Cloud Computing Basic


Cloud Computing

(213INT3314)

UNIT 2
HARDWARE AND ARCHITECTURE

( Unit – 2 )

Dr. V.Sivakumar
AP / IT
UNIT 2: HARDWARE AND ARCHITECTURE

Clients-Security-Network-Services. Accessing the cloud: Platforms-web
applications-web APIs-web browsers. Cloud storage: overview-providers.
Standards: application-client-infrastructure-service.
Clients

• The clients on your end users’ desks are how you will interact with the cloud.
• This section covers the different types of clients and how they can be configured to communicate with the cloud.
• There are different types of clients that can link to the cloud, and each one offers a different way for
you to interact with your data and applications.
Mobile
• Mobile clients range from laptops to PDAs and
smartphones, like an iPhone or BlackBerry. You’re not likely to
utilize a particularly robust application on a PDA or smartphone,
but laptop users can connect to the cloud and access applications.
• Mobile clients, of course, have security and speed concerns.
Thin Clients
• Thin clients are client computers that have no hard drives, no
DVD-ROM drives, and simply display what’s on the server.
• They are useful only if you have an in-house cloud.
• If a client only needs to access cloud-based services or is accessing a
virtualized server, then thin clients are a great option.
• They’re less expensive than thick clients, are much less expensive to
maintain, and use less energy.
Thick clients
• Thick clients are good choices if users need to maintain files
on their own machines or run programs that don’t exist on the
cloud.
• Security-wise, thick clients are more vulnerable to attack than
thin clients.
• Since data is stored on the machine’s hard drive, if the
machine is stolen then the data could be compromised.
Security

• Security is an issue when it comes to cloud computing, and that only makes
sense. Since a third party stores your data, you don’t know what’s going on
with it.
• Data leakage in the context of cloud computing refers to the unauthorized or
unintentional exposure of sensitive information stored in the cloud to
unauthorized parties.
Causes of Data Leakage in the Cloud:
❖ Inadequate Access Controls:
   • Cause: Improperly configured access controls may allow unauthorized users
     to access sensitive data.
   • Prevention: Implement strong access controls, regularly review and update
     permissions, and follow the principle of least privilege.
❖ Insufficient Encryption:
   • Cause: Data that is not adequately encrypted is vulnerable to interception
     and unauthorized access.
   • Prevention: Use strong encryption protocols for data both in transit and at
     rest. Implement encryption key management practices.
❖ Weak Authentication:
   • Cause: Weak or compromised passwords can lead to unauthorized access
     to cloud accounts.
   • Prevention: Enforce strong password policies, implement multi-factor
     authentication (MFA), and regularly audit and update credentials.
❖ Insecure APIs:
   • Cause: Vulnerabilities in application programming interfaces (APIs) can be
     exploited to gain unauthorized access to data.
   • Prevention: Regularly update and patch APIs, conduct security
     assessments, and adhere to industry best practices for API security.
❖ Data Transfer Issues:
   • Cause: Unprotected data during transit can be intercepted by attackers.
   • Prevention: Use secure communication protocols (e.g., HTTPS), encrypt
     data during transit, and implement secure file transfer practices.
❖ Lack of Data Loss Prevention (DLP) Measures:
   • Cause: Absence of DLP mechanisms can result in the unintentional sharing
     of sensitive information.
   • Prevention: Implement DLP solutions to monitor, detect, and prevent the
     unauthorized transfer of sensitive data.
Offloading Work
• Another security benefit isn’t so much a technology, but the fact that you don’t have to do it
yourself. It’s up to the cloud provider to provide adequate security.
• After all, can your organization afford 24/7 IT security staffing?
• The fact of the matter is that your cloud provider might offer more security features than you had
before.
• The fact that so many clients are paying allows cloud providers to have beefier security, simply
because of the economy of scale involved.
• That is, there are many paying clients so the provider is able to do more, because there is more
money in the pot. Plus it’s to the provider’s benefit to offer more, because they want to get a good
reputation.
Logging

• Logging plays a crucial role in cloud security by providing a detailed record of
activities and events within a cloud environment.
• Effective logging and monitoring help organizations detect and respond to
security incidents, troubleshoot issues, and maintain compliance with
regulatory requirements.
Key aspects of logging in cloud security:
1. Audit Logging:
Enable audit logging for all relevant services and resources in the cloud environment.
Record activities such as user logins, resource provisioning, configuration changes, and data
access.
2. Centralized Logging:
Aggregate logs from various cloud services and resources into a centralized logging solution.
Centralization facilitates easier analysis, correlation of events, and comprehensive visibility.
3. Event Types to Log:
Capture authentication and authorization events.
Log changes to security group rules, network configurations, and access control policies.
Record instances of resource creation, modification, and deletion.
Monitor for suspicious or anomalous activities.
4. Logging Storage and Retention
Choose a secure and scalable storage solution for logs.
Define retention policies to comply with regulatory requirements and for incident
investigation.
5. Encryption of Logs:
Ensure that logs are encrypted both in transit and at rest to protect sensitive
information.
Use secure protocols for log transmission.
6. Monitoring and Alerting:
Implement real-time monitoring for security events.
Set up alerts for specific events or patterns that may indicate a security incident.
Utilize cloud-native monitoring and alerting services.
7. Integrate with SIEM (Security Information and Event Management):
Integrate cloud logs with SIEM solutions for advanced analysis and correlation of
events.
Leverage SIEM capabilities for threat detection and response.
8. Access Control for Logs:
Implement strict access controls for log data.
Grant access only to authorized personnel and monitor access logs to detect
any unauthorized access.
9. Regular Log Analysis:
Conduct regular log analysis to identify patterns, anomalies, or potential
security incidents.
Use automated tools to assist in the analysis process.
10. Compliance Logging:
Ensure logging practices align with industry regulations and compliance
standards (e.g., GDPR, HIPAA, PCI DSS).
Maintain audit trails for compliance purposes.
11. Incident Response:
Develop and regularly test an incident response plan that includes the
use of logs for investigation and remediation.
Logs are essential for reconstructing events during and after an
incident.
12. Cloud Service Provider-Specific Logging:
Familiarize yourself with the logging capabilities provided by the cloud
service provider.
Leverage native logging features and services offered by the cloud
provider.
13. Periodic Review and Updates:
Regularly review and update logging configurations to adapt to
changes in the cloud environment and emerging security threats.
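The event types in item 3 and the alerting in item 6 can be illustrated with a small rule set run over centralized audit logs. This is an added example, not part of the original slides; the JSON field names, event names, threshold and sample log lines are constructed for illustration and do not match any particular provider's log schema.

```python
import json
from collections import Counter

# Constructed sample audit log lines (one JSON object per line).
SAMPLE_LOGS = """\
{"ts": "2024-01-10T09:00:01Z", "event": "ConsoleLogin", "user": "alice", "outcome": "failure"}
{"ts": "2024-01-10T09:00:05Z", "event": "ConsoleLogin", "user": "alice", "outcome": "failure"}
{"ts": "2024-01-10T09:00:09Z", "event": "ConsoleLogin", "user": "alice", "outcome": "failure"}
{"ts": "2024-01-10T09:01:00Z", "event": "ConsoleLogin", "user": "bob", "outcome": "success"}
{"ts": "2024-01-10T09:05:00Z", "event": "SecurityGroupRuleAdded", "user": "bob", "port": 22, "cidr": "0.0.0.0/0"}
{"ts": "2024-01-10T09:06:00Z", "event": "SecurityGroupRuleAdded", "user": "bob", "port": 443, "cidr": "10.0.0.0/8"}
{"ts": "2024-01-10T09:07:00Z", "event": "AuditLoggingDisabled", "user": "carol"}
not-json garbage line
"""

FAILED_LOGIN_THRESHOLD = 3          # assumed alerting threshold
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}  # rule sources that mean "anyone"

def analyze(log_text):
    """Return a list of (rule, user, detail) alerts for the given log text."""
    alerts, failures, unparsed = [], Counter(), 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            if not isinstance(rec, dict):
                raise ValueError("not a JSON object")
        except ValueError:  # json.JSONDecodeError is a ValueError subclass
            unparsed += 1   # count rather than drop: gaps in the trail matter
            continue
        event, user = rec.get("event"), rec.get("user")
        if event == "ConsoleLogin" and rec.get("outcome") == "failure":
            failures[user] += 1
            if failures[user] == FAILED_LOGIN_THRESHOLD:  # alert once per user
                alerts.append(("repeated_failed_login", user,
                               f"{FAILED_LOGIN_THRESHOLD} failures"))
        elif event == "SecurityGroupRuleAdded" and rec.get("cidr") in OPEN_CIDRS:
            alerts.append(("world_open_rule", user, f"port {rec.get('port')}"))
        elif event == "AuditLoggingDisabled":
            alerts.append(("logging_disabled", user, ""))
    if unparsed:
        alerts.append(("unparsed_lines", None, str(unparsed)))
    return alerts
```

In practice the same rules would run inside the centralized logging or SIEM platform; the point is that each alert maps to one of the event types the list says to capture.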
Forensics

• If there is a breach, the cloud provider can respond to the incident with less
downtime than if you had to investigate the breach locally.
• It is easy to build a forensic server online, and it costs almost nothing until it
comes into use.
• If there is a problem, the virtual machine can be cloned for easy offline
analysis.
• Further, many companies don’t have a dedicated in-house incident response
team.
• If there is a problem, IT staff have to quickly figure out their new job of taking
the server down, quickly investigating, and getting it back online for minimal
production downtime.
Development

• Even more good news is that security vendors aren’t in the dark about this
whole cloud thing.
• They are actively developing products that can apply to virtual machines and
the cloud.
• Security vendors also have a unique opportunity in the cloud.
• Since it’s new ground, there are new opportunities for the vendors who are
open-minded enough to imagine them.
Compliance

• The same security issues that your organization deals with are the sorts
of issues that SaaS providers face—securing the network, hardware
issues, applications, and data.
• But compliance adds another level of headache.
• Regulations like Sarbanes-Oxley (SOX), Gramm-Leach-Bliley (GLBA),
and HIPAA, and industry standards like the Payment Card
Industry Data Security Standard (PCI DSS) make things particularly
challenging.
Prior to SaaS, compliance could be managed by a few tasks:

• Identify users and access privileges
• Identify sensitive data
• Identify where it’s located
• Identify how it is encrypted
• Document this for auditors and regulators
Payment Card Industry Data Security Standard (PCI DSS)

• SaaS brings with it a number of regulations, including PCI DSS.
• Within PCI DSS are regulations for service providers.
• Requirement 12.8 of PCI mandates that service providers be compliant and contractually
acknowledge their responsibility for protecting credit card data.
Four subprovisions that regulate how data is maintained by a service provider
Unauthorized Exposure
• The first subsection requires that each client of the provider only has access to their own data.
• The important question to ask is how the SaaS provider’s system architecture prevents the
unauthorized exposure of data to other subscribers using the same service.
Credential Management
• A requires that access controls be held by the service provider and that the
controls only allow the client to be able to access that data and to protect
the data from others.
• Either the provider can maintain those controls or maintenance can be
done by connecting to the client’s access management system.
• If the SaaS provider handles access controls, the authentication credentials
are stored on the provider’s servers.
• While providers generally claim this method is safe and secure, use extra
caution.
• If there is a breach at the provider, then not only could your data be
compromised, but also your authentication credentials.
• Further, if the provider handles the authentication, you must keep careful
control of user accounts.
• If a user leaves your organization, their credentials need to be revoked,
and that’s easier to do in-house by your own IT staff than by relying on a
service provider.
• The best method is to have a direct connection with the company’s
directory services, like Active Directory or LDAP for authentication to the
SaaS. Many SaaS vendors offer this service.
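When the SaaS provider holds its own credentials instead of using the directory, the revocation step above becomes a periodic reconciliation of SaaS accounts against the directory. The following is an added example, not part of the original slides; the data layout, addresses and dates are constructed, and a real check would read a directory export and the provider's account list.

```python
from datetime import date

# Constructed sample data. Directory export: login -> (enabled, disabled_on).
DIRECTORY = {
    "alice@example.com": (True, None),
    "bob@example.com": (False, date(2024, 3, 1)),
    "carol@example.com": (False, date(2024, 2, 15)),
}
# Constructed SaaS account list: (login, active, last_login).
SAAS_ACCOUNTS = [
    ("Alice@Example.com", True, date(2024, 3, 20)),  # differs only in case
    ("bob@example.com", True, date(2024, 3, 10)),    # used after leaving
    ("carol@example.com", True, date(2024, 2, 1)),   # left, not used since
    ("dave@example.com", True, date(2024, 3, 5)),    # unknown to directory
    ("erin@example.com", False, None),               # already revoked
]

def accounts_to_revoke(directory, saas_accounts):
    """Return {login: reason} for active SaaS accounts with no enabled directory user."""
    known = {login.lower(): state for login, state in directory.items()}
    findings = {}
    for login, active, last_login in saas_accounts:
        if not active:
            continue                      # nothing left to revoke
        key = login.lower()               # logins compare case-insensitively
        if key not in known:
            findings[key] = "no directory entry"
            continue
        enabled, disabled_on = known[key]
        if enabled:
            continue
        if last_login and disabled_on and last_login > disabled_on:
            # Highest priority: the credential was used after the user left.
            findings[key] = "used after directory account was disabled"
        else:
            findings[key] = "directory account disabled"
    return findings
```

An account flagged as used after the directory account was disabled should be investigated as well as revoked.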
Logging
• Logging and audit trails are also mandated by Requirement 10 of PCI.
• Logs and audit trails are used for investigating incidents.
Reporting

• Service providers must “provide for timely forensic investigation” if there is a breach.
• The SaaS provider’s logs are internal and most likely not accessible by clients, so monitoring is
nearly impossible.
• Access to logs is required for PCI compliance, and auditors or regulators may request access to
them.
• As such, you should be sure to negotiate access to the provider’s logs as part of your service
agreement.
Thank You
