Cloud Infrastructure Security Measures

» UNIT III

• Cloud Computing Infrastructure


• Cloud computing refers to providing on-demand services to customers
anywhere and at any time; the cloud infrastructure is the set of hardware
and software components that makes the complete cloud computing system
work.
• Cloud infrastructure can provide customers the same services as a
physical infrastructure. It is available for private cloud, public cloud
and hybrid cloud systems at lower cost and with greater flexibility and
scalability.
• The different components of a cloud infrastructure together support the
computing requirements of a cloud computing model. The key components
include, but are not limited to, servers, software, networking and storage
devices:
1. Hypervisor: The hypervisor is the software (or firmware) layer that
enables virtualization. It partitions the physical host's CPU, memory,
storage and network resources and allocates them to virtual machines
belonging to different customers. Because it monitors and manages those
virtual machines, the hypervisor is also called a VMM (Virtual Machine
Monitor or Virtual Machine Manager). It is the isolation boundary between
tenants sharing a host, so its attack surface must be kept small and it
must be patched promptly.
2. Management Software: Management software helps maintain and configure
the infrastructure. Cloud management software monitors and optimizes
resources, data, applications and services.
3. Deployment Software: Deployment software helps deploy and integrate
applications on the cloud; it is typically used to build the virtual
computing environment.
4. Network: The network is a key component of cloud infrastructure,
responsible for connecting cloud services over the internet. A network is
required for transmitting data and resources both externally and
internally.
5. Server: Servers are the computing portion of the cloud infrastructure.
They run and deliver cloud services to customers and partners and host the
security controls that protect those services.
6. Storage: Storage is the facility provided to organizations for storing
and managing data. Cloud storage keeps multiple copies of the data, so if
one storage resource fails the data can be served from another copy.
• Infrastructure security
• Cloud computing has become a cornerstone of modern IT operations,
providing scalable, on-demand computing resources over the internet.
However, with this transformation comes significant concern regarding the
security of cloud infrastructure, which is responsible for maintaining the
integrity, confidentiality, and availability of data and services.
• Infrastructure security in cloud computing refers to the practices,
policies, technologies, and controls put in place to safeguard the
underlying systems (physical and virtual) that support cloud services.
• Key Areas of Infrastructure Security
• Physical Security:
• Data Center Security: The physical security of data centers is
crucial to prevent unauthorized access, theft, or damage to the
hardware. This includes restricted access to the facilities,
surveillance, biometric authentication, and security guards.
• Network Security:
• Firewalls: Both hardware and software firewalls control traffic to and
from the cloud infrastructure, blocking unauthorized access and limiting
exposure to denial-of-service (DoS) attacks.
• Virtual Private Networks (VPNs): VPNs encrypt data in transit, securing
communication between users (or on-premises networks) and the cloud
infrastructure.
• Data Security and Encryption:
• Data at Rest: Data stored in the cloud must be encrypted to protect it from
unauthorized access. Encryption can be applied at the storage level (on
disk or volume) and at the database level.
• Data in Transit: Data transmitted between users and cloud services should
be encrypted with TLS (Transport Layer Security). Its predecessor SSL
(Secure Sockets Layer) is deprecated and should be disabled.
• Access Control and Identity Management:
• Authentication: Strong authentication mechanisms such as multi-factor
authentication (MFA) are critical to ensure that only authorized users have
access to the cloud infrastructure.
• Role-Based Access Control (RBAC): RBAC assigns users specific
permissions based on their roles within the organization, minimizing the
risk of unauthorized access to sensitive resources.
• Host-level security refers to the protection and hardening of the individual
machines (or virtual machines) that make up the infrastructure of an IT
environment, including physical servers, virtual hosts, and cloud instances.
It involves securing the host from both internal and external threats,
ensuring that systems are resistant to unauthorized access, malware, and
attacks that could compromise the integrity, confidentiality, and availability
of the system.
• Access control refers to the policies, procedures, and mechanisms used to
manage and regulate who can access cloud resources and what actions they
can perform. It plays a crucial role in ensuring that only authorized users
can access sensitive data and services while preventing unauthorized
access, misuse, and data breaches.
• Isolation ensures that even if one workload (e.g., a virtual machine or container)
is compromised, the attacker cannot easily escalate their privileges to affect other
workloads running on the same host.

• Patch management: Patch management is a vital component of host-level
security. It ensures that the host operating system, virtualization software
and related infrastructure are kept up to date, so that systems remain
protected against known vulnerabilities and emerging threats.
• Firewall and network security help protect hosts from unauthorized
access, data breaches and network-based attacks. At the host level,
firewalls control incoming and outgoing network traffic based on predefined
security rules, while network security measures enforce policies that
safeguard communication channels and block malicious activity.

• Monitoring and logging allow organizations to detect, investigate and respond
to security incidents. By continuously monitoring system activities and logging
important events, administrators can identify malicious behavior,
misconfigurations and other security anomalies on host machines.
• Data encryption is a fundamental aspect of host-level security,
ensuring that sensitive information remains protected both at rest and in
transit. Encryption transforms data into an unreadable format using
algorithms and cryptographic keys, ensuring that unauthorized
individuals cannot access or interpret the data without the proper
decryption key.
• Backup and recovery are critical elements of a host-level security
strategy, ensuring that data is protected from loss or corruption and that
business operations can be resumed after a disaster or security incident.
Backup refers to the process of creating copies of data and storing them
in a secure location, while recovery involves restoring that data or
system from backups in case of failure, data loss, or attack.
• Compliance and standards are essential in host-level security,
ensuring that organizations meet legal, regulatory, and industry-specific
requirements for protecting sensitive data, maintaining operational
integrity, and managing risk. Adhering to these standards helps
organizations avoid legal penalties, minimize security breaches, and
ensure trust with customers and stakeholders.
• Application-level security refers to the security measures and protocols
that protect applications, software, and their associated data from
security threats. This is an essential aspect of cybersecurity, as
applications are a primary target for attackers seeking to exploit
vulnerabilities, gain unauthorized access, or compromise data.
• Authentication and Authorization are two fundamental concepts in
security that ensure only authorized users can access a system or
application, and that they can only perform the actions or access the
data they are permitted to.
• 1. Authentication
Authentication is the process of verifying the identity of a user, system
or application, confirming that it is what it claims to be.
• 2. Authorization
Authorization is the process that defines what actions a user may perform
or what resources a user may access after authentication has completed.
• Input validation involves verifying and sanitizing data entered by users
or passed between systems to ensure that it matches the expected format
and is safe to use. Implemented properly, input validation prevents a wide
range of attacks, such as SQL injection, Cross-Site Scripting (XSS) and
command injection. Validation should be positive (an allow-list of what is
acceptable) and performed on the server side, where the attacker cannot
bypass it.
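As an added illustration (not code from the original slides), the following Python shows the SQL injection case from this bullet: a lookup built by string concatenation, the same lookup with a bound parameter, and allow-list validation placed in front of it. The table, the usernames and the username format are constructed for the example.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table for the example (hypothetical data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-a", "admin"), ("bob", "hash-b", "analyst")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: the query is assembled by string concatenation, so the
    caller's input becomes part of the SQL statement."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: a bound parameter is always treated as data, never as SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Allow-list for usernames (assumed format): a lowercase letter followed by
# 2 to 31 characters from [a-z0-9_].
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def validate_username(username: str) -> bool:
    """Positive (allow-list) validation at the trust boundary."""
    return USERNAME_RE.fullmatch(username) is not None


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    """Validation first, then a parameterized query: defense in depth."""
    if not validate_username(username):
        raise ValueError("username does not match the allowed format")
    return lookup_parameterized(conn, username)


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"  # classic tautology injection
    print("vulnerable:", lookup_vulnerable(db, payload))        # every row leaks
    print("parameterized:", lookup_parameterized(db, payload))  # []
    print("hardened:", lookup_hardened(db, "bob"))
```

The parameterized query alone stops the injection; the allow-list additionally rejects malformed input before it reaches any backend, which also limits what a second-order bug (for example a later string-built query) can be fed.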
• API security encompasses the strategies, tools and best practices that
prevent unauthorized parties from abusing an API, ensure the integrity of
the data exchanged and protect sensitive information.
• An application firewall is a security tool that protects applications
from various cyber threats by monitoring and controlling incoming and
outgoing application traffic.
• Regular security testing is a critical component of an effective cloud
security strategy. It involves continuously assessing the security posture of
cloud-based systems, applications and services through various testing
methods. The goal is to identify vulnerabilities, weaknesses or potential
points of failure before attackers can exploit them.
• Data security and Storage
• Cloud data security is the practice of protecting data and other digital
information assets from security threats, human error, and insider threats.
• It leverages technology, policies, and processes to keep your data
confidential and still accessible to those who need it in cloud-based
environments.
• Data privacy, integrity, and accessibility
• Cloud data security best practices follow the same guiding principles of
information security and data governance:
• Data confidentiality: Data can only be accessed or modified by
authorized people or processes. In other words, you need to ensure your
organization’s data is kept private.
• Data integrity: Data is trustworthy—in other words, it is accurate,
authentic, and reliable. The key here is to implement policies or measures
that prevent your data from being tampered with or deleted.
• Data availability: While you want to stop unauthorized access, data still needs
to be available and accessible to authorized people and processes when it’s
needed. You’ll need to ensure continuous uptime and keep systems, networks,
and devices running smoothly.

• What are the challenges of cloud data security?
As more data and applications move out of the central data center and away
from traditional security mechanisms and infrastructure, the risk of exposure
grows.
• Lack of visibility: Companies don't know where all their data and applications live and
what assets are in their inventory.
• Less control: Since data and apps are hosted on third-party infrastructure, companies have
less control over how data is accessed and shared.
• Confusion over shared responsibility: Companies and cloud providers share cloud
security responsibilities, which can lead to gaps in coverage if duties and tasks are not
well understood or defined.
• Inconsistent coverage: Many businesses are finding that multicloud and hybrid
cloud better suit their needs, but different providers offer varying levels of
coverage and capabilities, which can result in inconsistent protection.
• Growing cybersecurity threats: Cloud databases and cloud data storage make
ideal targets for criminals looking for a big payday, especially while
companies are still learning how to handle and manage data in the cloud.
• Strict compliance requirements: Organizations are under pressure to
comply with stringent data protection and privacy regulations, which
require enforcing security policies across multiple environments and
demonstrating strong data governance.
• Distributed data storage: Storing data on servers in several countries can
deliver lower latency and more flexibility, but it can also raise data
sovereignty issues that would not arise if you were operating in your own
data center.
Data in cloud computing involves several key aspects that ensure security, accessibility, and efficiency.
Here are the main aspects:

• Scalability
• Accessibility
• Cost Efficiency
• Data Security
• Data Backup and Recovery
• Compliance
• Multi-Tenancy
• Data Integration
• Performance
• Vendor Lock-In
• Scalability: Scalability refers to the ability of a cloud system to handle increasing
workloads by adding resources (scaling up) or distributing workloads across multiple
resources (scaling out) as demand grows.
• Accessibility: Accessibility in the context of cloud computing means ensuring that
cloud resources and services are available to users wherever they are located, and can
be accessed across different devices or platforms.
• Cost Efficiency: Cost efficiency refers to the ability to optimize expenses by using
only the necessary resources and minimizing waste. In cloud computing, this is often
achieved through flexible pricing models and pay-as-you-go plans.
• Data Security: Data security in cloud computing refers to protecting data from
unauthorized access, loss, or corruption while stored in the cloud or during
transmission.
1.Encryption: Both data at rest (stored) and data in transit (moving over networks)
should be encrypted using robust encryption protocols.
2.Access Control: Role-based access control (RBAC), multi-factor authentication
(MFA), and identity management systems ensure only authorized users can access
sensitive data.
• Data Backup and Recovery :Data backup and recovery in cloud
computing refer to creating copies of data in secure locations and having
plans in place to restore data in case of failure or disaster.
• Automated Backups: Cloud platforms typically offer automated backup
services, where data is backed up periodically, ensuring business
continuity.
• Compliance: Compliance in the cloud refers to adhering to industry-
specific standards and regulatory requirements regarding data handling,
privacy, and security.
• Regulatory Standards: Cloud providers are increasingly compliant with
various international standards, and many offer certifications that
demonstrate their adherence to these standards.
• Multi-Tenancy: Multi-tenancy in cloud computing refers to the ability to
serve multiple customers (tenants) using the same infrastructure, while
ensuring data isolation, security, and privacy between tenants.
• Data Integration: Data integration refers to the process of combining and
harmonizing data from multiple sources into a unified view, enabling
effective analytics and decision-making.
• Performance: Performance refers to the ability of cloud services to deliver
fast, reliable, and consistent response times for users and applications.
• Vendor Lock-In:Vendor lock-in refers to the situation where a customer
becomes dependent on a single cloud provider's tools, services, and
infrastructure, making it difficult to migrate to another provider without
incurring significant cost or effort.
Data security mitigation focuses on strategies and practices
Key Elements of Data Security Mitigation
• Risk Assessment
• Data Classification
• Access Controls
• Data Encryption
• Regular Backups
• Incident Response Plan
• Security Monitoring
• Employee Training
• Risk Assessment: Risk assessment is the process of identifying, evaluating
and prioritizing risks associated with an organization's data and information
systems. It is the foundational step in developing a data security strategy.
• Data Classification: Data classification is the process of categorizing
data based on its sensitivity, value, and importance to the organization. It
helps ensure that different types of data are protected according to their
level of risk.
• Access Controls: Access controls are security mechanisms that restrict
access to sensitive data and systems, ensuring that only authorized
individuals can view or modify the data.
1.Role-Based Access Control (RBAC): Assign access rights based on
roles within the organization. For example, a financial analyst may have
access to financial data, but not HR records.
2.Multi-Factor Authentication (MFA): Require multiple forms of
verification (e.g., password and biometrics or a token) to strengthen
authentication and protect access to systems and data.
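The access-control elements above (RBAC, data classification and MFA step-up) can be combined in one deny-by-default decision function. The Python below is an added example, not from the original deck; the roles, datasets, classification levels and the rule that "restricted" data needs an MFA-verified session are hypothetical.

```python
from dataclasses import dataclass
from typing import Tuple

# Constructed example: roles and the (resource, action) pairs they grant.
ROLE_PERMISSIONS = {
    "financial_analyst": {("financial_reports", "read")},
    "hr_manager": {("hr_records", "read"), ("hr_records", "write")},
    "admin": {
        ("financial_reports", "read"), ("financial_reports", "write"),
        ("hr_records", "read"), ("hr_records", "write"),
    },
}

# Data classification drives the strength of authentication required.
DATA_CLASSIFICATION = {
    "financial_reports": "confidential",
    "hr_records": "restricted",
}
MFA_REQUIRED_FOR = {"restricted"}  # assumed policy: restricted data needs step-up


@dataclass
class Session:
    user: str
    roles: set
    mfa_verified: bool = False


def authorize(session: Session, resource: str, action: str) -> Tuple[bool, str]:
    """Deny by default. Returns (allowed, reason) so every decision can be logged."""
    classification = DATA_CLASSIFICATION.get(resource)
    if classification is None:
        return False, "unknown resource (fail closed)"
    granted = any(
        (resource, action) in ROLE_PERMISSIONS.get(role, set())
        for role in session.roles
    )
    if not granted:
        return False, f"no role of {session.user} grants {action} on {resource}"
    if classification in MFA_REQUIRED_FOR and not session.mfa_verified:
        return False, f"{resource} is {classification}: MFA step-up required"
    return True, "granted by role"


if __name__ == "__main__":
    analyst = Session("ana", {"financial_analyst"})
    hr = Session("hank", {"hr_manager"}, mfa_verified=True)
    for s, res, act in [
        (analyst, "financial_reports", "read"),
        (analyst, "hr_records", "read"),
        (hr, "hr_records", "write"),
    ]:
        print(s.user, act, res, authorize(s, res, act))
```

The reason string matters as much as the boolean: an audit trail that records why access was refused (missing role versus missing MFA) is what lets a security team tell a misconfiguration from an attack.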
• Data Encryption : is the process of converting data into a format that is
unreadable without the appropriate decryption key. Encryption helps
protect data both at rest (when stored) and in transit (when being
transmitted over networks).
• Regular Backups: Data backups are copies of critical data that are stored
separately from the original data, ensuring that data can be recovered in
case of a loss or corruption.
Backup Frequency: Establish a regular backup schedule (daily, weekly,
etc.) to ensure that the latest data is always backed up.
• Incident Response Plan: An Incident Response Plan (IRP) outlines the
steps an organization will take to respond to and manage a data security
incident or breach.
Detection and Reporting: Establish clear procedures for detecting and
reporting security incidents, including methods for employees or systems
to alert security teams about potential breaches.
• Security monitoring involves continuously observing systems and
networks for signs of suspicious activity, vulnerabilities, or breaches.
Intrusion Detection Systems (IDS): Implement systems that monitor
network traffic and detect potential unauthorized access or malicious
activity.
• Employee training is a critical element of data security mitigation, as
human error or negligence is often the root cause of security breaches.
Security Awareness: Train employees on common threats like phishing,
social engineering, and malware, and how to recognize and avoid them.
• Identity and Access management (IAM)
• AWS (Amazon Web Services) IAM lets you maintain fine-grained permissions
for an AWS account and the services Amazon provides. Permissions can be
attached to individual users or to groups of users, and roles let users and
workloads obtain temporary permissions to resources without sharing
long-lived credentials.

• Identity and access management (IAM) is a framework of business processes,
policies and technologies that facilitates the management of electronic or
digital identities. With an IAM framework in place, information technology
(IT) managers can control user access to critical information within their
organizations. AWS IAM is a global service.
• Components of Identity and Access Management (IAM)
• Users
• Roles
• Groups
• Policies
• IAM Identities Classified As
• IAM Users
• IAM Groups
• Root User: The root user is created automatically with the account and
has unrestricted rights. Day-to-day administration should be done from a
separate admin user with narrower permissions; the root user should be
protected with MFA and used only for the few tasks that require it.
• IAM Users: IAM users can sign in to the AWS console and call AWS APIs.
Their permissions are granted by policy and are distinct from those of the
root user, and their sign-in activity can be tracked.
Example of IAM
• Systems used for IAM include single sign-on systems, two-factor
authentication, multifactor authentication and privileged access
management.
• On a fundamental level, IAM encompasses the following components:
• how individuals are identified in a system
• how roles are identified in a system and how they are assigned to
individuals.
• Why is IAM important?
• Businesses leaders and IT departments are under increased regulatory and
organizational pressure to protect access to corporate resources. As a result,
they can no longer rely on manual and error-prone processes to assign and
track user privileges.
• Benefits of IAM
• IAM technologies can be used to initiate, capture, record and manage
user identities and their related access permissions in an automated
manner. An organization gains the following IAM benefits:
• Access privileges are granted according to policy, and all individuals and
services are properly authenticated, authorized and audited.
• Companies that properly manage identities have greater control of user
access, which reduces the risk of internal and external data breaches.
• IAM systems help companies better comply with government regulations
by allowing them to show corporate information is not being misused.
• Types of digital authentication
• With IAM, enterprises can implement a range of digital authentication
methods to prove digital identity and authorize access to corporate
resources.
• Unique passwords.
• Pre-shared key (PSK).
• Biometrics
• Trust Boundaries
• (sometimes third-party providers under IT supervision). Access to the
network, systems and applications is secured via network security controls
including virtual private networks (VPNs), intrusion detection systems
(IDSs), intrusion prevention systems (IPSs) and multifactor
authentication.

• The major challenges faced by IAM in the cloud:
1. Identity provisioning / de-provisioning
2. Maintaining a single ID across multiple platforms and organizations
3. Compliance visibility: who has access to what
4. Security when using a third-party or vendor network
Standards and Protocols in IAM for Cloud Services
• Given below Identity access management standards will help
companies/organizations to build effective and efficient user access
management into practice in the cloud.
• SAML (Security Assertion Markup Language)
• Security Assertion Markup Language, or SAML, is a standardized way to
tell external applications and services that a user is who they say they are.
SAML makes single sign-on (SSO) technology possible by providing a
way to authenticate a user once and then communicate that authentication
to multiple applications. The most current version of SAML is SAML 2.0.

• How does SAML work?
• A typical SSO authentication process involves these three parties:
• Principal (also known as the "subject")
• Identity provider
• Service provider
• Principal/subject: This is almost always a human user who is trying to
access a cloud-hosted application.

• Identity provider: An identity provider (IdP) is a service (cloud-hosted
or on-premises) that stores and confirms user identity, typically through
a login process. Essentially, an IdP's role is to say, "I know this person,
and here is what they are allowed to do." An SSO system may in fact be
separate from the IdP, but in those cases the SSO system essentially acts
as a representative for the IdP, so for all intents and purposes they are
the same in a SAML workflow.

• Service provider: This is the cloud-hosted application or service the user
wants to use. Common examples include cloud email platforms such as
Gmail and Microsoft Office 365, cloud storage services such as Google
Drive and AWS S3, and communications apps such as Slack and Skype.
Ordinarily a user would log in to these services directly, but when SSO is
used, the user logs in to the SSO system instead, and a SAML assertion
from the IdP gives them access instead of a direct login.
• SPML (Service Provisioning Markup Language)
• SPML is an XML-based framework developed by OASIS for exchanging user,
resource and service provisioning information among cooperating
organizations.
• Service Provisioning Markup Language is a standard that can help
organizations automate the provisioning of user identities for cloud
services. Whenever SPML is available, organizations should use it to
provision user accounts and profiles with the cloud service. In practice,
adoption of SPML has been limited, and SCIM (System for Cross-domain
Identity Management) is the provisioning protocol most cloud services
support today.
• SPML allows organizations to securely create, update and delete end-
user accounts for many web services and applications using a single
request from a central point.
• Provisioning, as defined in the standard, is "the automation of all the
steps required to manage (set up, amend and revoke) user or system
access entitlements or data relative to electronically published services."
SPML primarily focuses on user accounts, but can also be relevant for
service or automated account objects.
SPML use case
• XACML (eXtensible Access Control Markup Language)
• XACML is an OASIS standard: a general-purpose, XML-based access control
language for policy management and access decisions.
• It uses an XML schema for the policy language, which describes the
resources to be protected and the access decisions made over those
resources.
• In XACML, access control decisions are expressed as Rules. Each Rule has
an Effect (Permit or Deny) and a set of conditions that decide whether a
given request matches it.
• If a Rule is applicable to a request but its conditions cannot be
evaluated (for example because a required attribute is missing), the
result is Indeterminate. Rules are grouped into Policies, and a PolicySet
contains Policies and possibly other PolicySets. Each of these also
includes a Target, a simple condition that determines whether it should be
evaluated for a given request, and a combining algorithm (such as
deny-overrides) that resolves conflicting results from its children.
• XACML separates access control functionality into several components.
Each operating environment in which access control is used has a Policy
Enforcement Point (PEP), which intercepts the request, asks for an
authorization decision and grants or denies access to the resource. PEPs
refer to an environment-independent, central Policy Decision Point (PDP),
which actually decides whether access is granted.
XACML use case
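To make the Rule / Policy / PolicySet / Target / PEP / PDP structure concrete, here is an added Python model of XACML evaluation (not part of the original deck and not a real XACML engine): rules yield Permit, Deny, NotApplicable or Indeterminate, containers combine them with a simplified deny-overrides algorithm, and a deny-biased PEP only lets a request through on Permit. The financial-data policy, roles and the clearance attribute are hypothetical.

```python
from typing import Callable, Dict, List, Optional

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"

Request = Dict[str, object]
Predicate = Callable[[Request], bool]


class Rule:
    """A Rule has an Effect (Permit/Deny), an optional Target and an optional Condition."""

    def __init__(self, name: str, effect: str, target: Optional[Predicate] = None,
                 condition: Optional[Predicate] = None):
        self.name, self.effect, self.target, self.condition = name, effect, target, condition

    def evaluate(self, request: Request) -> str:
        try:
            if self.target is not None and not self.target(request):
                return NOT_APPLICABLE      # rule does not apply to this request
            if self.condition is not None and not self.condition(request):
                return NOT_APPLICABLE      # applicable, but the condition is false
        except (KeyError, TypeError, ValueError):
            return INDETERMINATE           # condition could not be evaluated (missing attribute)
        return self.effect


class Policy:
    """Policy (of Rules) or PolicySet (of Policies) using deny-overrides.
    Simplified: XACML 3.0 distinguishes Indeterminate{D}, {P} and {DP};
    a single Indeterminate is used here."""

    def __init__(self, name: str, children: List, target: Optional[Predicate] = None):
        self.name, self.children, self.target = name, children, target

    def evaluate(self, request: Request) -> str:
        try:
            if self.target is not None and not self.target(request):
                return NOT_APPLICABLE
        except (KeyError, TypeError, ValueError):
            return INDETERMINATE
        results = [child.evaluate(request) for child in self.children]
        if DENY in results:
            return DENY
        if INDETERMINATE in results:
            return INDETERMINATE
        if PERMIT in results:
            return PERMIT
        return NOT_APPLICABLE


def pep_enforce(pdp: Policy, request: Request) -> bool:
    """Deny-biased PEP: anything other than an explicit Permit is refused."""
    return pdp.evaluate(request) == PERMIT


# Constructed example policy for a hypothetical "financial" resource type.
FINANCIAL_POLICY = Policy(
    "financial-data",
    target=lambda r: r["resource"]["type"] == "financial",
    children=[
        Rule("analysts-and-admins-may-read", PERMIT,
             condition=lambda r: r["action"] == "read"
             and r["subject"]["role"] in {"analyst", "admin"}),
        Rule("admins-may-write", PERMIT,
             condition=lambda r: r["action"] == "write" and r["subject"]["role"] == "admin"),
        Rule("non-admins-may-not-write", DENY,
             condition=lambda r: r["action"] == "write" and r["subject"]["role"] != "admin"),
        # Needs a "clearance" attribute; without it the rule is Indeterminate.
        Rule("delete-needs-clearance", PERMIT,
             condition=lambda r: r["action"] == "delete" and r["subject"]["clearance"] >= 3),
    ],
)
PDP = Policy("root-policy-set", children=[FINANCIAL_POLICY])


def decide(role: str, resource_type: str, action: str, **extra) -> str:
    """Build a request the way a PEP would and ask the PDP for a decision."""
    request = {"subject": {"role": role, **extra},
               "resource": {"type": resource_type}, "action": action}
    return PDP.evaluate(request)
```

The delete case shows why Indeterminate exists: the PDP cannot say Permit or Deny when the attribute the rule needs is absent, and a PEP that treated "not Deny" as success would open the door on exactly that ambiguity.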
• OAuth (Open Authorization)
• OAuth is an authorization framework that gives an application secure,
delegated access to a user's resources. Combined with OpenID Connect
(OIDC), which adds an identity layer on top of OAuth 2.0, it lets users in
an organization log in through providers such as Microsoft Azure AD, AWS
Cognito, Google and Facebook, and share selected information with
enterprise applications.
• It uses token-based authorization to grant access across enterprise
applications: the user authenticates once with the identity provider and
receives tokens that the applications accept, so one set of credentials
covers multiple applications and services. Note that OAuth itself only
authorizes; an access token proves that a client may act on the user's
behalf, not who the user is, which is why OIDC is layered on top for
login.
• How does OAuth work?
• Entities of the OAuth 2.0 protocol
• Resource Owner: The end user who owns the protected resource and can
grant access to it.
• Client: The application that wants to access the protected resource on
the resource owner's behalf.
• Resource Server: The server hosting the protected resource. It accepts
requests that carry a valid access token and validates the token (locally
or by asking the authorization server) before serving them.
• Authorization Server: The server that authenticates the resource owner,
obtains their consent and issues access tokens to the client.
OAuth
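The OAuth 2.0 authorization code flow with PKCE (RFC 7636), as an added example not taken from the original deck: an in-memory authorization server and a client exchange the messages between the entities listed above, and the checks that stop a stolen code, a replayed code and a forged callback are shown. The client ID, redirect URI, token format and 60-second code lifetime are hypothetical; a real deployment uses HTTPS endpoints, signed or introspectable tokens and persistent storage.

```python
import base64
import hashlib
import secrets
import time


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for the code challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Minimal in-memory authorization server (hypothetical client registration)."""

    def __init__(self):
        self.clients = {"web-app": {"redirect_uri": "https://app.example.com/callback"}}
        self.codes = {}    # authorization code -> grant details
        self.tokens = {}   # access token -> claims

    def authorize(self, client_id, redirect_uri, code_challenge, method, user):
        """Called after the resource owner has authenticated and consented."""
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise PermissionError("unknown client or unregistered redirect_uri")
        if method != "S256":
            raise PermissionError("only the S256 PKCE method is accepted")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "challenge": code_challenge, "user": user,
                            "expires": time.time() + 60}
        return code  # delivered to the client through the browser redirect

    def token(self, client_id, redirect_uri, code, code_verifier):
        grant = self.codes.pop(code, None)  # single use: any second redemption fails
        if grant is None or grant["expires"] < time.time():
            raise PermissionError("authorization code invalid, expired or already used")
        if grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
            raise PermissionError("client_id/redirect_uri do not match the grant")
        expected = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
        if not secrets.compare_digest(expected, grant["challenge"]):
            raise PermissionError("PKCE verification failed: verifier does not match challenge")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {"sub": grant["user"], "scope": "profile"}
        return access_token

    def introspect(self, access_token):
        """What a resource server asks before serving a request with this token."""
        return self.tokens.get(access_token)


class Client:
    def __init__(self, server, client_id="web-app",
                 redirect_uri="https://app.example.com/callback"):
        self.server, self.client_id, self.redirect_uri = server, client_id, redirect_uri
        self.verifier = self.state = None

    def start_login(self):
        """Build the authorization request; verifier and state stay in the session."""
        self.verifier = b64url(secrets.token_bytes(32))   # 43 chars, within RFC 7636 range
        self.state = secrets.token_urlsafe(16)              # ties the callback to this session
        challenge = b64url(hashlib.sha256(self.verifier.encode("ascii")).digest())
        return {"client_id": self.client_id, "redirect_uri": self.redirect_uri,
                "code_challenge": challenge, "code_challenge_method": "S256",
                "state": self.state}

    def handle_callback(self, code, state):
        if self.state is None or not secrets.compare_digest(state, self.state):
            raise PermissionError("state mismatch: callback not tied to our session (CSRF?)")
        return self.server.token(self.client_id, self.redirect_uri, code, self.verifier)


def run_flow(user="alice"):
    """Happy path; returns (server, client, code, access_token)."""
    server = AuthorizationServer()
    client = Client(server)
    req = client.start_login()
    code = server.authorize(req["client_id"], req["redirect_uri"],
                            req["code_challenge"], req["code_challenge_method"], user)
    access_token = client.handle_callback(code, req["state"])
    return server, client, code, access_token
```

Because the code is popped on the first redemption attempt, an attacker who intercepts it and fails PKCE also burns it for the legitimate client; that is the intended behaviour (RFC 6749 recommends revoking on reuse) and surfaces as a failed login the user or SOC can notice.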
• Cloud IAM Best Practices
1) Define the First Line of Defense
2) Centralize Identity Management
3) Enable Single Sign-on
4) Enable Conditional Access
5) Enforce Multi-Factor Authentication
6) Use Role-based Access Control
7) Limit Privileged Accounts
8) Active Identity Monitoring
1) Define the First Line of Defense
• Organizations must treat ‘identity verification at the user level’ as the first
line of defense. Therefore, center your security controls and detections
around user and service identities.
2) Centralize Identity Management
• In a hybrid identity scenario, organizations must integrate their on-premise
and cloud directories. With this integration, the security teams can manage
accounts from one location, irrespective of where the account is created. It
also enables users to access both cloud and on-premise resources with a
common identity.
3) Enable Single Sign-on
• Organizations should enable Single Sign-On (SSO) to apps, services, and
devices from anywhere so that users can use the same set of login
credentials to access the resources located on-premises or in the cloud .
4) Enable Conditional Access
Users access the organization's resources from many devices and
applications and from any location. Conditional access evaluates signals
such as device compliance, location and sign-in risk at the time of access
and grants it only when the security and compliance conditions are met.

5) Enforce Multi-Factor Authentication
Organizations must enforce multi-factor authentication for all their users,
including administrators and other privileged users, whose compromise has
the greatest impact. Organizations that fail to implement extra layers of
identity protection, such as MFA, are more susceptible to credential theft
attacks.

6) Use Role-based Access Control
Access management for cloud resources is essential for any enterprise that
has adopted the cloud. Role-based access control helps manage which users
may access cloud resources, what they can do with those resources, and
which areas they have access to.
7) Limit Privileged Accounts
• Privileged Access Management is imperative for organizations to secure
their critical assets and prevent data breaches.
8) Active Identity Monitoring
Organizations must implement monitoring methods to identify:
• Sign-in attempts from anonymous or untraceable sources
• Sign-in attempts from multiple locations in a short period
• Sign-ins from compromised or infected devices
• Sign-ins from suspicious IP addresses
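As an added example (not from the original deck) of the identity-monitoring rules listed above, the Python below runs three detections over constructed JSON sign-in events: a source IP on a suspicious-IP list, the same user succeeding from two countries within an hour (impossible travel), and a burst of failures from one IP across several accounts (password spraying or brute force). The log lines, IP addresses (from the documentation ranges), user names and thresholds are all constructed for the example.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sign-in events (documentation IP ranges; hypothetical users).
SAMPLE_LOG = """\
{"ts": "2024-05-01T08:00:00Z", "user": "alice", "ip": "192.0.2.10", "country": "IN", "result": "success"}
{"ts": "2024-05-01T08:20:00Z", "user": "alice", "ip": "198.51.100.5", "country": "US", "result": "success"}
{"ts": "2024-05-01T09:00:00Z", "user": "bob", "ip": "203.0.113.77", "country": "DE", "result": "success"}
{"ts": "2024-05-01T09:01:00Z", "user": "carol", "ip": "192.0.2.44", "country": "IN", "result": "failure"}
{"ts": "2024-05-01T09:01:30Z", "user": "carol", "ip": "192.0.2.44", "country": "IN", "result": "failure"}
{"ts": "2024-05-01T09:02:00Z", "user": "dave", "ip": "192.0.2.44", "country": "IN", "result": "failure"}
{"ts": "2024-05-01T09:02:30Z", "user": "carol", "ip": "192.0.2.44", "country": "IN", "result": "failure"}
{"ts": "2024-05-01T09:03:00Z", "user": "erin", "ip": "192.0.2.44", "country": "IN", "result": "failure"}
{"ts": "2024-05-01T12:00:00Z", "user": "alice", "ip": "192.0.2.10", "country": "IN", "result": "success"}
"""

SUSPICIOUS_IPS = {"203.0.113.77"}  # hypothetical threat-intelligence list


def parse_events(text):
    """Parse JSON lines into dicts with aware-free UTC datetimes, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect(events, fail_threshold=5, fail_window=timedelta(minutes=10),
           travel_window=timedelta(hours=1)):
    """Returns a sorted list of (rule, subject) findings."""
    findings = set()
    failures = defaultdict(deque)   # ip -> timestamps of failures inside the window
    last_success = {}               # user -> (ts, country) of the latest success
    for e in events:
        if e["ip"] in SUSPICIOUS_IPS:
            findings.add(("suspicious_ip", f'{e["user"]}@{e["ip"]}'))
        if e["result"] == "failure":
            window = failures[e["ip"]]
            window.append(e["ts"])
            while window and e["ts"] - window[0] > fail_window:
                window.popleft()
            if len(window) >= fail_threshold:
                findings.add(("password_spray_or_brute_force", e["ip"]))
        elif e["result"] == "success":
            prev = last_success.get(e["user"])
            if prev and prev[1] != e["country"] and e["ts"] - prev[0] <= travel_window:
                findings.add(("impossible_travel", e["user"]))
            last_success[e["user"]] = (e["ts"], e["country"])
    return sorted(findings)


def analyze(text=SAMPLE_LOG, **thresholds):
    return detect(parse_events(text), **thresholds)


if __name__ == "__main__":
    for rule, subject in analyze():
        print(f"{rule}: {subject}")
```

The failure counter is keyed by source IP rather than by user on purpose: a spray hits one or two attempts per account across many accounts and never trips a per-user lockout, but it is obvious when the attempts are grouped by origin.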
• Cloud Authorization Management
• Authorization services
• To manage users on a single platform, it is common to use a single
external authorization service. You give that service credentials to an
account that can create temporary roles or manage your accounts on every
other cloud service you use. Users can then be defined on a single
platform, but the identity provider must be trusted not to perform
malicious actions, and if it does, it may be harder to track down where
those actions originated.
• APIs
• Each cloud service has its own set of tools, permissions, logging format
and interface, making security a new challenge for each app. It is important
to note the differences between cloud services, and choose the right one
based on your needs. Ensure that you can always tell who is accessing your
sensitive data, and for what reason, and that each access originated from a
legitimate source.
• Zero Trust
• A zero trust architecture is based on the assumption that no service, server,
role or client in your network can be trusted by default. Always verify access
requests to sensitive data, enforce the use of MFA, monitor changes in
behaviour, and implement a least-privilege model. If you can define how each
user is supposed to behave and what data they can access, you know how to
monitor those users.
• Continuous authorization
• A credential leak can occur anywhere, from a compromised personal
computer to a database server. Therefore, in every step of the way to access
classified information, the user needs to be authorized. If, for example, an
external authorization service is used and that service has a strong account
on a web app, that web app should ensure that the strong account was used
by the service and not by a man-in-the-middle.
