Cloud Computing

Presented By:
Dr. Sukhwinder Sharma
Associate Professor
Department of Data Science and Engineering
Manipal University Jaipur, Jaipur
Syllabus

•Introduction to Cloud Computing: Definition, Characteristics, History, Deployment Models (Public, Private,
Hybrid, Community), Service Models (IaaS, PaaS, SaaS), Cloud Architecture, Cloud Providers and Services,
Cost Benefit Analysis of Cloud Adoption.

•Virtual Machines Provisioning and Migration Services: Virtualization Concepts, Types of Virtualization,
Hypervisors, Creating and Managing Virtual Machines, Containerization (Docker, Kubernetes), High
Availability and Disaster Recovery, Cloud Migration Concepts, Cloud Migration Techniques.

•SLA Management, Cloud Security and AWS Services: Service Level Agreement (SLA), SLA Management
in Cloud, Automated Policy-based Management, Cloud Security Fundamentals, Security Challenges in the
Cloud, Vulnerability Assessment, Security and Privacy, Cloud Computing Security Architecture, Amazon Web
Services (AWS), AWS Services - Identity and Access Management (IAM), and Virtual Private Cloud (VPC).

•Advanced Topics: Serverless Computing, Edge Computing, Managed databases (RDS, NoSQL), Data
Warehousing Solutions (Redshift, BigQuery), AI/ML services in the cloud (AWS SageMaker, Google AI
Platform), Real-world Cloud Computing Case Studies, Discussion on Cloud Adoption in Various Industries.
 What is a “Secure” Computer
System?
• To decide whether a computer system is “secure”, you must first
decide what “secure” means to you, then identify the threats you
care about.

You Will Never Own a Perfectly Secure System!

• Threats - examples
• Viruses, trojan horses, etc.
• Denial of Service
• Stolen Customer Data
• Modified Databases
• Identity Theft and other threats to personal privacy
• Equipment Theft
• Hack-tivism
• Cyberterrorism
• …
 Basic Components of Security:
Confidentiality, Integrity, Availability
(CIA)
• CIA
• Confidentiality: Who is authorized to use data? C I
• Integrity: Is data “good”? S
• Availability: Can access data whenever need it?
A

S = Secure
 CIA or CIAAAN… 
(other security components added to CIA)
 Authentication
 Authorization
 Non-repudiation
 …
 Need to Balance
CIA
 Example 1: C vs. I+A
 Disconnect computer from Internet to increase
confidentiality
 Availability suffers, integrity suffers due to lost
updates

 Example 2: I vs. C+A

 Have extensive data checks by different
people/systems to increase integrity
 Confidentiality suffers as more people see data,
availability suffers due to locks on data under
verification
 Confidentiality
• “Need to know” basis for data access
• How do we know who needs what data?
Approach: access control specifies who can access what
• How do we know a user is the person she claims to be?
Need her identity and need to verify this identity
Approach: identification and authentication

• Analogously: “Need to access/use” basis for physical

assets
• E.g., access to a computer room, use of a desktop

• Confidentiality is:
• difficult to ensure
• easiest to assess in terms of success (binary in nature: Yes / No)
 Integrity
• Integrity vs. Confidentiality
• Concerned with unauthorized modification of assets (= resources)
Confidentiality - concered with access to assets
• Integrity is more difficult to measure than confidentiality
Not binary – degrees of integrity
Context-dependent - means different things in different contexts
Could mean any subset of these asset properties:
{ precision / accuracy / currency / consistency /
meaningfulness / usefulness / ...}
• Types of integrity—an example
• Quote from a politician
• Preserve the quote (data integrity) but misattribute (origin
integrity)
 Availability (1)

• Not understood very well yet

„[F]ull implementation of availability is security’s next challenge”
E.g. Full implemenation of availability for Internet users (with ensuring
security)

• Complex
Context-dependent
Could mean any subset of these asset (data or service)
properties :
{ usefulness / sufficient capacity /
progressing at a proper pace /
completed in an acceptable period of time / ...}
[Pfleeger & Pfleeger]
 Availability (2)

• We can say that an asset (resource) is available if:

• Timely request response
• Fair allocation of resources (no starvation!)
• Fault tolerant (no total breakdown)
• Easy to use in the intended way
• Provides controlled concurrency (concurrency control, deadlock
control, ...)

[Pfleeger & Pfleeger]

 4. Vulnerabilities, Threats, and
Controls
• Understanding Vulnerabilities, Threats, and Controls
• Vulnerability = a weakness in a security system
• Threat = circumstances that have a potential to cause harm
• Controls = means and ways to block a threat, which tries to exploit
one or more vulnerabilities
• Attack (materialization of a vulnerability/threat combination)
• = exploitation of one or more vulnerabilities by a threat; tries to defeat
controls
• Attack may be:
• Successful (a.k.a. an exploit)
• resulting in a breach of security, a system penetration, etc.
• Unsuccessful
• when controls block a threat trying to exploit a vulnerability
[Pfleeger & Pfleeger]
 What is Cloud Security?
• Cloud security refers to the protection of information, applications, data, platforms,
and infrastructure that operate or exist within the cloud.
• It consists of a variety of tools, policies, architectures, strategies, controls, and
technologies designed to reduce the likelihood of theft, inappropriate access,
deletion, exposure, or leakage.
• Cloud security is applicable to all types of cloud computing infrastructures,
including public clouds, private clouds, and hybrid clouds.
•Cloud security solutions offer protection from different types of threats, such as:
 Malicious activity caused by cybercriminals and nation states, including
ransomware, malware, phishing; denial of service (DoS) attacks; advanced
persistent threats; cryptojacking; brute force hacking; man-in-the-middle attacks;
zero-day attacks; and data breaches.
 Insider threats caused by rogue or disgruntled staff members; human error; staff
negligence; and infiltration by external threat actors who have obtained legitimate
credentials without authorization.
 Vulnerabilities such as flaws or weaknesses in systems, applications, procedures,
and internal controls that can accidentally or intentionally trigger a security breach
or violation.
 Modern threats targeting new technologies. Cloud security frameworks and third
party cloud security tools can help keep up with the evolving landscape of new
technologies that when implemented into an ecosystem can potentially introduce
new threats.
Vulnerability Assesment Life
Cycle
• Steps in the Vulnerability Management Life Cycle
• Discover: Inventory all assets across the network and identify host details including
operating system and open services to identify vulnerabilities. Develop a network
baseline. Identify security vulnerabilities on a regular automated schedule.
• Prioritize Assets: Categorize assets into groups or business units, and assign a
business value to asset groups based on their criticality to your business operation.
• Assess: Determine a baseline risk profile so you can eliminate risks based on asset
criticality, vulnerability threat, and asset classification.
• Report: Measure the level of business risk associated with your assets according to
your security policies. Document a security plan, monitor suspicious activity, and
describe known vulnerabilities.
• Remediate: Prioritize and fix vulnerabilities in order according to business risk.
Establish controls and demonstrate progress.
• Verify: Verify that threats have been eliminated through follow-up audits.
Privacy Security

Privacy defines the ability to secure personally identifiable data. Security define protecting against unauthorized access.

Privacy denotes anyone who feels free from some unwanted Security is some state of being free through possible threats or private
attention. freedom.

The security programs defines the set of regulations and protocols to

Privacy programs concentrate on protection personal information just
secure each confidential information resources and assets that an
like passwords, log-in credentials, etc.
enterprise owns and collects.

Privacy defines protecting sensitive information associated to Security supports protection for some types of data and information such
individuals and organisations. as the ones that are saved electronically.

To a few extent, privacy is implemented with the initiatives of security The three primary security principles are enhancing the accessibility of
and security depends on the phpMyAdmin privacy of access and information and data, maintaining the integrity of data assets, and
credentials of information. protecting confidentiality.

The security programs defines the set of regulations and protocols to

Privacy programs concentrate on protection personal information only
secure each confidential information resources and assets that an
like passwords, log-in credentials, etc.
enterprise owns and collects.

Privacy can't be adept without security. Security can be adept without privacy.
AWS
• With over 200 fully-featured services available across the world,
Amazon Web Services (AWS) is the most widely used cloud platform
globally.
Key
differentiat
ors for AWS
• Gartner named AWS as a leader for the 12th year in a row in the 2022 Gartner Magic
Quadrant for Cloud Infrastructure & Platform Services.
• AWS is innovating fast, especially in new areas such as machine learning and artificial
intelligence, the Internet of Things (IoT), serverless computing, blockchain, and even
quantum computing.
• It’s not always possible to move all workloads into the cloud, and for that purpose, AWS
provides a broad set of hybrid capabilities in the areas of networking, data, access,
management, and application services.
• For example, VMware Cloud on AWS allows customers to seamlessly run existing VMware
workloads on AWS with the skills and toolsets they already have without additional
hardware investment.
• If you want to run your workload on-premise, then AWS Outposts enables you to utilize
native AWS services, infrastructure, and operating models in almost any data center, co-
location space, or on-premises facility if you prefer to run your workload on-premise.
AWS Solution
• Amazon Web Services offers purpose-built services, ready-to-deploy
software packages, and customizable architectures with instructional
information to rapidly solve business challenges.
• Solutions are built by AWS and AWS Partners to address specific
industry, cross-industry, and technology use cases.
• The AWS Solution Provider Program (SPP) helps you to resell and
deliver AWS Services to end customers as part of your unique
offerings. This program is designed for system integrators (SIs),
Managed Service Providers (MSPs), value-added resellers (VARs), and
public sector organizations.
• As an AWS Solution Provider, you will increase your technical expertise
and access funding benefits to manage, service, support, and directly
bill your customers.
AWS Services (IAM, VPC, etc.)
• Amazon Web Services offers a broad set of global cloud-based products
including compute, storage, databases, analytics, networking, mobile,
developer tools, management tools, IoT, security, and enterprise
applications: on-demand, available in seconds, with pay-as-you-go pricing.
• From data warehousing to deployment tools, directories to content delivery,
over 200 AWS services are available.
• New services can be provisioned quickly, without the upfront fixed expense.
• This allows enterprises, start-ups, small and medium-sized businesses, and
customers in the public sector to access the building blocks they need to
respond quickly to changing business requirements.
• https://mindmajix.com/top-aws-services
• Amazon Identity and Access Management (IAM)
• Amazon Virtual Private Cloud (VPC)
Amazon Identity and Access
Management (IAM)
• AWS Identity and Access Management (IAM) is a web service that helps you
securely control access to AWS resources.
• With IAM, you can centrally manage permissions that control which AWS
resources users can access. You use IAM to control who is authenticated (signed
in) and authorized (has permissions) to use resources.
• When you create an AWS account, you begin with one sign-in identity that has
complete access to all AWS services and resources in the account. This identity is
called the AWS account root user and is accessed by signing in with the email
address and password that you used to create the account.
• We strongly recommend that you don't use the root user for your everyday tasks.
Safeguard your root user credentials and use them to perform the tasks that only
the root user can perform.
IAM features
• Shared access to your AWS account
• You can grant other people permission to administer and use resources in your AWS account without having
to share your password or access key.
• Granular permissions
• You can grant different permissions to different people for different resources. For example, you might allow
some users complete access to Amazon Elastic Compute Cloud (Amazon EC2), Amazon Simple Storage Service
(Amazon S3), Amazon DynamoDB, Amazon Redshift, and other AWS services. For other users, you can allow
read-only access to just some S3 buckets, or permission to administer just some EC2 instances, or to access
your billing information but nothing else.
• Secure access to AWS resources for applications that run on Amazon EC2
• You can use IAM features to securely provide credentials for applications that run on EC2 instances. These
credentials provide permissions for your application to access other AWS resources. Examples include S3
buckets and DynamoDB tables.
• Multi-factor authentication (MFA)
• You can add two-factor authentication to your account and to individual users for extra security. With MFA
you or your users must provide not only a password or access key to work with your account, but also a code
from a specially configured device. If you already use a FIDO security key with other services, and it has an
AWS supported configuration, you can use WebAuthn for MFA security.
• Identity federation
• You can allow users who already have passwords elsewhere—for example, in your corporate network or with an internet
identity provider—to get temporary access to your AWS account.
• Identity information for assurance
• If you use AWS CloudTrail, you receive log records that include information about those who made requests for resources in
your account. That information is based on IAM identities.
• PCI DSS Compliance
• IAM supports the processing, storage, and transmission of credit card data by a merchant or service provider, and has been
validated as being compliant with Payment Card Industry (PCI) Data Security Standard (DSS). For more information about PCI
DSS, including how to request a copy of the AWS PCI Compliance Package, see PCI DSS Level 1.
• Integrated with many AWS services
• For a list of AWS services that work with IAM, see AWS services that work with IAM.
• Eventually Consistent
• IAM, like many other AWS services, is eventually consistent. IAM achieves high availability by replicating data across multiple
servers within Amazon's data centers around the world. If a request to change some data is successful, the change is committed
and safely stored. However, the change must be replicated across IAM, which can take some time. Such changes include creating
or updating users, groups, roles, or policies. We recommend that you do not include such IAM changes in the critical, high-
availability code paths of your application. Instead, make IAM changes in a separate initialization or setup routine that you run
less frequently. Also, be sure to verify that the changes have been propagated before production workflows depend on them.
For more information, see Changes that I make are not always immediately visible.
• Free to use
• AWS Identity and Access Management (IAM) and AWS Security Token Service (AWS STS) are features of your AWS account
offered at no additional charge. You are charged only when you access other AWS services using your IAM users or AWS STS
temporary security credentials.
How Amazon IAM works?
• With AWS Identity and Access Management (IAM), you can specify
who or what can access services and resources in AWS, centrally
manage fine-grained permissions, and analyze access to refine
permissions across AWS.
When do I use IAM?
• When you are performing different job functions
• You use IAM every time you access your AWS account.
• Service user, administrator or IAM administrator
• When you are authorized to access AWS resources
• signed in to AWS as the AWS account root user, as an IAM user, or by assuming an IAM role.
• When you sign-in as an IAM user
• IAM user is an identity within your AWS account that has specific permissions for a single person or
application
• When you assume an IAM role
• IAM role is an identity within your AWS account that has specific permissions
• It is similar to an IAM user, but is not associated with a specific person
• You can temporarily assume an IAM role in the AWS Management Console by switching roles
• When you create policies and permissions
• You grant permissions to a user by creating a policy, which is a document that lists the
actions that a user can perform and the resources those actions can affect.
 Amazon Virtual Private Cloud (VPC)
• Amazon Virtual Private Cloud (VPC) is a service that lets you launch AWS resources in a logically
isolated virtual network that you define. You have complete control over your virtual networking
environment, including selection of your own IP address range, creation of subnets, and
configuration of route tables and network gateways. You can use both IPv4 and IPv6 for most
resources in your VPC, helping to ensure secure and easy access to resources and applications.
• As one of AWS's foundational services, Amazon VPC makes it easy to customize your VPC's network
configuration. You can create a public-facing subnet for your web servers that have access to the
internet.
• It also lets you place your backend systems, such as databases or application servers, in a private-
facing subnet with no internet access. Amazon VPC lets you to use multiple layers of security,
including security groups and network access control lists, to help control access to Amazon Elastic
Compute Cloud (Amazon EC2) instances in each subnet.
• Amazon Virtual Private Cloud is a commercial cloud computing service that provides a virtual private
cloud, by provisioning a logically isolated section of Amazon Web Services Cloud. Enterprise
customers can access the Amazon Elastic Compute Cloud over an IPsec based virtual private
network.
Benefits of Amazon VPC
• Increased Security
• Secure and monitor connections, screen traffic, and restrict
instance access inside your virtual network.
• Save Time
• Spend less time setting up, managing, and validating your
virtual network.
• Manage and Control your Environment
• Customize your virtual network by choosing your own IP
address range, creating subnets, and configuring route tables.
How Amazon VPC works?
• Amazon Virtual Private Cloud (Amazon VPC) gives you
full control over your virtual networking environment,
including resource placement, connectivity, and
security.
• Get started by setting up your VPC in the AWS service console.
• Next, add resources to it such as Amazon Elastic Compute Cloud (EC2) and
Amazon Relational Database Service (RDS) instances.
• Finally, define how your VPCs communicate with each other across accounts,
Availability Zones, or AWS Regions.
Example VPC
• The VPC has one subnet in each of the Availability
Zones in the Region, EC2 instances in each subnet, and
an internet gateway to allow communication between
the resources in your VPC and the internet.
• In the example below, network traffic is being shared between two
VPCs within each Region.
Features
• Virtual private clouds (VPC)
• A VPC is a virtual network that closely resembles a traditional network that you'd operate in your own
data center. After you create a VPC, you can add subnets.
• Subnets
• A subnet is a range of IP addresses in your VPC. A subnet must reside in a single Availability Zone. After
you add subnets, you can deploy AWS resources in your VPC.
• IP addressing
• You can assign IP addresses, both IPv4 and IPv6, to your VPCs and subnets. You can also bring your public
IPv4 and IPv6 GUA addresses to AWS and allocate them to resources in your VPC, such as EC2 instances,
NAT gateways, and Network Load Balancers.
• Routing
• Use route tables to determine where network traffic from your subnet or gateway is directed.
• Gateways and endpoints
• A gateway connects your VPC to another network. For example, use an internet gateway to connect your
VPC to the internet. Use a VPC endpoint to connect to AWS services privately, without the use of an
internet gateway or NAT device.
• Peering connections
• Use a VPC peering connection to route traffic between the resources in two VPCs.
• Traffic Mirroring
• Copy network traffic from network interfaces and send it to security and
monitoring appliances for deep packet inspection.
• Transit gateways
• Use a transit gateway, which acts as a central hub, to route traffic between your
VPCs, VPN connections, and AWS Direct Connect connections.
• VPC Flow Logs
• A flow log captures information about the IP traffic going to and from network
interfaces in your VPC.
• VPN connections
• Connect your VPCs to your on-premises networks using AWS Virtual Private
Network (AWS VPN).
Working with Amazon VPC
• You can create and manage your VPCs using any of the following interfaces:
• AWS Management Console: Provides a web interface that you can use to access your
VPCs.
• AWS Command Line Interface (AWS CLI): Provides commands for a broad set of AWS
services, including Amazon VPC, and is supported on Windows, Mac, and Linux. For
more information, see AWS Command Line Interface.
• AWS SDKs: Provides language-specific APIs and takes care of many of the connection
details, such as calculating signatures, handling request retries, and error handling. For
more information, see AWS SDKs.
• Query API: Provides low-level API actions that you call using HTTPS requests. Using the
Query API is the most direct way to access Amazon VPC, but it requires that your
application handle low-level details such as generating the hash to sign the request,
and error handling. For more information, see Amazon VPC actions in the Amazon EC2
API Reference.
Pricing for Amazon VPC
• There's no additional charge for using a VPC.
• There are charges for some VPC components, such as NAT gateways,
IP Address Manager, traffic mirroring, Reachability Analyzer, and
Network Access Analyzer.
• Public IPv4 addresses are charged.
Use Cases
• Launch a Simple Website or Blog
• Improve your web application
security posture by enforcing rules
on inbound and outbound
connections.
• Host Multi-tier Web Applications
• Define network connectivity and
restrictions between your web
servers, application servers, and
databases.
• Create Hybrid Connections
• Build and manage a compatible VPC
network across your AWS services