
102 student loan defaulters named and shamed – Is someone you know on the list?
human mycosis Human fungal infections are called human mycosis..pptx
Final Presentation General Medicine 03-08-2024.pptx
Abdominal Access Techniques with Prof. Dr. R K Mishra
Basic Mud Logging Guide for educational purpose
Saundersa Comprehensive Review for the NCLEX-RN Examination.pdf
O5-L3 Freight Transport Ops (International) V1.pdf
school management -TNTEU- B.Ed., Semester II Unit 1.pptx
O7-L3 Supply Chain Operations - ICLT Program
master seminar digital applications in india
STATICS OF THE RIGID BODIES Hibbelers.pdf
PPT- ENG7_QUARTER1_LESSON1_WEEK1. IMAGERY -DESCRIPTIONS pptx.pptx
Pre independence Education in Inndia.pdf
PPH.pptx obstetrics and gynecology in nursing

cloud computer security fundamentals Unit-5.pptx

  • 2. • “Security in the Cloud is much like security in your on-premises data centers - only without the costs of maintaining facilities and hardware. In the Cloud, you don’t have to manage physical servers or storage devices. Instead, you use software-based security tools to monitor and protect the flow of information into and of out of your Cloud resources.” • (The Beginner’s Guide to Cloud Security, Amazon Web Services 2019) • https://www.whizlabs.com/blog/cloud- security-for-beginners/
  • 3. • The objective of Cloud security is keeping your data secure in the Cloud. • Although Cloud projects are becoming widely popular, an increasing number of executives and business owners is concerned with how to secure their Cloud environment against cyberattacks, data breaches and intrusions – and that, rightfully so. • According to Gartner, organizations should never assume that using a Cloud service automatically means that whatever they do within this Cloud environment will be secure. • As opposed to traditional IT security, Cloud security solutions typically use third-party data centers, require less upfront investments and are extremely scalable and efficient
  • 4. 5.1 Introduction to Security • Cloud security, also known as cloud computing security, consists of a set of policies, controls, procedures and technologies that work together to protect cloud-based systems, data, and infrastructure. • These security measures are configured to protect cloud data, support regulatory compliance and protect customers' privacy as well as setting authentication rules for individual users and devices. • From authenticating access to filtering traffic, cloud security can be configured to the exact needs of the business. • And because these rules can be configured and managed in one place, administration overheads are reduced and IT teams empowered to focus on other areas of the business.
  • 5. • The way cloud security is delivered will depend on the individual cloud provider or the cloud security solutions in place. • However, implementation of cloud security processes should be a joint responsibility between the business owner and solution provider.
  • 6. In fact, business owners and IT executives need to make Cloud security a priority during the three main stages of a Cloud adoption project. • Before Cloud Migration: Before going to the Cloud, organizations must assess their readiness to the Cloud aligned with their business risks, legal and technical considerations. During this phase, organizations must understand their objectives of moving to the Cloud, possible risks and expected outcomes. • During Cloud Migration: As the Cloud environment is ever-evolving, it is important to prioritize security all while moving your data to the Cloud. During the Cloud migration phase, it is important to adopt a risk-based approach to secure Cloud adoption to avoid potential pitfalls. • After Cloud Migration: Just because a Cloud migration project has been completed doesn’t mean that your Cloud environment is secure. Instead, organizations must continue to evaluate their Cloud security posture on a regular basis, monitor their Cloud environment and be vigilant about documenting any changes or potential Cloud risks.
  • 7. Cloud security offers many benefits, including: • Centralized security: Just as cloud computing centralizes applications and data, cloud security centralizes protection. • Cloud-based business networks consist of numerous devices and endpoints that can be difficult to manage. • Disaster recovery plans can also be implemented and actioned easily when they are managed in one place.
  • 8. • Reduced costs: One of the benefits of utilizing cloud storage and security is that it eliminates the need to invest in dedicated hardware. Not only does this reduce capital expenditure, but it also reduces administrative overheads. Where once IT teams were firefighting security issues reactively, cloud security delivers proactive security features that offer protection 24/7 with little or no human intervention. • Reduced Administration: When you choose a reputable cloud services provider or cloud security platform, you can kiss goodbye to manual security configurations and almost constant security updates. These tasks can have a massive drain on resources, but when you move them to the cloud, all security administration happens in one place and is fully managed on your behalf.
  • 9. • Reliability: Cloud computing services offer the ultimate in dependability. • With the right cloud security measures in place, users can safely access data and applications within the cloud no matter where they are or what device they are using. • More and more organizations are realizing the many business benefits of moving their systems to the cloud. • Cloud computing allows organizations to operate at scale, reduce technology costs and use agile systems that give them the competitive edge.
  • 10. Secure Data in the Cloud • Cloud data security becomes increasingly important as we move our devices, data centers, business processes, and more to the cloud. • Ensuring quality cloud data security is achieved through comprehensive security policies, an organizational culture of security, and cloud security solutions. • Selecting the right cloud security solution for your business is imperative if you want to get the best from the cloud and ensure your organization is protected from unauthorized access, data breaches and other threats. • Forcepoint Cloud Access Security Broker (CASB) is a complete cloud security solution that protects cloud apps and cloud data, prevents compromised accounts and allows you to set security policies on a per-device basis.
  • 11. 5.2 Cloud Security challenges and Risks • Many organizations are moderately to extremely concerned about cloud security. • When asked about what are the biggest security threats facing public clouds, organizations ranked:  misconfiguration  unauthorized access  insecure interfaces and  hijacking of accounts
  • 12. The Top Security Issues in Cloud Computing Misconfiguration • Misconfiguration of cloud infrastructure is a leading contributor to data breaches. If an organization’s cloud environment is not configured properly, critical business data and applications may become susceptible to an attack. • misconfiguration poses serious cloud security issues to businesses and the fallout can detrimentally impact day-to-day operations. • To prevent misconfigurations, those responsible for overseeing their organization’s cloud solution should be familiar with the security controls provided by their cloud service provider.
  • 13. • Cyberattacks • Cybercriminals and threat actors are constantly practicing and perfecting their hacking capabilities, and cloud environments are quickly becoming one of their primary targets. • It’s important for organizations to understand their cyber risk so they can make the necessary adjustments to proactively protect their business from cyberattacks.
  • 14. Malicious Insiders • Cyberattacks don’t just occur from external threats – insider threats are a major concern for businesses, too. • In fact, according to the 2020 Verizon Data Breach Investigations Report, 30% of data breaches involved internal actors. • Organizations must have the proper security controls in place to identify malicious insider activity and mitigate risks before there are any significant impacts to business operations.
  • 15. Lack of Visibility • A report by Forcepoint states that only 7% of cybersecurity professionals have extremely good visibility as to how employees use critical business data across company-owned and employee-owned devices, company- approved services (e.g., Microsoft Exchange), and employee services, while 58% say they have only moderate or slight visibility. • In a cloud environment, this lack of visibility can lead to cloud computing security issues that put organizations at risk, including malicious insider threats and cyberattacks that we discussed above. • It is imperative organizations have comprehensive visibility into their cloud environment on a continuous basis.
  • 16. Insecure Application & Configurations • According to a recent report from McAfee, 99% of IaaS misconfigurations go unnoticed, one of the most common entry points for cloud-native breaches. • As these misconfigurations are client-side, this underscores the need for shared responsibility and to consider cloud-native tools such as data loss prevention (DLP) that can help audit configurations to ensure data is being stored and protected against breach and non-compliance.
  • 17. • Data Leakage • By sharing public links – or changing the settings of a cloud-based file to “public” – anyone with knowledge of the link can access the information stored within them. • Additionally, hackers leverage tools to actively search the internet for instances of unsecured cloud deployments just like these. • If these resources contain proprietary company data or sensitive information and wind up in the wrong hands, there is an immediate threat of a potentially serious data breach, which can impact an organization.
  • 18. How to Mitigate Cloud Security Concerns and Issues • Although the cloud is full of benefits, there are cloud computing challenges and related security issues, and through 2025, 99% of cloud security failures will be the customer’s fault according to Gartner. • To help mitigate risks, it is best to work with a managed cloud service provider that you trust and have full confidence in protecting your data. The trust you build with your partner will go a long way to help expand and secure your business in the cloud. • When searching for a provider, you should investigate what cybersecurity framework they use or recommend. It’s an easy question to ask, but it’s surprising how many managed service companies won’t have an answer for you.
  • 20. 5.3 Software-as-a-Service Security • SaaS Security refers to securing user privacy and corporate data in subscription- based cloud applications. • SaaS applications carry a large amount of sensitive data and can be accessed from almost any device by a mass of users, thus posing a risk to privacy and sensitive information.
  • 21. • SaaS is the dominant cloud service model for the foreseeable future and the area where the most critical need for security practices and oversight will reside. • Just as with a managed service provider, corporations or end users will need to research vendors’ policies on data security before using vendor services to avoid losing or not being able to access their data. • The technology analyst and consulting firm Gartner lists [6] seven security risks which one should discuss with a cloud-computing vendor:  Privileged user access  Regulatory compliance  Data location  Data segregation  Recovery  Investigative support  Long-term viability
  • 22. • To address the security issues listed above, SaaS providers will need to incorporate and enhance security practices used by the managed service providers and develop new ones as the cloud computing environment evolves. Vulnerability assessment Security image testing Data governance Data security Application security Virtual machine security Identity Access Management (IAM) Change management Physical security Disaster recovery Data privacy Security management Security governance Risk management Risk assessment Security awareness Education and training Policies and standards Third party risk management
  • 23. • SaaS is exposed by attacks on API’s(Application Programming Interface), publishers, web portals and interfaces. • The attacks on the SaaS are categorized into two broad groups: attacks on development tools and attacks on management tools. • Most popular services on SaaS are web services, web portals and APIs. • Intruders’ attempt un-authorized access and gain of services by attacking web portals and APIs. • These attacks affect data privacy. • Intruders try to extract the sensitive information of API Keys, private keys, and credentials of publishers via different kinds of attacks and automated tools. • Another possibility of attack on this layer is exposure of secure shell for extracting key credentials.
  • 25. • Data protection • In cloud computing applications are deployed in shared resource environments; therefore, data privacy is an important aspect. • Data privacy has three major challenges: integrity, authorized access and availability (backup/ replication). • Data integrity ensures that the data are not corrupted or tampered during communication. • Authorized access prevents data from intrusion attacks while backups and replicas allow data access efficiently even in case of a technical fault or disaster at some cloud location.
  • 26. • Attacks on interfaces • A successful attack on the cloud interfaces can result in a root level access of a machine without initiating a direct attack on the cloud infrastructure. • Two different kinds of attacks are launched on authentication mechanism of clouds. • The control interfaces are vulnerable to signature wrapping and advanced cross site scripting (XSS) techniques.
  • 27. • Attacks on SSH (Secure Shell) • Attacks on Secure Shell (SSH), the basic mechanism used to establish trust and connection with cloud services, are the most alarming threat that compromises control trust. • According to Ponemon 2014 SSH security Vulnerability Report , 74 percent organizations have no control to provision, rotate, track and remove SSH keys. • Cybercriminals take full advantage of these vulnerabilities and use cloud computing to launch different attacks.
  • 28. 5.4 Security Monitoring • Monitoring is a critical component of cloud security and management. • Typically relying on automated solutions, cloud security monitoring supervises virtual and physical servers to continuously assess and measure data, application, or infrastructure behaviors for potential security threats. • This assures that the cloud infrastructure and platform function optimally while minimizing the risk of costly data breaches.
  • 29. BENEFITS OF CLOUD SECURITY MONITORING • Cloud monitoring provides an easier way to identify patterns and pinpoint potential security vulnerabilities in cloud infrastructure. • As there’s a general perception of a loss of control when valuable data is stored in the cloud, effective cloud monitoring can put companies more at ease with making use of the cloud for transferring and storing data. • When customer data is stored in the cloud, cloud monitoring can prevent loss of business and frustrations for customers by ensuring that their personal data is safe. • The use of web services can increase security risks, yet cloud computing offers many benefits for businesses, from accessibility to a better customer experience. • Cloud monitoring is one initiative that enables companies to find the balance between the ability to mitigate risks and taking advantage of the benefits of the cloud – and it should do so without hindering business processes.
  • 30. CHALLENGES OF CLOUD SECURITY MONITORING • Virtualization poses challenges for monitoring in the cloud, and traditional configurations involving log management, log correlation, and event management (SIEM) tools aren’t routinely configured to adapt to dynamic environments where virtual machines may come and go in response to sharp increases or decreases in demand. • Visibility can also be a concern when it comes to cloud monitoring. Many companies rely on third-party cloud services providers and may not have access to every layer in the cloud computing stack, and therefore can’t gain full visibility to monitor for potential security flaws and vulnerabilities. • Finally, shifts in scope are another common challenge when dealing with cloud environments, as assets and applications may move between systems which may not necessarily have the same level of security monitoring.
  • 31. HOW CLOUD SECURITY MONITORING WORKS • There are several approaches to cloud security monitoring. Cloud monitoring can be done in the cloud platform itself, on premises using an enterprise’s existing security management tools, or via a third party service provider. Some of the key capabilities of cloud security monitoring software include: • Scalability: tools must be able to monitor large volumes of data across many distributed locations • Visibility: the more visibility into application, user, and file behavior that a cloud monitoring solution provides, the better it can identify potential attacks or compromises
  • 32. • Timeliness: the best cloud security monitoring solutions will provide constant monitoring, ensuring that new or modified files are scanned in real time • Integration: monitoring tools must integrate with a wide range of cloud storage providers to ensure full monitoring of an organization’s cloud usage • Auditing and Reporting: cloud monitoring software should provide auditing and reporting capabilities to manage compliance requirements for cloud security
  • 33. 5.5 Security Architecture Design • Cloud security architecture (also sometimes called a “cloud computing security architecture”) is defined by the security layers, design, and structure of the platform, tools, software, infrastructure, and best practices that exist within a cloud security solution. • A cloud security architecture provides the written and visual model to define how to configure and secure activities and operations within the cloud, including such things as:  identity and access management;  methods and controls to protect applications and data;  approaches to gain and maintain visibility into compliance, threat posture, and overall security;  processes for instilling security principles into cloud services development and operations;  policies and governance to meet compliance standards; and  physical infrastructure security components.
Key Elements of a Cloud Security Architecture
• When developing a cloud security architecture, several critical elements should be included:
– Security at Each Layer
– Centralized Management of Components
– Redundant & Resilient Design
– Elasticity & Scalability
– Appropriate Storage for Deployments
– Alerts & Notifications
– Centralization, Standardization, & Automation
Shared Responsibility within Cloud Security Architectures
• The types of service models in use by a business define the types of cloud security architectures that are most applicable.
• The service models are: Infrastructure as a Service (IaaS), Software as a Service (SaaS), and Platform as a Service (PaaS).
• Organizations that offer cloud services typically adhere to a shared responsibility model—that is, the cloud service provider is responsible for the security of the components necessary to operate the cloud service (software, computing, storage, database, networking, hardware, infrastructure, etc.).
• The customer is responsible for protecting the data and information that is stored in the cloud, as well as for controlling how that data is accessed (identity and access management).
• Responsibilities vary slightly depending on the type of service (IaaS, SaaS, or PaaS).
Infrastructure as a Service (IaaS) Shared Responsibility
• With IaaS, a business purchases the infrastructure from a cloud provider and typically installs its own operating systems, applications, and middleware.
• An example of an IaaS is Azure (Microsoft).
• In IaaS, the customer is usually responsible for the security associated with anything they own or install on the infrastructure.
Software as a Service (SaaS) Shared Responsibility
• With SaaS, an organization purchases the use of a cloud-based application from a provider. Examples of SaaS include Office 365 or Salesforce.
• In SaaS, the customer is typically only responsible for the security components associated with accessing the software, such as identity management, customer network security, etc.
• The software provider manages the security of the backend.
Platform as a Service (PaaS) Shared Responsibility
• With PaaS, a business purchases a platform from a cloud provider to develop, run, and manage applications without developing or managing the underlying platform infrastructure required for the applications.
• An example of a PaaS would be Amazon Web Services (AWS).
• In PaaS, the customer is responsible for the security associated with application implementation, configurations, and permissions.
Types of Cloud Security Architectures
• A cloud security architecture typically includes components and best practices relevant to the types of cloud security services the business wishes to secure.
• Examples include an AWS cloud security architecture, Google infrastructure security, or an Azure security architecture.
• Additional key components of a cloud security architecture include the cloud “shared responsibility model” and the principles of “zero trust architecture.”
Principles of Cloud Security Architecture
• A well-designed cloud security architecture should be based on the following key principles:
• Identification—Knowledge of the users, assets, business environment, policies, vulnerabilities and threats, and risk management strategies (business and supply chain) that exist within your cloud environment.
• Security Controls—Defines parameters and policies implemented across users, data, and infrastructure to help manage the overall security posture.
• Security by Design—Defines the control responsibilities, security configurations, and security baseline automations. Usually standardized and repeatable for deployment across common use cases, in line with security standards and audit requirements.
• Compliance—Integrates industry standards and regulatory components into the architecture and ensures standards and regulatory responsibilities are met.
• Perimeter Security—Protects and secures traffic in and out of an organization’s cloud-based resources, including connection points between the corporate network and the public internet.
• Segmentation—Partitions the architecture into isolated component sections to prevent lateral movement in the case of a breach. Often includes principles of ‘least privilege’.
• User Identity and Access Management—Ensures understanding, visibility, and control over all users (people, devices, and systems) that access corporate assets. Enables enforcement of access, permissions, and protocols.
• Data Encryption—Ensures data at rest and data traveling between internal and external cloud connection points is encrypted to minimize breach impact.
• Automation—Facilitates rapid security and configuration provisioning and updates as well as quick threat detection.
• Logging and Monitoring—Captures activities and provides constant observation (often automated) of all activity on connected systems and cloud-based services to ensure compliance, visibility into operations, and awareness of threats.
• Visibility—Incorporates tools and processes to maintain visibility across an organization’s multiple cloud deployments.
• Flexible Design—Ensures the architecture design is sufficiently agile to develop and incorporate new components and solutions without sacrificing inherent security.
Cloud Security Architecture Threats
Cloud services are affected by the most common types of concerns and threats, including:
• data breaches,
• malware injections,
• regulatory non-compliance,
• insider threats,
• insecure application programming interfaces (APIs),
• account hijacking through stolen or compromised credentials,
• phishing, and
• service disruptions due to denial-of-service attacks or misconfigurations.
If a breach occurs, liability for the breach is based on the shared responsibility model.
IaaS Cloud Security Threats
• Availability disruption through denial-of-service attacks
• Broken authentication
• Sensitive data exposure
• XML external entities
• Broken access control
• Security misconfigurations
• Using components with known vulnerabilities
• Insufficient logging and monitoring
• Data leakage (through inadequate ACLs)
• Privilege escalation through misconfiguration
• DoS attack via API
• Weak privileged key protection
• Virtual machine (VM) weaknesses
• Insider data theft
PaaS Cloud Security Threats
• Authorization weaknesses in platform services
• Run-time engine vulnerabilities
• Availability disruption through denial-of-service attacks
• Broken authentication
• Sensitive data exposure
• XML external entities
• Broken access control
• Security misconfigurations
• Using components with known vulnerabilities
• Insufficient logging and monitoring
• Data leakage (through inadequate ACLs)
• Privilege escalation through misconfiguration
• DoS attack via API
• Privilege escalation via API
• Weak privileged key protection
• Virtual machine (VM) weaknesses
• Insider data theft
SaaS Cloud Security Threats
• Weak or immature identity and access management
• Weak cloud security standards
• Shadow IT/unsanctioned cloud applications/software
• Service disruption through denial-of-service attacks
• Phishing
• Weak compliance and auditing oversight
• Stolen or compromised credentials
• Weak vulnerability monitoring
5.6 Data Security
• Data security is the practice of protecting digital information from unauthorized access, corruption, or theft throughout its entire lifecycle.
• When properly implemented, robust data security strategies protect an organization’s information assets against cybercriminal activities, but they also guard against insider threats and human error, which remain among the leading causes of data breaches today.
Types of data security
• Encryption: Using an algorithm to transform normal text characters into an unreadable format, encryption keys scramble data so that only authorized users can read it. File and database encryption solutions serve as a final line of defense for sensitive volumes by obscuring their contents through encryption or tokenization. Most solutions also include security key management capabilities.
• Data Erasure: More secure than standard data wiping, data erasure uses software to completely overwrite data on any storage device. It verifies that the data is unrecoverable.
• Data Masking: By masking data, organizations can allow teams to develop applications or train people using realistic data. It masks personally identifiable information (PII) where necessary so that development can occur in environments that are compliant.
• Data Resiliency: Resiliency is determined by how well a data center is able to endure or recover from any type of failure – from hardware problems to power shortages and other disruptive events.
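The data masking described above, as an added example that is not part of the original slides: PII fields in a constructed customer table are replaced before the copy goes to a development environment. Names and e-mail local parts get keyed, deterministic pseudonyms (an HMAC under a hypothetical masking key) so duplicates and joins still line up, card numbers and SSNs keep only their last four digits, and a release check confirms no original PII value survives verbatim.

```python
import hashlib
import hmac
import re

# Hypothetical masking secret; in practice it lives in a key-management service.
MASKING_KEY = b"example-masking-key-not-for-production"

# Constructed sample records standing in for a production customer table.
SAMPLE_RECORDS = [
    {"id": 1, "name": "Alice Example", "email": "alice@example.com",
     "ssn": "123-45-6789", "card": "4111111111111111", "plan": "gold"},
    {"id": 2, "name": "Bob Example", "email": "bob@example.com",
     "ssn": "987-65-4321", "card": "5500000000000004", "plan": "silver"},
    {"id": 3, "name": "Alice Example", "email": "alice@example.com",
     "ssn": "123-45-6789", "card": "4111111111111111", "plan": "gold"},
]


def tokenize(value, field, length=12):
    """Keyed, deterministic pseudonym: equal inputs map to equal tokens, so joins
    and duplicate detection still work in the masked copy, but the token cannot
    be reversed to the original without the key."""
    mac = hmac.new(MASKING_KEY, f"{field}:{value}".encode(), hashlib.sha256)
    return mac.hexdigest()[:length]


def mask_email(email):
    """Pseudonymize the local part; keep the domain, which test setups often need."""
    local, _, domain = email.partition("@")
    return f"{tokenize(local, 'email')}@{domain}"


def mask_card(card):
    """Reveal only the last four digits, the usual display form for card numbers."""
    digits = re.sub(r"\D", "", card)
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_ssn(ssn):
    return "***-**-" + ssn[-4:]


# Which fields count as PII and how each is masked; everything else passes through.
PII_MASKERS = {
    "name": lambda v: "user_" + tokenize(v, "name", 8),
    "email": mask_email,
    "ssn": mask_ssn,
    "card": mask_card,
}


def mask_record(record):
    return {k: (PII_MASKERS[k](v) if k in PII_MASKERS else v)
            for k, v in record.items()}


def mask_dataset(records):
    return [mask_record(r) for r in records]


def leaks_pii(masked, original):
    """Release check: no original PII value may survive verbatim in the masked row."""
    haystack = " ".join(str(v) for v in masked.values())
    return any(original[f] in haystack for f in PII_MASKERS)


if __name__ == "__main__":
    for before, after in zip(SAMPLE_RECORDS, mask_dataset(SAMPLE_RECORDS)):
        assert not leaks_pii(after, before)
        print(after)
```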
Data security strategies
• Physical security of servers and user devices: Regardless of whether your data is stored on-premises, in a corporate data center, or in the public cloud, you need to ensure that facilities are secured against intruders and have adequate fire suppression measures and climate controls in place. A cloud provider will assume responsibility for these protective measures on your behalf.
• Access management and controls: The principle of “least-privilege access” should be followed throughout your entire IT environment. This means granting database, network, and administrative account access to as few people as possible, and only to those who absolutely need it to get their jobs done.
• Application security and patching: All software should be updated to the latest version as soon as possible after patches or new versions are released.
• Backups: Maintaining usable, thoroughly tested backup copies of all critical data is a core component of any robust data security strategy. In addition, all backups should be subject to the same physical and logical security controls that govern access to the primary databases and core systems.
• Network and endpoint security monitoring and controls: Implementing a comprehensive suite of threat management, detection, and response tools and platforms across your on-premises environment and cloud platforms can mitigate risks and reduce the probability of a breach.
5.7 Application Security
• Application security describes security measures at the application level that aim to prevent data or code within the app from being stolen or hijacked.
• Application security may include hardware, software, and procedures that identify or minimize security vulnerabilities.
• Cloud application security is a series of defined policies, processes, controls, and technology governing all information exchanges that happen in collaborative cloud environments like Microsoft Office 365, Google G Suite, etc.
CLOUD APPLICATION SECURITY THREATS
• Misconfiguration of application setup is the single biggest threat to cloud security, because data breaches tend to happen when services are accidentally exposed to the public internet.
• Unauthorized access to a website, server, service, or other system is also an area of great concern, because once they’re in, there’s no telling what unauthorized users will do to create chaos.
• Insecure APIs and interfaces present easy opportunities for attackers to breach systems, because they are often the only asset(s) outside of the organizational boundary with a public IP address.
• Account hijacking is feared because so much sensitive data and so many resources are stored and accessed on devices shared by many different users—and because keeping tabs on rogue employees is difficult.
Types of application security
• Authentication: Procedures that software developers build into an application to ensure that only authorized users gain access to it. Authentication procedures ensure that a user is who they say they are. This can be accomplished by requiring the user to provide a user name and password when logging in to an application.
• Authorization: After a user has been authenticated, the user may be authorized to access and use the application. The system can validate that a user has permission to access the application by comparing the user’s identity with a list of authorized users. Authentication must happen before authorization so that the application matches only validated user credentials to the authorized user list.
• Encryption: After a user has been authenticated and is using the application, other security measures can protect sensitive data from being seen or even used by a cybercriminal. In cloud-based applications, where traffic containing sensitive data travels between the end user and the cloud, that traffic can be encrypted to keep the data safe.
• Logging: If there is a security breach in an application, logging can help identify who got access to the data and how. Application log files provide a time-stamped record of which aspects of the application were accessed and by whom.
• Application security testing: A necessary process to ensure that all of these security controls work properly.
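The authentication-before-authorization sequence and the time-stamped application log from the slides above, as an added example (not code from the original deck): passwords are verified against per-user salted PBKDF2 hashes with a constant-time comparison, authorization consults a role-to-feature table only after login succeeds, and every login and access decision is written to a log with a UTC timestamp. The user store, feature table and work factor are constructed for illustration.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Hypothetical PBKDF2 work factor; real deployments tune this to their hardware.
ITERATIONS = 100_000

# Constructed user store: per-user random salt and password hash, never plaintext.
USERS = {}
# Constructed feature -> roles table: the slide's "list of authorized users",
# expressed by role rather than by individual.
FEATURE_ROLES = {
    "add_user": {"admin"},
    "edit_profile": {"admin", "user"},
    "view_report": {"admin", "auditor"},
}
# Time-stamped application log: who tried what, and the outcome.
AUDIT_LOG = []


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def register(username, password, roles):
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": hash_password(password, salt),
                       "roles": set(roles)}


def log_event(user, action, outcome):
    entry = {"ts": datetime.now(timezone.utc).isoformat(), "user": user,
             "action": action, "outcome": outcome}
    AUDIT_LOG.append(entry)
    return entry


def authenticate(username, password):
    """Authentication: prove the caller is who they claim to be."""
    record = USERS.get(username)
    # Hash even for unknown users so response time does not reveal valid names.
    salt = record["salt"] if record else bytes(16)
    candidate = hash_password(password, salt)
    ok = record is not None and hmac.compare_digest(candidate, record["hash"])
    log_event(username, "login", "success" if ok else "failure")
    return ok


def authorize(username, feature):
    """Authorization: compare the authenticated user's roles with the feature's list."""
    roles = USERS.get(username, {}).get("roles", set())
    ok = bool(roles & FEATURE_ROLES.get(feature, set()))
    log_event(username, feature, "allowed" if ok else "denied")
    return ok


def access_feature(username, password, feature):
    """Authentication must succeed before authorization is evaluated at all."""
    if not authenticate(username, password):
        return "login rejected"
    if not authorize(username, feature):
        return "forbidden"
    return f"{feature} granted"


# Constructed sample accounts.
register("alice", "correct horse battery staple", ["admin"])
register("bob", "hunter2", ["user"])

if __name__ == "__main__":
    for who, pw, feat in [("alice", "correct horse battery staple", "add_user"),
                          ("bob", "hunter2", "add_user"),
                          ("bob", "wrong", "edit_profile")]:
        print(who, feat, "->", access_feature(who, pw, feat))
    for entry in AUDIT_LOG:
        print(entry)
```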
5.8 Virtual Machine Security
• Virtualized security, or security virtualization, refers to security solutions that are software-based and designed to work within a virtualized IT environment.
• This differs from traditional, hardware-based network security, which is static and runs on devices such as traditional firewalls, routers, and switches.
• In contrast to hardware-based security, virtualized security is flexible and dynamic.
• Instead of being tied to a device, it can be deployed anywhere in the network and is often cloud-based.
• In the cloud environment, physical servers are consolidated to multiple virtual machine instances on virtualized servers.
• Not only can data center security teams replicate typical security controls for the data center at large to secure the virtual machines, they can also advise their customers on how to prepare these machines for migration to a cloud environment when appropriate.
• Firewalls, intrusion detection and prevention, integrity monitoring, and log inspection can all be deployed as software on virtual machines to increase protection and maintain compliance integrity of servers and applications as virtual resources move from on-premises to public cloud environments.
Benefits of virtualized security
• Cost-effectiveness: Virtualized security allows an enterprise to maintain a secure network without a large increase in spending on expensive proprietary hardware. Pricing for cloud-based virtualized security services is often determined by usage, which can mean additional savings for organizations that use resources efficiently.
• Flexibility: Virtualized security functions can follow workloads anywhere, which is crucial in a virtualized environment. It provides protection across multiple data centers and in multi-cloud and hybrid cloud environments, allowing an organization to take advantage of the full benefits of virtualization while also keeping data secure.
• Operational efficiency: Quicker and easier to deploy than hardware-based security, virtualized security doesn’t require IT teams to set up and configure multiple hardware appliances. Instead, they can set up security systems through centralized software, enabling rapid scaling. Using software to run security technology also allows security tasks to be automated, freeing up additional time for IT teams.
• Regulatory compliance: Traditional hardware-based security is static and unable to keep up with the demands of a virtualized network, making virtualized security a necessity for organizations that need to maintain regulatory compliance.
Risks of virtualized security
• The increased complexity of virtualized security can be a challenge for IT, which in turn leads to increased risk.
• It’s harder to keep track of workloads and applications in a virtualized environment as they migrate across servers, which makes it more difficult to monitor security policies and configurations.
• And the ease of spinning up virtual machines can also contribute to security holes.
How is physical security different from virtualized security?
• Traditional physical security is hardware-based, and as a result, it’s inflexible and static.
• The traditional approach depends on devices deployed at strategic points across a network and is often focused on protecting the network perimeter (as with a traditional firewall).
• However, the perimeter of a virtualized, cloud-based network is necessarily porous, and workloads and applications are dynamically created, increasing the potential attack surface.
• Traditional security also relies heavily upon port and protocol filtering, an approach that’s ineffective in a virtualized environment where addresses and ports are assigned dynamically.
• In such an environment, traditional hardware-based security is not enough; a cloud-based network requires virtualized security that can move around the network along with workloads and applications.
Different types of virtualized security
• Segmentation, or making specific resources available only to specific applications and users. This typically takes the form of controlling traffic between different network segments or tiers.
• Micro-segmentation, or applying specific security policies at the workload level to create granular secure zones and limit an attacker’s ability to move through the network. Micro-segmentation divides a data center into segments and allows IT teams to define security controls for each segment individually, bolstering the data center’s resistance to attack.
• Isolation, or separating independent workloads and applications on the same network. This is particularly important in a multitenant public cloud environment, and can also be used to isolate virtual networks from the underlying physical infrastructure, protecting the infrastructure from attack.
5.9 Identity Management and Access Control
• Identity management and access control is the discipline of managing access to enterprise resources to keep systems and data secure.
• As a key component of security architecture, it helps verify users’ identities before granting them the right level of access to workplace systems and information.
• While people might use the terms identity management, authentication, and access control interchangeably, each of these serves as a distinct layer in enterprise security processes.
• Identity management—also referred to as identity and access management (IAM)—is the overarching discipline for verifying a user’s identity and their level of access to a particular system.
• Within that scope, both authentication and access control—which regulates each user’s level of access to a given system—play vital roles in securing user data.
• We interact with authentication mechanisms every day.
• When you enter a username and password, use a PIN, scan your fingerprint, or tap your bank card, your identity is being verified for authentication purposes.
• Once your identity is verified, access control is applied to determine your level of access.
• This is important for applications and services that have different levels of authorization for different users.
• Access control, for instance, will allow software administrators to add users or edit profiles while also barring lower-tier users from accessing certain features and information.
Types of Access Controls
1. Mandatory Access Control: This is a system-enforced access control that is based on a subject’s clearance and an object’s labels. It is usually associated with multilevel security labels such as Top Secret, Secret, and Confidential.
2. Discretionary Access Control: This is a type of access control that restricts access to objects based on the identity of subjects and the groups to which they belong. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission on to others.
3. Rule Based Access Control: In this model, access rules are pre-defined (for example, via an ACL) and are evaluated to determine access permissions. Rule-based access defines specific and detailed situations in which a subject can or cannot access an object, and what that subject can do once access is granted.
4. Physical Access Control: Physical access controls restrict access to a physical space within an organization. This type of access control limits access to rooms, buildings and physical IT assets. One benefit of implementing these controls is that you have a record of everyone who is entering and leaving restricted areas.
5. Role Based Access Control: This is a type of control that uses a user’s role as the basis for restricting access. Custom roles are usually created so that the least privilege policy is maintained, and access is revoked when no longer needed.
6. Attribute Based Access Control: This is a form of access control that governs access based on attributes. These can be user attributes, resource or object attributes, and environmental attributes.
7. Policy Based Access Control: This is a strategy used to manage access based on policies which determine what access role each person must have.
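The mandatory, discretionary, role-based and attribute-based models listed above, as an added example written for this page (not code from the original slides): a small policy engine evaluates one request against each model so the differences are visible. The MAC check compares a subject’s clearance with an object’s label (reads at or below clearance, writes only at the same level), DAC lets an owner delegate permissions through a per-object ACL, RBAC maps roles to permissions, and ABAC combines department, time-of-day and network attributes. The subjects, objects, roles and ABAC rules are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Ordered MAC levels; a subject may read an object whose label is at or below its clearance.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass
class Subject:
    name: str
    clearance: str
    roles: set = field(default_factory=set)
    department: str = ""


@dataclass
class Obj:
    name: str
    label: str
    owner: str
    acl: dict = field(default_factory=dict)   # DAC: subject name -> permissions
    department: str = ""


def mac_allows(subject, obj, action):
    """MAC: no read above clearance; writes only at the subject's own level, a
    simplified form of the rule that keeps higher-labelled data from flowing down."""
    if action == "read":
        return LEVELS[subject.clearance] >= LEVELS[obj.label]
    return LEVELS[subject.clearance] == LEVELS[obj.label]


def dac_allows(subject, obj, action):
    """DAC: the owner holds every permission; others hold what the ACL grants."""
    return subject.name == obj.owner or action in obj.acl.get(subject.name, set())


def dac_grant(granter, obj, grantee, action):
    """The discretionary part: the owner, or anyone holding 'share', may pass a permission on."""
    if granter.name == obj.owner or "share" in obj.acl.get(granter.name, set()):
        obj.acl.setdefault(grantee.name, set()).add(action)
        return True
    return False


# Constructed role -> permission mapping (RBAC).
ROLE_PERMISSIONS = {"analyst": {"read"}, "editor": {"read", "write"},
                    "admin": {"read", "write", "delete"}}


def rbac_allows(subject, action):
    return any(action in ROLE_PERMISSIONS.get(r, set()) for r in subject.roles)


def abac_allows(subject, obj, action, env):
    """ABAC: user, object and environment attributes combined (constructed rule set)."""
    same_dept = subject.department == obj.department
    business_hours = 8 <= env.get("hour", 0) < 18
    if action == "read":
        return same_dept
    return same_dept and business_hours and env.get("network") == "corporate"


def decide(subject, obj, action, env):
    """Allow only if every model allows; otherwise name the first denying model for the audit trail."""
    checks = [("MAC", mac_allows(subject, obj, action)),
              ("DAC", dac_allows(subject, obj, action)),
              ("RBAC", rbac_allows(subject, action)),
              ("ABAC", abac_allows(subject, obj, action, env))]
    for model, ok in checks:
        if not ok:
            return ("deny", model)
    return ("allow", None)
```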
Identity Management best practices
Listed below are best practices for maintaining the integrity of user and device identities, based on the security controls:
• Perform a SWOT (Strengths, Weaknesses, Opportunities, Threats) analysis based on the risk appetite of your company
• Least privilege – be aware of any ‘allow all’ type of roles and where/when those are being used
• Protect root-level access and restrict privilege abuse
• Review and assess the out-of-the-box roles before assigning them
• Control groups used for permission assignments and monitor the access
• Be sure to have good password policies configured in applications and processes
• Remove unused credentials