Cloud Security Notes - Unit-I

Uploaded by

Rebekah Rose
1. Cloud security from a user’s perspective


Cloud security from a user's perspective refers to the measures and practices implemented by cloud
service providers to ensure the protection of user data and resources stored in the cloud. As a user, it is
essential to understand the security features and considerations offered by the cloud service provider to
ensure the confidentiality, integrity, and availability of your data.
Here are some key aspects of cloud security from a user's perspective:
Data Encryption: Cloud service providers should offer strong encryption mechanisms to protect data
both in transit and at rest. Encryption ensures that even if the data is intercepted or compromised, it
remains unreadable without the decryption keys. Users should ensure that their data is encrypted using
robust algorithms and that they retain control over the encryption keys.
Access Control: Access control mechanisms play a crucial role in cloud security. Users should have
granular control over who can access their resources and data in the cloud. This includes features like user
authentication, role-based access control (RBAC), and the ability to define access policies and
permissions.
Security Compliance: Cloud service providers should adhere to relevant security standards and
compliance requirements, such as ISO 27001, SOC 2, GDPR, HIPAA, etc. Users should verify that the
provider has appropriate certifications and can demonstrate compliance with applicable regulations to
ensure the protection of their sensitive data.
Vulnerability Management: Cloud providers should have robust vulnerability management programs in
place to identify, assess, and mitigate security vulnerabilities. Users should inquire about the provider's
vulnerability management processes, including regular security patching, vulnerability scanning, and
penetration testing.
Incident Response and Disaster Recovery: Users should understand the cloud provider's incident
response and disaster recovery procedures. This includes mechanisms for detecting and responding to
security incidents promptly, as well as data backup and recovery strategies to ensure business continuity
in case of disruptions or data loss.
Security Monitoring and Logging: Cloud service providers should have robust monitoring and logging
mechanisms to track and analyze user activity, detect anomalies, and respond to security events. Users
should inquire about the provider's security monitoring capabilities and access to audit logs for
compliance and forensic purposes.
Transparency and Auditing: Users should have visibility into the security practices of the cloud
provider. This includes transparency regarding their data handling practices, security controls, and regular
audits by third-party assessors. Users should also have the ability to conduct their own audits or
assessments, if necessary.
When evaluating cloud service providers, it is recommended to review their security documentation,
terms of service, and service-level agreements (SLAs) to understand the security measures they have
implemented. Additionally, seeking references or recommendations from other users or industry experts
can provide valuable insights into a provider's security capabilities.
2. Understanding security and privacy in Cloud Computing:
Cloud technology has given many businesses the opportunity to showcase their potential in the business
world. It has opened a door for small and medium-scale companies to acquire market share
by entering the yard of bigger players. As business requirements have become on-demand and
need-based, it has given many companies a significant edge and allowed them to compete in a much
larger business space.

At the same time, cloud computing has raised multiple eyebrows with IT management, especially when it
comes to data security in cloud computing. Data security and privacy protection are two major
factors. These two factors are becoming more important for the future development of cloud computing
technology in business, industry, and government. While addressing this fear, Google claimed that data
stored in the cloud are much safer.

What are the Challenges?


Data Replication

Every business faces this challenge. Snapshots and data backups are taken on a daily basis and are
automatically stored in the cloud. Are you aware of where they have been stored and who can see and
access them? Can you identify and control unauthorised copying of your data?
Data Loss

Data loss can be a disaster for any business. Virtual data can be easily lost or exposed as it moves
between VMs or in the cloud. Are you sure that authorised users are accessing your data within
predefined policies? Do you have the authority to block any user who is violating data use policies?
New Class of Users

Cloud computing needs cooperation between security, storage, application, and security admins. They all
manage your sensitive business data. With more users, the risk also increases. If one admin
goes wrong, all the data in the system will be at risk.
Insecure APIs

Application Programming Interfaces (APIs) allow users to customize their cloud computing practices.
APIs can be a threat to cloud security because of their nature. APIs give developers the tools to build
solutions that integrate their applications with other software. The vulnerability of an API depends on the
communication that takes place between applications. While this can help developers and businesses, it
also raises serious security concerns.

Internal Threat

Never let this point slip your mind. You may think your data is safe inside, but this is one of the
biggest challenges companies face. Employees can use their access to an organisation’s cloud-based
services to misuse or access information related to finance, customer details, etc.
How to Protect your Data?

You can protect your business data in the cloud from unauthorised access. All you need is a sharp eye and
some extra effort. Here are a few practical tips to keep your cloud data safe and secure.
Always keep backup locally

When it comes to business data, you have to be extra cautious. Always have a backup of your data. It is
always good to create hard copies of your business data and keep them with you so that you can
access them even if you lose the original. You can use any cloud storage solution to store your data.
You can set up a cloud account and keep the backup copies there.
Don’t store sensitive data
Technology is changing, and businesses are changing with it. Data plays an important
role in businesses today, so data privacy is one of the primary aspects of any business. But if something
is on the internet, it is hard to trust that it is safe. So, one should avoid storing the most sensitive files or
information in the cloud.
Data encryption
This is the best form of security because the data must be decrypted before it can be accessed. This will
protect data against service providers and users also. To make it more protected, you can also ensure cloud
encryption during the uploading and downloading phases. But this will make data sharing and sync in the
cloud platform a little slow.
Encrypted cloud service
A few cloud services provide local encryption and decryption of your files and the information
inside them, in addition to storage and backup. This means the service takes care of both encrypting
your files and storing them safely in the cloud.
Using password

You can opt for 2-step verification for login if your cloud service offers that option. Google Drive uses a
2-phase login option, consisting of a password and a code sent to the registered number. This added
security will make your data much safer.
Keep an eye on what you do online

The security of your cloud data largely depends on your online behaviour. While using a public computer,
never save your password, and always ensure that you have logged out properly. Another big concern is
accessing cloud data over unsecured or open Wi-Fi hotspots. Such connections are unencrypted, so hackers
can target your data easily. Never save your password in any public forum or on social media. Change
Wi-Fi passwords frequently.
Anti-virus is a must

If you expose yourself to bugs and viruses, hackers can access your system easily. You need to choose a
very effective and robust anti-virus system, which will protect all the files and information on your
system. If your system isn’t well protected, and if it is not encrypted and secured
from bugs, hackers can get hold of your information.
Read your user agreement

Initially, it will be difficult to understand and at times it will test your patience, but you need to face this.
User agreements always carry essential information which can help you understand things in detail.
Access limitation
Give access only to those users who really need it. Internal users and third-party vendors should only get
access to those files which will help them to do their jobs.
Platform, control & service monitoring

Platform, control & services monitoring is usually performed as a dashboard interface and makes it
possible to identify the operational status of the platform being monitored at any time. Each operational
element which is monitored provides an operational status indicator.
Continuous system updating
Cloud data security is enhanced with regular patching and upgrading of systems and application software
in the cloud platform. New patches, updates, and service packs for the operating system are required to
maintain high-end security levels and support new versions of installed products.
Legal & regulatory challenges
This should be the primary focus for cloud service providers. There are many legal and regulatory
challenges which need to be addressed when data moves from one country to another.
Multinational Framework on privacy and security:

To ensure every business and country get full advantage of cloud computing, different countries have to
cooperate to develop a multinational framework on data privacy and security in the cloud. As cloud
computing evolves, and data flows from one country to another
Rules on Cross-border data transfers:
To enhance the efficiency and security of cloud solutions and deliver quick results, cloud service
providers must be able to operate datacentres in multiple locations and transfer data freely between them.
Conflicting legal obligations:
Different governments have different policies when it comes to data flow in their country. Cloud
providers will be in legal trouble if they don’t follow the predefined cyber laws. Divergent rules on
privacy, data retention, law enforcement access and other issues can lead to ambiguity.
3. Risk issues in cloud: (7 principles that support security assurance)
Confidentiality:
Risk: Inadequate protection of sensitive data stored in the cloud can lead to unauthorized access and
exposure of confidential information to unauthorized parties.
Impact: Loss of confidentiality can result in financial losses, reputational damage, and regulatory non-
compliance.
Mitigation: Implement strong encryption techniques, access controls, and secure data transmission
protocols to protect data confidentiality in the cloud.
Integrity:
Risk: The risk of data tampering or alteration during storage, transmission, or processing in the cloud.
Impact: Unauthorized modification or corruption of data can lead to data integrity violations, loss of trust,
and incorrect decision-making.
Mitigation: Implement data integrity checks, such as checksums or digital signatures, to detect and
prevent unauthorized modifications. Regularly monitor and audit data for integrity violations.
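An added example (not part of the original notes) of the integrity check described in the mitigation above: a checksum per stored object, with the checksum list itself sealed by a key the data owner keeps outside the cloud. It uses HMAC-SHA256 in place of a digital signature; the object names, contents and key are constructed sample values.

```python
import hashlib
import hmac
import json

# Constructed sample data: object names and contents are made up for this example.
SAMPLE_OBJECTS = {
    "reports/q1.csv": b"region,revenue\nnorth,1200\nsouth,950\n",
    "config/app.json": b'{"debug": false, "retention_days": 30}',
}
# Constructed key. It stays with the data owner and is never stored beside the data.
OWNER_KEY = b"constructed-demo-key-not-for-real-use"


def _seal(entries: dict, key: bytes) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the checksum list."""
    canonical = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def build_manifest(objects: dict, key: bytes) -> dict:
    """Record a SHA-256 checksum per object and seal the list with the owner's key."""
    entries = {name: hashlib.sha256(blob).hexdigest() for name, blob in objects.items()}
    return {"entries": entries, "tag": _seal(entries, key)}


def verify(objects: dict, manifest: dict, key: bytes) -> dict:
    """Compare what is in storage now against the sealed manifest."""
    report = {"manifest_ok": False, "modified": [], "missing": [], "unexpected": []}
    entries = manifest.get("entries", {})
    tag = str(manifest.get("tag", ""))
    # If the seal does not verify, the checksums themselves cannot be trusted.
    if not hmac.compare_digest(_seal(entries, key), tag):
        return report
    report["manifest_ok"] = True
    for name, expected in sorted(entries.items()):
        if name not in objects:
            report["missing"].append(name)
        elif not hmac.compare_digest(hashlib.sha256(objects[name]).hexdigest(), expected):
            report["modified"].append(name)
    report["unexpected"] = sorted(set(objects) - set(entries))
    return report


def demo() -> dict:
    manifest = build_manifest(SAMPLE_OBJECTS, OWNER_KEY)

    # Case 1: an object is altered in storage after the manifest was written.
    tampered = dict(SAMPLE_OBJECTS)
    tampered["reports/q1.csv"] = tampered["reports/q1.csv"].replace(b"1200", b"9200")

    # Case 2: the checksum stored next to the data is rewritten to match the altered
    # object. A plain checksum would now pass; the seal does not, because
    # recomputing it requires the owner's key.
    forged = {"entries": dict(manifest["entries"]), "tag": manifest["tag"]}
    forged["entries"]["reports/q1.csv"] = hashlib.sha256(tampered["reports/q1.csv"]).hexdigest()

    return {
        "clean": verify(SAMPLE_OBJECTS, manifest, OWNER_KEY),
        "tampered": verify(tampered, manifest, OWNER_KEY),
        "forged_manifest": verify(tampered, forged, OWNER_KEY),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```
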
Availability:
Risk: The risk of service disruptions or unavailability of cloud services due to various factors such as
system failures, network outages, or cyber-attacks.
Impact: Downtime or unavailability of cloud services can result in business disruptions, financial losses,
and damage to customer trust.
Mitigation: Implement robust disaster recovery and business continuity plans, redundant infrastructure,
and proactive monitoring to ensure high availability of cloud services.
Other Important Concepts:
Privacy and Compliance Risks: Inadequate protection of personal information and non-compliance with
privacy regulations can result in legal consequences and reputational damage.
The Payment Card Industry Data Security Standard (PCI DSS): Non-compliance with PCI DSS
requirements can lead to financial penalties, loss of customer trust, and increased risk of payment card
data breaches.
Information Privacy and Privacy Laws: Failure to comply with privacy laws and regulations can result in
legal liabilities and damage to an organization's reputation.
Threats to Infrastructure, Data, and Access Control: Cloud environments face various threats such as
unauthorized access, data breaches, and compromised infrastructure that can lead to significant risks and
losses.
Common Threats and Vulnerabilities: Various threats such as logon abuse, eavesdropping, network
intrusion, and denial-of-service (DoS) attacks pose risks to cloud environments.
Cloud Access Control Issues: Inadequate access control mechanisms in the cloud can lead to
unauthorized access to sensitive data and resources.
Database Integrity Issues: Data integrity risks arise when databases in the cloud are not properly
secured and protected against unauthorized modifications or corruption.
Cloud Service Provider Risks: Risks associated with the reliance on cloud service providers include
vendor lock-in, service disruptions, and inadequate security practices.
Specific Threats:
Back-Door: Unauthorized access points or hidden functionalities in cloud systems that can be exploited
for malicious purposes.
Spoofing: Impersonating another entity or user to gain unauthorized access to cloud services.
Man-in-the-Middle: Interception and alteration of communication between cloud users and services,
allowing unauthorized access or data tampering.
Replay: Capturing and retransmitting network communications to perform unauthorized actions or gain
unauthorized access.
TCP Hijacking: Unauthorized takeover of a TCP connection between cloud users and services.
Social Engineering: Manipulating individuals to disclose sensitive information or perform actions that
compromise cloud security.
Dumpster Diving: Unauthorized access or retrieval of discarded physical or digital documents containing
sensitive information.
Password Guessing: Repeated attempts to guess or crack passwords to gain unauthorized access to cloud
accounts or systems.
Trojan Horses and Malware: Malicious software or code that can infect cloud systems, compromise
security, and steal or manipulate data.
4. Security challenges in cloud:
1. External data breaches.
1. A data breach is an incident where information is stolen or taken from a system without
the knowledge or authorization of the system’s owner. A small company or large
organization may suffer a data breach.
2. These attacks may be due to the provider’s failure to properly secure its network or the
customer’s failure to properly patch its operating systems and applications, which open
the organization up to external attacks, such as DDoS and other malware.
2. Misconfiguration.
1. Cloud security is naturally complex, and the risk of configuring something incorrectly is
high, particularly when an organization engages with a new service provider or expands
their cloud user base.
3. Poor authentication controls.
1. Controlling access to cloud resources is more complex than on an internal network,
creating more opportunities for misconfigurations.
4. Account hijacking via phishing.
1. The risk of data theft from a phishing attack targeted at stealing usernames and passwords
intensifies in cloud applications.
5. API insecurities.
1. Insecure APIs used to access cloud resources are increasingly common avenues for cyber
attackers attempting to gain access.
External Sharing of Data
• External data sharing is one of the leading cloud security challenges businesses face.
• This issue arises when data is shared with third-party providers who have to be examined and
approved by the organization.
• As a result, external data sharing can lead to the loss of critical business information and theft and
fraud.
• To prevent these risks, companies must implement robust security measures:
  • Encryption
  • Data management practices
Unsecure Third-party Resources
• Third-party resources are applications, websites, and services outside the cloud provider’s
control.
• These resources may have security vulnerabilities, and unauthorized access to your data is
possible.
• Additionally, unsecured third-party resources may allow hackers to access your cloud data.
• These vulnerabilities can put your security at risk.
• Therefore, it is essential to ensure that only trusted and secure resources are used for cloud
computing.

Security Policy Implementation: Implementing security policies in cloud computing involves defining
and enforcing guidelines, rules, and practices to protect data and ensure the secure operation of cloud-
based systems. It typically includes the following steps:

Figure 1: Security Policy Hierarchy


1. Policy Types: Different types of policies can be implemented, including senior management
statements, regulatory policies, advisory policies, and informative policies (as mentioned below).
2. Policy Development: Security policies should be developed based on organizational
requirements, industry best practices, and compliance obligations.
3. Policy Communication: Policies need to be effectively communicated to all stakeholders,
including employees, contractors, and cloud service providers.
4. Policy Enforcement: Policies should be actively enforced through appropriate technical and
administrative controls.
5. Policy Review and Updates: Security policies should be regularly reviewed, updated, and
aligned with changing threats, technologies, and business requirements.
Policy Types:
1. Senior Management Statement of Policy: This is a high-level policy statement that outlines the
organization's commitment to information security and sets the overall security objectives.
2. Regulatory Policies: These policies ensure compliance with applicable laws, regulations, and
industry standards that govern data protection, privacy, and security.
3. Advisory Policies: Advisory policies provide guidance, best practices, and recommendations to
help stakeholders make informed decisions regarding security measures.
4. Informative Policies: Informative policies provide information about security practices,
procedures, and guidelines without imposing strict requirements.
Computer Security Incident Response Team (CSIRT): A Computer Security Incident Response Team
(CSIRT) is a dedicated team responsible for responding to and managing security incidents in an
organization's computing environment, including cloud-based systems. The CSIRT typically performs the
following functions:
1. Incident Detection and Analysis: Monitoring systems and networks to detect security incidents
and analyzing their impact.
2. Incident Response: Responding to security incidents promptly, containing their impact, and
minimizing further damage.
3. Forensic Investigation: Conducting investigations to determine the cause, scope, and extent of
security incidents.
4. Incident Reporting and Communication: Reporting incidents to relevant stakeholders,
including senior management, legal authorities, and affected parties.
5. Lessons Learned and Continuous Improvement: Conducting post-incident reviews to identify
areas for improvement in security controls, policies, and response procedures.

Virtualization Security Management:


Virtualization security management focuses on securing virtualized environments, which are common in
cloud computing. It involves addressing the unique security challenges associated with virtualization
technologies. Some key aspects include:

Figure 2: Basic VM System Vulnerability


Virtual Threats: Virtual threats refer to security risks specific to virtualized environments. These threats
can include attacks targeting virtual machines (VMs), hypervisors, or vulnerabilities within the
virtualization infrastructure.
Hypervisor Risks: The hypervisor, a software layer that enables virtualization, can be a potential target
for attackers. Exploiting vulnerabilities in the hypervisor can allow unauthorized access to VMs or
compromise the integrity and availability of virtualized resources.
Increased Denial of Service Risk: Virtualization can amplify the impact of Denial of Service (DoS)
attacks. An attacker targeting a single virtualization server can potentially disrupt multiple VMs, affecting
the performance and availability of cloud services.
VM Security Recommendations: To enhance VM security, it is recommended to implement the
following measures:
• Regularly apply security updates and patches to VMs and their underlying software.
• Use secure configurations and access controls for VMs.
• Employ network segmentation and isolation to restrict communication between VMs.
• Implement strong authentication and authorization mechanisms for VM access.
• Use encryption for sensitive data stored within VMs and during transmission.
Best Practice Security Techniques: Adopting best practices for security in virtualized environments can
help mitigate risks. These practices include:
• Implementing strict access controls and authentication mechanisms for VM management.
• Regularly updating and patching hypervisors, virtualization management systems, and VMs.
• Monitoring and auditing VM activity to detect suspicious behavior or unauthorized access.
• Implementing network security controls such as firewalls and intrusion detection systems to
protect VMs.
• Using encryption for VM data at rest and in transit.
VM-Specific Security Techniques: Some security techniques are specifically designed for VMs, such as:
• Employing virtual firewalls or security appliances to protect VMs from network-based attacks.
• Using host-based intrusion detection/prevention systems (IDS/IPS) within VMs to detect and
prevent unauthorized activity.
• Implementing VM isolation techniques to prevent VM-to-VM attacks and limit the impact of
compromised VMs.
Hardening the Virtual Machine: Hardening a virtual machine involves reducing its attack surface and
strengthening its security posture. This can include:
• Disabling unnecessary services and protocols.
• Removing or disabling unnecessary software components.
• Applying security patches and updates.
• Configuring strong access controls and user authentication mechanisms.
• Implementing file integrity monitoring to detect unauthorized changes.
Securing VM Remote Access: Securing remote access to VMs is crucial to prevent unauthorized access.
Best practices for securing VM remote access include:
• Using secure protocols like SSH (Secure Shell) or VPN (Virtual Private Network) for remote
access.
• Enforcing strong authentication mechanisms, such as two-factor authentication.
• Restricting remote access to authorized users and implementing access controls.
• Monitoring and logging remote access activities for detection and response purposes.
• Encrypting remote access sessions to protect against eavesdropping and data interception.
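An added example (not part of the original notes) that turns the remote-access practices above into a check over an OpenSSH server configuration, comparing a permissive setup with a hardened one. Both configurations are constructed samples, the group name `vm-admins` and the finding labels are hypothetical, and treating any root login as a finding is this example's own policy choice.

```python
# Constructed sample: permissive VM image.
WEAK_CONFIG = """\
# constructed sample
PermitRootLogin yes
PasswordAuthentication yes
LogLevel QUIET
"""

# Constructed sample: hardened VM image ("vm-admins" is a hypothetical group).
HARDENED_CONFIG = """\
# constructed sample
PermitRootLogin no
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive
AllowGroups vm-admins
LogLevel VERBOSE
"""

# OpenSSH defaults that apply when a keyword is absent from the file.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "loglevel": "INFO",
}


def parse_sshd_config(text: str) -> dict:
    """Parse the global section of an sshd_config.

    Keywords are case-insensitive and the first value given for a keyword wins.
    Simplification: parsing stops at the first Match block, and only
    whitespace-separated "Keyword value" lines are handled.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(keyword, value)
    return settings


def audit(text: str) -> list:
    """Return finding labels (this example's own names) for one configuration."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []

    # Restrict remote access to authorized users: no direct root sessions.
    if cfg["permitrootlogin"].lower() != "no":
        findings.append("root-login-allowed")

    # Strong authentication: passwords alone can be guessed.
    if cfg["passwordauthentication"].lower() != "no":
        findings.append("password-auth-enabled")

    # Two-factor: AuthenticationMethods holds space-separated alternatives, each a
    # comma-separated list of methods that must all succeed. Every alternative
    # needs at least two methods, otherwise one factor is enough to log in.
    alternatives = cfg.get("authenticationmethods", "").split()
    if not alternatives or any(len(alt.split(",")) < 2 for alt in alternatives):
        findings.append("single-factor-login-possible")

    # Access control: without an allowlist, every account on the VM may log in.
    if not (cfg.get("allowusers") or cfg.get("allowgroups")):
        findings.append("no-user-allowlist")

    # Monitoring and logging: accepted and failed logins are recorded at INFO,
    # so any level below INFO drops them.
    if cfg["loglevel"].upper() in {"QUIET", "FATAL", "ERROR"}:
        findings.append("login-events-not-logged")

    return findings


if __name__ == "__main__":
    print("weak:", audit(WEAK_CONFIG))
    print("hardened:", audit(HARDENED_CONFIG))
```
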

Security requirements for the cloud architecture:


1. Data Encryption: Encrypt sensitive data both in transit and at rest to ensure confidentiality. Use
strong encryption algorithms and secure key management practices.
2. Identity and Access Management (IAM): Implement robust user authentication and
authorization mechanisms to control access to cloud resources. Use techniques like multi-factor
authentication (MFA), role-based access control (RBAC), and least privilege principles.
3. Network Security: Protect the cloud network by implementing firewalls, intrusion detection and
prevention systems (IDS/IPS), and virtual private networks (VPNs). Segment the network into
security zones to control traffic flow.
4. Vulnerability Management: Regularly scan for vulnerabilities in the cloud infrastructure and
applications. Patch and update systems promptly to address any identified vulnerabilities.
Perform penetration testing to evaluate security posture.
5. Security Monitoring and Logging: Implement comprehensive logging and monitoring
mechanisms to detect and respond to security incidents promptly. Use security information and
event management (SIEM) tools to collect and analyze logs from various sources.
6. Security Auditing and Compliance: Regularly audit the cloud environment to ensure
compliance with relevant security standards and regulations. Maintain an audit trail of activities
for accountability and forensic analysis.
7. Disaster Recovery and Backup: Implement robust backup and disaster recovery mechanisms to
ensure data availability and business continuity. Regularly test and validate the recovery process.
8. Secure Development Practices: Follow secure coding practices and conduct regular security
code reviews to mitigate vulnerabilities in cloud-based applications. Implement secure software
development lifecycle (SDLC) processes.
9. Incident Response and Forensics: Establish an incident response plan to effectively handle
security incidents. Define roles, responsibilities, and communication channels. Preserve evidence
for forensic analysis if needed.
10. Physical Security: Ensure physical security measures are in place at data centers and facilities
hosting cloud infrastructure. This includes access controls, surveillance systems, and
environmental controls.
11. Data Privacy: Comply with data privacy laws and regulations applicable to the cloud
architecture. Implement mechanisms to protect personally identifiable information (PII) and other
sensitive data.
12. Regular Training and Awareness: Educate employees and users about security best practices,
policies, and potential threats. Conduct security awareness training and simulate phishing attacks
to promote a security-conscious culture.
Some of the elements to keep in mind when designing cloud infrastructure or as you navigate the cloud as
a whole are:
• Security at Each Layer
• Centralized Management of Components
• Design for Redundancy in Case of Failures
• Design for Elasticity & Scalability
• Choose the Right Storage for Your Deployments
• Plan for Alerts & Notifications
• Centralization, Standardization & Automation
Security at Each Layer:
• Ensure that each layer of the cloud’s security stack is “self-defending.”
• There may be multiple components in each layer, so having defense-in-depth is critical.
• This goes into having things like automatic updates on operating systems, secure coding
and monitoring logs.
Centralized Management of Components:
• This is taking the concept of multiple components in each layer and managing each,
especially security, from one place, making sure to incorporate efficiency
opportunities.
Design for Redundancy in Case of Failures:
• Even though most of us hate the concept of failure, we have to design our cloud
infrastructure for the possibility that it will happen.
• This means building out disaster recovery plans and having backups on hand to
re-establish operations.
• Another aspect of this is making sure you have resiliency built into all components, or at
least the ones that continuously need to be online.
Design for Elasticity & Scalability:
• When it comes to elasticity, we have to keep in mind specific design options.
• When scaling, should it be a horizontal or vertical scale? In other words, can you make
the server bigger or add more servers/services? You need to keep in mind what images
you will use to deploy new systems or services.
• What are the thresholds that dictate the scaling up or down? What is the location or
region that the new components will operate in? All of these need to be answered before
you build out your architecture.
Choose the Right Storage for Your Deployments:
• When choosing storage, it comes down to your organization’s use cases and needs.
• Take time to look at the options available as they are not created equal. Each has its
security controls and different performance specifications.
• This is a time to revisit data security strategies and make sure you are following the
company’s guidelines.
Plan for Alerts & Notifications:
• This is one of the most critical aspects of security architecture design. While designing
how the components will talk to each other and how users interact with those
components, you need to ensure that you are being alerted and notified.
• This keeps you in the loop on what is happening in your cloud infrastructure.
• Your primary source of information is the logs created, so it is vital to enable logging
wherever you can, such as instance, network, identity, access and service activity.
Centralization, Standardization & Automation:
• Centralization, Standardization and Automation (CSA) is something that needs to be
thought about during design.
• Centralization is using services and tools that can be integrated into a single dashboard
for viewing.
• Standardization is creating consistent architectural security models across the vast
number of services offered in the cloud, reducing the burden of implementing those
new services.
• Finally, Automation: the more you can automate your infrastructure, the quicker you can
scale and respond to incidents and issues.
Securing private and public clouds
Securing private and public clouds is crucial for maintaining the integrity, confidentiality, and
availability of data and resources in cloud environments. Here are some important measures to consider
for cloud security:
1. Data Encryption: Encrypt sensitive data at rest and in transit to protect it from unauthorized
access. Use strong encryption algorithms and ensure proper key management.
2. Access Control: Implement robust access controls to limit who can access cloud resources and
data. Use strong authentication mechanisms such as multi-factor authentication (MFA) and
enforce the principle of least privilege, granting users only the permissions they need.
3. Network Security: Deploy firewalls, intrusion detection/prevention systems, and network
segmentation to secure the cloud network infrastructure. Apply security groups and network
access control lists (ACLs) to control inbound and outbound traffic.
4. Patch Management: Regularly apply security patches and updates to the cloud infrastructure,
including operating systems, virtualization software, and applications. Promptly address any
vulnerabilities to mitigate the risk of exploitation.
5. Security Monitoring and Logging: Implement comprehensive logging and monitoring solutions
to detect and respond to security incidents. Monitor cloud resources, network traffic, and user
activities for any suspicious behavior.
6. Security Auditing and Compliance: Perform regular security audits to ensure compliance with
relevant industry standards and regulations. Conduct vulnerability assessments and penetration
testing to identify weaknesses in the cloud environment.
7. Identity and Access Management (IAM): Utilize IAM solutions to manage user identities,
roles, and permissions in the cloud environment. Use centralized authentication and authorization
mechanisms to streamline access control.
8. Data Backup and Disaster Recovery: Implement a robust backup and recovery strategy to
protect against data loss and ensure business continuity. Regularly back up critical data and test
the restoration process to validate its effectiveness.
9. Vendor Security Assessment: If using a public cloud provider, assess their security practices and
capabilities. Review their certifications, security controls, and compliance with industry
standards.
10. Employee Training and Awareness: Educate employees about cloud security best practices,
including strong password hygiene, identifying phishing attempts, and adhering to security
policies. Foster a culture of security awareness throughout the organization.
11. Incident Response Planning: Develop a comprehensive incident response plan to address
security breaches and other incidents. Define roles and responsibilities, establish communication
channels, and conduct periodic drills to ensure an effective response.
Security patterns in cloud security
1. Shared Responsibility Model: This pattern defines the security responsibilities between cloud
service providers (CSPs) and customers. It helps clarify which security aspects are managed by
the CSP and which are the customer's responsibility. This pattern ensures transparency and
accountability in cloud security.
2. Identity and Access Management (IAM): IAM patterns focus on establishing strong user
authentication, authorization, and access control mechanisms. This includes implementing multi-
factor authentication (MFA), role-based access control (RBAC), and fine-grained access policies
to protect resources and prevent unauthorized access.
3. Data Encryption: Encryption patterns ensure that data is protected both in transit and at rest.
This involves using strong encryption algorithms and secure key management practices to
safeguard sensitive information stored in the cloud. Encryption can be applied to data at various
levels, including storage, database, and application layers.
4. Network Segmentation: This pattern involves dividing a cloud network into isolated segments or
virtual private clouds (VPCs) to create security boundaries. Network segmentation helps prevent
lateral movement and restricts unauthorized access between different components or services
within the cloud environment.
5. Logging and Monitoring: Logging and monitoring patterns enable the collection, analysis, and
alerting of security-relevant events and activities within the cloud infrastructure. This includes
implementing centralized logging, real-time monitoring, and security information and event
management (SIEM) solutions to detect and respond to security incidents.
6. Infrastructure as Code (IaC) Security: IaC security patterns focus on secure provisioning and
management of cloud resources using automated configuration management tools. This ensures
that cloud infrastructure is deployed with security controls in place, such as secure network
configurations, properly configured firewalls, and secure baseline configurations.
7. Disaster Recovery and Business Continuity: These patterns involve implementing backup and
disaster recovery mechanisms to protect data and ensure continuous operation of critical services
in case of disruptions or failures. This includes regular data backups, replication across multiple
regions, and automated failover mechanisms.
8. DevSecOps: DevSecOps patterns integrate security practices into the software development and deployment
lifecycle. This includes incorporating security testing, vulnerability scanning, and code analysis
tools into the continuous integration and continuous deployment (CI/CD) pipelines to identify
and address security issues early in the development process.
9. Threat Intelligence and Intrusion Detection: These patterns involve using threat intelligence
feeds, anomaly detection algorithms, and intrusion detection systems (IDS) to identify and
respond to potential security threats in real-time. This helps in proactively mitigating attacks and
minimizing the impact of security incidents.
10. Compliance and Governance: These patterns focus on meeting regulatory requirements and
ensuring adherence to security best practices. This includes implementing security controls and
conducting regular audits to assess compliance, as well as establishing robust governance
processes to monitor and manage security risks.
Cloud Security Architecture

o IaaS is the most basic level of service, with PaaS and SaaS the next two levels above it.

o Moving upwards, each service inherits the capabilities and security concerns of the model
beneath.
o IaaS provides the infrastructure, PaaS provides the platform development environment, and SaaS
provides the operating environment.
o IaaS has the lowest integrated functionality and security level, while SaaS has the highest.

o This model describes the security boundaries at which cloud service providers' responsibilities
end and customers' responsibilities begin.
o Any protection mechanism below the security boundary must be built into the system and maintained
by the customer.
What is Cloud Security Architecture?
A cloud security architecture is defined by the security layers, design, and structure of the platform,
tools, software, infrastructure, and best practices that exist within a cloud security architecture.
A cloud security architecture provides the written and visual model to define how to configure and secure
activities and operations within the cloud.
Security Planning
Before deploying a particular resource to the cloud, you should analyze several aspects of the
resource, such as:
 Select the resource that needs to move to the cloud and analyze its sensitivity to risk.
 Consider cloud service models such as IaaS, PaaS, and SaaS. These models require the customer to be
responsible for security at different service levels.
 Consider the cloud type, such as public, private, community, or
 Understand the cloud service provider's system regarding data storage and its transfer into and
out of the cloud.
 The risk in cloud deployment mainly depends upon the service models and cloud types.

Infrastructure security in cloud security


 Cloud infrastructure security is the practice of securing resources deployed in a cloud
environment and supporting systems.

 Cloud infrastructure is made up of at least 7 basic components, including user accounts, servers,
storage systems, and networks.

 Cloud environments are dynamic, with short-lived resources created and terminated many
times per day.

 This means each of these building blocks must be secured in an automated and systematic
manner.
Securing 7 Key Components of Your Cloud Infrastructure

Here are key best practices for securing the key components of a typical cloud environment.

1. Accounts

 Service accounts in the cloud are typically privileged accounts, which may have access to critical
infrastructure.

 Once compromised, attackers have access to cloud networks and can access sensitive resources
and data.

 Use identity and access management (IAM) to set policies controlling access and authentication
to service accounts.

 Use a cloud configuration monitoring tool to automatically detect and remediate non-secured
accounts.

 Finally, monitor usage of sensitive accounts to detect suspicious activity and respond.

2. Servers

 While a cloud environment is virtualized, behind the scenes it is made up of physical hardware
deployed at multiple geographical locations.

 This includes physical servers, storage devices, load balancers, and network equipment like
switches and routers.

 Here are a few ways to secure a cloud server, typically deployed using a compute service like
Amazon EC2:

 Control inbound and outbound communication—your server should only be allowed to connect
to networks, and specific IP ranges needed for its operations.
 For example, a database server should not have access to the public internet, or any other IP,
except those of the application instances it serves.

 Encrypt communications—whether communications go over public networks or within a secure
private network, they should be encrypted to avoid man in the middle (MiTM) attacks. Never use
unsecured protocols like Telnet or FTP. Transmit all data over HTTPS, or other secure protocols
like SCP (Secure Copy) or SFTP (Secure FTP).

 Use SSH keys—avoid accessing cloud servers using passwords, because they are vulnerable to
brute force attacks and can easily be compromised.

 Use SSH (Secure Shell or Secure Socket Shell) keys, which leverage public/private key cryptography for
more secure access.

 Minimize privileges—only users or service roles that absolutely need access to a server should
be granted access.

 Carefully control the access level of each account to ensure it can only access the specific files
and folders, and perform the specific operations, needed for its role.

 Avoid using the root user—any operation should be performed using identified user accounts.

3. Hypervisors

A hypervisor runs on physical hardware, and makes it possible to run several virtual machines (VMs),
each with a separate operating system.

All cloud systems are based on hypervisors.

Therefore, hypervisors are a key security concern, because compromise of the hypervisor (an attack
known as hyperjacking) gives the attacker access to all hosts and virtual machines running on it.

Here are a few ways to ensure your hypervisor is secure:

 Ensure machines running hypervisors are hardened, patched, isolated from public networks,
and physically secured in your data center

 Assign least privileges to local user accounts, carefully controlling access to the hypervisor

 Harden, secure, and closely monitor machines running the virtual machine monitor (VMM)
and virtualization management software, such as VMware vSphere

 Secure and monitor shared hardware caches and networks used by the hypervisor

 Pay special attention to hypervisors in development and testing environments—ensure
appropriate security measures are applied when a new hypervisor is deployed to production

4. Storage

In cloud systems, virtualization is used to abstract storage from hardware systems.

Storage systems become elastic pools of storage, or virtualized resources that can be provisioned and
scaled automatically.
Here are a few ways to secure your cloud storage services:

 Identify which devices or applications connect to cloud storage, which cloud storage services
are used throughout the organization, and map data flows.

 Block access to cloud storage for internal users who don’t need it

 Classify data into sensitivity levels—a variety of automated tools are available. This can help you
focus on data stored in cloud storage that has security or compliance implications.

 Remove unused data—cloud storage can easily scale and it is common to retain unnecessary
data, or entire data volumes or snapshots that are no longer used.

 Carefully control access to data using identity and access management (IAM) systems, and
applying consistent security policies for cloud and on-premises systems.

 Use cloud data loss prevention (DLP) tools to detect and block suspicious data transfers

5. Databases

Databases in the cloud can easily be exposed to public networks, and almost always contain sensitive
data, making them an imminent security risk.

Here are a few ways to improve security of databases in the cloud:

 Hardening configuration and instances—if you deploy a database yourself in a compute
instance, it is your responsibility to harden the instance and securely configure the database.

If you use a managed database service, these concerns are typically handled by the cloud provider.

 Database security policies—ensure database settings are in line with your organization’s security
and compliance policies. Map your security requirements and compliance obligations to specific
settings on cloud database systems.

 Network access—as a general rule, databases should never be exposed to public networks and
should be isolated from unrelated infrastructure.

 Permissions—grant only the minimal level of permissions to users, applications and service
roles. Avoid “super users” and administrative users with blanket permissions. Each administrator
should have access to the specific databases they work on.

 End user device security—security is not confined to the cloud environment. You should be
aware of which endpoint devices administrators are using to connect to your database.

6. Network

Here are a few ways you can secure cloud networks:

 Use security groups to set rules that define what traffic can flow between cloud resources.

 Use Network Access Control Lists (ACL) to control access to virtual private networks. ACLs
provide both allow and deny rules.
 Use additional security solutions such as firewalls as a service (FWaaS) and web application
firewalls (WAF) to actively detect and block malicious traffic.

 Deploy Cloud Security Posture Management (CSPM) tools to automatically review cloud
networks, detect non-secure or vulnerable configurations and remediate them.
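
The network and server guidance above (a database server reachable only from the application instances it serves, no Telnet or FTP) can be checked mechanically against a rule set. The following is an added example, not part of the original notes; the rule format, group names, `tier` labels and subnets are constructed for illustration and do not match any specific provider's API.

```python
import ipaddress

# Constructed sample rules in a simplified, provider-neutral shape (not a real
# cloud API format). "tier" labels what the security group protects.
SAMPLE_RULES = [
    {"group": "web-sg", "tier": "web", "direction": "inbound", "port": 443, "cidr": "0.0.0.0/0"},
    {"group": "db-sg", "tier": "database", "direction": "inbound", "port": 5432, "cidr": "10.0.1.0/24"},
    {"group": "db-sg", "tier": "database", "direction": "inbound", "port": 5432, "cidr": "0.0.0.0/0"},
    {"group": "db-sg", "tier": "database", "direction": "outbound", "port": 443, "cidr": "0.0.0.0/0"},
    {"group": "admin-sg", "tier": "admin", "direction": "inbound", "port": 22, "cidr": "203.0.113.0/24"},
    {"group": "admin-sg", "tier": "admin", "direction": "inbound", "port": 23, "cidr": "10.0.0.0/16"},
]

# Assumption: the application instances live in this subnet.
APP_SUBNETS = [ipaddress.ip_network("10.0.1.0/24")]

# Unencrypted protocols the notes say never to use.
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet"}


def within(net, allowed):
    """True if net is fully contained in one of the allowed networks."""
    return any(a.version == net.version and net.subnet_of(a) for a in allowed)


def audit_rules(rules, app_subnets):
    """Return (group, finding) pairs for rules that break the guidance."""
    findings = []
    for rule in rules:
        net = ipaddress.ip_network(rule["cidr"])
        if rule["port"] in CLEARTEXT_PORTS:
            findings.append((rule["group"], "cleartext " + CLEARTEXT_PORTS[rule["port"]]))
        # A database tier should talk only to the application instances it serves.
        if rule["tier"] == "database" and not within(net, app_subnets):
            findings.append((rule["group"], "database " + rule["direction"] + " beyond app tier"))
    return findings


if __name__ == "__main__":
    for group, finding in audit_rules(SAMPLE_RULES, APP_SUBNETS):
        print(group, "->", finding)
```
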

7. Kubernetes

• Code—ensuring code in containers is not malicious and uses secure coding practices

• Containers—scanning container images for vulnerabilities, and protecting containers at runtime
to ensure they are configured securely according to best practices

• Clusters—protecting Kubernetes master nodes and ensuring cluster configuration is in line with
security best practices

• Cloud—using cloud provider tools to secure the underlying infrastructure, including compute
instances and virtual private clouds (VPC)

Developing secure software is based on applying the secure software design principles that form the
fundamental basis for software assurance.

The Data and Analysis Center for Software (DACS) suggests that three important properties are required to
ensure security:

 Dependability

 Trustworthiness

 Survivability (Resilience)

Dependability

Software that executes predictably and operates correctly under a variety of conditions, including when
under attack or running on a malicious host

Trustworthiness

Software that contains a minimum number of vulnerabilities or no vulnerabilities or weaknesses that
could interrupt the software’s dependability.

It must also be resistant to malicious logic.

Survivability (Resilience)

Software that is resistant to or tolerant of attacks and has the ability to recover as quickly as possible
with as little harm as possible
Confidentiality, Integrity, and Availability (CIA)

Confidentiality, integrity, and availability are sometimes known as the CIA triad of information system
security, and are important pillars of cloud software assurance.

1. Confidentiality

Confidentiality refers to the prevention of intentional or unintentional unauthorized disclosure of
information.

Confidentiality in cloud systems is related to the areas of

 Intellectual property rights,

 Covert channels

 Traffic analysis

 Encryption

 Inference

1.1 Intellectual property rights

 Intellectual property (IP) includes inventions, designs, and creative, musical, and literary works.

 Rights to intellectual property are covered by copyright laws, which protect creations of the
mind, and patents, which are granted for new inventions.

1.2 Covert channels

 A covert channel is an unauthorized and unintended communication path that enables the
exchange of information.

 Covert channels can be accomplished through timing of messages or inappropriate use of
storage mechanisms.

1.3 Traffic analysis

 Traffic analysis is a form of confidentiality breach that can be accomplished by analyzing the
volume, rate, source, and destination of message traffic, even if it is encrypted.

 Increased message activity and high bursts of traffic can indicate a major event is occurring.

 Countermeasures to traffic analysis include maintaining a near-constant rate of message traffic
and hiding the source and destination locations of the traffic.

1.4 Encryption

 Encryption involves scrambling messages so that they cannot be read by an unauthorized
entity, even if they are intercepted.

 The amount of effort (work factor) required to decrypt the message is a function of the strength
of the encryption key and the robustness and quality of the encryption algorithm.
1.5 Inference

 Inference is usually associated with database security.

 Inference is the ability of an entity to use and correlate information protected at one level of
security to uncover information that is protected at a higher security level.

2. Integrity

Integrity requires that the following three principles are met:

 Modifications are not made to data by unauthorized personnel or processes.

 Unauthorized modifications are not made to data by authorized personnel or processes.

 The data is internally and externally consistent; in other words, the internal information is
consistent both among all sub-entities and with the real-world, external situation.

3. Availability

 Availability ensures the reliable and timely access to cloud data or cloud computing resources
by the appropriate personnel.

 Availability guarantees that the systems are functioning properly when needed.

 A denial-of-service attack is an example of a threat against availability.

Cloud Security Services

Additional factors that directly affect cloud software assurance include

 Authentication

 Authorization

 Auditing

 Accountability

Authentication

 Authentication is the testing or understanding of evidence of a user’s identity.

 It establishes the user’s identity and ensures that users are who they claim to be.

 For example, a user presents an identity (user ID) to a computer login screen and
then has to provide a password.

1. Authorization

 Authorization refers to rights and privileges granted to an individual or process that enable
access to computer resources and information assets.
 Once a user’s identity and authentication are established, authorization levels determine the
extent of system rights a user can hold.

2. Auditing

To maintain operational assurance, organizations use two basic methods:

 System audits

 Monitoring.

These methods can be employed by the cloud customer, the cloud provider, or both, depending on
asset architecture and deployment.

 A system audit is a one-time or periodic event to evaluate security.

 Monitoring refers to an ongoing activity that examines either the system or the users, such as
intrusion detection.

Information technology (IT) auditors are often divided into two types:

 Internal

 External

Internal auditors typically work for a given organization, whereas external auditors do not.

IT auditors typically audit the following functions:

 System and transaction controls

 Systems development standards

 Backup controls

 Data library procedures

 Data center security

 Contingency plans

Audit logs should record the following:

 The transaction’s date and time

 Who processed the transaction

 At which terminal the transaction was processed

 Various security events relating to the transaction

In addition, an auditor should examine the audit logs for the following:

 Amendments to production jobs


 Production job reruns

 Computer operator practices

 All commands directly initiated by the user

 All identification and authentication attempts

 Files and resources accessed
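
The two lists above translate directly into a log check: reject records that lack the required fields, then review the authentication attempts. The following is an added example, not part of the original notes; the one-JSON-record-per-line format, the field and event names, the threshold of three and the sample log are all constructed assumptions.

```python
import json
from collections import Counter
from datetime import datetime

# Fields the notes say every audit record must carry.
REQUIRED = ("timestamp", "user", "terminal", "event")
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample log, one JSON record per line (format is an assumption).
SAMPLE_LOG = """\
{"timestamp": "2024-05-01T09:00:02Z", "user": "alice", "terminal": "ws-12", "event": "auth_success"}
{"timestamp": "2024-05-01T09:01:10Z", "user": "bob", "terminal": "ws-07", "event": "auth_failure"}
{"timestamp": "2024-05-01T09:01:14Z", "user": "bob", "terminal": "ws-07", "event": "auth_failure"}
{"timestamp": "2024-05-01T09:01:19Z", "user": "bob", "terminal": "ws-07", "event": "auth_failure"}
{"timestamp": "2024-05-01T09:02:00Z", "user": "carol", "event": "file_access", "resource": "/payroll/q1.csv"}
{"timestamp": "2024-05-01T09:02:30Z", "user": "bob", "terminal": "ws-07", "event": "auth_success"}
corrupted line without structure
"""


def parse_records(text):
    """Split the log into usable records and (line number, reason) rejects."""
    records, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            rejected.append((lineno, "not JSON"))
            continue
        missing = [f for f in REQUIRED if not (isinstance(rec, dict) and rec.get(f))]
        if missing:
            rejected.append((lineno, "missing " + ",".join(missing)))
            continue
        try:
            rec["when"] = datetime.strptime(rec["timestamp"], TS_FORMAT)
        except (TypeError, ValueError):
            rejected.append((lineno, "bad timestamp"))
            continue
        records.append(rec)
    return records, rejected


def repeated_failures(records, threshold=3):
    """Count failed authentication attempts per (user, terminal)."""
    counts = Counter((r["user"], r["terminal"]) for r in records
                     if r["event"] == "auth_failure")
    return {src: n for src, n in counts.items() if n >= threshold}


def success_after_failures(records, threshold=3):
    """Sources whose repeated failures were followed by a successful login."""
    hits = []
    for src in repeated_failures(records, threshold):
        last_fail = max(r["when"] for r in records
                        if (r["user"], r["terminal"]) == src and r["event"] == "auth_failure")
        if any((r["user"], r["terminal"]) == src and r["event"] == "auth_success"
               and r["when"] > last_fail for r in records):
            hits.append(src)
    return hits
```

A record that cannot say who acted or from which terminal is itself a finding, which is why rejected lines are returned rather than silently dropped.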

3. Accountability

 Accountability is the ability to determine the actions and behaviors of a single individual
within a cloud system and to identify that particular individual.

 Audit trails and logs support accountability and can be used to conduct examination studies in
order to analyze historical events and the individuals or processes associated with those events.

Understanding data security

Since all data is transferred using the Internet, data security in the cloud is a major concern.

Here are the key mechanisms to protect the data.

 access control

 audit trail

 certification

 authority

The service model should include security mechanisms working in all of the above areas.

Separate access to data

Since the data stored in the cloud can be accessed from anywhere, we need to have a mechanism to
isolate the data and protect it from the client's direct access.

Brokered cloud storage access is a way of separating storage in the cloud.

In this approach, two services are created:

A broker has full access to the storage but does not have access to the client.

A proxy does not have access to storage but has access to both the client and the broker.

When the client issues a request to access data:

1. The client data request goes to the external service interface of the proxy.

2. The proxy forwards the request to the broker.

3. The broker requests the data from the cloud storage system.
4. The cloud storage system returns the data to the broker.

5. The broker returns the data to the proxy.

6. Finally, the proxy sends the data to the client.
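
The separation described above can be modelled in a few classes: the proxy faces the client but holds no storage handle, and the broker reaches storage but accepts requests only from the proxy. The following is an added example, not part of the original notes; the class names, the HMAC tag used to authenticate the proxy to the broker, the access list and the sample object are assumptions made for illustration.

```python
import hashlib
import hmac


class CloudStorage:
    """Stand-in for the cloud storage system (constructed sample data)."""
    def __init__(self, objects):
        self._objects = dict(objects)

    def read(self, key):
        return self._objects[key]


class Broker:
    """Has full access to storage; never talks to the client."""
    def __init__(self, storage, proxy_key):
        self._storage = storage
        self._proxy_key = proxy_key  # assumption: key shared with the proxy only

    def fetch(self, key, tag):
        expected = hmac.new(self._proxy_key, key.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise PermissionError("request was not issued by the proxy")
        return self._storage.read(key)  # broker asks storage, storage answers


class Proxy:
    """Client-facing service; holds a broker reference but no storage handle."""
    def __init__(self, broker, proxy_key, acl):
        self._broker = broker
        self._proxy_key = proxy_key
        self._acl = acl  # client id -> set of keys that client may read

    def handle(self, client_id, key):  # external service interface
        if key not in self._acl.get(client_id, set()):
            raise PermissionError("client may not read " + key)
        tag = hmac.new(self._proxy_key, key.encode(), hashlib.sha256).digest()
        return self._broker.fetch(key, tag)  # forward, then relay the reply


def denied(call, *args):
    """True if the call is refused with PermissionError."""
    try:
        call(*args)
    except PermissionError:
        return True
    return False


def build_demo():
    key = b"constructed-demo-key"  # placeholder secret for the example
    storage = CloudStorage({"reports/q1.txt": b"quarterly figures"})
    broker = Broker(storage, key)
    proxy = Proxy(broker, key, {"client-a": {"reports/q1.txt"}})
    return proxy, broker


if __name__ == "__main__":
    proxy, broker = build_demo()
    print(proxy.handle("client-a", "reports/q1.txt"))
    print(denied(proxy.handle, "client-b", "reports/q1.txt"))
    print(denied(broker.fetch, "reports/q1.txt", b"\x00" * 32))
```
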
