Cloud Computing

Notes
Unit 5
Prof.Vrushali Wankhede

Risk in Cloud Computing:

Data breaches, limited network visibility, data loss and insider threats are a few security risks of
cloud computing.
Top 7 Risks of Cloud Computing:

1. Data Breach - Data breach stands for unauthorized access to the confidential data of the
organization by a third party such as hackers. In cloud computing, the data of the
organization is stored outside the premise, that is at the endpoint of the cloud
service provider(CSP). Thus any attack to target data stored on the CSP servers may affect
all of its customers.
2. Cloud Vendor Security Risk - Every organization takes services offered by differe nt
cloud vendors. The inefficiency of these cloud vendors to provide data security and risk
mitigation directly affects the organization’s business plan and growth. Also, migrating
from one vendor to another is difficult due to different interfaces and services provided by
these cloud vendors.
3. Availability - Any internet connection loss disrupts the cloud provider's services, making
the services inoperative. It can happen at both the user's and the cloud service provider's
end. An effective risk management plan should focus on availability of services by creating
redundancy in servers on cloud such that other servers can provide those services if one
fails.
4. Compliance - The service provider might not follow the external audit process, exposing
the end user to security risks. If a data breach at the cloud service provider's end exposes
personal data, the organization may be held accountable due to improper protection and
agreements.

Apart from these risks, cloud computing possesses various security risks bound under 2 main
categories.

 Internal Security Risks

 External Security Risks
Internal Security Risks

Internal security risks in cloud computing include the challenges that arise due to mismanage me nt
by the organization or the cloud service provide. Some internal security risks involve:

1. Misconfiguration of settings - Misconfiguration of cloud security settings, either by the

organization workforce or by the cloud service provider, exposes the risk of a data breach. Most
small businesses cloud security and risk management are inadequate for protecting their cloud
infrastructure.
2. Malicious Insiders - A malicious insider is a person working in the organization and therefore
already has authorized access to the confidential data and resources of the organization. With
cloud deployments, organizations lack control over the underlying infrastructure; making it very
hard to detect malicious insiders.

External Security Risks

External security risks are threats to an organization arising from the improper handling of the
resources by its users and targeted attacks by hackers. Some of the external security risks involve :

1. Unauthorized Access - The cloud-based deployment of the organization’s infrastructure is outside

the network perimeter and directly accessible from the public internet. Therefore, it is easier for
the attacker to get unauthorized access to the server with the compromised credentials.
2. Accounts Hijacking - The use of a weak or repetitive password allows attackers to gain control
over multiple accounts using a single stolen password. Moreover, organizations using cloud
infrastructure cannot often identify and respond to such threats.
3. Insecure APIs - The Application Programming Interfaces(APIs) provided by the cloud service
provider to the user are well-documented for ease of use. A potential attacker might use this
documentation to attack the data and resources of the organization.

Risk Mangenement in CC:

Cloud computing is a technology that allows its user to access resources such as storage, memory,
network, and computing; these resources are physically present at any geographical location, but
can be accessed over the internet from anywhere in the globe. This advancement in technology has
revolutionised the working of businesses and organizations. More and more organizations are
investing in cloud deployment infrastructure rather than on-premise infrastructure. This
mobilization of technology introduces new risks associated with cloud computing, which needs to
be treated with foresight. To manage these risks, risk management plans are implemented by
organizations. Risk management is the process of identifying, assessing, and controlling threats to
an organization’s system security, capital and resources. Effective risk management means
attempting to control future outcomes proactively rather than reactively. In the context of cloud
computing, risk management plans are curated to deal with the risks or threats associated with the
cloud security. Every business and organization faces the risk of unexpected, harmful events that
can cost the organization capital or cause it to permanently close. Risk management allows
organizations to prevent and mitigate any threats, service disruptio ns, attacks or compromises by
quantifying the risks below the threshold of acceptable level of risks.
Process of Risk Management

Risk management is a cyclically executed process comprised of a set of activities for overseeing
and controlling risks. Risk management follows a series of 5 steps to manage risk, it drives
organizations to formulate a better strategy to tackle upcoming risks. These steps are referred to
as Risk Management Process and are as follows:

 Identify the risk

 Analyze the risk
 Evaluate the risk
 Treat the risk
 Monitor or Review the risk

1. Identify the risk - The inception of the risk management process starts with the
identification of the risks that may negatively influence an organization’s strategy or
compromise cloud system security. Operational, performance, security, and privacy
requirements are identified. The organization should uncover, recognise and describe risks
that might affect the working environment. Some risks in cloud computing include cloud
vendor risks, operational risks, legal risks, and attacker risks.
2. Analyze the risk - After the identification of the risk, the scope of the risk is analyzed. The
likelihood and the consequences of the risks are determined. In cloud computing, the
likelihood is determined as the function of the threats to the system, the vulnerabilities, and
consequences of these vulnerabilities being exploited. In analysis phase, the organiza tio n
develops an understanding of the nature of risk and its potential to affect organization goals
and objectives.
3. Evaluate the risk - The risks are further ranked based on the severity of the impact they
create on information security and the probability of actualizing. The organization then
decides whether the risk is acceptable or it is serious enough to call for treatment.
4. Treat the risk - In this step, the highest-ranked risks are treated to eliminate or modified
to achieve an acceptable level. Risk mitigation strategies and preventive plans are set out
to minimize the probability of negative risks and enhance opportunities. The security
controls are implemented in the cloud system and are assessed by proper assessment
procedures to determine if security controls are effective to produce the desired outcome.
5. Monitor or Review the risk - Monitor the security controls in the cloud infrastructure on
a regular basis including assessing control effectiveness, documenting changes to the
system and the working environment. Part of the mitigation plan includes following up on
risks to continuously monitor and track new and existing risks.

Enterprise Risk Management:

Enterprise risk management (ERM) is the process of planning, organizing, directing and
controlling the activities of an organization to minimize the harmful effects of risk on its capital
and earnings. Enterprise risk management can include financial, strategic and operational risks as
well as risks associated with accidental losses.

ERM is an organization-wide strategy enacted to identify and prepare for potential hazards.
Because risk management requires the understanding and analysis of the possible risks an
organization might face, the ERM process must be proportionate to the size or complexity of the
organization. ERM is designed to manage and identify risks across an organization and its
extended networks.

The components of enterprise risk management:

The following components make up ERM:

 Business and IT objectives. An organization's planned strategic initiatives must be included in

all risk analysis and decision-making. A migration into cloud services, for example,
definitively changes many controls and risk paradigms.
 Risk appetite. To maintain business continuity, an enterprise needs to assess its tolerance in
pursuit of strategic goals.
 Culture and governance. Some organizations are generally risk-averse, while others promote
risk cultures to pursue strategic initiatives. In addition, internal governance models and
 collaborative team structures differ widely across enterprises, affecting the way organizatio ns
make decisions and implement controls.
 Compliance and control requirements. Internal standards as well as external regulatory and
compliance requirements must be factored into risk and control decisions.

 Measurement and reporting. All ERM programs need to provide timely and consistent
output to a cross-section of stakeholders, ranging from corporate executives to operations
professionals. The metrics used to measure progress as well as the reporting mechanisms and
styles are important considerations.

ERM provides organizations with a host of potential benefits:

 By creating a more risk-focused culture, organizations can integrate risk evaluation into
business and IT practices, improving risk management across the organization.

 Enterprises can implement more standardized risk reporting that helps with long-term metrics
and measurement.

 Organizations can improve focus and increase their perspective on risk in various categories.

 Companies focusing on risk associated with business objectives might discover more effic ie nt
ways to use resources. For example, they might apply limited endpoint security licenses to the
most exposed and critical systems.

 Highly regulated organizations can improve the coordination of regulatory and compliance
issues across a diverse set of business objectives.

Cloud data security

Cloud data security protects data that is stored (at rest) or moving in and out of the cloud (in
motion) from security threats, unauthorized access, theft, and corruption. It relies on physical
security, technology tools, access management and controls, and organizational policies.

Today, we’re living in the era of big data, with companies generating, collecting, and storing vast
amounts of data by the second, ranging from highly confidential business or personal customer
data to less sensitive data like behavioral and marketing analytics.

Beyond the growing volumes of data that companies need to be able to access, manage, and
analyze, organizations are adopting cloud services to help them achieve more agility and faster
times to market, and to support increasingly remote or hybrid workforces.
 Common challenges:
 Lack of visibility. Companies don’t know where all their data and applications live and what
assets are in their inventory.
 Less control. Since data and apps are hosted on third-party infrastructure, they have less control
over how data is accessed and shared.
 Confusion over shared responsibility. Companies and cloud providers share cloud security
responsibilities, which can lead to gaps in coverage if duties and tasks are not well understood or
defined.
 Inconsistent coverage. Many businesses are finding multicloud and hybrid cloud to better suit
their business needs, but different providers offer varying levels of coverage and capabilities that
can deliver inconsistent protection.
 Growing cybersecurity threats. Cloud databases and cloud data storage make ideal targets for
online criminals looking for a big payday, especially as companies are still educating themselves
about data handling and management in the cloud.
Security Disadvantages of Cloud Computing:

1. Loss of Control: The enterprise’s loss of control in enhancing the network’s security is the most
significant disadvantage of cloud computing security. The responsibility of securing the network
is shared between the cloud service provider (CSP) and the enterprise. Depending on which server
model an enterprise uses, the enterprise may have little to almost no control over the cloud
security. Infrastructure-as-a-Service (IaaS) allows the enterprise to have the most control as the
CSP only provides the infrastructure. It falls under the enterprise’s jurisdiction to build the
remainder of the stack and maintain its security. A stack built, operated, and managed entirely by
the CSP is known as the cloud service offering, Software-as-a-Service (SaaS). The enterprise has
the least amount of control over cloud security in a SaaS environment. Enterprises need to review
the CSP’s service level agreement (SLA) to understand its security obligations and to identify gaps
in security coverage.
2. Vendor Lock-in: Describes the “an anticipated fear of difficulty in switching from one alternative
to another.” Lock-in often happens when enterprises neglect to read the CSP’s SLA.
3. Data Loss: Can occur via a natural disaster or company error.
4. Insider Theft: When an employee intentionally steals data with mal-intent.
5. Data Breaches: Forcepoint lists consequences of data breaches in the cloud in its white paper,
“Deploying and Managing Security in the Cloud.” It states that “while cloud providers generally
have better security capabilities than most organizations and suffer fewer data breaches as a result,
a successful data breach can open an organization to stiff financial penalties, regulatory fines, loss
of customer confidence, and declining competitive market positioning, among other significa nt
consequences.”
6. Unsecured Application Programming Interfaces (APIs): The open APIs are readily
exploitable as “CSPs expose a set of application programming interfaces (APIs) that customers
use to manage and interact with cloud services (also known as the management plane). ”
7 Benefits of Cloud Security Solutions:
1. Enhanced Data Protection
At the core of cloud security lies the protection of sensitive data. Cloud security solutions employ
advanced encryption techniques to safeguard data both in transit and at rest, ensuring its
confidentiality and integrity.
By leveraging robust access controls and identity management mechanisms, organizations can
mitigate the risk of unauthorized access and data breaches, safeguarding their most valuab le
assets.
2. Scalability and Flexibility
An essential benefit of cloud security is it unparalleled scalability and flexibility, allowing
organizations to adapt rapidly to changing security requirements and evolving threats.
With cloud-based security services, businesses can scale resources up or down based on demand,
ensuring optimal performance and cost-efficiency. This scalability empowers organizations to
meet the dynamic needs of their operations while maintaining a strong security posture.
3. Cost-Effectiveness
Traditional on-premise security solutions often require substantial investments in hardware,
software, and personnel. In contrast, cloud security solutions offer a more cost-effective
alternative, eliminating the need for upfront capital expenditure and reducing ongoing
operational costs.
With pay-as-you-go pricing models and subscription-based services, organizations can align
their security investments with actual usage, optimizing cost-effectiveness and maximizing ROI.
4. Global Coverage and Resilience
Cloud computing security solutions leverage a global network of data centers and points of
presence (PoPs) to provide comprehensive coverage and resilience against cyber threats.
By distributing security resources across geographically diverse locations, cloud security
providers can mitigate the impact of localized disruptions, such as DDoS attacks or natural
disasters, ensuring uninterrupted service availability and business continuity.
5. Managed Services and Expertise
Many cloud security providers offer managed services and expertise to complement their
technology offerings. By partnering with experienced security professionals, organizations can
offload the burden of managing security infrastructure and personnel, allowing internal teams to
focus on core business activities.

Content Level Security (CLS)

The need for Content Level Security
For certain businesses, there is information that should not be shared or be editable between
divisions. There are two key scenarios corresponding to different levels of access:

 Completely confidential content: Content can be accessed only from some business units.
Other units are not aware that the content exists.
 Safety Reuse: A business unit can share content to other business units but only in read-
only mode.

CLS uses a hierarchy of security levels, ranging from the most-permissive/open to the most-
restrictive/closed. These security levels determine what users can see.

The content security levels are (from most-permissive to most-restrictive):

 Read-write: Content is viewable and editable

 Read-only: Content is viewable, but cannot be edited
 Invisible: Content is not visible

For example, if you have read-only access to a Branch, you can view topics in it. But you
cannot edit them. A topic in an invisible Branch does not appear anywhere for you.

pros and cons of content level security.

Content level security is a type of data security that focuses on securing the content
of a file or document, rather than just the file itself. Here are some potential pros and
cons of content level security:
Pros:
1. Granular control: With content level security, it is possible to provide more
granular control over who can access specific parts of a document or file,
which can be particularly useful in regulated industries or when dealing with
sensitive data.
2. Increased security: By focusing on securing the content of a file or document,
content level security can provide a higher level of security than traditional
file-level security approaches, which only protect the file itself.
3. Easy to implement: Many modern content management systems and other
enterprise applications include built-in content level security features that are
easy to configure and manage.

Cons:

1. Performance overhead: Content level security can add an overhead in terms

of performance, particularly when dealing with large files or complex
documents. This can impact the speed and responsiveness of applications
and systems that need to process these files.
2. Complexity: Implementing and managing content level security can be more
complex than traditional file-level security approaches. It may require
additional expertise, training, and resources.
3. Risk of overcomplication: With content level security, it can be easy to

overcomplicate the security measures and make it difficult to access, edit, o the files or documents,

Confidentiality

When talking about any cloud service, the confidentiality of your data is not something you can
control. Instead, it’s up to the service provider to tell you what they are doing to keep your data
confidential. What you as an end-user need to think about is how the loss of confidentiality impacts
your business.

There are a couple of things to consider here. Are you handling data that requires compliance to
some standard? Does the cloud service provider adhere to said standard? And if they claim they
do, how can you actually prove it? Also, what are the steps you need to take to get certified? It's
probably not as easy as just using a service that is already certified.

Integrity

Here’s where things get a bit easier. Compared to confidentiality, the integrity of your data is
simpler to achieve. For example, you can use multiple providers and have redundant backups. All
with tight access control in place.

There is one significant caveat, though: using multiple providers is understandably considerably
more expensive. It’s not enough to just account for the cost of the service itself. You will also have
to factor in the cost of development and integration.

Availability

Unless you try to host everything yourself, availability is usually guaranteed. Services usually have
an SLA (Service Level Agreement) and a CSA (Cloud Services Agreement). SLA guarantees a
significant amount of uptime, the service might be available 99.999% of the time. That means you
only get a couple of minutes of downtime a year.

However, sometimes stuff happens, the service goes down and the provider downtime might cost
you more than the insurance covers. For such eventualities having a multi-cloud solution is
preferable. Keep in mind, though, that double the availability means also double the risk to
confidentiality.

Secure Cloud Software Testing:

Cloud-based software testing is a set of procedures, tools, and processes that are leveraged by
testers inefficiently and precisely testing software. With the utilization of Cloud service models,
enterprises can implement testing as a service, without the need to completely invest in testing labs,
tools, or infrastructure. Cloud services deal with not just testing but also everything from cloud
security, software development, resource utilization, etc.
Benefits of Cloud-Based Software Testing

The majority of the IT companies and software developers are now migrating their legacy systems

to a cloud ecosystem for better test automation services. With cloud-based testing, their applications

are scalable, flexible, and easily adaptable. Here are some reasons why enterprises are

adopting cloud-based software testing over traditional or manual application testing.

1. It significantly reduces the expenses and the process cycles by sharing the resources when the

testing strategy is performed. This is because cloud-based Testing as a Service (TaaS) enables IT

and software developers to initialize practical experimental tests on cloud platforms without the

necessity to possess licenses or purchase the resource. This reduces the expenses of testing and

improves sharing of resources and the use of services.

2. Better testing environment of testing and virtual infrastructures. The flexibility of cloud

technology enables enterprises to leverage TaaS from any part of the globe as long as the place has

a good internet connection. Also, the cloud provides a better virtual environment for testing and

SaaS solutions that support the entire testing life cycle, including development. With these virtual

infrastructures, enterprises will not have to spend a lot on real labs or traffic generators but just lease

the resources from the cloud.

4. The Pay per use policy of cloud services is the most notable factor for enterprises. As opposed

to traditional software testing, in cloud-based software testing, enterprises can choose the resource,

tools, or technologies for just the time they need. They will have to only pay for the service based

on the utilization time and can stop leveraging cloud services once the testing is complete.