Cloud Security
Cloud and Virtualization Security
Date:
Presented By:
Rubal Sagwal
NIT, Kurukshetra
Department of Computer Engineering
Contents
• Virtualization security concerns
• Hypervisor and host/platform Security
• Security communications between
• Guest instances, hosts and guests
• Security challenges and mitigation measures
• Common threats
• Security considerations for PaaS, SaaS and IaaS
models
• Cloud based BCP/DRP
• Functional security requirements
Virtualization
Virtual
Not physically existing as such but made by software
to appear to do so.
Virtualization
Virtualization is the creation of a replica – rather than
an actual – version of something.
Virtualization enables multiple operating systems to
run on the same physical platform.
Virtualization
• A VM is simply an environment, typically an operating
system (OS) or a program, that is created within
another environment.
• Guest – is usually used to refer to the VM.
• Host – we refer to the hosting environment as the host.
• A single host can support multiple guest environments
in a dynamic on-demand manner.
• Guest VMs can execute completely different
instruction sets that are foreign to the underlying
physical hardware, which can be abstracted away by
the host environment.
Using Virtualization to form Clouds
• Virtualization has several key attributes, which also
happen to be key attributes of cloud computing:
• Sharing of Infrastructure
• Scalability and Elasticity
• Redundancy
• Location Independency
• Virtualization technologies are what enable the
forming of most modern cloud computing
architectures.
Using Virtualization to form Clouds
• These key virtualization attributes contribute
immensely to the implementation of clouds.
• Server/ OS/ Application Virtualization for Clouds
• Desktop Virtualization for Clouds
• Storage Virtualization for Clouds
Real world Cloud usage Scenarios Forming Cloud using
Virtualization
• Private:
• Using VMware
• It is very common to use simple virtualization if you have
particular applications that consume server capacity at
different times of day or applications that require the
operating system in which they run to be dedicated but
consume very little overall system resources to operate.
Real world Cloud usage Scenarios Forming Cloud using
Virtualization
• Public:
• One of the most common forms of a public cloud at the
virtualization level would be any company that
purchases a virtual server running on the Amazon EC2
platform (or any other cloud hosting provider).
• Already very scalable and highly resilient, they did this
by building out a Platform-as-a-Service offering called
Amazon Web Services and then basically allowed
subscribers to purchase excess capacity of their private
cloud in the form of a public cloud.
Using Virtualization to form Clouds
• These key virtualization attributes contribute
immensely to the implementation of clouds.
• However, the tradeoff to all of these benefits is the
fact that with more abstraction can come greater
complication.
• Greater complexity both challenges and requires
increased security as the attack surface is
generally wider.
• In general, complex interactions require more
complicated security.
How Virtualization works in Clouds
• Virtualization plays a significant role in cloud technology and
how it works. In the cloud, users share not only the data located
in the cloud, such as an application, but also their
infrastructures, with the help of virtualization.
• Virtualization is used mainly to provide cloud customers with
standard versions of applications. When the latest version of an
application is released, the provider can efficiently make it
available to the cloud and its users, and this is possible only
with virtualization.
• With virtualization, the servers and software that cloud
providers require are maintained by a third party, and the cloud
provider pays them on a monthly or yearly basis.
How Virtualization works in Clouds
• Essentially there is a gap between these two terms,
though cloud technology requires the concept of
virtualization.
• Virtualization is a technology - it can also be treated
as software that can manipulate hardware.
• Whereas cloud computing is a service which is the
result of the manipulation.
• Virtualization is the foundation element of cloud
computing whereas Cloud technology is the delivery
of shared resources as a service-on-demand via the
internet.
• Cloud is essentially made-up from the concept of
virtualization.
Cloud Adoption Challenge
Security issues
Cloud Security
What is Cloud Security
• Is it Keeping your cloud under the bed?
• Or keeping your cloud inside your locker?
• Placing your cloud in sky, to a completely
unreachable place?
• If no, then?
Cloud Security Principles
Cloud Security
• However, security and privacy issues present a
strong barrier for users to adopt Cloud
Computing systems. Traditionally, cloud security has five
goals:
• Availability
• Confidentiality
• Data integrity
• Control
• Audit
Cloud Security
• Availability:
• The goal of availability for Cloud Computing systems
(including applications and its infrastructures) is to
ensure its users can use them at any time, at any place.
• Because of its web-native nature, a Cloud Computing system
enables its users to access the system (e.g., applications,
services) from anywhere.
Cloud Security
• Confidentiality:
• Keeping users’ data secret in the Cloud systems.
• Confidentiality in Cloud systems is a big obstacle for users
considering adoption; as many users said, “My sensitive corporate
data will never be in the Cloud” in the article named “Above
the Cloud”.
• Currently, Cloud Computing system offerings (e.g.,
applications and their infrastructures) are essentially on public
networks, so the applications or systems are exposed to
more attacks compared to those hosted in private
data centers.
• Therefore, keeping all of users’ confidential data secret in the
Cloud is a fundamental requirement, which will consequently
attract even more users.
Cloud Security
• Data Integrity:
• To preserve information integrity (i.e., not lost or
modified by unauthorized users).
• As data is the base for providing Cloud Computing
services, such as Data as a Service, Software as a
Service, Platform as a Service, keeping data integrity is a
fundamental task. Furthermore, a Cloud Computing
system usually provides massive data processing
capability. Here, massive data means many terabytes
(TB) or even petabytes (PB) of data in volume. The
challenges for data integrity associated with data
storage in the Cloud Computing system are as follows.
Cloud Security
• Control:
• Control in the Cloud system means to regulate the use
of the system, including the applications, its
infrastructure and the data.
Cloud Security
• Control:
• When all personal data are stored in the Cloud Computing system
environment, users of Cloud Computing systems may face many
threats to their individual data.
• For example, consider a medical patient who is deciding
whether to participate in a health-care study. First, he or
she may be concerned about careless or malicious usage of his or
her data that results in the exposure of that data, for instance,
by writing it into a world-readable file which may further be
indexed by a search engine. Second, he or she may be concerned
that, even if all computations are done correctly and securely, the
study result itself (e.g., the aggregate health-care statistics
computed as part of the study) may leak sensitive information about
his or her personal medical information.
• Running Cloud Computing systems on such sensitive individual data
raises serious security and privacy concerns.
Cloud Security
• Audit:
• Means to watch what happened in the Cloud system.
• Auditability could be added as an additional layer above the
virtualized operating system (or virtualized application
environment) hosted on the virtual machine to provide
facilities for watching what happened in the system.
• This is much more secure than auditing that is built into the
applications or into the software themselves, since it is able to
watch the entire access duration. For such scenarios, three main
attributes should be audited:
• Events: The state changes and other factors that affected
system availability.
• Logs: Comprehensive information about users’ applications and
their runtime environment.
• Monitoring: Should not be intrusive and must be limited to what
the Cloud provider reasonably needs in order to.
Cloud Security Concerns
Cloud Security Concern
1. Network Availability
2. Cloud Provider Viability
3. Disaster Recovery and Business Continuity
4. Security Incidents
5. Transparency
6. Loss of Physical Control
7. New risk, new vulnerability
Cloud Security Concern
1. Network Availability:
• The value of cloud computing can only be realized when
your network connectivity and bandwidth meet your
minimum needs: The cloud must be available whenever
you need it. If it is not, then the consequences are no
different than a denial-of-service situation.
2. Cloud Provider Viability:
• Since cloud providers are relatively new to the business,
there are questions about provider viability and
commitment. This concern increases when a provider
requires tenants to use proprietary interfaces, thus
leading to tenant lock-in.
Cloud Security Concern
3. Disaster Recovery and Business Continuity:
• Tenants and users require confidence that their
operations and services will continue if the cloud
provider’s production environment is subject to a
disaster.
4. Security Incidents
• Tenants and users need to be appropriately informed
by the provider when an incident occurs. Tenants or
users may require provider support to respond to audit
or assessment findings. Also, a provider may not offer
sufficient support to tenants or users for resolving
investigations.
Cloud Security Concern
5. Transparency:
• When a cloud provider does not expose details of their
internal policy or technology implementation, tenants or
users must trust the cloud provider’s security claims. Even
so, tenants and users require some transparency by
providers as to provider cloud security, privacy, and how
incidents are managed.
6. Loss of Physical Control: Since tenants and users lose
physical control over their data and applications, this results in
a range of concerns:
• Privacy over Data – With public or community clouds, data may not
remain in the same system, raising multiple legal concerns.
• Control over Data – User or organization data may be commingled
(mixed) in various ways with data belonging to others.
Cloud Security Concern
7. New Risks, New Vulnerabilities
• There is some concern that cloud computing brings
new classes of risks and vulnerabilities. Although
we can suggest various hypothetical new risks,
actual exploits will largely be a function of a
provider’s implementation. Although all software,
hardware, and networking equipment are subject
to unearthing of new vulnerabilities, by applying
layered security and well-conceived operational
processes, a cloud may be protected from common
types of attack even if some of its components are
inherently vulnerable.
Cloud Security Concern
• The Cloud Security Alliance (CSA) affectionately
calls its top cloud threats in 2016 the treacherous
twelve, 12 security concerns associated with cloud
technology. These are as follows:
(1) Data loss
(2) Weak identity, credentials, and access management
(3) Insecure APIs
(4) System and application vulnerabilities
(5) Account hacking
(6) Malicious insiders
(7) Advanced persistent threat (APTs)
(8) Permanent data loss
(9) Insufficient due diligence
(10) Abuse and nefarious use of cloud services
(11) DOS attacks
(12) Shared technology or shared dangers
Cloud Security Concern
1. Data Breaches
2. Hijacking of Accounts: Attackers now have the ability to
use your (or your employees’) login information to
remotely access sensitive data stored on the cloud;
additionally, attackers can falsify and manipulate
information through hijacked credentials.
3. Insider Threats: An attack from inside your organization
may seem unlikely, but the insider threat does exist.
Employees can use their authorized access to an
organization’s cloud-based services to misuse or access
information such as customer accounts, financial forms,
and other sensitive information.
4. Denial of Service Attack
Cloud Security Concern
5. Malware Injection: Malware injections are scripts
or code embedded into cloud services that act as
“valid instances” and run as SaaS to cloud servers.
This means that malicious code can be injected into
cloud services and viewed as part of the software or
service that is running within the cloud servers
themselves.
6. Permanent Data Loss: Data on cloud services can
be lost through a malicious attack, natural disaster,
or a data wipe by the service provider.
Virtualization Security Concerns
Virtualization Security concern
• First, by adding each new VM, you are adding an
additional OS—which itself entails security risk. Every
OS should be appropriately patched, maintained, and
monitored as appropriate per its intended use.
• Second, typical network-based intrusion detection
does not work well with virtual servers that are co-
located on the same host.
• When data and applications are moved between
multiple physical servers for load balancing, network
monitoring systems cannot yet assess and reflect
these operations for what they are.
Virtualization Security concern
• Third, the use of virtualization demands the
adoption of different management approaches for
many functions, including configuration
management to VM placement and capacity
management. Likewise, resource allocation
problems can quickly become performance issues;
thus, performance management is critical to run
an effective virtualized environment.
Virtualization Security Concern with Cloud
1. Just as an OS attack is possible, a hacker can take
control of a hypervisor. If the hacker gains control of
the hypervisor, he gains control of everything that it
controls; therefore, he could do a lot of damage.
• If the hypervisor is vulnerable to being exploited, it will
become a primary target. At the scale of a cloud, such a risk
would have broad impact.
2. Another area of concern with virtualization has to do
with the nature of allocating and deallocating resources
such as the local storage associated with VMs.
• If during the deployment and operation of a VM, data is
written to physical media—or to memory—and it is not
cleared before those information resources are reallocated
to the next VM, then there is a potential for information
exposure.
Virtualization Security Concern with Cloud
• 3. Most fully featured hypervisors (for example,
VMware) have virtual switches (and firewalls)
that sit between the server physical interfaces and
the virtual interfaces provided to the VMs. All of
these facilities have to be managed as changes
are made to VM locations and the allowable
communication paths between them.
Virtualization Security Concern with Cloud
• 4. Network monitoring with cloud computing: Current
network defenses are based on physical networks. In
the virtualized environment, the network is no longer
physical; its configuration can actually change
dynamically, which makes network monitoring
difficult.
• 5. Configuration and change management: The simple
act of changing configurations or patching the
software on virtual machines becomes much more
complex if the software is locked away in virtual
images; in the virtual world, you no longer have a
fixed static address to update the configuration.
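
Concern 2 above (storage or memory reallocated to the next VM without being cleared) can be shown with a small model. This is an added example, not part of the original slides; the StoragePool class, tenant names and the secret are constructed for illustration.

```python
class StoragePool:
    """Toy model of host storage handed out to guest VMs in fixed-size blocks."""

    def __init__(self, blocks, block_size, scrub_on_release):
        self._data = [bytearray(block_size) for _ in range(blocks)]
        # Reversed so pop() hands out block 0 first and then reuses the most
        # recently released block (LIFO reuse, the worst case for leaks).
        self._free = list(range(blocks))[::-1]
        self._owner = {}
        self.scrub_on_release = scrub_on_release

    def _check_owner(self, vm, idx):
        if self._owner.get(idx) != vm:
            raise PermissionError(f"{vm} does not own block {idx}")

    def allocate(self, vm):
        if not self._free:
            raise RuntimeError("pool exhausted")
        idx = self._free.pop()
        self._owner[idx] = vm
        return idx

    def write(self, vm, idx, payload):
        self._check_owner(vm, idx)
        if len(payload) > len(self._data[idx]):
            raise ValueError("payload larger than block")
        self._data[idx][:len(payload)] = payload

    def read(self, vm, idx):
        self._check_owner(vm, idx)
        return bytes(self._data[idx])

    def release(self, vm, idx):
        self._check_owner(vm, idx)
        if self.scrub_on_release:
            # Mitigation: overwrite the block before it returns to the pool.
            self._data[idx][:] = bytes(len(self._data[idx]))
        del self._owner[idx]
        self._free.append(idx)

    def dirty_free_blocks(self):
        """Audit check: free blocks that still hold a previous tenant's bytes."""
        return [i for i in sorted(self._free) if any(self._data[i])]


def reuse_demo(scrub):
    """Tenant A writes and releases a block; tenant B is then given a block.

    Returns (same_block_reused, dirty_free_blocks_before_reuse, what_B_reads).
    """
    pool = StoragePool(blocks=4, block_size=32, scrub_on_release=scrub)
    blk_a = pool.allocate("tenant-a")
    pool.write("tenant-a", blk_a, b"db_password=constructed-secret")
    pool.release("tenant-a", blk_a)
    dirty = pool.dirty_free_blocks()
    blk_b = pool.allocate("tenant-b")
    residue = pool.read("tenant-b", blk_b).rstrip(b"\x00")
    return blk_a == blk_b, dirty, residue


if __name__ == "__main__":
    print("no scrub  :", reuse_demo(False))
    print("with scrub:", reuse_demo(True))
```

The same audit idea applies to real pools: a free block that is not all zeros means the clearing step was skipped somewhere.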
Recommendations And
Best Practices For Secure
Virtualization
PaaS – SaaS – IaaS
Virtualization Security
1. Administrator Access and Separation of Duties:
• Provide server admins with on/off rights for their servers
only and no others.
• Separate authentication should be in place for each
guest OS unless there’s a good reason for two or more
guest OS to share credentials.
Virtualization Security
2. Desktop Virtualization and Security: The following are
four effective measures for making sure that
unauthorized and unsecured virtualization doesn’t exist
in the environment:
• Update Acceptable Use Policy
• Limit the Use of VMs to the Users That Need Them: Forbid
the installation of freely downloadable software on corporate
desktops and laptops. Limit permissions to a small group of
developers and testers for virtual tools and VMs, and help
them understand that they still have to conform to corporate
security policies.
• Keep Virtualization and Security Software Up to Date
• Create and Maintain a Library of Secure VM Builds: Maintain
a repository of VM builds containing all of the configuration
settings, security software and patches that users can
download, use and re-use.
Virtualization Security
3. Network Security:
• Disconnect any unused NICs so that there isn’t an easy way to
get onto the network.
• Make sure that the host platform that connects the
hypervisor and guests to the physical network is secure by
setting file permissions, putting things in place to control
users and groups, and setting up logging and time
synchronization.
• Encrypt all traffic between clients and hosts, between
management systems and the hypervisor, and between the
hypervisor and hosts using SSL.
• Secure IP communications between two hosts by using
authentication and encryption on each IP packet.
• Place virtual switches into promiscuous mode for monitoring
purposes and enable MAC address filtering to prevent MAC
spoofing attacks.
Virtualization Security
4. Virtual Machine: VMs shouldn’t be placed on storage,
backup or management networks that are connected to the
hypervisor.
• VMs shouldn’t be able to access or view the resources used by the
kernel or host. These resources include storage networks and
networking responsible for moving VMs.
• Don’t create more VMs than is necessary. Keep track of all of your
running VMs to track potential entry points for attacks. Limit use of
VMs to critical staff only.
• Turn off any unused VMs.
• Unused hardware ports like USB on VMs should be disabled.
• Use IPSec or other forms of encryption between the host and VM.
• Physical devices like CD-ROM and floppy drives can be controlled by
VMs indirectly or directly on the host. Configure this capability on a
per VM basis and disable this connection to hosts by default on all
VMs
Virtualization Security
5. Hypervisor Security: Install vendor supplied patches and
updates to the hypervisor as they’re released. Support this with a
sound patch management process to mitigate the risk of hypervisor
vulnerabilities. Place the latest service packs on guests and hosts
and remove any applications with a history of vulnerabilities.
• Disable any unused virtual hardware that connects to the hypervisor.
• Disable unneeded services like clipboard or file sharing.
• Perform constant monitoring of the hypervisor for any potential signs
of compromise. Monitor and analyze the hypervisor logs on a
consistent basis.
• Do not expose the management interface to the hypervisor to your
LAN.
• Disable all local administration of the hypervisor and require use of a
centralized management application.
• Require multi-factor authentication for any admin functions on the
hypervisor.
Virtualization Security
6. Auditing and Logging: Use centralized logging to
determine whether guests have gone offline. These
guests can get out of sync in regards to patches and
updates. Log any VM power events (such as On, Off,
Suspended or Resumed), changes in hardware
configurations or any login events related to those
with elevated privileges. VMs that are copied, moved
or deleted should also be logged.
• Conduct regular audits of the environment including the
virtual network, storage, the hypervisor, the VMs and
the management systems.
• Send log files securely to a remote log server.
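
The audit items listed above (power events, hardware changes, privileged logins, copied/moved/deleted VMs, and guests that have been offline long enough to fall behind on patches) can be checked over a centralized log as follows. This is an added example, not part of the original slides; the key=value log format, field names, sample lines and the 14-day threshold are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

RUNNING = {"power_on", "resumed"}
STOPPED = {"power_off", "suspended"}
LIFECYCLE = {"copied", "moved", "deleted"}

# Constructed sample of a centralized VM event log (hypothetical format).
SAMPLE_LOG = """\
2024-05-01T08:00:00Z vm=web01 event=power_on user=svc-orch
2024-05-01T08:05:00Z vm=db01 event=power_on user=svc-orch
2024-05-01T09:30:00Z vm=db01 event=login user=root privileged=yes
2024-05-02T11:00:00Z vm=test07 event=power_on user=dev1
2024-05-02T18:00:00Z vm=test07 event=suspended user=dev1
2024-05-10T02:15:00Z vm=db01 event=hw_change user=opsadmin detail=nic_added
2024-05-12T03:00:00Z vm=web01 event=copied user=opsadmin detail=to_datastore2
2024-05-20T07:00:00Z vm=web01 event=power_off user=opsadmin
2024-05-21T07:00:00Z vm=web01 event=power_on user=opsadmin
this line is malformed and must not stop the audit
"""
SAMPLE_NOW = datetime(2024, 5, 25, tzinfo=timezone.utc)  # constructed "current time"


def parse_line(line):
    """Return a dict of fields plus 'ts', or None if the line is not usable."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if "vm" not in fields or "event" not in fields:
        return None
    fields["ts"] = ts.replace(tzinfo=timezone.utc)
    return fields


def audit(log_text, now, max_offline=timedelta(days=14)):
    """Collect the findings the slide asks to be logged and reviewed."""
    findings = {"stale_offline": [], "lifecycle": [], "hw_change": [],
                "priv_login": [], "unparsed": 0}
    last_power = {}  # vm -> (event, timestamp) of the latest power event
    deleted = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            findings["unparsed"] += 1  # count it, so gaps in the log are visible
            continue
        vm, event, user = rec["vm"], rec["event"], rec.get("user", "?")
        if event in RUNNING or event in STOPPED:
            if vm not in last_power or rec["ts"] >= last_power[vm][1]:
                last_power[vm] = (event, rec["ts"])
        elif event in LIFECYCLE:
            findings["lifecycle"].append((vm, event, user))
            if event == "deleted":
                deleted.add(vm)
        elif event == "hw_change":
            findings["hw_change"].append((vm, rec.get("detail", "?"), user))
        elif event == "login" and rec.get("privileged") == "yes":
            findings["priv_login"].append((vm, user))
    # Guests whose last power event left them stopped for longer than the
    # threshold are likely behind on patches and updates.
    for vm, (event, ts) in sorted(last_power.items()):
        if vm not in deleted and event in STOPPED and now - ts > max_offline:
            findings["stale_offline"].append((vm, event, (now - ts).days))
    return findings


def run_sample():
    return audit(SAMPLE_LOG, SAMPLE_NOW)


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(key, value)
```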
Virtualization Security
7. Management System: Secure your
communications between management systems and
the hosts to prevent data loss, eavesdropping and
any chance for man-in-the-middle attacks. Enable
one or more of the available SSH, IPSec and SSL
protocols for this purpose.
Virtualization Security
10. Snapshots and Images: No guest OS images
should have write access.
• Protect VMs by the snapshot capability of the hypervisor
as the snapshot captures the current state of the VM.
The snapshot captures the OS, configuration settings,
data and application state contained in the VM at that
point in time.
Virtualization Security
11. Remote Access: Remote access management
should be limited to a small set of authorized
management system IP addresses.
• Any remote access should ask for a username as well as
a password backed up with a strong password policy. For
strong security environments, use two factor
authentication or one time use passwords.
• Remote communication to any management tools
should be encrypted and authenticated.
Virtualization Security
12. Backup: Encrypt any backup data streams in case
a server image is stolen. Data at rest should have
access control lists to control copying or mounting of
images.
• Network level protections like VLANs and access control
lists should be in place to protect backup data whether
at rest or in transit.
• Do not allow root accounts to be used for backup.
Virtualization Security
13. Disaster Recovery: Maintain your production firewall,
security posture and IPS/IDS at your disaster recovery
(DR) site. If your firewall is disabled at the DR site until a
disaster occurs, or if the rules on the firewall are different
from the main site, audit the firewall regularly.
• Implement proper change control so that your backup site
and main site are kept as identical as possible.
• Any logging and monitoring at the DR site should be treated
as if it is at your primary site.
• Any replications to your backup site should be encrypted.
• Place a copy of your business recovery plan at your offsite
location.
• Rotate your backup media and keep it in offsite storage.
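
A regular firewall audit between the main site and the DR site can be automated as a rule-set comparison. This is an added example, not part of the original slides; the five-field rule format, the addresses and both rule exports are constructed for illustration. Rule order is compared as well, because a first-match firewall behaves differently when the same rules appear in a different order.

```python
# Constructed rule exports: action proto source destination port
PRIMARY_RULES = """\
# main site
allow tcp 10.0.0.0/24 10.0.1.10 443
allow tcp 10.0.5.0/28 10.0.1.20 22
deny  tcp any 10.0.1.20 22
allow udp 10.0.0.0/24 10.0.1.53 53
deny  any any any any
"""

DR_RULES = """\
# DR site
allow tcp 10.0.0.0/24 10.0.1.10 443
deny  tcp any 10.0.1.20 22
allow tcp 10.0.5.0/28 10.0.1.20 22
allow tcp any 10.0.1.30 3389
deny  any any any any
"""


def parse_rules(text):
    """Parse an export into an ordered list of unique 5-field rule tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        rule = tuple(line.lower().split())
        if len(rule) != 5:
            raise ValueError(f"unexpected rule format: {raw!r}")
        if rule not in rules:  # a later duplicate can never match first
            rules.append(rule)
    return rules


def firewall_drift(primary_text, dr_text):
    """Report rules missing at DR, extra at DR, and pairs whose order flipped."""
    primary, dr = parse_rules(primary_text), parse_rules(dr_text)
    missing = [r for r in primary if r not in dr]
    extra = [r for r in dr if r not in primary]
    common = [r for r in primary if r in dr]  # in main-site order
    dr_pos = {r: i for i, r in enumerate(dr)}
    reordered = [(a, b)
                 for i, a in enumerate(common)
                 for b in common[i + 1:]
                 if dr_pos[a] > dr_pos[b]]  # a precedes b at main site only
    return {
        "missing_at_dr": missing,
        "extra_at_dr": extra,
        "reordered": reordered,
        "in_sync": not (missing or extra or reordered),
    }


if __name__ == "__main__":
    report = firewall_drift(PRIMARY_RULES, DR_RULES)
    for key, value in report.items():
        print(key, value)
```

In the constructed DR export the SSH allow rule sits below the SSH deny rule, so it is shadowed there even though both rules exist at both sites.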
Security considerations
for CC Models
PaaS – SaaS – IaaS
Extent of Control over Security in SaaS, PaaS and IaaS
• Cloud-based IaaS does not typically expose actual
hardware or networking layers to the tenant of the
service, rather these underlying resources are
abstracted for the consumer.
• PaaS abstracts infrastructure to a greater extent and
generally presents middleware containers that are
tailored for categories of usage—such as development.
• These containers provide tools to simplify application
development and limit application interactions with the
underlying systems.
• SaaS abstracts even further and generally exposes
narrow-functionality software-based services such as
Customer Relationship Management (CRM) or e-mail.
Extent of Control over Security in SaaS, PaaS and IaaS
• With SaaS, the burden of security lies with the cloud
provider. In part, this is because of the degree of
abstraction, but the SaaS model is based on a high
degree of integrated functionality with minimal
customer control or extensibility.
• By contrast, the PaaS model offers greater extensibility
and greater customer control but fewer higher-level
features.
• Largely because of the relatively lower degree of
abstraction, IaaS offers greater tenant or customer
control over security than do PaaS or SaaS.
Extent of Control over Security in SaaS, PaaS and IaaS
• Clearly, the degree of control that a tenant or
customer has in a public cloud is minimal, whereas
the tenant organization has maximum control with
a private cloud. The degree of control will vary for
community and hybrid clouds and may not be
relevant depending on what such external
computing resources are used for.
Disaster Recovery Plan
Defining Levels of IT Continuity
• Back Up to and Restore from the Cloud – Online
backup
• Applications and data remain on-premises, with data being
backed up into the cloud and restored onto on-premises
hardware when a disaster occurs.
• In other words, the backup in the cloud becomes a substitute
for tape-based off-site backups.
• Back Up to and Restore to the Cloud – Cloud based DR
• Data is not restored back to on-premises infrastructure;
instead it is restored to virtual machines in the cloud. This
requires both cloud storage and cloud compute resources.
The restore can be done when a disaster is declared or on a
continuous basis (pre-staged).
• Pre-staging DR VMs and keeping them relatively up-to-date
through scheduled restores is crucial.
Defining Levels of IT Continuity
• Replication of Virtual Machines in the Cloud – Cloud to
Cloud
• For firms that require aggressive recovery time (RTO) and recovery
point objectives (RPOs), as well as application awareness,
replication is the data movement option of choice. Replication to
cloud virtual machines can be used to protect both cloud and on-
premises production instances.
• In other words, replication is suitable for both cloud-VM-to-cloud-
VM and on-premises-to-cloud-VM data protection
• The benefits provide important features for disaster
recovery:
• VM startup can be easily automated, lowering recovery times
• Virtualization eliminates hardware dependencies, potentially
lowering hardware requirements at the backup site.
• Application agnostic state replication software can be run outside
of the VM, treating it as a black box.
67
Thank You
ADAD 68

Cloud and Virtualization Security

  • 1.
  • 2.
    Cloud Security Cloud andVirtualization Security Date: Presented By: Rubal Sagwal NIT, Kurukshetra Department of Computer Engineering 2Rubal
  • 3.
    Contents • Virtualization securityconcerns • Hypervisor and host/platform Security • Security communications between • Guest instances, hosts and guests • Security challenges and mitigation measures • Common threats • Security considerations for Paas, Saas and Iaas models • Cloud based BCP/DRP • Functional security requirements 3
  • 4.
  • 5.
    Virtual Not physically existingas such but made by software to appear to do so. 5
  • 6.
    Virtualization Virtualization is creationof replica – rather than actual – version of something. Virtualization enables multiple operating systems to run on the same physical platform. 6
  • 7.
    Virtualization • A VMis simply an environment, typically an operating system (OS) or a program, that is created within another environment. • Guest – is usually used to refer to the VM. • Host – we refer to the hosting environment as the host. • A single host can support multiple guest environments in a dynamic on-demand manner. • Guest VMs can execute completely different instruction sets that are foreign to the underlying physical hardware, which can be abstracted away by the host environment. 8
  • 8.
    Using Virtualization toform Clouds • Virtualization has several key attributes, which also happen to be key attributes of cloud computing: • Sharing of Infrastructure • Scalability and Elasticity • Redundancy • Location Independency • Virtualization technologies are what enable the forming of most modern cloud computing architectures. 9
  • 9.
    Using Virtualization toform Clouds • These key virtualization attributes contribute immensely to the implementation of clouds. • Server/ OS/ Application Virtualization for Clouds • Desktop Virtualization for Clouds • Storage Virtualization for Clouds 10
  • 10.
    Real world Cloudusage Scenarios Forming Cloud using Virtualization • Private: • Using VMware • It is very common to use simple virtualization if you have particular applications that consume server capacity at different times of day or applications that require the operating system in which they run to be dedicated but consume very little overall system resources to operate. 11
  • 11.
    Real world Cloudusage Scenarios Forming Cloud using Virtualization • Public: • One of the most common forms of a public cloud at the virtualization level would be any company that purchases a virtual server running on the Amazon EC2 platform (or any other cloud hosting provider). • Already very scalable and highly resilient, they did this by building out a Platform-as-a-Service offering called Amazon Web Services and then basically allowed subscribers to purchase excess capacity of their private cloud in the form of a public cloud. 12
  • 12.
    Using Virtualization toform Clouds • These key virtualization attributes contribute immensely to the implementation of clouds. • However, the tradeoff to all of these benefits is the fact that with more abstraction can come greater complication. • Greater complexity both challenges and requires increased security as the attack surface is generally wider. • In general, complex interactions require more complicated security. 13
  • 13.
    How Virtualization worksin Clouds • Virtualization plays a significant role in cloud technology and its working mechanism. Usually, what happens in the cloud - the users not only share the data that are located in the cloud like an application but also share their infrastructures with the help of virtualization. • Virtualization is used mainly to provide applications with standard versions for the cloud customers & with the release of the latest version of an application the providers can efficiently provide that application to the cloud and its users and it is possible using virtualization only. • By the use of this virtualization concept, all servers & software other cloud providers require those are maintained by a third-party, and the cloud provider pays them on a monthly or yearly basis. 14
  • 14.
    How Virtualization worksin Clouds • Essentially there is a gap between these two terms, though cloud technology requires the concept of virtualization. • Virtualization is a technology - it can also be treated as software that can manipulate hardware. • Whereas cloud computing is a service which is the result of the manipulation. • Virtualization is the foundation element of cloud computing whereas Cloud technology is the delivery of shared resources as a service-on-demand via the internet. • Cloud is essentially made-up from the concept of virtualization. 15
  • 15.
  • 16.
  • 17.
  • 18.
    What is CloudSecurity • Is it Keeping your cloud under the bed? • Or keeping your cloud inside your locker? • Placing your cloud in sky, to a completely unreachable place? • If no, then? 19
  • 19.
    What is CloudSecurity 20
  • 20.
  • 21.
    Cloud Security • However,security and privacy issues present a strong barrier for users to adapt into Cloud Computing systems. Traditionally it contains five goals: • Availability • Confidentiality • Data integrity • Control • Audit 22
  • 22.
    What is CloudSecurity 23
  • 23.
    Cloud Security • Availability: •The goal of availability for Cloud Computing systems (including applications and its infrastructures) is to ensure its users can use them at any time, at any place. • As its web-native nature, Cloud Computing system enables its users to access the system (e.g., applications, services) from anywhere. 24
  • 24.
    What is Cloud Security
  • 25.
    Cloud Security
    • Confidentiality:
    • Keeping users’ data secret in the Cloud systems.
    • Confidentiality in Cloud systems is a big obstacle for users to step into it, as many users said “My sensitive corporate data will never be in the Cloud” in the article named “Above the Cloud”.
    • Currently, Cloud Computing system offerings (e.g., applications and their infrastructures) are essentially on public networks; that is, the applications or systems are exposed to more attacks in comparison to those hosted in private data centers.
    • Therefore, keeping all of users’ confidential data secret in the Cloud is a fundamental requirement, which will consequently attract even more users.
  • 26.
  • 27.
    Cloud Security
    • Data Integrity:
    • To preserve information integrity (i.e., data is not lost or modified by unauthorized users).
    • As data is the base for providing Cloud Computing services, such as Data as a Service, Software as a Service, and Platform as a Service, keeping data integrity is a fundamental task. Furthermore, a Cloud Computing system usually provides massive data processing capability. Here, massive data means many terabytes (TB) or even petabytes (PB) of data in volume. The challenges for data integrity associated with data storage in the Cloud Computing system are as follows.
  • 28.
    Cloud Security
    • Control:
    • Control in the Cloud system means to regulate the use of the system, including the applications, its infrastructure and the data.
  • 29.
    Cloud Security
    • Control:
    • When all personal data are stored in the Cloud Computing system environment, users of Cloud Computing systems may face many threats to their individual data.
    • For example, consider a medical patient who is deciding whether to participate in a health-care study. First, he or she may be concerned about careless or malicious usage of his or her data that results in the exposure of that data, for instance by writing it into a world-readable file which may further be indexed by a search engine. Second, he or she may be concerned that even if all computations are done correctly and securely, the study result itself (e.g., the aggregate health-care statistics computed as part of the study) may leak sensitive information about his or her personal medical information.
    • Using Cloud Computing systems on such sensitive individual data raises serious security and privacy concerns.
  • 30.
    Cloud Security
    • Audit:
    • Means to watch what happened in the Cloud system.
    • Auditability could be added as an additional layer above the virtualized operating system (or virtualized application environment) hosted on the virtual machine, to provide facilities for watching what happened in the system.
    • It is much more secure than auditing that is built into the applications or into the software themselves, since it is able to watch the entire access duration. For such scenarios, three main attributes should be audited:
    • Events: The state changes and other factors that affected the system availability.
    • Logs: Comprehensive information about users’ applications and their runtime environment.
    • Monitoring: Should not be intrusive and must be limited to what the Cloud provider reasonably needs in order to.
  • 31.
  • 32.
    Cloud Security Concern
    1. Network Availability
    2. Cloud Provider Viability
    3. Disaster Recovery and Business Continuity
    4. Security Incidents
    5. Transparency
    6. Loss of Physical Control
    7. New risk, new vulnerability
  • 33.
    Cloud Security Concern
    1. Network Availability:
    • The value of cloud computing can only be realized when your network connectivity and bandwidth meet your minimum needs: the cloud must be available whenever you need it. If it is not, then the consequences are no different than a denial-of-service situation.
    2. Cloud Provider Viability:
    • Since cloud providers are relatively new to the business, there are questions about provider viability and commitment. This concern increases when a provider requires tenants to use proprietary interfaces, thus leading to tenant lock-in.
  • 34.
    Cloud Security Concern
    3. Disaster Recovery and Business Continuity:
    • Tenants and users require confidence that their operations and services will continue if the cloud provider’s production environment is subject to a disaster.
    4. Security Incidents:
    • Tenants and users need to be appropriately informed by the provider when an incident occurs. Tenants or users may require provider support to respond to audit or assessment findings. Also, a provider may not offer sufficient support to tenants or users for resolving investigations.
  • 35.
    Cloud Security Concern
    5. Transparency:
    • When a cloud provider does not expose details of its internal policy or technology implementation, tenants or users must trust the cloud provider’s security claims. Even so, tenants and users require some transparency from providers as to provider cloud security, privacy, and how incidents are managed.
    6. Loss of Physical Control:
    • Since tenants and users lose physical control over their data and applications, this results in a range of concerns:
    • Privacy over Data – With public or community clouds, data may not remain in the same system, raising multiple legal concerns.
    • Control over Data – User or organization data may be commingled (mixed) in various ways with data belonging to others.
  • 36.
    Cloud Security Concern
    7. New Risks, New Vulnerabilities:
    • There is some concern that cloud computing brings new classes of risks and vulnerabilities. Although we can suggest various hypothetical new risks, actual exploits will largely be a function of a provider’s implementation. Although all software, hardware, and networking equipment are subject to unearthing of new vulnerabilities, by applying layered security and well-conceived operational processes, a cloud may be protected from common types of attack even if some of its components are inherently vulnerable.
  • 37.
    Cloud Security Concern
    • The Cloud Security Alliance (CSA) affectionately calls its top cloud threats in 2016 the treacherous twelve: 12 security concerns associated with cloud technology. These are as follows:
    (1) Data loss
    (2) Weak identity, credentials, and access management
    (3) Insecure APIs
    (4) System and application vulnerabilities
    (5) Account hacking
    (6) Malicious insiders
    (7) Advanced persistent threats (APTs)
    (8) Permanent data loss
    (9) Insufficient due diligence
    (10) Abuse and nefarious use of cloud services
    (11) DoS attacks
    (12) Shared technology or shared dangers
  • 38.
    Cloud Security Concern
    1. Data Breaches
    2. Hijacking of Accounts: Attackers now have the ability to use your (or your employees’) login information to remotely access sensitive data stored on the cloud; additionally, attackers can falsify and manipulate information through hijacked credentials.
    3. Insider Threats: An attack from inside your organization may seem unlikely, but the insider threat does exist. Employees can use their authorized access to an organization’s cloud-based services to misuse or access information such as customer accounts, financial forms, and other sensitive information.
    4. Denial of Service Attack
  • 39.
    Cloud Security Concern
    5. Malware Injection: Malware injections are scripts or code embedded into cloud services that act as “valid instances” and run as SaaS to cloud servers. This means that malicious code can be injected into cloud services and viewed as part of the software or service that is running within the cloud servers themselves.
    6. Permanent Data Loss: Data on cloud services can be lost through a malicious attack, natural disaster, or a data wipe by the service provider.
  • 40.
  • 41.
    Virtualization Security Concern
    • First, by adding each new VM, you are adding an additional OS, which itself entails security risk. Every OS should be patched, maintained, and monitored as appropriate for its intended use.
    • Second, typical network-based intrusion detection does not work well with virtual servers that are co-located on the same host.
    • When data and applications are moved between multiple physical servers for load balancing, network monitoring systems cannot yet assess and reflect these operations for what they are.
  • 42.
    Virtualization Security Concern
    • Third, the use of virtualization demands the adoption of different management approaches for many functions, from configuration management to VM placement and capacity management. Likewise, resource allocation problems can quickly become performance issues; thus, performance management is critical to running an effective virtualized environment.
  • 43.
    Virtualization Security Concern with Cloud
    1. Just as an OS attack is possible, a hacker can take control of a hypervisor. If the hacker gains control of the hypervisor, he gains control of everything that it controls; therefore, he could do a lot of damage.
    • If the hypervisor is vulnerable to being exploited, it will become a primary target. At the scale of a cloud, such a risk would have broad impact.
    2. Another area of concern with virtualization has to do with the nature of allocating and deallocating resources such as the local storage associated with VMs.
    • If, during the deployment and operation of a VM, data is written to physical media (or to memory) and it is not cleared before those resources are reallocated to the next VM, then there is a potential for information exposure.
  • 44.
    Virtualization Security Concern with Cloud
    3. Most fully featured hypervisors (for example, VMware) have virtual switches (and firewalls) that sit between the server physical interfaces and the virtual interfaces provided to the VMs. All of these facilities have to be managed as changes are made to VM locations and the allowable communication paths between them.
  • 45.
    Virtualization Security Concern with Cloud
    4. Network monitoring with cloud computing: Current network defenses are based on physical networks. In the virtualized environment, the network is no longer physical; its configuration can actually change dynamically, which makes network monitoring difficult.
    5. Configuration and change management: The simple act of changing configurations or patching the software on virtual machines becomes much more complex if the software is locked away in virtual images; in the virtual world, you no longer have a fixed static address to update the configuration.
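    Point 2 above (resources reallocated to the next VM without being cleared) can be shown with a small model. The following Python is an added example, not part of the original slides; the `StoragePool` class, the VM names and the sample data are constructed for illustration. It shows that ownership checks alone do not stop exposure, while scrubbing on release does.

```python
"""Constructed demo: residual data crossing tenants when storage is reallocated."""

BLOCK_SIZE = 16  # bytes per block, tiny on purpose


class StoragePool:
    """Hypothetical pool that hands fixed-size blocks of shared media to VMs."""

    def __init__(self, blocks: int, scrub_on_release: bool):
        self.scrub_on_release = scrub_on_release
        self._media = [bytearray(BLOCK_SIZE) for _ in range(blocks)]
        self._free = list(range(blocks))
        self._owner = {}  # block index -> name of the VM that holds it

    def _check(self, vm: str, idx: int) -> None:
        # Access control: only the current owner may touch a block.
        if self._owner.get(idx) != vm:
            raise PermissionError(f"{vm} does not own block {idx}")

    def allocate(self, vm: str) -> int:
        if not self._free:
            raise RuntimeError("pool exhausted")
        idx = self._free.pop()
        self._owner[idx] = vm
        return idx

    def write(self, vm: str, idx: int, data: bytes) -> None:
        self._check(vm, idx)
        if len(data) > BLOCK_SIZE:
            raise ValueError("data larger than block")
        self._media[idx][: len(data)] = data

    def read(self, vm: str, idx: int) -> bytes:
        self._check(vm, idx)
        return bytes(self._media[idx])

    def release(self, vm: str, idx: int) -> None:
        self._check(vm, idx)
        if self.scrub_on_release:
            # The control: overwrite the block before it returns to the pool.
            self._media[idx][:] = bytes(BLOCK_SIZE)
        del self._owner[idx]
        self._free.append(idx)


def residue_seen_by_next_vm(scrub_on_release: bool) -> bytes:
    """VM A stores data and is torn down; return what VM B finds in its new block."""
    pool = StoragePool(blocks=1, scrub_on_release=scrub_on_release)
    a = pool.allocate("vm-a")
    pool.write("vm-a", a, b"tenantA-secret")  # constructed sample data
    pool.release("vm-a", a)
    b = pool.allocate("vm-b")  # the same physical block is handed out again
    return pool.read("vm-b", b).rstrip(b"\x00")


if __name__ == "__main__":
    print("without scrubbing:", residue_seen_by_next_vm(False))
    print("with scrubbing:   ", residue_seen_by_next_vm(True))
```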
  • 46.
    Recommendations And Best Practices For Secure Virtualization
    PaaS – SaaS – IaaS
  • 47.
    Virtualization Security
    1. Administrator Access and Separation of Duties:
    • Provide server admins with on/off rights for their servers only and no others.
    • Separate authentication should be in place for each guest OS unless there’s a good reason for two or more guest OS to share credentials.
  • 48.
    Virtualization Security
    2. Desktop Virtualization and Security: The following are four effective measures for making sure that unauthorized and unsecured virtualization doesn’t exist in the environment:
    • Update Acceptable Use Policy
    • Limit the Use of VMs to the Users That Need Them: Forbid the installation of freely downloadable software on corporate desktops and laptops. Limit permissions to a small group of developers and testers for virtual tools and VMs, and help them understand that they still have to conform to corporate security policies.
    • Keep Virtualization and Security Software Up to Date
    • Create and Maintain a Library of Secure VM Builds: Maintain a repository of VM builds containing all of the configuration settings, security software and patches that users can download, use and re-use.
  • 49.
    Virtualization Security
    3. Network Security:
    • Disconnect any unused NICs so that there isn’t an easy way to get onto the network.
    • Make sure that the host platform that connects the hypervisor and guests to the physical network is secure by setting file permissions, putting things in place to control users and groups, and setting up logging and time synchronization.
    • Encrypt all traffic between clients and hosts, between management systems and the hypervisor, and between the hypervisor and hosts using SSL.
    • Secure IP communications between two hosts by using authentication and encryption on each IP packet.
    • Place virtual switches into promiscuous mode for monitoring purposes and enable MAC address filtering to prevent MAC spoofing attacks.
  • 50.
    Virtualization Security
    4. Virtual Machine:
    • VMs shouldn’t be placed on storage, backup or management networks that are connected to the hypervisor.
    • VMs shouldn’t be able to access or view the resources used by the kernel or host. These resources include storage networks and networking responsible for moving VMs.
    • Don’t create more VMs than is necessary. Keep track of all of your running VMs to track potential entry points for attacks. Limit use of VMs to critical staff only.
    • Turn off any unused VMs.
    • Unused hardware ports like USB on VMs should be disabled.
    • Use IPSec or other forms of encryption between the host and VM.
    • Physical devices like CD-ROM and floppy drives can be controlled by VMs indirectly or directly on the host. Configure this capability on a per-VM basis and disable this connection to hosts by default on all VMs.
  • 51.
    Virtualization Security
    5. Hypervisor Security:
    • Install vendor-supplied patches and updates to the hypervisor as they’re released. Support this with a sound patch management process to mitigate the risk of hypervisor vulnerabilities. Place the latest service packs on guests and hosts and remove any applications with a history of vulnerabilities.
    • Disable any unused virtual hardware that connects to the hypervisor.
    • Disable unneeded services like clipboard or file sharing.
    • Perform constant monitoring of the hypervisor for any potential signs of compromise. Monitor and analyze the hypervisor logs on a consistent basis.
    • Do not expose the management interface to the hypervisor to your LAN.
    • Disable all local administration of the hypervisor and require use of a centralized management application.
    • Require multi-factor authentication for any admin functions on the hypervisor.
  • 52.
    Virtualization Security
    6. Auditing and Logging:
    • Use centralized logging to determine whether guests have gone offline. These guests can get out of sync in regards to patches and updates. Log any VM power events (such as On, Off, Suspended or Resumed), changes in hardware configurations or any login events related to those with elevated privileges. VMs that are copied, moved or deleted should also be logged.
    • Conduct regular audits of the environment including the virtual network, storage, the hypervisor, the VMs and the management systems.
    • Send log files securely to a remote log server.
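    The auditing rules in this item can be run as a filter over a central log. The following Python is an added example, not from the original slides; the JSON-lines schema (`ts`, `vm`, `type`, `action`, `privileged`) and the sample events are constructed assumptions, not any hypervisor's real log format.

```python
"""Constructed demo: apply the slide's logging rules to a central event stream."""
import json
from datetime import datetime, timedelta

# Constructed sample of a centralized log, one JSON event per line (assumed schema).
SAMPLE_LOG = """\
{"ts": "2024-05-01T08:00:00+00:00", "vm": "web-01", "type": "heartbeat"}
{"ts": "2024-05-01T08:05:00+00:00", "vm": "db-01", "type": "power", "action": "Suspended"}
{"ts": "2024-05-01T08:10:00+00:00", "vm": "web-01", "type": "login", "user": "root", "privileged": true}
{"ts": "2024-05-01T08:11:00+00:00", "vm": "web-01", "type": "login", "user": "deploy", "privileged": false}
{"ts": "2024-05-01T08:20:00+00:00", "vm": "web-01", "type": "hw_config", "change": "nic_added"}
{"ts": "2024-05-01T09:00:00+00:00", "vm": "test-07", "type": "lifecycle", "action": "copied"}
{"ts": "2024-05-01T11:55:00+00:00", "vm": "web-01", "type": "heartbeat"}
{"ts": "2024-05-01T11:58:00+00:00", "vm": "test-07", "type": "heartbeat"}
"""

POWER_ACTIONS = {"On", "Off", "Suspended", "Resumed"}
LIFECYCLE_ACTIONS = {"copied", "moved", "deleted"}


def parse(log_text: str) -> list:
    """Parse JSON lines into dicts with datetime timestamps, oldest first."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            event = json.loads(line)
            event["ts"] = datetime.fromisoformat(event["ts"])
            events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def must_log(event: dict) -> bool:
    """True for the event classes the slide says must be recorded."""
    kind = event["type"]
    if kind == "power":
        return event.get("action") in POWER_ACTIONS
    if kind == "hw_config":
        return True
    if kind == "login":
        return bool(event.get("privileged"))  # elevated-privilege logins only
    if kind == "lifecycle":
        return event.get("action") in LIFECYCLE_ACTIONS
    return False


def offline_guests(events: list, now: datetime, max_silence: timedelta) -> dict:
    """Guests silent for longer than max_silence, mapped to last known power state.

    These are the guests likely to drift out of sync on patches and updates.
    """
    last_seen, power_state = {}, {}
    for event in events:
        vm = event["vm"]
        last_seen[vm] = event["ts"]
        if event["type"] == "power":
            power_state[vm] = event["action"]
    return {vm: power_state.get(vm, "unknown")
            for vm, ts in last_seen.items() if now - ts > max_silence}


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    for e in filter(must_log, evts):
        print("AUDIT", e["ts"].isoformat(), e["vm"], e["type"])
    cutoff = datetime.fromisoformat("2024-05-01T12:00:00+00:00")
    print("OFFLINE", offline_guests(evts, cutoff, timedelta(hours=1)))
```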
  • 53.
    Virtualization Security
    7. Management System:
    • Secure your communications between management systems and the hosts to prevent data loss, eavesdropping and any chance for man-in-the-middle attacks. Enable one or more of the available SSH, IPSec and SSL protocols for this purpose.
  • 54.
    Virtualization Security
    10. Snapshots and Images:
    • No guest OS images should have write access.
    • Protect VMs by the snapshot capability of the hypervisor as the snapshot captures the current state of the VM. The snapshot captures the OS, configuration settings, data and application state contained in the VM at that point in time.
  • 55.
    Virtualization Security
    11. Remote Access:
    • Remote access management should be limited to a small set of authorized management system IP addresses.
    • Any remote access should ask for a username as well as a password backed up with a strong password policy. For strong security environments, use two-factor authentication or one-time-use passwords.
    • Remote communication to any management tools should be encrypted and authenticated.
  • 56.
    Virtualization Security
    12. Backup:
    • Encrypt any backup data streams in case a server image is stolen. Data at rest should have access control lists to control copying or mounting of images.
    • Network level protections like VLANs and access control lists should be in place to protect backup data whether at rest or in transit.
    • Do not allow root accounts to be used for backup.
  • 57.
    Virtualization Security
    13. Disaster Recovery:
    • Maintain your production firewall, security posture and IPS/IDS at your disaster recovery (DR) site. If your firewall is disabled at the DR site until a disaster occurs, or if the rules on the firewall are different from the main site, audit the firewall regularly.
    • Implement proper change control so that your backup site and main site are kept as identical as possible.
    • Any logging and monitoring at the DR site should be treated as if it is at your primary site.
    • Any replications to your backup site should be encrypted.
    • Place a copy of your business recovery plan at your offsite location.
    • Rotate your backup media and keep it in offsite storage.
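    A regular audit of the DR firewall against the main site can be automated as a rule-set comparison. The following Python is an added example, not from the original slides; the one-line rule syntax (`action proto src -> dst port`) and both rule sets are constructed for illustration and do not match any vendor's format.

```python
"""Constructed demo: detect firewall rule drift between main site and DR site."""
from typing import NamedTuple


class Rule(NamedTuple):
    action: str
    proto: str
    src: str
    dst: str
    port: str


# Constructed rule sets in an assumed syntax: action proto src -> dst port
MAIN_SITE = """
allow tcp 203.0.113.0/24 -> 10.0.1.10 443   # public web
allow tcp 10.0.9.0/28 -> 10.0.1.0/24 22     # SSH from management subnet only
deny  ip  any -> any any                    # default deny
"""
DR_SITE = """
allow tcp 203.0.113.0/24 -> 10.0.1.10 443
allow tcp any -> 10.0.1.0/24 22             # loosened during a DR test, never reverted
deny  ip  any -> any any
"""


def parse_rules(text: str) -> list:
    """Parse the assumed rule syntax, ignoring blank lines and # comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 6 or fields[3] != "->":
            raise ValueError(f"malformed rule: {raw!r}")
        action, proto, src, _, dst, port = fields
        rules.append(Rule(action.lower(), proto.lower(), src, dst, port))
    return rules


def drift(main: list, dr: list) -> dict:
    """Report rules missing at DR, extra at DR, and whether shared rules are reordered.

    Order matters on first-match firewalls, so it is checked separately.
    """
    main_set, dr_set = set(main), set(dr)
    shared_main = [r for r in main if r in dr_set]
    shared_dr = [r for r in dr if r in main_set]
    return {
        "missing_at_dr": [r for r in main if r not in dr_set],
        "extra_at_dr": [r for r in dr if r not in main_set],
        "order_differs": shared_main != shared_dr,
    }


if __name__ == "__main__":
    report = drift(parse_rules(MAIN_SITE), parse_rules(DR_SITE))
    for key, value in report.items():
        print(key, value)
```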
  • 58.
    Security considerations for CC Models
    PaaS – SaaS – IaaS
  • 59.
    Extent of Control over Security in SaaS, PaaS and IaaS
  • 60.
    Extent of Control over Security in SaaS, PaaS and IaaS
    • Cloud-based IaaS does not typically expose actual hardware or networking layers to the tenant of the service; rather, these underlying resources are abstracted for the consumer.
    • PaaS abstracts infrastructure to a greater extent and generally presents middleware containers that are tailored for categories of usage, such as development.
    • These containers provide tools to simplify application development and limit application interactions with the underlying systems.
    • SaaS abstracts even further and generally exposes narrow-functionality software-based services such as Customer Relationship Management (CRM) or e-mail.
  • 61.
    Extent of Control over Security in SaaS, PaaS and IaaS
    • With SaaS, the burden of security lies with the cloud provider. In part, this is because of the degree of abstraction, but the SaaS model is based on a high degree of integrated functionality with minimal customer control or extensibility.
    • By contrast, the PaaS model offers greater extensibility and greater customer control but fewer higher-level features.
    • Largely because of the relatively lower degree of abstraction, IaaS offers greater tenant or customer control over security than do PaaS or SaaS.
  • 62.
    Extent of Control over Security in SaaS, PaaS and IaaS
    • Clearly, the degree of control that a tenant or customer has in a public cloud is minimal, whereas the tenant organization has maximum control with a private cloud. The degree of control will vary for community and hybrid clouds and may not be relevant depending on what such external computing resources are used for.
  • 63.
  • 64.
    Defining Levels of IT Continuity
    • Back Up to and Restore from the Cloud – Online backup
    • Applications and data remain on-premises, with data being backed up into the cloud and restored onto on-premises hardware when a disaster occurs.
    • In other words, the backup in the cloud becomes a substitute for tape-based off-site backups.
    • Back Up to and Restore to the Cloud – Cloud based DR
    • Data is not restored back to on-premises infrastructure; instead it is restored to virtual machines in the cloud. This requires both cloud storage and cloud compute resources. The restore can be done when a disaster is declared or on a continuous basis (pre-staged).
    • Pre-staging DR VMs and keeping them relatively up-to-date through scheduled restores is crucial.
  • 65.
    Defining Levels of IT Continuity
    • Replication of Virtual Machines in the Cloud – Cloud to Cloud
    • For firms that require aggressive recovery time objectives (RTOs) and recovery point objectives (RPOs), as well as application awareness, replication is the data movement option of choice. Replication to cloud virtual machines can be used to protect both cloud and on-premises production instances.
    • In other words, replication is suitable for both cloud-VM-to-cloud-VM and on-premises-to-cloud-VM data protection.
    • The benefits provide important features for disaster recovery:
    • VM startup can be easily automated, lowering recovery times.
    • Virtualization eliminates hardware dependencies, potentially lowering hardware requirements at the backup site.
    • Application-agnostic state replication software can be run outside of the VM, treating it as a black box.
  • 66.
  • 67.