Subject Name:- Cloud Computing

Subject Code:- KCS-713

1
 Content
1:- Security Overview
2:-Cloud Security Challenges

2
 1. Security Overview
• Cloud service providers are leveraging
virtualization technologies combined with self-
service capabilities for computing resources
via the Internet.
• In these service provider environments, virtual
machines from multiple organizations have to
be co-located on the same physical server in
order to maximize the efficiencies of
virtualization.
3
• Cloud service providers must learn from the
managed service provider (MSP) model and
ensure that their customers’ applications and data
are secure if they hope to retain their customer
base and competitiveness.
• Today, enterprises are looking toward cloud
computing horizons to expand their on-premises
infrastructure, but most cannot afford the risk of
compromising the security of their applications
and data.
4
• IDC recently conducted a survey (see Figure 1)
of 244 IT executives/CIOs and their line-of-
business (LOB) colleagues to gauge their
opinions and understand their companies’ use
of IT cloud services.
• Security ranked first as the greatest challenge
or issue of cloud computing.

5
Figure 1: Results of IDC survey ranking security challenges.

6
Cloud computing service provider models review

7
• Inspired by the IT industry’s move toward SaaS,
in which software is not purchased but rented
as a service from providers.
• IT-as-a-Service (ITaaS) is being proposed to take this
concept further, to bring the service model right to
your IT infrastructure.
• There are some key financial benefits in moving to
an ITaaS model, such has not having to incur capital
costs; having a transparent, monthly pricing plan;
scalability; and reasonable costs of expansion.
8
• Operational benefits of ITaaS include increased
reliability because of a centralized infrastructure,
which can ensure that critical services and
applications are monitored continually; software
flexibility, with centrally maintained products that
allow for quick rollout of new functionalities and
updates; and data security, since company data
can be stored on owner-managed premises and
backed up using encryption to a secure off-site
data center.
9
• On the surface, it appears that XaaS is a
potentially game-changing technology that
could reshape IT.
• However, most CIOs still depend on internal
infrastructures because they are not
convinced that cloud computing is ready for
prime time.

10
• IT executives fear their data won’t be safe in
the hands of cloud providers and that they
won’t be able to manage cloud resources
effectively.
• They may also worry that the new technology
will threaten their own data centers and staff.
• Collectively, these fears tend to hold back
the cloud computing market.

11
• Moving critical applications and sensitive data to
public and shared cloud environments is of great
concern for those corporations that are moving
beyond their data center’s network perimeter defense.
• To alleviate these concerns, a cloud solution provider
must ensure that customers will continue to have the
same security and privacy controls over their
applications and services, provide evidence to
customers that their organization and customers are
secure and they can meet their service-level
agreements, and that they can prove compliance to
auditors.
12
 2. Cloud Security Challenges
• In the cloud, you lose control over assets in
some respects, so your security model must
be reassessed.
• Enterprise security is only as good as the least
reliable partner, department, or vendor.
• Can you trust your data to your service
provider?

13
• With the cloud model, you lose control over physical
security.
• In a public cloud, you are sharing computing resources
with other companies.
• In a shared pool outside the enterprise, you don’t have
any knowledge or control of where the resources run.
• Exposing your data in an environment shared with
other companies could give the government
“reasonable cause” to seize your assets because
another company has violated the law.

14
• Storage services provided by one cloud vendor may
be incompatible with another vendor’s services
should you decide to move from one to the other.
• Vendors are known for creating what the hosting world
calls “sticky services”—services that an end user
may have difficulty transporting from one cloud
vendor to another
• (e.g., Amazon’s “Simple Storage Service” [S3] is
incompatible with IBM’s Blue Cloud, or Google, or
Dell).
15
• If information is encrypted while passing through the
cloud, who controls the encryption/decryption keys?
• Is it the customer or the cloud vendor?
• Most customers probably want their data encrypted
both ways across the Internet using SSL (Secure Sockets
Layer protocol). They also most likely want their data
encrypted while it is at rest in the cloud vendor’s storage
pool.
• Be sure that you, the customer, control the
encryption/decryption keys, just as if the data were still
resident on your own servers.
16
• Data integrity means ensuring that data is identically
maintained during any operation (such as transfer,
storage, or retrieval).
• Put simply, data integrity is assurance that the data is
consistent and correct.
• Ensuring the integrity of the data really means that it
changes only in response to authorized transactions.
• This sounds good, but we must remember that a
common standard to ensure data integrity does not
yet exist.
17
• Cloud applications undergo constant feature additions,
and users must keep up to date with application
improvements to be sure they are protected.
• The speed at which applications will change in the cloud
will affect both the SDLC and security.
• For example, Microsoft’s SDLC assumes that mission-
critical software will have a three- to five-year period in
which it will not change substantially, but the cloud
may require a change in the application every few
weeks.

18
• Even worse, a secure SDLC will not be able to
provide a security cycle that keeps up with
changes that occur so quickly.
• This means that users must constantly
upgrade, because an older version may not
function, or protect the data.

19
• Having proper fail-over technology is a
component of securing the cloud that is often
overlooked.
• The company can survive if a non-mission
critical application goes offline, but this may
not be true for mission-critical applications.

20
• Security needs to move to the data level, so
that enterprises can be sure their data is
protected wherever it goes.
• Sensitive data is the domain of the
enterprise, not the cloud computing provider.
One of the key challenges in cloud computing
is data-level security.

21
• Most compliance standards do not envision
compliance in a world of cloud computing.
• There is a huge body of standards that apply
for IT security and compliance, governing most
business interactions that will, over time, have
to be translated to the cloud.
• Many compliance regulations require that
data not be intermixed with other data, such
as on shared servers or databases.
22
• Some countries have strict limits on what data about
its citizens can be stored and for how long,
and some banking regulators require that customers’
financial data remain in their home country.
• Compliance with government regulations such as the
Sarbanes-Oxley Act (SOX), the Gramm-Leach-Bliley
Act (GLBA), and the Health Insurance Portability and
Accountability Act (HIPAA), and industry standards
such as the PCI DSS, will be much more challenging in
the SaaS environment.
23
• There is a perception that cloud computing
removes data compliance responsibility;
however, it should be emphasized that the
data owner is still fully responsible for
compliance.
• Those who adopt cloud computing must
remember that it is the responsibility of the
data owner, not the service provider, to
secure valuable data.
24
• Cloud-based services will result in many
mobile IT users accessing business data and
services without traversing the corporate
network.
• This will increase the need for enterprises to
place security controls between mobile users
and cloud-based services.

25
• Placing large amounts of sensitive data in a
globally accessible cloud leaves organizations
open to large distributed threats—attackers
no longer have to come onto the premises
to steal data, and they can find it all in the
one “virtual” location.
• Virtualization efficiencies in the cloud require
virtual machines from multiple organizations to
be co-located on the same physical resources.
26
• Although traditional data center security still
applies in the cloud environment, physical
segregation and hardware-based security
cannot protect against attacks between
virtual machines on the same server.
• Administrative access is through the Internet
rather than the controlled and restricted direct
or on-premises connection that is adhered to in
the traditional data center model.
27
• This increases risk and exposure and will require
stringent monitoring for changes in system control
and access control restriction.
• The dynamic and fluid nature of virtual machines
will make it difficult to maintain the consistency
of security and ensure the auditability of records.
• The ease of cloning and distribution between
physical servers could result in the propagation of
configuration errors and other vulnerabilities.

28
• The co-location of multiple virtual machines
increases the attack surface and risk of virtual
machine-to-virtual machine compromise.
• Localized virtual machines and physical servers
use the same operating systems as well as
enterprise and web applications in a cloud
server environment, increasing the threat of an
attacker or malware exploiting vulnerabilities
in these systems and applications remotely.
29
• Virtual machines are vulnerable as they move
between the private cloud and the public
cloud.
• A fully or partially shared cloud environment
is expected to have a greater attack surface
and therefore can be considered to be at
greater risk than a dedicated resources
environment.

30
• Operating system and application files are on
a shared physical infrastructure in a
virtualized cloud environment and require
system, file, and activity monitoring to provide
confidence and auditable proof to enterprise
customers that their resources have not been
compromised or tampered with.

31
• In the cloud computing environment, the
enterprise subscribes to cloud computing
resources, and the responsibility for patching is
the subscriber’s rather than the cloud computing
vendor’s.
• The need for patch maintenance vigilance is
imperative. Lack of due diligence in this regard
could rapidly make the task unmanageable or
impossible, leaving you with “virtual patching” as
the only alternative.
32
• Enterprises are often required to prove that their
security compliance is in accord with regulations,
standards, and auditing practices, regardless of the
location of the systems at which the data resides.
• Data is fluid in cloud computing and may reside in
on-premises physical servers, on-premises virtual
machines, or off-premises virtual machines running
on cloud computing resources, and this will require
some rethinking on the part of auditors and
practitioners alike.
33
• In the rush to take advantage of the benefits of
cloud computing, not least of which is significant
cost savings, many corporations are likely rushing
into cloud computing without a serious
consideration of the security implications.
• To establish zones of trust in the cloud, the virtual
machines must be self-defending, effectively
moving the perimeter to the virtual machine itself.

34
• Enterprise perimeter security (i.e., firewalls,
demilitarized zones [DMZs], network segmentation,
intrusion detection and prevention systems
[IDS/IPS], monitoring tools, and the associated
security policies) only controls the data that
resides and transits behind the perimeter.
• In the cloud computing world, the cloud
computing provider is in charge of customer
data security and privacy.

35
 Important Questions
Q1. What are cloud security challenges?
Q2: How is security provided to data at various stages in
context of cloud?
Q3: What are the best practices to overcome the security
challenges in cloud computing?

36
 References
Text Books:-
• 1. Kai Hwang, Geoffrey C. Fox, Jack G.
Dongarra, “Distributed and Cloud Computing,
From Parallel Processing to the Internet of
Things”, Morgan Kaufmann Publishers, 2012.
• 2. Rittinghouse, John W., and James F.
Ransome, ―Cloud Computing:
Implementation, Management and Security,
CRC Press, 2017.
37
Thank You

38