SlideShare a Scribd company logo

Chapter_5_Security_CC.pptx

ā€¢Download as PPTX, PDFā€¢
ā€¢
L
LokNathRegmi1

Cloud computing

Engineering
1 of 55
Cloud Computing Chapter -5 Er. Loknath Regmi Asst. Prof. IOE Pulchowk Campus 1
Chapter 5 Security in Cloud Computing
Cloud Computing Security ā€¢ Cloud computing security is the set of control-based technologies and policies designed to adhere to regulatory compliance rules and protect information, data applications and infrastructure associated with cloud computing use. ā€¢ Cloud computing security processes should address the security controls the cloud provider will incorporate to maintain the customer's data security, privacy and compliance with necessary regulations.
Cloud Computing Security Cloud Security Simplified as: ļ±Access Control ļ±System Protection ļ±Personal Security ļ±Information Integrity ļ±Cloud Security Management ļ±Network Protection ļ±Identity Management
Security Issues in Cloud Computing ļ±There is no doubt that Cloud Computing provides various Advantages but there are also some security issues in cloud computing. ļ±Security Issues in Cloud Computing as follows. ļƒ¼ Data Loss ļƒ¼Interference of Hackers and Insecure APIā€™s ļƒ¼User Account Hijacking ļƒ¼Changing Service Provider(Vender Lockin) ļƒ¼Lack of Skill ļƒ¼Denial of Service (DoS) attack
Cloud Security Challenges ā€¢ Can you trust your data to your service provider? ā€¢ With the cloud model, you lose control over physical security. In a public cloud, you are sharing computing resources with other companies. ā€¢ Exposing your data in an environment shared with other companies could give the government ā€œreasonable causeā€ to seize your assets because another company has violated the law. Simply because you share the environment in the cloud, may put your data at risk of seizure. ā€¢ If information is encrypted while passing through the cloud, who controls the encryption/decryption keys? Is it the customer or the cloud vendor?
Cloud Security Challenges
Data Control Security When the cloud provider goes down ā€¢ This scenario has a number of variants: bankruptcy, deciding to take the business in another direction, or a widespread and extended outage. Whatever is going on, you risk losing access to your production systems due to the actions of another company. You also risk that the organization controlling your data might not protect it in accordance with the service levels to which they may have been previously committed. When a subpoena compels your cloud provider to turn over your data ā€¢ If the subpoena is directed at you, obviously you have to turn over the data to the courts, regardless of what precautions you take, but these legal requirements apply whether your data is in the cloud or on your own internal IT infrastructure. What weā€™re dealing with here is a subpoena aimed at your cloud provider that results from court action that has nothing to do with you. ā€¢ To get at the data, the court will have to come to you and subpoena you. As a result, you will end up with the same level of control you have in your private data center.
Data Control Security When your cloud provider fails to adequately protect their network ā€¢ When you select a cloud provider, you absolutely must understand how they treat physical, network, and host security. Though it may sound counterintuitive, the most secure cloud provider is one in which you never know where the physical server behind your virtual instance is running. ā€¢ Chances are that if you cannot figure it out, a determined hacker who is specifically targeting your organization is going to have a much harder time breaching the physical environment in which your data is hosted. ā€¢ Nothing guarantees that your cloud provider will, in fact, live up to the standards and processes they profess to support.
Data Control Security: Vulnerabilities and threats/Risks 1.Data Breaches/Data Loss 2.Denial of Service Attacks/Malware Injection 3.Hijacking Account 4.Inadequate Change Control and Misconfiguration 5.Insecure Interfaces and Poor APIs implementation 6.Insider Threats 7.Insufficient Credentials and Identity/Compromised accounts 8.Weak control plane/Insufficient Due Diligence 9.Shared Vulnerabilities 10.Nefarious use or Abuse of Cloud Services 11.Lack of cloud security strategy/Regulatory violations 12.Limited cloud usage visibility
Software as a service security The technology analyst and consulting firm Gartner lists seven security issues which one should discuss with a cloud-computing vendor: ā€¢ Privileged user access ā€”inquire about who has specialized access to data, and about the hiring and management of such administrators. ā€¢ Regulatory complianceā€”make sure that the vendor is willing to undergo external audits and/or security certifications. ā€¢ Data locationā€”does the provider allow for any control over the location of data? ā€¢ Data segregation ā€”make sure that encryption is available at all stages, and that these encryption schemes were designed and tested by experienced professionals. ā€¢ Recovery ā€”Find out what will happen to data in the case of a disaster. Do they offer complete restoration? If so, how long would that take? ā€¢ Investigative support ā€”Does the vendor have the ability to investigate any inappropriate or illegal activity? ā€¢ Long-term viability ā€”What will happen to data if the company goes out of business? How will data be returned, and in what format?
Risk Management ā€¢ Effective risk management entails identification of technology assets; identification of data and its links to business processes, applications, and data stores; and assignment of ownership and custodial responsibilities. ā€¢ To minimize risk in cloud ā€¢ Develop a SaaS security strategy and build a SaaS Security reference architecture that reflects that strategy. ā€¢ Balance risk and productivity. ā€¢ Implement SaaS security controls.
Security Monitoring and Incident response Security Monitoring ā€¢ Supervises virtual and physical servers to continuously assess and measure data, application, or infrastructure behaviors for potential security threats. ā€¢ Assures that the cloud infrastructure and platform function optimally while minimizing the risk of costly data breaches.
How Security Monitoring Works ā€¢ Cloud monitoring can be done in the cloud platform itself, on premises using an enterpriseā€™s existing security management tools, or via a third party service provider. ā€¢ Some of the key capabilities of cloud security monitoring software include: ā€¢ Scalability ā€¢ Tools must be able to monitor large volumes of data across many distributed locations ā€¢ Visibility ā€¢ The more visibility into application, user, and file behavior that a cloud monitoring solution provides, the better it can identify potential attacks or compromises ā€¢ Timeliness ā€¢ The best cloud security monitoring solutions will provide constant monitoring, ensuring that new or modified files are scanned in real time 15
How Security Monitoring Works ā€¢ Integration ā€¢ Monitoring tools must integrate with a wide range of cloud storage providers to ensure full monitoring of an organizationā€™s cloud usage ā€¢ Auditing and Reporting ā€¢ Cloud monitoring software should provide auditing and reporting capabilities to manage compliance requirements for cloud security 16
Some Cloud Security Tools 17
Incident Response ā€¢ Incident response is a term used to describe the process by which an organization handles a data breach or cyberattack, including the way the organization attempts to manage the consequences of the attack or breach (the ā€œincidentā€). Ultimately, the goal is to effectively manage the incident so that the damage is limited and both recovery time and costs, as well as collateral damage such as brand reputation, are kept at a minimum. ā€¢ Incident Response (IR) is one of the cornerstones of information security management: even the most diligent planning, implementation, and execution of preventive security controls cannot completely eliminate the possibility of an attack on the Confidentiality, Integrity, or Availability of information assets.
Steps for incident response ā€¢ Preparation - The most important phase of incident response is preparing for an inevitable security breach. Preparation helps organizations determine how well their CIRT will be able to respond to an incident and should involve policy, response plan/strategy, communication, documentation, determining the CIRT members, access control, tools, and training. ā€¢ Identification - Identification is the process through which incidents are detected, ideally promptly to enable rapid response and therefore reduce costs and damages. For this step of effective incident response, IT staff gathers events from log files, monitoring tools, error messages, intrusion detection systems, and firewalls to detect and determine incidents and their scope. ā€¢ Containment - Once an incident is detected or identified, containing it is a top priority. The main purpose of containment is to contain the damage and prevent further damage from occurring (as noted in step number two, the earlier incidents are detected, the sooner they can be contained to minimize damage). Itā€™s important to note that all of SANSā€™ recommended steps within the containment phase should be taken, especially to ā€œprevent the destruction of any evidence that may be needed later for prosecution.ā€ These steps include short-term containment, system back-up, and long-term containment.
Steps for incident response ā€¢ Eradication - Eradication is the phase of effective incident response that entails removing the threat and restoring affected systems to their previous state, ideally while minimizing data loss. Ensuring that the proper steps have been taken to this point, including measures that not only remove the malicious content but also ensure that the affected systems are completely clean, are the main actions associated with eradication. ā€¢ Recovery - Testing, monitoring, and validating systems while putting them back into production in order to verify that they are not re-infected or compromised are the main tasks associated with this step of incident response. This phase also includes decision making in terms of the time and date to restore operations, testing and verifying the compromised systems, monitoring for abnormal behaviour's, and using tools for testing, monitoring, and validating system behaviour. ā€¢ Lessons Learned - Lessons learned is a critical phase of incident response because it helps to educate and improve future incident response efforts. This is the step that gives organizations the opportunity to update their incident response plans with information that may have been missed during the incident, plus complete documentation to provide information for future incidents. Lessons learned reports give a clear review of the entire incident and may be used during recap meetings, training materials for new CIRT members, or as benchmarks for comparison.
Security Architecture Design ā€¢ A security architecture framework should be established with consideration of processes (enterprise authentication and authorization, access control, confidentiality, integrity, nonrepudiation, security management, etc.), operational procedures, technology specifications, people and organizational management, and security program compliance and reporting. ā€¢ Technology and design methods should be included, as well as the security processes necessary to provide the following services across all technology layers: 1. Authentication 2. Authorization 3. Availability 4. Confidentiality 5. Integrity 6. Accountability 7. Privacy
Security Architecture Design ā€¢ The creation of a secure architecture provides the engineers, data center operations personnel, and network operations personnel a common blueprint to design, build, and test the security of the applications and systems. Design reviews of new changes can be better assessed against this architecture to assure that they conform to the principles described in the architecture, allowing for more consistent and effective design reviews.
SaaS Security Architecture Goals ā€¢ Protection of information. It deals with prevention and detection of unauthorized actions and ensuring confidentiality, integrity of data. ā€¢ Robust tenant data isolation ā€¢ Flexible RBAC ā€“ Prevent unauthorized action ā€¢ Proven Data Security ā€¢ Prevention of Web related top threats as per OWASP ā€¢ Strong Security Audit Logs
Vulnerability Assessment ā€¢ Vulnerability assessment classifies network assets to more efficiently prioritize vulnerability-mitigation programs, such as patching and system upgrading. ā€¢ It measures the effectiveness of risk mitigation by setting goals of reduced vulnerability exposure and faster mitigation. ā€¢ Vulnerability management should be integrated with discovery, patch management, and upgrade management processes to close vulnerabilities before they can be exploited.
Vulnerability Assessment ā€¢ Vulnerability assessment is not Penetration Testing i.e. it does not simulate the external or internal cyber attacks that aims to breach the information security of the organization ā€¢ A vulnerability assessment attempts to ā€¢ identify the exposed vulnerabilities of a specific host, ā€¢ or possibly an entire network
Data Privacy and Security ā€¢ What is Data Privacy? ā€¢ To preserve and protect any personal information, collected by any organization, from being accessed by a third party. ā€¢ Determine what data within a system can be shared with others and which should be restricted. ā€¢ What is Data Security? ā€¢ Data Security refers to protecting data from unauthorized access and data corruption throughout its lifecycle. ā€¢ Data security refers to data encryption, tokenization and key management practices that protect data across all applications and platforms.
Intrusions in Cloud ā€¢ Virtual Machine Attacks: Attackers effectively control the virtual machines by compromising the hypervisor. The most common attacks on virtual layer are SubVir, BLUEPILL, and DKSM which allow hackers to manage host through hypervisor. Attackers easily target the virtual machines to access them by exploiting the zero-day vulnerabilities in virtual machines this may damage the several websites based on virtual server ā€¢ U2R (User to root attacks): The attacker may hack password to access a genuine userā€™s account which enables him to obtain information about a system by exploiting vulnerabilities. This attack violates the integrity of cloud based system. ā€¢ Insider Attacks: The attackers can be authorized users who try to obtain and misuse the rights that are assigned to them or not assigned to them.
Intrusions in Cloud ā€¢ Denial of Service (DoS) attack: In cloud computing, the attackers may send huge number of requests to access virtual machines thus disabling their availability to valid users which is called DoS attack. This attack targets the availability of cloud resources. ā€¢ Port Scanning : Different methods of port scanning are SYN, ACK, TCP, FIN, UDP scanning etc. In cloud computing environment, attackers can determine the open ports using port scanning and attack the services running on the same ports. This attack may loss the confidentiality and integrity on cloud. ā€¢ Backdoor path attacks: Hackers continuously access the infected machines by exploiting passive attack to compromise the confidentiality of user information. Hacker can use backdoor path to get control of infected resource launches DDoS attack. This attack targets the privacy and availability of cloud users.
Network Intrusion Detection ā€¢ Perimeter security often involves network intrusion detection systems (NIDS), such as Snort, which monitor local traffic for anything that looks irregular. Examples of irregular traffic include: ā€¢ Port scans ā€¢ Denial-of-service attacks ā€¢ Known vulnerability exploit attempts ā€¢ You perform network intrusion detection either by routing all traffic through a system that analyzes it or by doing passive monitoring from one box on local traffic on your network.
The purpose of a network intrusion detection system ā€¢ Network intrusion detection exists to alert you of attacks before they happen and, in some cases, foil attacks as ā€¢ NIDS typically alerts you to port scans as evidence of a precursor to a potential future attack. they happen. ā€¢ As with port scans, Amazon network intrusion systems are actively looking for denial-of-service attacks and would likely identify any such attempts long before your own intrusion detection software. ā€¢ One place in which an additional network intrusion detection system is useful is its ability to detect malicious payloads coming into your network.
Implementing network intrusion detection in the cloud ā€¢ cloud that does not expose LAN traffic so cannot implement a network intrusion detection system in cloud directly. ā€¢ Instead, you must run the NIDS on your load balancer or on each server in your infrastructure. ā€¢ The simplest approach is to have a dedicated NIDS server in front of the network as a whole that watches all incoming traffic and acts accordingly. ā€¢ The load balancer approach creates a single point of failure for your network intrusion detection system because, in general, the load balancer is the most exposed component in your infrastructure.
Implementing network intrusion detection in the cloud ā€¢ Alternately implement intrusion detection on a server behind the load balancer that acts as an intermediate point between the load balancer and the rest of the system. This design is generally superior to the previously described design, except that it leaves the load balancer exposed (only traffic passed by the load balancer is examined) and reduces the overall availability of the system. ā€¢ Another approach is to implement network intrusion detection on each server in the network. This approach creates a very slight increase in the attack profile of the system as a whole because you end up with common software on all servers.
Types of intrusion detection in cloud
Types of IDs in cloud ā€¢ Network based IDS (NIDSs) NIDS capture the traffic from network and analyse that traffic to detect possible intrusions like DoS attacks, port scanning, etc. NIDS collects the network packets and find out their relationship with signatures of known attacks or compare the userā€™s current behaviour with already known attacks in real-time. ā€¢ Host based IDS (HIDS) HIDS gather the information from a particular host and analyse it to detect unauthorized events. The information can be system logs of operating system. HIDS analyses the information, if there is any change in the behaviour of system or program; it instantly report to network manager that the system is in danger. HIDS are mainly used to protect the integrity of software.
Types of IDs in cloud ā€¢ Hypervisor based IDS Hypervisor provides a level for interaction among VMs. Hypervisor based IDSs is placed at the hypervisor layer. It helps in analyse the available information for detection of anomalous actions of users. The information is based on communication at multiple levels like communication between VMs, VM and hypervisor, and communication within the hypervisor based virtual network [4]. ā€¢ Distributed IDS (DIDS) A Distributed IDS contains number of IDSs such as NIDS, HIDS which are deployed over the network to analyse the traffic for intrusive detection behaviour. Each of these individual IDSs has its two components: detection component and correlation manager . ā€¢ Detection component examine the systemā€™s behaviour and transmits the collected data in a standard format to the correlation manager. ā€¢ Correlation manager combines data from multiple IDS and generate high level alerts that keep up a correspondence to an attack. Analysis phase makes use of signature based and anomaly based detection techniques so DIDS can detect known as well as unknown attacks.
Disaster Recovery ā€¢ Disaster Recovery deals with catastrophic failures that are extremely unlikely to occur during the lifetime of a system. ā€¢ Although each single disaster is unexpected over the lifetime of a system, the possibility of some disaster occurring over time is reasonably nonzero.
Disaster Recovery Plan Disaster Recovery plan involves two key metrics: ā€¢ Recovery Point Objective (RPO) The recovery point objective identifies how much data you are willing to lose in the event of a disaster. This value is typically specified in a number of hours or days of data. For example, if you determine that it is OK to lose 24 hours of data, you must make sure that the backups youā€™ll use for your disaster recovery plan are never more than 24 hours old. ā€¢ Recovery Time Objective (RTO) The recovery time objective identifies how much downtime is acceptable in the event of a disaster. If your RTO is 24 hours, you are saying that up to 24 hours may elapse between the point when your system first goes offline and the point at which you are fully operational again.
Disaster Recovery Plan ā€¢ Everyone would love a disaster recovery scenario in which no downtime and no loss of data occur, no matter what the disaster. The nature of a disaster, however, generally requires you to accept some level of loss; anything else will come with a significant price tag. ā€¢ the cost of surviving with zero downtime and zero data loss could have been having multiple data centres in different geographic locations that were constantly synchronized. ā€¢ Accomplishing that level of redundancy is expensive. It would also come with a nontrivial performance penalty. ā€¢ Determining an appropriate RPO and RTO is ultimately a financial calculation: at what point does the cost of data loss and downtime exceed the cost of a backup strategy that will prevent that level of data loss and downtime?
Disaster Recovery Plan ā€¢ The easiest place to start is your RPO. ā€¢ Your RPO is typically governed by the way in which you save and back up data: ā€¢ Weekly off-site backups will survive the loss of your data centre with a week of data loss. Daily off-site backups are even better. ā€¢ Daily on-site backups will survive the loss of your production environment with a day of data loss plus replicating transactions during the recovery period after the loss of the system. Hourly on-site backups are even better. ā€¢ A NAS/SAN will survive the loss of any individual server, except for instances of data corruption with no data loss. ā€¢ A clustered database will survive the loss of any individual data storage device or database node with no data loss. ā€¢ A clustered database across multiple data centres will survive the loss of any individual data center with no data loss.
Disasters in the Cloud ā€¢ Assuming unlimited budget and capabilities, three key things in disaster recovery planning to be focused: 1. Backups and data retention 2. Geographic redundancy 3. Organizational redundancy ā€¢ Fortunately, the structure of the Amazon cloud makes it very easy to take care of the first and second items. In addition, cloud computing in general makes the third item much easier.
Backup management
Configuration data backup strategy ā€¢ Create regularā€”at a minimum, dailyā€”snapshots of your configuration data. ā€¢ Create semi-regularā€”at least less than your RPOā€”file system archives in the form of ZIP or TAR files and move those archives into Amazon S3. ā€¢ On a semi-regular basisā€”again, at least less than your RPOā€”copy your file system archives out of the Amazon cloud into another cloud or physical hosting facility.
Persistent data backup strategy (aka database backups) ā€¢ Set up a master with its data files stored on a block storage device. ā€¢ Set up a replication slave, storing its data files on a block storage device. ā€¢ Take regular snapshots of the master block storage device based on my RPO. ā€¢ Create regular database dumps of the slave database and store them in S3. ā€¢ Copy the database dumps on a semi-regular basis from S3 to a location outside the Amazon cloud.
ā€¢ Taking snapshots or creating database dumps for some database engines is actually very tricky in a runtime environment, ā€¢ You need to freeze the database only for an instant to create your snapshot. The process follows these steps: 1. Lock the database. 2. Sync the file system (this procedure is file system-dependent). 3. Take a snapshot. 4. Unlock the database.
Geographic Redundancy ā€¢ If you can develop geographical redundancy, you can survive just about any physical disaster that might happen. With a physical infrastructure, geographical redundancy is expensive. ā€¢ In the cloud, however, it is relatively cheap. ā€¢ No need to have your application running actively in all locations, but you need the ability to bring your application up from the redundant location in a state that meets your Recovery Point Objective within a timeframe that meets your Recovery Time Objective. ā€¢ Amazon provides built-in geographic redundancy in the form of regions and availability zones.
Geographic Redundancy
Organizational Redundancy ā€¢ Physical disasters are a relatively rare thing, but companies go out of business everywhere every dayā€”even big companies like Amazon and Rackspace. Even if a company goes into bankruptcy restructuring, thereā€™s no telling what will happen to the hardware assets that run their cloud infrastructure. Your disaster recovery plan should therefore have contingencies that assume your cloud provider simply disappears from the face of the earth. ā€¢ The best approach to organizational redundancy is to identify another cloud provider and establish a backup environment with that provider in the event your first provider fails.
Disaster Management ā€¢ To complete the disaster recovery scenario, you need to recognize when a disaster has happened and have the tools and processes in place to execute your recovery plan. Monitoring ā€¢ Monitoring your cloud infrastructure is extremely important. You cannot replace a failing server or execute your disaster recovery plan if you donā€™t know that there has been a failure. ā€¢ Monitoring must be independent of your clouds. ā€¢ you should be checking capacity issues such as disk usage, RAM, and CPU. ā€¢ you will need to monitor for failure at three levels: ā€¢ Through the provisioning API (for Amazon, the EC2 web services API) ā€¢ Through your own instance state monitoring tools ā€¢ Through your application health monitoring tools
Disaster Management Load Balancer Recovery ā€¢ One of the reasons companies pay absurd amounts of money for physical load balancers is to greatly reduce the likelihood of load balancer failure. ā€¢ With cloud vendors such as GoGridā€”and in the future, Amazonā€” you can realize the benefits of hardware load balancers withoutincurring the costs. ā€¢ Recovering a load balancer in the cloud, however, is lightning fast. As a result, the downside of a failure in your cloud-based load balancer is minor.
Disaster Management Application Server Recovery ā€¢ If you are operating multiple application servers in multiple availability zones, your system as a whole will survive the failure of any one instanceā€”or even an entire availability zone. You will still need to recover that server so that future failures donā€™t affect your infrastructure. ā€¢ The recovery of a failed application server is only slightly more complex than the recovery of a failed load balancer. Like the failed load balancer, you start up a new instance from the application server machine image. You then pass it configuration information, including where the database is.
Disaster Management Database Recovery ā€¢ Database recovery is the hardest part of disaster recovery in the cloud. Your disaster recovery algorithm has to identify where an uncorrupted copy of the database exists. This process may involve promoting slaves into masters, rearranging your backup management, and reconfiguring application servers. ā€¢ The best solution is a clustered database that can survive the loss of an individual database server without the need to execute a complex recovery procedure. The following process will typically cover all levels of database failure: 1. Launch a replacement instance in the old instanceā€™s availability zone and mount its old volume. 2. If the launch fails but the volume is still running, snapshot the volume and launch a new instance in any zone, and then create a volume in that zone based on the snapshot. 3. If the volume from step 1 or the snapshot from step 2 are corrupt, you need to fall back to the replication slave and promote it to database master. 4. If the database slave is not running or is somehow corrupted, the next step is to launch a replacement volume from the most recent database snapshot. 5. If the snapshot is corrupt, go further back in time until you find a backup that is not corrupt.
Disaster Management Database Recovery ā€¢ Database recovery is the hardest part of disaster recovery in the cloud. Your disaster recovery algorithm has to identify where an uncorrupted copy of the database exists. This process may involve promoting slaves into masters, rearranging your backup management, and reconfiguring application servers. ā€¢ The best solution is a clustered database that can survive the loss of an individual database server without the need to execute a complex recovery procedure. The following process will typically cover all levels of database failure: 1. Launch a replacement instance in the old instanceā€™s availability zone and mount its old volume. 2. If the launch fails but the volume is still running, snapshot the volume and launch a new instance in any zone, and then create a volume in that zone based on the snapshot. 3. If the volume from step 1 or the snapshot from step 2 are corrupt, you need to fall back to the replication slave and promote it to database master. 4. If the database slave is not running or is somehow corrupted, the next step is to launch a replacement volume from the most recent database snapshot. 5. If the snapshot is corrupt, go further back in time until you find a backup that is not corrupt.
Thank You
Related question of chapter four: 1. What do you mean by disaster recovery? What are the differences between recovery point objective and recovery time objective? 2. Explain the disaster recovery planning of Cloud Computing. 3. Explain cloud computing security architecture? How can you design it? 4. Explain the process of implementation of network intrusion detection. 5. What are the challenges of security issues in cloud computing?

Recommended

the_role_of_resilience_data_in_ensuring_cloud_security.pptx
the_role_of_resilience_data_in_ensuring_cloud_security.pptxthe_role_of_resilience_data_in_ensuring_cloud_security.pptx
the_role_of_resilience_data_in_ensuring_cloud_security.pptx
sarah david
Ā 
the_role_of_resilience_data_in_ensuring_cloud_security.pdf
the_role_of_resilience_data_in_ensuring_cloud_security.pdfthe_role_of_resilience_data_in_ensuring_cloud_security.pdf
the_role_of_resilience_data_in_ensuring_cloud_security.pdf
sarah david
Ā 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
Pyingkodi Maran
Ā 
chapitre1-cloud security basics-23 (1).pptx
chapitre1-cloud security basics-23 (1).pptxchapitre1-cloud security basics-23 (1).pptx
chapitre1-cloud security basics-23 (1).pptx
GhofraneFerchichi2
Ā 
Security and Privacy Issues of Cloud Computing; Solutions and Secure Framework
Security and Privacy Issues of Cloud Computing; Solutions and Secure FrameworkSecurity and Privacy Issues of Cloud Computing; Solutions and Secure Framework
Security and Privacy Issues of Cloud Computing; Solutions and Secure Framework
IOSR Journals
Ā 
Cheatsheet for your cloud project
Cheatsheet for your cloud projectCheatsheet for your cloud project
Cheatsheet for your cloud project
Petteri Heino
Ā 
Security Considerations When Using Cloud Infrastructure Services.pdf
Security Considerations When Using Cloud Infrastructure Services.pdfSecurity Considerations When Using Cloud Infrastructure Services.pdf
Security Considerations When Using Cloud Infrastructure Services.pdf
Ciente
Ā 
3433 IBM messaging security why securing your environment is important-feb2...
3433 IBM messaging security why securing your environment is important-feb2...3433 IBM messaging security why securing your environment is important-feb2...
3433 IBM messaging security why securing your environment is important-feb2...
Robert Parker
Ā 

Recommended

the_role_of_resilience_data_in_ensuring_cloud_security.pptx
the_role_of_resilience_data_in_ensuring_cloud_security.pptxthe_role_of_resilience_data_in_ensuring_cloud_security.pptx
the_role_of_resilience_data_in_ensuring_cloud_security.pptx
sarah david
Ā 
the_role_of_resilience_data_in_ensuring_cloud_security.pdf
the_role_of_resilience_data_in_ensuring_cloud_security.pdfthe_role_of_resilience_data_in_ensuring_cloud_security.pdf
the_role_of_resilience_data_in_ensuring_cloud_security.pdf
sarah david
Ā 
Cloud Security
Cloud SecurityCloud Security
Cloud Security
Pyingkodi Maran
Ā 
chapitre1-cloud security basics-23 (1).pptx
chapitre1-cloud security basics-23 (1).pptxchapitre1-cloud security basics-23 (1).pptx
chapitre1-cloud security basics-23 (1).pptx
GhofraneFerchichi2
Ā 
Security and Privacy Issues of Cloud Computing; Solutions and Secure Framework
Security and Privacy Issues of Cloud Computing; Solutions and Secure FrameworkSecurity and Privacy Issues of Cloud Computing; Solutions and Secure Framework
Security and Privacy Issues of Cloud Computing; Solutions and Secure Framework
IOSR Journals
Ā 
Cheatsheet for your cloud project
Cheatsheet for your cloud projectCheatsheet for your cloud project
Cheatsheet for your cloud project
Petteri Heino
Ā 
Security Considerations When Using Cloud Infrastructure Services.pdf
Security Considerations When Using Cloud Infrastructure Services.pdfSecurity Considerations When Using Cloud Infrastructure Services.pdf
Security Considerations When Using Cloud Infrastructure Services.pdf
Ciente
Ā 
3433 IBM messaging security why securing your environment is important-feb2...
3433 IBM messaging security why securing your environment is important-feb2...3433 IBM messaging security why securing your environment is important-feb2...
3433 IBM messaging security why securing your environment is important-feb2...
Robert Parker
Ā 
IBM Messaging Security - Why securing your environment is important : IBM Int...
IBM Messaging Security - Why securing your environment is important : IBM Int...IBM Messaging Security - Why securing your environment is important : IBM Int...
IBM Messaging Security - Why securing your environment is important : IBM Int...
Leif Davidsen
Ā 
Chap 6 cloud security
Chap 6 cloud securityChap 6 cloud security
Chap 6 cloud security
Raj Sarode
Ā 
Cloud Security_ Unit 4
Cloud Security_ Unit 4Cloud Security_ Unit 4
Cloud Security_ Unit 4
Integral university, India
Ā 
Data Security and Compliance in Enterprise Cloud Migration.pdf
Data Security and Compliance in Enterprise Cloud Migration.pdfData Security and Compliance in Enterprise Cloud Migration.pdf
Data Security and Compliance in Enterprise Cloud Migration.pdf
Flentas
Ā 
How to Secure Your Enterprise Network.docx
How to Secure Your Enterprise Network.docxHow to Secure Your Enterprise Network.docx
How to Secure Your Enterprise Network.docx
NeilStark1
Ā 
How to Secure Your Enterprise Network.pdf
How to Secure Your Enterprise Network.pdfHow to Secure Your Enterprise Network.pdf
How to Secure Your Enterprise Network.pdf
NeilStark1
Ā 
How to Secure Your Enterprise Network.docx
How to Secure Your Enterprise Network.docxHow to Secure Your Enterprise Network.docx
How to Secure Your Enterprise Network.docx
NeilStark1
Ā 
Presentation 10.pptx
Presentation 10.pptxPresentation 10.pptx
Presentation 10.pptx
mishogelashvili28
Ā 
CCSK.pptx
CCSK.pptxCCSK.pptx
CCSK.pptx
sukhpreetsingh295239
Ā 
Understanding security operation.pptx
Understanding security operation.pptxUnderstanding security operation.pptx
Understanding security operation.pptx
Piyush Jain
Ā 
SECURING THE CLOUD DATA LAKES
SECURING THE CLOUD DATA LAKESSECURING THE CLOUD DATA LAKES
SECURING THE CLOUD DATA LAKES
Happiest Minds Technologies
Ā 
Security architecture, engineering and operations
Security architecture, engineering and operationsSecurity architecture, engineering and operations
Security architecture, engineering and operations
Piyush Jain
Ā 
Project Quality-SIPOCSelect a process of your choice and creat.docx
Project Quality-SIPOCSelect a process of your choice and creat.docxProject Quality-SIPOCSelect a process of your choice and creat.docx
Project Quality-SIPOCSelect a process of your choice and creat.docx
wkyra78
Ā 
The ultimate guide to cloud computing security-Hire cloud expert
The ultimate guide to cloud computing security-Hire cloud expertThe ultimate guide to cloud computing security-Hire cloud expert
The ultimate guide to cloud computing security-Hire cloud expert
Chapter247 Infotech
Ā 
Top Cloud Infrastructure Practices And Strategies For Maximum Security.pdf
Top Cloud Infrastructure Practices And Strategies For Maximum Security.pdfTop Cloud Infrastructure Practices And Strategies For Maximum Security.pdf
Top Cloud Infrastructure Practices And Strategies For Maximum Security.pdf
Forgeahead Solutions
Ā 
ISO/IEC 27001 & ISO/IEC 27002:2022: What you need to know
ISO/IEC 27001 & ISO/IEC 27002:2022: What you need to knowISO/IEC 27001 & ISO/IEC 27002:2022: What you need to know
ISO/IEC 27001 & ISO/IEC 27002:2022: What you need to know
PECB
Ā 
Security and privacy in cloud computing.pptx
Security and privacy in cloud computing.pptxSecurity and privacy in cloud computing.pptx
Security and privacy in cloud computing.pptx
TRSrinidi
Ā 
crisc_wk_5.pptx
crisc_wk_5.pptxcrisc_wk_5.pptx
crisc_wk_5.pptx
dotco
Ā 
Bil Harmer - Myths of Cloud Security Debunked!
Bil Harmer - Myths of Cloud Security Debunked!Bil Harmer - Myths of Cloud Security Debunked!
Bil Harmer - Myths of Cloud Security Debunked!
centralohioissa
Ā 
Security Issues of Cloud Computing
Security Issues of Cloud ComputingSecurity Issues of Cloud Computing
Security Issues of Cloud Computing
Falgun Rathod
Ā 
Employee leave management system project.
Employee leave management system project.Employee leave management system project.
Employee leave management system project.
Kamal Acharya
Ā 
Generative AI or GenAI technology based PPT
Generative AI or GenAI technology based PPTGenerative AI or GenAI technology based PPT
Generative AI or GenAI technology based PPT
bhaskargani46
Ā 

More Related Content

Similar to Chapter_5_Security_CC.pptx

Project Quality-SIPOCSelect a process of your choice and creat.docx
Project Quality-SIPOCSelect a process of your choice and creat.docxProject Quality-SIPOCSelect a process of your choice and creat.docx
Project Quality-SIPOCSelect a process of your choice and creat.docx
wkyra78
Ā 
The ultimate guide to cloud computing security-Hire cloud expert
The ultimate guide to cloud computing security-Hire cloud expertThe ultimate guide to cloud computing security-Hire cloud expert
The ultimate guide to cloud computing security-Hire cloud expert
Chapter247 Infotech
Ā 
ISO/IEC 27001 & ISO/IEC 27002:2022: What you need to know
ISO/IEC 27001 & ISO/IEC 27002:2022: What you need to knowISO/IEC 27001 & ISO/IEC 27002:2022: What you need to know
ISO/IEC 27001 & ISO/IEC 27002:2022: What you need to know
PECB
Ā 
Bil Harmer - Myths of Cloud Security Debunked!
Bil Harmer - Myths of Cloud Security Debunked!Bil Harmer - Myths of Cloud Security Debunked!
Bil Harmer - Myths of Cloud Security Debunked!
centralohioissa
Ā 

Similar to Chapter_5_Security_CC.pptx (20)

IBM Messaging Security - Why securing your environment is important : IBM Int...
IBM Messaging Security - Why securing your environment is important : IBM Int...IBM Messaging Security - Why securing your environment is important : IBM Int...
IBM Messaging Security - Why securing your environment is important : IBM Int...
Ā 
Chap 6 cloud security
Chap 6 cloud securityChap 6 cloud security
Chap 6 cloud security
Ā 
Cloud Security_ Unit 4
Cloud Security_ Unit 4Cloud Security_ Unit 4
Cloud Security_ Unit 4
Ā 
Data Security and Compliance in Enterprise Cloud Migration.pdf
Data Security and Compliance in Enterprise Cloud Migration.pdfData Security and Compliance in Enterprise Cloud Migration.pdf
Data Security and Compliance in Enterprise Cloud Migration.pdf
Ā 
How to Secure Your Enterprise Network.docx
How to Secure Your Enterprise Network.docxHow to Secure Your Enterprise Network.docx
How to Secure Your Enterprise Network.docx
Ā 
How to Secure Your Enterprise Network.pdf
How to Secure Your Enterprise Network.pdfHow to Secure Your Enterprise Network.pdf
How to Secure Your Enterprise Network.pdf
Ā 
How to Secure Your Enterprise Network.docx
How to Secure Your Enterprise Network.docxHow to Secure Your Enterprise Network.docx
How to Secure Your Enterprise Network.docx
Ā 
Presentation 10.pptx
Presentation 10.pptxPresentation 10.pptx
Presentation 10.pptx
Ā 
CCSK.pptx
CCSK.pptxCCSK.pptx
CCSK.pptx
Ā 
Understanding security operation.pptx
Understanding security operation.pptxUnderstanding security operation.pptx
Understanding security operation.pptx
Ā 
SECURING THE CLOUD DATA LAKES
SECURING THE CLOUD DATA LAKESSECURING THE CLOUD DATA LAKES
SECURING THE CLOUD DATA LAKES
Ā 
Security architecture, engineering and operations
Security architecture, engineering and operationsSecurity architecture, engineering and operations
Security architecture, engineering and operations
Ā 
Project Quality-SIPOCSelect a process of your choice and creat.docx
Project Quality-SIPOCSelect a process of your choice and creat.docxProject Quality-SIPOCSelect a process of your choice and creat.docx
Project Quality-SIPOCSelect a process of your choice and creat.docx
Ā 
The ultimate guide to cloud computing security-Hire cloud expert
The ultimate guide to cloud computing security-Hire cloud expertThe ultimate guide to cloud computing security-Hire cloud expert
The ultimate guide to cloud computing security-Hire cloud expert
Ā 
Top Cloud Infrastructure Practices And Strategies For Maximum Security.pdf
Top Cloud Infrastructure Practices And Strategies For Maximum Security.pdfTop Cloud Infrastructure Practices And Strategies For Maximum Security.pdf
Top Cloud Infrastructure Practices And Strategies For Maximum Security.pdf
Ā 
ISO/IEC 27001 & ISO/IEC 27002:2022: What you need to know
ISO/IEC 27001 & ISO/IEC 27002:2022: What you need to knowISO/IEC 27001 & ISO/IEC 27002:2022: What you need to know
ISO/IEC 27001 & ISO/IEC 27002:2022: What you need to know
Ā 
Security and privacy in cloud computing.pptx
Security and privacy in cloud computing.pptxSecurity and privacy in cloud computing.pptx
Security and privacy in cloud computing.pptx
Ā 
crisc_wk_5.pptx
crisc_wk_5.pptxcrisc_wk_5.pptx
crisc_wk_5.pptx
Ā 
Bil Harmer - Myths of Cloud Security Debunked!
Bil Harmer - Myths of Cloud Security Debunked!Bil Harmer - Myths of Cloud Security Debunked!
Bil Harmer - Myths of Cloud Security Debunked!
Ā 
Security Issues of Cloud Computing
Security Issues of Cloud ComputingSecurity Issues of Cloud Computing
Security Issues of Cloud Computing
Ā 

Recently uploaded

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
ssuser89054b
Ā 
BhubaneswaršŸŒ¹Call Girls Bhubaneswar ā¤Komal 9777949614 šŸ’Ÿ Full Trusted CALL GIRL...
BhubaneswaršŸŒ¹Call Girls Bhubaneswar ā¤Komal 9777949614 šŸ’Ÿ Full Trusted CALL GIRL...BhubaneswaršŸŒ¹Call Girls Bhubaneswar ā¤Komal 9777949614 šŸ’Ÿ Full Trusted CALL GIRL...
BhubaneswaršŸŒ¹Call Girls Bhubaneswar ā¤Komal 9777949614 šŸ’Ÿ Full Trusted CALL GIRL...
Call Girls Mumbai
Ā 
Kuwait City MTP kit ((+919101817206)) Buy Abortion Pills Kuwait
Kuwait City MTP kit ((+919101817206)) Buy Abortion Pills KuwaitKuwait City MTP kit ((+919101817206)) Buy Abortion Pills Kuwait
Kuwait City MTP kit ((+919101817206)) Buy Abortion Pills Kuwait
jaanualu31
Ā 
Call Girls in South Ex (delhi) call me [šŸ”9953056974šŸ”] escort service 24X7
Call Girls in South Ex (delhi) call me [šŸ”9953056974šŸ”] escort service 24X7Call Girls in South Ex (delhi) call me [šŸ”9953056974šŸ”] escort service 24X7
Call Girls in South Ex (delhi) call me [šŸ”9953056974šŸ”] escort service 24X7
9953056974 Low Rate Call Girls In Saket, Delhi NCR
Ā 
"Lesotho Leaps Forward: A Chronicle of Transformative Developments"
"Lesotho Leaps Forward: A Chronicle of Transformative Developments""Lesotho Leaps Forward: A Chronicle of Transformative Developments"
"Lesotho Leaps Forward: A Chronicle of Transformative Developments"
mphochane1998
Ā 
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
Arindam Chakraborty, Ph.D., P.E. (CA, TX)
Ā 
School management system project Report.pdf
School management system project Report.pdfSchool management system project Report.pdf
School management system project Report.pdf
Kamal Acharya
Ā 

Recently uploaded (20)

Employee leave management system project.
Employee leave management system project.Employee leave management system project.
Employee leave management system project.
Ā 
Generative AI or GenAI technology based PPT
Generative AI or GenAI technology based PPTGenerative AI or GenAI technology based PPT
Generative AI or GenAI technology based PPT
Ā 
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Ā 
S1S2 B.Arch MGU - HOA1&2 Module 3 -Temple Architecture of Kerala.pptx
S1S2 B.Arch MGU - HOA1&2 Module 3 -Temple Architecture of Kerala.pptxS1S2 B.Arch MGU - HOA1&2 Module 3 -Temple Architecture of Kerala.pptx
S1S2 B.Arch MGU - HOA1&2 Module 3 -Temple Architecture of Kerala.pptx
Ā 
2016EF22_0 solar project report rooftop projects
2016EF22_0 solar project report rooftop projects2016EF22_0 solar project report rooftop projects
2016EF22_0 solar project report rooftop projects
Ā 
Online electricity billing project report..pdf
Online electricity billing project report..pdfOnline electricity billing project report..pdf
Online electricity billing project report..pdf
Ā 
BhubaneswaršŸŒ¹Call Girls Bhubaneswar ā¤Komal 9777949614 šŸ’Ÿ Full Trusted CALL GIRL...
BhubaneswaršŸŒ¹Call Girls Bhubaneswar ā¤Komal 9777949614 šŸ’Ÿ Full Trusted CALL GIRL...BhubaneswaršŸŒ¹Call Girls Bhubaneswar ā¤Komal 9777949614 šŸ’Ÿ Full Trusted CALL GIRL...
BhubaneswaršŸŒ¹Call Girls Bhubaneswar ā¤Komal 9777949614 šŸ’Ÿ Full Trusted CALL GIRL...
Ā 
Design For Accessibility: Getting it right from the start
Design For Accessibility: Getting it right from the startDesign For Accessibility: Getting it right from the start
Design For Accessibility: Getting it right from the start
Ā 
Hazard Identification (HAZID) vs. Hazard and Operability (HAZOP): A Comparati...
Hazard Identification (HAZID) vs. Hazard and Operability (HAZOP): A Comparati...Hazard Identification (HAZID) vs. Hazard and Operability (HAZOP): A Comparati...
Hazard Identification (HAZID) vs. Hazard and Operability (HAZOP): A Comparati...
Ā 
DC MACHINE-Motoring and generation, Armature circuit equation
DC MACHINE-Motoring and generation, Armature circuit equationDC MACHINE-Motoring and generation, Armature circuit equation
DC MACHINE-Motoring and generation, Armature circuit equation
Ā 
Unleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leapUnleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leap
Ā 
AIRCANVAS[1].pdf mini project for btech students
AIRCANVAS[1].pdf mini project for btech studentsAIRCANVAS[1].pdf mini project for btech students
AIRCANVAS[1].pdf mini project for btech students
Ā 
FEA Based Level 3 Assessment of Deformed Tanks with Fluid Induced Loads
FEA Based Level 3 Assessment of Deformed Tanks with Fluid Induced LoadsFEA Based Level 3 Assessment of Deformed Tanks with Fluid Induced Loads
FEA Based Level 3 Assessment of Deformed Tanks with Fluid Induced Loads
Ā 
Kuwait City MTP kit ((+919101817206)) Buy Abortion Pills Kuwait
Kuwait City MTP kit ((+919101817206)) Buy Abortion Pills KuwaitKuwait City MTP kit ((+919101817206)) Buy Abortion Pills Kuwait
Kuwait City MTP kit ((+919101817206)) Buy Abortion Pills Kuwait
Ā 
COST-EFFETIVE and Energy Efficient BUILDINGS ptx
COST-EFFETIVE and Energy Efficient BUILDINGS ptxCOST-EFFETIVE and Energy Efficient BUILDINGS ptx
COST-EFFETIVE and Energy Efficient BUILDINGS ptx
Ā 
Call Girls in South Ex (delhi) call me [šŸ”9953056974šŸ”] escort service 24X7
Call Girls in South Ex (delhi) call me [šŸ”9953056974šŸ”] escort service 24X7Call Girls in South Ex (delhi) call me [šŸ”9953056974šŸ”] escort service 24X7
Call Girls in South Ex (delhi) call me [šŸ”9953056974šŸ”] escort service 24X7
Ā 
Computer Networks Basics of Network Devices
Computer Networks Basics of Network DevicesComputer Networks Basics of Network Devices
Computer Networks Basics of Network Devices
Ā 
"Lesotho Leaps Forward: A Chronicle of Transformative Developments"
"Lesotho Leaps Forward: A Chronicle of Transformative Developments""Lesotho Leaps Forward: A Chronicle of Transformative Developments"
"Lesotho Leaps Forward: A Chronicle of Transformative Developments"
Ā 
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
Navigating Complexity: The Role of Trusted Partners and VIAS3D in Dassault Sy...
Ā 
School management system project Report.pdf
School management system project Report.pdfSchool management system project Report.pdf
School management system project Report.pdf
Ā 

Chapter_5_Security_CC.pptx

  • 1. Cloud Computing Chapter -5 Er. Loknath Regmi Asst. Prof. IOE Pulchowk Campus 1
  • 2. Chapter 5 Security in Cloud Computing
  • 3.
  • 4. Cloud Computing Security ā€¢ Cloud computing security is the set of control-based technologies and policies designed to adhere to regulatory compliance rules and protect information, data applications and infrastructure associated with cloud computing use. ā€¢ Cloud computing security processes should address the security controls the cloud provider will incorporate to maintain the customer's data security, privacy and compliance with necessary regulations.
  • 5. Cloud Computing Security Cloud Security Simplified as: ļ±Access Control ļ±System Protection ļ±Personal Security ļ±Information Integrity ļ±Cloud Security Management ļ±Network Protection ļ±Identity Management
  • 6. Security Issues in Cloud Computing ļ±There is no doubt that Cloud Computing provides various Advantages but there are also some security issues in cloud computing. ļ±Security Issues in Cloud Computing as follows. ļƒ¼ Data Loss ļƒ¼Interference of Hackers and Insecure APIā€™s ļƒ¼User Account Hijacking ļƒ¼Changing Service Provider(Vender Lockin) ļƒ¼Lack of Skill ļƒ¼Denial of Service (DoS) attack
  • 7. Cloud Security Challenges ā€¢ Can you trust your data to your service provider? ā€¢ With the cloud model, you lose control over physical security. In a public cloud, you are sharing computing resources with other companies. ā€¢ Exposing your data in an environment shared with other companies could give the government ā€œreasonable causeā€ to seize your assets because another company has violated the law. Simply because you share the environment in the cloud, may put your data at risk of seizure. ā€¢ If information is encrypted while passing through the cloud, who controls the encryption/decryption keys? Is it the customer or the cloud vendor?
  • 9. Data Control Security When the cloud provider goes down ā€¢ This scenario has a number of variants: bankruptcy, deciding to take the business in another direction, or a widespread and extended outage. Whatever is going on, you risk losing access to your production systems due to the actions of another company. You also risk that the organization controlling your data might not protect it in accordance with the service levels to which they may have been previously committed. When a subpoena compels your cloud provider to turn over your data ā€¢ If the subpoena is directed at you, obviously you have to turn over the data to the courts, regardless of what precautions you take, but these legal requirements apply whether your data is in the cloud or on your own internal IT infrastructure. What weā€™re dealing with here is a subpoena aimed at your cloud provider that results from court action that has nothing to do with you. ā€¢ To get at the data, the court will have to come to you and subpoena you. As a result, you will end up with the same level of control you have in your private data center.
  • 10. Data Control Security When your cloud provider fails to adequately protect their network ā€¢ When you select a cloud provider, you absolutely must understand how they treat physical, network, and host security. Though it may sound counterintuitive, the most secure cloud provider is one in which you never know where the physical server behind your virtual instance is running. ā€¢ Chances are that if you cannot figure it out, a determined hacker who is specifically targeting your organization is going to have a much harder time breaching the physical environment in which your data is hosted. ā€¢ Nothing guarantees that your cloud provider will, in fact, live up to the standards and processes they profess to support.
  • 11. Data Control Security: Vulnerabilities and threats/Risks 1.Data Breaches/Data Loss 2.Denial of Service Attacks/Malware Injection 3.Hijacking Account 4.Inadequate Change Control and Misconfiguration 5.Insecure Interfaces and Poor APIs implementation 6.Insider Threats 7.Insufficient Credentials and Identity/Compromised accounts 8.Weak control plane/Insufficient Due Diligence 9.Shared Vulnerabilities 10.Nefarious use or Abuse of Cloud Services 11.Lack of cloud security strategy/Regulatory violations 12.Limited cloud usage visibility
  • 12. Software as a service security The technology analyst and consulting firm Gartner lists seven security issues which one should discuss with a cloud-computing vendor: ā€¢ Privileged user access ā€”inquire about who has specialized access to data, and about the hiring and management of such administrators. ā€¢ Regulatory complianceā€”make sure that the vendor is willing to undergo external audits and/or security certifications. ā€¢ Data locationā€”does the provider allow for any control over the location of data? ā€¢ Data segregation ā€”make sure that encryption is available at all stages, and that these encryption schemes were designed and tested by experienced professionals. ā€¢ Recovery ā€”Find out what will happen to data in the case of a disaster. Do they offer complete restoration? If so, how long would that take? ā€¢ Investigative support ā€”Does the vendor have the ability to investigate any inappropriate or illegal activity? ā€¢ Long-term viability ā€”What will happen to data if the company goes out of business? How will data be returned, and in what format?
  • 13. Risk Management ā€¢ Effective risk management entails identification of technology assets; identification of data and its links to business processes, applications, and data stores; and assignment of ownership and custodial responsibilities. ā€¢ To minimize risk in cloud ā€¢ Develop a SaaS security strategy and build a SaaS Security reference architecture that reflects that strategy. ā€¢ Balance risk and productivity. ā€¢ Implement SaaS security controls.
  • 14. Security Monitoring and Incident response Security Monitoring ā€¢ Supervises virtual and physical servers to continuously assess and measure data, application, or infrastructure behaviors for potential security threats. ā€¢ Assures that the cloud infrastructure and platform function optimally while minimizing the risk of costly data breaches.
  • 15. How Security Monitoring Works ā€¢ Cloud monitoring can be done in the cloud platform itself, on premises using an enterpriseā€™s existing security management tools, or via a third party service provider. ā€¢ Some of the key capabilities of cloud security monitoring software include: ā€¢ Scalability ā€¢ Tools must be able to monitor large volumes of data across many distributed locations ā€¢ Visibility ā€¢ The more visibility into application, user, and file behavior that a cloud monitoring solution provides, the better it can identify potential attacks or compromises ā€¢ Timeliness ā€¢ The best cloud security monitoring solutions will provide constant monitoring, ensuring that new or modified files are scanned in real time 15
  • 16. How Security Monitoring Works ā€¢ Integration ā€¢ Monitoring tools must integrate with a wide range of cloud storage providers to ensure full monitoring of an organizationā€™s cloud usage ā€¢ Auditing and Reporting ā€¢ Cloud monitoring software should provide auditing and reporting capabilities to manage compliance requirements for cloud security 16
  • 18. Incident Response ā€¢ Incident response is a term used to describe the process by which an organization handles a data breach or cyberattack, including the way the organization attempts to manage the consequences of the attack or breach (the ā€œincidentā€). Ultimately, the goal is to effectively manage the incident so that the damage is limited and both recovery time and costs, as well as collateral damage such as brand reputation, are kept at a minimum. ā€¢ Incident Response (IR) is one of the cornerstones of information security management: even the most diligent planning, implementation, and execution of preventive security controls cannot completely eliminate the possibility of an attack on the Confidentiality, Integrity, or Availability of information assets.
  • 19. Steps for incident response ā€¢ Preparation - The most important phase of incident response is preparing for an inevitable security breach. Preparation helps organizations determine how well their CIRT will be able to respond to an incident and should involve policy, response plan/strategy, communication, documentation, determining the CIRT members, access control, tools, and training. ā€¢ Identification - Identification is the process through which incidents are detected, ideally promptly to enable rapid response and therefore reduce costs and damages. For this step of effective incident response, IT staff gathers events from log files, monitoring tools, error messages, intrusion detection systems, and firewalls to detect and determine incidents and their scope. ā€¢ Containment - Once an incident is detected or identified, containing it is a top priority. The main purpose of containment is to contain the damage and prevent further damage from occurring (as noted in step number two, the earlier incidents are detected, the sooner they can be contained to minimize damage). Itā€™s important to note that all of SANSā€™ recommended steps within the containment phase should be taken, especially to ā€œprevent the destruction of any evidence that may be needed later for prosecution.ā€ These steps include short-term containment, system back-up, and long-term containment.
  • 20. Steps for incident response ā€¢ Eradication - Eradication is the phase of effective incident response that entails removing the threat and restoring affected systems to their previous state, ideally while minimizing data loss. Ensuring that the proper steps have been taken to this point, including measures that not only remove the malicious content but also ensure that the affected systems are completely clean, are the main actions associated with eradication. ā€¢ Recovery - Testing, monitoring, and validating systems while putting them back into production in order to verify that they are not re-infected or compromised are the main tasks associated with this step of incident response. This phase also includes decision making in terms of the time and date to restore operations, testing and verifying the compromised systems, monitoring for abnormal behaviour's, and using tools for testing, monitoring, and validating system behaviour. ā€¢ Lessons Learned - Lessons learned is a critical phase of incident response because it helps to educate and improve future incident response efforts. This is the step that gives organizations the opportunity to update their incident response plans with information that may have been missed during the incident, plus complete documentation to provide information for future incidents. Lessons learned reports give a clear review of the entire incident and may be used during recap meetings, training materials for new CIRT members, or as benchmarks for comparison.
  • 21. Security Architecture Design ā€¢ A security architecture framework should be established with consideration of processes (enterprise authentication and authorization, access control, confidentiality, integrity, nonrepudiation, security management, etc.), operational procedures, technology specifications, people and organizational management, and security program compliance and reporting. ā€¢ Technology and design methods should be included, as well as the security processes necessary to provide the following services across all technology layers: 1. Authentication 2. Authorization 3. Availability 4. Confidentiality 5. Integrity 6. Accountability 7. Privacy
  • 22. Security Architecture Design ā€¢ The creation of a secure architecture provides the engineers, data center operations personnel, and network operations personnel a common blueprint to design, build, and test the security of the applications and systems. Design reviews of new changes can be better assessed against this architecture to assure that they conform to the principles described in the architecture, allowing for more consistent and effective design reviews.
  • 23. SaaS Security Architecture Goals ā€¢ Protection of information. It deals with prevention and detection of unauthorized actions and ensuring confidentiality, integrity of data. ā€¢ Robust tenant data isolation ā€¢ Flexible RBAC ā€“ Prevent unauthorized action ā€¢ Proven Data Security ā€¢ Prevention of Web related top threats as per OWASP ā€¢ Strong Security Audit Logs
  • 24. Vulnerability Assessment ā€¢ Vulnerability assessment classifies network assets to more efficiently prioritize vulnerability-mitigation programs, such as patching and system upgrading. ā€¢ It measures the effectiveness of risk mitigation by setting goals of reduced vulnerability exposure and faster mitigation. ā€¢ Vulnerability management should be integrated with discovery, patch management, and upgrade management processes to close vulnerabilities before they can be exploited.
  • 25. Vulnerability Assessment ā€¢ Vulnerability assessment is not Penetration Testing i.e. it does not simulate the external or internal cyber attacks that aims to breach the information security of the organization ā€¢ A vulnerability assessment attempts to ā€¢ identify the exposed vulnerabilities of a specific host, ā€¢ or possibly an entire network
  • 26. Data Privacy and Security ā€¢ What is Data Privacy? ā€¢ To preserve and protect any personal information, collected by any organization, from being accessed by a third party. ā€¢ Determine what data within a system can be shared with others and which should be restricted. ā€¢ What is Data Security? ā€¢ Data Security refers to protecting data from unauthorized access and data corruption throughout its lifecycle. ā€¢ Data security refers to data encryption, tokenization and key management practices that protect data across all applications and platforms.
  • 27. Intrusions in Cloud ā€¢ Virtual Machine Attacks: Attackers effectively control the virtual machines by compromising the hypervisor. The most common attacks on virtual layer are SubVir, BLUEPILL, and DKSM which allow hackers to manage host through hypervisor. Attackers easily target the virtual machines to access them by exploiting the zero-day vulnerabilities in virtual machines this may damage the several websites based on virtual server ā€¢ U2R (User to root attacks): The attacker may hack password to access a genuine userā€™s account which enables him to obtain information about a system by exploiting vulnerabilities. This attack violates the integrity of cloud based system. ā€¢ Insider Attacks: The attackers can be authorized users who try to obtain and misuse the rights that are assigned to them or not assigned to them.
  • 28. Intrusions in Cloud ā€¢ Denial of Service (DoS) attack: In cloud computing, the attackers may send huge number of requests to access virtual machines thus disabling their availability to valid users which is called DoS attack. This attack targets the availability of cloud resources. ā€¢ Port Scanning : Different methods of port scanning are SYN, ACK, TCP, FIN, UDP scanning etc. In cloud computing environment, attackers can determine the open ports using port scanning and attack the services running on the same ports. This attack may loss the confidentiality and integrity on cloud. ā€¢ Backdoor path attacks: Hackers continuously access the infected machines by exploiting passive attack to compromise the confidentiality of user information. Hacker can use backdoor path to get control of infected resource launches DDoS attack. This attack targets the privacy and availability of cloud users.
  • 29. Network Intrusion Detection ā€¢ Perimeter security often involves network intrusion detection systems (NIDS), such as Snort, which monitor local traffic for anything that looks irregular. Examples of irregular traffic include: ā€¢ Port scans ā€¢ Denial-of-service attacks ā€¢ Known vulnerability exploit attempts ā€¢ You perform network intrusion detection either by routing all traffic through a system that analyzes it or by doing passive monitoring from one box on local traffic on your network.
  • 30. The purpose of a network intrusion detection system ā€¢ Network intrusion detection exists to alert you of attacks before they happen and, in some cases, foil attacks as ā€¢ NIDS typically alerts you to port scans as evidence of a precursor to a potential future attack. they happen. ā€¢ As with port scans, Amazon network intrusion systems are actively looking for denial-of-service attacks and would likely identify any such attempts long before your own intrusion detection software. ā€¢ One place in which an additional network intrusion detection system is useful is its ability to detect malicious payloads coming into your network.
  • 31. Implementing network intrusion detection in the cloud ā€¢ cloud that does not expose LAN traffic so cannot implement a network intrusion detection system in cloud directly. ā€¢ Instead, you must run the NIDS on your load balancer or on each server in your infrastructure. ā€¢ The simplest approach is to have a dedicated NIDS server in front of the network as a whole that watches all incoming traffic and acts accordingly. ā€¢ The load balancer approach creates a single point of failure for your network intrusion detection system because, in general, the load balancer is the most exposed component in your infrastructure.
  • 32.
  • 33. Implementing network intrusion detection in the cloud ā€¢ Alternately implement intrusion detection on a server behind the load balancer that acts as an intermediate point between the load balancer and the rest of the system. This design is generally superior to the previously described design, except that it leaves the load balancer exposed (only traffic passed by the load balancer is examined) and reduces the overall availability of the system. ā€¢ Another approach is to implement network intrusion detection on each server in the network. This approach creates a very slight increase in the attack profile of the system as a whole because you end up with common software on all servers.
  • 34. Types of intrusion detection in cloud
  • 35. Types of IDs in cloud ā€¢ Network based IDS (NIDSs) NIDS capture the traffic from network and analyse that traffic to detect possible intrusions like DoS attacks, port scanning, etc. NIDS collects the network packets and find out their relationship with signatures of known attacks or compare the userā€™s current behaviour with already known attacks in real-time. ā€¢ Host based IDS (HIDS) HIDS gather the information from a particular host and analyse it to detect unauthorized events. The information can be system logs of operating system. HIDS analyses the information, if there is any change in the behaviour of system or program; it instantly report to network manager that the system is in danger. HIDS are mainly used to protect the integrity of software.
  • 36. Types of IDs in cloud ā€¢ Hypervisor based IDS Hypervisor provides a level for interaction among VMs. Hypervisor based IDSs is placed at the hypervisor layer. It helps in analyse the available information for detection of anomalous actions of users. The information is based on communication at multiple levels like communication between VMs, VM and hypervisor, and communication within the hypervisor based virtual network [4]. ā€¢ Distributed IDS (DIDS) A Distributed IDS contains number of IDSs such as NIDS, HIDS which are deployed over the network to analyse the traffic for intrusive detection behaviour. Each of these individual IDSs has its two components: detection component and correlation manager . ā€¢ Detection component examine the systemā€™s behaviour and transmits the collected data in a standard format to the correlation manager. ā€¢ Correlation manager combines data from multiple IDS and generate high level alerts that keep up a correspondence to an attack. Analysis phase makes use of signature based and anomaly based detection techniques so DIDS can detect known as well as unknown attacks.
  • 37. Disaster Recovery ā€¢ Disaster Recovery deals with catastrophic failures that are extremely unlikely to occur during the lifetime of a system. ā€¢ Although each single disaster is unexpected over the lifetime of a system, the possibility of some disaster occurring over time is reasonably nonzero.
  • 38. Disaster Recovery Plan Disaster Recovery plan involves two key metrics: ā€¢ Recovery Point Objective (RPO) The recovery point objective identifies how much data you are willing to lose in the event of a disaster. This value is typically specified in a number of hours or days of data. For example, if you determine that it is OK to lose 24 hours of data, you must make sure that the backups youā€™ll use for your disaster recovery plan are never more than 24 hours old. ā€¢ Recovery Time Objective (RTO) The recovery time objective identifies how much downtime is acceptable in the event of a disaster. If your RTO is 24 hours, you are saying that up to 24 hours may elapse between the point when your system first goes offline and the point at which you are fully operational again.
  • 39. Disaster Recovery Plan ā€¢ Everyone would love a disaster recovery scenario in which no downtime and no loss of data occur, no matter what the disaster. The nature of a disaster, however, generally requires you to accept some level of loss; anything else will come with a significant price tag. ā€¢ the cost of surviving with zero downtime and zero data loss could have been having multiple data centres in different geographic locations that were constantly synchronized. ā€¢ Accomplishing that level of redundancy is expensive. It would also come with a nontrivial performance penalty. ā€¢ Determining an appropriate RPO and RTO is ultimately a financial calculation: at what point does the cost of data loss and downtime exceed the cost of a backup strategy that will prevent that level of data loss and downtime?
  • 40. Disaster Recovery Plan ā€¢ The easiest place to start is your RPO. ā€¢ Your RPO is typically governed by the way in which you save and back up data: ā€¢ Weekly off-site backups will survive the loss of your data centre with a week of data loss. Daily off-site backups are even better. ā€¢ Daily on-site backups will survive the loss of your production environment with a day of data loss plus replicating transactions during the recovery period after the loss of the system. Hourly on-site backups are even better. ā€¢ A NAS/SAN will survive the loss of any individual server, except for instances of data corruption with no data loss. ā€¢ A clustered database will survive the loss of any individual data storage device or database node with no data loss. ā€¢ A clustered database across multiple data centres will survive the loss of any individual data center with no data loss.
  • 41. Disasters in the Cloud ā€¢ Assuming unlimited budget and capabilities, three key things in disaster recovery planning to be focused: 1. Backups and data retention 2. Geographic redundancy 3. Organizational redundancy ā€¢ Fortunately, the structure of the Amazon cloud makes it very easy to take care of the first and second items. In addition, cloud computing in general makes the third item much easier.
  • 43. Configuration data backup strategy ā€¢ Create regularā€”at a minimum, dailyā€”snapshots of your configuration data. ā€¢ Create semi-regularā€”at least less than your RPOā€”file system archives in the form of ZIP or TAR files and move those archives into Amazon S3. ā€¢ On a semi-regular basisā€”again, at least less than your RPOā€”copy your file system archives out of the Amazon cloud into another cloud or physical hosting facility.
  • 44. Persistent data backup strategy (aka database backups) ā€¢ Set up a master with its data files stored on a block storage device. ā€¢ Set up a replication slave, storing its data files on a block storage device. ā€¢ Take regular snapshots of the master block storage device based on my RPO. ā€¢ Create regular database dumps of the slave database and store them in S3. ā€¢ Copy the database dumps on a semi-regular basis from S3 to a location outside the Amazon cloud.
  • 45. ā€¢ Taking snapshots or creating database dumps for some database engines is actually very tricky in a runtime environment, ā€¢ You need to freeze the database only for an instant to create your snapshot. The process follows these steps: 1. Lock the database. 2. Sync the file system (this procedure is file system-dependent). 3. Take a snapshot. 4. Unlock the database.
  • 46. Geographic Redundancy ā€¢ If you can develop geographical redundancy, you can survive just about any physical disaster that might happen. With a physical infrastructure, geographical redundancy is expensive. ā€¢ In the cloud, however, it is relatively cheap. ā€¢ No need to have your application running actively in all locations, but you need the ability to bring your application up from the redundant location in a state that meets your Recovery Point Objective within a timeframe that meets your Recovery Time Objective. ā€¢ Amazon provides built-in geographic redundancy in the form of regions and availability zones.
  • 48. Organizational Redundancy ā€¢ Physical disasters are a relatively rare thing, but companies go out of business everywhere every dayā€”even big companies like Amazon and Rackspace. Even if a company goes into bankruptcy restructuring, thereā€™s no telling what will happen to the hardware assets that run their cloud infrastructure. Your disaster recovery plan should therefore have contingencies that assume your cloud provider simply disappears from the face of the earth. ā€¢ The best approach to organizational redundancy is to identify another cloud provider and establish a backup environment with that provider in the event your first provider fails.
  • 49. Disaster Management ā€¢ To complete the disaster recovery scenario, you need to recognize when a disaster has happened and have the tools and processes in place to execute your recovery plan. Monitoring ā€¢ Monitoring your cloud infrastructure is extremely important. You cannot replace a failing server or execute your disaster recovery plan if you donā€™t know that there has been a failure. ā€¢ Monitoring must be independent of your clouds. ā€¢ you should be checking capacity issues such as disk usage, RAM, and CPU. ā€¢ you will need to monitor for failure at three levels: ā€¢ Through the provisioning API (for Amazon, the EC2 web services API) ā€¢ Through your own instance state monitoring tools ā€¢ Through your application health monitoring tools
  • 50. Disaster Management Load Balancer Recovery ā€¢ One of the reasons companies pay absurd amounts of money for physical load balancers is to greatly reduce the likelihood of load balancer failure. ā€¢ With cloud vendors such as GoGridā€”and in the future, Amazonā€” you can realize the benefits of hardware load balancers withoutincurring the costs. ā€¢ Recovering a load balancer in the cloud, however, is lightning fast. As a result, the downside of a failure in your cloud-based load balancer is minor.
  • 51. Disaster Management Application Server Recovery ā€¢ If you are operating multiple application servers in multiple availability zones, your system as a whole will survive the failure of any one instanceā€”or even an entire availability zone. You will still need to recover that server so that future failures donā€™t affect your infrastructure. ā€¢ The recovery of a failed application server is only slightly more complex than the recovery of a failed load balancer. Like the failed load balancer, you start up a new instance from the application server machine image. You then pass it configuration information, including where the database is.
  • 52. Disaster Management Database Recovery ā€¢ Database recovery is the hardest part of disaster recovery in the cloud. Your disaster recovery algorithm has to identify where an uncorrupted copy of the database exists. This process may involve promoting slaves into masters, rearranging your backup management, and reconfiguring application servers. ā€¢ The best solution is a clustered database that can survive the loss of an individual database server without the need to execute a complex recovery procedure. The following process will typically cover all levels of database failure: 1. Launch a replacement instance in the old instanceā€™s availability zone and mount its old volume. 2. If the launch fails but the volume is still running, snapshot the volume and launch a new instance in any zone, and then create a volume in that zone based on the snapshot. 3. If the volume from step 1 or the snapshot from step 2 are corrupt, you need to fall back to the replication slave and promote it to database master. 4. If the database slave is not running or is somehow corrupted, the next step is to launch a replacement volume from the most recent database snapshot. 5. If the snapshot is corrupt, go further back in time until you find a backup that is not corrupt.
  • 53. Disaster Management Database Recovery ā€¢ Database recovery is the hardest part of disaster recovery in the cloud. Your disaster recovery algorithm has to identify where an uncorrupted copy of the database exists. This process may involve promoting slaves into masters, rearranging your backup management, and reconfiguring application servers. ā€¢ The best solution is a clustered database that can survive the loss of an individual database server without the need to execute a complex recovery procedure. The following process will typically cover all levels of database failure: 1. Launch a replacement instance in the old instanceā€™s availability zone and mount its old volume. 2. If the launch fails but the volume is still running, snapshot the volume and launch a new instance in any zone, and then create a volume in that zone based on the snapshot. 3. If the volume from step 1 or the snapshot from step 2 are corrupt, you need to fall back to the replication slave and promote it to database master. 4. If the database slave is not running or is somehow corrupted, the next step is to launch a replacement volume from the most recent database snapshot. 5. If the snapshot is corrupt, go further back in time until you find a backup that is not corrupt.
  • 55. Related question of chapter four: 1. What do you mean by disaster recovery? What are the differences between recovery point objective and recovery time objective? 2. Explain the disaster recovery planning of Cloud Computing. 3. Explain cloud computing security architecture? How can you design it? 4. Explain the process of implementation of network intrusion detection. 5. What are the challenges of security issues in cloud computing?

Editor's Notes

  1. Subpoena:-a writ ordering a person to attend a court.