This document discusses security considerations for cloud computing. It covers security challenges like privacy, portability, interoperability, reliability and availability. It also discusses security planning, boundaries based on infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS) models. Additional topics include data security, software as a service security, security monitoring, and security architecture design.

1. Module: 5
CLOUD COMPUTING
SECURITY IN THE CLOUD: Security Overview, Cloud Security Challenges and Risks. Software-
as-a-Service Security, Security Monitoring, Security Architecture Design, Data Security, Application
Security, Virtual Machine Security, Identity Management and Access Control, Autonomic Security.
Cloud Security Challenges and Risks
Cloud computing, an emergent technology, has placed many challenges in different aspects
of data and information handling. Some of these are shown in the following diagram:
Security and Privacy
Security and Privacy of information is the biggest challenge to cloud computing. Security and
privacy issues can be overcome by employing encryption, security hardware and security
applications.
Portability
This is another challenge to cloud computing that applications should easily be migrated from
one cloud provider to another. There must not be vendor lock-in. However, it is not yet made
possible because each of the cloud provider uses different standard languages for their
platforms.
Interoperability
It means the application on one platform should be able to incorporate services from the other
platforms. It is made possible via web services, but developing such web services is very
complex.

2. Computing Performance
Data intensive applications on cloud requires high network bandwidth, which results in high
cost. Low bandwidth does not meet the desired computing performance of cloud application.
Reliability and Availability
It is necessary for cloud systems to be reliable and robust because most of the businesses are
now becoming dependent on services provided by third-party.
Security in cloud computing is a major concern. Data in cloud should be stored in encrypted
form. To restrict client from accessing the shared data directly, proxy and brokerage services
should be employed.
Security Planning
Before deploying a particular resource to cloud, one should need to analyze several aspects of
the resource such as:
• Select resource that needs to move to the cloud and analyze its sensitivity to risk.
• Consider cloud service models such as IaaS, PaaS, and SaaS. These models require
customer to be responsible for security at different levels of service.
• Consider the cloud type to be used such as public, private, community or hybrid.
• Understand the cloud service provider's system about data storage and its transfer into
and out of the cloud.
The risk in cloud deployment mainly depends upon the service models and cloud types.
Understanding Security of Cloud
Security Boundaries
A particular service model defines the boundary between the responsibilities of service
provider and customer. Cloud Security Alliance (CSA) stack model defines the boundaries
between each service model and shows how different functional units relate to each other. The
following diagram shows the CSA stack model:

3. Key Points to CSA Model
• IaaS is the most basic level of service with PaaS and SaaS next two above levels of
services.
• Moving upwards, each of the service inherits capabilities and security concerns of the
model beneath.
• IaaS provides the infrastructure, PaaS provides platform development environment,
and SaaS provides operating environment.
• IaaS has the least level of integrated functionalities and integrated security while SaaS
has the most.
• This model describes the security boundaries at which cloud service provider's
responsibilities end and the customer's responsibilities begin.
• Any security mechanism below the security boundary must be built into the system
and should be maintained by the customer.
Although each service model has security mechanism, the security needs also depend upon
where these services are located, in private, public, hybrid or community cloud.
Understanding Data Security
Since all the data is transferred using Internet, data security is of major concern in the cloud.
Here are key mechanisms for protecting data.
• Access Control

4. • Auditing
• Authentication
• Authorization
All of the service models should incorporate security mechanism operating in all above-
mentioned areas.
Isolated Access to Data
Since data stored in cloud can be accessed from anywhere, we must have a mechanism to
isolate data and protect it from client’s direct access.
Brokered Cloud Storage Access is an approach for isolating storage in the cloud. In this
approach, two services are created:
• A broker with full access to storage but no access to client.
• A proxy with no access to storage but access to both client and broker.
Working Of Brokered Cloud Storage Access System
When the client issues request to access data:
• The client data request goes to the external service interface of proxy.
• The proxy forwards the request to the broker.
• The broker requests the data from cloud storage system.
• The cloud storage system returns the data to the broker.
• The broker returns the data to proxy.
• Finally the proxy sends the data to the client.
All of the above steps are shown in the following diagram:

5. Encryption
Encryption helps to protect data from being compromised. It protects data that is being
transferred as well as data stored in the cloud. Although encryption helps to protect data from
any unauthorized access, it does not prevent data loss.
Software as a Service Security
In Software as a Service (SaaS) model, the client needs to be dependent on the service provider
for proper security measures of the system. The service provider must ensure that their multiple
users don‘t get to see each other‘s private data. So, it becomes important to the user to ensure
that right security measures are in place and also difficult to get an assurance that the
application will be available when needed [15]. Cloud computing providers need to provide
some solution to solve the common security challenges that traditional communication systems
face. At the same time, they also have to deal with other issues inherently introduced by the
cloud computing paradigm itself. A.
Authentication and authorization: The authorization and authentication applications used in
enterprise environments need to be changed, so that they can work with a safe cloud
environment. Forensics tasks will become much more difficult since it will be very hard or
maybe not possible for investigators may to access the system hardware physically.
Data confidentiality: Confidentiality may refer to the prevention of unintentional or
intentional unauthorized disclosure or distribution of secured private information.
Confidentiality is closely related to the areas of encryption, intellectual property rights, traffic
analysis, covert channels, and inference in cloud system. Whenever a business, an individual,
a government agency, or any other entity wants to shares information over cloud,
confidentiality or privacy is a questions nay need to be asked.

6. Availability: The availability ensures the reliable and timely access to cloud data or cloud
computing resources by the appropriate personnel. The availability is one of the big concerns
of cloud service providers, since if the cloud service is disrupted or compromised in any way;
it affects large no. of customers than in the traditional model.
Information Security: In the SaaS model, the data of enterprise is stored outside of the
enterprise boundary, which is at the SaaS vendor premises. Consequently, these SaaS vendor
needs to adopt additional security features to ensure data security and prevent breaches due to
security vulnerabilities in the application or by malicious employees. This will need the use of
very strong encryption techniques for data security and highly competent authorization to
control access private data.
Data Access: Data access issue is mainly related to security policies provided to the users while
accessing the data. Organizations have their own security policies based on which each
employee can have access to a particular set of data. These security policies must be adhered
by the cloud to avoid intrusion of data by unauthorized users. The SaaS model must be flexible
enough to incorporate the specific policies put forward by the organization.
Network Security: In a SaaS deployment model, highly sensitive information is obtained from
the various enterprises, then processed by the SaaS application and stored at the SaaS vendor‘s
premises. All data flow over the network has to be secured in order to prevent leakage of
sensitive information.
Data breaches: Since data from various users and business organizations lie together in a cloud
environment, breaching into this environment will potentially make the data of all the users
vulnerable. Thus, the cloud becomes a high potential target.
Identity management and sign-on process: Identity management (IdM) or ID management
is an area that deals with identifying individuals in a system and controlling the access to the
resources in that system by placing restrictions on the established identities. Aria of IdM is
considered as one of the biggest challenges in information security. When a SaaS provider want
to know how to control who has access to what systems within the enterprise it becomes a lot
more challenging task.
There are several research works happening in the area of cloud security. Several organization
and groups are now interested in developing security solutions and standards for the cloud. The
Cloud Security Alliance (CSA) is gathering solution providers, non- profits and individuals to
enter into discussion about the current and future best practices for information assurance in
the cloud. The Open Web Application Security Project (OWASP) maintains list of top
vulnerabilities to cloud-based or SaaS models which is updated as the threat landscape changes.
The Cloud Standards website collects and coordinates information about cloudrelated
standards under development by the groups. The Open Grid Forum publishes documents to
containing security and infrastructural specifications and information for grid computing
developers and researchers.
We will discuss a security checklist for SaaS which can be used. To assess the security threats
or capabilities of third-party SaaS providers, all customers need to ask some right questions:
What metrics can be used for reporting?

7. Will the service providers be able to present reports which will satisfy the CIO, the board and
auditors that enterprise data is secured and meets regulatory requirements?
What is the level of the access controls?
The most established mechanism for data breaches now a day is through malicious or
unintentional misuse of user access credentials. Visibility of the activity of individual users,
which also includes administrative changes, is essential for data protection.
Is provided data such that it can be easily adapted into internal monitoring tools, to
preventing data silos?
To make reporting simple and foolproof, you'll need to monitor enterprise‘s internal
applications alongside SaaS applications, from a centralized dashboard.
How important and critical the enterprise data is?
Each SaaS application, must know the business criticality of the data involved. Is the SaaS
application managing confidential customer data properly or not? You can then perform an
inventory of the applicable compliance issues.
Security Monitoring
Cloud security monitoring is the practice of continuously supervising both virtual and physical
servers to analyze data for threats and vulnerabilities. Cloud security monitoring solutions often
rely on automation to measure and assess behaviors related to data, applications and
infrastructure.
Cloud security monitoring solutions can be built natively into the cloud server hosting
infrastructure (like AWS’s CloudWatch, for example) or they can be third-party solutions that
are added to an existing environment (like Blumira). Organizations can also perform cloud
monitoring on premises using existing security management tools.
Like a SIEM, cloud security monitoring works by collecting log data across servers. Advanced
cloud monitoring solutions analyze and correlate gathered data for anomalous activity, then
send alerts and enable incident response. A cloud security monitoring service will typically
offer:
Visibility. Moving to the cloud inherently lowers an organization’s visibility across their
infrastructure, so cloud monitoring security tools should bring a single pane of glass to monitor
application, user and file behavior to identify potential attacks.

8. Scalability. Cloud security monitoring tools should be able to monitor large amounts of data
across a variety of distributed locations.
Auditing. It’s a challenge for organizations to manage and meet compliance requirements, so
cloud security monitoring tools should provide robust auditing and monitoring capabilities.
Continuous monitoring. Advanced cloud security monitoring solutions should continuously
monitor behavior in real time to quickly identify malicious activity and prevent an attack.
Integration. To maximize visibility, a cloud monitoring solution should ideally integrate with
an organization’s existing services, such as productivity suites (i.e. Microsoft 365 and G Suite),
endpoint security solutions (i.e. Crowdstrike and VMware Carbon Black) and identity and
authentication services (i.e. Duo and Okta).
Benefits of Cloud Security Monitoring
Cloud security monitoring provides the following benefits:
Maintain compliance. Monitoring is a requirement for nearly every major regulation, from
HIPAA to PCI DSS. Cloud-based organizations must use monitoring tools to avoid compliance
violations and costly fees.
Identify vulnerabilities. Automated monitoring solutions can quickly alert IT and security
teams about anomalies and help identify patterns that point to risky or malicious behavior.
Overall, this brings a deeper level of observability and visibility to cloud environments.
Prevent loss of business. An overlooked security incident can be detrimental and even result
in shutting down business operations, leading to a decrease in customer trust and satisfaction
— especially if customer data was leaked. Cloud security monitoring can help with business
continuity and data security, while avoiding a potentially catastrophic data breach.
Increase security maturity. An organization with a mature infosec model has a proactive,
multi-layered approach to security. A cloud monitoring solution enables organizations to
include cloud as one of those layers and provides visibility into the overall environment.

9. Cloud Security Monitoring Challenges
Lack of cloud security strategy. Many organizations hastily migrate to the cloud to support
remote work without developing a clear cloud security strategy.
Key stakeholders should know answers to questions such as:
• How can we gain visibility into cloud policy changes or configurations?
• How do we keep track of our assets in the cloud and who has access?
• How will we approach backups? Will we have offsite copies?
• Will our cloud provider have access to company data? If so, what can they do
with it?
Without a clear strategy, an organization will not be able to fully reap the benefits of a cloud
security monitoring solution.
Alert fatigue. Many cloud monitoring products are noisy, which can result in IT and security
teams lacking insight into what’s important to focus on. A FireEye study revealed that some
organizations receive up to 10,000 alerts per month from security products. Cloud monitoring
solutions with prioritized alerts can reduce the noise and chances of receiving false positives,
which provides higher security value.
Lack of context. Logs and alerts are only valuable if an organization understands how to
interpret them. Security teams should understand what they want to monitor and why; once
they receive alerts, they should know which actions to take. A best-in-class threat detection
and response platform will provide remediation steps and playbooks in addition to prioritized
alerts.
SECURITY ARCHITECTURE DESIGN
A cloud security architecture (also sometimes called a “cloud computing security architecture”)
is defined by the security layers, design, and structure of the platform, tools, software,
infrastructure, and best practices that exist within a cloud security solution. A cloud security
architecture provides the written and visual model to define how to configure and secure
activities and operations within the cloud, including such things as identity and access
management; methods and controls to protect applications and data; approaches to gain and
maintain visibility into compliance, threat posture, and overall security; processes for instilling

10. security principles into cloud services development and operations; policies and governance to
meet compliance standards; and physical infrastructure security components.
Cloud security, in general, refers to the protection of information, applications, data, platforms,
and infrastructure that operate or exist within the cloud. Cloud security is applicable to all types
of cloud computing infrastructures, including public clouds, private clouds, and hybrid clouds.
Cloud security is a type of cybersecurity.
When developing a cloud security architecture several critical elements should be included:
• Security at Each Layer
• Centralized Management of Components
• Redundant & Resilient Design
• Elasticity & Scalability
• Appropriate Storage for Deployments
• Alerts & Notifications
• Centralization, Standardization, & Automation
Infrastructure-as-a-Service (IaaS) – IaaS is a cloud computing model that provides
virtualized computing resources including networking, storage, and machines accessible
through the internet. In IaaS, the Cloud Service Provider (CSP) is responsible for the controls
that protect their underlying servers and data including security of servers, storage and
networking hardware, virtualization, and the hypervisor. The enterprise’s security
responsibilities include user access, data, applications, operating systems, and network traffic.
According to Gartner, by 2021, 50% of enterprises will unknowingly and mistakenly have
exposed some IaaS storage services, network segments, applications, or APIs directly to the
public internet, up from 25% at YE18.
IaaS cloud security models also require these security features:
• Audit and monitor resources for misconfiguration
• Automate policy corrections
• Prevent data loss with DLP
• Capture custom app activity and enforce controls

11. • Detect malicious user activity and behavior
• Detect and remove malware
• Discover rouge IaaS services and accounts
• Identify provisioned user risk
• Enrich native cloud platform forensics
• Manage multiple IaaS providers
According to Gartner, through 2023, at least 99% of cloud security failures will be the
customer’s fault. Through 2024, workloads that leverage the programmability of cloud
infrastructure to improve security protection will demonstrate improved compliance and at
least 60% fewer security incidents than those in traditional data centers. As with on-premises
data centers, the majority of successful cloud attacks are caused by mistakes, such as
misconfiguration, missing patches, or mismanaged credentials. To achieve more secure cloud-
based infrastructure and platform services, Gartner recommends a systematic and risk-based
approach for IaaS/PaaS security using a set of layered capabilities.
Platform-as-a-Service (PaaS) – The CSP secures a majority of a PaaS cloud service model,
however, the enterprise is responsible for the security of its applications. PaaS builds upon IaaS
deploying applications without taking on the cost and resources required to buy and manage
hardware, software, and hosting capabilities. These features can include:
• Cloud Access Security Brokers (CASB)
• Cloud workload protection platforms (CWPP)
• Cloud security posture management (CSPM)
• Business analytics/intelligence
• Logs
• IP restrictions
• API gateways
• Internet of Things (IoT)
Software-as-a-Service (SaaS) – Terms of security ownership within SaaS are negotiated with
the CSP as part of their service contract. SaaS often hosts an enterprise’s physical,
infrastructure, hypervisor, network traffic, and operating system. SaaS apps and infrastructure
controls can include:
• Enforce data loss prevention (DLP)
• Prevent unauthorized sharing of sensitive data to wrong people
• Block sync/download of corporate data to personal devices
• Detect compromised account, insider threats, and malware
• Gain visibility into unsanctioned applications
• Audit for misconfiguration
DATA SECURITY
Cloud data protection is the practice of securing a company’s data in a cloud environment,
wherever that data is located, whether it’s at rest or in motion, and whether it’s managed
internally by the company or externally by a third party.

12. This practice has become increasingly important as more companies have switched from
building and managing their own data centers to storing their applications and data in the
cloud instead. A 2018 survey by IDG, a leading technology media company, stated that 73%
of companies had applications or infrastructure in the cloud, with another 17% expected to
make the move in the coming year
Companies are collecting massive amounts of data, ranging from highly confidential
business, financial and customer data to fairly unimportant information. They’re also moving
more and more of their data to the cloud and storing it in more places than ever – public,
private and hybrid clouds, cloud storage environments, software-as-a-service applications,
and so on.
As they do this, companies are discovering just how complicated protecting and securing all
their data across multiple environments can be. For example:
• They no longer know where all their applications and data are.
• With most of their applications and data housed on third-party infrastructure,
companies no longer have visibility into who is accessing and using their applications
and data, which devices are being used for access, or how their data is potentially
being used or shared.
• They have no insight into how cloud providers are storing and securing their data.
• Even though most cloud providers have state-of-the-art security, this security is
limited. After all, companies and cloud providers share responsibilities for cloud
security.
• Different cloud providers have varying capabilities, which can result in inconsistent
cloud data protection and security.
On top of this, companies face a host of security challenges, including the potential for:
• Security breaches
• Loss or theft of sensitive data
• Application vulnerabilities and malware propagation
The Benefits of Cloud Data Protection

13. Among the benefits of cloud data protection, it enables companies to:
• Secure applications and data across multiple environments while maintaining complete
visibility into all user, folder and file activity.
• Proactively identify and mitigate risks, such as security threats, suspicious user
behavior, malware and others.
• Better govern access.
• Define policies.
• Prevent and detect data loss and disruption.
APPLICATION SECURITY
Application security describes security measures at the application level that aim to prevent
data or code within the app from being stolen or hijacked. It encompasses the security
considerations that happen during application development and design, but it also involves
systems and approaches to protect apps after they get deployed.
Application security may include hardware, software, and procedures that identify or minimize
security vulnerabilities. A router that prevents anyone from viewing a computer’s IP address
from the Internet is a form of hardware application security. But security measures at the
application level are also typically built into the software, such as an application firewall that
strictly defines what activities are allowed and prohibited. Procedures can entail things like an
application security routine that includes protocols such as regular testing.
Why application security is important
Application security is important because today’s applications are often available over various
networks and connected to the cloud, increasing vulnerabilities to security threats and breaches.
There is increasing pressure and incentive to not only ensure security at the network level but
also within applications themselves. One reason for this is because hackers are going after apps
with their attacks more today than in the past. Application security testing can reveal
weaknesses at the application level, helping to prevent these attacks.
Application security is the process of developing, adding, and testing security features within
applications to prevent security vulnerabilities against threats such as unauthorized access and
modification.
Types of application security
Different types of application security features include authentication, authorization,
encryption, logging, and application security testing. Developers can also code applications to
reduce security vulnerabilities.

14. Authentication: When software developers build procedures into an application to ensure that
only authorized users gain access to it. Authentication procedures ensure that a user is who
they say they are. This can be accomplished by requiring the user to provide a user name and
password when logging in to an application. Multi-factor authentication requires more than one
form of authentication—the factors might include something you know (a password),
something you have (a mobile device), and something you are (a thumb print or facial
recognition).
Authorization: After a user has been authenticated, the user may be authorized to access and
use the application. The system can validate that a user has permission to access the application
by comparing the user’s identity with a list of authorized users. Authentication must happen
before authorization so that the application matches only validated user credentials to the
authorized user list.
Encryption: After a user has been authenticated and is using the application, other security
measures can protect sensitive data from being seen or even used by a cybercriminal. In cloud-
based applications, where traffic containing sensitive data travels between the end user and the
cloud, that traffic can be encrypted to keep the data safe.
Logging: If there is a security breach in an application, logging can help identify who got access
to the data and how. Application log files provide a time-stamped record of which aspects of
the application were accessed and by whom.
Application security testing: A necessary process to ensure that all of these security controls
work properly.
VIRTUAL MACHINE SECURITY
IDENTITY MANAGEMENT AND ACCESS CONTROL
AUTONOMIC SECURITY