BESE-2k22-13AB
Lecture 13ABC
Fall 2024
Dr. Qaiser Riaz
Tenured Associate Professor
Faculty of Computing
SEECS, NUST
Agenda
Cloud Security
• Digital Signature
• Public Key Infrastructure (PKI)
• Identity and Access Management (IAM)
• Single Sign-On (SSO)
• Federated Identity Management
• Hardened Virtual Server Image
• Biometric Scanner
• Multifactor Authentication
Cloud and Cyber Security Data-Oriented Mechanisms
Cloud Security
Digital Signatures
§ A means of providing data authenticity and integrity through authentication.
§ A message is assigned a digital signature prior to transmission, which is then rendered invalid if the message experiences any subsequent, unauthorized modifications.
§ A digital signature provides evidence that the message received is the same as the one created by its rightful sender.
Digital Signatures
§ Both hashing and asymmetric encryption are involved in the creation of a digital signature, which essentially exists as a message digest that was encrypted by a private key and appended to the original message.
§ The recipient verifies the signature validity and uses the corresponding public key to decrypt the digital signature, which produces the message digest.
§ The hashing mechanism can also be applied to the original message to produce this message digest.
§ Identical results from the two different processes indicate that the message maintained its integrity.
Digital Signatures
Cloud Service Consumer B sends a message that was digitally signed but was altered by a trusted attacker, Cloud Service Consumer A. Virtual Server B is configured to verify digital signatures before processing incoming messages, even if they are within its trust boundary. The message is revealed as illegitimate due to its invalid digital signature, and is therefore rejected by Virtual Server B.
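The sign-then-verify flow described above (hash the message, sign the digest with the sender's private key, recompute the digest on receipt and check it against the signature with the public key), written out as an added Go example that is not from the slides or the textbook. It uses RSASSA-PKCS1-v1_5 with SHA-256 from Go's standard library; the message text, the key pair and the altered message are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignedMessage is what the sender transmits: the original message with the
// digital signature (the signed message digest) appended as a separate field.
type SignedMessage struct {
	Body      []byte
	Signature []byte
}

// Sign hashes the message and signs the digest with the sender's private key
// (RSASSA-PKCS1-v1_5 with SHA-256 from Go's standard library).
func Sign(priv *rsa.PrivateKey, body []byte) (SignedMessage, error) {
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return SignedMessage{}, err
	}
	return SignedMessage{Body: body, Signature: sig}, nil
}

// Verify is the receiver's check (Virtual Server B in the scenario): recompute
// the digest of the received body and check it against the signature with the
// sender's public key. Any change to body or signature makes the check fail.
func Verify(pub *rsa.PublicKey, m SignedMessage) bool {
	digest := sha256.Sum256(m.Body)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], m.Signature) == nil
}

// Tamper models the message being altered in transit by a party inside the
// trust boundary: the body changes, the original signature is carried along.
func Tamper(m SignedMessage, newBody []byte) SignedMessage {
	return SignedMessage{Body: newBody, Signature: m.Signature}
}

func main() {
	consumerB, _ := rsa.GenerateKey(rand.Reader, 2048) // Consumer B's key pair (constructed)
	msg, _ := Sign(consumerB, []byte("transfer 100 credits to account 42"))
	fmt.Println("genuine message accepted:", Verify(&consumerB.PublicKey, msg)) // true
	altered := Tamper(msg, []byte("transfer 100 credits to account 99"))
	fmt.Println("altered message accepted:", Verify(&consumerB.PublicKey, altered)) // false
}
```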
Digital Certificates
Public Key Infrastructure (PKI)
§ A common approach for managing the issuance of asymmetric keys is based on the public key infrastructure (PKI) mechanism.
§ It is a system of protocols, data formats, rules, and practices that enable large-scale systems to securely use public key cryptography.
§ This system is used to associate public keys with their corresponding key owners (known as public key identification) while enabling the verification of key validity.
§ PKIs rely on the use of digital certificates, which are digitally signed data structures that bind public keys to certificate owner identities, as well as to related information, such as validity periods.
§ Digital certificates are usually digitally signed by a third-party certificate authority.
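The PKI pieces named above, as an added Go example that is not from the slides or the textbook: a certificate authority issues a digitally signed certificate binding a public key to an owner identity and a validity period, and a relying party checks the chain back to the root it trusts and the validity period. The CA name, the consumer identity "consumer-a", the key pairs and the validity periods are all constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Certificate binds pub to the subject identity and a validity period and has
// signer digitally sign the structure. parent == nil produces a self-signed CA
// root (the trust anchor); otherwise parent is the issuing CA's certificate.
func Certificate(subject string, pub *ecdsa.PublicKey, notAfter time.Time,
	parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: subject},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, tmpl.IsCA, tmpl.KeyUsage = tmpl, true, x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Validate is the relying party's check: the signature chain must end at the
// root it trusts and the certificate must be inside its validity period at now.
// On success it returns the identity the certificate binds the public key to.
func Validate(cert, trustedRoot *x509.Certificate, now time.Time) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil
}

func main() {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // CA key pair (constructed)
	ca, _ := Certificate("Example Cloud CA", &caKey.PublicKey, time.Now().Add(48*time.Hour), nil, caKey)
	userKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // consumer's key pair (constructed)
	cert, _ := Certificate("consumer-a", &userKey.PublicKey, time.Now().Add(time.Hour), ca, caKey)
	fmt.Println(Validate(cert, ca, time.Now()))                  // consumer-a <nil>
	fmt.Println(Validate(cert, ca, time.Now().Add(2*time.Hour))) // "" and an expiry error
}
```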
Identity and Access Management (IAM)
§ The IAM mechanism encompasses the components and policies necessary to control and track user identities and access privileges for IT resources, environments, and systems.
§ Specifically, IAM mechanisms exist as systems comprised of four main components:
  § Authentication – Username and password combinations, digital signatures, digital certificates, biometric hardware (fingerprint readers), specialized software (such as voice analysis programs), and locking user accounts to registered IP or MAC addresses
  § Authorization – Defines the correct granularity for access controls and oversees the relationships between identities, access control rights, and IT resource availability
  § User Management – Related to the administrative capabilities of the system: creating new user identities and access groups, resetting passwords, and defining password policies and privileges
  § Credential Management – Establishes identities and access control rules for defined user accounts
Single Sign-On (SSO)
§ Propagating the authentication and authorization information for a cloud service consumer across multiple cloud services can be a challenge.
§ This is especially so if numerous cloud services or cloud-based IT resources need to be invoked as part of the same overall runtime activity.
§ The single sign-on (SSO) mechanism enables one cloud service consumer to be authenticated by a security broker, which establishes a security context that is persisted while the cloud service consumer accesses other cloud services or cloud-based IT resources.
§ Otherwise, the cloud service consumer would need to re-authenticate itself with every subsequent request.
§ The SSO mechanism essentially enables mutually independent cloud services and IT resources to generate and circulate runtime authentication and authorization credentials.
Single Sign-On (SSO)
§ A cloud service consumer provides the security broker with login credentials (1).
§ The security broker responds with an authentication token upon successful authentication, which contains cloud service consumer identity information (2) that is used to automatically authenticate the cloud service consumer across Cloud Services A, B, and C (3).
Single Sign-On (SSO)
§ The credentials received by the security broker are propagated to ready-made environments across two different clouds.
§ The security broker is responsible for selecting the appropriate security procedure with which to contact each cloud.
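Steps (1) to (3) of the SSO flow above, as an added Go example that is not from the slides or the textbook. The broker checks the login credentials once and issues an authentication token carrying the consumer identity; each cloud service then verifies the token on its own instead of asking the consumer to re-authenticate. The token format (JSON payload plus HMAC-SHA256 tag), the broker's shared key, the user store and the 10-minute lifetime are constructed; a real broker would compare password hashes and could use an asymmetric signature instead of a shared key.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Token is the authentication token the security broker issues: the consumer
// identity it vouches for and an expiry that bounds the security context.
type Token struct {
	Subject string `json:"sub"`
	Expires int64  `json:"exp"`
}

// sign computes the HMAC that lets a service check the token came from the broker.
// key is the secret the broker shares with Cloud Services A, B and C (constructed).
func sign(key, payload []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(payload)
	return mac.Sum(nil)
}

// Login is steps (1) and (2): the broker checks the credentials once against its
// user store (constructed; a real broker compares password hashes) and issues a
// token the consumer presents to each service instead of re-authenticating.
func Login(key []byte, users map[string]string, user, pass string, now time.Time) (string, error) {
	if p, ok := users[user]; !ok || p != pass {
		return "", errors.New("authentication failed")
	}
	payload, _ := json.Marshal(Token{Subject: user, Expires: now.Add(10 * time.Minute).Unix()})
	enc := base64.RawURLEncoding
	return enc.EncodeToString(payload) + "." + enc.EncodeToString(sign(key, payload)), nil
}

// Accept is step (3), run independently by each cloud service: verify the MAC
// (constant-time compare) and the expiry before trusting the identity inside.
func Accept(key []byte, token string, now time.Time) (Token, error) {
	body, tag, ok := strings.Cut(token, ".")
	payload, err := base64.RawURLEncoding.DecodeString(body)
	sig, err2 := base64.RawURLEncoding.DecodeString(tag)
	if !ok || err != nil || err2 != nil || !hmac.Equal(sig, sign(key, payload)) {
		return Token{}, errors.New("invalid token")
	}
	var t Token
	if err := json.Unmarshal(payload, &t); err != nil || now.Unix() >= t.Expires {
		return Token{}, errors.New("token expired or unreadable")
	}
	return t, nil
}

func main() {
	key, users := []byte("broker-shared-secret"), map[string]string{"consumer-a": "s3cret"} // constructed
	tok, _ := Login(key, users, "consumer-a", "s3cret", time.Now())
	fmt.Println(Accept(key, tok, time.Now())) // Cloud Services A, B and C each run this same check
}
```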
Federated Identity Management
§ Federated identity management (FIM) refers to a way to connect identity management systems together.
§ With FIM, a user's credentials are always stored with a "home" organization (the "identity provider").
§ When the user logs into a service (SaaS application), instead of providing credentials to the service provider, the service provider trusts the identity provider to validate the credentials.
§ Hence the user never provides credentials directly to anyone but the identity provider.
§ SSO is a subset of FIM.
Hardened Virtual Server Image
§ In clouds, a virtual server is created from a template configuration called a virtual server image (or VM image).
§ Hardening is the process of stripping unnecessary software from a system to limit potential vulnerabilities that can be exploited by attackers.
§ Removing redundant programs, closing unnecessary server ports, and disabling unused services, internal root accounts, and guest access are all examples of hardening.
Biometric Scanner
§ Biometrics is a technology used to determine a person's identity based on their physiological or behavioral characteristics.
§ Since biometric data is directly derived from these types of unique user characteristics, it cannot be lost or forgotten by the user, nor can it be easily forged by attackers.
Multifactor Authentication
§ A multi-factor authentication system uses two or more factors (verifiers) to achieve authentication.
§ It works by requesting one form of verification from a user during a sign-in process, and then requesting a second form of verification to complete the sign-in.
§ The types of authentication methods are kept independent of each other, thereby making it difficult for malicious users to gain unauthorized access.
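The two-step sign-in above, as an added Go example that is not from the slides or the textbook: the first factor is a password checked against a stored salted hash, the second is a time-based one-time code (TOTP, RFC 6238 with HMAC-SHA1 and 30-second steps) derived from a secret that is independent of the password. The account, salt and TOTP secret are constructed; the plain SHA-256 password hash is used only to stay within the standard library, and a slow password KDF belongs in real deployments.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// TOTP computes a 6-digit time-based one-time code (RFC 6238, HMAC-SHA1,
// 30-second steps): the second factor, derived from a secret shared only between
// the user's authenticator and the server, never from the password.
func TOTP(secret []byte, at time.Time) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(at.Unix()/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f // dynamic truncation (RFC 4226)
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// Account is what the server stores: a salted password hash (plain SHA-256 here
// to stay in the standard library; use a slow KDF in practice) and the TOTP secret.
type Account struct {
	Salt, PassHash, TOTPSecret []byte
}

func NewAccount(password string, salt, totpSecret []byte) Account {
	h := sha256.Sum256(append(append([]byte{}, salt...), password...))
	return Account{Salt: salt, PassHash: h[:], TOTPSecret: totpSecret}
}

// SignIn verifies the password (first factor) and only then the one-time code
// (second factor); the factors are independent, so a stolen password alone fails.
// The code for the previous 30-second step is also accepted to tolerate clock drift.
func (a Account) SignIn(password, code string, now time.Time) bool {
	h := sha256.Sum256(append(append([]byte{}, a.Salt...), password...))
	if subtle.ConstantTimeCompare(h[:], a.PassHash) != 1 {
		return false
	}
	for _, t := range []time.Time{now, now.Add(-30 * time.Second)} {
		if subtle.ConstantTimeCompare([]byte(TOTP(a.TOTPSecret, t)), []byte(code)) == 1 {
			return true
		}
	}
	return false
}

func main() {
	acct := NewAccount("correct horse", []byte("salt-1"), []byte("12345678901234567890")) // constructed
	code := TOTP(acct.TOTPSecret, time.Now()) // what the user's authenticator app would show
	fmt.Println("password + current code:", acct.SignIn("correct horse", code, time.Now())) // true
	fmt.Println("password + wrong code:  ", acct.SignIn("correct horse", "000000", time.Now()))
}
```

The secret "12345678901234567890" is the RFC 6238 test-vector secret, so TOTP at Unix time 59 yields 287082 and at 1111111109 yields 081804.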
Cloud and Cyber Security Data-Oriented Mechanisms
Digital Virus Scanning and Decryption System
§ An advanced anti-virus system comprised of client-side and server-side components.
§ The client-side component detects viruses by scanning files using detection methods that include specific pattern matches within executable files or heuristic methods to detect viral activity.
§ It attempts to clean an identified virus infection by removing the virus's code and restoring the original file's contents.
§ The server-side component is responsible for maintaining a database of collected virus information and using data science technologies to analyze and learn from the available information to help identify and counter new potential viruses or virus variants.
§ The client-side component periodically receives updated intelligence from the server-side component.
Malicious Code Analysis System
§ The malicious code analysis system is a mechanism that performs analysis of massive volumes of malicious code to quickly produce a report that a human analyst can use to determine what actions the malicious code took.
§ Contemporary malicious code analysis systems rely on machine learning technology to carry out and constantly improve malware detection capabilities.
Data Loss Prevention (DLP) System
§ A tool that enables security professionals to manage the security of, and configure access to, distributed information assets, which becomes more difficult with a remote workforce.
§ Commonly used to avoid the unauthorized or accidental sharing of confidential data by internal staff.
A security professional with a DLP system blocks a user from storing company data on a USB drive (1), scans a corporate server with files in folders to identify the ones with confidential data (2), and forces an email going outside of the organization boundary to be encrypted (3).
Activity Log Monitor
§ Scans historical log files or databases to attempt to find patterns of activity on networks which may provide indicators of possible security breaches.
§ Activity log data can come from event logs, device configuration logs, operating system logs, etc.
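One pattern an activity log monitor of the kind described above looks for, as an added Go example that is not from the slides or the textbook: a burst of failed logins from one source inside a time window, escalated if the same source then logs in successfully. The log line format, the field names and the sample records are constructed for the example; a real monitor parses whatever formats the event, device and operating system logs it ingests actually use.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

type Event struct {
	At      time.Time
	Source  string
	Success bool
}

// Parse reads constructed auth log lines shaped like
// "2024-10-07T09:15:02Z auth user=alice src=10.0.0.5 result=fail"; other lines are skipped.
func Parse(log string) []Event {
	var events []Event
	for _, line := range strings.Split(log, "\n") {
		f := strings.Fields(line)
		if len(f) != 5 || f[1] != "auth" || !strings.HasPrefix(f[3], "src=") {
			continue
		}
		if at, err := time.Parse(time.RFC3339, f[0]); err == nil {
			events = append(events, Event{At: at, Source: f[3][4:], Success: f[4] == "result=ok"})
		}
	}
	return events
}

// FindBruteForce flags a source with at least threshold failed logins inside window;
// a later success from that source upgrades the alert. Events must be chronological.
func FindBruteForce(events []Event, threshold int, window time.Duration) map[string]string {
	alerts := map[string]string{}
	failures := map[string][]time.Time{} // source -> failure times still inside the window
	for _, e := range events {
		if e.Success {
			if alerts[e.Source] != "" {
				alerts[e.Source] = "failed-login burst followed by successful login"
			}
			continue
		}
		recent := failures[e.Source][:0] // drop failures that fell out of the window
		for _, t := range failures[e.Source] {
			if e.At.Sub(t) <= window {
				recent = append(recent, t)
			}
		}
		failures[e.Source] = append(recent, e.At)
		if len(failures[e.Source]) >= threshold && alerts[e.Source] == "" {
			alerts[e.Source] = "repeated failed logins"
		}
	}
	return alerts
}

func main() {
	sample := "2024-10-07T09:15:00Z auth user=alice src=10.0.0.5 result=fail\n2024-10-07T09:15:04Z auth user=alice src=10.0.0.5 result=fail\n2024-10-07T09:15:20Z auth user=alice src=10.0.0.5 result=ok" // constructed
	fmt.Println(FindBruteForce(Parse(sample), 2, time.Minute)) // map[10.0.0.5:failed-login burst followed by successful login]
}
```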
Traffic Monitor
§ Responsible for monitoring network traffic to review and analyze traffic activity in search of abnormalities that may be adversely affecting network performance, availability and/or security.
§ This mechanism provides network administrators with real-time data and long-term usage trends for network devices.
Further Reading
§ Chapter 11: Cloud and Cyber Security Data-Oriented Mechanisms, in Cloud Computing: Concepts, Technology & Architecture by Thomas Erl et al., 2023

Security Terms and Concepts in Cloud Computing
