This document covers eight cloud security mechanisms from chapter 10 of Cloud Computing: Concepts, Technology & Architecture (Erl, Mahmood and Puttini). The summary below covers the first six; the deck's contents also list cloud-based security groups and hardened virtual server images.
1. Encryption protects data confidentiality, in particular during transmission, by transforming plaintext into ciphertext under a key. Symmetric encryption uses one shared key; asymmetric encryption uses a public/private key pair.
2. Hashing derives a fixed-length message digest with a one-way function; comparing digests verifies data integrity and reveals unauthorized changes.
3. Digital signatures provide authentication, integrity and non-repudiation by signing a hash of the message with the sender's private key, so that anyone holding the public key can verify it.
4. PKI uses digital certificates, signed by certificate authorities, to bind public keys to identities and to check key validity.
5. IAM controls user identities and access privileges through authentication, authorization, user management and credential management.
6. SSO lets a user authenticate once and then access multiple services using tokens issued by a security broker.
Cloud Security Mechanisms
1. Cloud Security Mechanisms
Reference: Cloud Computing Concepts, Technology & Architecture. Thomas Erl, Zaigham Mahmood and Ricardo Puttini.
Sartaj Fatima, Lecturer
Mohammed Sajjad Ali, PMP, CCNP, E-commerce
2. Contents
10.1 Encryption
10.2 Hashing
10.3 Digital Signature
10.4 Public Key Infrastructure (PKI)
10.5 Identity and Access Management (IAM)
10.6 Single Sign-On (SSO)
10.7 Cloud-Based Security Groups
10.8 Hardened Virtual Server Images
"This chapter establishes a set of fundamental cloud security mechanisms, several of which can be used to counter the security threats described in Chapter 6."
3. 10.1. Encryption
Data, by default, is coded in a readable format known as plaintext. When transmitted over a network, plaintext is vulnerable to unauthorized and potentially malicious access.
The encryption mechanism is a digital coding system dedicated to preserving the confidentiality of data: it encodes plaintext into a protected, unreadable format. Encryption on its own does not guarantee integrity; detecting modification of ciphertext requires an additional mechanism such as a message authentication code or an authenticated encryption mode.
Encryption technology commonly relies on a standardized algorithm called a cipher to transform original plaintext data into encrypted data, referred to as ciphertext.
4. Encryption
When encryption is applied to plaintext data, the data is combined with a string of characters called an encryption key, a secret that is established by and shared among authorized parties. The corresponding decryption key (the same key in symmetric encryption, the private key of the pair in asymmetric encryption) is used to turn the ciphertext back into its original plaintext form.
For example, malicious service agents that attempt traffic eavesdropping are unable to decrypt messages in transit if they do not have the key (Figure 10.1).
Figure 10.1. A malicious service agent is unable to retrieve data from an encrypted message. The retrieval attempt may furthermore be revealed to the cloud service consumer. (Note the use of the lock symbol to indicate that a security mechanism has been applied to the message contents.)
5. Symmetric Encryption
There are two common forms of encryption, known as symmetric encryption and asymmetric encryption.
Symmetric encryption uses the same key for both encryption and decryption; both operations are performed by authorized parties that hold the one shared key. Also known as secret key cryptography, it has the property that a message encrypted with a specific key can be decrypted only with that same key.
Note that symmetric encryption does not provide non-repudiation: because every authorized party holds the same key, any one of them could have produced a given ciphertext.
6. Asymmetric Encryption
Asymmetric encryption relies on the use of two different keys, namely a private key and a public key. With asymmetric encryption (also referred to as public key cryptography), the private key is known only to its owner while the public key is commonly available.
A document that was encrypted with a private key can only be correctly decrypted with the corresponding public key. Conversely, a document that was encrypted with a public key can be decrypted only with its private key counterpart.
Encryption with the private key therefore offers authenticity and non-repudiation (only the key owner could have produced it) in addition to integrity protection; in practice this is the digital signature operation of Section 10.3. Encryption with the public key provides confidentiality.
Asymmetric encryption is almost always computationally slower than symmetric encryption, which is why it is typically used to protect a short symmetric key that then encrypts the bulk of the data.
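The two forms of encryption above, and the usual way they are combined, as an added example that is not part of the original deck or the referenced book. It uses only Go's standard library: AES-256-GCM stands in for symmetric encryption (an authenticated mode, so tampering is also detected), RSA-OAEP for asymmetric encryption, and the hybrid round trip shows the slow public-key operation protecting only the short symmetric key. The message text is constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SymmetricEncrypt encrypts plaintext under a 32-byte key with AES-256-GCM.
// GCM is an authenticated mode: the output carries a random nonce and an
// authentication tag, so any later alteration is detected on decryption.
func SymmetricEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Layout of the result: nonce || ciphertext || tag.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// SymmetricDecrypt reverses SymmetricEncrypt. It returns an error if the key
// is wrong or if a single bit of the sealed data was changed in transit.
func SymmetricDecrypt(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// WrapKey is the asymmetric half of a hybrid scheme: the slow public-key
// operation encrypts only the short symmetric key. Only the holder of the
// matching private key can recover it with UnwrapKey.
func WrapKey(pub *rsa.PublicKey, symKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, symKey, nil)
}

// UnwrapKey recovers the symmetric key with the recipient's private key.
func UnwrapKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// HybridRoundTrip models a sender who holds only the recipient's public key
// and a recipient who holds the private key. It returns what the recipient
// recovers, which must equal the original message.
func HybridRoundTrip(recipient *rsa.PrivateKey, message []byte) ([]byte, error) {
	// Sender: fresh symmetric key, bulk data under AES-GCM, key under RSA-OAEP.
	symKey := make([]byte, 32)
	if _, err := rand.Read(symKey); err != nil {
		return nil, err
	}
	sealed, err := SymmetricEncrypt(symKey, message)
	if err != nil {
		return nil, err
	}
	wrapped, err := WrapKey(&recipient.PublicKey, symKey)
	if err != nil {
		return nil, err
	}
	// Recipient: unwrap the key with the private key, then decrypt the payload.
	recovered, err := UnwrapKey(recipient, wrapped)
	if err != nil {
		return nil, err
	}
	return SymmetricDecrypt(recovered, sealed)
}

func main() {
	recipient, _ := rsa.GenerateKey(rand.Reader, 2048)
	out, err := HybridRoundTrip(recipient, []byte("constructed sample message"))
	fmt.Printf("%q %v\n", out, err)
}
```

An eavesdropper holding the sealed bytes but not the key gets an error from SymmetricDecrypt rather than garbage, and so does a recipient whose copy was altered in transit; that is the integrity property the slide's plain "encryption" does not provide by itself.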
7. Figure 10.2. The encryption mechanism is added to the communication channel between outside users and Innovartus' User Registration Portal. This safeguards message confidentiality via the use of HTTPS.
8. 10.2. Hashing
The hashing mechanism is used when a one-way, non-reversible form of data protection is required. Once hashing has been applied to a message, the result cannot be turned back into the message: there is no key that "unlocks" it.
A common application of this mechanism is the storage of passwords. (Passwords should be hashed with a deliberately slow, salted password-hashing function rather than a plain fast digest, so that a leaked hash cannot be cheaply brute-forced.)
Hashing technology is used to derive a hashing code or message digest from a message; the digest is of fixed length and usually much smaller than the original message.
The message sender can attach the message digest to the message. The recipient applies the same hash function to the received message and verifies that the digest it produces is identical to the one that accompanied the message. Any alteration to the original data results in an entirely different message digest and clearly indicates that tampering has occurred.
Note that an unkeyed digest sent alongside the message only detects accidental or unsophisticated changes: an intermediary who can alter the message can also recompute and replace its digest. To detect deliberate tampering the digest must be protected, either with a secret key (a keyed hash or message authentication code) or with a digital signature (Section 10.3).
9. Figure 10.3. A hashing function is applied to protect the integrity of a message that is intercepted and altered by a malicious service agent, before it is forwarded. The firewall can be configured to determine that the message has been altered, thereby enabling it to reject the message before it can proceed to the cloud service.
10. Figure 10.4. A hashing procedure is invoked when the PaaS environment is accessed (1). The applications that were ported to this environment are checked (2) and their message digests are calculated (3). The message digests are stored in a secure on-premise database (4), and a notification is issued if any of their values are not identical to the ones in storage.
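The hashing mechanism of Section 10.2 and the integrity check of Figure 10.4, as one added example that is not part of the original deck or the referenced book. It uses Go's standard library: a SHA-256 digest, the forgery that an unkeyed digest allows an intermediary, an HMAC that closes that gap, and a baseline of stored digests that reports which deployed artifacts have changed. The artifact names and contents are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Digest returns the hex-encoded SHA-256 message digest: always 32 bytes
// regardless of the input size, and any change to the input changes it.
func Digest(msg []byte) string {
	sum := sha256.Sum256(msg)
	return hex.EncodeToString(sum[:])
}

// VerifyUnkeyed checks a message against the digest that accompanied it.
func VerifyUnkeyed(msg []byte, digest string) bool {
	return Digest(msg) == digest
}

// ForgeUnkeyed shows the weakness of an unkeyed digest sent with the message:
// an intermediary who alters the message simply recomputes the digest, and
// the altered pair still passes VerifyUnkeyed.
func ForgeUnkeyed(altered []byte) ([]byte, string) {
	return altered, Digest(altered)
}

// Tag computes HMAC-SHA256 over the message with a secret shared only by
// sender and verifier. Without the key, no valid tag for an altered message
// can be produced.
func Tag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// VerifyTag compares in constant time so the tag is not leaked via timing.
func VerifyTag(key, msg, tag []byte) bool {
	return hmac.Equal(Tag(key, msg), tag)
}

// Baseline maps an artifact name (such as an application ported to a PaaS
// environment) to the digest recorded when the artifact was known-good.
type Baseline map[string]string

// NewBaseline records the current digest of every artifact (Figure 10.4, step 3).
func NewBaseline(artifacts map[string][]byte) Baseline {
	b := Baseline{}
	for name, content := range artifacts {
		b[name] = Digest(content)
	}
	return b
}

// Check recomputes the digests and returns, sorted, the names of artifacts
// whose digest no longer matches the stored value or that are now missing
// (Figure 10.4, step 4: each name returned would trigger a notification).
func (b Baseline) Check(artifacts map[string][]byte) []string {
	var changed []string
	for name, want := range b {
		content, ok := artifacts[name]
		if !ok || Digest(content) != want {
			changed = append(changed, name)
		}
	}
	sort.Strings(changed)
	return changed
}

func main() {
	// Constructed sample artifacts standing in for deployed application files.
	deployed := map[string][]byte{
		"app.war":    []byte("v1 application bytes"),
		"config.xml": []byte("<cfg debug='false'/>"),
	}
	base := NewBaseline(deployed)
	deployed["config.xml"] = []byte("<cfg debug='true'/>") // unauthorized change
	fmt.Println(base.Check(deployed))                       // prints [config.xml]
}
```

The firewall in Figure 10.3 can only reject the altered message if the agent in the middle cannot regenerate a matching digest, which is exactly the difference between VerifyUnkeyed and VerifyTag above.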
11. 10.3. Digital Signature
The digital signature mechanism is a means of providing data authenticity and integrity through authentication and non-repudiation. A message is assigned a digital signature prior to transmission, which is then rendered invalid if the message experiences any subsequent, unauthorized modification. A digital signature therefore provides evidence that the message received is the same as the one created by its rightful sender.
Both hashing and asymmetric encryption are involved in the creation of a digital signature, which essentially exists as a message digest that was encrypted (signed) with the sender's private key and appended to the original message. The recipient uses the corresponding public key to decrypt the digital signature, which yields the sender's message digest, then recomputes the digest of the received message and compares the two; the signature is valid only if they match.
12. Figure 10.5. Cloud Service Consumer B sends a message that was digitally signed but was altered by trusted attacker Cloud Service Consumer A. Virtual Server B is configured to verify digital signatures before processing incoming messages even if they are within its trust boundary. The message is revealed as illegitimate due to its invalid digital signature, and is therefore rejected by Virtual Server B.
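The signing and verification steps of Section 10.3, played through the scenario of Figure 10.5, as an added example that is not part of the original deck or the referenced book. It uses Go's standard library with Ed25519 in place of the RSA-style "encrypt the digest with the private key" wording; the hash-then-sign structure is kept so the code mirrors the slide. The message text and the roles (Consumer B signs, Consumer A tampers, Virtual Server B verifies) are taken from the figure; the message content is constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedMessage is the message together with the signature appended to it,
// as Section 10.3 describes.
type SignedMessage struct {
	Body      []byte
	Signature []byte
}

// Sign hashes the body and signs the digest with the sender's private key.
// Ed25519 hashes internally as well; hashing first keeps the signed input a
// fixed-size digest, which is the structure the slide describes.
func Sign(priv ed25519.PrivateKey, body []byte) SignedMessage {
	digest := sha256.Sum256(body)
	return SignedMessage{Body: body, Signature: ed25519.Sign(priv, digest[:])}
}

// Verify recomputes the digest of the received body and checks the signature
// against it with the sender's public key. Any change to the body or to the
// signature makes this return false.
func Verify(pub ed25519.PublicKey, m SignedMessage) bool {
	digest := sha256.Sum256(m.Body)
	return ed25519.Verify(pub, digest[:], m.Signature)
}

// Tamper models trusted attacker Consumer A in Figure 10.5: it alters the body
// of a message already signed by Consumer B and leaves the signature in place.
func Tamper(m SignedMessage, newBody []byte) SignedMessage {
	return SignedMessage{Body: newBody, Signature: m.Signature}
}

// ServerAccepts is Virtual Server B's policy: verify before processing, even
// for senders inside the trust boundary.
func ServerAccepts(senderPub ed25519.PublicKey, m SignedMessage) (string, bool) {
	if !Verify(senderPub, m) {
		return "rejected: invalid digital signature", false
	}
	return "processed: " + string(m.Body), true
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // Consumer B's key pair
	m := Sign(priv, []byte("transfer 10 credits to account 42")) // constructed
	fmt.Println(ServerAccepts(pub, m))
	fmt.Println(ServerAccepts(pub, Tamper(m, []byte("transfer 10000 credits to account 42"))))
}
```

Because Consumer A never holds Consumer B's private key, it cannot produce a signature for the altered body; this is what gives the mechanism non-repudiation, which the shared-key approaches of Sections 10.1 and 10.2 lack.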
13. Figure 10.6. Whenever a cloud consumer performs a management action that is related to IT resources provisioned by DTGOV, the cloud service consumer program must include a digital signature in the message request to prove the legitimacy of its user.
14. Cloud Security Mechanisms
10.4. Public Key Infrastructure (PKI)
A common approach for managing the issuance of asymmetric keys is based
on the public key infrastructure (PKI) mechanism, which exists as a system of
protocols, data formats, rules, and practices that enable large-scale systems to
securely use public key cryptography.
This system is used to associate public keys with their corresponding key owners
(known as public key identification) while enabling the verification of key
validity.
PKIs rely on the use of digital certificates, which are digitally signed data
structures that bind public keys to certificate owner identities, as well as to
related information, such as validity periods.
Digital certificates are usually digitally signed by a third-party certificate
authority (CA), as illustrated in Figure 10.7.
Figure 10.7. The common steps involved
during the generation of certificates by
a certificate authority.
Larger organizations, such as Microsoft, can act as their own CA and issue
certificates to their clients and the public; even individual users can
generate certificates as long as they have the appropriate software tools.
The PKI is a dependable method for implementing asymmetric encryption,
managing cloud consumer and cloud provider identity information, and helping
to defend against the malicious intermediary and insufficient authorization
threats.
The PKI mechanism is primarily used to counter the insufficient authorization
threat.
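The CA step of Figure 10.7 and the relying party's check of the resulting certificate, as an added example in Go's standard library that is not part of the original text or of the DTGOV case study: a CA issues a certificate binding a public key to a host name and a validity period, and the verifier accepts only certificates that chain to its trusted root and are issued for the expected host. The CA name and host name are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert issues a certificate binding name to a fresh Ed25519 key. With parent == nil
// it is self-signed; otherwise parentKey signs it, which is the CA step of Figure 10.7.
func newCert(name string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // demo setup failure; a real issuer would return the error
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name}, // the identity the public key is bound to
		NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA:         isCA, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, // CertSign matters for the CA
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above always parses
	return cert, key
}

// PKIDemo issues a CA, a CA-signed server certificate and a self-signed one claiming the
// same host, then runs the relying party's check. Returns (caSignedOK, selfSignedOK).
func PKIDemo() (bool, bool) {
	const host = "mgmt.dtgov.example" // constructed host name
	ca, caKey := newCert("ca.dtgov.example", true, nil, nil)
	leaf, _ := newCert(host, false, ca, caKey)
	rogue, _ := newCert(host, false, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca) // the relying party's trust store contains only the CA
	_, errLeaf := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	_, errRogue := rogue.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return errLeaf == nil, errRogue == nil
}
```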
Figure 10.8. An external cloud resource administrator uses a digital certificate to access
the Web-based management environment. DTGOV's digital certificate, signed by a trusted CA,
is used in the HTTPS connection.
10.5. Identity and Access Management (IAM)
The Identity and Access Management (IAM) mechanism encompasses the
components and policies necessary to control and track user identities and
access privileges for IT resources, environments, and systems.
Specifically, IAM mechanisms exist as systems comprised of four main
components:
1. Authentication – Username and password combinations remain the most
common forms of user authentication credentials managed by the IAM
system, which also can support digital signatures, digital certificates,
biometric hardware (fingerprint readers), specialized software (such as
voice analysis programs), and locking user accounts to registered IP or MAC
addresses.
2. Authorization – The authorization component defines the correct granularity
for access controls and oversees the relationships between identities, access
control rights, and IT resource availability.
3. User Management – Related to the administrative capabilities of the system,
the user management program is responsible for creating new user identities
and access groups, resetting passwords, defining password policies, and
managing privileges.
4. Credential Management – The credential management system establishes
identities and access control rules for defined user accounts, which
mitigates the threat of insufficient authorization.
The IAM mechanism is primarily used to counter the insufficient authorization,
denial of service, and overlapping trust boundaries threats.
10.6. Single Sign-On (SSO)
Propagating the authentication and authorization information for a cloud
service consumer across multiple cloud services can be a challenge, especially
if numerous cloud services or cloud-based IT resources need to be invoked as
part of the same overall runtime activity.
The single sign-on (SSO) mechanism enables one cloud service consumer to be
authenticated by a security broker, which establishes a security context that is
persisted while the cloud service consumer accesses other cloud services or
cloud-based IT resources.
Otherwise, the cloud service consumer would need to re-authenticate itself with
every subsequent request.
The SSO mechanism essentially enables mutually independent cloud services
and IT resources to generate and circulate runtime authentication and
authorization credentials.
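The broker-issued token of Figure 10.9, as an added example in Go that is not part of the original text: the security broker checks the consumer's credentials once and mints an HMAC-signed token carrying the consumer identity and an expiry, and each cloud service validates that token instead of re-authenticating the consumer. The shared key, the credential store and the token format are assumptions of the example, not a standard SSO protocol.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"strings"
	"time"
)

// Claims is the consumer identity information the broker places in the token.
type Claims struct {
	Subject string `json:"sub"`
	Expires int64  `json:"exp"` // Unix time; bounds how long the security context lives
}

// sign computes the token MAC with the key shared by the broker and the services.
func sign(key []byte, payload string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(payload))
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// BrokerLogin is step 1 of Figure 10.9: the broker checks the credentials once and, on
// success, returns a signed token carrying the consumer identity (step 2). users is a
// constructed credential store; a real broker would store salted password hashes.
func BrokerLogin(key []byte, users map[string]string, user, password string, now time.Time) (string, bool) {
	want, ok := users[user]
	if !ok || !hmac.Equal([]byte(want), []byte(password)) { // constant-time compare
		return "", false
	}
	body, _ := json.Marshal(Claims{Subject: user, Expires: now.Add(10 * time.Minute).Unix()})
	payload := base64.RawURLEncoding.EncodeToString(body)
	return payload + "." + sign(key, payload), true
}

// Authenticate is what each of Cloud Services A, B and C does (step 3): check the token's
// MAC and expiry and accept the identity it carries instead of asking for credentials again.
func Authenticate(key []byte, token string, now time.Time) (string, bool) {
	parts := strings.SplitN(token, ".", 2)
	if len(parts) != 2 || !hmac.Equal([]byte(parts[1]), []byte(sign(key, parts[0]))) {
		return "", false // forged, altered, or signed with another broker's key
	}
	var c Claims
	if body, err := base64.RawURLEncoding.DecodeString(parts[0]); err != nil || json.Unmarshal(body, &c) != nil || now.Unix() >= c.Expires {
		return "", false // malformed, or expired: the consumer must log in to the broker again
	}
	return c.Subject, true
}
```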
Figure 10.9. A cloud service consumer provides the security broker with login credentials
(1). The security broker responds with an authentication token (message with small lock
symbol) upon successful authentication, which contains cloud service consumer identity
information (2) that is used to automatically authenticate the cloud service consumer
across Cloud Services A, B, and C (3).
Figure 10.10. The credentials received by the security broker are propagated to ready-made
environments across two different clouds. The security broker is responsible for selecting the
appropriate security procedure with which to contact each cloud.
10.7. Cloud-Based Security Groups
Cloud resource segmentation is a process by which separate physical and
virtual IT environments are created for different users and groups. For example,
an organization’s WAN can be partitioned according to individual network
security requirements.
One network can be established with a resilient firewall for external Internet
access, while a second is deployed without a firewall because its users are
internal and unable to access the Internet.
Resource segmentation is used to enable virtualization by allocating a variety of
physical IT resources to virtual machines.
The cloud-based resource segmentation process creates cloud-based security
group mechanisms that are determined through security policies. Networks are
segmented into logical cloud-based security groups that form logical network
perimeters.
Multiple virtual servers running on the same physical server can become
members of different logical cloud-based security groups (Figure 10.11).
Virtual servers can further be separated into public-private groups,
development-production groups, or any other designation configured by the
cloud resource administrator.
Figure 10.11. Cloud-Based Security
Group A encompasses Virtual Servers A
and D and is assigned to Cloud
Consumer A. Cloud-Based Security
Group B is comprised of Virtual Servers B,
C, and E and is assigned to Cloud
Consumer B. If Cloud Service Consumer
A’s credentials are compromised, the
attacker would only be able to access
and damage the virtual servers in
Cloud-Based Security Group A, thereby
protecting Virtual Servers B, C, and E.
Figure 10.12. When an external cloud
resource administrator accesses the Web
portal to allocate a virtual server, the
requested security credentials are
assessed and mapped to an internal
security policy that assigns a
corresponding cloud-based security
group to the new virtual server.
10.8. Hardened Virtual Server Images
As previously discussed, a virtual server is created from a template configuration
called a virtual server image (or virtual machine image).
Hardening is the process of stripping unnecessary software from a system to limit
potential vulnerabilities that can be exploited by attackers.
Removing redundant programs, closing unnecessary server ports, and disabling
unused services, internal root accounts, and guest access are all examples of
hardening.
A hardened virtual server image is a template for virtual service instance
creation that has been subjected to a hardening process (Figure 10.13). This
generally results in a virtual server template that is significantly more secure than
the original standard image.
Figure 10.13. A cloud provider applies its security policies to harden its standard virtual server
images. The hardened image template is saved in the VM images repository as part of a
resource management system.
Hardened virtual server images help counter the denial of service, insufficient
authorization, and overlapping trust boundaries threats.
Figure 10.14. The cloud resource administrator
chooses the hardened virtual server image
option for the virtual servers provisioned for
Cloud-Based Security Group B.