TEE Notes - CSM

Module-1
R-1.2 - process, procedures, practices for security programs (implementation - SAML,
SSL), secure sdlc (for management).
1.2. Demonstrate the processes, procedures, and practices necessary for implementing a
security program in a cloud computing environment.
Security standards define the processes, procedures, and practices necessary for implementing a
security program.
Security standards are based on a set of key principles intended to protect this type of trusted
environment.

Security standards should ensure that a secure environment is maintained, one that provides
privacy and security of confidential information in a cloud environment.

The cloud environment uses the following security protocol stack:

SAML – Security Assertion Markup Language
OAuth - Open Authentication
OpenID and SSL/TLS

● Security Assertion Markup Language

SAML is an XML-based standard for communicating authentication, authorization, and
attribute information among online partners. It allows businesses to securely send assertions
between partner organizations regarding the identity and entitlements of a principal.

OASIS: The Organization for the Advancement of Structured Information Standards (OASIS)
Security Services Technical Committee is in charge of defining, enhancing, and maintaining the
SAML specifications.

SAML is built on a number of existing standards, namely, SOAP, HTTP, and XML.

SAML relies on HTTP as its communications protocol and specifies the use of SOAP. Most
SAML transactions are expressed in a standardized form of XML.

SAML assertion and protocols are specified using XML schema.

Both SAML 1.1 and SAML 2.0 use digital signatures for authentication and message integrity.

SAML defines XML-based assertions and protocols, bindings, and profiles.

SAML defines the general syntax and semantics of assertions and the protocol used to request
and transmit those assertions from one system entity to another.

The protocol refers to “what is transmitted, not how it is transmitted”.

A SAML binding determines how SAML requests and responses map to standard messaging
protocols. The synchronous binding is the SAML SOAP binding.

SAML assertions are usually transferred from identity providers to service providers.

Assertions contain statements that service providers use to make access control decisions.

Three types of statements are provided by SAML:

1. Authentication Statements

2. Attribute Statements

3. Authorization Decision Statements


Summary:

The SAML protocol is a simple “request-response” protocol. It describes how certain SAML
elements are packaged within SAML request and response elements.

● Open Authentication (OAuth)
OAuth is an open protocol, initiated by Blaine Cook and Chris Messina, to allow secure API
authentication in a simple, standardized method for various types of web applications.

OAuth is a method for publishing and interacting with protected data.

For developers: OAuth provides users access to their data while protecting account credentials. It
allows users to grant access to their information, which is shared by the service provider and
consumers without sharing all of their identity.

Benefits: It establishes a mechanism for exchanging a user name and password for a token with
defined rights and provides tools to protect the token.

Limitations: OAuth Core 1.0 does not provide many desired features, for example: automated
discovery of endpoints, language support, support for XML-RPC and SOAP, standard definition
of resource access, OpenID integration, privacy, signing algorithms, etc.

● OpenID
OpenID is an open, decentralized standard for user authentication and access
control that allows users to log onto many services using the same digital identity.
It is a single-sign-on (SSO) method of access control. It replaces the common log-in process by
allowing users to log in once and gain access to resources across participating systems.

An OpenID is in the form of a unique URL and is authenticated by the entity hosting the OpenID
URL. Nonstandard forms of authentication, such as smart cards, biometrics, or ordinary
passwords, are allowed.

A user visits a web site that displays an OpenID log-in form somewhere on the page, which has
fields for user name and password. For that, a user will have previously registered an OpenID
identifier with an OpenID identity provider. The user types this OpenID identifier into the
OpenID log-in form.
● SSL/TLS

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are
cryptographically secure protocols designed to provide security and data integrity for
communications over TCP/IP.

TLS and SSL encrypt the segments of network connections at the transport layer. Several
versions of the protocols are in general use in web browsers, email, instant messaging, and
voice-over-IP.

TLS is an IETF standard protocol which was last updated in RFC 5246.

The TLS protocol allows client/server applications to communicate across a network in a way
specifically designed to prevent eavesdropping, tampering, and message forgery.

TLS provides endpoint authentication and data confidentiality by using cryptography.

TLS involves three basic phases:

1. Peer negotiation for algorithm support: The client and server negotiate cipher suites.

2. Key exchange and authentication: Typically Public key algorithms.

3. Symmetric cipher encryption and message authentication: Hash functions.

1.5. Explain the Secure Software Development Life Cycle (SDLC) with a neat diagram.
Answer:
● Secure Software Development Life Cycle
The SecSDLC involves identifying specific threats and the risks they represent. The
SecSDLC must provide consistency, repeatability, and conformance.

The SDLC consists of 6 phases, and there are steps unique to the SecSDLC in each of the phases.

(IAna - LITMus)

Phase-1-Investigation: Define project processes and goals, and document them in the program
security policy.

Phase-2-Analysis: Analyze existing security policies and programs, current threats and controls,
examine legal issues, and perform risk analysis.

Phase-3-Logical Design: Develop a security blueprint, plan incident response actions, plan
business responses to disaster, and determine the feasibility of continuing and/or outsourcing the
project.

Phase-4-Implementation: Buy or develop security solutions. At the end of this phase, present a
tested package to management for approval.

Phase-5-Testing: Assess the software for errors and document bugs. Validation and
integration testing are carried out by the development service teams, releasing different
software applications for various purposes.

Phase-6-Maintenance: Constantly monitor, test, modify, update, and repair to respond to
changing threats.

SecSDLC - Application code is written in a consistent manner that can easily be audited and
enhanced; core application services are provided in a common, structured, and repeatable
manner; and framework modules are thoroughly tested for security issues before implementation
and continuously retested for conformance through the software regression test cycle.

Additional security processes include internal and external penetration testing and standard
security requirements based on data classification. Formal training and communications should
be developed to raise awareness of process enhancements.

R-1.6 - Cloud Security Policy, character query, policy versions,
characteristics/functionalities.
1.6. Define policy. Explain different policies that provide trust services in an Information
Service Control.
● Information Service Control

The service organization maintains controls to provide reasonable assurance that access to user
systems and data is limited to properly authorized individuals.

A formal process exists for granting and revoking access to user information systems and
services. Access to information systems is based on a valid business reason for access and
common user requirements.

Privileged OS access to the production system is restricted to authorized individuals.

Procedures require that default OS accounts, passwords, and other security parameters be
changed in accordance with user OS configuration standards.

Authorized personnel are permitted to administer production servers and network devices by
authenticating first to the user network, bastion host, relevant server, network device.

Trust Service Criteria

The system is protected against unauthorized access both physical and logical.

1.0 Policies: The entity defined and documented its policies for the security of its system.

1.1 Policies: The entity's security policies are established and periodically reviewed and
approved by a designated individual or group.

1.2 Policies:

> Identifying and documenting the security requirements of authorized users.

> Allowing access, and determining the nature of that access and who authorizes such access.

> Preventing unauthorized access.

> Developing the procedures to add new users, modify the access levels of existing users, and
remove users who no longer need access.

> Assigning responsibility and accountability for system security.

> Assigning responsibility and accountability for system changes and maintenance.

> Testing, evaluating, and authorizing system components before implementation.

> Addressing how complaints and requests relating to security issues are resolved.

> Developing procedures to handle security breaches and other incidents.

1.3 Policies:

> Responsibility and accountability for the entity’s system security policies, and for changes
and updates to those policies, are assigned.

R-1.8 - layer approaches in IAAS security approach diagram (layers - application,
Network, Host level approaches) (diagram can be layered approach)

App - file transfer protocol - SOAP, REST, HTTP (how security can be applied here) -
include HTTPS, SSH (customer makes Private key by Asymmetric methods)

1.8. Illustrate the functionalities of IaaS security controls based on the cloud layer protocol
stack.

Layered Security Approach in IaaS with Communication Protocols

Here's a breakdown of the three main layers incorporating secure communication protocols:

1. Application Layer Security:


○ Secure coding practices: This remains essential to prevent vulnerabilities within
the applications themselves that could be exploited to compromise data or gain
unauthorized access.
○ Access control: Granular access controls should be implemented to restrict
unauthorized access to data and functionalities based on user roles and
permissions. This applies to both user interfaces and APIs.
○ Data encryption at rest and in transit: Data encryption is critical throughout its
lifecycle. At the application layer, consider libraries that support strong
encryption algorithms for data at rest (e.g., on storage) and in transit (during
transfer).
2. Network Layer Security:
○ HTTPS: Enforce HTTPS for all application communication to ensure data
confidentiality and integrity in transit over the network. This prevents
eavesdropping and tampering with data packets.
○ Firewalls: Configure firewalls to filter incoming and outgoing traffic based on
security policies. These policies should allow only authorized protocols and ports
for application communication (e.g., port 443 for HTTPS).
3. Host Layer Security:
○ SSH for secure remote access: Utilize SSH (Secure Shell) for secure remote
access to virtual machines. Enforce strong password policies and implement
key-based authentication using asymmetric cryptography. This eliminates the
need to transmit passwords over the network, reducing the risk of interception.
■ SSH key generation: You can generate SSH key pairs using asymmetric
cryptography libraries. The private key remains on the user's machine,
while the public key is added to the authorized_keys file on the VM. SSH
then uses this public key to verify the user's identity without requiring a
password.
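
The server side of the key-based setup described above, as an added example that is not part of the original notes: a check of whether an `sshd_config` still accepts passwords once keys are in place. It assumes the hardening target is key-only login; both configurations are constructed, the function names are hypothetical, and the parser covers only full-line comments and simple `Match` blocks.

```python
import re

# OpenSSH defaults for the keywords checked, used when a keyword is absent.
DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
}
# Values accepted for a key-only server (assumed target for this example).
REQUIRED = {
    "pubkeyauthentication": {"yes"},
    "passwordauthentication": {"no"},
    "kbdinteractiveauthentication": {"no"},
    "permitrootlogin": {"no", "prohibit-password"},
    "permitemptypasswords": {"no"},
}
# Deprecated spelling that sshd treats as the same option.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# Constructed sample: the later "PasswordAuthentication no" never takes effect.
WEAK_CONFIG = """\
# Constructed sample configuration
Port 22
PasswordAuthentication yes
PermitRootLogin yes
PasswordAuthentication no
Match User legacy
    PasswordAuthentication yes
"""

# Constructed sample: key-only access.
HARDENED_CONFIG = """\
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
AuthorizedKeysFile .ssh/authorized_keys
"""


def parse_sshd_config(text):
    """Return (global settings, Match-block overrides).

    sshd uses the FIRST value it obtains for a keyword, so a later line does
    not override an earlier one. Keywords are case-insensitive.
    """
    settings, overrides = {}, []
    current_match = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if keyword == "match":
            current_match = value
        elif current_match is None:
            settings.setdefault(keyword, value)  # first occurrence wins
        else:
            overrides.append((lineno, current_match, keyword, value))
    return settings, overrides


def audit_sshd_config(text):
    """Return findings that leave password-based login reachable."""
    settings, overrides = parse_sshd_config(text)
    findings = []
    for keyword, allowed in REQUIRED.items():
        effective = settings.get(keyword, DEFAULTS[keyword])
        if effective not in allowed:
            source = "set" if keyword in settings else "default"
            findings.append(
                f"global: {keyword} is '{effective}' ({source}), "
                f"expected {sorted(allowed)}")
    for lineno, condition, keyword, value in overrides:
        if keyword in REQUIRED and value not in REQUIRED[keyword]:
            findings.append(
                f"line {lineno}: Match {condition} sets {keyword} '{value}'")
    return findings


if __name__ == "__main__":
    for finding in audit_sshd_config(WEAK_CONFIG):
        print(finding)
```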

Conceptual Diagram:

+---------------------+
| Application Layer   |  (WAF, Access Control, Encryption)
| SOAP/REST/HTTP      |  (HTTPS)
+---------------------+
           |
           v
+---------------------+
| Network Layer       |  (Firewall - Allow HTTPS)
+---------------------+
           |
           v
+---------------------+
| Host Layer          |  (SSH key-based auth)
+---------------------+
           |
           v
+---------------------+
| IaaS Infrastructure |  (Virtual Machines, Storage, Network)
+---------------------+

Key Points:

● This approach emphasizes secure communication protocols at each layer.
● HTTPS provides encryption for application layer protocols (SOAP, REST, HTTP).
● SSH with key-based authentication secures access to the host layer.
● Remember, the specific protocols and libraries used may vary depending on your needs
and the IaaS provider's offerings.

M2

2.1. Compare and contrast On-premise and Cloud computing technologies.


R-2.4 - client server architecture diagram ( Client - user, Server - database, and
intermediary - CSP, which acts as the main authority)

Para virtualization diagram (another diagram to be included)

Threat concerns - VM threat, multitenant, Hypervisor attack, misconfiguration of
physical resources

2.4. Illustrate different cloud security threats faced in cloud computing as per Customer
and CSP perspectives.

Customer Perspective:

1. **VM Vulnerabilities**:

- Concerned about VM security both when running and powered-off.

- Seeks assurance that VM images are encrypted and protected during migration.

- Expects cloud service provider (CSP) to implement robust security measures for VM
templates.
2. **VM Theft**:

- Worried about unauthorized copying or movement of VMs.

- Expects CSP to enforce strict copy and move restrictions to prevent theft.

- Requires assurance that VMs are bound to specific physical machines to prevent unauthorized
use.

3. **VM Escape and Hyperjacking**:

- Concerned about VM escape and rogue hypervisors compromising data.

- Expects CSP to implement measures like secure hypervisor launching and hardware-level
scanning to prevent attacks.

- Seeks assurance that regular security measures are in place and effective against
hyperjacking.

4. **Data Leakage**:

- Worried about unauthorized access or manipulation of confidential data stored on third-party
clouds.

- Expects CSP to ensure end-to-end data protection and evaluate all parties' access to data.

- Concerned about side-channel attacks (SCA) like cross-VM SCA and expects CSP to address
these risks.

5. **Denial of Service (DoS) Attack**:

- Concerned about malicious VMs consuming server resources and disrupting services.

- Expects CSP to implement measures to restrict VM resource consumption and mitigate DoS
attacks.

- Requires assurance that proper monitoring and response mechanisms are in place to address
DoS threats.
CSP Perspective:

1. **VM Vulnerabilities**:

- Implement encryption and protection measures for VM images.

- Ensure secure migration processes to prevent unauthorized access.

- Enforce access controls and encryption for VM templates.

2. **VM Theft**:

- Enforce strict copy and move restrictions to prevent unauthorized VM theft.

- Implement measures to bind VMs to specific physical machines.

- Monitor and audit VM access to detect and prevent unauthorized activities.

3. **VM Escape and Hyperjacking**:

- Implement secure hypervisor launching and hardware-level scanning to prevent VM escape
and hyperjacking.

- Regularly assess hypervisor integrity and detect rogue hypervisors.

- Implement security measures to prevent unauthorized applications from running on guest OS.

4. **Data Leakage**:

- Implement end-to-end data protection measures and evaluate all parties' access to data.

- Address side-channel attack risks like cross-VM SCA through careful client placement.

- Implement encryption and access controls to protect against unauthorized data access.

5. **Denial of Service (DoS) Attack**:

- Implement measures to restrict VM resource consumption and mitigate DoS attacks.

- Monitor and respond to abnormal resource usage patterns to detect and mitigate DoS threats.

- Implement network-level protections to prevent exploitation of communication weaknesses.

R-2.6 - Data security, Identity security (authentication), Access security (authorization),
communication Network area - CPU: Interprocess communication, API, encryption tech
for sharing data, NIC: Router, spoofing, phishing, hyperlinks, attack security protocol

2.6. How does cloud computing present a unique risk to the traditional concept of data,
identity, and access management traversing infrastructure? (more to be added)

In addition to the risks and threats inherent in traditional IT computing, cloud computing
presents an organization with its own set of security issues.

Cloud computing Risk to Privacy Assurance and Compliance Regulations:

1. How cloud computing presents a unique risk to the traditional concept of data,
identity, and access management traversing infrastructure.

2. How those risks and threats may be unique to cloud service providers (CSPs).

CIA Triad:

The fundamentals of information security are:

Confidentiality, Integrity, and Availability.

Confidentiality:

Prevention of intentional or unintentional unauthorized disclosure of contents.

Loss of confidentiality can occur in many ways, such as through the intentional release of
private company information or through a misapplication of network rights.

Telecommunication elements to ensure confidentiality are:

○ Network Security Protocols.

○ Network Authentication Services.

○ Data Encryption Services.


Integrity:

Guarantee the message sent is the message received and that the message is not intentionally or
unintentionally altered.

Elements to ensure Integrity are:

○ Firewall Services.

○ Communications Security Management.

○ Intrusion Detection Services.

Availability:

Create reliability and stability in networks and systems.

It ensures connectivity is accessible when needed.

Allowing authorized users to access the network or systems.

Elements to ensure availability are:

○ Fault tolerance for data availability – Backups and Redundant Disk systems.

○ Acceptable Logins and Operating Process Performance.

○ Reliable and interoperable security processes and Network security mechanisms.

Other concepts in Traditional IT & Cloud Computing are:

○ Identification: The means by which users claim their identities to a system. Mostly used
for Access Control, Identification is necessary for Authentication and Authorization.

○ Authentication: Testing of evidence of a user’s identity.

○ Authorization: The rights and permissions granted to an individual or process that
enable access to a computer resource.

○ Accountability: A system’s capability to determine the actions and behaviors of a
single individual within a system and to identify that particular individual. Audit trails
and Logs support accountability.

○ Privacy: The level of confidentiality and privacy protection given to a user in a
system.

M3

R-3.1 - Architecture diagram in 3.1, description, pros and cons, Functions of modules
3.1. Explain the functional modules of cloud security architecture with a neat diagram.

Cloud security architecture is often called cloud computing security architecture. It consists of
security layers, design and structure of infrastructure, tools, software, platform, and best
practices adopted within a cloud security solution. A cloud security architecture provides a visual
and written model to establish how to secure and configure activities and operations in cloud;
methods and controls in place for protection of applications, data; approach towards visibility in
compliance, threats, and overall security posture.

Cloud Security Architecture - Principles (PSC in DU AI in CS)

Identification: Overall cloud resource repository knowledge involving users, assets, business
environment, policies, vulnerabilities, threats, risk management strategies which exist

Controls for security: Parameters and policies implemented across users, assets, data, and
infrastructure to manage overall security posture.
Security by Design: Standardized and repeated deployment of common use cases with security
controls, standards, and audit requirements.

Compliance: Integration of industry standard and regulatory standards into cloud architecture to
meet the requirements.

Perimeter Security: Management of connection points between corporate networks and public /
external networks.

Segmentation: Segregation of sections of the cloud network to prevent lateral movement of
attackers.

User Identity and Access Management: Visibility, understanding, and control on all users
which have access to cloud assets. Access, permissions, and protocol enforcement.

Data Encryption: Data at Rest and data in motion is encrypted to minimize breach impact.

Automation: Rapid security and configuration provisioning and quick threat detection.

Logging and Monitoring: Activities are captured and monitored related to all connected
systems and cloud-based services to ensure operations visibility, compliance, and early detection
of threats.

The seven core principles include: (SUVNACA)

1. Security by Design: Cloud architecture design should implement security controls that are not
vulnerable to security mis-configurations. For example, if a cloud storage container holds
sensitive data, external access should be locked.

2. Visibility: Many organizations use multi-cloud and hybrid-cloud deployments that traditional
security solutions fail to protect. An effective strategy accounts for both the tools and the
processes to maintain visibility throughout an organization’s complete cloud-based
infrastructure.

3. Unified management: Security teams are often overworked and understaffed, and so cloud
security solutions must provide unified management interfaces. Teams must be able to centrally
manage a wide range of cloud security solutions from one pane of glass.

4. Network security: The cloud uses a shared responsibility model, and the organization is
responsible for securing traffic flows to and from cloud resources, and between the public cloud
and on-premise networks.

5. Agility: The cloud fosters development and deployment of new solutions. Security should not
inhibit this agility. Organizations can use cloud-native security solutions that integrate seamlessly
into the agile development lifecycle.

6. Automation: Automation is critical to swift provisioning and updating of security controls in
a cloud environment. It can also help identify and remediate mis-configurations and other
security gaps in real time.

7. Compliance: Regulations and standards like GDPR, CCPA, and PCI/DSS protect both data
and processes in the cloud.

Cloud Security Architecture – Affecting Factors

Continuous Engagement Model: Continuous release of software updates and cloud features
makes fixed engagement models obsolete.

Security from the Cloud: Incorporate security capabilities from the cloud to reduce enablement
time and ongoing maintenance costs (hardware, software, time, and effort).

Security of the Cloud: Ensure coverage of all cloud assets including software as a service
(SaaS) applications, platform as a service (PaaS) applications and services.

Identity Integration: Security architects should ensure tight alignment with identity teams to
help organizations meet the dual goals of enabling productivity and providing security
assurances.

Cloud Security Solutions

Several common technologies help organizations to secure their cloud deployments:

Cloud Workload Protection Platform (CWPP)

Cloud Security Posture Management (CSPM)

Cloud Access Security Broker (CASB)

eXtended Detection and Response (XDR)

SaaS Security Posture Management (SSPM)

R-3.3 - (2.6 + 1.8), Infrastructure core Components of only Network level, Network
Topology, protocol of that topology (TCP, UDP) and which other security protocols can be
added in them

3.3. Illustrate the Infrastructure core component security functionalities with suitable
diagrams.

Network-Level Security Components

● Network Devices:
○ Firewalls: Filter incoming and outgoing traffic based on security policies (e.g.,
allow SSH access on port 22, deny all other inbound traffic).
○ Routers: Direct network traffic between different networks. Security concerns
include misconfigurations allowing unauthorized access or incorrect routing.
○ Network Intrusion Detection/Prevention Systems (NIDS/NIPS): Monitor network
traffic for suspicious activity and can take actions to block attacks.
● Network Topologies:
○ Common topologies include bus, star, mesh, and hybrid. The choice of topology
can impact security (e.g., a star topology with a central firewall offers better
control compared to a bus).
● Network Protocols:
○ TCP (Transmission Control Protocol): Provides reliable, ordered data delivery
with error checking and retransmission. Suitable for large file transfers and
applications requiring guaranteed delivery.
○ UDP (User Datagram Protocol): Offers connectionless, best-effort data delivery.
Faster than TCP but less reliable. Suitable for real-time applications where speed
is critical (e.g., streaming media).

Layered Security Approach

Building upon network-level security, a layered approach strengthens cloud security:

1. Application Layer Security:


○ Secure coding practices to prevent vulnerabilities in applications.
○ Web Application Firewalls (WAFs) to filter malicious traffic targeting web
applications.
○ Access controls to restrict unauthorized access to applications and data.
○ Data encryption at rest and in transit (e.g., HTTPS).
2. Network Layer Security (as discussed above): Firewalls, routers, NIDS/NIPS
3. Host Layer Security:
○ Operating system hardening to reduce the attack surface of virtual machines.
○ Antivirus and anti-malware software to detect and remove malicious code.
○ Patch management to ensure VMs are up-to-date with the latest security patches.
○ User access controls and strong password policies.
R-3.7 - steps of creating a VM and Virtualization techniques in Para Virtualization
(physical, OS, hypervisor, VM)

Communication channel - installation of SSH in client side area (frontend area) using
asymmetric algo (encryption by user and another encryption by Proxy server - last
diagram)

3.7. Demonstrate the procedure for creating a Virtual Machine using virtualization
software and provide security to the communication channel that ensures confidentiality.

1. Select a machine type (or size) – a ratio between the amount of virtual CPU
(vCPU) and memory, according to their requirements (general-purpose,
compute-optimized, memory-optimized, and so on).
2. Select a preinstalled image of an operating system (from Windows to Linux flavors).
3. Configure storage (adding additional volumes, connecting to file sharing services,
and others).
4. Configure network settings (from network access controls to micro-segmentation,
and others).
5. Configure permissions to access cloud resources.
6. Deploy an application.
7. Carry out ongoing maintenance of the operating system.

Diagram:

+--------------------+         +-----------------+         +-----------------+
| Client Machine     | ------> | Proxy Server    | ------> | Server (VM)     |
| (Frontend Area)    |         | (Optional)      |         |                 |
+--------------------+         +-----------------+         +-----------------+
          | Asymmetric Encryption                                   |
          | (Public Key)                                            |
          v                             v                           v
+--------------------+         +-----------------+         +-----------------+
| User's Private Key | ------> | Encrypted Data  | ------> | Decrypted Data  |
+--------------------+         +-----------------+         +-----------------+
          |                             | (Private Key)             |
          v                             v
          SSH Connection (Secure Shell)

M4:
R-4.4 - IAAS VPC Management (textbook), select 5-6 topics and elaborate them, pdf - 148
page No (book - 128)
4.4. Discuss the security responsibilities of customer and provider on IaaS VPC
Management.
IaaS VPC management focuses on the CSP-managed infrastructure, as well as the customer
infrastructure interfacing with the IaaS service. IaaS VPC management diverges from SaaS and
PaaS in that the infrastructure delineation, network boundary between customers, and CSP
infrastructure are blurred. For each layer of infrastructure (network, host, storage), the
customer and CSP have responsibilities in managing VPC in the respective layers from their
perspective (i.e., the CSP is responsible for the common CSP infrastructure available to all
customers, and the customer is responsible for the virtual infrastructure available to the
customer for the duration of use). Hence, a VPC management program should address both
the common and shared infrastructures.
IaaS provider responsibilities
In general, an IaaS CSP is responsible for VPC management of the infrastructure that is owned
and operated by the CSP, as well as the third-party infrastructure and services they may rely
on. The VPC management scope should include:
• Systems, networks, hosts (hypervisors), storage, and applications that are CSP-owned and
operated
• Systems, networks, hosts, storage, and applications that are managed by third parties
• The web console or management station used by customers to manage their virtual
infrastructure
• Personal computers owned by the IaaS employees and contractors
IaaS customer responsibilities
IaaS customers are responsible for VPC management of the virtual infrastructure allocated by
an IaaS CSP for customer use. The VPC management scope should include:
Virtual servers
This includes VMs that are active or dormant. The VPC management process of VMs must
consider the OSs of the virtual servers and customize the program accordingly (e.g., Fedora
Linux, Solaris 10, Windows 2003). Customers are advised to follow the standard practice
in managing VMs, which includes:

Image standardization via a security-by-default approach
Customers are advised to standardize the image after sufficiently hardening it using
the security-by-default approach. Loss of security by default is more apparent in the
early days of cloud services, until experience and best practices catch up. The
security-by-default concept is the implicit security existing in day-to-day operations.
Configuration standards
The OS, applications server, database, and web server must be installed and
configured in accordance with least-privilege and security hardening principles to
reduce their overall attack surface. For example, the Center for Internet Security
publishes Internet security benchmarks for major OS, databases, and application servers
based on recognized best practices for deployment, configuration, and operation of
networked systems. The center’s security-enhancing benchmarks encompass all three
factors in Internet-based attacks and disruptions: technology (software and
hardware), process (system and network administration), and human (end user and
management behavior).
Configuration management
This refers to centralized configuration management where the appropriate
configuration information is necessary to manage a large number of nodes and zones
in a public IaaS cloud. Numerous configuration management tools are available,
including open source tools (e.g., Puppet) and tools from commercial vendors such
as BMC, Configuresoft, HP, Microsoft, and IBM. However, configuration
management of virtual servers hosted in the cloud will require customization per CSP,
given the uniqueness of the CSP-specific management API.
Network access policies
Firewalling is heavily used to establish security zones for applications hosted in an IaaS
cloud, and network zoning plays a large role in the security architecture. The configuration
of network policies that permit traffic in and out of a customer infrastructure should be
carefully managed to mitigate risk due to improper configuration. Improper configuration
of network access policies can expose vulnerable services to crackers on the Internet.
Policies are typically grouped into the following trust categories:
Internet policy
Allow traffic between customer virtual servers and hosts on the Internet (e.g., allow
only ports 22, 80, and 443 to servers). Deny all outbound traffic initiated from
customer virtual servers.
Zone policy
Allow traffic between virtual servers within the cloud (e.g., allow port 3306 [MySQL]
from server zone A to server zone B).

R-4.5 - textbook 2
4.5. Summarize the responsibilities of customers and cloud service providers (CSPs) for
both intrusion detection and incident response functions.
When discussing the responsibilities of customers and Cloud Service Providers (CSPs) for
intrusion detection and incident response, it's important to understand that these responsibilities
can vary depending on the type of cloud service model being used: Infrastructure as a Service
(IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS). Here is a general summary
of the responsibilities for both parties:

Intrusion Detection

Cloud Service Providers (CSPs):

Infrastructure Security: CSPs are responsible for securing the underlying infrastructure that
includes the physical data centers, network, and hardware. This includes implementing security
measures to protect against physical and network intrusions.
Security Tools: CSPs provide tools and services for intrusion detection, such as security
monitoring services, logging, and alerting systems.
Compliance: CSPs ensure that their infrastructure complies with relevant security standards and
regulations, providing audit reports and certifications to customers.
Customers:

Application and Data Security: Customers are responsible for securing their own applications
and data that run on the cloud infrastructure. This includes configuring the security settings of
their virtual machines, databases, and applications.
Using CSP Tools: Customers need to correctly configure and use the security tools provided by
the CSP for intrusion detection, such as enabling logging and setting up alerts.
Custom Intrusion Detection: Customers may deploy additional intrusion detection systems (IDS)
to monitor their specific applications and data, which involves setting up and managing these
systems.
Incident Response
Cloud Service Providers (CSPs):

Infrastructure-Level Incidents: CSPs handle incidents that affect the underlying cloud
infrastructure, such as DDoS attacks, hardware failures, and breaches at the infrastructure level.
Notification: CSPs notify customers of any incidents that could potentially impact their services
and provide updates on the status and resolution of these incidents.
Support: CSPs offer support and guidance to customers during incident response, including
access to incident response teams and forensic services.
Customers:

Application-Level Incidents: Customers are responsible for responding to incidents that affect
their own applications and data. This includes detecting, analyzing, and mitigating breaches or
attacks at the application level.
Incident Response Plan: Customers should develop and maintain an incident response plan
tailored to their cloud environment, including steps for detection, containment, eradication, and
recovery.
Coordination with CSPs: During an incident, customers need to coordinate with the CSP to
leverage the provider's expertise and tools for effective incident management and to understand
the scope and impact of the incident on the infrastructure.
Forensic Analysis: Customers are responsible for conducting forensic analysis on their own data
and applications to determine the cause and impact of the incident, while potentially leveraging
CSP-provided forensic tools and services.
Summary
The division of responsibilities between customers and CSPs for intrusion detection and incident
response is generally aligned with the layers of control each party has in the cloud service model
being used. CSPs focus on securing and managing the cloud infrastructure and providing tools
and support, while customers are responsible for securing their applications and data, using the
provided tools effectively, and managing their own incident response processes. Effective
collaboration and clear communication between customers and CSPs are essential for robust
intrusion detection and efficient incident response.
National Institute of Standards and Technology (NIST) defines the following stages for
conducting incident response:
• Preparation – Prepare up-to-date contact information for the people taking part in
the incident response process, prepare a system to document incident response
activities, prepare a workstation for forensics purposes, and so on.
• Detection and analysis – Collect audit logs and change management logs to detect
anomalies (such as multiple failed logons or changes to configuration files), and
analyze gathered information, from IDS/IPS logs to website defacement events,
and so on.
• Containment, eradication, and recovery – Identify the attacking host, conduct
removal actions (such as removing malware from an infected host), and return
systems to normal activity (return clean hosts to production).

• Post-incident activity – Conduct lessons-learned and update procedures to
minimize the chances of similar attacks happening again.

R-4.7 - only for Google Cloud


4.7. As a Google Cloud user, analyze the different technical requirements that help
digital forensics. (Taken from Google Gemini; add something better if you find it.)
As a Google Cloud user, several technical aspects can aid in digital forensics investigations:

● Preserving Evidence: Google Cloud Storage (GCS) offers secure and tamper-evident
storage for digital evidence. This ensures the integrity of data collected during the
investigation.
● Maintaining Chain of Custody: GCP's logging and auditing tools provide detailed
records of user activity and data access. This meticulous documentation helps maintain a
clear chain of custody, crucial for legal proceedings.
● Data Encryption: Google Cloud offers encryption options for data at rest and in transit.
Encryption safeguards sensitive information and potential evidence from unauthorized
access.
● Forensic Imaging: GCP allows creating forensic disk images of cloud virtual machines.
These images capture the entire state of the virtual machine at a specific point in time,
enabling a comprehensive forensic analysis.
● Cloud Logs Analysis: GCP generates comprehensive logs for various services and
resources. Analyzing these logs can reveal suspicious activity or provide valuable
insights into the timeline of events during a security incident.
● Network Traffic Analysis: Network traffic logs within GCP can be examined to identify
potential intrusions or data exfiltration attempts.
● Isolation and Acquisition: When a security incident is suspected, GCP allows isolating
infected virtual machines to prevent further contamination. Tools can then be used to
acquire forensic data from the isolated environment.

Remember, these are technical capabilities. For a successful digital forensics investigation, you'll
also need a well-defined incident response plan and qualified personnel to collect, analyze, and
interpret the evidence according to best practices.

M5:
R-5.4 - textbook
5.4. Illustrate the steps to build an automated event management in Google Cloud
Platform.

1) Automate Infrastructure Buildout: By automating infrastructure buildout, engineers are
relieved from manually configuring security groups, networks, user access, firewalls, DNS
names, and log shipping, among others. This significantly reduces the scope for engineers to
make security mistakes. Moreover, with automation the security team need not worry about best
practices every time they spin up a new instance, as they only have to touch the scripts, not the
instances, to make changes.
2) Automate Script: In traditional IT, a zero-day vulnerability or any other major security
issue requires an organization’s system engineers to work rigorously to patch every server
manually. However, automating scripts requires only a single line change in
the manifests to ensure the newly released version is running instead. These automation script
resources are declarative management tools that automatically configure instances, virtualized
servers, or even bare metal servers. Whenever a new instance is launched, these scripts get the
instance ready for production, including security configuration tasks like ensuring central
authentication, installing intrusion detection agents, and enabling multi-factor authentication.
3) Automate Deployments: Though automating deployments is one of the best practices in
DevOps implementation, it can also improve an organization’s security posture. When a zero-day
vulnerability appears, deployment automation ensures that changes made to the DevOps tool
script get automatically deployed across every instance or server. This makes it possible for a
single system engineer to respond to threats quickly.
4) Automate Security Monitoring: In the growing trend of hybrid and multi-cloud
environments that support individual applications, monitoring the entire infrastructure in a single
interface is imperative. During security attacks and downtime, it can be
resource-draining and time-consuming to identify and fix the problem. Automated security
monitoring gives engineers the intelligence they need to address threats and secure critical
assets.
5) Get Ready for the Future of Automation: Data balloons and hybrid environments will
become mainstream within the next few years, making the manual security approach
inadequate. Hence, now is the best time to develop or outsource an internal automation team.
Although achieving end-to-end process automation across hybrid environments may take months
or even years, it will prove infinitely more valuable than training employees to reduce human
error.
Benefits of cloud Automation
1. Reducing IT infrastructure expenses.
2. Enabling continuous deployment.
3. Making the most of the cloud.
4. Improving security and resilience.
5. Enhancing backup processes.
6. Taking governance to the next level.

R-5.5 - Services (IAAS, PAAS, SAAS), Expected attacks, defense strategies, how do you
apply Scripting techniques for this Automation.
5.5. As a Cloud Service Provider, how to build automated defensive strategies for all kinds of
services.
Cloud Security Automation, driven by advanced technologies and intelligent protocols, offers a
proactive and efficient approach to protecting against many cyber threats in real-time. In this
blog, we delve into the significance of Cloud Security Automation and explore how it empowers
businesses to fortify their digital fortresses while maintaining agility and resilience in the cloud
automation era.
While the cloud offers new opportunities to transform, modernize, and innovate, security
workflow automation remains the most significant hurdle to cloud adoption. Moreover, the
complexity of hybrid and multi-cloud environments further complicates the journey to cloud
automation.
Security automation uses technology to streamline and enhance an organization’s security
operations. It uses software and automated processes to handle tasks like threat detection,
incident response, and vulnerability management. By automating routine security tasks,
organizations can respond to threats more efficiently and reduce the risk of human error.

Automation of cloud security involves a 5-step strategy as follows:

1) Monitor
Your cloud capacity will always scale to meet all the operational needs. So, monitoring the
workflow of all the tasks in your cloud security operations automation is imperative. This
enables you to understand how each workflow is carried out.

2) Evaluate
In automating cloud security infrastructure, knowing and prioritizing the tasks to automate is the
first critical step. Closely monitoring the workflows helps to evaluate tasks that should be
automated, like repeated tasks, automated cloud deployments, resource provisioning, and
creating automation security rules.
3) Analyze
Do an in-depth analysis of the collected information based on low, medium, or high-risk severity.
Then, automate low-risk processes first, followed by medium and high. The in-depth analysis
also helps you do controlled automation and study the impact on infrastructure.
4) Automate and Report
The resulting analysis can now be pushed to integrated systems to automate the workflows.
Then, configure the automation processes to generate the reports that give the overview of the
changes before or after.
5) Remediate
By now, you will get a clear picture of cloud automation, irrespective of whether you started
automating simple or complex workflows. This enables you to implement remediation and
enhance the overall automation security posture.
GCP tasks can be automated with the gcloud command-line tool. The key points:

Automating GCP tasks with gcloud:
● You can script various GCP tasks like deploying code, analyzing logs, and managing
compute engine networks using gcloud commands.
● Flags like --filter and --format help structure the output and extract specific information.
● This allows non-interactive management of GCP resources and projects through scripts.

Script for deleting terminated VMs:
1. Listing Terminated VMs:
○ gcloud compute instances list --filter="status=terminated" lists terminated VMs.
○ --format=text --limit=1 displays just the first VM (for initial testing).
2. Extracting Zone Information:
○ --format="value(zone)" extracts the zone info from the list command.
3. Deleting VM with zone:
○ The script iterates through terminated VMs using a while loop.
○ Inside the loop:
■ echo statements display information about the VM.
■ gcloud compute instances delete $name --zone=$zone --quiet deletes the
VM with extracted zone information and avoids confirmation prompts.

Important Note:
● This script permanently deletes terminated VMs. Use with caution!

Iterating through Running VMs:
● The example shows iterating through running VMs in the us-central1 zone with a specific
filter.

Free Space Check on VMs:
● The script outlines checking free memory on VMs using gcloud compute ssh and
commands within the loop.

Potential Script Improvement:
The script can be improved by adding error handling and logging for better monitoring and
debugging.
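The terminated-VM cleanup outlined above, written out with the error handling and logging suggested under Potential Script Improvement. This is an added example, not the script the notes summarize: DRY_RUN, LOG_FILE, RUN_CLEANUP and the function names are assumptions, and zone.basename() is used so that --zone receives the short zone name.

```shell
#!/bin/sh
# Added example (not from the original notes): delete TERMINATED Compute Engine
# VMs with logging, error handling and a dry-run default.
# Assumptions: DRY_RUN, LOG_FILE and RUN_CLEANUP are names chosen for this example.

DRY_RUN="${DRY_RUN:-1}"              # anything but 0 = only report; 0 = really delete
LOG_FILE="${LOG_FILE:-cleanup.log}"
TAB="$(printf '\t')"                 # value() separates columns with a tab

log() {
  printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >>"$LOG_FILE"
}

# Emits one "name<TAB>zone" line per terminated VM.
list_terminated() {
  gcloud compute instances list --filter="status=terminated" \
    --format="value(name,zone.basename())"
}

# Prints "planned=N deleted=N failed=N"; returns 0 only if nothing failed.
cleanup_terminated() {
  planned=0; deleted=0; failed=0     # plain sh has no local variables
  if ! listing="$(list_terminated)"; then
    log "ERROR could not list instances; nothing deleted"
    return 2
  fi
  while IFS="$TAB" read -r name zone; do
    [ -n "$name" ] || continue       # empty listing yields one blank line
    if [ -z "$zone" ]; then
      log "ERROR $name has no zone; skipped"
      failed=$((failed + 1))
      continue
    fi
    planned=$((planned + 1))
    if [ "$DRY_RUN" != "0" ]; then
      log "DRY-RUN would delete $name in $zone"
    elif gcloud compute instances delete "$name" --zone="$zone" --quiet \
           >>"$LOG_FILE" 2>&1 </dev/null; then   # keep gcloud off the loop's stdin
      log "DELETED $name in $zone"
      deleted=$((deleted + 1))
    else
      log "ERROR delete failed for $name in $zone"
      failed=$((failed + 1))
    fi
  done <<EOF
$listing
EOF
  echo "planned=$planned deleted=$deleted failed=$failed"
  [ "$failed" -eq 0 ]
}

# Runs only when asked, e.g.: RUN_CLEANUP=1 DRY_RUN=0 sh cleanup.sh
if [ "${RUN_CLEANUP:-0}" = "1" ]; then
  cleanup_terminated
fi
```

Run it once with the default DRY_RUN=1 and review the log before setting DRY_RUN=0; a non-zero exit status means at least one VM could not be listed or deleted.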


R-5.7 - 3.7 + for Hadoop : SSH Software, software module for Keygen, Command under
SSH to generate the key under asymmetric Key Generation (keygen RSA command) here
any algorithm can be called like AES, RSA etc.
RSA, SSH Implementation, log file after key generation, amount of data in logs,
Certification, session time, the same asymmetric algo will be used by server for encryption
Diagram - Simple encryption techniques to ensure confidentiality - Cloud Server -> user ->
encryption technique for confidentiality.

5.7. Analyze the confidentiality strength of cloud user’s data on symmetric and asymmetric
algorithms by using SSH security protocol?
Confidentiality Strength of Cloud User's Data Using Symmetric and Asymmetric Algorithms
with SSH Security Protocol
1. Introduction

When securing cloud user data, understanding the confidentiality strengths of both symmetric
and asymmetric encryption algorithms within the SSH protocol is essential. SSH (Secure Shell)
uses these algorithms to ensure secure communication over potentially insecure networks.

2. Symmetric vs. Asymmetric Algorithms

Symmetric Algorithms: Use a single key for both encryption and decryption (e.g., AES).
Asymmetric Algorithms: Use a pair of keys (public and private) for encryption and decryption
(e.g., RSA).
SSH Security Protocol
SSH employs both symmetric and asymmetric encryption to secure data transfer. Initially,
asymmetric encryption (e.g., RSA) is used for key exchange, and then a symmetric algorithm
(e.g., AES) encrypts the data session.

3. Key Generation and SSH Implementation

Key Generation
Asymmetric Key Generation (RSA):
ssh-keygen -t rsa -b 2048
This command generates a 2048-bit RSA key pair for use in SSH.
Symmetric Encryption (AES)
AES Key Usage in SSH:
AES keys are generated and used for encrypting data during an SSH session, following the key
exchange process.
Steps Involved in Ensuring Confidentiality
Key Exchange:
RSA Key Pair Generation:
The client generates an RSA key pair using ssh-keygen.
Server Receives Public Key:
The server receives the public key and encrypts session keys.
Session Establishment:
Session Key Exchange:
Using RSA, the client and server exchange session keys securely.
Symmetric Encryption (AES):
The session keys are used to initiate symmetric encryption with AES for the data transfer.
Data Encryption and Transmission:

Data Encryption:
The data transmitted between the client and server is encrypted using the AES algorithm.
Confidentiality:
AES ensures high confidentiality due to its strong encryption capabilities.
Diagram - Simple Encryption Techniques to Ensure Confidentiality

Analysis of Confidentiality Strength


RSA (Asymmetric Encryption):

Confidentiality: Strong due to the use of large key sizes (2048-bit or higher).
Vulnerabilities: Potential risks if keys are not managed securely.
AES (Symmetric Encryption):

Confidentiality: Very strong, especially with key sizes of 128, 192, or 256 bits.
Performance: Faster than RSA, suitable for encrypting large volumes of data.
SSH Protocol:
Confidentiality: High due to the combination of RSA for secure key exchange and AES for data
encryption.
Security Measures: Regular key regeneration, secure key storage, and periodic updates to
encryption algorithms enhance overall confidentiality.
Conclusion
The combination of symmetric and asymmetric encryption algorithms within the SSH protocol
provides robust confidentiality for cloud user data. RSA ensures secure key exchange, while
AES offers efficient and strong data encryption. Proper implementation and management of
these cryptographic techniques are crucial to maintaining high confidentiality in cloud
environments.
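A check for the two risk factors named in the analysis above, RSA key size and private-key storage, built around the output of ssh-keygen -l -f. It is an added example, not part of the original notes; the function names and the MIN_RSA_BITS variable are assumptions, with the 2048-bit floor taken from the analysis.

```shell
#!/bin/sh
# Added example (not from the original notes): audit an SSH key pair's
# strength and storage. Function names and MIN_RSA_BITS are assumptions.

MIN_RSA_BITS=2048   # floor used in the analysis above

# Classify one line of `ssh-keygen -l -f <key>` output, which looks like:
#   2048 SHA256:<fingerprint> <comment> (RSA)
classify_fingerprint() {
  line="$1"
  bits="${line%% *}"             # first field: key size in bits
  ktype="${line##*\(}"           # text after the last "("
  ktype="${ktype%\)}"            # drop the closing ")"
  case "$bits" in
    ''|*[!0-9]*) echo "UNPARSEABLE"; return 2 ;;
  esac
  if [ "$ktype" = "RSA" ] && [ "$bits" -lt "$MIN_RSA_BITS" ]; then
    echo "WEAK RSA-$bits"; return 1
  fi
  echo "OK $ktype-$bits"
}

# A private key must carry no permission bits for group or other.
private_key_perms_ok() {
  mode="$(ls -ld "$1" 2>/dev/null | cut -c5-10)"
  [ "$mode" = "------" ]
}

# Audit a key pair given the private key path (public key is <path>.pub).
audit_key() {
  key="$1"; rc=0
  if ! fp="$(ssh-keygen -l -f "$key.pub" 2>/dev/null)"; then
    echo "$key: cannot read public key"; return 2
  fi
  verdict="$(classify_fingerprint "$fp")" || rc=1
  echo "$key: $verdict"
  if ! private_key_perms_ok "$key"; then
    echo "$key: private key is accessible to group/other; run chmod 600"
    rc=1
  fi
  return "$rc"
}

# Usage: sh audit.sh ~/.ssh/id_rsa
if [ "$#" -gt 0 ]; then
  audit_key "$1"
fi
```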
