The document summarizes key aspects of cloud security based on a lecture given by Dr. Rajesh P Barnwal. It discusses the evolution of cloud models from bare metal to serverless computing. It highlights some major security challenges in cloud computing like multi-tenancy, loss of control, and third party handling of data. The document then covers modern cloud security measures like identity and access management, secure access service edge, firewall as a service, cloud access security brokers, and zero trust network access. It also discusses new paradigms like serverless computing and their advantages for security.
Cloud security: Industry Trends and Research Challenges
1. Cloud Security,
Vulnerabilities and Integrity
Dr. Rajesh P Barnwal
Principal Scientist
AI & IoT Lab,
Information Technology Group
CSIR-Central Mechanical Engineering Research Institute, Durgapur
Invited Lecture at Faculty Development Program
SCMS School of Engineering and Technology,
Vidya Nagar, Karukutty-683576, Kerala
21st July 2021
2. AI & IoT Lab, CSIR-Central Mechanical Engineering Research Institute, Durgapur
Cloud Security?
3. Cloud Evolution
Understanding cloud evolution is needed to understand its security, integrity and vulnerabilities.
4. Evolution of Cloud Model
5. Evolution of Cloud Model
(figure: Bare Metal → IaaS → PaaS → Container Orchestrators)
6. Mention 3 reasons for adopting Cloud
7. Why shift to Cloud?
Cost Savings
Security
Flexibility
Mobility
Insight
Increased Collaboration
Quality Control
Disaster Recovery
Loss Prevention
Automatic Software Updates
Source: Salesforce
8. What exactly do we do?
Hire infrastructure and host our applications
Hire applications and host our data
Hire full services to use the hosted application and the gathered data
9. Main Concern about Cloud?
The main security issues arise due to:
Multi-tenant infrastructure
Multi-application infrastructure
Out-of-control infrastructure
Third-party handling of data
Losing control over physical security
Losing control over the hired part of services
In a cloud environment, all of the above depend upon the Cloud Service Provider (CSP), and the CSP becomes the main compute manager.
10. Major Challenges
Source: IDC Report
11. We will discover during this talk whether "Cloud Computing Security" is different from "Regular IT Security".
12. Let us get to know IT Security
How does the world look without IT Security?
https://youtu.be/TLxdOi5JDjc
13. Security domain in Cloud
14. "C-I-A" Objectives of Security
Computer and network security is fundamentally about three goals/objectives:
Confidentiality (C),
Integrity (I), and
Availability (A)
Of the above three, Availability is the KEY issue in the case of Cloud Security.
15. Cloud Security becomes a New Challenge
16. Nothing is sufficient
17. Cloud Workloads increase security incidents
18. Cloud Security is not a single-handed job
19. Cost of Missing Cloud Security
20. Security Challenges in Multi-Cloud Environment
Source: Tripwire Research
21. Market share of Popular Public Clouds
Source: Tripwire Research
22. Giants acquiring Cloud Security Businesses
23. Cyber Attacks increased in the last year
24. Cloud Security is Still Hard
Even after so much progress in security technologies, cloud security is still very hard.
Identity and access management (IAM) has been in place for more than a decade, but on its own it is not sufficient for cloud security.
The paradigm is now shifting towards deep encryption services, key management and, most recently, zero trust and secure access service edge (SASE).
25. Classical Methods: Network Segmentation
Network segmentation was another important strategy in the fight against hackers and in increasing cloud security.
It is an architectural approach that divides a network into multiple segments or subnets, each acting as its own small network.
This allows network administrators to control the flow of traffic between subnets based on granular policies.
Ultimately, this improves monitoring, helps boost performance and, most importantly, enhances security.
But it also fails in modern cloud systems and work-from-home environments.
26. New Network Infrastructure
Cloud computing is redefining the network infrastructure and thus requires a totally different approach to achieving security.
The old model of network infrastructure — centralized corporate data centres secured by an on-premise network perimeter — doesn't work for today's modern enterprises.
Data that used to live in data centres now lives in the cloud and in SaaS applications.
With the rise of distributed workforces, users need to be able to connect to resources from anywhere in the world.
This challenges enterprises to provide network access and a secure, straight-line path to the Internet without adopting complex workarounds or increasing latency.
27. Old Security Tools Fail
28. Why do old security tools fail in the modern Cloud environment?
29. Security challenges in modern Enterprises?
30. Main Security Requirements
The security requirements that should be considered when outsourcing services to the cloud are as follows:
Confidentiality: Data must be encrypted before it is outsourced, to protect it from malicious internal or external attacks.
Integrity: Protect the data from unauthorized insert, update or delete. The data owner and authorized users should be able to recognize if the data is corrupted or incomplete, and should receive the most recently updated version of the data, which guarantees accuracy and consistency of data.
Availability: The data in the cloud servers should be accessible to its users. Major threats to availability are denial of service (DoS) attacks, natural disasters, and equipment failures at the service provider's end.
Access control: The outsourced data should be accessed only by authorized users.
Firewall: The CSP must be safeguarded against false accusations that may be claimed by dishonest owners or users.
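The Integrity requirement above asks that the owner and authorized users can detect corrupted or incomplete data and know whether they received the latest version. The following added example (not code from the lecture or from any cited paper) shows one way to meet it with an owner-held key: each stored object is bound to its identity, a version counter and a content hash under an HMAC, so the reader can distinguish an honest read from a modified, truncated or rolled-back one. The key, object names and sensor values are constructed for the demo.

```python
import hashlib
import hmac
import json
from typing import Any, Dict, Tuple

# Constructed secret shared by the data owner and authorised users; the CSP never holds it.
OWNER_KEY = b"constructed-owner-key-for-demo-only"


def _binding(object_id: str, version: int, data: bytes) -> bytes:
    # Authenticate identity, version and content together, so a blob cannot be
    # swapped for another object, an older version or a modified copy.
    header = json.dumps({"id": object_id, "ver": version}, sort_keys=True).encode()
    return header + hashlib.sha256(data).digest()


def seal(key: bytes, object_id: str, version: int, data: bytes) -> Dict[str, Any]:
    """Owner side: build the record that is handed to the cloud store."""
    tag = hmac.new(key, _binding(object_id, version, data), hashlib.sha256).hexdigest()
    return {"id": object_id, "ver": version, "data": data.hex(), "tag": tag}


def verify(key: bytes, record: Dict[str, Any], latest_known: int) -> Tuple[str, bytes]:
    """Reader side. Returns (status, data); status is 'ok', 'corrupt' or 'stale'."""
    data = bytes.fromhex(record["data"])
    expected = hmac.new(key, _binding(record["id"], record["ver"], data),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, record["tag"]):
        return "corrupt", b""  # modified or truncated: the content hash no longer matches
    if record["ver"] < latest_known:
        return "stale", b""    # a genuine but outdated version was served (rollback)
    return "ok", data


class UntrustedStore:
    """Stand-in for the CSP's object store: it keeps whatever it is given."""

    def __init__(self) -> None:
        self.objects: Dict[str, Dict[str, Any]] = {}

    def put(self, record: Dict[str, Any]) -> None:
        self.objects[record["id"]] = record

    def get(self, object_id: str) -> Dict[str, Any]:
        return dict(self.objects[object_id])


def demo() -> Dict[str, str]:
    """Constructed scenario: two versions of one object and three ways a read can go wrong."""
    store = UntrustedStore()
    v1 = seal(OWNER_KEY, "sensor/farm-7", 1, b"soil_moisture=31")
    v2 = seal(OWNER_KEY, "sensor/farm-7", 2, b"soil_moisture=27")
    store.put(v1)
    store.put(v2)  # the reader has learned that version 2 is current
    results = {"honest": verify(OWNER_KEY, store.get("sensor/farm-7"), 2)[0]}
    # One bit flipped in the stored content.
    flipped = store.get("sensor/farm-7")
    last = int(flipped["data"][-2:], 16) ^ 0x01
    flipped["data"] = flipped["data"][:-2] + format(last, "02x")
    results["flipped"] = verify(OWNER_KEY, flipped, 2)[0]
    # Last byte dropped from the stored content (incomplete data).
    truncated = store.get("sensor/farm-7")
    truncated["data"] = truncated["data"][:-2]
    results["truncated"] = verify(OWNER_KEY, truncated, 2)[0]
    # Provider replays version 1, which still carries a valid tag.
    results["rollback"] = verify(OWNER_KEY, v1, 2)[0]
    return results
```

The rollback check only works if the reader tracks the latest version number out of band (for example, the owner publishes it through a separate channel); the tag alone cannot tell an old genuine record from the current one.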
31. Modern Cloud Security Requirements
32. Modern Industry-standard Cloud Security Measures?
Identity and Access Management (IAM)
Secure Access Service Edge (SASE)
Firewall as a Service (FWaaS)
Cloud Access Security Brokers (CASB)
Zero-Trust Network Access (ZTNA)
33. Identity and Access Management (IAM)
AWS Example:
Source: https://www2.deloitte.c
34. Identity and Access Management (IAM)
AWS Example:
Source: https://www2.deloitte.com/
35. Secure Access Service Edge (SASE)
SASE is a relatively new framework.
SASE distributes critical network and security functions from the cloud, close to the users and applications.
SASE builds on software-defined WAN (SD-WAN).
36. Secure Access Service Edge (SASE)
Cloud-native network infrastructure: SASE simplifies network infrastructure by merging networking and security services into a unified architecture.
Network security at the edge: SASE delivers network security services — cloud access security brokers (CASB), secure web gateways (SWG), Firewall-as-a-Service (FWaaS), and more.
Identity-based network access: SASE's network access is determined by a Zero Trust, policy-based model that verifies based on user identity and contextual factors.
37. Network Security as a Service
38. SASE Features
SASE features a combination of these network and security functions:
Firewall as a service;
Malware protection;
Data loss prevention;
Intrusion detection and intrusion prevention;
Software as a service;
Secure web gateways;
Cloud access security brokers (CASBs); and
Zero-trust network access.
39. How SASE Works
SDP: Software Defined Perimeter
40. Good video resource on SASE
https://youtu.be/Opy9D-8eyVg
41. Another innovation in Cloud Security
CASB (Cloud Access Security Broker)
42. How CASB Works
Source: Fernandez et al., 2015
43. CASB Working Example:
SDP: Software Defined Perimeter
SWG: Secure Web Gateway
44. Workflow of Software Defined Perimeter in CASB
Source: www.cloudflare.com
45. Workflow of Software Defined Perimeter
Source: www.cloudflare.com
46. Possible Security Policies Enforced using CASB
Authentication
Single sign-on
Authorization
Alerting
Ability to see authorized and unauthorized cloud usage
Credential mapping
Device profiling
Encryption
Tokenization
Logging
Malware detection/prevention
47. CASB Features
Policy-based services: consumers can define security policies, e.g., RBAC, to apply to the services they use in order to restrict the access of their employees and customers to cloud data.
Secure channel: the channel used to access cloud services can be encrypted.
Data encryption: CASBs can let consumers encrypt their data using their own keys.
Compliance: consumers can demonstrate compliance with specific regulations because CASBs normally include security loggers/auditors.
Discovery: users at the company are able to find out what services they have available through the CASB.
48. CASB Features
Transparency: security is transparent to the application consumers when they use the CASB; they would only know about the CASB if an attempted access is rejected.
Access unification: consumers do not need to deal with a variety of credential types and protocols.
Heterogeneity: access to the cloud can be made from any type of device.
Malware detection: access to the cloud application through a CASB can guarantee that no malware will be found in the accessed service.
Logging/auditing: the CASB keeps logs for security and compliance reasons; these can be audited later.
Identity: the CASB can provide identification services.
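The SASE slide describes identity-based, policy-driven access using user identity and contextual factors, and the two CASB slides list the policies a broker enforces: authentication, RBAC authorization, device profiling, visibility of unauthorized cloud usage, alerting and logging. This added example (not code from the lecture or from Fernandez et al.) is a small inline policy decision point that evaluates a request against those controls in order; the sanctioned apps, roles, users and app names are constructed for the demo.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed policy data for this demo; a real broker loads it from its policy store.
SANCTIONED_APPS: Set[str] = {"crm-saas", "file-share"}
# RBAC: the actions each role may perform on each sanctioned app.
RBAC: Dict[str, Dict[str, Set[str]]] = {
    "analyst": {"crm-saas": {"read"}, "file-share": {"read", "download"}},
    "admin": {"crm-saas": {"read", "write", "export"},
              "file-share": {"read", "download", "upload"}},
}
# Actions that move data off the platform; refused from unmanaged devices whatever the role.
EGRESS_ACTIONS: Set[str] = {"download", "export"}


@dataclass
class AccessRequest:
    user: str
    role: str
    app: str
    action: str
    mfa_verified: bool    # identity verified by the IdP (authentication / SSO)
    device_managed: bool  # result of device profiling


@dataclass
class Broker:
    """Inline policy decision point: every request is evaluated, logged and, if needed, alerted on."""
    log: List[str] = field(default_factory=list)
    alerts: List[str] = field(default_factory=list)

    def decide(self, req: AccessRequest) -> Tuple[bool, str]:
        allowed, reason = self._evaluate(req)
        verdict = "ALLOW" if allowed else "DENY"
        self.log.append(f"{req.user} {req.action} {req.app} -> {verdict}: {reason}")
        return allowed, reason

    def _evaluate(self, req: AccessRequest) -> Tuple[bool, str]:
        if req.app not in SANCTIONED_APPS:
            # Visibility of unauthorised cloud usage: block and raise an alert.
            self.alerts.append(f"unsanctioned app {req.app} requested by {req.user}")
            return False, "unsanctioned app"
        if not req.mfa_verified:
            return False, "identity not verified"
        if req.action not in RBAC.get(req.role, {}).get(req.app, set()):
            return False, "action not permitted for role"
        if req.action in EGRESS_ACTIONS and not req.device_managed:
            return False, "data egress from unmanaged device"
        return True, "policy satisfied"


def demo() -> Dict[str, bool]:
    """Constructed requests covering each policy branch."""
    broker = Broker()
    cases = {
        "analyst_read_managed": AccessRequest("alice", "analyst", "crm-saas", "read", True, True),
        "analyst_write": AccessRequest("alice", "analyst", "crm-saas", "write", True, True),
        "admin_export_unmanaged": AccessRequest("bob", "admin", "crm-saas", "export", True, False),
        "no_mfa": AccessRequest("bob", "admin", "file-share", "read", False, True),
        "shadow_it": AccessRequest("carol", "analyst", "personal-drive", "upload", True, True),
    }
    return {name: broker.decide(req)[0] for name, req in cases.items()}
```

Because the identity check is evaluated before the role check, a valid role never compensates for an unverified session, which is the ordering the zero-trust model on the SASE slide implies.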
49. Another Paradigm Shift: Zero Trust
To be discussed after the break
50. Zero Trust Principles
Source: Forrester
51. Zero Trust Principles
Image source: https://www.centrify.com/blog/best-practices-zero-trust-security/
52. Strategic Plan for Zero Trust
Image source: https://www.centrify.com/blog/best-practices-zero-trust-security/
(figure: Trusted Access, Resilient Services, Protected Assets; Secure and Trusted)
53. Deep Encryption Services
54. Shared model of Security
Source: SANS Cloud Security Summit 2019
55. In Legacy Cloud Environment
Source: SANS Cloud Security Summit 2019
56. Case Study: Cloud Key Management Service
57. Evolution of Cloud Model
(figure: Bare Metal → IaaS → PaaS → Container Orchestrators → Serverless)
58. Serverless Computing: Future IoT Cloud
Serverless computing is a method of providing backend services on an as-used basis.
A serverless provider allows users to write and deploy code without the hassle of worrying about the underlying infrastructure.
Also called:
Function as a Service
A platform to develop, run and manage applications without the complexity of building and maintaining the infrastructure
59. What is Serverless Computing?
Serverless computing is a cloud-native platform for:
short-running, stateless computation and event-driven applications, which
scales up and down instantly and automatically, and
charges for actual usage at millisecond granularity.
60. Earlier Trend for Cloud Developers
Develop cloud applications as a monolithic architecture
Hire a VM on the cloud and deploy it
Issues:
Difficult to scale after a certain limit
Involves high capital expenditure and operating expenditure
Overhead for internal system administration processes
High development and deployment costs and timeframes (delay to market)
Fault-prone design
Image Source: Amazon
61. Service Oriented Architecture
Hire cloud software as a service from service providers
Pay per usage of services
62. Serverless Oriented Architecture
Develop the cloud application layer using hired microservices
Pay only per usage of microservices
63. Achieving Serverless Architecture
(figure) Monolithic application → break down into microservices → make each microservice HA → protect against regional outages (Region A, Region B)
Result: explosion in the number of containers/processes, which increases the infrastructure cost footprint and the operational management cost and complexity.
64. Advantages of Serverless Architecture
It transforms capital expenditure into operating expenditure, and generally reduces operational costs;
One does not have to think about internal system administration processes;
It reduces development and deployment costs and timeframes (faster time to market);
It is scalable and fault tolerant by design.
65. Is Serverless Always Good?
Serverless is good for short-running, stateless, event-driven workloads:
Microservices
Mobile Backends
IoT
Modest Stream Processing
Bots, ML Inferencing
Service integration
Serverless is not good for long-running, stateful, number-crunching workloads:
Databases
Deep Learning Training
Heavy-Duty Stream Analytics
Numerical Simulation
Video Streaming
66. SAGITA Testbed
67. SAGITA Testbed Setup
68. SAGITA Cloud Architecture
69. SAGITA Communication Architecture
70. SAGITA Data Acquisition Module
71. SAGITA Data Bucket
72. Simplified ER Diagram
73. SAGITA Cloud Interface
74. SAGITA Cloud Interface: Tenant Login
75. SAGITA Cloud Interface: Farm Creation
76. SAGITA Cloud Interface: Farm Listing
77. SAGITA Cloud Interface: Device Registration
(screenshot: Device button, Register Device, Map button)
78. SAGITA Cloud Interface: Data Logging
79. SAGITA Cloud Interface: Data Visualization
80. Attacks in Serverless Platform
Source: SANS Cloud Security Summit 2019
81. Attacks in Serverless Platform
Source: SANS Cloud Security Summit 2019
82. Top Risks in Serverless Environment
Source: SANS Cloud Security Summit 2019
83. Traditional Security measures fail
Source: SANS Cloud Security Summit 2019
84. Traditional Security measures
Source: SANS Cloud Security Summit 2019
85. Serverless: No Infrastructure, Only Fn
Source: SANS Cloud Security Summit 2019
86. DevOps to DevSecOps
Security must also be embedded by design and must be a strong consideration during software development.
DevSecOps could be a good consideration for enterprises that want to move in this direction.
It integrates security into all stages of the software delivery process, ensuring that developers think about security when they write code.
DevSecOps effectively shifts security inspection closer to when software is being developed and ensures that software is tested for security problems before it is deployed.
Moreover, it helps IT teams to address security issues quickly if they appear after deployment.
87. Future of Cloud Security Skills
89. Q&A Time
90. References
Rady, Mai, Tamer Abdelkader, and Rasha Ismail. "Integrity and confidentiality in cloud outsourced data." Ain Shams Engineering Journal 10.2 (2019): 275-285.
Fernandez, Eduardo, Nobukazu Yoshioka, and Hironori Washizaki. "Cloud Access Security Broker (CASB): A pattern for secure access to cloud services." 4th Asian Conference on Pattern Languages of Programs, Asian PLoP. Vol. 15. 2015.
Barnwal, Rajesh P., N. Ghosh, and Soumya K. Ghosh. "Data and Application Security in Cloud." Bio-inspiring Cyber Security and Cloud Services: Trends and Innovations (2014): 479-495.
Kritikos, Kyriakos, et al. "A survey on vulnerability assessment tools and databases for cloud-based web applications." Array 3 (2019): 100011.
Chen, Chao, Nima Khakzad, and Genserik Reniers. "Dynamic vulnerability assessment of process plants with respect to vapor cloud explosions." Reliability Engineering & System Safety 200 (2020): 106934.
https://www.talend.com/resources/reduce-data-integrity-risk/
https://sectigostore.com/
Applying Zero Trust to Cloud Environments (paloaltonetworks.com)
https://vuldb.com
https://nvd.nist.gov
91. Dr. Rajesh P Barnwal, r_barnwal@cmeri.res.in
AI & IoT Lab, Information Technology Group,
CSIR-Central Mechanical Engineering Research Institute
MG Avenue, Durgapur 713 209, West Bengal, India
https://www.cmeri.res.in