This document discusses various aspects of cloud security including cloud security challenges, areas of concern in cloud computing, how to evaluate risks, cloud computing categories, the cloud security alliance, security service boundaries, responsibilities by service models, securing data, auditing and compliance, identity management protocols, and Windows Azure identity standards. It provides information on policies, controls, and technologies used to secure cloud environments, applications, and data.
2. Cloud Security
Consists of a set of policies, controls, procedures and technologies that work together to protect
» Cloud-based systems
» Data and
» Infrastructure
Procedures and technology that secure cloud computing environments against both external and insider cybersecurity threats.
Security measures are configured to protect cloud data, support regulatory compliance and protect customers' privacy, as well as to set authentication rules for individual users and devices.
From authenticating access to filtering traffic, cloud security can be configured to the exact needs of the business.
3. Cloud Security Challenges
People can attack network hosts and web apps as fast as they can be protected.
Cloud administrators should test their environments and have the latest security audits and reports.
Take care when adopting new technologies, such as AI and machine learning, which use many data sources.
4. Areas of cloud computing that they felt were uniquely troublesome
• Auditing
A cloud auditor can make an assessment of the security controls in the information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to the security requirements for the system.
• Data integrity
• e-Discovery for legal compliance
E-discovery is still reliable for organizing and preserving data for legal compliance, but e-discovery in the cloud and container-based storage complicate governance processes.
• Privacy
• Recovery
• Regulatory compliance
Cloud compliance is about complying with the laws and regulations.
5. To evaluate your risks
You need to perform the following analysis:
1. Determine which resources (data, services, or applications)
you are planning to move to the cloud.
2. Determine the sensitivity of the resource to risk.
Risks that need to be evaluated are loss of privacy, unauthorized
access by others, loss of data, and interruptions in availability.
3. Determine the risk associated with the particular cloud type
for a resource.
4. Take into account the particular cloud service model that you
will be using.
5. If you have selected a particular cloud service provider, you
need to evaluate its system to understand how data is
transferred, where it is stored, and how to move data both in
and out of the cloud.
6. Cloud Computing Categories
1. Public cloud services, operated by a public cloud provider:
software-as-a-service (SaaS), infrastructure-as-a-service (IaaS),
and platform-as-a-service (PaaS).
2. Private cloud services, operated by a public cloud provider
These services provide a computing environment dedicated to
one customer, operated by a third party.
3. Private cloud services, operated by internal staff
These services are an evolution of the traditional data center,
where internal staff operate a virtual environment they control.
4. Hybrid cloud services
Private and public cloud computing configurations can be
combined, hosting workloads and data based on optimizing
factors such as cost, security, operations and access.
Operation will involve internal staff, and optionally the public
cloud provider.
7. Cloud Security Alliance
The security boundary
The security boundary separates the responsibility of the service
provider from the responsibility of the customer.
The Cloud Security Alliance (CSA) is the world’s leading
organization dedicated to defining and raising awareness of best
practices to help ensure a secure cloud computing environment.
CSA’s comprehensive research program works in collaboration
with industry, higher education and government on a global
basis.
8. The CSA partitions its guidance into a set of
operational domains
• Governance and enterprise risk management
• Legal and electronic discovery
• Compliance and audit
• Information lifecycle management
• Portability and interoperability
• Traditional security, business continuity, and disaster
recovery
• Datacenter operations
• Incident response, notification, and remediation
• Application security
• Encryption and key management
• Identity and access management
• Virtualization
10. Security service boundary
In the SaaS model, the vendor provides security as part of the
Service Level Agreement, with the compliance, governance, and
liability levels stipulated under the contract for the entire stack.
For the PaaS model, the security boundary may be defined for
the vendor to include the software framework and middleware
layer.
In the PaaS model, the customer would be responsible for the
security of the application and UI at the top of the stack.
The model with the least built-in security is IaaS, where
everything that involves software of any kind is the customer’s
problem.
12. Security mapping
The cloud service model you choose determines where in the
proposed deployment the variety of security features,
compliance auditing, and other requirements must be placed.
To determine the particular security mechanisms you need, you
must perform a mapping of the particular cloud service model
to the particular application you are deploying.
These mechanisms must be supported by the various controls
that are provided by your service provider, your organization, or
a third party.
A security control model includes the security that you normally
use for your applications, data, management, network, and
physical hardware.
13. Securing Data
Securing data sent to, received from, and stored in the cloud is
the single largest security concern that most organizations
should have with cloud computing.
These are the key mechanisms for protecting data:
❖ Access control
❖ Auditing
❖ Authentication
❖ Authorization
14. Brokered Cloud Storage Access
The problem with the data you store in the cloud is that it can
be located anywhere in the cloud service provider’s system:
in another datacenter, another state or province, and in many
cases even in another country.
Therefore, to protect your cloud storage assets, you want to
find a way to isolate data from direct client access.
Brokered Cloud Storage Access is an approach for isolating
storage in the cloud.
In this approach, two services are created:
• A broker with full access to storage but no access to the client.
• A proxy with no access to storage but access to both the client and
the broker.
15. Brokered Cloud Storage Access
Isolated Access to Data
Data stored in the cloud can be retrieved from anywhere, hence there should
be a mechanism to isolate data and protect it from clients’ direct
access.
Brokered Cloud Storage Access is an approach to isolating storage in the
cloud.
The following two services are created in this approach:
• A broker with complete access to storage, but no access to the client.
• A proxy with no access to storage, but access to both the client and
the broker.
The broker does not necessarily need full access to the cloud storage; it may
be configured to grant READ and QUERY operations while not
allowing APPEND or DELETE.
The proxy has a limited-trust role, while the broker can run with
higher privileges or even as native code.
16. Security mapping
Two services are in the direct data path between the client and
data stored in the cloud.
A broker with complete access to storage, but no access to client.
A proxy with no access to storage, but access to client and broker
both.
Under this system, when a client makes a request for data, here’s
what happens:
1. The request goes to the external service interface (or
endpoint) of the proxy, which has only partial trust.
2. The proxy, using its internal interface, forwards the request to
the broker.
3. The broker requests the data from the cloud storage system.
4. The storage system returns the results to the broker.
5. The broker returns the results to the proxy.
6. The proxy completes the response by sending the data
requested to the client.
19. Storage location and Tenancy
Data stored in the cloud is usually stored alongside data from multiple
tenants, and each vendor has its own unique method for segregating one
customer’s data from another’s.
It is important to have some understanding of how your specific
service provider maintains data segregation.
Most cloud service providers store data in an encrypted form.
Encryption does present its own set of problems:
if something goes wrong with the encrypted data, the result is that the
data may not be recoverable.
20. Encryption
• Strong encryption technology is a core technology for protecting data in
transit to and from the cloud as well as data stored in the cloud.
• The goal of encrypted cloud storage is to create a virtual private storage
system that maintains confidentiality and data integrity while
maintaining the benefits of cloud storage: ubiquitous, reliable, shared
data storage.
• Encryption should separate stored data (data at rest) from data in transit.
• Microsoft allows up to five security accounts per client, and you can use
these different accounts to create different zones.
• On Amazon Web Service, you can create multiple keys and rotate those
keys during different sessions.
• Keys should have a defined lifecycle.
• Among the schemes used to protect keys are the creation of secure key
stores that have restricted role-based access, automated key stores
backup, and recovery techniques.
• It’s a good idea to separate key management from the cloud provider.
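An added example, not from the slides, of the defined key lifecycle and restricted role-based key store described above: `KeyStore`, its two roles and the toy HMAC-based keystream are all constructed here, standing in for a provider's real encryption service. It also shows the recoverability problem from the previous slide: destroying a retired key before its data has been re-encrypted leaves that data unreadable.

```python
import hashlib, hmac, os

class KeyStore:
    """Keys with a lifecycle (active -> retired -> destroyed) and role-based
    access. The cipher is a toy HMAC-SHA256 keystream standing in for the
    provider's real encryption (no integrity tag): illustration only."""
    ROLE_OPS = {"app": {"encrypt", "decrypt"}, "key-admin": {"rotate", "destroy"}}

    def __init__(self):
        self.keys = {}  # kid -> [secret, state]
        self.active = None

    def _check(self, role, op):
        if op not in self.ROLE_OPS.get(role, set()):
            raise PermissionError(f"role {role!r} may not {op}")

    def rotate(self, role):
        # Old key is retired: still decrypts existing data, never used for new.
        self._check(role, "rotate")
        if self.active is not None:
            self.keys[self.active][1] = "retired"
        self.active = f"k{len(self.keys) + 1}"
        self.keys[self.active] = [os.urandom(32), "active"]
        return self.active

    def destroy(self, role, kid):
        # Wiping a retired key leaves anything still encrypted under it unrecoverable.
        self._check(role, "destroy")
        if self.keys[kid][1] != "retired":
            raise ValueError("only retired keys may be destroyed")
        self.keys[kid] = [b"", "destroyed"]

    @staticmethod
    def _xor(secret, nonce, data):
        out = bytearray()
        for off in range(0, len(data), 32):
            pad = hmac.new(secret, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
            out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
        return bytes(out)

    def encrypt(self, role, plaintext):
        self._check(role, "encrypt")
        nonce = os.urandom(16)
        return self.active, nonce, self._xor(self.keys[self.active][0], nonce, plaintext)

    def decrypt(self, role, kid, nonce, ciphertext):
        self._check(role, "decrypt")
        secret, state = self.keys.get(kid, (b"", "missing"))
        if state in ("destroyed", "missing"):
            raise LookupError(f"key {kid} is {state}: data not recoverable")
        return self._xor(secret, nonce, ciphertext)
```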
21. Auditing and compliance
Logging is the recording of events into a repository; auditing is
the ability to monitor the events to understand performance.
Logging and auditing are important functions; they are necessary
not only for evaluating performance.
Logs should record system, application, and security events, at
the very minimum.
Cloud service providers often have proprietary log formats that
you need to be aware of.
The monitoring and analysis tools you use need to be aware of
these logs and able to work with them.
Because cloud services are both multitenant and multisite operations,
the logging activity and data for different clients may not only
be co-located, they may also be moving across a landscape of
different hosts and sites.
22. Compliance under the laws of the governing
bodies
• Which regulations apply to your use of a particular cloud
computing service
• Which regulations apply to the cloud service provider and
where the demarcation line falls for responsibilities
• How your cloud service provider will support your need for
information associated with regulation
• How to work with the regulator to provide the information
necessary regardless of who had the responsibility to collect
the data
23. SLAs that enforce protections
• You have contracts reviewed by your legal staff.
• You have a right-to-audit clause in your SLA.
• You review any third parties who are service providers and
assess their impact on security and regulatory compliance.
• You understand the scope of the regulations that apply to
your cloud computing applications and services.
• You consider what steps you must take to comply with the
demands of regulations that apply.
• You consider adjusting your procedures to comply with
regulations.
• You collect and maintain the evidence of your compliance
with regulations.
• You determine whether your cloud service provider can
provide an audit statement that is SAS 70 Type II-compliant.
24. Establishing Identity
• Managing personal identity information so that access to
computer resources, applications, data, and services is
controlled properly.
• IDaaS is cloud-based authentication built and operated by a
third-party provider.
• The goal of an Identity Service is to ensure users are who they
claim to be, and to give them the right kinds of access to
software applications, files, or other resources at the right
times.
• Identity management is a primary mechanism for controlling
access to data in the cloud, preventing unauthorized
uses, maintaining user roles, and complying with regulations.
25. Presence
• The purpose of presence is to signal availability for interaction over a
network.
• It is used on networks to indicate the status of available
parties and their location.
• Presence is an enabling technology for peer-to-peer
interaction.
• It adds context that can modify services and service delivery.
• Among the cloud computing services that rely on
presence information are telephony systems such as VoIP,
instant messaging services (IM), and geo-location-based
systems such as GPS.
• Presence is playing an important role in cell phones,
particularly smart phones.
26. Identity protocol standards
Identity protocol standards define how identity
information is exchanged between parties.
Many protocols that provide identity services form the basis for
creating interoperability among services.
Commonly used identity protocol standards:
• OpenID
• XACML and SAML
• OAuth
Cloud computing requires the following:
• That you establish an identity
• That the identity be authenticated
• That the authentication be portable
• That authentication provide access to the cloud
27. OpenID
❖It is the standard associated with creating an identity and
authenticating its use by a third-party service.
❖It is the key to creating Single Sign-On (SSO) systems.
❖OpenID doesn’t specify the means for authentication of an identity; a
particular system should execute the authentication process.
❖Authentication can be by a Challenge and Response Protocol (CHAP),
through a smart card, or by a biometric measurement.
In OpenID, the authentication procedure has the following steps:
• The end-user uses a program like a browser, called a user
agent, to enter an OpenID identifier.
• The OpenID is presented to a service that provides access to the
resource that is desired.
• An entity called a relying party queries the OpenID identity provider
to authenticate the accuracy of the OpenID credentials.
• The authentication is sent back to the relying party from the
identity provider and access is either provided or denied.
28. OAuth
• An open standard called OAuth provides a token service that
can be used to present validated access to resources.
• The use of OAuth tokens allows clients to present credentials
that contain no account information (userID or password) to a
cloud service.
• The token comes with a defined period after which it can no
longer be used.
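An added illustration of the token properties in the slide above; it is not code from the slides and not the OAuth protocol itself. `TokenService`, its constructed signing key and the injectable clock are assumptions: the token carries a random handle, a scope and an expiry but no user ID or password, and validation refuses it once the defined period has elapsed or the signature does not match.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


class TokenService:
    """Issues and validates opaque bearer tokens (constructed illustration).
    Tokens carry a random handle, a scope and an expiry, signed with the
    service's HMAC key; they never carry account information."""

    def __init__(self, signing_key: bytes, lifetime_s: int = 900, clock=time.time):
        self._key = signing_key
        self._lifetime = lifetime_s
        self._clock = clock  # injectable so expiry can be tested deterministically

    def _sign(self, body: bytes) -> str:
        mac = hmac.new(self._key, body, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()

    def issue(self, scope: str) -> str:
        payload = {"handle": secrets.token_hex(8), "scope": scope,
                   "exp": int(self._clock()) + self._lifetime}
        body = base64.urlsafe_b64encode(json.dumps(payload).encode()).rstrip(b"=")
        return f"{body.decode()}.{self._sign(body)}"

    def validate(self, token: str, required_scope: str):
        """Return the claims if signature, expiry and scope check out, else None."""
        try:
            body, sig = token.split(".")
        except ValueError:
            return None
        if not hmac.compare_digest(sig, self._sign(body.encode())):
            return None  # tampered or forged: reject before trusting any claim
        padded = body + "=" * (-len(body) % 4)
        claims = json.loads(base64.urlsafe_b64decode(padded))
        if claims["exp"] <= self._clock():
            return None  # defined period elapsed: token can no longer be used
        if claims["scope"] != required_scope:
            return None
        return claims
```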
29. Windows Azure Identity Standards
The Windows Azure Platform uses a claims-based identity based on
open authentication and access protocols.
These standards may be used without modification on a system that is
running in the cloud or on-premises.
Windows Azure security draws on the following three services:
• Active Directory Federation Services 2.0
It is a Security Token Service (STS) that allows users to authenticate
their access to applications both locally and in the cloud with a
claims-based identity.
• Windows Azure AppFabric Access Control Service
A claims-based identity system is built directly into the AppFabric Access
Control authentication and claims-based authorization access.
• Windows Identity Foundation (WIF)
SOAP service (WCF-SOAP) into a unified object model.
This allows WIF to have full access to the features of WS-Security and
to work with tokens in the SAML format.