Cloud Computing Threats

Along with efficiency, and flexibility of the cloud services there are also some threats, from which
cloud computing is vulnerable. These threats include Data loss/breach, insecure interfaces and APIs,
malicious insider, privileges escalations, natural disasters, hardware failure, authentication, VM level
attacks and much more.

Data Loss/Breach
Data loss and Data breach are the most common threat to every platform. Improper Encryption or
losing Encryption keys may result in Data modification, erasing, data steal, and misuse.

Abusing Cloud Services

Abusing Cloud Services includes using service for malicious intents as well as using these services
abusively. It can be used to host, malicious data and Botnet command and control, etc.

Insecure Interface and APIs

Software User Interface (UI) and Application Programming Interface (APIs) are the interfaces used by
customers to interact the service. These interfaces can be secure by performing Monitoring,
Orchestration, Management and provisioning. These interfaces must be secure against malicious
attempts

Management
Authentication Loss of encryption Compliance Risk interface
Attacks keys compromise

Conflict between
Incomplete data Network Improper handling
client hardening and
deletion management failure & disposal
cloud platform

Third-party account
Data Breaches Hardware failures VM Level attacks
compromise

Cloud Threats Inadequate

Privileges infrastructure
Insecure APIs DDOS Attacks
Escalation planning &
implementation

Licensing Service termination

Data Loss Lorem Ipsum
Issues or Failure

Account Hijacking Loss of Operational Isolation Issues Malicious Insider

and Security logs
Cloud Computing Attacks
Following are the most common attacks that are being in used by an attacker to extract sensitive
information such as credentials or gaining unauthorized access.
 Service Hijacking using Social
Engineering Attacks
 Session Hijacking using XSS Attack
 Domain Name System (DNS) Attack
 SQL Injection Attack
 Wrapping Attack
Attack
Service Hijacking (Social Engineering)
Service Hijacking (Network Sniffing)
Session Hijacking (XSS Attack)
Session Hijacking (Session Riding)
Domain Name System (DNS) Attacks
Side Channel Attacks
 Service Hijacking using Network
Sniffing
 Session Hijacking using Session Riding
 Side Channel Attack or Cross-guest
VM Breaches
 Cryptanalysis
 Dos / DDoS Attacks
Description
Using Social Engineering techniques, the attack may
attempt to guess the password. Social Engineering
attacks result in unauthorized access exposing sensitive
information according to the privilege level of the
compromised user.
Using Packet Sniffing tools by placing himself in the
network, an attacker can capture sensitive information
such as passwords, session ID, cookies, and another web
service-related information such as UDDI, SOAP, and
WSDL
By launching Cross-Site Scripting (XSS), the attacker can
steal cookies by injecting malicious code into the
website
Session Riding is intended for session hijacking. An
attacker may exploit it by attempting cross-site request
forgery. The attacker uses currently active session and
rides on it by executing the requests such as
modification of data, erasing data, online transactions
and password change by tracking the user to click on a
malicious link
Using Social Engineering techniques, the attack may
attempt to guess the password. Social Engineering
attacks result in unauthorized access exposing sensitive
information according to the privilege level of the
compromised user. Domain Name System (DNS) attacks
include DNS Poisoning, Cybersquatting, Domain hijacking
and Domain Snipping. An attacker may attempt to spoof
by poisoning the DNS server or cache to obtain
credentials of internal users. Domain Hijacking involves
stealing cloud service domain name. Similarly, through
Phishing scams, users can be redirected to a fake
website
Side Channel Attacks or Cross-Guest VM Breach is an
attack which requires the deployment of a malicious
virtual machine on the same host
 Other Attacks • SQL Injection attack (injecting malicious SQL
statements to extract information)
• Cryptanalysis Attacks (weak or obsolete
encryption)
• Wrapping Attack (duplicating the body of
message),
• Denial-of-Service (DoS)
• Distributed Denial-of-Service (DDoS) Attacks.

Cloud Security

Cloud Computing Security is handled through security implementations, deployments, and

preventions to defend against security threats. Cloud Security includes Control policies, deployment
of security devices such as application firewalls, Next Generation IPS devices and hardening the
infrastructure of Cloud computing. It also includes some activities that are to be taken from the
service providers end as well as actions that should be taken at the user end.

Application Layer
There are several security mechanisms, devices, and policies that provide support at different cloud
security controls layers. At the Application layer, Web application firewalls are deployed to filter the
traffic and observe the behaviour of traffic. Similarly, Systems Development Life Cycle (SDLC), Binary
Code Analysis, Transactional Security provide security for online transactions, and script analysis, etc.

Load Balancing Backup SSL VPN

Cloud
DR Plans Patching & Updates SLA
Monitoring

Supply chain
Data Integrity Key Management Hi Multi tenancy
management

Cloud Security
Privileges Prohibit credential
Compliance Audits DDOS Attacks
Escalation sharing

Licensing Strong AAA Implement

Data Loss
Issues implementation Cryptography

Account Hijacking Loss of Operational Reliability QoS

and Security logs

Information
In Cloud Computing, to provide confidentiality and integrity of information that is being
communicated between client and server, different policies are configured to monitor any data loss.
These policies include
Data Loss Prevention (DLP)
Data Loss Prevention (DLP) is the feature which offers to prevent the leakage of information to
outside the network. Traditionally this information may include company or organizations
confidential information, proprietary, financial and other secret information. Data Loss Prevention
feature also ensures the enforcement of compliance with the rules and regulations using Data Loss
Prevention policies to prevent the user from intentionally or unintentionally sending this confidential
information.

Management
Security of Cloud Computing regarding management is performed by different approaches such as
Governance, Risk Management, and Compliance (GRC), Identity and Access Management (IAM),
Patch and Configuration management. These approaches help to control the secure access to the
resources and manage them.

Network layer
There are some solutions available to secure the network layer in cloud computing such as the
deployment of Next-Generation IDS/IPS devices, Next-Generation Firewalls, DNSSec, Anti-DDoS,
OAuth and Deep Packet Inspection (DPI), etc. Next-Generation Intrusion Prevention System, known
as NGIPS, is one of the efficiently proactive components in the Integrated Threat Security Solution.
NGIPS provide stronger security layer with deep visibility, enhanced security intelligence and
advanced protection against emerging threat to secure complex infrastructures of networks. Cisco
NGIPS Solution provides deep network visibility, automation, security intelligence, and next-level
protection. It uses the most advanced and effective intrusion prevention capabilities to catch
emerging sophisticated network attacks. It continuously collects information regarding the network,
including operating systems information, files and applications information, devices and user’s
information. This information helps NGIPS to determine network maps and host profiles which lead
to contextual information to make better decisions about intrusive events.

Trusted Computing
The root of Trust (RoT) is established by validating each component of hardware and software from
the end entity up to the root certificate. It is intended to ensure that only trusted software and
hardware can be used while still retaining flexibility.

Computer and Storage

Computing and Storage in cloud computing can be secured by implementing Host-based Intrusion
Detection or Prevention Systems HIDS/HIPS. Configuring Integrity check, File system monitoring and
Log File Analysis, Connection Analysis, Kernel Level detection, Encrypting the storage, etc. Host-
based IPS/IDS is normally deployed for the protection of specific host machine, and it works closely
with the Operating System Kernel of the host machine. It creates a filtering layer and filters out any
malicious application call to the OS.

Physical Security
Physical Security is always required on priority to secure anything. As it is also the first layer OSI
model, if the device is not physically secured, any sort of security configuration will not be effective.
Physical security includes protection against man-made attacks such as theft, damage, unauthorized
physical access as well as environmental impact such as rain, dust, power failure, fire, etc.
Responsibilities of Cloud Security
Cloud Service Provider
Web Application Firewall (WAF)
Real Traffic Grabber (RTG)
Firewall Data Loss Prevention (DLP)
Intrusion Prevention Systems
Secure Web Gateway (SWG)
Application Security (App Sec)
Virtual Private Network (VPN)
Load Balancer
CoS/QoS
Trusted Platform Module
NetFlow
AWS Security Best Practices
XCloud Component Best Practice
Cloud Service Consumer
Public Key Infrastructure (PKI).
Security Development Life Cycle (SDLC).
Web Application Firewall (WAF)
Firewall
Encryption
Intrusion Prevention Systems
Secure Web Gateway
Application Security
Virtual Private Network (VPN)
 IAM Avoid using AWS root account user access keys as it gives full
access to all resources.
MFA authentication is enabled for the root account to provide
two-factor authentication.
Assign individual IAM users with necessary permissions to enable
login.
Ensure User Accounts also have MFA authentication.
IAM Access Keys must be rotated at periodic intervals. 
Ensure a strong password policy for users.
Assign permissions to users based on User Groups, instead
of individual IAM users.
Provide access to a resource through IAM Roles
Grant least access while creating IAM Policies, needed to
perform the necessary actions
Attach IAM Policies to Groups or Roles on creation
If required, conditions can be defined for Policies under
which access is granted to a resource
Get rid of unnecessary IAM credentials, those with are
inactive or unused
Use IAM Roles to grant access to applications on EC2
Instances
 
S3 Ensure S3 buckets are not publicly accessible (public read or
write permissions) — users can enable Amazon S3 to block
public access.
Make use of object-level or bucket-level permissions in
addition to IAM Policies to grant access to resources.
Enable MFA Delete to prevent accidental deletion of
buckets.
Consider encryption of stored data, which can be done in
two ways — server-side and client-side encryption.
Enable encryption of inbound and outbound data traffic,
through SSL endpoints.
Configure S3 lifecycle management through rule-based
actions and use versioning to store and retrieve multiple
versions of an object in a bucket, to deal with accidental
deletions.
Ensure S3 access logging is enabled.
Constantly audit and monitor S3 buckets using CloudWatch
metrics.
 
EC2, VPC, and EBS Ensure data and disk volumes in EBS are encrypted with AES-
256, the industry-standard algorithm.
 Restrict access to instances from limited IP ranges using a
Security Group.
Limit the range of open ports on EC2 security groups, to
prevent exposure to vulnerabilities.
Ensure ELBs have a valid security group attached to it.
Monitor and optimize default security groups, as they allow
unrestricted access for inbound and outbound traffic.
Ensure restricted inbound access to SSH, FTP, SMTP, MySQL,
PostgreSQL, MongoDB, MSSQL, CIFS, etc. to required entities
only.
Use IAM roles to grant access to EC2, instead of access keys
for temporary requirements.
If you’re using IAM user access keys for long term
permissions, ensure that you don’t embed the keys directly
into code, generate different keys for different applications,
rotate your access keys, use MFA authentication and
decommission unused key pairs.
Enable and activate your VPC flow logs to record inbound
and outbound traffic in your VPC for better monitoring and
early diagnosis.
Delete unused Virtual Private Gateways and VPC Internet
Gateways.
Make sure that no VPC endpoints are exposed, by checking
the principal value in the policy.
Ensure no ACLs allow unrestricted inbound or outbound
access.
 
CloudTrail Ensure CloudTrail is activated across all regions, and for
global services like IAM, STS, etc.
It is recommended to log to a centralized S3 bucket.
Make sure both CloudTrail itself and CloudTrail logging are
enabled for all regions. 
Ensure CloudTrail log file integrity validation is enabled.
Ensure CloudTrail log files are encrypted. 
 
RDS Ensure RDS security groups do not allow unrestricted
access. 
Ensure encryption of the RDS instances and snapshots, using
AES-256 level encryption.
Protect data in transit to RDS through SSL endpoints.
Monitor control to RDS using AWS KMS and Customer
Managed Keys.
Configure AWS Secrets Manager to automatically rotate the
secrets for Amazon RDS.
 Ensure RDS database instances and snapshots are not
publicly accessible.
Enable the auto minor upgrade feature for RDS

AWS Tools

Tool Purpose
Amazon CloudWatch Arguably the most important monitoring solution
in AWS, CloudWatch monitors your AWS Cloud
resources and the applications you run on AWS.
You can set alarms in CloudWatch based on
metrics or thresholds that you define that you
define.
AWS CloudTrail  logs every AWS API call and related events made
by or on behalf of an AWS account.
Amazon CloudFront  logs user requests that CloudFront receives.
Moreover, CloudFront provides mechanisms for
secure distribution data and monitoring of those
data flows.
AWS Config  provides detailed historical information about the
configuration of your AWS resources, including
your IAM users, groups, roles, and policies. For
example, you can use AWS Config to determine the
permissions that belonged to a user or group at a
specific time.
AWS Service Catalog  allows IT administrators to create, manage,
monitor, and distribute portfolios of approved
products to end users, who can then access the
products they need in a personalized portal.
Typical products include servers, databases,
websites, or applications that are deployed using
AWS resources (for example, an Amazon EC2
instance or an Amazon RDS database). You can
control which users have access to specific
products to enforce compliance with
organizational business standards and to manage
product lifecycles
AWS Trusted Advisor  AWS Premium Support plans include access to the
Trusted Advisor tool, which offers a one-view
snapshot of your service and helps identify
common security misconfigurations, suggestions
for improving system performance, and
underutilized resources
Amazon GuardDuty  uses integrated threat intelligence such as lists of
known malicious IP addresses, anomaly detection,
and machine learning to identify activity associated
with threats, such as compromised EC2 instances
 mining Bitcoin or an attacker scanning your web
servers for known application vulnerabilities. It
also monitors AWS account access behaviour for
signs of compromise, such as detecting an atypical
instance type deployed by a user from an unusual
geo-location, or an attempt to disable CloudTrail
logging or to snapshot a database from a
suspicious IP address

AWS Application hosting reference architecture

Three tier web application Reference Architecture

Web Application Media server

Customer Responsibility for AWS services (NIST checklist)

AWS_services_custo
mer_responsibility.xlsx