Cloud Computing Notes

Unit -5th
(Security, Standards and Applications)

Introduction to Cloud Security

Cloud Security refers to a set of practices, policies, technologies, and controls
deployed to protect data, applications, and the associated infrastructure of
cloud computing. It ensures secure access to cloud-based systems and protects
them from internal and external cyber threats.
Cloud security is essential because cloud environments involve shared resources
and multi-tenant models, which expose data and applications to a broader range
of vulnerabilities. As organizations move more critical operations and sensitive
information to the cloud, the need for strong security mechanisms becomes vital
to prevent data breaches, unauthorized access, data loss, and service
disruptions.
Key objectives of cloud security include:
Maintaining data confidentiality, integrity, and availability
Securing access to cloud services
Ensuring regulatory compliance
Protecting against malware, attacks, and data leaks

Basic Security Concepts

Confidentiality
It ensures that only authorized users and systems have access to sensitive data.
In the cloud, confidentiality is maintained through encryption, authentication,
and access controls.
Integrity
Refers to the assurance that data is not altered or tampered with during storage
or transmission. Techniques such as hashing, checksums, and digital signatures
help maintain data integrity in the cloud.
Availability
Ensures that cloud services and data are accessible whenever needed. It involves
measures like load balancing, fault tolerance, redundancy, and disaster recovery
mechanisms to prevent downtime.

Threat Models in Cloud Environments

Threat modeling helps identify potential vulnerabilities and attack vectors in a
cloud system. Common threat models include:
Insider threats: Malicious insiders or careless employees exposing data
Data breaches: Unauthorized access or theft of data
Denial of Service (DoS) attacks: Overloading systems to cause outages
Man-in-the-middle attacks: Intercepting data during transmission
VM escape attacks: Virtual machine breaches due to hypervisor flaws
Understanding these threats helps design robust security strategies to counter
them.
Security Responsibilities: In cloud computing, security is a shared responsibility
between the cloud service provider (CSP) and the customer (user). The division
of responsibilities depends on the cloud service model (IaaS, PaaS, SaaS).
Cloud Provider Responsibilities:
Physical security of data centers
Hypervisor and infrastructure security
Compliance certifications and service availability
Customer Responsibilities:
Securing data stored or processed in the cloud
Managing user access and identity
Ensuring application-level security
Encrypting sensitive information
For example, in SaaS, the provider handles most of the security, while in IaaS,
users must manage more of the security aspects themselves.

Cloud Security Challenges

1. Data Breaches and Privacy Issues
Data breaches involve unauthorized access to sensitive cloud-hosted
information. Such incidents can lead to financial loss, reputation damage, and
legalconsequences.
Cloud environments are attractive targets due to the massive amount of
personal, financial, and corporate data they hold. Privacy laws like GDPR and
HIPAA require strict controls over how data is accessed, stored, and shared.
Without proper encryption, access control, and monitoring, data in the cloud
becomes highly vulnerable to unauthorized access or exposure.
2. Multi-Tenancy and Isolation
Cloud providers host data from multiple users or organizations on shared
infrastructure. This multi-tenancy introduces a risk where a flaw in the isolation
mechanism can allow one tenant to access another tenant’s data.
Challenges include:
Side-channel attacks from co-resident VMs
Improper sandboxing or isolation
Resource contention leading to performance degradation or data leakage
To address these risks, cloud systems must enforce strong logical and physical
isolation techniques using hypervisors, containers, and virtual firewalls.

3. Compliance and Legal Concerns

Organizations must follow industry-specific regulations and compliance
standards (e.g., GDPR, ISO 27001, PCI-DSS). In cloud environments, data
location, access, and ownership often become unclear, leading to:
Jurisdictional issues if data is stored in another country
Lack of visibility into provider controls
Difficulty in performing audits and ensuring data residency
Cloud providers must offer tools and documentation to help users meet their
compliance obligations.

4. Identity and Access Management (IAM) Issues

IAM is critical to ensuring that only authorized users can access cloud
resources. Improper IAM configurations can result in:
Over-privileged accounts
Weak authentication mechanisms
Unmonitored access logs
Credential leakage or reuse
Organizations must enforce principles of least privilege, use multi-factor
authentication (MFA), and regularly review and update access control policies.

5. Insecure APIs
Application Programming Interfaces (APIs) are used to manage and integrate
cloud services. However, insecure APIs can serve as entry points for attackers if
not properly designed and protected.
Common API vulnerabilities include:
Lack of authentication
Improper input validation
Exposed sensitive data in responses
Poorly documented or unpatched APIs
Secure API development practices include using OAuth 2.0, rate limiting, and
continuous API monitoring for anomalies.

Security in Software as a Service (SaaS)

Software as a Service (SaaS) is a cloud computing model in which software
applications are delivered over the internet and managed by a third-party
provider. Users access SaaS applications using a web browser, and they do not
manage or control the underlying infrastructure or application code.
Security Implications:
Data Centralization: Since all user data is stored in the provider’s infrastructure,
a breach can impact multiple customers.
Multi-Tenancy: Users share the same application instance, increasing the risk of
unauthorized access if isolation fails.
Limited User Control: Customers depend on the provider’s security mechanisms
and configurations.
Automatic Updates: While beneficial, automatic updates can introduce
vulnerabilities if not thoroughly tested.

Access Control Mechanisms in SaaS

Access control is critical in SaaS environments due to the shared nature of
resources. Effective access control ensures that only authorized users can access
specific functionalities and data.
Types of Access Control Mechanisms:
Role-Based Access Control (RBAC): Permissions are granted based on user roles
(e.g., admin, editor, viewer).
Attribute-Based Access Control (ABAC): Decisions are made based on attributes
such as user location, device, or time.
Multi-Factor Authentication (MFA): Adds an extra layer of security by requiring
two or more forms of identity verification.
Session Management: Ensures session timeout and re-authentication to
prevent unauthorized access through idle sessions.

Data Encryption at Rest and in Transit

Encryption is a core component of cloud security that protects data
confidentiality.
Encryption at Rest: Protects data stored on disk, databases, or storage systems.
Techniques include file-level or disk-level encryption using keys managed by the
cloud provider or the user.
Encryption in Transit: Protects data during transfer between client devices and
cloud servers using protocols like HTTPS, TLS, and SSL.
Key Considerations:
Use of strong encryption algorithms (e.g., AES-256)
Key Management Systems (KMS) for secure generation and storage of
cryptographic keys
Ensuring end-to-end encryption in SaaS integrations and third-party APIs

Vendor Lock-In and Data Portability Issues

Vendor lock-in occurs when a customer becomes dependent on a specific cloud
provider's tools, making it difficult to switch providers without significant cost
or effort.
Risks and Challenges:
Proprietary data formats that hinder export/migration
Limited interoperability between platforms
High switching costs due to custom integrations and features
Security Concerns:
Difficulty ensuring data security during migration
Uncertainty about data deletion after service termination
Potential data exposure during transfer to a new platform

Mitigation Strategies:
Use open standards and APIs
Ensure providers support data export tools
Review contractual terms regarding data ownership and portability
Security Audit and Monitoring in SaaS
Security audits and monitoring are essential to detect and prevent security
incidents in SaaS platforms.
Auditing Includes:
Review of access logs, configuration settings, and user activity
Vulnerability assessments and penetration testing
Compliance checks with industry standards like ISO 27001, SOC 2, GDPR
Monitoring Tools and Techniques:
Real-time alert systems for abnormal activity
Integration with Security Information and Event Management (SIEM) tools
Automated logging of user access, file sharing, and permission changes

Cloud Security
Authentication and Authorization
Authentication verifies the identity of a user or system, while authorization
determines what resources they are allowed to access.
Encryption Techniques and Key Management
Encryption Techniques:
Symmetric Encryption: Same key for encryption and decryption (e.g., AES)
Asymmetric Encryption: Uses public and private key pairs (e.g., RSA)
Hashing: Irreversible transformation used for password storage (e.g., SHA-256)
Key Management:
Use Key Management Services (KMS) like AWS KMS, Azure Key Vault
Rotate encryption keys regularly
Separate duties: those who manage keys should not access the data
Use Hardware Security Modules (HSM) for higher protection
Role of Firewalls and Intrusion Detection Systems (IDS)
Firewalls and IDS provide a line of defense against unauthorized access and
threats.
Cloud Firewalls (Web Application Firewalls - WAF): Protect web applications
from common exploits such as SQL injection, XSS
Network Firewalls: Control inbound/outbound traffic based on rules
Intrusion Detection Systems (IDS): Monitor for suspicious activity, raise alerts
Intrusion Prevention Systems (IPS): Actively block threats in real-time
Cloud-native tools: AWS Shield, Azure Defender, Google Cloud Armor

Secure Software Development Life Cycle (SDLC) in Cloud Apps

Secure SDLC integrates security practices into each phase of software
development.
Key Phases:
Requirements: Define security requirements
Design: Threat modeling and architecture risk analysis
Implementation: Use secure coding standards (e.g., OWASP)
Testing: Perform static/dynamic code analysis and penetration testing
Deployment: Configure securely and patch regularly
Maintenance: Monitor, audit, and continuously improve security

Introduction to Cloud Standards

Need for Standardization in Cloud Computing
Cloud computing involves multiple providers, platforms, and technologies, each
with its own formats and interfaces. Without standardization, integrating
services or moving between providers becomes complex and error-prone.
Standardization in cloud computing means creating agreed-upon protocols,
formats, and practices to ensure interoperability, compatibility, security, and
portability across different cloud platforms.

Benefits of cloud standardization include:

Simplified integration between services and providers
Reduced vendor lock-in and improved data portability
Better security and compliance enforcement
Easier development of cloud-native applications
Support for hybrid and multi-cloud strategies

Types of Cloud Standards

Technical Standards:
Define how data is structured, stored, and transferred.
Examples: APIs, virtualization formats, network protocols.
Used to achieve interoperability across platforms.
Operational Standards:
Govern service delivery, monitoring, logging, and compliance.
Include service-level agreements (SLAs), audit trails, and incident management.
Help ensure reliable and measurable service quality.
Legal/Regulatory Standards:
Cover privacy, data protection, and jurisdictional issues.
Examples: GDPR (Europe), HIPAA (USA), IT Act (India).
Providers must comply with applicable legal frameworks depending on data
location and use.

Overview of Standard Development Organizations (SDOs)

SDOs are global or industry-specific bodies that define, promote, and maintain
cloud computing standards. These organizations work with vendors,
government bodies, and researchers to develop standards that ensure security,
interoperability, and open access in cloud computing.
Some key SDOs include:
ISO/IEC (International Organization for Standardization):
Develops international cloud standards (e.g., ISO/IEC 17788 for cloud
terminology).
IEEE (Institute of Electrical and Electronics Engineers):
Works on cloud interoperability and architecture guidelines.
NIST (National Institute of Standards and Technology):
Provides the U.S. government’s official cloud definition and security guidelines.
DMTF (Distributed Management Task Force):
Focuses on management and virtualization standards.
OASIS (Organization for the Advancement of Structured Information Standards):
Works on security protocols like SAML and XACML.
Open Cloud Consortium (OCC):
Promotes open standards, open data, and cloud research.
Distributed Management Task Force (DMTF)

Introduction and Purpose of DMTF

The Distributed Management Task Force (DMTF) is an industry standards
organization that develops, maintains, and promotes standards for systems
management and cloud interoperability. It aims to simplify and unify the
management of IT systems across diverse environments by defining
interoperable standards and technologies. DMTF plays a vital role in enabling
effective and secure management of computing resources in physical, virtual,
and cloud environments.
Key Standards: CIM, WBEM, etc.
CIM (Common Information Model): A conceptual framework that defines how
managed elements in an IT environment are represented. CIM allows consistent
modeling of devices and services regardless of manufacturer.
WBEM (Web-Based Enterprise Management): A set of technologies based on
CIM that enable the management of systems through web protocols.
SMASH, DASH, and Redfish: Other important DMTF protocols for server and
hardware management.
Impact on Cloud Interoperability
DMTF standards improve cloud interoperability by ensuring:
Standardized communication between cloud services and platforms.
Seamless integration across vendor-specific solutions.
Enhanced automation in hybrid and multi-cloud environments.

Standards for Application Developers

Importance of Standard APIs
Standard APIs (Application Programming Interfaces) provide consistent ways for
software components to interact. They are crucial for cloud environments
because:
They allow developers to build applications that work across multiple cloud
platforms.
They reduce development complexity and learning curves.
They promote faster development cycles and innovation.
Portability and Vendor Lock-In Issues
Portability refers to the ability to move applications and data across cloud
platforms without significant changes.
Vendor lock-in occurs when a customer becomes overly dependent on a single
cloud provider’s services, making it difficult to switch.
Using open standards helps avoid lock-in by enabling compatibility with multiple
providers.
Open API Standards and Frameworks
OpenStack APIs: Used in open-source cloud infrastructure.
OpenAPI Specification (formerly Swagger): Allows developers to describe and
document RESTful APIs.
Cloud Native Computing Foundation (CNCF): Supports open and interoperable
cloud-native technologies.

Standards for Messaging in Cloud

Messaging Protocols and Formats
Messaging is vital for communication between cloud services and applications.
Common messaging protocols include:
SOAP (Simple Object Access Protocol): An XML-based protocol for exchanging
structured information in web services.
REST (Representational State Transfer): A lightweight protocol using HTTP
methods for web communication.
MQTT (Message Queuing Telemetry Transport): A lightweight protocol ideal for
IoT devices and real-time messaging.
AMQP (Advanced Message Queuing Protocol): An open standard for message-
oriented middleware used in enterprise messaging.

Interoperability and Message Security

Interoperability ensures that different cloud systems can understand and
process messages regardless of the underlying platform or vendor.
Message Security involves encryption, authentication, and integrity checks to
prevent unauthorized access or tampering during message transmission.

Standards for Cloud Security

Key Standards
ISO/IEC 27001: A global standard for information security management systems
(ISMS).
NIST (National Institute of Standards and Technology): Provides guidelines and
standards like SP 800-53 for cloud and information system security.
CSA (Cloud Security Alliance): Offers best practices and the Cloud Controls
Matrix (CCM) for cloud-specific security.

Authentication and Authorization Protocols

Authentication confirms the identity of users (e.g., using usernames, passwords,
biometrics).
Authorization determines what actions authenticated users can perform (e.g.,
via Role-Based Access Control).
Protocols like OAuth 2.0, SAML, and OpenID Connect are commonly used in
cloud security for secure user management.

Role of Encryption Standards

Encryption protects sensitive data by converting it into unreadable code. Key
standards include:
AES (Advanced Encryption Standard): Used for data encryption at rest.
TLS (Transport Layer Security): Used for securing data in transit over networks.
These standards ensure confidentiality, integrity, and data protection across the
cloud infrastructure.
End-User Access to Cloud Computing
Methods of Accessing Cloud Services
End users can access cloud services
Web browsers (e.g., accessing Google Drive, Dropbox)
Desktop applications
Mobile apps
APIs integrated into other software

Security Risks at User Level

Weak passwords and credential theft
Phishing attacks
Unsecured devices or networks
Misconfigured access permissions
Secure Access Control and Identity Management
To enhance security:
Multi-Factor Authentication (MFA): Adds extra layers beyond just passwords.
Identity and Access Management (IAM): Tools and policies for managing user
identities and controlling access.
Single Sign-On (SSO): Allows users to access multiple services with one login,
improving both usability and security.

Mobile Internet Devices and the Cloud

Integration of Cloud and Mobile Technologies
Mobile internet devices (smartphones, tablets, etc.) are increasingly dependent
on cloud technologies to provide real-time access to data, applications, and
computing power. Cloud integration allows these devices to:
Store and sync data across platforms.
Run complex apps without needing powerful hardware.
Update and scale applications quickly.
This integration enhances mobility, productivity, and flexibility for users and
businesses alike.
Cloud Services for Mobile Apps
Cloud computing provides backend services for mobile apps such as:
Data storage (e.g., Firebase, iCloud)
Authentication and user management
Push notifications, file sharing, and media streaming
Real-time databases and analytics
These services enable developers to build scalable, responsive, and globally
accessible mobile applications with minimal infrastructure.
Security Concerns on Mobile-Cloud Interface
Data leakage: due to insecure cloud storage or app permissions
Device theft: risking exposure of login credentials and stored tokens
Insecure APIs: allowing unauthorized access
Public Wi-Fi vulnerabilities: increasing the chance of interception
To mitigate risks, encryption, secure authentication, mobile device management
(MDM), and secure API gateways are essential.

Introduction to Hadoop

Definition and Need for Hadoop

Hadoop is an open-source framework developed by Apache for distributed
storage and processing of large datasets using commodity hardware. It is
designed to handle Big Data — datasets that are too large or complex for
traditional databases.

Need arises from:

Rapid growth of data (structured and unstructured)
Need for high-speed data processing
Cost-effective scalability
Hadoop Ecosystem Overview
The Hadoop ecosystem consists of multiple tools and modules, including:
HDFS (Hadoop Distributed File System): For distributed data storage
MapReduce: For distributed data processing
YARN (Yet Another Resource Negotiator): For resource management
Hive, Pig, HBase, Sqoop, Zookeeper, Oozie: For querying, managing, and
orchestrating large-scale data
HDFS and MapReduce Basics
HDFS: Breaks large files into blocks and distributes them across a cluster,
providing fault tolerance and scalability.
MapReduce: A programming model for parallel processing of data using Map
(splitting tasks) and Reduce (aggregating results) functions.

MapReduce Framework
Components of MapReduce
Map Function: Takes input data and converts it into key-value pairs.
Shuffle and Sort: Intermediate key-value pairs are grouped and sorted by keys.
Reduce Function: Aggregates and processes the sorted data to produce the final
output.
How MapReduce Works
Input: Data is divided into blocks and processed in parallel.
Mapping Phase: Each block is handled by a mapper which outputs intermediate
key-value pairs.
Shuffling Phase: The framework collects and distributes the mapper output to
appropriate reducers.
Reducing Phase: Reducers process the data and generate the final result.
MapReduce is highly scalable, fault-tolerant, and efficient for batch processing
of big data.
Applications and Use Cases
Log analysis for large web applications
Data mining and recommendation engines
Bioinformatics and scientific data processing
Retail analytics, search indexing, and social media sentiment analysis
VirtualBox: Overview and Use in Cloud
What is VirtualBox?
VirtualBox is an open-source virtualization software developed by Oracle that
allows users to run multiple operating systems on a single physical machine. It
provides a platform to create and manage virtual machines (VMs), enabling test
environments, development setups, and isolated instances of OSes.

Features and Use in Virtualization

Cross-platform support (Windows, Linux, macOS, Solaris)
Snapshots: Save VM states for rollback
Virtual Networking: NAT, Bridged, Internal, Host-only
Shared Folders: For file sharing between host and guest
Cloning: Easily duplicate VM setups
Used extensively for:
Cloud application testing
OS simulation
Training and educational labs
Installing and Running VMs using VirtualBox
Download and install VirtualBox.
Create a new virtual machine and configure hardware settings (RAM, disk
space).
Mount the ISO file of the desired OS.
Install the OS inside the VM.
Boot and use the virtual machine like a physical system.

Google App Engine (GAE) and Its Programming Environment

Overview of Google App Engine
Google App Engine (GAE) is a Platform-as-a-Service (PaaS) offering by Google
Cloud Platform that allows developers to build and deploy applications without
managing the underlying infrastructure. It provides auto-scaling, load balancing,
and a fully managed runtime environment.

Supported Languages and SDKs

GAE supports:
Languages: Python, Java, PHP, Node.js, Go, Ruby, .NET
SDKs and Frameworks: Django, Flask, Spring, Express.js, etc.
Developers can use local SDKs for development and test deployment before
publishing to the cloud.
Creating and Deploying Apps on GAE
Develop the application using a supported language and framework.
Use app.yaml configuration file to define application settings.
Use Google Cloud SDK or Cloud Console to deploy the app.
GAE automatically scales resources and manages instances based on demand.
Benefits:
No need to manage servers
Built-in security and monitoring
Easy integration with other Google Cloud services (Datastore, Firestore,
Pub/Sub)