Unit 4: Overview of Cloud Security

Explain the security concerns in Traditional IT

Security of computer facilities, stored data, and the information generated is part of a successful
conversion. Recognition of the need for security is a natural outgrowth of the belief that
information is a key organizational resource, as discussed in Chapter “Systems, Roles and
Development Methodologies“. With increasingly complex transactions and many innovative
exchanges, the Web has brought heightened security concerns to the IS professional’s world.

It is useful to think of security of systems, data, and information on an imaginary continuum

from totally secure to totally open. Although there is no such thing as a totally secure system,
the actions analysts and users take are meant to move systems toward the secure end of the
continuum by lessening the system’s vulnerability. It should be noted that as more people in
the organization gain greater computer power, gain access to the Web, or connect to intranets
and extranets, security becomes increasingly difficult and complex. Sometimes, organizations
will hire a security consultant to work with the systems analyst when security is crucial to
successful operations.

Security is the responsibility of all those who come into contact with the system and is only as
good as the most lax behavior or policy in the organization. Security has three interrelated
aspects: physical, logical, and behavioral. All three must work together if the quality of security
is to remain high.

• Physical Security

Physical security refers to securing the computer facility, its equipment, and software
through physical means. It can include controlling access to the computer room by means
of machinereadable badges, biometric systems, or a human sign-in/sign-out system, as
well as using closed-circuit television cameras to monitor computer areas, backing up data
frequently, and storing backups in a fireproof, waterproof area, often at a secure off-site
location.

In addition, small computer equipment should be secured so that a typical user cannot
move it, and it should be guaranteed uninterrupted power. Alarms that notify appropriate
people of fire, flood, or unauthorized human intrusion must be in working order at all
times.

Decisions about physical security should be made along with users when the analyst is
planning for computer facilities and equipment purchases. Obviously, physical security
can be much tighter if anticipated in advance of actual installation and if computer rooms
are specially equipped for security when they are constructed rather than outfitted as an
afterthought.
• Logical Security

Logical security refers to logical controls in the software itself. The logical controls
familiar to most users are passwords or authorization codes of some sort. When used, they
permit the user with the correct password to enter the system or a particular part of a
database.

Passwords, however, are treated cavalierly in many organizations. Employees have been
overheard yelling a password across crowded offices, taping passwords to their display
screens, and sharing personal passwords with authorized employees who have forgotten
their own.

Special encryption software has been developed to protect commercial transactions on the
Web, and business transactions are proliferating. Internet fraud is also up sharply,
however, with few authorities trained in catching Internet criminals and a “wild west,” or
“last frontier,” mentality clearly evidenced in those instances when authorities have been
able to apprehend Web criminals.

One way for networks to cut down on the risk of exposure to security challenges from the
outside world is to build a firewall or firewall system. A firewall constructs a barricade
between an internal organization’s network and an external (inter)network, such as the
Internet. The internal network is assumed to be trustworthy and secure, whereas the
Internet is not. Firewalls are intended to prevent communication into or out of the network
that has not been authorized and that is not wanted. A firewall system is not a perfect
remedy for organizational and Internet security; it is, however, an additional layer of
security that is now widely endorsed. There is still no fully integrated way to address
security problems with internal and external networks, but they do deserve analysts’
attention when planning any new or improved systems.

Logical and physical controls are important but clearly not enough to provide adequate
security. Behavioral changes are also necessary.

• Behavioral Security

The behavioral expectations of an organization are implicit in its policy manuals and even
on signs posted in work rooms and lunch rooms, as we saw in Chapter “Information
Gathering: Unobtrusive Methods“. The behavior that organization members internalize,
however, is also critical to the success of security efforts. (One reason firewalls are not
attack-proof is because many attacks to information systems come from within the
organization.)

Security can begin with the screening of employees who will eventually have access to
computers, data, and information, to ensure that their interests are consistent with the
organization’s interests and that they fully understand the importance of carrying through
on security procedures. Policies regarding security must be written, distributed, and
updated so that employees are fully aware of expectations and responsibilities. It is typical
that the systems analyst will first have contact with the behavioral aspects of security.
Some organizations have written rules or policies prohibiting employees from surfing the
 Web during work hours, or even prohibiting Web surfing altogether, if company
equipment is involved. Other corporations use software locks to limit access to Web sites
that are judged to be objectionable in the workplace, such as game, gambling, or
pornographic sites.

Part of the behavioral facet of security is monitoring behavior at irregular intervals to

ascertain that proper procedures are being followed and to correct any behaviors that may
have eroded with time. Having the system log the number of unsuccessful sign-on attempts
of users is one way to monitor whether unauthorized users are attempting to sign on to the
system. Periodic and frequent inventorying of equipment and software is desirable. In
addition, unusually long sessions or atypical after-hours access to the system should be
examined.

Employees should clearly understand what is expected of them, what is prohibited, and
the extent of their rights and responsibilities. In the United States and European Union,
employers are legally obligated to disclose all monitoring that is being done or that is being
contemplated, and they must supply the rationale behind it. Such disclosure should include
the use of video cameras, software, and phone monitoring.

Output generated by the system must be recognized for its potential to put the organization
at risk in some circumstances. Controls for output include displays that can only be
accessed via password, the classification of information (that is, to whom it can be
distributed and when), and secure storage of printed and stored documents, no matter what
their format.

In some cases, provision for shredding documents that are classified or proprietary must
be made. Shredding or pulverization services can be contracted from an outside firm that,
for a fee, will shred magnetic media, printer cartridges, and paper. A large corporation may
shred upward of 76,000 pounds of output in a variety of media annually.

• Special Security Considerations for Ecommerce

It is well known that intruders can violate the integrity of any computer system. As an
analyst, you need to take a series of precautions to protect the computer network from both
internal and external Web security threats. A number of actions and products can help you:

1. Virus protection software.

2. Email filtering products that provide policy-based email and email attachment scanning
and filtering to protect companies against both incoming and outgoing email. Incoming
scanning protects against spam (unsolicited email such as advertising) attacks, and
outgoing scanning protects against the loss of proprietary information.
3. RL filtering products that provide employees with access to the Web by user, by groups
of users, by computers, by the time, or by the day of the week.
4. Firewalls, gateways, and virtual private networks that prevent hackers from gaining
backdoor access to a corporate network.
 5. Intrusion detection and antiphishing products that continually monitor usage, provide
messages and reports, and suggest actions to take.
6. Vulnerability management products that assess the potential risks in a system and
discover and report vulnerabilities. Some products correlate the vulnerabilities to make
it easier to find the root cause of the security breach. Risk cannot be eliminated, but this
software can help manage the risk by balancing security risk to the financial bottom
line.
7. Security technologies such as secure socket layering (SSL) for authentication.
8. Encryption technologies such as secure electronic translation (SET).
9. Public key infrastructure (PKI) and digital certificates (obtained from a company such
as VeriSign). Use of digital certificates ensures that the reported sender of the message
is really the company that sent the message.

• Privacy Considerations for Ecommerce

The other side of security is privacy. To make your Web site more secure, you must ask
the user or customer to give up some privacy.

As a Web site designer, you will recognize that the company for which you design
exercises a great deal of power over the data its customers are providing. The same tenets
of ethical and legal behavior apply to Web site design as to the design of any traditional
application that accepts personal data from customers. The Web, however, allows the data
to be collected faster and allows different data to be collected (such as the browsing habits
of the customer). In general, information technology makes it possible to store more data
in data warehouses, process that data, and distribute the data more widely.

Every company for which you design an ecommerce application should adopt a privacy
policy. Here are some guidelines:

1. Start with a corporate policy on privacy. Make sure it is prominently displayed on the
Web site so that all customers can access the policy whenever they complete a
transaction.
2. Only ask for information the application requires to complete the transaction at hand.
For example, is it necessary to the transaction to ask a person’s age or gender?
3. Make it optional for customers to fill out personal information on the Web site. Some
customers do not mind receiving targeted messages, but you should always give
customers an opportunity to maintain the confidentiality of their personal data by not
responding.
4. Use sources that allow you to obtain anonymous information about classes of
customers. There are companies that offer audience profiling technology and
technology solutions for management of advertisements, their targeting, and their
delivery. They do so by maintaining a dynamic database of consumer profiles without
linking them to individuals, thereby respecting customers’ rights to privacy.
5. Be ethical. Avoid the latest cheap trick that permits your client to gather information
about the customer in highly suspect ways. Tricks such as screen scraping (capturing
 remotely what is on a customer’s screen) and email cookie grabbing are clear violations
of privacy, and may prove to be illegal as well.

A coordinated policy of security and privacy is essential. It is essential to establish these

policies and adhere to them when implementing an ecommerce application.

Introduce challenges in Cloud Computing in terms of Application Security

All the major promises of the cloud -- improved IT efficiency, flexibility and scalability --
come with one major challenge: security.

Many organizations can't delineate where cloud service provider (CSP) responsibilities end and
their own responsibilities begin, opening them to numerous vulnerabilities. The increased
expansiveness of the cloud also increases an organization's potential attack surface. To further
complicate the matter, traditional security controls often don't fulfill cloud security needs.

To help companies understand the cloud challenges they're up against, the Cloud Security
Alliance (CSA) went directly to the professionals. A working group of practitioners, architects,
developers and C-level staff identified a list of about 25 security threats, which were then
analyzed by security professionals who ranked them and narrowed them down further to the
11 most common cloud security challenges:

1. data breaches
2. misconfigurations and inadequate change control
3. lack of cloud security architecture and strategy
 4. insufficient identity, credential, access and key management
5. account hijacking
6. insider threats
7. insecure interfaces and APIs
8. weak control plane
9. metastructure and applistructure failures
10. limited cloud usage visibility
11. abuse and nefarious use of cloud services

1. Data breaches
A responsibility of both CSPs and their customers, data breaches remained the top cloud
security threat yet again this year in CSA's report. A number of data breaches have been
attributed to the cloud over the past years, one of the most notable being Capital One's cloud
misconfigurations.

A data breach can bring a company to its knees, causing irreversible damage to its reputation,
financial woes due to regulatory implications, legal liabilities, incident response costs and
decreased market value.

CSA recommended the following:

• defining data value and the impact of its loss;

• protecting data via encryption; and
• having a strong, well-tested incident response plan.

CSA Cloud Controls Matrix (CCM) specifications (see "CSA Cloud Controls Matrix" sidebar
for more info) include the following:

• performing data input and output integrity routines;

• applying the principle of least privilege to access control; and
• establishing policies and procedures for secure data removal and disposal.

2. Misconfigurations and inadequate change control

When assets are set up incorrectly, they are vulnerable to attack. For example, the Capital One
breach was traced back to a web application firewall misconfiguration that exposed Amazon
S3 buckets. In addition to insecure storage, excessive permissions and the use of default
credentials are two other major sources of vulnerabilities.

Related to this, ineffective change control can cause cloud misconfigurations. In on-demand,
real-time cloud environments, change control should be automated to support rapid change.

A responsibility of the customer, misconfigurations and change control are new to the cloud
security threat list.

CSA recommended the following:

paying special attention to data accessible via the internet;

defining the business value of data and the impact of its loss; and

creating and maintaining a strong incident response plan.

CCM specifications include the following:

ensuring external partners adhere to the change management, release and testing procedures
used by internal developers;

conducting risk assessments at planned intervals; and

performing security awareness training with contractors, third-party users and employees.

3. Lack of cloud security architecture and strategy

Too many organizations jump into the cloud without the proper architecture and strategy in
place. Prior to making the leap to the cloud, customers must understand the threats they are
exposed to, how to migrate to the cloud securely -- note, it's not a lift-and-shift process -- and
the ins and outs of the shared responsibility model.

This threat is new to the list and is a responsibility of the customer. Without proper planning,
customers will be vulnerable to cyber attacks that can result in financial losses, reputational
damage, and legal and compliance issues.

CSA recommended the following:

• ensuring the security architecture aligns with business goals and objectives;
 • developing and implementing a security architecture framework; and

• implementing continuous security monitoring procedures.

CCM specifications include the following:

• ensuring risk assessment policies include updating policies, procedures, standards

and controls to remain relevant;

• designing, developing and deploying business-critical/customer-impacting

application and API designs and configurations and network and system
components in accordance with agreed-upon service-level and capacity-level
expectations, IT governance, and service management policies and procedures;
and

• restricting and monitoring traffic between trusted and untrusted connections in

network environments and virtual instances.
4. Insufficient identity, credential, access and key management

A majority of cloud security threats -- and cybersecurity threats in general -- can be linked to
identity and access management (IAM) issues. According to CSA guidance, this stems from
the following:

• improper credential protection

• lack of automated cryptographic key, password and certificate rotation

• IAM scalability challenges

• absence of multifactor authentication

• weak passwords

New to the top cloud security challenges list, standard IAM challenges are exacerbated by
cloud use. Conducting inventory, tracking, monitoring and managing the sheer number of
cloud accounts needed is compounded by provisioning and deprovisioning issues, zombie
accounts, excessive admin accounts and users bypassing IAM controls, as well as challenges
with defining roles and privileges.

As a customer responsibility, CSA recommended the following:

 • using two-factor authentication;

• practicing strict IAM controls for cloud users and identities;

• rotating keys, removing unused credentials and access privileges, and employing
central, programmatic key management.

CCM specifications include the following:

• identifying key managers and creating and maintaining key management policies;

• assigning, documenting and communicating the roles and responsibilities for

performing employment termination or procedure changes; and

• performing timely deprovisioning -- whether revocation or modification -- of user

access to data and network components.
5. Account hijacking

Cloud account hijacking is the disclosure, accidental leakage, exposure or other compromise
of a cloud account that is critical to the operation, administration or maintenance of a cloud
environment. These highly privileged and sensitive accounts, if breached, can cause massive
consequences.

From phishing and credential stuffing to weak or stolen credentials to improper coding,
account compromise can lead to data breaches and service disruptions.

A responsibility of CSPs and customers, CSA recommended the following:

• remembering that account hijacking isn't just a password reset; and

• using defense-in-depth and IAM controls.

CCM specifications include the following:

• establishing, documenting and adopting a unified business continuity plan;

• separating production and nonproduction environments; and

• maintaining and regularly updating compliance liaisons in preparation for a

forensic investigation requiring rapid engagement with law enforcement.
6. Insider threats

The risks associated with employees and others working within an organization's network are
not limited to the cloud. Whether negligent or intentional, insiders -- including current and
former employees, contractors and partners -- can cause data loss, system downtime, reduced
customer confidence and data breaches.

A responsibility of the customer, insider threats involving leaked or stolen data, credential
issues, human errors and cloud misconfigurations must be addressed.

CSA recommended the following:

• conducting security awareness training;

• fixing misconfigured cloud servers; and

• restricting access to critical systems.

CCM specifications include the following:

• requiring authorization prior to relocating or transferring hardware, software or

data;

• authorizing and revalidating user access controls at planned intervals; and

• segmenting multi-tenant apps, infrastructure and networks from other tenants.

7. Insecure interfaces and APIs

CSP UIs and APIs through which customers interact with cloud services are some of the most
exposed components of a cloud environment. The security of any cloud service starts with
how well these are safeguarded and is the responsibility of both customers and CSPs.

CSPs must ensure security is integrated, and customers must be diligent in managing,
monitoring and securely using what CSA calls the "front door" of the cloud. This threat
dropped from the third most important in the last report but is still important to address.

CSA recommended the following:

• practicing good API hygiene;

 • avoiding API key reuse; and

• using standard and open API frameworks.

CCM specifications include the following:

• designing, developing, deploying and testing APIs in accordance with industry

leading standards, as well as adhering to applicable legal, statutory and regulatory
obligations;

• segregating and restricting access to audit tools that interact with the
organization's information systems to prevent data disclosure and tampering; and

• restricting utility programs capable of overriding system, object, network, VM

and application controls.
8. Weak control plane

A responsibility of the customer and new to the list this year, the cloud control plane is the
collection of cloud administrative consoles and interfaces used by an organization. It also
includes data duplication, migration and storage, according to CSA. Improperly secured, a
breached control plane could cause data loss, regulatory fines and other consequences, as
well as a tarnished brand reputation that could lead to revenue loss.

CSA recommended the following:

• requiring adequate controls from CSPs; and

• performing due diligence to determine if potential cloud services have adequate

control planes.

CCM specifications include the following:

• establishing and making infosec policies and procedures readily available for
review by internal personnel and external business relationships;

• implementing and applying defense-in-depth measures to detect and respond to

network-based attacks in a timely manner; and

• establishing policies to label, handle and secure data and objects that contain data.
9. Metastructure and applistructure failures

The metastructure, defined by CSA, is "the protocols and mechanisms that provide the
interface between the infrastructure layer and other layers" -- in other words, "the glue that
ties the technologies and enables management and configuration."

Also known as the waterline, the metastructure is the line of demarcation between CSPs and
customers. Many security threats exist here -- for example, CSA cited poor API
implementation by CSPs or improper cloud app use by customers. Such security challenges
could lead to service disruption and misconfigurations with financial and data loss
consequences.

The applistructure is defined as "the applications deployed in the cloud and the underlying
application services used to build them -- for example, PaaS features like message queues, AI
analysis or notification services."

A new threat this report, it is a customer and CSP responsibility. CSA recommended the
following:

• CSPs offering visibility and exposing mitigations to counteract their tenants' lack
of transparency;

• CSPs conducting penetration testing and providing findings to customers; and

• customers implementing features and controls in cloud-native designs.

CCM specifications include the following:

• developing and maintaining audit plans to address business process disruptions;

• implementing encryption to protect data in storage, in use and in transit; and

• establishing policies and procedures to store and manage identity information.

10. Limited cloud usage visibility

Cloud visibility has long been a concern of enterprise admins, but it is new to the CSA cloud
security challenges list this report. Limited visibility results in two key challenges, according
to CSA:
 1. Unsanctioned app use, also known as shadow IT, is when employees use
applications not permitted by IT.

2. Sanctioned app misuse is when apps approved by IT are not used as intended.
This includes users authorized to use the app, as well as unauthorized individuals
accessing it with stolen credentials obtained via SQL injection or DNS attacks, for
example.

This limited visibility, CSA said, leads to lack of governance, awareness and security -- all of
which can result in cyber attacks, data loss and breaches.

New to the list this year, it is a responsibility of CSPs and customers. CSA recommended the
following:

• developing a cloud visibility effort from the top down;

• mandating and enforcing companywide training on acceptable cloud usage

policies; and

• requiring all nonapproved cloud services be reviewed and approved by a cloud

security architect or third-party risk management.

CCM specifications include the following:

• conducting risk assessments at regular intervals;

• making all personnel aware of their compliance and security roles and
responsibilities; and

• conducting inventories, documenting and maintaining data flows.

11. Abuse and nefarious use of cloud services

Just as the cloud can be used for good, it can also be used maliciously by threat actors.
Nefarious use of legitimate SaaS, PaaS and IaaS offerings affects individuals, cloud
customers and CSPs alike. Disguised as coming from a CSP, customers are especially
vulnerable to the misuse of cloud services via the following:

• distributed denial-of-service attacks

 • phishing

• cryptomining

• click fraud

• brute-force attacks

• hosted malicious or pirated content

Compromised and abused cloud services can lead to incurred expenses -- for example, loss in
cryptocurrency or payments made by the attacker; the customer unknowingly hosting
malware; data loss; and more.

CSA recommended CSPs be diligent in detecting and mitigating such attacks with an incident
response framework. CSPs should also offer tools and controls their customers can use
to monitor cloud workloads and applications.

A customer and CSP responsibility, CSA recommended the following:

• monitoring employee cloud use; and

• using cloud data loss prevention technologies.

CCM specifications include the following:

• adopting technical measures to manage mobile device risks;

• defining allowances and usage permissions for enterprise- and user-owned

endpoints, including workstations, laptops and mobile devices; and

• creating and maintaining a list of approved applications and application stores.

Introduce challenges in Cloud Computing in terms of Server Security

Today’s businesses want it all: secure data and applications accessible anywhere from any
device. It’s possible with cloud technology, but there are inherent cloud computing security
challenges to making it a reality.

What can enterprise businesses do to reap the benefits of cloud technology while ensuring a
secure environment for sensitive information? Recognizing those challenges is the first step to
finding solutions that work. The next step is choosing the right tools and vendors to mitigate
those cloud security challenges.

In our technology driven world, security in the cloud is an issue that should be discussed from
the board level all the way down to new employees. The CDNetworks blog recently discussed
“what is cloud security” and explained some of its benefits. Now that we understand what cloud
security is, let’s take a look at some of the key challenges that may be faced and why you want
to prevent unauthorized access at all costs.

1: DDoS and Denial-of-Service Attacks

As more and more businesses and operations move to the cloud, cloud providers are becoming
a bigger target for malicious attacks. Distributed denial of service (DDoS) attacks are more
common than ever before. Verisign reported IT services, cloud platforms (PaaS) and SaaS was
the most frequently targeted industry during the first quarter of 2015.

A DDoS attack is designed to overwhelm website servers so it can no longer respond to

legitimate user requests. If a DDoS attack is successful, it renders a website useless for hours,
or even days. This can result in a loss of revenue, customer trust and brand authority.

Complementing cloud services with DDoS protection is no longer just good idea for the
enterprise; it’s a necessity. Websites and web-based applications are core components of 21st
century business and require state-of-the-art cybersecurity.

2: Data breaches

Known data breaches in the U.S. hit a record-high of 738 in 2014, according to the Identity
Theft Research Center, and hacking was (by far) the number one cause. That’s an incredible
statistic and only emphasizes the growing challenge to secure sensitive data.

Traditionally, IT professionals have had great control over the network infrastructure and
physical hardware (firewalls, etc.) securing proprietary data. In the cloud (in all scenarios
including private cloud, public cloud, and hybrid cloud situations), some of those security
controls are relinquished to a trusted partner meaning cloud infrastructure can increase security
risks. Choosing the right vendor, with a strong record of implementing strong security
measures, is vital to overcoming this challenge.

3: Data loss

When business critical information is moved into the cloud, it’s understandable to be concerned
with its security. Losing cloud data, either through accidental deletion and human error,
malicious tampering including the installation of malware (i.e. DDoS), or an act of nature that
brings down a cloud service provider, could be disastrous for an enterprise business. Often a
DDoS attack is only a diversion for a greater threat, such as an attempt to steal or delete data.

To face this challenge, it’s imperative to ensure there is a disaster recovery process in place, as
well as an integrated system to mitigate malicious cyberattacks. In addition, protecting every
network layer, including the application layer (layer 7), should be built-in to a cloud security
solution.
4: Insecure access control points

One of the great benefits of the cloud is it can be accessed from anywhere and from any device.
But, what if the interfaces and particularly the application programming interfaces (APIs) users
interact with aren’t secure? Hackers can find and gain access to these types of vulnerabilities
and exploit authentication via APIs if given enough time.

A behavioral web application firewall examines HTTP requests to a website to ensure it is

legitimate traffic. This always-on device helps protect web applications and APIS from security
breaches within cloud environments and data centers that are not on-premises.

5: Notifications and alerts

Awareness and proper communication of security threats is a cornerstone of network security

and the same goes for cloud computing security. Alerting the appropriate website or application
managers as soon as a threat is identified should be part of a thorough data security and access
management plan. Speedy mitigation of a threat relies on clear and prompt communication so
steps can be taken by the proper entities and impact of the threat minimized.

Introduce challenges in Cloud Computing in terms of Network Security

Cloud computing, an emergent technology, has placed many challenges in different aspects
of data and information handling. Some of these are shown in the following diagram:
Security and Privacy
Security and Privacy of information is the biggest challenge to cloud computing. Security and
privacy issues can be overcome by employing encryption, security hardware and security
applications.

Portability
This is another challenge to cloud computing that applications should easily be migrated from
one cloud provider to another. There must not be vendor lock-in. However, it is not yet made
possible because each of the cloud provider uses different standard languages for their
platforms.

Interoperability
It means the application on one platform should be able to incorporate services from the other
platforms. It is made possible via web services, but developing such web services is very
complex.

Computing Performance
Data intensive applications on cloud requires high network bandwidth, which results in high
cost. Low bandwidth does not meet the desired computing performance of cloud application.

Reliability and Availability

It is necessary for cloud systems to be reliable and robust because most of the businesses are
now becoming dependent on services provided by third-party.

Security reference model

Security in cloud computing is a major concern. Data in cloud should be stored in encrypted
form. To restrict client from accessing the shared data directly, proxy and brokerage services
should be employed.

Security Planning

Before deploying a particular resource to cloud, one should need to analyze several aspects of
the resource such as:

Select resource that needs to move to the cloud and analyze its sensitivity to risk.

Consider cloud service models such as IaaS, PaaS, and SaaS. These models require customer
to be responsible for security at different levels of service.

Consider the cloud type to be used such as public, private, community or hybrid.

Understand the cloud service provider's system about data storage and its transfer into and out
of the cloud.

The risk in cloud deployment mainly depends upon the service models and cloud types.

Understanding Security of Cloud

Security Boundaries
A particular service model defines the boundary between the responsibilities of service
provider and customer. Cloud Security Alliance (CSA) stack model defines the boundaries
between each service model and shows how different functional units relate to each other. The
following diagram shows the CSA stack model:

Key Points to CSA Model

• IaaS is the most basic level of service with PaaS and SaaS next two above levels of
services.
• Moving upwards, each of the service inherits capabilities and security concerns of the
model beneath.
• IaaS provides the infrastructure, PaaS provides platform development environment,
and SaaS provides operating environment.
• IaaS has the least level of integrated functionalities and integrated security while SaaS
has the most.
• This model describes the security boundaries at which cloud service provider's
responsibilities end and the customer's responsibilities begin.
• Any security mechanism below the security boundary must be built into the system
and should be maintained by the customer.
Although each service model has security mechanism, the security needs also depend upon
where these services are located, in private, public, hybrid or community cloud.

Understanding Data Security

Since all the data is transferred using Internet, data security is of major concern in the cloud.
Here are key mechanisms for protecting data.

• Access Control
 • Auditing
• Authentication
• Authorization
All of the service models should incorporate security mechanism operating in all above-
mentioned areas.

Isolated Access to Data

Since data stored in cloud can be accessed from anywhere, we must have a mechanism to
isolate data and protect it from client’s direct access.
Brokered Cloud Storage Access is an approach for isolating storage in the cloud. In this
approach, two services are created:
• A broker with full access to storage but no access to client.
• A proxy with no access to storage but access to both client and broker.

Working Of Brokered Cloud Storage Access System

When the client issues request to access data:

• The client data request goes to the external service interface of proxy.
• The proxy forwards the request to the broker.
• The broker requests the data from cloud storage system.
• The cloud storage system returns the data to the broker.
• The broker returns the data to proxy.
• Finally the proxy sends the data to the client.
All of the above steps are shown in the following diagram:
Encryption

Encryption helps to protect data from being compromised. It protects data that is being
transferred as well as data stored in the cloud. Although encryption helps to protect data from
any unauthorized access, it does not prevent data loss.

Abuse and Nefarious Use of Cloud Computing

This threat refers to attackers leveraging the resources of cloud computing to target users,
enterprises, and other cloud providers. Examples include launching DDoS attacks, phishing,
email spams, get access to credential databases, and more.

This threat arises due to relatively weak registration systems present in the cloud computing
environment. In cloud computing registration process, anyone having a valid credit card can
register and use the service. This facilitates anonymity, due to which spammer, malicious code
authors and criminals can attack the system.

Remediations:
• Organizations must use strong IDS/IPS.
• Organizations must use firewalls that can inspect incoming and outgoing traffic.
• The integration of cloud services must not be left up to individuals, groups for
implementation.
• An organization must choose their storage vendors wisely. The process must be corporate
IT or security team only. It will be especially important to involve cloud software
engineer for problem solving.
• By implementing stricter registration process and validation process.
• By credit card fraud monitoring and coordination.
• Detailed introspection of user’s network traffic.
Malicious users can exploit poorly secured cloud service deployments, free cloud service trials,
and fraudulent account sign-ups, which expose cloud computing models such as Iaas, PaaS,
and SaaS. You might experience denial of service attacks, email spam and phishing campaigns,
and brute-force computing attacks, or malicious individuals spoofing identities.

Some charts display data reported by Amazon GuardDuty, which is a threat detection service
that continuously watches for malicious activity and unauthorized behavior.

Insecure interfaces and APIs

Cloud service providers expose a set of software user interfaces or application programming
interfaces (APIs) that organizations use to manage and interact with the cloud services.
Moreover, customers and third-party users often offer services to their customers through these
interfaces.

An unauthorized user may access and re-use these APIs or passwords. They may transmit
content, get authorizations and logging capabilities.

Customers use a set of software Interfaces or APIs to interact with cloud services. The
provisioning, management, orchestration and monitoring of the cloud service are generally
done using these interfaces. If the weak set of interfaces and APIs are used, this may expose
organizations to various security threats, such as anonymous access, reusable tokens or

password, clear-text authentication or transmission of content, inflexible access controls or

improper authorizations, limited monitoring, and logging capabilities.

Remediations:
• Use a good security model of software interfaces.
• Practise strong authentication methods and limit access with encrypted transmission.
• Use standard API frameworks.
To mitigate the above threats, the security model of cloud provider interfaces should be
analysed. Strong authentication and access controls should be implemented. Encryption should
be used for transmission of content and, dependency chain associated with the API should be
clearly understood.

Malicious Insiders
This threat is well known to most organizations. Malicious insiders’ impact on organization is
considerable. Given their level of access, they can infiltrate organizations and assets and do
brand damage, financial losses and productivity losses. Therefore, it is critical for customers of
cloud services as to what controls have been provided by cloud providers to detect and defend
against the malicious insider threats.

A malicious insider can access sensitive data of the system administrator or may even get
control over the cloud services at greater levels with little or no risk of detection. A malicious
insider may affect an organization through brand damage, financial impact and productivity
loss.

Remediations:
• Organizations must understand the practices performed by cloud providers, how to grant
access to employees, and set compliance policies.
• There should be security and privacy awareness programs to understand, recognize and
report any suspicious activity.
• Organizations should automate their processes and use technologies that scan frequently
for misconfigured resources and remediate unknown activity in real time.
The Malicious insider threats can be mitigated by specifying human resources requirements as
part of legal contracts, conducting a comprehensive supplier assessment, providing
transparency into overall information security and management practices, as well as
compliance reporting and determining security breach notification processes.
Shared Technology Issues
Cloud providers deliver their services by sharing applications, or infrastructure. Sometimes,
the components that make up the infrastructure for cloud technology as-a-service offering are
not designed to offer strong isolation properties for a multi-tenant cloud service. This may lead
to vulnerabilities in shared technology that can be attacked in almost all delivery models.

Remediations:
• Sensitive data should be protected via encryption.
• Data should be segmented and protected according to sensitivity levels.
• Organizations must conduct vulnerability scanning and configuration audits regularly.

Data Loss or Leakage

The data loss threat occurs in cloud due to interaction with risks within the cloud or
architectural characteristics of the cloud application. Unauthorized parties may access data to
delete or alter records of an organization.

Data loss or leakages have an adverse effect on the business. The brand or reputation is
completely lost and the customers’ morale and trust are eroded. This data loss or leakage may
be due to insufficient authentication, authorization and audit controls, inconsistent use of
encryption and software keys, disposal challenges, a data center reliability, and disaster
recovery.

Remediations:
• Cloud service providers should provide adequate security controls to customers as well
as specify backup and retention strategies to them.
• Use strong API access control.
• Encrypt security of data in transit.
The threats arising due to data loss or leakage can be mitigated by encrypting and protecting
integrity of data in transit, analyzing data protection at both design and runtime,implementing
strong key generation, storage and management. Contractually demanding provider to wipe
persistent media before it is released in to pool and contractually specifying provider backup
and retention strategies.

Account or Service Hijacking

Cloud account hijacking occurs when a malicious actor manages to gain control of one of your
employee’s cloud-based accounts. Once in the account, they can access a wealth of sensitive
data or even impersonate your employee to commit fraud.

How does cloud hijacking happen?

It’s clear that cloud hijacking is a real risk for businesses – with grave consequences if a hacker
manages to steal sensitive data.

There are many ways for a cloud hijacking attack to happen, including:
 • Phishing attacks
• Brute force password attacks, in which a cybercriminal uses trial and error to guess an
employee’s password
• Using stolen password and login data up for grabs on the Dark Web
• Server-side request forgery (SSRF) attacks
• Manipulation of insecure web and mobile applications
• Credential-stealing malware

Underlying all of these tactics is a common thread: the fact that hackers don’t need to be
physically on-premises to access your employees’ cloud accounts. Unless you have the right
security tools at your disposal, it will be impossible for you to tell whether the person logging
in to your employee’s account is legitimate or malicious.

How to prevent cloud hijacking

Because cloud hijacking can have many root causes, you need to take a multi-levelled approach
to ensure adequate protection. Here are our top tips to consider:

• Enable MFA:
Multi-factor Authentication (MFA) is an authentication tool that mandates your users
to verify themselves using two or more methods in order to access corporate resources
like cloud applications. MFA is a simple way to protect common cloud hijacking tactics
like brute force attacks. You should use MFA in conjunction with strong password
policies – such as enforcing employees to change their passwords every six weeks. As
a side note, if MFA is difficult to implement across your cloud applications, set a
company policy that encourages employees to call the cellphone of the person who has
asked for a wire transfer to ensure it’s legitimate.

• Implement the principles of least privilege and zero trust:

Zero Trust sanctions that all networks, devices and users must first be treated as
untrusted. Users will need to authenticate their identity before being able to access
corporate files and resources. A big part of zero trust is the principle of least privilege,
whereby employees are given just enough corporate access to get their job done – but
can’t access unnecessary sensitive files. This prevents cybercriminals from
using any employee’s account to steal data, making things more difficult for them.

• Invest in SaaS DLP:

While identity and access management (IAM) principles are important, IAM alone will
never be enough. Your IAM strategy needs to be complemented by a more rigorous
approach to cloud security management, focusing on access at the data level rather than
the application level. An excellent cloud DLP solution gives you real-time visibility
into user behavior and data movement in the cloud. It lets you see how users behave
and uses automation and pattern recognition to spot and block suspicious behavior in
real-time. At the same time, DLP uses predefined policies to find, classify and protect
unstructured data across your cloud applications, ensuring that only authorized, verified
users can access sensitive information.
Unknown Risk Profile
Cloud computing offers significant potential for reduced cost, simplified IT infrastructures, and
improved IT efficiency.

Software versions, updates, security practices, vulnerability profiles, intrusion attempts, and
security design are all factors for estimating your institution’s security posture.

In some of these areas, cloud computing solutions may offer different levels of visibility
compared to their on-premise counterparts. This can contribute to making it harder to
“calculate” a risk profile. In reality, all infrastructures have some unknown risks.

Remediation: Cloud providers can help reduce the unknowns by

➢ disclosing applicable logs and data

➢ by providing a partial or full disclosure of infrastructure details (e.g., patch levels,
firewalls, etc.).
➢ Monitoring and proactive alerts and notifications can also help reduce this risk.

Shared security model between vendor and customer in IAAS/PAAS/SAAS

The cloud provider is responsible for the security of the cloud, while the customer is
responsible for security in the cloud.

Essentially, your cloud provider is responsible for making sure your infrastructure built within
its platform is inherently secure and reliable. To provide a secure cloud, the cloud vendor
manages and controls the host Operating System (OS) and the virtualization layer. They also
guarantee the physical security of the facilities.

On the flip-side, customizable cloud capabilities like application management, network

configuration, and encryption are the customer’s responsibility. To ensure security within a
given cloud environment, the customer configures and manages the security controls for the
guest OS and other apps (including updates and security patches), as well as for the security
group firewall. The cloud customer is also responsible for encrypting data in-transit and at-rest.
Separation of Responsibilities

Staying secure in a cloud is a shared responsibility. Type of cloud service model – IaaS, PaaS
and SaaS- dictates who is responsible for which security task.

SaaS moves the task of managing software and its deployment to third-party services. In a
SaaS model, the provider is primarily responsible for the infrastructure and software stack, as
the user has less control over these components.

PaaS provides its’ clients an environment in which the operating system and server software,
as well as the underlying server hardware and network infrastructure are taken care of. This
lets the user free to focus on the business side of scalability, and the application development
of their product or service.

In IaaS, cloud provider supplies and is responsible for securing basic cloud infrastructure
components, such as virtual machines, disks and networks. The provider is also responsible for
the physical security of the data centers that house its infrastructure. IaaS users, are generally
responsible for the security of the operating system and software stack required to run their
applications, as well as their data.

Users’ responsibilities generally increase as they move from SaaS to PaaS to IaaS.

The shared responsibility for cloud security has been adopted by other prominent cloud
providers as well. The division of responsibilities in Microsoft Azure’s shared responsibility
model differentiates obligations according to the customer’s level of cloud deployment. Those
three levels include Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and
Software-as-a-Service (SaaS).