CC Uni3
CLOUD COMPUTING:
Cloud Computing is a type of technology that provides remote services on the internet to manage, access, and store data rather than
storing it on Servers or local drives. This technology is also known as Serverless technology. Here the data can be anything like
Image, Audio, video, documents, files, etc.
5. Lack of Skill –
Working with the cloud, shifting to another service provider, needing an extra feature, or learning how to use a feature are the main
problems for an IT company that doesn’t have skilled employees. So working with Cloud Computing requires a skilled person.
INFORMATION SECURITY
The term “information security” means protecting information and information systems from unauthorized access,
use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality and availability[13].
Here, integrity means guarding against improper information modification or destruction, and includes ensuring
information non-repudiation and authenticity. Confidentiality means preserving authorized restrictions on disclosure and
access, including means for defending proprietary and personal privacy information. And availability means ensuring
timely and reliable access to and use of information. Cloud computing provides computing and storage resources on
demand without the need for internal infrastructure which ensures cost-saving benefits. As the technology arrangement
becomes more popular, additional cloud computing security measures are necessary to ensure the continued protection
of the confidentiality, availability, and integrity of enterprise data.
Cloud computing changes the physical boundaries of data and the way that data is moved between trusted partners securely
and reliably. To ensure the latest security capabilities are being used properly, this capability of cloud computing will
require encryption and trust models to be constantly evaluated. By using the right service provider in the cloud, this
capability may be enhanced. To ensure information security, data storage and privacy security need to be considered.
Backup, archiving, multi-tenancy issues, recovery, privacy/privacy controls, prevention, malicious data aggregation,
encryption (at-rest, in-transit, key management, Federal Information Processing Standards/Federal Information Security
Management Act), digital signing/integrity, attestation, data leak prevention, etc. need to be considered for data
privacy security.
Table 3 compares six cloud service providers with regard to information security.
Table 3. Comparison on Information Security
Sl No | Cloud Service Provider’s Name | Description
1 Amazon AWS As part of normal operation, data stored in Amazon Elastic Block Store (EBS), Amazon S3 or
Amazon SimpleDB is redundantly stored in multiple physical locations. Amazon S3 and Amazon
SimpleDB provide object durability by storing objects multiple times across multiple
Availability Zones on the initial write. Further replication is actively done in the event of
device unavailability or detected bit-rot. AWS procedures include a decommissioning process
when a storage device has reached the end of its useful life. The process is designed to
prevent customer data from being exposed to unauthorized individuals. As part of the
decommissioning process AWS uses the techniques detailed in DoD 5220.22-M (“National
Industrial Security Program Operating Manual”) or NIST 800-88 (“Guidelines for Media
Sanitization”) to destroy data. In accordance with industry-standard practices, a hardware
device is degaussed or physically destroyed if the device is unable to be decommissioned.
2 Force.com Salesforce.com guarantees that customer's data is protected with physical security,
application security, user authentication and data encryption. It also ensures the latest
standard-setting security practices and certifications, including: ISO27001, SOX, SysTrust
certifications, third-party vulnerability and World-class security specifications SAS 70 Type II.
It provides secure point-to-point data replication for data backup: backup tapes for
customer data never leave the provider's facilities, so no tapes are ever in transport.
Salesforce.com uses 1024-bit RSA public keys and 128-bit VeriSign SSL Certification to ensure
the strongest encryption products protect customer data and communications. The lock icon in the
browser indicates that data is fully shielded from access while in transit. Customer's data
is stored on carrier-class disk storage using RAID disks and multiple data paths. On a
nightly basis, all customer data is automatically backed up to a primary tape library up to
the last committed transaction. To verify their integrity on a regular basis, backup tapes are
immediately cloned and moved to fire-resistant, secure, off-site storage[7].
3 Google App Engine App Engine provides a distributed NoSQL data storage service with transactions and a
query engine. The distributed datastore grows with data like the distributed web
server grows with traffic. Two different data storage options are available for customers. These
data storage options are differentiated by their availability and consistency guarantees. The App Engine
datastore is not like a traditional relational database. Here data objects, or "entities," have a
kind and a set of properties, and queries can retrieve entities of a given kind filtered and
sorted by those properties. Property values can be of any of the supported property value types.
Datastore entities are "schemaless": the structure of data entities is provided and enforced by the
customer’s application code. The datastore uses optimistic concurrency control and is strongly consistent. If
other processes are trying to update the same entity simultaneously, an update of an entity occurs
in a transaction that is retried a fixed number of times. To ensure the integrity of the customer’s
data, a customer application can execute multiple datastore operations in a single transaction
which either all fail or all succeed. Transactions are implemented across the distributed
network using "entity groups". A transaction manipulates entities within a single group.
For efficient execution of transactions, entities of the same group are stored together. When the
entities are created, the application can assign them to groups. In case of errors or system failure
Google can recover data and restore accounts, as it keeps multiple backup copies of
customers' content. When a customer asks to delete messages and content, Google makes
reasonable efforts to remove deleted information from its systems as quickly as is
practicable.
4 Rackspace For secure collaboration, disaster recovery, and data access, Rackspace provides Cloud Drive.
Cloud Drive automatically backs up any file type or file size, with no restrictions. Here, files are kept
secure using admin-controlled keys and AES-256 encryption.
5 GoGrid GoGrid offers the disaster recovery and backup solution i365 EVault SaaS for online data
protection. EVault SaaS is a cost-effective recovery and backup solution for small and
medium-sized businesses. It provides efficient, reliable, secure protection of an organization’s
critical data through the Internet. It automatically backs up server, desktop and laptop data from
across the customer’s organization. The customer can configure the retention schedule and
monitor their backups using a web browser. Customer’s data is deduplicated, compressed,
encrypted, and then transmitted to a vault in one of i365’s top-tier Datacenter.
6 Windows Azure To minimize the impact of hardware failures, Windows Azure replicates data within the Fabric to
three separate nodes. Customers can leverage the geographically distributed nature of the Windows Azure
infrastructure by creating a second Storage Account to provide hot-failover capability.
To synchronize and replicate data between Microsoft facilities, customers can create custom
roles. Customers can also create customized roles to extract data from storage for off-site
private backups. Strict hardware disposal processes and data handling procedures are followed
by Microsoft operational personnel after systems' end-of-life. Assets are classified to determine
the strength of security controls to apply. To determine required protections, a defense-in-depth
approach is taken. For example, data assets that fall into the moderate impact category are
subject to encryption requirements when they reside on removable media or when they are
involved in external network transfers. High impact data, in addition to those
requirements, is subject to encryption requirements for network transfers, storage and
internal systems as well. The SDL cryptographic standards list the acceptable and unacceptable
cryptographic algorithms, and all Microsoft products must meet those standards. For example,
keys longer than 128 bits are required for symmetric encryption. When using asymmetric
algorithms, keys of 2,048 bits or longer are required[12].
SECURITY, PRIVACY, AND TRUST
Security and privacy affect the entire cloud computing stack, since there is a massive use of third-party services and
infrastructures that are used to host important data or to perform critical operations. In this scenario, the trust toward providers is
fundamental to ensure the desired level of privacy for applications hosted in the cloud.
When data are moved into the Cloud, providers may choose to locate them anywhere on the planet. The physical location of
data centers determines the set of laws that can be applied to the management of data.
SECURITY MANAGEMENT IN THE CLOUD:
Security management in the cloud is a set of strategies designed to allow a business to use cloud applications and networks to
their greatest potential while limiting potential threats and vulnerabilities. This is often done with several independent tactics:
Identifying and assessing cloud services. First, you need to spend time identifying which cloud products and services are being used in
your organization, and which ones might be considered in the future. Then, you’ll need to assess and audit those items, analyzing their
security and potential vulnerabilities.
Auditing and adjusting native security settings. Within each application, you’ll have full control of your own privacy and security
settings. It’s on your cloud security team to understand which settings are available, and take full advantage of them to grant your
organization the highest possible level of security.
Encrypting data. In many cases, you’ll need to take extra efforts to prevent data loss and preserve data integrity by encrypting your
data and securing your connections. It’s your responsibility to allow legitimate network traffic and block suspicious traffic.
Managing devices. Cloud applications allow you to reduce the amount of physical infrastructure you maintain, but you and your
employees will still be accessing data and services with specific devices. You’ll need some way to manage and monitor those devices to
ensure only authorized devices can access your data.
Managing users. Similarly, you’ll need to consider user-level controls. Establish varying levels of user permissions, to restrict access to
your most valuable or sensitive information, and change user permissions as necessary to allow secure access.
Reporting. It’s also important to monitor cloud activity from a high level, and report on that activity so you can better understand your
risks and ongoing operations.
SECURING A CLOUD REFERENCE ARCHITECTURE
We show now how to build a SRA and present a metamodel to relate the concepts we use. Subsequent chapters provide
details of the steps. Remember that our objective is to show how to produce a SRA, not to present a complete one.
1. Procedure to define security services
We show a set of steps to find out what security services we need and where to insert them in the functional architecture. It is
not a methodology to build secure applications as the ones surveyed in [85]. The steps, described in Figure 2, include:
• We start from typical cloud use cases and their associated roles. Lists of cloud use cases and roles are shown in [4, 58,
45] (section 5).
• We analyze each use case looking for vulnerabilities and threats as in [7]. This implies checking each activity in the
activity diagram of each use case to see how it can be attacked. This approach results in a systematic enumeration
of threats. We use the list of threats from [43] to confirm these threats and to find possible further vulnerabilities and
threats.
• These threats are then expressed in the form of misuse patterns. We developed some misuse patterns for Cloud Computing
in [44], and we consider more of them here.
• We apply policies to handle the threats and we identify security patterns to realize the policies. There are some defenses
that come from best practices and others that handle specific threats. There are also regulatory policies which are
realized as security patterns. We use an example of Cloud Administration.
• We refine sections of the architecture and secure them, in similar fashion to get to the final model.
The justification of these steps is based on the fact that use cases define all possible interactions with the system if we
leave out the possibility that the attacker can have physical access to the cloud. If we analyze each activity in each use case
we can identify all threats for which we can later find defenses. We show now all the steps above, but first we present a
metamodel to relate our concepts.
Fig. 2 Securing a cloud Reference Architecture
2. A metamodel for securing clouds
Figure 3 relates our security concepts to each other. Threats take advantage of Vulnerabilities that can exist in any cloud
service level. A vulnerability is a flaw in the system implementation or in its configuration and use. A SRA is not concerned with
vulnerabilities, but with the use of them in its concrete instances by attackers to reach their goals (threats). Threats come
from analysis of Use Cases or from published Threat Lists [43, 73]. Each use case has a set of Roles that describe the
participants in the use case. We can stop a threat by removing the initial vulnerability or by controlling its propagation (by
removing other vulnerabilities) through the use of a Security Pattern. The security pattern to use can be selected from the
countermeasures defined in the Misuse Pattern which describes the threat (see Section 7). As indicated, we can also select
security patterns to apply from the list of threats, but it is more economic to select only the security patterns needed to stop
the identified misuses. In other words, there could be a threat that may not lead to any significant misuse and we do not need
to prevent it. Security patterns can also be selected from some methodology based on patterns [85], even if those
methodologies are oriented to build specific types of applications. Threats that lead to misuses are the goals of the attacker
and are performed through low-level threats in the Threat List or directly through a use case operation.
Some threats apply to all service levels. For example, buffer overflow is a language problem and allows escalation of
privilege by the attacker operating at any level. Other threats are specific to the level; for example, a financial application
can be attacked by taking advantage of lack of proper authentication in remote of that application. If the threat affects
the IaaS level it affects all the cloud computations, and if it happens at the PaaS level it can affect all the applications
developed or deployed in the cloud.
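The procedure and metamodel above can be walked through in code. The following Python sketch is an added example, not part of the original notes or of the cited paper: the use case, threat names, security pattern names and the rule that a threat reaches every level above its own are constructed assumptions used only to show enumeration per activity and the "economic" selection of patterns.

```python
from dataclasses import dataclass

LEVELS = ["IaaS", "PaaS", "SaaS"]  # lowest service level first

@dataclass(frozen=True)
class Threat:
    name: str
    level: str             # lowest service level at which the threat operates
    leads_to_misuse: bool  # a threat with no significant misuse gets no defense

# Constructed sample data (hypothetical names): one Cloud Administration use case.
USE_CASE = {
    "name": "Create virtual machine",
    "roles": ["Cloud Administrator"],
    "activities": {  # activity -> threats found when checking how it can be attacked
        "authenticate administrator": ["credential spoofing"],
        "select VM image": ["malicious VM image"],
        "allocate resources": ["resource exhaustion", "banner disclosure"],
    },
}
THREATS = {t.name: t for t in [
    Threat("credential spoofing", "SaaS", True),
    Threat("malicious VM image", "IaaS", True),
    Threat("resource exhaustion", "IaaS", True),
    Threat("banner disclosure", "PaaS", False),
]}
THREAT_LIST = {"credential spoofing", "malicious VM image", "resource exhaustion"}
# Misuse pattern per threat -> countermeasures (security patterns) it defines.
MISUSE_PATTERNS = {
    "credential spoofing": ("Authenticator", "Security Logger/Auditor"),
    "malicious VM image": ("Authenticator", "Secure VM Image Repository"),
}

def enumerate_threats(use_case):
    """Check each activity of the use case and record where each threat arises."""
    found = {}
    for activity, names in use_case["activities"].items():
        for name in names:
            found.setdefault(name, []).append(activity)
    return found

def affected_levels(threat):
    """Assumption: a threat at one level also reaches the levels built on it."""
    return LEVELS[LEVELS.index(threat.level):]

def select_patterns(found, threats, misuse_patterns):
    """Select security patterns only for threats that lead to a misuse."""
    selected, skipped, undefended = {}, [], []
    for name in sorted(found):
        if not threats[name].leads_to_misuse:
            skipped.append(name)         # not worth preventing
        elif name not in misuse_patterns:
            undefended.append(name)      # misuse pattern still to be written
        else:
            for pattern in misuse_patterns[name]:
                selected.setdefault(pattern, []).append(name)
    return selected, skipped, undefended

if __name__ == "__main__":
    found = enumerate_threats(USE_CASE)
    selected, skipped, undefended = select_patterns(found, THREATS, MISUSE_PATTERNS)
    print("not confirmed by threat list:", sorted(set(found) - THREAT_LIST))
    print("selected:", selected, "| skipped:", skipped, "| undefended:", undefended)
    print({n: affected_levels(THREATS[n]) for n in found})
```

A threat that ends up in the undefended list is a misuse with no misuse pattern yet, which is the gap the next refinement step has to close.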
1. Unauthorized Access (Hacker and Cracker): One of the most common security risks in relation to computerized information systems is
the danger of unauthorized access to confidential data. The main concern comes from unwanted intruders, or hackers, who use the
latest technology and their skills to break into supposedly secure computers or to disable them. A person who gains access to an
information system for malicious reasons is often termed a cracker rather than a hacker.
2. Computer Viruses: A computer virus is a kind of nasty software written deliberately to enter a computer without the user’s permission or
knowledge, with an ability to duplicate itself, thus continuing to spread. Some viruses do little but duplicate; others can cause severe
harm or adversely affect programs and the performance of the system. A virus program may still cause crashes and data loss. In many cases,
the damage caused by a computer virus might be accidental, arising merely as the result of poor programming. Types of viruses include, for
example, worms and Trojan horses.
3. Theft: The loss of important hardware, software or data can have significant effects on an organization’s effectiveness. Theft can be
divided into three basic categories: physical theft, data theft, and identity theft.
4. Sabotage: With regard to information systems, damage may be on purpose or accidental and carried out on an individual basis or as an act
of industrial sabotage. Insiders have knowledge that provides them with the capability to cause maximum interruption to an agency by
sabotaging information systems. Examples include destroying hardware and infrastructure, changing data, entering incorrect data,
deleting software, planting logic bombs, deleting data, planting a virus, etc.
5. Vandalism: Deliberate damage caused to hardware, software and data is considered a serious threat to information system security. The
threat from vandalism lies in the fact that the organization is temporarily denied access to some of its resources. Even relatively
minor damage to parts of a system can have a significant effect on the organization as a whole.
6. Accidents: The majority of damage caused to information systems or corporate data arises as a result of human error. Accidental misuse or
damage will be affected over time by the attitude and disposition of the staff in addition to the environment. Human errors have a
greater impact on information system security than do man-made threats caused by purposeful attacks. But most accidents that are
serious threats to the security of information systems can be mitigated.
Types of Attackers
DDoS Attacks. Distributed denial of service (DDoS) attacks are one of the most common types of cloud malware. ...
Hypervisor DoS Attacks. ...
Hypercall Attacks. ...
Hyperjacking. ...
Exploiting Live Migration.
3. Hypercall Attacks
In a hypercall attack, the attacker sends specially crafted requests to your hypervisor in an attempt to extract
information or take control of your systems, resulting in the execution of malicious code. This can allow the attacker to gain
access and control over the entire cloud environment.
4. Hyperjacking
A hyperjacking attack occurs when an attacker takes control of a virtual machine and uses it for their own purposes,
such as launching cyberattacks or stealing data. During a hyperjacking attack, the attacker takes over your session and can
access your data and systems without your knowledge or permission. This can allow them to steal your data or even damage
your systems.
5. Exploiting Live Migration
Finally, exploiting live migrations is a new type of attack that is becoming more common. Cloud providers use live
migration to move running virtual machines from one physical server to another without downtime. Attackers can exploit this
process to steal data or install malware on target machines. Live migrations are often not properly secured, enabling malicious
actors to access sensitive data or even take control of systems.
Cloud services have transformed the way businesses store data and host applications while introducing new security challenges.
1. Identity, authentication and access management – This includes the failure to use multi-factor authentication, misconfigured
access points, weak passwords, lack of scalable identity management systems, and a lack of ongoing automated rotation of
cryptographic keys, passwords and certificates.
2. Vulnerable public APIs – From authentication and access control to encryption and activity monitoring, application
programming interfaces must be designed to protect against both accidental and malicious attempts to access sensitive data.
3. Account takeover – Attackers may try to eavesdrop on user activities and transactions, manipulate data, return falsified
information and redirect users to illegitimate sites.
4. Malicious insiders – A current or former employee or contractor with authorized access to an organization’s network, systems
or data may intentionally misuse the access in a manner that leads to a data breach or affects the availability of the
organization’s information systems.
5. Data sharing – Many cloud services are designed to make data sharing easy across organizations, increasing the attack surface
area for hackers who now have more targets available to access critical data.
6. Denial-of-service attacks – The disruption of cloud infrastructure can affect multiple organizations simultaneously and allow
hackers to harm businesses without gaining access to their cloud services accounts or internal network.
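Several of the failures named in item 1 (no multi-factor authentication, no ongoing rotation of keys, passwords and certificates) can be checked mechanically from an identity inventory. The Python sketch below is an added example, not part of the original notes: the inventory records, field names, the 90-day rotation limit and the 30-day certificate warning window are all constructed assumptions.

```python
from datetime import date

MAX_AGE_DAYS = 90     # assumed rotation policy for keys and passwords
CERT_WARN_DAYS = 30   # assumed lead time for certificate renewal

# Constructed inventory; a real one would come from the provider's IAM export.
INVENTORY = [
    {"user": "alice", "interactive": True, "mfa": True, "credentials": [
        {"id": "alice-key", "kind": "access_key", "rotated": date(2024, 5, 1)}]},
    {"user": "bob", "interactive": True, "mfa": False, "credentials": [
        {"id": "bob-pw", "kind": "password", "rotated": date(2023, 11, 2)}]},
    {"user": "ci-deploy", "interactive": False, "mfa": False, "credentials": [
        {"id": "ci-key", "kind": "access_key", "rotated": date(2024, 1, 15)},
        {"id": "ci-cert", "kind": "certificate", "rotated": date(2023, 7, 1),
         "expires": date(2024, 6, 20)}]},
]

def audit(inventory, today):
    """Return (user, finding, subject) tuples for each hygiene failure found."""
    findings = []
    for account in inventory:
        user = account["user"]
        # MFA only applies to accounts a person logs in to interactively.
        if account["interactive"] and not account["mfa"]:
            findings.append((user, "no-mfa", user))
        for cred in account["credentials"]:
            if cred["kind"] == "certificate":
                days_left = (cred["expires"] - today).days
                if days_left < 0:
                    findings.append((user, "cert-expired", cred["id"]))
                elif days_left <= CERT_WARN_DAYS:
                    findings.append((user, "cert-expiring", cred["id"]))
            elif (today - cred["rotated"]).days > MAX_AGE_DAYS:
                findings.append((user, "stale-" + cred["kind"], cred["id"]))
    return findings

if __name__ == "__main__":
    for finding in audit(INVENTORY, date(2024, 6, 1)):
        print(*finding, sep="\t")
```

Running the audit on a schedule, rather than once, is what turns the list into the "ongoing automated" control item 1 asks for.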