Cloud security: Industry Trends and Research Challenges

Cloud Security,
Vulnerabilities and Integrity
Dr. Rajesh P Barnwal
Principal Scientist
AI & IoT Lab,
Information Technology Group
CSIR-Central Mechanical Engineering Research Institute, Durgapur
Invited Lecture at Faculty Development Program
SCMS School of Engineering and Technology,
Vidya Nagar, Karukutty-683576, Kerala
21st July’ 2021

AI & IoT Lab, CSIR-Central Mechanical Engineering Research Institute, Durgapur
Cloud Security?

Cloud Evolution
 Understanding Cloud Evolution is needed to know
about its Security, Integrity and Vulnerability

Evolution of Cloud Model

Bare Metal
PaaS Container Orchestrators
IaaS

Mention 3 reasons for adopting Cloud

Why shift to Cloud?
 Cost Savings
 Security
 Flexibility
 Mobility
 Insight
 Increased Collaboration
 Quality Control
 Disaster Recovery
 Loss Prevention
 Automatic Software Updates Source: SalesForce

What we exactly do?
 Hire Infrastructure and host our applications
 Hire applications and host our data
 Hire full services to use the hosted application and
gathered data

Main Concern about Cloud?
 The main security issues arises due to:
 Multi-tenant infrastructure
 Multi-application infrastructure
 Out of control infrastructure
 Third party handling of data
 Loosing control over physical security
 Loosing control over hired part of services
 In cloud environment, all the above depends upon
Cloud Service Providers (CSP)
 And the CSP becomes the main compute manager

Major Challenges
Source: IDC Report

 We will discover during this talk,
whether "Cloud Computing Security"
is different than "Regular IT Security"

Let us know the IT Security
 How the world looks without IT Security?
 https://youtu.be/TLxdOi5JDjc

Security domain in Cloud

"C-I-A" Objectives of Security
 Computer and network security is fundamentally
about three goals/objectives:
 Confidentiality (C) ,
 Integrity (I), and
 Availability (A)
 Out of the above three, Availability is the KEY issue
in the case of Cloud Security

Cloud Security becomes a New Challenge

Nothing is sufficient

Cloud Workloads increases security incidents

Cloud Security is not a single handed job

Cost of Missing Cloud Security

Security Challenges in Multi-Cloud Environment
Source: Tripwire Research

Market share of Popular Public Cloud
Source: Tripwire Research

Giants acquiring Cloud Security Businesses

Cyber Attacks increased in last one year

Cloud Security is Still Hard
 Even after so much progress in security technologies, Cloud security is still
so hard.
 Identity access management (IAM) are in place for more than a decade,
however not sufficient for cloud security.
 But now paradigm is shifting towards deep encryption services, key
management, and most recently, zero trust and secure access service
edge (SASE).

Classical Methods: Network Segmentation
 Network segmentation was another important strategy in the
fight against hackers and increase cloud security.
 It is an architectural approach that divides a network into
multiple segments or subnets, each acting as its own small
network.
 This allows network administrators to control the flow of traffic
between subnets based on granular policies.
 Ultimately, this improves monitoring, helps in boosting
performance, and most importantly in enhancing security.
 But it also gets failed in modern cloud system and work from
home environment.

New Network Infrastructure
 Cloud computing is redefining the network infrastructure and thus
requires totally different approach towards achieving security
 The old model of network infrastructure — centralized corporate
data centres secured by an on-premise network perimeter —
doesn’t work for today’s modern enterprises.
 Data that used to live in data centres now lives in the cloud and
SaaS applications.
 With the rise of distributed workforces, users need to be able to
connect to resources from anywhere in the world.
 This is challenging enterprises to provide network access and a
secure, straight-line path to the Internet without adopting complex
workarounds or increasing latency.

Old Security Tools Fail

Why old security tools fail in modern Cloud environment?

Security challenges in modern Enterprises?

Main Security Requirements
 The security requirements that should be considered when out-sourcing
the services to the cloud are as follows:
 Confidentiality: Data must be encrypted before it is outsourced, to protect it from
malicious internal or external attacks
 Integrity: Protect the data from the unauthorized insert, update, or delete. The
data owner and authorized users should be able to recognize if the data is
corrupted or incomplete, and receive the most recent updated version of the data,
which guarantees accuracy and consistency of data.
 Availability: The data in the cloud servers should be accessible to its users.
Major threats to availability are denial of service(DOS) attacks, natural disasters,
and equipment failures at the service provider’s end
 Access control: The outsourced data should be accessed only by authorized
users.
 Firewall: The CSP must be safeguarded against false accusations that may be
claimed by dishonest owners or users

Modern Cloud Security Requirements

Modern Industry standard Cloud Security Measures?
 Identity and Access Management (IAM)
 Secure Access Service Edge (SASE)
 Firewall as a Service (FWaaS)
 Cloud access security brokers (CASB)
 Zero-trust network access (ZNTA)

Identity and Access Management (IAM)
AWS Example:
Source: https://www2.deloitte.c

Identity and Access Management (IAM)
AWS Example:
Source: https://www2.deloitte.com/

Secure Access Service Edge (SASE)
 SASE is a relatively new framework
 SASE distributes critical network and security
functions from the cloud, close to the user and
applications
 SASE builds on software-defined WAN (SD-WAN)

Secure Access Service Edge (SASE)
 Cloud-native network infrastructure: SASE
simplifies network infrastructure by merging
networking and security services into a unified
architecture.
 Network security at the edge: SASE delivers
network security services — cloud access security
brokers (CASB), secure web gateways (SWG),
Firewall-as-a-Service (FWaaS), and more.
 Identity-based network access: SASE's network
access is determined by a Zero Trust, policy-based
model that verifies based on user identity &
contextual factors.

Network Security as a Service

SASE Features
 SASE features a combination of these network and
security functions:
 Firewall as a service
 Malware protection;
 Data loss prevention;
 Intrusion detection and intrusion prevention;
 Software as a service;
 Secure web gateways;
 Cloud access security brokers (CASBs); and
 Zero-trust network access.

How SASE Works?
SDP-Software Defined Perimeter

Good video resource on SASE
https://youtu.be/Opy9D-8eyVg

Another innovation in Cloud Security
CASB (Cloud Access Security Broker)

How CASB Works?
Source: Farnandez et al., 2015

CASB Working Example:
SDP: Software Defined Perimeter
SWG: Secure Web Gateway

Workflow of Software Defined Perimeter in CASB
Source: www.cloudflare.com

Workflow of Software Defined Perimeter
Source: www.cloudflare.com

Possible Security Policies Enforcement using CASB
 Authentication
 Single sign on
 Authorization
 Alerting
 Ability to see authorized and unauthorized cloud usage
 Credential mapping
 Device profiling
 Encryption
 Tokenization
 Logging
 Malware detection/prevention

CASB Features
 Policy-based services--consumers can define security policies,
e.g., RBAC, to apply to the services they use in order to restrict the
access of their employees and customers to cloud data.
 Secure channel—the channel to access cloud services can be
encrypted.
 Data encryption—CASBs can let consumers encrypt their data
using their own keys.
 Compliance—consumers can demonstrate compliance with
specific regulations because CASBs normally include security
loggers/auditors.
 Discovery—users at the company are able to find out what
services they have available through the CASB.

CASB Features
 Transparency—security is transparent to the application consumers when
they use the CASB, they would only know about the CASB if an attempted
access is rejected.
 Access unification—Consumers do not need to deal with a variety of
credential types and protocols.
 Heterogeneity—access to the cloud can be made from any type of device.
 Malware detection—access to the cloud application through a CASB can
guarantee that no malware will be found in the accessed service.
 Logging/auditing—the CASB keeps logs for security and compliance
reasons; these can be later audited.
 Identity—the CASB can provide identification services.

Another Paradigm Shift: Zero Trust
Shall discuss after the break

Zero Trust Principles
Source: Forester

Zero Trust Principles
Image source: https://www.centrify.com/blog/best-practices-zero-trust-security/

Strategic Plan for Zero Trust
Image source: https://www.centrify.com/blog/best-practices-zero-trust-security/
TRUSTED
ACCESS
RESILIENT
SERVICES
PROTECTED
ASSETS
SECURE AND TRUSTED

Deep Encryption Services

Shared model of Security
Source: SANS Cloud Security Summit 2019

In Legacy Cloud Environment

Case Study: Cloud Key Management Service

Bare Metal
PaaS Container Orchestrators
IaaS
Serverless

Serverless Computing: Future IoT Cloud
 Serverless computing is a method of providing
backend services on an as-used basis.
 A serverless provider allows users to write and
deploy code without the hassle of worrying about the
underlying infrastructure.
 Also called as -
 Function as a Service
 Platform to develop, run, and manage application
 Without the complexity of building and maintaining
the infrastructure

What is Serverless Computing?
 Serverless computing is a cloud-native
platform for -
 short-running, stateless computation and
 event-driven applications which
 scales up and down instantly and automatically
and
 charges for actual usage at a millisecond
granularity

Earlier Trend for Cloud Developer
 Develop Cloud Applications as a Monolithic
Architecture
 Hire a VM on cloud and deploy it
 Issues
 Difficult to scale after certain limit
 Involves high capital expenditure and
operating expenditure
 Overhead for internal system
administration processes;
 High development and deployment
costs and timeframes (delay to
market);
 Fault prone design.
Image Source: Amazon

Service Oriented Architecture
 Hire cloud software as a services from service
providers
 Pay per usage of services

Serverless Oriented Architecture
 Develop cloud application layer using hired
microservices
 Pay only per usage of microservices

Achieving Serverless Architecture
Monolithic Application
Break-down into
microservices
Make each micro service
HA
Protect against regional
outages
Region A Region B
Explosion in
number of
containers /
processes:
Increase of
infrastructure cost
footprint
Increase of
operational
management cost
and
complexity

Advantages of Serverless Architecture
 It transforms capital expenditure into operating
expenditure, and generally reduces operational
costs;
 One do not have to think about internal system
administration processes;
 It reduces the development and deployment costs
and timeframes (faster time to market);
 It’s scalable and fault tolerant by design.

Whether Serverless is Always Good?
Microservices
Mobile Backends
IoT
Modest Stream Processing
Bots, ML Inferencing
Serverless is good for
short-running
stateless
event-driven
Serverless is not good for
long-running
stateful
number crunching
Databases
Deep Learning Training
Heavy-Duty Stream Analytics
Numerical Simulation
f(x)
Service integration
Video Streaming

66
SAGITA Testbed

67
SAGITA Testbed Setup

68
SAGITA Cloud Architecture

69
SAGITA Communication Architecture

70
SAGITA Data Acquisition Module

71
SAGITA Data Bucket

72
Simplified ER Diagram

SAGITA Cloud Interface

SAGITA Cloud Interface: Tenant Login

SAGITA Cloud Interface: Farm Creation

SAGITA Cloud Interface: Farm Listing

SAGITA Cloud Interface: Device Registration
Device Button
Register Device
MAP BUTTON

SAGITA Cloud Interface: Data Logging

SAGITA Cloud Interface: Data Visualization

Attacks in Serverless Platform

Top Risks in Serverless Environment

Traditional Security measures fails

Traditional Security measures

Serverless- No Infrastructure, Only Fn

DevOps to DevSecOps
 Security must also be embedded by design and must be a strong
consideration during software development.
 DevSecOps could be a good consideration for enterprises that want
to move in this direction.
 This integrates security into all stages of the software delivery
process, ensuring that developers think about security when they
write code.
 DevSecOps effectively shifts security inspection closer to when
software is being developed and ensures that software is tested for
security problems before it is deployed.
 Moreover, it helps IT teams to address security issues quickly if
they appear after deployment.

Future of Cloud Security Skills

Your Questions Please?
r_barnwal@cmeri.res.in
For now, Let’s have a break!

Q&A Time

References
 Rady, Mai, Tamer Abdelkader, and Rasha Ismail. "Integrity and confidentiality in cloud outsourced data." Ain Shams Engineering Journal 10.2 (2019): 275-285.
 Fernandez, Edurardo, Nobukazu Yoshioka, and Hironori Washizaki. "Cloud Access Security Broker (CASB): A pattern for secure access to cloud services." 4th Asian
Conference on Pattern Languages of Programs, Asian PLoP. Vol. 15. 2015.
 Barnwal, Rajesh P., N. Ghosh, and Soumya K. Ghosh. "Data and Application Security in Cloud." Bio-inspiring Cyber Security and Cloud Services: Trends and
Innovations (2014): 479-495.
 Rady, Mai, Tamer Abdelkader, and Rasha Ismail. "Integrity and confidentiality in cloud outsourced data." Ain Shams Engineering Journal 10.2 (2019):
275-285.
 Kritikos, Kyriakos, et al. "A survey on vulnerability assessment tools and databases for cloud-based web applications." Array 3 (2019): 100011.
 Chen, Chao, Nima Khakzad, and Genserik Reniers. "Dynamic vulnerability assessment of process plants with respect to vapor cloud
explosions." Reliability Engineering & System Safety 200 (2020): 106934.
 https://www.talend.com/resources/reduce-data-integrity-risk/
 https://sectigostore.com/
 Applying Zero Trust to Cloud Environments (paloaltonetworks.com)
 https://vuldb.com
 https://nvd.nist.gov
 https://www.talend.com/resources/reduce-data-integrity-risk/

Dr. Rajesh P Barnwal, r_barnwal@cmeri.res.in
AI & IoT Lab, Information Technology Group,
CSIR-Central Mechanical Engineering Research Institute
MG Avenue, Durgapur 713 209, West Bengal [India]
https://www.cmeri.res.in

Cloud security: Industry Trends and Research Challenges

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Cloud security: Industry Trends and Research Challenges

Similar to Cloud security: Industry Trends and Research Challenges (20)

More from Dr. Rajesh P Barnwal

More from Dr. Rajesh P Barnwal (11)

Recently uploaded

Recently uploaded (20)

Cloud security: Industry Trends and Research Challenges