CLOUD COMPUTING [3170717]
Unit-5: Security
7TH SEMESTER
COMPUTER ENGINEERING (07)
FACULTY: PROF. Gunjani J. Vaghela
Security Overview
• Cloud security is the protection of data stored online via cloud computing
platforms from theft, leakage, and deletion.
• Methods of providing cloud security include firewalls, penetration testing,
tokenization, Virtual Private Networks (VPN), and avoiding public internet
connections.
• Cloud security refers to an array of policies, technological procedures,
services, and solutions designed to support safe functionality when building,
deploying and managing cloud-based applications and associated data.
Cloud Security Challenges and Risks
• Cloud computing security challenges fall into three broad categories:
1. Data protection: Securing your data both at rest and in transit.
2. User authentication: Limiting access to data and monitoring who accesses
the data.
3. Disaster and data breach: Contingency planning.
• Data protection: Data needs to be encrypted at all times, with clearly
defined roles when it comes to who will be managing the encryption
keys.
• User authentication: Data resting in the cloud needs to be accessible
only by those authorized to do so, making it critical to both restrict and
monitor who will be accessing the company's data through the cloud. In
order to ensure the integrity of user authentication, companies need to
be able to view data access logs and audit trails to verify that only
authorized users are accessing the data.
• Contingency planning: With the cloud serving as a single centralized
repository for a company's mission-critical data, the risks of having that
data compromised due to a data breach or temporarily made
unavailable due to a natural disaster are real concerns.
• Confidentiality: Confidentiality refers to limiting information access.
Sensitive information should be kept secret from individuals who are
not authorized to see the information.
Some common cloud security threats include:
a) Risks of cloud-based infrastructure including incompatible legacy IT
frameworks, and third-party data storage service disruptions.
b) Internal threats due to human error such as misconfiguration of user
access controls.
c) External threats caused almost exclusively by malicious actors, such as
malware, phishing, and DDoS attacks.
Software-as-a-Service Security
• Software-as-a-Service is a model of software deployment in which an
application is licensed for use as a service provided to customers on demand.
• On-demand licensing and use relieves the customer of the burden of
equipping a device with every application to be used.
• SaaS Security refers to securing user privacy and corporate data in
subscription-based cloud applications.
• SaaS applications carry a large amount of sensitive data and can be accessed
from almost any device by a mass of users, thus posing a risk to privacy and
sensitive information.
SaaS Security Challenges
a. Data Security: In a SaaS scenario, data resides in the database which is outside
the boundary of the enterprise and depends on the provider for proper
security measures.
b. Application Security: SaaS applications are mostly used and managed over
the web. They are presented to users in a browser. This makes it inevitable to
confront the security challenges such as SQL injection, Cross-site scripting and
Cross-site Request Forgery.
c. Software-as-a-Service Deployment Security: Virtualization refers to the act
of creating different instances on hardware and on each instance a guest OS is
installed.
SaaS Security Challenges
• Risk Management: Effective risk management entails identification of
technology assets; identification of data and its links to business processes,
applications, and data stores; and assignment of ownership.
• Risk Assessment: Security risk assessment is critical to helping the
information security organization make informed decisions when balancing
the dueling priorities of business utility and protection of assets.
• Security Portfolio Management: Lack of portfolio and project management
discipline can lead to projects never being completed; unsustainable and
unrealistic workloads and expectations because projects are not prioritized
according to strategy, goals, and resource capacity.
Cloud Security Architecture
• Cloud security architecture describes all the hardware and technologies
designed to protect data, workloads, and systems within cloud platforms.
• NIST cloud computing security reference architecture approach: The
reference architecture identifies the five major cloud actors: consumer,
provider, broker, carrier, and auditor.
Cloud computing architecture encompasses three core capabilities:
confidentiality, integrity, and availability.
1. Confidentiality is the ability to keep information secret and unreadable to
the people who shouldn't have access to that data.
2. Integrity is the idea that the systems and applications are exactly what you
expect them to be and function exactly as you expect them to function.
3. Availability speaks to Denial-of-Service (DoS) attacks. Perhaps an attacker
can't see or change your data. But if an attacker can make systems
unavailable to you or your customers, then you can't carry out tasks that
are essential to maintain your business.
General Issues Securing the Cloud
The common security issues around cloud computing are divided into four main
categories:
a) Cloud infrastructure, platform and hosted code: This comprises concerns related
to possible virtualization, storage and networking vulnerabilities.
b) Data: This category comprises the concerns around data integrity, data lock-in,
data remanence, provenance, and data confidentiality and user privacy specific
concerns.
c) Access: This comprises the concern around cloud access (authentication,
authorization and access control or AAA), encrypted data communication, and user
identity management.
d) Compliance: Because of its size and disruptive influence, the cloud is attracting
attention from regulatory agencies, especially around security audit, data location,
operation traceability and compliance concerns.
Challenges to Data Security in Cloud
1. Data residency: Many companies face legislation by their country of origin
or the local country that the business entity is operating in, requiring certain
types of data to be kept within defined geographic borders. There are
specific regulations that must be followed, centered around data access,
management and control.
2. Data privacy: Business data often needs to be guarded and protected more
stringently than non-sensitive data. The enterprise is responsible for any
breaches to data and must be able to ensure strict cloud security in order to
protect sensitive information.
3. Industry and regulation compliance: Organizations often have access to and
are responsible for data that is highly regulated and restricted.
Virtual Machine Security
• Virtual Machine (VM) Security is the practice of protecting virtual machines,
hypervisors, and their data from unauthorized access, malware, and attacks.
• Since multiple VMs share the same physical hardware, a vulnerability in one
VM can affect others — making security a critical concern in cloud computing.
• Risks / Challenges
• VM Escape → Attacker jumps from VM to hypervisor or other VMs.
• VM Sprawl → Unmonitored VMs increase attack surface.
• Data Leakage → Sensitive VM data can be exposed.
• Hypervisor Attacks → If compromised, all VMs are at risk.
• Snapshot Vulnerability → Insecure VM backups can be stolen.
Identity and Presence
• Identity : Unique digital representation of a user, device, or service in the
cloud.
• Presence : The ability to detect and confirm the availability of that identity in
real time.
• Ensures that only authorized identities can access cloud services.
Identity Management (IdM)
• Framework for managing digital identities in cloud.
• Tasks:
• Authentication (verify identity).
• Authorization (grant permissions).
• User provisioning and de-provisioning.
• Examples: Azure Active Directory, Okta
Access Control
• Ensures only authorized users/resources can access cloud data.
• Models:
• DAC (Discretionary Access Control) – resource owner decides.
• MAC (Mandatory Access Control) – strict, policy-driven (used in military).
• RBAC (Role-Based Access Control) – permissions assigned to roles (common in
cloud).
Discretionary Access Control (DAC)
• In DAC, the owner of a resource (like a file, database, or VM) decides who can
access it and what they can do (read, write, execute).
• Very flexible but less secure → because users can grant access to others.
• Example:
• In Windows OS → If you create a folder, you (owner) can give “read” access to
your friend or “full control” to another user.
• Pros: Easy to manage, user-friendly.
• Cons: Risky if owners give permissions too freely → data leakage.
Mandatory Access Control (MAC)
• In MAC, access rights are strictly controlled by a central authority based on
predefined security policies.
• Users cannot change permissions.
• Strongest model, used in highly secure environments.
• Example:
• Military and government systems use MAC.
• Files may be marked as Top Secret, Confidential, Public.
• A user with “Confidential clearance” cannot access “Top Secret” files.
• Pros: Very secure, prevents accidental data sharing.
• Cons: Inflexible, harder to manage in dynamic environments.
Role-Based Access Control (RBAC)
• In RBAC, access is given based on the role of a user in an organization, not
individual discretion.
• Roles → predefined groups with specific permissions.
• Most common in enterprises and cloud computing.
• Example:
• In a company’s cloud system:
• Admin role → Can create/delete VMs, manage users.
• Developer role → Can deploy apps but not manage users.
• Viewer role → Can only view logs, no modifications.
• Pros: Scalable, easy to manage for large organizations.
• Cons: Misconfigured roles can still cause security issues.
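The three models side by side, as an added example that is not part of the original slides. It reuses the slides' own cases (a folder owner granting "read", Confidential clearance versus Top Secret files, Admin/Developer/Viewer roles); the user names and permission strings such as "vm:create" are assumptions made for illustration.

```python
from enum import IntEnum

# DAC: the owner edits the resource's access list; no central policy reviews it.
class DacResource:
    def __init__(self, owner):
        self.owner = owner
        self.acl = {owner: {"read", "full control"}}

    def grant(self, granter, user, right):
        if granter != self.owner:
            raise PermissionError(f"{granter} is not the owner")
        self.acl.setdefault(user, set()).add(right)

    def allowed(self, user, right):
        return right in self.acl.get(user, set())

# MAC: labels and clearances come from central policy; users cannot alter them.
class Level(IntEnum):
    PUBLIC = 0
    CONFIDENTIAL = 1
    TOP_SECRET = 2

def mac_can_read(clearance, label):
    # Access only when the user's clearance is at least the file's label.
    return clearance >= label

# RBAC: permissions attach to roles; users only ever receive roles.
ROLE_PERMS = {
    "admin": {"vm:create", "vm:delete", "user:manage"},
    "developer": {"app:deploy"},
    "viewer": {"log:view"},
}
USER_ROLES = {"asha": {"admin"}, "ravi": {"developer"}, "guest": {"viewer"}}  # constructed

def rbac_allowed(user, permission):
    # Deny by default: unknown users or roles resolve to no permissions.
    roles = USER_ROLES.get(user, set())
    return any(permission in ROLE_PERMS.get(r, set()) for r in roles)

def dac_demo():
    folder = DacResource(owner="alice")            # constructed names
    folder.grant("alice", "friend", "read")        # owner's discretion
    try:
        folder.grant("friend", "other", "read")    # a non-owner cannot re-grant
    except PermissionError:
        pass
    return folder.allowed("friend", "read"), folder.allowed("other", "read")
```

Auditing an RBAC deployment for the misconfiguration risk noted above amounts to reviewing a table like ROLE_PERMS: every permission a role carries is inherited by every user holding that role.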
Autonomic Security
• Self-managing security system detects, analyzes, and responds automatically
to threats.
• Inspired by the human nervous system: “self-protecting, self-healing.”
• Examples: Intrusion detection systems that automatically block malicious IPs.
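A small detect, analyze, respond loop for the auto-blocking example above, added here and not part of the original slides. The log format, the threshold of 3 failures in 60 seconds and the allowlist are assumptions; the log lines are constructed and use documentation-range addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines (hypothetical format; documentation-range addresses).
SAMPLE_LOG = """\
2024-01-01T10:00:00 FAIL user=root src=203.0.113.7
2024-01-01T10:00:05 FAIL user=dev1 src=192.0.2.44
2024-01-01T10:00:10 FAIL user=admin src=203.0.113.7
2024-01-01T10:00:12 FAIL user=probe src=198.51.100.10
2024-01-01T10:00:14 FAIL user=probe src=198.51.100.10
2024-01-01T10:00:16 FAIL user=probe src=198.51.100.10
2024-01-01T10:00:20 FAIL user=test src=203.0.113.7
2024-01-01T10:00:50 FAIL user=dev1 src=192.0.2.44
2024-01-01T10:01:00 OK user=dev1 src=192.0.2.44
2024-01-01T10:02:00 FAIL user=dev1 src=192.0.2.44
"""
LINE = re.compile(r"^(\S+) (FAIL|OK) user=\S+ src=(\S+)$")

class AutoBlocker:
    def __init__(self, threshold=3, window=timedelta(seconds=60), allowlist=()):
        self.threshold, self.window = threshold, window
        self.allowlist = set(allowlist)      # sources that must never be auto-blocked
        self.failures = defaultdict(deque)   # src -> timestamps of recent failures
        self.blocked = set()

    def observe(self, line):
        m = LINE.match(line.strip())
        if not m or m.group(2) != "FAIL":    # detect: only failed logins count
            return None
        now, src = datetime.fromisoformat(m.group(1)), m.group(3)
        recent = self.failures[src]
        recent.append(now)
        while now - recent[0] > self.window:  # analyze: keep a sliding window
            recent.popleft()
        if (len(recent) >= self.threshold and src not in self.allowlist
                and src not in self.blocked):
            self.blocked.add(src)            # respond: stand-in for a firewall rule
            return src
        return None

def run(log=SAMPLE_LOG, allowlist=("198.51.100.10",)):
    ids = AutoBlocker(allowlist=allowlist)
    for line in log.splitlines():
        ids.observe(line)
    return ids.blocked
```

With the default allowlist only 203.0.113.7 is blocked: 192.0.2.44 fails three times but never three times within one window, and the allowlisted host shows why an automated response needs an exception list so it cannot lock out the organization's own systems.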
Establishing Trusted Cloud Computing
• Trust = ensuring security, privacy, and reliability of cloud services.
• Methods:
• Data encryption
• Trusted Platform Modules (TPM)
• Secure SLAs (Service Level Agreements)
• Builds confidence for enterprises to adopt cloud.
Secure Execution Environments
• Environments where applications run safely and isolated from malicious code.
• Examples:
• VM isolation
• Containers (Docker, Kubernetes).
• Trusted Execution Environment (Intel SGX).
Secure Communications
• Protects data while in transit.
• Mechanisms:
• SSL/TLS (HTTPS).
• VPNs.
• End-to-end encryption.
• Ensures confidentiality and integrity of cloud communication.
Storage Area Networks (SAN) in Cloud
• High-speed network of storage devices.
• Used in cloud data centers for large-scale storage.
• Benefits:
• Centralized storage management.
• High availability.
• Fast data access.
Disaster Recovery in Clouds
• Cloud-based strategy for recovering data & apps after failure.
• Benefits:
• Low cost compared to traditional DR sites.
• Faster recovery time (RTO).
• Geographic redundancy.
• Examples: AWS Disaster Recovery, Azure Site Recovery.