Unit 5 - Security in Cloud

Computing
● Risks in Cloud Computing: Risk Management, Enterprise-Wide Risk Management,
Types of Risks in Cloud Computing.
● Data Security in Cloud: Security Issues, Challenges, advantages, Disadvantages,
Cloud Digital persona and Data security, Content Level Security.
● Cloud Security Services: Confidentiality, Integrity and Availability, Security
Authorization Challenges in the Cloud, Secure Cloud Software Requirements, Secure
Cloud Software Testing.

● #Exemplar/Case Studies - Cloud Security Tool: Acunetix.

● *Mapping of Course - Outcomes for Unit V CO5

Cloud Security
● Protection of data

● Which is stored online, Via cloud computing platforms

● From - Theft, Leakage And Deletion

Methods of Providing Cloud Security -
● Firewalls
● Penetration Testing
● Tokenization
● VPN
● Avoiding public internet connections
● A firewall is - a network security device
○ that monitors incoming and outgoing network traffic
○ and decides whether to allow or block specific traffic
○ based on a defined set of security rules.

● Firewalls have been a first line of defense in network security for over 25 years.
● Penetration testing (or pen testing)
○ is a security exercise
○ where a cyber-security expert
○ attempts to find and exploit vulnerabilities in a computer system.

● The purpose of this simulated attack is

● to identify any weak spots in a system's defenses
● which attackers could take advantage of.
● Penetration testing, or "pentesting,"
○ is a simulated cyber attack
○ used to identify vulnerabilities in a system
○ before real attackers can exploit them.

○ It involves security experts

○ attempting to breach systems
○ to expose weaknesses
○ and improve security measures.
● Tokenization → is the process of → replacing sensitive data with unique
identification symbols
● These symbols retain all the essential information about the data,
● without compromising its security.

● Tokenization minimizes the amount of sensitive data

● has become a popular way for small and midsize businesses
● to bolster the security of credit card and e-commerce transactions
● Tokenization is used to protect →
○ credit card data,
○ bank account information
○ and other sensitive data handled by payment processors.

● Payment processing use cases that tokenize sensitive credit card information include the
following:
○ mobile wallets, such as Google Pay and Apple Pay;
○ e-commerce sites; and
○ businesses that keep customers' cards on file.
How tokenization works -
● Tokenization substitutes sensitive information with equivalent nonsensitive
information.
● The nonsensitive, replacement information is called a token.

Tokens can be created in the following ways:

● using a mathematically reversible cryptographic function with a key;
● using a nonreversible function, such as a hash function; or
● using an index function or randomly generated number.
As a result, the token becomes the exposed information, and the sensitive information that
the token stands in for is stored safely in a centralized server known as a token vault. The
token vault is the only place where the original information can be mapped back to its
corresponding token.
Here is one real-world example of how tokenization with a token vault works.
● A customer provides their payment details at a point-of-sale (POS) system or
online checkout form.
● The details, or data, are substituted with a randomly generated token, which is
generated in most cases by the merchant's payment gateway.
● The tokenized information is then encrypted and sent to a payment processor. The
original sensitive payment information is stored in a token vault in the merchant's
payment gateway. This is the only place where the token can be mapped to the
information it represents.
● The tokenized information is encrypted again by the payment processor before
being sent for final verification.
On the other hand, some tokenization is vaultless. Instead of storing the sensitive
information in a secure database, vaultless tokens are stored using an algorithm. If the
token is reversible, then the original sensitive information is generally not stored in a
vault.
In cybersecurity, tokenization replaces sensitive data with non-sensitive substitutes called tokens, enhancing
security by making the original data unreadable and unexploitable if breached.

Here's a more detailed explanation:

What is Tokenization?
● Tokenization is a data security technique that substitutes sensitive data elements with non-sensitive
equivalents, known as tokens.

● These tokens are unique identifiers that map back to the original data but have no inherent meaning
or value on their own.

● The original sensitive data is stored securely, separate from the tokens, in a secure vault or database.
How it Works
● When sensitive data needs to be used (e.g., for processing a payment), the system
requests the token instead of the actual data.
● The tokenization system then retrieves the original data from the secure vault, performs
the necessary operation, and then replaces the data with the token again.

Benefits of Tokenization
● Enhanced Security: Even if a system is breached, the tokens are meaningless, making
the sensitive data unreadable and unexploitable.
● Compliance: Tokenization can help organizations comply with data security regulations,
such as PCI DSS, by reducing the scope of data that needs to be protected.
● Reduced Risk: Tokenization minimizes the risk of data breaches and the potential
financial and reputational damage they can cause.
● Improved Customer Trust: By demonstrating a commitment to data security, tokenization
can build customer trust and confidence
● A Virtual Private Network (VPN)
● creates a secure, encrypted connection over a public network (like the
internet),
● enabling users to access a private network or the internet
● anonymously and securely
● A virtual private cloud (VPC)
● is a secure, isolated private cloud hosted within a public cloud.
● VPC customers can run code, store data, host websites, and do
anything else they could do in an ordinary private cloud,
● but the private cloud is hosted remotely by a public cloud provider.
● (Not all private clouds are hosted in this fashion.)
● VPCs combine the scalability and convenience of public cloud
computing with the data isolation of private cloud computing.
● Why Virtual Private Network?

● By using a VPN (Virtual Private Network) account

● User will be able to access the Internet
● through a secure encrypted connection
● and bypass restrictions in your country.

● No more restrictions on any website that you want to surf.

Cloud Security
Cloud Security refers to -
● Set of policies,
● Technological procedures
● Service
● And solutions

● Designed to support safe functionality

● When building, deploying and managing cloud based applications and
associated data
Cloud Security is designed to protect the following
1. Physical networks - routers, electrical power, cabling, climate control, etc.
2. Data storage - hard drives, etc.
3. Data servers - core network computing hardware and software
4. Computer virtualization frameworks - virtual machine software, host machines
and guest machines
5. Operating systems
6. Middleware - API management
7. Runtime Environments - execution and upkeep of a running program
8. Data - all the information stored, modified and accessed.
9. Applications - traditional software services - like - email, tax software,
productivity suits etc.
10. End user hardware - computers, mobile devices, IOT devices etc.
● Cloud computing security addresses both - physical and logical security issues

● Across all the different service models -

● SaaS, PaaS, IaaS.

● It also addresses -
● How these services are delivered in -
● public, private, hybrid and community delivery models
Risk Management
1. Used to balance - operational and economic costs
2. Used to identify, control and minimize the impact of uncertain events.
3. Reduces the risk of performing some activity - to an acceptable level

● Threat -
● is a cause of incident,
● that may result in harm to a system or an organization

● Vulnerability -
● is a weakness of a resource
● that can be exploited by one or more threats.
● Risk Control - determines what to do with uncontrolled risks.
Risk management process is as follows -

1. Define objective
2. Identify risk
3. Evaluate risk
4. Options and assortment of risk
5. Decision about implementation
6. Evolution and review
Six step risk administration process

Parameters Remarks

Define object ● Administration Program

Identify risk ● Check list, Flow chart

● Inspections
● Internal records

Evaluate risk ● Significant or insignificant risk

Options and assortment of risk ● How to deal with risk

Decision about implementation ● Methods

● Risks Remedy

Evolution and review ● Risk Administration

Types of Risks in Cloud Computing
1. Loss of Data -
○ Data stored on cloud servers can be lost through
○ a natural disaster, malicious attacks, or a data wipe by a service provider

2. Increased Customer Agitation (ग्राहकांचा वाढता उत्साह) -

○ Growing number of cloud service critics
○ Are keen to see which cloud providers have weak security protocols
○ And encourage customers to avoid them
3. Attacks to deny service to legitimate users

4. Shared vulnerabilities -
cloud security is responsibility of all concerned parties in a business agreement

5. Contracts with clients -

contracts restricts how clients use data and who is accessing it

6. Malware attacks
● Top threats identified by cloud security alliance (CSA) are -
1. Insecure interfaces and APIs -
2. Malicious insiders -
3. Shared technology issues -
4. Data loss or leakage -
5. Account or service hijacking -
1. Insecure interfaces and APIs

● APIs and Interfaces

● Are used by customers - To manage and interact with cloud services

● Provisioning, management, orchestration and monitoring

● are all performed using these interfaces.

● Remediation - Analyze the security model of cloud provider interfaces

2. Malicious insiders

● Administrator of the cloud services provider

● May give some wrong / incorrect service
● To the customer
● Intentionally.

● So the customer will get improper services and

● Will not be happy from the cloud service provider
3. Shared technology issues

● IaaS vendors deliver their services in a scalable way

● By sharing infrastructure

● Remediation -
1. implement security practices for installation/configuration.
2. Monitor environment for unauthorized changes / activity.
4. Data loss or leakage

● There are many ways to compromise data

● For ex. Deletion or alteration of records without backup

● Remediation - encrypt and protect data integrity in transit.

5. Account or service hijacking

● Attack methods such as -

● Phishing, fraud and exploitation of software vulnerabilities Still achieve results
● Credentials and password are often reused, Which amplifies the impact of
such attacks

● Remediation -
● Prohibit the sharing of account credentials between users and services
● Use two-factor authentication techniques
● Employ proactive monitoring to detect unauthorized activity
 Data Security in Cloud :
Security Issues and Challenges
● CC security challenges fall into 3 categories →
1. Data Protection :
● securing your data both at rest and in transit
● Data needs to be encrypted at all times, with proper encryption keys

1. User Authentication :
● Limiting access to data and monitoring who accesses the data
● data access logs and audit trails can be used
● To verify that, only authorized users are accessing the data

1. Disaster and data breach :

● As the cloud is a single central repository of the organization’s data,
● This data can be compromised due to -
● a data breach or temporary made unavailable → due to natural disaster
Security challenges for cloud service customers
1. Loss of trust
2. Loss of governance
3. Loss of privacy
4. Cloud service provider lock-in
5. Misappropriation of intellectual property
6. Loss of software integrity
1. Loss of Trust
● As, security implementation details are hidden from customer
● Customer will not have faith on
● the Security mechanisms used by the CSP
2. Loss of Governance
● When customer uses cloud services,
● It has to provide certain privileges to the Cloud service provider (CSP)

● For handling the data in the cloud

● This may result in misconfiguration or an attack
3. Loss of Privacy
● Privacy of customer may be violated
● Due to the leakage of private information
● Which is handled by the CSP
4. Cloud Service Provider Lock-in
● The use of non standard functions and cloud framework
● Makes the provider
● non-interoperable with other providers.

● And also leaves the customer open to security attacks

5. Misappropriation of intellectual property
● Customers data on the cloud might leak to third parties
● That are using the same CSP

● This leakage may violate the customer’s copyrights

● And may result in the disclosure of customer’s private data
6. Loss of Software Integrity
● Customer’s software is running in the cloud, once it is given to the CSP.
● This software may be tampered or affected
● And is not in customer’s control
● Resulting in customers loss over its software
 Advantages of - Data Security in Cloud
● Data centralization -
○ service provider takes responsibility of storage
○ and small organization need not spend more money
○ for personal storage device.
● Incident response -
○ IaaS providers contribute
○ dedicated legal server
○ which can be used on demand
● Logging -
○ storage requirement for benchmark logs
○ is mechanically solved
 Disadvantages of - Data Security in Cloud
● Loss of control
● Reduced visibility and control
● Data segregation
● Unsecure API and Interfaces
Content Level Security
● Restricting - Who can open, email, print or edit a piece of content
● And placing a time limit on - how long a user can access a given piece of
content

● Content can expire from a given repository

● and no longer be viewable by anyone.

● CLS defines and controls -

● the scope of actions available for the users
Cloud Security Services
● Confidentiality
● Integrity
● Availability
1. Confidentiality -
● Limiting information access
● Sensitive information should be kept secret
● Stored data and data in transit should be protected

● Data Confidentiality -
● Authentication and Access Control strategies are used to ensure data
confidentiality
2. Integrity -
● Protect data from malicious modification
● Data integrity - Data in transit must not be changed by unauthorized users

● Integrity can extend to -

● How data is stored, processed and retrieved by cloud services and resources
3. Availability -
● Assures that - Data stored in the cloud is available to each users retrieval
request

● Data Availability - User can access the data - in accidents like - hard disk
damage, fire, network failure

● Disaster Recovery Plan - recovers all the business processes during disaster
within a limited amount of time
Security Authorization Challenges in the cloud
1. Authorization
2. Auditing
3. Functions performed by IT auditors
4. Accountability
Security Authorization Challenges in the cloud
● Authorization -
● is a process of - specifying access rights / privileges to resources
● Determines - what the user can access and what he cant access
● Auditing -
● Cloud security audit can be done -
○ By assessing and prioritizing risks
○ Evaluating current controls
○ Identifying the gaps in existing cloud security strategy

● Functions performed by IT auditors

○ Backup control
○ Data center security
○ System development standards
○ System and transaction controls
○ Contingency plan
● Accountability
● Keeps track of users activity, while attached to the system
● The trail included -
○ the amount of time attached,
○ the resources accessed,
○ and how much data transferred.

● Accountability data is used for

○ trending, detecting breaches and forensics investigating

● Keeping track of users and their activities serves many purposes

Secure Cloud Software Requirements
● Secure development practices
● Includes -
○ data handling,
○ code practices,
○ language options,
○ input validation and content injection,
○ physical security of the system
● Approaches to cloud software requirements engineering
● Includes -
○ Cloud software security requirements
○ Goal-oriented software security requirements
○ And monitoring internal and external requirements
● Cloud security policy implementation and decomposition
● Includes -
○ Implementation issues
○ Decomposing critical security issues into secure cloud software
requirements
○ (confidentiality, integrity, availability, authentication and identification,
authorization, auditing)
Secure Cloud Software Testing
● Cloud testing -
○ Is an assessment of
○ A web based application performance, Reliability, scalability and security
○ In a cloud computing environment
● In a cloud environment, following types of testing can be done on applications
● Functional testing -
○ ensures that - the software meets functional requirements
○ Checks all the features and functions of software
○ And its interaction with hardware
○ Tools used are - Rapise, Sauce Labs, TimeShiftX
● Non-functional testing -
○ also known as performance testing

○ ensures that - the software meets non functional aspects

○ Like - performance, usability and reliability
○ Tools used are - CloudTest, AppPerfect, CloudTest Go, AppLoader
● Ability testing -
○ ensures,
○ whether users will receive application services from the cloud
environment, on demand
● Cloud testing focuses on the core components like -
● Application -
● it covers - testing of - functions, end-to-end business workflows, data security,
browser compatibility etc.
● Network -
● includes, testing various network bandwidths, protocols and successful
transfer of data through networks
● Infrastructure -
● it covers - disaster recovery test, backups, secure connection and storage
policies.
● The infrastructure needs to be validated for regulatory compliances
Types of Testing in a Cloud
● Testing of the whole cloud
● Testing within the cloud
● Testing across cloud
● SaaS testing in the cloud
Benefit of Cloud Based Testing
● Scalability - testers can increase or decrease computing resources according
to their need
● Cost cutting - pay per use
● Easily customizable - tester can emulate end user centric environment with
minimum cost and time
● Properly configured test environment - Ensure comprehensive testing
● Faster testing - cloud based testing tools ensure automated testing, which
reduces time
● Constant availability - software for testing, in a cloud is available for testers at
any time