UNIT 3 (Mid 1)

UNIT-3

Cloud computing software security fundamentals
List of Cloud Security Services:

• Data Encryption:
• Enterprises store huge amounts of data in cloud systems, and this data is crucial for the survival of
the enterprise itself. If the data is stolen, it can be sold to a competing company, which can use it
to develop products, making market competition worse. Data that is no longer used in daily activities
is called data at rest. It is good to encrypt data at rest, as it holds all the charts and studies
about market trends and the company's upcoming products. Encryption of data at rest is important in
cloud security services as it alerts the users when hackers try to access the data at rest.
• Firewall Protection:
• When a user first tries to access a cloud system from their system, firewall protection prevents them
from doing so. The device must be registered in the firewall security settings, after which the user can
access the data in the cloud system. Cloud systems configure this internal and external firewall
protection so that the firewall prevents any unauthorized sign-ins. When data is sent across the same IP
address, the firewall verifies the source and destination of the packet. The stability of the packet is
also checked to ensure the authenticity of the data packet. Some firewalls check the content of the data
packet to establish that no viruses or malware are attached to it. External and internal firewalls are
important to verify that the data is not compromised to outsiders in any form.
• Monitoring:
• Every ID that logs into the system is monitored and recorded in the cloud logging system, so that
when a security threat occurs from the inside, this tracking helps to identify the individual who
logged in at a particular time. Firewall rules are also updated to prevent suspicious login attempts,
keeping the data in cloud storage secure. Monitoring usually checks authentication rules and IP
addresses so that any suspicious logins that are detected are prevented from accessing the data in
storage. This is done at a granular level, so that permissions are not given to an individual directly
but to a group of people who share the responsibilities. This helps in monitoring the activities of
other people and notifying the security team of any unauthorized data modification.

• Security at Data centers:
• If every way of accessing data through the system has failed, hackers can still access the data
directly through the server. This path is not checked by firewall protection, and there are no
authentication rules. This is why all physical servers are monitored closely by physical security and
watched using CCTV cameras 24 hours a day. Biometrics are also present in the server rooms, so that
only authorized security personnel and maintenance officials can enter and check that the servers are
working. Logs are also kept of who enters and leaves the room and the time spent inside the server
room. When someone stays longer than permitted, alerts are sent to security so that they can check
the server rooms for unauthorized personnel.
• Isolated networks:
• When there is an important deployment in the cloud system and the data must be kept hidden from
the corresponding resource group members, it is good to do the deployment in virtually isolated
networks. Security policies should be implemented in all the networking systems, and the system
itself should be protected from malicious threats and virus attacks. Access and authentication
should be customized, and dedicated network links must be used to transfer the data to higher
environments.

• Anomaly detection:
• When the logs are huge, it is difficult to manage them manually, so cloud vendors use AI-based
algorithms to describe anomalies in the logging pattern. This helps to manage the logging details
and monitor discrepancies in the logs. Vulnerabilities can also be scanned for, showing which
computing service has weaker security. This lets the system improve security and protect the data to
the core. The location of the databases can be kept under surveillance so that we can be sure that
data is not stored in unauthenticated databases. Checkpoints are installed in every deployment of
data into the cloud and higher environments to ensure that the data is kept in the proper cloud
storage and in the proper folder format.

• Protection through APIs:
• To keep data out of the hands of unauthorized personnel, cloud users can employ APIs and web apps
for the security of data. This helps in protecting containers and virtual machines from unsecured
logins. Incidents can be raised automatically for unofficial logins, which helps to protect the
systems and thus the cloud-stored data. If the threats pose heavy risks, real-time alerts can be set
in the cloud storage to prevent them from accessing the data.
• All the data on our systems, mobile devices, and storage disks is becoming cloud storage data, and
hence it is crucial to have good cloud security services arranged for these devices. Cloud providers
offer cloud security, and users who are not satisfied with it can seek the help of private software
to achieve the intended security level.
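
The server-room rule described under "Security at Data centers" above (log who enters and leaves, alert when someone stays longer than permitted) can be run over a badge-reader log as follows. This is an added example, not part of the original notes; the log format, badge IDs and the 30-minute limit are assumptions.

```python
from datetime import datetime, timedelta

# Constructed badge-reader log (format is an assumption): timestamp, event, badge id.
SAMPLE_LOG = """\
2024-05-01T09:00:00 ENTER M-102
2024-05-01T09:20:00 EXIT M-102
2024-05-01T10:00:00 ENTER S-007
2024-05-01T11:45:00 EXIT S-007
2024-05-01T12:00:00 ENTER M-311
2024-05-01T12:05:00 EXIT X-999
"""

PERMITTED = timedelta(minutes=30)   # hypothetical per-visit limit


def dwell_alerts(log_text, now, permitted=PERMITTED):
    """Return sorted (badge, reason) alerts for the server-room log."""
    inside = {}          # badge -> entry time of the visit still open
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, event, badge = line.split()
        when = datetime.fromisoformat(stamp)
        if event == "ENTER":
            if badge in inside:
                alerts.append((badge, "second ENTER without EXIT"))
            inside[badge] = when
        elif event == "EXIT":
            entered = inside.pop(badge, None)
            if entered is None:
                alerts.append((badge, "EXIT without ENTER"))
            elif when - entered > permitted:
                alerts.append((badge, "overstayed"))
    # Visits with no EXIT yet: alert once the limit has passed,
    # rather than waiting for the person to leave.
    for badge, entered in inside.items():
        if now - entered > permitted:
            alerts.append((badge, "still inside past limit"))
    return sorted(alerts)
```

An EXIT with no matching ENTER is reported as well, since it means someone was in the room without an entry record.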

Relevant Cloud Security Design Principles
• There are six design principles for security in the cloud:

• Implement a strong identity foundation:
• Enable traceability:
• Apply security at all layers:
• Automate security best practices:
• Protect data in transit and at rest:
• Prepare for security events:
Implement a strong identity foundation:
Implement the principle of least privilege and enforce
separation of duties with the appropriate authorization for each
interaction with your AWS resources. Centralize privilege
management and reduce or even eliminate reliance on
long-term credentials.
Enable traceability:
Monitor, alert, and audit actions and changes to your
environment in real-time. Integrate logs and metrics with
systems to automatically respond and take action.
Apply security at all layers:
Rather than just focusing on protecting a single outer layer, apply a defense-in-depth
approach with other security controls. Apply to all layers, for example, edge network, virtual
private cloud (VPC), subnet, load balancer, every instance, operating system, and
application.
Automate security best practices:
Automated software-based security mechanisms improve your ability to securely scale more
rapidly and cost-effectively. Create secure architectures, including the implementation of
controls that are defined and managed as code in version-controlled templates.
Protect data in transit and at rest:
Classify your data into sensitivity levels and use mechanisms, such as encryption and
tokenization where appropriate. Reduce or eliminate direct human access to data to reduce
the risk of loss or modification.
Prepare for security events:
Prepare for an incident by having an incident management process that aligns with your
organizational requirements. Run incident response simulations and use tools with
automation to increase your speed for detection, investigation, and recovery.
NIST 33 Security Principles

• Principle 1. Establish a sound security policy as the “foundation” for
design.
• Principle 2. Treat security as an integral part of the overall system
design.
• Principle 3. Clearly delineate the physical and logical security
boundaries governed by associated security policies.
• Principle 4 (formerly 33). Ensure that developers are trained in how to
develop secure software.
• Principle 5 (formerly 4). Reduce risk to an acceptable level.
• Principle 6 (formerly 5). Assume that external systems are insecure.
• Principle 7 (formerly 6). Identify potential trade-offs between reducing
risk and increased costs and decrease in other aspects of operational
effectiveness.
• Principle 8. Implement tailored system security measures to meet
organizational security goals.
• Principle 9 (formerly 26). Protect information while being processed, in
transit, and in storage.
• Principle 10 (formerly 29). Consider custom products to achieve
adequate security.
• Principle 11 (formerly 31). Protect against all likely classes of “attacks.”
• Principle 12 (formerly 18). Where possible, base security on open
standards for portability and interoperability.
• Principle 13 (formerly 19). Use common language in developing security
requirements.
• Principle 14 (formerly 21). Design security to allow for regular adoption
of new technology, including a secure and logical technology upgrade
process.
• Principle 15 (formerly 27). Strive for operational ease of use.
• Principle 16 (formerly 7). Implement layered security (Ensure no single
point of vulnerability).
• Principle 17 (formerly 10). Design and operate an IT system to limit
damage and to be resilient in response.
• Principle 18 (formerly 13). Provide assurance that the system is, and
continues to be, resilient in the face of expected threats.
• Principle 19 (formerly 14). Limit or contain vulnerabilities.
• Principle 20 (formerly 16). Isolate public access systems from mission
critical resources (e.g., data, processes, etc.).
• Principle 21 (formerly 17). Use boundary mechanisms to separate
computing systems and network infrastructures.
• Principle 22 (formerly 20). Design and implement audit mechanisms to
detect unauthorized use and to support incident investigations.
• Principle 23 (formerly 28). Develop and exercise contingency or disaster
recovery procedures to ensure appropriate availability.
• Principle 24 (formerly 9). Strive for simplicity.
• Principle 25 (formerly 11). Minimize the system elements to be trusted.
• Principle 26 (formerly 24). Implement least privilege.
• Principle 27 (formerly 25). Do not implement unnecessary security
mechanisms.
• Principle 28 (formerly 30). Ensure proper security in the shutdown or disposal
of a system.
• Principle 29 (formerly 32). Identify and prevent common errors and
vulnerabilities.
• Principle 30 (formerly 12). Implement security through a combination of
measures distributed physically and logically.
• Principle 31 (formerly 15). Formulate security measures to address multiple
overlapping information domains.
• Principle 32 (formerly 22). Authenticate users and processes to ensure
appropriate access control decisions both within and across domains.
• Principle 33 (formerly 23). Use unique identities to ensure accountability.
