Mobile Computing (KCS 713) unit-4
Notes
Uploaded by C M Tyagi

Cloud Computing (KCS-713)

CLOUD COMPUTING
UNIT-4
RESOURCE MANAGEMENT AND SECURITY IN CLOUD
Inter Cloud Resource Management

The cloud computing paradigm provides management of resources and helps create an
extended portfolio of services. ... For scalability and better service provisioning,
clouds at times have to communicate with other clouds and share their resources. This
scenario is called inter-cloud computing or cloud federation.

Resource Provisioning

• Cloud computing is a model for enabling convenient, on-demand network access to a
shared pool of configurable computing resources (e.g., networks, servers, applications
and services) that can be rapidly provisioned and released.

• Resource provisioning means the selection, deployment, and run-time management of
software (e.g., database management systems, load balancers) and hardware resources
(e.g., CPU, storage, and network) to guarantee performance for applications.

• Resource provisioning is an important and challenging problem in large-scale
distributed systems such as cloud computing environments.

• Cloud provisioning is the allocation of resources and services from a cloud provider
to a client. The growing catalog of cloud services that customers can provision includes
infrastructure as a service, software as a service, and platform as a service, in public
or private cloud environments.

• Provisioning is the process of configuring the IT infrastructure. It can also refer to
the steps necessary to manage access to data and resources and make them available to
users and systems. Once something has been provisioned, the next step is configuration.

• Provisioning resources in the cloud is a difficult task that can be compromised by the
unavailability of expected resources. Meeting the Quality of Service (QoS) requirements
of workloads depends on provisioning appropriate resources for them.

• Discovering the best workload-to-resource pairing based on the application
requirements of cloud users is an optimization problem. Acceptable quality of service
cannot be provided to cloud users unless resource provisioning is offered as a critical
capability.

• Therefore, a resource provisioning technique based on QoS parameters is required for
efficient resource provisioning. This research shows an in-depth analysis of the
methodical literature on the provisioning of cloud resources in general and the
identification of cloud resources in particular.

Resource Provisioning Techniques

• Static provisioning: With advance provisioning, the customer contracts with the
provider for services and the provider prepares the appropriate resources in advance of
the start of service. The customer is charged a flat fee or is billed on a monthly basis.

• Dynamic provisioning: With dynamic provisioning, the provider allocates more resources
as they are needed and removes them when they are not. The customer is billed on a
pay-per-use basis. When dynamic provisioning is used to create a hybrid cloud, it is
sometimes referred to as cloud bursting.

• User self-provisioning: With user self-provisioning (also known as cloud self-service),
the customer purchases resources from the cloud provider through a web form, creating a
customer account and paying for resources with a credit card. The provider's resources
are available for customer use within hours, if not minutes.

Resource Provisioning Techniques

1. Particle Swarm Optimization (PSO) algorithm and Simulated Annealing (SA) algorithm

• Marwah Hashim Eawna et al., 2015 propose dynamic resource provisioning in multi-tier
applications using meta-heuristic techniques such as the Particle Swarm Optimization
(PSO) algorithm, the Simulated Annealing (SA) algorithm, and a hybrid algorithm that
combines PSO and SA.

• In the PSO algorithm, the average computation cost of all tasks on all the computing
resources is calculated. PSO is used as a local search to select the local best position
(Lbest) and as a global search to select the global best position (Gbest). To improve
the optimal performance of PSO, Gbest can be searched by SA after each particle swarm
iteration, and the result is taken as the new Gbest of the PSO system.

• Resource provisioning based on the PSO-SA algorithm in a multi-tier application is
much faster than resource provisioning based on the PSO algorithm or the SA algorithm
alone, which is beneficial for the development of cloud computing.
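An added implementation of the hybrid scheme described above (example code, not the authors' own): a constructed expected-time-to-compute matrix ETC[t][r] gives the cost of task t on resource r, each particle encodes a task-to-resource assignment, fitness is the makespan, and after every PSO iteration simulated annealing searches around Gbest, whose result becomes the swarm's new Gbest. The brute_force() helper is added only to show the gap to the true optimum on this small instance.

```python
import math
import random

# Constructed ETC matrix: ETC[t][r] = computation cost of task t on resource r.
ETC = [
    [14.0, 9.0, 20.0],
    [8.0, 12.0, 6.0],
    [11.0, 18.0, 7.0],
    [5.0, 4.0, 9.0],
    [16.0, 10.0, 13.0],
    [7.0, 15.0, 8.0],
]
N_TASKS, N_RES = len(ETC), len(ETC[0])

def average_cost(etc=ETC):
    """Average computation cost of all tasks over all resources (the PSO step the text starts from)."""
    return sum(map(sum, etc)) / (len(etc) * len(etc[0]))

def decode(position):
    """Continuous particle position -> discrete assignment (task index -> resource index)."""
    return [min(N_RES - 1, max(0, int(x))) for x in position]

def makespan(assign, etc=ETC):
    """Fitness: finishing time of the busiest resource (lower is better)."""
    load = [0.0] * len(etc[0])
    for t, r in enumerate(assign):
        load[r] += etc[t][r]
    return max(load)

def anneal(assign, rng, t0, steps=30, alpha=0.9):
    """Simulated annealing around the current Gbest; never returns a worse assignment."""
    best, best_cost = list(assign), makespan(assign)
    cur, cur_cost, temp = list(best), best_cost, t0
    for _ in range(steps):
        cand = list(cur)
        cand[rng.randrange(N_TASKS)] = rng.randrange(N_RES)  # move one task
        cand_cost = makespan(cand)
        delta = cand_cost - cur_cost
        if delta <= 0 or rng.random() < math.exp(-delta / temp):
            cur, cur_cost = cand, cand_cost
            if cur_cost < best_cost:
                best, best_cost = list(cur), cur_cost
        temp *= alpha
    return best, best_cost

def pso_sa(particles=20, iterations=40, w=0.6, c1=1.5, c2=1.5, seed=1):
    """Hybrid PSO-SA: PSO explores with Lbest/Gbest, SA refines Gbest after each iteration.
    Returns (best assignment, its makespan, makespan of the initial Gbest)."""
    rng = random.Random(seed)
    pos = [[rng.uniform(0, N_RES) for _ in range(N_TASKS)] for _ in range(particles)]
    vel = [[0.0] * N_TASKS for _ in range(particles)]
    lbest = [list(p) for p in pos]
    lbest_cost = [makespan(decode(p)) for p in pos]
    g = min(range(particles), key=lbest_cost.__getitem__)
    gbest, gbest_cost = decode(lbest[g]), lbest_cost[g]
    initial_cost = gbest_cost
    t0 = average_cost()  # SA start temperature scaled to the problem's cost magnitude
    for _ in range(iterations):
        for i in range(particles):
            for d in range(N_TASKS):
                r1, r2 = rng.random(), rng.random()
                vel[i][d] = (w * vel[i][d]
                             + c1 * r1 * (lbest[i][d] - pos[i][d])
                             + c2 * r2 * (gbest[d] + 0.5 - pos[i][d]))
                pos[i][d] = min(N_RES - 1e-9, max(0.0, pos[i][d] + vel[i][d]))
            cost = makespan(decode(pos[i]))
            if cost < lbest_cost[i]:
                lbest[i], lbest_cost[i] = list(pos[i]), cost
                if cost < gbest_cost:
                    gbest, gbest_cost = decode(pos[i]), cost
        gbest, gbest_cost = anneal(gbest, rng, t0)  # SA result becomes the new Gbest
    return gbest, gbest_cost, initial_cost

def brute_force():
    """Exhaustive optimum for this small instance, for comparison only."""
    best = None
    for code in range(N_RES ** N_TASKS):
        cost = makespan([(code // N_RES ** t) % N_RES for t in range(N_TASKS)])
        best = cost if best is None or cost < best else best
    return best

if __name__ == "__main__":
    best, cost, initial = pso_sa()
    print("assignment:", best, "makespan:", cost, "initial Gbest:", initial, "optimum:", brute_force())
```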
2. Optimal Cloud Resource Provisioning (OCRP) algorithm

• Sivadon Chaisiri et al., 2012 proposed the optimal cloud resource provisioning
algorithm for virtual machine management. An optimization formulation based on
stochastic integer programming is proposed to obtain the decision of the OCRP algorithm
such that the total cost of resource provisioning in cloud computing environments is
minimized.

• The optimal solution of OCRP is obtained by formulating and solving a stochastic
integer program with multistage recourse.

3. Variable-size bin packing greedy algorithm

• Alok Gautam Kumbhare et al., 2015 developed the concept of "dynamic data flows",
which utilize alternate tasks as additional control over the data flow's cost and QoS.
They formalize an optimization problem to represent deployment and runtime resource
provisioning that allows balancing the application's QoS, value, and the resource cost.

• They proposed two greedy heuristics, centralized and shared, based on the
variable-sized bin packing algorithm, and compare them against a Genetic Algorithm
(GA) based heuristic that gives a near-optimal solution.

• A large-scale simulation study, using the Linear Road benchmark and VM performance
traces from the AWS public cloud, shows that while the GA-based heuristic provides a
better-quality schedule, the greedy heuristics are more practical and can intelligently
utilize cloud elasticity to mitigate the effect of variability, both in input data rates
and in cloud resource performance, to meet the QoS of fast data applications.
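A variable-sized bin packing heuristic in the spirit of the greedy approach above, written as an added example (not the authors' code): tasks of a data flow are placed largest-first into the first rented VM with spare CPU, and when none has room the cheapest VM type that can hold the task is rented. The VM catalogue, prices and the data flow are constructed for the example; cost_lower_bound() shows how far the greedy placement is from the best possible price.

```python
from dataclasses import dataclass, field

# Constructed VM catalogue (hypothetical types and prices, not a real provider's):
# name -> (CPU capacity in units, cost per hour).
VM_TYPES = {
    "small": (2.0, 0.10),
    "medium": (4.0, 0.19),
    "large": (8.0, 0.36),
}

@dataclass
class Bin:
    """One rented VM and the tasks placed on it."""
    vm_type: str
    capacity: float
    cost: float
    tasks: list = field(default_factory=list)
    used: float = 0.0

    def fits(self, demand):
        return self.used + demand <= self.capacity + 1e-9

    def add(self, name, demand):
        self.tasks.append(name)
        self.used += demand

def pack_tasks(tasks):
    """Greedy variable-sized bin packing (first-fit decreasing).

    tasks: {task_name: CPU demand}. Tasks are placed largest first into the
    first running VM with room; when none has room, the cheapest VM type
    that can hold the task is rented. Returns the list of Bins."""
    bins = []
    for name, demand in sorted(tasks.items(), key=lambda kv: -kv[1]):
        target = next((b for b in bins if b.fits(demand)), None)
        if target is None:
            fitting = [t for t, (cap, _) in VM_TYPES.items() if cap >= demand]
            if not fitting:
                raise ValueError(f"task {name} ({demand}) exceeds the largest VM type")
            vm_type = min(fitting, key=lambda t: VM_TYPES[t][1])
            cap, cost = VM_TYPES[vm_type]
            target = Bin(vm_type, cap, cost)
            bins.append(target)
        target.add(name, demand)
    return bins

def total_cost(bins):
    """Hourly cost of the rented VMs."""
    return round(sum(b.cost for b in bins), 4)

def cost_lower_bound(tasks):
    """No placement can beat the total demand priced at the cheapest cost per CPU unit."""
    best_rate = min(cost / cap for cap, cost in VM_TYPES.values())
    return round(sum(tasks.values()) * best_rate, 4)

# Constructed stream-processing data flow: task -> CPU units needed at the current input rate.
DATAFLOW = {"ingest": 6.0, "parse": 3.0, "join": 3.0, "aggregate": 1.5, "sink": 0.5, "alert": 2.0}

if __name__ == "__main__":
    placement = pack_tasks(DATAFLOW)
    for b in placement:
        print(f"{b.vm_type:6s} used {b.used:>4}/{b.capacity:<4} {b.tasks}")
    print("greedy cost:", total_cost(placement), " lower bound:", cost_lower_bound(DATAFLOW))
```

On this data flow the greedy placement rents a large, two medium and a small VM for 0.84 per hour, while the 0.72 bound is actually reachable with two large VMs, which is the kind of schedule-quality gap the text attributes to the GA-based heuristic.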

4. SPRNT strategy

• Jinzhao Liu et al., 2015 introduce SPRNT, a novel resource management framework, to
ensure high-level QoS in cloud computing systems.

• SPRNT utilizes an aggressive resource provisioning strategy that encourages SPRNT to
substantially increase the resource allocation in each adaptation cycle when the
workload increases. This strategy first provisions resources that are possibly more than
the actual demand, and then reduces the over-provisioned resources if needed.

• By applying the aggressive strategy, SPRNT can satisfy the increasing performance
requirement in the first place so that QoS can be kept at a high level. The experimental
results show that SPRNT achieves up to 7.7x speedup in adaptation time compared with
existing efforts. By enabling quick adaptation, SPRNT limits the SLO violation rate to
at most 1.3% even when dealing with rapidly increasing workloads.
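An added simulation (not the SPRNT authors' code) of the trade-off described above: a conservative strategy resizes to the demand just measured, while an aggressive one provisions for extrapolated growth and trims once the workload stops rising. The workload trace, the per-VM capacity and the one-cycle start-up delay are constructed assumptions; the run counts the cycles in which capacity fell short of demand (SLO violations) and the VM-cycles billed.

```python
# Constructed workload trace (requests per second seen at each adaptation cycle),
# a ramp that rises quickly and then falls off; not data from the SPRNT paper.
WORKLOAD = [100, 100, 180, 300, 420, 500, 520, 500, 480, 300, 200, 200]
CAP_PER_VM = 50       # requests/second one VM can serve (assumed)
HEADROOM_PCT = 10     # both strategies target 10% spare capacity

def vms_for(rate):
    """Smallest VM count whose capacity covers `rate` plus the headroom.
    Integer arithmetic keeps the ceiling exact."""
    scaled = rate * (100 + HEADROOM_PCT)
    return max(1, -(-scaled // (CAP_PER_VM * 100)))

def conservative_step(vms, demand, prev_demand):
    """Reactive strategy: resize to the demand just measured, up or down."""
    return vms_for(demand)

def aggressive_step(vms, demand, prev_demand, factor=2):
    """SPRNT-style strategy: while the workload is rising, provision for the
    growth extrapolated `factor` cycles ahead (deliberately more than the
    current demand) and never shrink; once it stops rising, trim back to the
    measured demand plus headroom, releasing the over-provisioned VMs."""
    if demand > prev_demand:
        projected = demand + factor * (demand - prev_demand)
        return max(vms, vms_for(projected))
    return vms_for(demand)

def simulate(strategy):
    """Replay WORKLOAD against a strategy.

    The VM count chosen at cycle t only serves cycle t+1, modelling the
    start-up delay that makes adaptation time matter. Returns
    (slo_violations, vm_cycles, trace): vm_cycles is the sum of VMs billed
    over the run and trace lists (demand, vms, violated) per cycle."""
    vms = vms_for(WORKLOAD[0])
    prev = WORKLOAD[0]
    violations = 0
    vm_cycles = 0
    trace = []
    for demand in WORKLOAD:
        violated = demand > vms * CAP_PER_VM
        violations += violated
        vm_cycles += vms
        trace.append((demand, vms, violated))
        vms = strategy(vms, demand, prev)
        prev = demand
    return violations, vm_cycles, trace

def compare():
    """Return {strategy name: (violations, vm_cycles)} for both strategies."""
    return {
        "conservative": simulate(conservative_step)[:2],
        "aggressive": simulate(aggressive_step)[:2],
    }

if __name__ == "__main__":
    for name, (viol, cycles) in compare().items():
        pct = 100.0 * viol / len(WORKLOAD)
        print(f"{name:12s} SLO violations={viol} ({pct:.1f}% of cycles) VM-cycles={cycles}")
```

On this trace the aggressive strategy misses the SLO in one cycle instead of three but bills 108 VM-cycles instead of 87, which is the over-provisioning that the trimming phase exists to bound.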

5. Dynamical Request Redirection and Resource Provisioning (DYRECEIVE) method

• As user demands are difficult to predict and the prices of VMs vary across time and
region, optimizing the number of VMs of each type rented from datacenters located in
different regions in a given time frame becomes essential to achieve cost effectiveness
for VSPs.

• It is equally important to guarantee users' Quality of Experience (QoE) with the
rented VMs. Wenhua Xiao et al., 2016 give a systematic method called Dynamical Request
Redirection and Resource Provisioning (DYRECEIVE) to address this problem.

• They formulate the problem as a stochastic optimization problem and design an online
algorithm based on the Lyapunov optimization framework to solve it. This method is able
to minimize the long-term time-average cost of renting cloud resources while
maintaining user QoE.

Comparison Table

Global Exchange of Cloud Resources

• Global Cloud Xchange (GCX) provides network services for enterprises, new media
providers and telecoms carriers.

• Their services cover cloud-centric connectivity from managed SD-WAN and hybrid
networks to direct cloud connections and 100 Gbps+ waves.

• GCX provides connectivity throughout the Emerging Markets Corridor into Asia via the
vast GCX global network (the world's largest private submarine cable network), with
extensions available into more than 200 countries worldwide.

• In order to support a large number of application service consumers from around the
world, cloud infrastructure providers (i.e., IaaS providers) have established data
centers in multiple geographical locations to provide redundancy and ensure reliability
in case of site failures. For example, Amazon has data centers in the United States
(e.g., one on the East Coast and another on the West Coast) and Europe.

• However, currently Amazon expects its cloud customers (i.e., SaaS providers) to express
a preference regarding where they want their application services to be hosted. Amazon
does not provide seamless/automatic mechanisms for scaling its hosted services across
multiple geographically distributed data centers.

• In addition, no single cloud infrastructure provider will be able to establish its data
centers at all possible locations throughout the world. As a result, cloud application
service (SaaS) providers will have difficulty in meeting QoS expectations for all their
consumers. Hence, they would like to make use of the services of multiple cloud
infrastructure service providers who can provide better support for their specific
consumer needs.

• This kind of requirement often arises in enterprises with global operations and
applications such as Internet services, media hosting, and Web 2.0 applications. This
necessitates federation of cloud infrastructure service providers for seamless
provisioning of services across different cloud providers.

• To realize this, the Cloudbus Project at the University of Melbourne has proposed an
Inter-Cloud architecture supporting brokering and exchange of cloud resources for
scaling applications across multiple clouds.

• By realizing Inter-Cloud architectural principles in mechanisms in their offering,
cloud providers will be able to: dynamically expand or resize their provisioning
capability based on sudden spikes in workload demands by leasing available
computational and storage capabilities from other cloud service providers; operate as
part of a market-driven resource leasing federation, where application service providers
such as Salesforce.com host their services based on negotiated SLA contracts driven by
competitive market prices; and deliver on-demand, reliable, cost-effective, and
QoS-aware services based on virtualization technologies while ensuring high QoS
standards and minimizing service costs.

• They need to be able to utilize market-based utility models as the basis for
provisioning of virtualized software services and federated hardware infrastructure
among users with heterogeneous applications.

• They consist of client brokering and coordinator services that support utility-driven
federation of clouds: application scheduling, resource allocation, and migration of
workloads. The architecture cohesively couples the administratively and topologically
distributed storage and compute capabilities of clouds as part of a single resource
leasing abstraction. The system will ease cross-domain capability integration for
on-demand, flexible, energy-efficient, and reliable access to the infrastructure based
on virtualization technology.

• The Cloud Exchange (CEx) acts as a market maker for bringing together service
producers and consumers. It aggregates the infrastructure demands from application
brokers and evaluates them against the available supply currently published by the
cloud coordinators. It supports trading of cloud services based on competitive economic
models such as commodity markets and auctions. CEx allows participants to locate
providers and consumers with fitting offers. Such markets enable services to be
commoditized, and thus will pave the way for the creation of a dynamic market
infrastructure for trading based on SLAs.

• An SLA specifies the details of the service to be provided in terms of metrics agreed
upon by all parties, and incentives and penalties for meeting and violating the
expectations, respectively. The availability of a banking system within the market
ensures that financial transactions pertaining to SLAs between participants are carried
out in a secure and dependable environment.

Cloud Security Challenges

• Lack of trust between service providers and cloud users has hindered the universal
acceptance of cloud computing as a service on demand. In the past, trust models have
been developed to protect mainly e-commerce and online shopping provided by eBay and
Amazon.

• For web and cloud services, trust and security become even more demanding, because
leaving user applications completely to the cloud providers has faced strong resistance
from most PC and server users.

• Cloud platforms become worrisome to some users for lack of privacy protection,
security assurance, and copyright protection. Trust is a social problem, not a purely
technical issue. However, the social problem can be addressed with a technical approach.
Common sense dictates that technology can enhance trust, justice, reputation, credit,
and assurance in Internet applications.

• As a virtual environment, the cloud poses new security threats that are more difficult
to contain than in traditional client and server configurations. To solve these trust
problems, a new data-protection model is presented in this section. In many cases, one
can extend the trust models for P2P networks and grid systems to protect clouds and
data centers.

Cloud Security Defense Strategies

• A healthy cloud ecosystem is desired to free users from abuses, violence, cheating,
hacking, viruses, rumors, spam, and privacy and copyright violations.

• The security demands of the three cloud service models, IaaS, PaaS, and SaaS, are
described in this section. These security models are based on various SLAs between
providers and users.

Basic Cloud Security

• Three basic cloud security enforcements are expected. First, facility security in data
centers demands on-site security year round. Biometric readers, CCTV (closed-circuit
TV), motion detection, and mantraps are often deployed.

• Second, network security demands fault-tolerant external firewalls, intrusion
detection systems (IDSes), and third-party vulnerability assessment. Finally, platform
security demands SSL and data decryption, strict password policies, and system trust
certification.

• Servers in the cloud can be physical machines or VMs. User interfaces are used to
request services. The provisioning tool carves out the systems from the cloud to satisfy
the requested service.

• A security-aware cloud architecture demands security enforcement. Malware-based
attacks such as network worms, viruses, and DDoS attacks exploit system vulnerabilities.

• These attacks compromise system functionality or provide intruders unauthorized
access to critical information. Thus, security defenses are needed to protect all
cluster servers and data centers. Here are some cloud components that demand special
security protection:

  • Protection of servers from malicious software attacks such as worms, viruses, and
  malware
  • Protection of hypervisors or VM monitors from software-based attacks and
  vulnerabilities
  • Protection of VMs and monitors from service disruption and DoS attacks
  • Protection of data and information from theft, corruption, and natural disasters
  • Providing authenticated and authorized access to critical data and services

Security Challenges in VMs

• Traditional network attacks include buffer overflows, DoS attacks, spyware, malware,
rootkits, Trojan horses, and worms. In a cloud environment, newer attacks may result
from hypervisor malware, guest hopping and hijacking, or VM rootkits.

• Another type of attack is the man-in-the-middle attack on VM migrations. In general,
passive attacks steal sensitive data or passwords. Active attacks may manipulate kernel
data structures, which will cause major damage to cloud servers.

• An IDS can be a NIDS or a HIDS. Program shepherding can be applied to control and
verify code execution. Other defense technologies include using the RIO dynamic
optimization infrastructure, or VMware's vSafe and vShield tools, security compliance
for hypervisors, and Intel vPro technology. Others apply a hardened OS environment or
use isolated execution and sandboxing.

Cloud Defense Methods

• Virtualization enhances cloud security. But VMs add an additional layer of software
that could become a single point of failure. With virtualization, a single physical
machine can be divided or partitioned into multiple VMs (e.g., server consolidation).

• This provides each VM with better security isolation, and each partition is protected
from DoS attacks by other partitions. Security attacks in one VM are isolated and
contained from affecting the other VMs.

• VM failures do not propagate to other VMs. The hypervisor provides visibility of the
guest OS, with complete guest isolation. Fault containment and failure isolation of VMs
provide a more secure and robust environment.

• Malicious intrusions may destroy valuable hosts, networks, and storage resources.
Internet anomalies found in routers, gateways, and distributed hosts may stop cloud
services. Trust negotiation is often done at the SLA level.

• Public Key Infrastructure (PKI) services could be augmented with data-center
reputation systems. Worm and DDoS attacks must be contained. It is harder to establish
security in the cloud because all data and software are shared by default.

SaaS Security

• SaaS providers handle much of the security for a cloud application. The SaaS provider
is responsible for securing the platform, network, applications, operating system, and
physical infrastructure. However, providers are not responsible for securing customer
data or user access to it. Some providers offer a bare minimum of security, while others
offer a wide range of SaaS security options.

• By 2022, Gartner projects that 95% of cloud security failures will be the customer's
fault. To avoid security breaches, customers can implement improved security practices
and technologies. Below are SaaS security practices that organizations can adopt to
protect data in their SaaS applications.

• Detect rogue services and compromised accounts. The average organization uses 1,935
unique cloud services. Unfortunately, IT departments believe they use only 30 cloud
services, according to the 2019 McAfee Cloud Adoption and Risk Report. Moreover, nearly
9% of those cloud services were rated as high-risk services. Organizations can use tools
such as cloud access security brokers (CASBs) to audit their networks for unauthorized
cloud services and compromised accounts.

• Apply identity and access management (IAM). A role-based identity and access
management solution can ensure that end users do not gain access to more resources
than they require for their jobs. IAM solutions use processes and user access policies
to determine what files and applications a particular user can access. An organization
can apply role-based permissions to data so that end users will see only the data
they're authorized to view.

• Encrypt cloud data. Data encryption protects both data at rest (in storage) and data
in transit between the end user and the cloud or between cloud applications. Government
regulations usually require encryption of sensitive data. Sensitive data includes
financial information, healthcare data, and personally identifiable information (PII).
While a SaaS vendor may provide some type of encryption, an organization can enhance
data security by applying its own encryption, such as by implementing a cloud access
security broker (CASB).

• Enforce data loss prevention (DLP). DLP software monitors for sensitive data within
SaaS applications or in outgoing transmissions of sensitive data and blocks the
transmission. DLP software detects and prevents sensitive data from being downloaded to
personal devices and blocks malware or hackers from attempting to access and download
data.

• Monitor collaborative sharing of data. Collaboration controls can detect granular
permissions on files that are shared with other users, including users outside the
organization who access the file through a web link. Employees may inadvertently or
intentionally share confidential documents through email, team spaces, and cloud
storage sites such as Dropbox.

• Check the provider's security. The Cloud Adoption and Risk Report surveyed
respondents on their trust in cloud providers' security. It found that nearly 70% of
them trust their providers to secure their data. However, only 8% of cloud services
actually meet the data security requirements defined in the CloudTrust Program. Only 1
in 10 providers encrypt data at rest, and just 18% support multifactor authentication.
Clearly, not all of that customer trust is deserved. An audit of a SaaS provider can
include checks on its compliance with data security and privacy regulations, data
encryption policies, employee security practices, cyber-security protection, and data
segregation policies.
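The IAM and DLP practices above combined into one added example (not any vendor's CASB code): a role-based permission check decides whether a user may read or share a resource, and a DLP scan over the document body blocks an external share that carries financial data or PII. The roles, users, detector patterns and sample documents are all constructed for the example.

```python
import re

# Constructed role-to-permission map: each role holds only what its job needs.
ROLE_PERMISSIONS = {
    "analyst": {"reports:read"},
    "finance": {"reports:read", "payroll:read"},
    "admin": {"reports:read", "reports:share", "payroll:read", "payroll:share"},
}

# Constructed user directory: user -> roles held.
USERS = {"alice": {"analyst"}, "bob": {"finance"}, "carol": {"admin"}}

# DLP detectors for two of the sensitive-data classes the text names (financial
# data and PII); illustrative regexes, not production-grade classifiers.
DLP_PATTERNS = {
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card_number": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
}

# Constructed documents used below.
PAYROLL_EXPORT = (
    "employee,ssn,card\n"
    "J. Doe,123-45-6789,4111 1111 1111 1111\n"
    "R. Roe,987-65-4321,5500 0000 0000 0004\n"
)
QUARTERLY_REPORT = "Q3 revenue grew 12% on 4 new enterprise accounts."

def permissions_of(user):
    """Union of the permissions granted by every role the user holds."""
    return set().union(*(ROLE_PERMISSIONS[r] for r in USERS.get(user, ())))

def is_allowed(user, resource, action):
    """RBAC decision: allowed only if some role grants `resource:action`."""
    return f"{resource}:{action}" in permissions_of(user)

def dlp_findings(text):
    """Return {data_class: hit_count} for every detector that fires on text."""
    hits = {name: len(pat.findall(text)) for name, pat in DLP_PATTERNS.items()}
    return {name: n for name, n in hits.items() if n}

def authorize_share(user, resource, content, external):
    """Combine both controls for a share request.

    RBAC runs first: without resource:share the request is denied regardless
    of content. An external share is then blocked if DLP finds sensitive
    data in the body; internal shares by an authorized user are allowed.
    Returns (decision, reason)."""
    if not is_allowed(user, resource, "share"):
        return "deny", f"{user} lacks {resource}:share"
    findings = dlp_findings(content)
    if external and findings:
        return "block", "DLP: " + ", ".join(f"{k}x{v}" for k, v in sorted(findings.items()))
    return "allow", "ok"

if __name__ == "__main__":
    for user, res, doc, ext in [
        ("alice", "payroll", PAYROLL_EXPORT, True),
        ("carol", "payroll", PAYROLL_EXPORT, True),
        ("carol", "payroll", PAYROLL_EXPORT, False),
        ("carol", "reports", QUARTERLY_REPORT, True),
    ]:
        print(user, res, "external" if ext else "internal", authorize_share(user, res, doc, ext))
```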

SaaS Security Solutions

Several types of security solutions can help organizations improve SaaS security. The
solutions can be implemented separately or together as part of a CASB.

• Data loss prevention (DLP) safeguards intellectual property and protects sensitive
data in cloud applications, as well as at endpoints such as laptops. Organizations can
define data access policies that DLP enforces.

• Compliance solutions provide controls and reporting capabilities to ensure compliance
with government and industry regulations.

• Advanced malware prevention includes technologies such as behavioral analytics and
real-time threat intelligence that can help detect and block zero-day attacks and
malicious files that may be spread through cloud email and file sharing applications.

• Cloud access security brokers (CASBs) protect enterprise data and users across all
cloud services, including SaaS, PaaS, and IaaS. According to Gartner's Magic Quadrant
for Cloud Access Security Brokers, CASBs detect threats and provide IT departments with
greater visibility into data usage and user behavior for cloud services, end users, and
devices. CASBs also act immediately to remediate security threats by eliminating
security misconfigurations and correcting high-risk user activities in applications.
CASBs provide a variety of security services, including:

  o Monitoring for unauthorized cloud services
  o Enforcing data security policies, including encryption
  o Collecting details about users who access data in cloud services from any device
  or location
  o Restricting access to cloud services based on the user, device, and application
  o Providing compliance reporting

CASB solutions, which are typically SaaS applications, may provide additional
capabilities. These may include:

• File encryption
• Pre-built policy templates to guide IT staff through the process of policy creation
• User and entity behavior analytics (UEBA) backed by machine learning
• In-application coaching to help end users learn improved security practices
• Security configuration audits to suggest changes to security settings based on best
practices

Cloud Security Governance

• Cloud security governance refers to the management model that facilitates effective
and efficient security management and operations in the cloud environment so that an
enterprise's business targets are achieved.

• This model incorporates a hierarchy of executive mandates, performance expectations,
operational practices, structures, and metrics that, when implemented, result in the
optimization of business value for an enterprise. Cloud security governance helps
answer leadership questions such as:

1. Are our security investments yielding the desired returns?
2. Do we know our security risks and their business impact?
3. Are we progressively reducing security risks to acceptable levels?
4. Have we established a security-conscious culture within the enterprise?

• Strategic alignment, value delivery, risk mitigation, effective use of resources and
performance measurement are key objectives of any IT-related governance model, security
included.

• To successfully pursue and achieve these objectives, it is important to understand the
operational culture and business and customer profiles of an enterprise, so that an
effective security governance model can be customized for the enterprise.

Cloud Security Governance Challenges

• Lack of senior management participation and buy-in: the lack of a security policy
influenced and endorsed by senior management is one of the common challenges facing
cloud customers. An enterprise security policy is intended to set the executive tone,
principles and expectations for security management and operations in the cloud.
However, many enterprises tend to author security policies that are laden with tactical
content and lack executive input or influence.

• The result of this situation is the ineffective definition and communication of
executive tone and expectations for security in the cloud. To resolve this challenge, it
is essential to engage enterprise executives in the discussion and definition of the
tone and expectations for security that will feed a formal enterprise security policy.

• It is also essential for the executives to take full accountability for the policy,
communicating its provisions to the enterprise, and subsequently enforcing compliance.

• Lack of embedded management operational controls: another common cloud security
governance challenge is the lack of management controls embedded into cloud security
operational processes and procedures. Controls are often interpreted as an auditor's
checklist or repackaged as procedures, and as a result are not effectively embedded
into security operational processes and procedures as they should be, for the purposes
of optimizing value and reducing day-to-day operational risks.

• This lack of embedded controls may result in operational risks that may not be
apparent to the enterprise. For example, the security configuration of a device may be
modified (change event) by a staffer without proper analysis of the business impact
(control) of the modification. The net result could be the introduction of exploitable
security weaknesses that were not apparent at the time of the modification.

• The enterprise would now have to live with an inherent operational risk that could
have been avoided if the control had been embedded in the change execution process.

• Lack of operating model, roles, and responsibilities: many enterprises moving into
the cloud environment tend to lack a formal operating model for security, or do not have
strategic and tactical roles and responsibilities properly defined and operationalized.
This situation stifles the effectiveness of a security management and operational
function/organization in supporting security in the cloud.

• Simply establishing a hierarchy that includes designating an accountable official at
the top, supported by a stakeholder committee, management team, operational staff, and
third-party provider support (in that order) can help an enterprise to better manage
and control security in the cloud, and protect associated investments in accordance
with enterprise business goals. This hierarchy can be employed in an in-sourced,
out-sourced, or co-sourced model depending on the culture, norms, and risk tolerance of
the enterprise.

• Lack of metrics for measuring performance and risk: another major challenge for cloud
customers is the lack of defined metrics to measure security performance and risks, a
problem that also stifles executive visibility into the real security risks in the
cloud.

• This challenge is directly attributable to the combination of the other challenges
discussed above. For example, a metric that quantitatively measures the number of
exploitable security vulnerabilities on host devices in the cloud over time can be
leveraged as an indicator of risk in the host device environment.

• Similarly, a metric that measures the number of user-reported security incidents over
a given period can be leveraged as a performance indicator of staff awareness and
training efforts. Metrics enable executive visibility into the extent to which security
tone and expectations (per established policy) are being met within the enterprise and
support prompt decision-making in reducing risks or rewarding performance as
appropriate.

• The challenges described above clearly highlight the need for cloud customers to
establish a framework to effectively manage and support security in cloud management,
so that the pursuit of business targets is not compromised.

• Unless tone and expectations for cloud security are established (via an enterprise
policy) to drive operational processes and procedures with embedded management
controls, it is very difficult to determine or evaluate business value, performance,
resource effectiveness, and risks regarding security operations in the cloud. Cloud
security governance facilitates the institution of a model that helps enterprises
explicitly address the challenges described above.

Key Objectives for Cloud Security Governance


 Building a cloud security governance model for an enterprise requires strategic-
level security management competencies in combination with the use of
appropriate security standards and frameworks (e.g., NIST, ISO, CSA) and the
adoption of a governance framework (e.g., COBIT). The first step is to visualize
the overall governance structure, inherent components, and to direct its effective
design and implementation.
 The use of appropriate security standards and frameworks allow for a minimum
standard of security controls to be implemented in the cloud, while also
meeting customer and regulatory compliance obligations where applicable.
 A governance framework provides referential guidance and best practices for
establishing the governance model for security in the cloud.
Cloud Computing (KCS-713)

 The following represents key objectives to pursue in establishing a governance


model for security in the cloud. These objectives assume that appropriate
security standards and a governance framework have been chosen based on the
enterprise’s business targets, customer profile, and obligations for protecting
data and other information assets in the cloud environment.
 Strategic Alignment
Enterprises should mandate that security investments, services, and
projects in the cloud are executed to achieve established business goals
(e.g., market competitiveness, financial, or operational performance).

 Value Delivery
Enterprises should define, operationalize, and maintain an appropriate security
function/organization with appropriate strategic and tactical representation, and
charged with the responsibility to maximize the business value (Key Goal
Indicators, ROI) from the pursuit of security initiatives in the cloud.

 Risk Mitigation
Security initiatives in the cloud should be subject to measurements that
gauge effectiveness in mitigating risk to the enterprise (Key Risk Indicators).
These initiatives should also yield results that progressively demonstrate a
reduction in these risks over time.

 Effective Use of Resources
It is important for enterprises to establish a practical operating model for
managing and performing security operations in the cloud, including the
proper definition and operationalization of processes to be completed, the
institution of appropriate roles and responsibilities, and use of relevant tools
for overall efficiency and effectiveness.

 Sustained Performance
Security initiatives in the cloud should be measurable in terms of performance,
value and risk to the enterprise (Key Performance Indicators, Key Risk
Indicators), and yield results that demonstrate attainment of desired targets
(Key Goal Indicators) over time.

IAM (Identity & Access Management)

 Identity and access management (IAM) is a framework of business processes,
policies and technologies that facilitates the management of electronic or digital
identities. With an IAM framework in place, information technology (IT) managers
can control user access to critical information within their organizations.
 Systems used for IAM include single sign-on systems, two-factor authentication,
multifactor authentication and privileged access management. These
technologies also provide the ability to securely store identity and profile data as
well as data governance functions to ensure that only data that is necessary and
relevant is shared.
 IAM systems can be deployed on premises, provided by a third-party vendor
through a cloud-based subscription model or deployed in a hybrid model.
 On a fundamental level, IAM encompasses the following components:
 how individuals are identified in a system (understand the difference between
identity management and authentication);
 how roles are identified in a system and how they are assigned to individuals;
 adding, removing and updating individuals and their roles in a system;
 assigning levels of access to individuals or groups of individuals; and
 protecting the sensitive data within the system and securing the system itself.

Basic components of IAM

 An IAM framework enables IT to control user access to critical information within
their organizations. IAM products offer role-based access control, which lets
system administrators regulate access to systems or networks based on the
roles of individual users within the enterprise.

 In this context, access is the ability of an individual user to perform a specific
task, such as view, create or modify a file. Roles are defined according to job,
authority and responsibility within the enterprise.

 IAM systems should do the following: capture and record user login information,
manage the enterprise database of user identities, and orchestrate the
assignment and removal of access privileges.

 That means systems used for IAM should provide a centralized directory service
with oversight and visibility into all aspects of the company user base.

 Digital identities are not just for humans; IAM can manage the digital identities of
devices and applications to help establish trust.

 In the cloud, IAM can be handled by authentication as a service or identity as a
service (IDaaS). In both cases, a third-party service provider takes on the burden
of authenticating and registering users, as well as managing their information.

Benefits of IAM

 IAM technologies can be used to initiate, capture, record and manage user
identities and their related access permissions in an automated manner. This
brings an organization the following IAM benefits:

 Access privileges are granted according to policy, and all individuals and
services are properly authenticated, authorized and audited.

 Companies that properly manage identities have greater control of user
access, which reduces the risk of internal and external data breaches.

 Automating IAM systems allows businesses to operate more efficiently by
decreasing the effort, time and money that would be required to manually
manage access to their networks.

 In terms of security, the use of an IAM framework can make it easier to
enforce policies around user authentication, validation and privileges, and
address issues regarding privilege creep.

 IAM systems help companies better comply with government regulations by
allowing them to show corporate information is not being misused.
Companies can also demonstrate that any data needed for auditing can be
made available on demand.

 Companies can gain competitive advantages by implementing IAM tools and
following related best practices. For example, IAM technologies allow the
business to give users outside the organization, such as customers, partners,
contractors and suppliers, access to its network across mobile applications, on-
premises applications and SaaS without compromising security. This enables
better collaboration, enhanced productivity, increased efficiency and reduced
operating costs.

IAM technologies and tools

 IAM technologies are designed to simplify the user provisioning and account
setup process. These systems should reduce the time it takes to complete these
processes with a controlled workflow that decreases errors and the potential for
abuse while allowing automated account fulfillment.

 An IAM system should also allow administrators to instantly view and
change evolving access roles and rights.

 These systems should balance the speed and automation of their processes with
the control that administrators need to monitor and modify access rights.
Consequently, to manage access requests, the central directory needs an
access rights system that automatically matches employee job titles, business
unit identifiers and locations to their relevant privilege levels.

 Multiple review levels can be included as workflows to enable the proper
checking of individual requests. This simplifies setting up appropriate review
processes for higher-level access as well as easing reviews of existing rights to
prevent privilege creep, which is the gradual accumulation of access rights
beyond what users need to do their jobs.

 IAM systems should be used to provide flexibility to establish groups with specific
privileges for specific roles so that access rights based on employee job
functions can be uniformly assigned. The system should also provide request
and approval processes for modifying privileges because employees with the
same title and job location may need customized, or slightly different, access.
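The points made in the "Basic components of IAM" and "IAM technologies and tools" sections above (role-based access control, a central directory that matches job titles to privilege levels, a multi-level request and approval workflow, and reviews that catch privilege creep) can be seen together in one small model. The following is an added example written for these notes, not code from the notes or from any IAM product; every role, permission, job title and employee in it is constructed sample data.

```python
"""Role-based access control with automatic role assignment from job title,
a multi-level access-request workflow and a privilege-creep review. Added
illustration for the IAM section of these notes, not code from the notes;
every role, permission, title and employee below is constructed sample data."""
from dataclasses import dataclass, field

# Role catalogue: role name -> permissions it carries (constructed)
ROLE_PERMISSIONS = {
    "employee":  {"mail:read", "mail:send", "wiki:read"},
    "developer": {"repo:read", "repo:write", "ci:run"},
    "finance":   {"ledger:read", "ledger:write"},
    "admin":     {"iam:manage", "repo:admin"},
}
# Job title -> roles: the automatic title-to-privilege matching the notes
# describe for the central directory (constructed)
TITLE_ROLES = {
    "Software Engineer": {"employee", "developer"},
    "Accountant":        {"employee", "finance"},
    "IT Administrator":  {"employee", "admin"},
}

@dataclass
class User:
    uid: str
    title: str
    roles: set = field(default_factory=set)
    # Approved exceptions: permission -> job title held when it was approved
    exceptions: dict = field(default_factory=dict)

class Directory:
    """Central directory: identities, roles, audit trail, access decisions."""

    def __init__(self):
        self.users = {}
        self.audit_log = []  # every provisioning, request and access decision

    def _log(self, event, uid, detail):
        self.audit_log.append((event, uid, detail))

    def provision(self, uid, title):
        """Joiner: create the identity and derive its roles from the title."""
        self.users[uid] = User(uid, title, set(TITLE_ROLES.get(title, {"employee"})))
        self._log("provision", uid, sorted(self.users[uid].roles))

    def change_title(self, uid, new_title):
        """Mover: re-derive roles; exceptions stay until the review catches them."""
        user = self.users[uid]
        user.title = new_title
        user.roles = set(TITLE_ROLES.get(new_title, {"employee"}))
        self._log("title_change", uid, sorted(user.roles))

    def request_access(self, uid, permission, approvals):
        """Multi-level review: every approver in the chain must say yes."""
        approved = bool(approvals) and all(approvals.values())
        if approved:
            self.users[uid].exceptions[permission] = self.users[uid].title
        self._log("request", uid, (permission, approved))
        return approved

    def deprovision(self, uid):
        """Leaver: remove the identity so no access survives."""
        self.users.pop(uid, None)
        self._log("deprovision", uid, None)

    def role_permissions(self, uid):
        perms = set()
        for role in self.users[uid].roles:
            perms |= ROLE_PERMISSIONS[role]
        return perms

    def check_access(self, uid, permission):
        """Authorization decision; unknown (deprovisioned) users are denied."""
        allowed = uid in self.users and (permission in self.role_permissions(uid)
                                         or permission in self.users[uid].exceptions)
        self._log("access", uid, (permission, allowed))
        return allowed

    def privilege_creep_report(self):
        """Exceptions approved under a previous title that current roles do not cover."""
        report = {}
        for uid, user in self.users.items():
            stale = sorted(p for p, granted_as in user.exceptions.items()
                           if granted_as != user.title
                           and p not in self.role_permissions(uid))
            if stale:
                report[uid] = stale
        return report

def run_demo():
    """Joiner / request / mover / leaver walk-through; returns the findings."""
    d = Directory()
    d.provision("alice", "Software Engineer")
    d.provision("bob", "Accountant")
    d.request_access("alice", "ledger:read", {"manager": True, "data_owner": True})
    d.request_access("bob", "repo:write", {"manager": True, "security": False})
    d.change_title("alice", "IT Administrator")  # ledger access now unjustified
    creep = d.privilege_creep_report()
    d.deprovision("bob")
    return {"creep": creep, "bob_after": d.check_access("bob", "mail:read")}
```

The design choice worth noticing is that an approved exception records the job title under which it was granted. That is what lets the review distinguish a legitimate, documented exception from creep: after a job change the exception's justification no longer matches the user's current role, so the report lists it for revocation, while the audit log keeps every provisioning, approval and access decision for later inspection.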

Security Standards for Cloud

 Cloud security standards and their support by prospective cloud service
providers and within the enterprise should be a critical area of focus for cloud
service customers. The benefits of supporting key security standards are
numerous:
 Standards promote interoperability, eliminating vendor lock-in and
making it simpler to transition from one cloud service provider to another.
 Standards facilitate hybrid cloud computing by making it easier to
integrate on-premises security technologies with those of cloud service
providers.

 Standards provide a level of assurance that critical best practices are
being followed both internally within an enterprise and by cloud service
providers; certifications are available for several security standards.
 Standards support provides an effective means by which cloud service
customers can compare and contrast cloud service providers.
 Standards support enables an easier path to regulatory compliance.
 As cloud service customers assess the security standards support of their cloud
service providers, it is important to understand and distinguish the different types
of security standards that exist:
 Advisory standards. These standards are meant to be interpreted and
applied to all types and sizes of organization according to the particular
information security risks they face.
 In practice, this flexibility gives users a lot of latitude to adopt the
information security controls that make sense to them, but it makes such
standards unsuitable for the relatively straightforward compliance testing
implicit in most formal certification schemes.
 Security frameworks. Security frameworks define specific policies,
controls, checklists, and procedures along with processes for examining
support that can be used by auditors to assess and measure a service
provider’s conformance.
 Standards specifications. These types of security standards specifically
define APIs, data structures and communication protocols that must be
implemented to claim support for the standard.

Cloud Security Standards Guidance

 As customers transition their applications and data to use cloud computing, it is
critically important that the level of security provided in the cloud environment be
equal to or better than the security provided by their non-cloud IT environment.

 Failure to ensure appropriate security protection could ultimately result in higher
costs and potential loss of business, thus eliminating any of the potential benefits
of cloud computing.

The CSCC Security for Cloud Computing:

There is a series of ten steps that cloud service customers should take to
evaluate and manage the security of their cloud environment with the goal of
mitigating risk and delivering an appropriate level of support. The following steps
are discussed in detail:
1. Ensure effective governance, risk and compliance processes exist
2. Audit operational and business processes
3. Manage people, roles and identities
4. Ensure proper protection of data and information
5. Enforce privacy policies
6. Assess the security provisions for cloud applications
7. Ensure cloud networks and connections are secure
8. Evaluate security controls on physical infrastructure and facilities
9. Manage security terms in the cloud service agreement
10. Understand the security requirements of the exit process
