Unit-5

Cloud Security
 Cloud computing
• Cloud computing refers to the on demand delivery of computing
services such as applications, computing resources, storage,
database, networking resources etc. through internet and on a
pay as per use basis.
 At the present time the demand for cloud computing services are
increasing with respect to that demand for cloud computing
skills is also increasing. It provides three main types of service
models i.e.SaaS
(Software as a Service), PaaS (Platform as a Service) and IaaS (
Infrastructure as a Service)
✘ With this as starting from small to large organizations have
started using cloud services so depending upon their
requirement they go for the different types of cloud
deployment like Public cloud, Private cloud, Hybrid cloud,
Community cloud.
 Cloud Security Fundamentals
✘ Where there are different types of cloud deployment models are
available and cloud services are provided as per requirement like
that internally and externally security is maintained to keep the
cloud system safe. Cloud computing security or cloud security is
an important concern which refers to the act of protecting cloud
environments, data, information and applications against
unauthorized access, DDOS attacks, malwares, hackers and
other similar attacks.
✘ Community Cloud : These allow to a limited set of organizations or
employees to access a shared cloud computing service environment.
✘ Cloud security is the first and foremost concern of every industry using
cloud services. A cloud vendor must ensure that the customer does not
face any difficulties such as loss of data or data theft. There is a
possibility that a malicious user can go through the cloud by
impersonating a legal user, thereby infecting the cloud services and
hence affecting various customers sharing the malicious cloud services
 Cloud Risk
✘ When infrastructure, applications, data and storage are hosted by cloud
providers, there is a huge chance of risk in each type of service offering.
This is known as cloud risk.
✘ Organizations such as the Cloud Security Alliance (CSA) offer
certification to cloud providers that meet their criteria. The CSA’s Trusted
Cloud Initiative program was created to help cloud service provider enable
industry-recommended standards, secure access, compliance management,
interoperable identity and follow best practices.
 Cloud Risk Division
Cloud Risks can be divided into the following four major
categories:
1. Privacy and organizational risks
2. Technical risks
3. Legal risks
4. Other risks
 Privacy and organizational Risks
1. Lock-in: Cloud lock-in(also known as vendor lock-in or data
lock-in) occurs when transitioning data, products or services
to another vendor’s platform is difficult and costly, making
customers more dependent (locked-in) on a single cloud
storage solution.
2. Loss of governance: The loss of governance in cloud
computing occurs when businesses migrate workloads from
an exclusively on-premises IT infrastructure to the cloud
without a suitable governance policy in place.
3 Compliance challenges: Cloud compliance is the art and
science of complying with regulatory standards of cloud usage
in accordance with industry guidelines and local, national, and
international laws.
4. Cloud service termination or failure: There must be 24x7 support and high
availability of all services, but in the competitive world of IT, an adequate
business strategy, lack of financial support and other factors could lead some
providers to go out of business or shut down their service portfolio offering.
And it is possible that for a short or medium period of time some cloud
computing services could be terminated.
5 Supply Chain Failure: Supply chain failure as a breakdown caused by either
the internal operations or external suppliers that cause significant quality,
delivery or cost impact to your company and/or customers. Many times, blame
is place on outside suppliers or contract manufacturers without proper root
cause analysis.
 Technical Risks
1. Isolation failure: multi-tenancy and shared resources are
defining characteristics of cloud computing. This risk
category covers the failure of mechanisms separating storage,
memory, routing and even reputation between different
tenants.
2. Resource exhaustions : Resource exhaustion attacks generally
exploit a software bug or design deficiency. In software with
manual memory management (most commonly written in C
or C++), memory leaks are a very common bug exploited for
resource exhaustion.
3. Cloud provider malicious insider: malicious insider is an insider who
intends to cause damage to the organization for personal gain. Because of
their access and knowledge of the organization's most valuable assets, attacks
involving malicious insiders are harder to identify and remediate than those that
originate from outside the organization.
4.Intercepting data in transit: The data is vulnerable while it is being
transmitted. Data can be intercepted and compromised as it travels across the
network where it is out of a user's direct control. For this reason, data should be
encrypted when in transit. Encryption makes the data unreadable if it falls into
the hands of unauthorized users.
5 Insecure or ineffective deletion of data: When it comes to deleting or
completely destroying old data from your computer, laptop, hard drive or
other media devices, it is vital to keep safety and security the main
priorities. Many people and even companies often use unsafe methods to
destroy or erase confidential data. Simply deleting or reformatting your
computer may not be secure or safe enough. Continuing to practice poor
data destruction methods will inevitably lead to identity theft and data
breaches.
6 Conflicts between customer hardening procedures and cloud environment:
Cloud providers follows different servers or different hardening
mechanisms that are little different from traditional server hardening
procedures.
7 Loss of encryption keys: This includes disclosure of secret
keys( e.g file encryption, Customer private keys) or
passwords to malicious parties, the loss or corruption of those
keys.
8 Malicious probes or scams: Malicious probes or scams are
indirect threats to the assets being considered. They can be
used to collect information in the context of a hacking effort.
A probable impact could be a loss of confidentiality, integrity
and availability of service and data.
9 Compromise service engine: cloud provider rely on specific
service engine that is placed on top of physical hardware. For
IaaS, this can be hypervisor. For PaaS, it can be hosted
application. Hacking the service engine may be useful to
escape the isolation.
 Legal Risks
1. Risk from changes of jurisdiction:Customer data may be kept
in several jurisdictions, some of which may be high risk. If
data centres are located in high-risks countries, sites could be
attacked by local authorities and data or systems subject to
enforced disclosure or seizure.
2. Licensing risks:Licensing conditions, such as per-seat
agreements and online licensing checks unstable in a cloud
environment.
3. Data protection risks: It can be tough for the cloud customer
to efficiently check the data processing that the cloud provider
brings out and hence be sure that data is handled in a lawful
way.
 Other Risks
1. Backup lost or stolen: This risk is possible due to inadequate
physical security procedures, AAA vulnerabilities, user
provisioning vulnerabilities and user de-provisioning
vulnerabilities.
2. Unauthorized access to premises: Because of inadequate
physical security procedures, unauthorized access in datacentres
is possible is possible. Generally, cloud providers have large
datacentres; therefore, physical control of a datacentre must be
stronger because the impact of a breach of this issue could be
higher.
3. Theft of computer equipment: This risk is possible because of inadequate
physical security procedures. This risk is mainly related to the datacentres, and
dual authentication mechanism should be followed to accesses those machines.
4. Natural disasters: Natural disasters are possible any time so there must be a
perfect disaster recovery plan. Although, the risk from natural disasters is quite
less compared to traditional infrastructures because cloud providers offer
redundancy and fault tolerance by default; for examples, AWS has various
physical regions and multiple availability zone option within a region also.
 Cloud Computing Security Architecture:
Architecture view of the security issues to be
addressed in a cloud computing environment for
providing security to the customer. This architecture
defined four layers on the basis of cloud computing
services categorization.
Four Layers of security Architecture:
User Layer
[User authentication, Browser security]

Service provider layer

VM Layer
[VM level security, hypervisor security,
isolation management]

Data Centre
[Physical Hardware security, network
security]
 Layers
✘ Data Centre Layer: This layer is related to traditional
infrastructure security concerns. It consists of physical
hardware security, theft protection, network security and all
physical assets security.
✘ VM Layer: This layer involves VM level security issues, VM
monitoring, hypervisor-related security issues and VM
isolation management issues.
✘ Service provider layer: This layer is responsible for identity
and access management, service level agreement (SLA),
metering, compliance and audit- related issues.
✘ User layer: This is the first layer of user interaction. It is
responsible for user authentication and authorization and all
browser- related security issues.
VM Security Challenges:
 VM Security Challenges contd..
 Virtual machine escape:- It is an exploit in which the attacker
runs code on a VM that allows an operating system running within
it to break out and interact directly with the hypervisor. Such an
exploit could give the attacker access to the host operating system.
 VM Security Challenges contd..
o VM Hoping: VM hopping is a common attack mode in
virtualization security attacks. It means that an attacker attempts to
gain access to other virtual devices on the same Hypervisor based
on one virtual machine, and then attacks it.
o Virtualization sprawl: It is a phenomenon that occurs when the
number of virtual machines (VMs) on a network reaches a point
where administrators can no longer manage them effectively.
Virtualization sprawl is also referred to as virtual machine sprawl,
VM sprawl or virtual server sprawl.
 VM Security Challenges contd..
✘ Insecure VM migration: A workload cannot migrate to a destination
server if it does not have the computing resources required to support
it. Migration problems can occur when the destination server lacks
adequate processor cores, memory space or NIC ports or has a storage
shortage, and cannot reserve resources for the new workload.
✘ Sniffing and Spoofing: Spoofing is when an attacker creates TCP/IP
using another person's IP address. A sniffer software is placed between
two interactive endpoints in packet Sniffing, where the attacker
pretends to be one end of the connection to the target and snoops on
data sent between the two points.