MODULE 6- CLOUD MODELS

What are the main cloud computing security issues?

Poor Access Management

Data Breach and Data Leak - the main cloud security concernsData Loss

Misconfigured Cloud Storage

DoS Attack - Denial-of-service attack

 Cloud Security Risks and Countermeasures

Risk 1 - Data Breaches

● A data breach is a scenario where confidential, secured, private or sensitive information comes out, accessed, stolen, or used by
unauthorized people.
● It may arise because of any human mistakes, software or application vulnerabilities, or wrong security measures.

Countermeasures -

● The best way to handle data breaches is to create an effective security program at an organizational level.
● This security program must contain Multifactor Authentication (MFA) and Encryption.
Risk 2 - System Vulnerabilities
● System vulnerabilities are exploitable bugs in programs that attackers can use to infiltrate a computer system to steal data, take control of the system, or disrupt
service operations.
● Using vulnerabilities within the components of the operating system like the system kernel, libraries, and application tools; put the security of all services and data
at significant risk.

Countermeasures -

● System vulnerabilities can be handled by the administration of basic IT processes. Such as regular vulnerability scanning, prompt patch management, and a quick
follow-up on reported system threats.
● Vulnerability scanning is the automated process of those identifying security vulnerabilities of computing systems in a network.

Risk 3 - Account Hijacking

● It is an old method in which credentials and passwords are reused, to increase the impact of such attacks.
● In this attacker intrudes into the user's credentials, the attacker then eavesdrops user's activities and transactions, which allows the attacker to manipulate the
user's data, return falsified information, and redirect clients of users to illegitimate sites.

Countermeasures -

● The organization should avoid the sharing of account credentials between the users and services.
● Apply two-factor authentication techniques where ever possible.
● All accounts and activities of the account should be monitored and traceable to the actual owner of the account.
Risk 4 - Permanent Data Loss
● Permanent data loss because of cloud service providers' fault is a very rare incident.
● But still, there is a little bit chance of permanent data loss in the cloud because of some unethical hackers that try to delete cloud data permanently to harm businesses and
any sudden, unexpected natural calamities can destroy cloud data centers.

Countermeasures -

● Users can encrypt data before uploading into the cloud, and then users must carefully protect the encryption key because, once the key is lost, so the data is also lost.
● Some cloud providers distribute data and applications across multiple zones for more protection.
Risk 5 - Denial of Service (DoS)
● It is the most common attack in which authorized users can not able to access their data or their applications.
● When the cloud faces a DoS attack, the targeted cloud service consumes inordinate amounts of finite system resources such as processor power, memory, disk space, or
network bandwidth.
● This causes an intolerable system slowdown and leaves all authorized service users confused and angry as to why the service is not responding.
● DoS attacks utilize large amounts of processing power, a bill the user, unfortunately, has to pay.

Countermeasures -

● No way can completely prevent DoS attacks but some measures can reduce the risk of DoS attacks in the cloud.
● Use DoS attack detection technology.
 What Is Cloud Data Protection?
Cloud data protection is a set of practices that aim to secure data in a cloud environment. These practices apply to data
regardless of where it is stored or how it is managed, whether internally or by third-parties. Cloud data protection practices
have become key aspects of data security as companies increase the amount of data stored in the cloud.

Data Protection Challenges in the Cloud

When setting up data protection in the cloud, your organization is likely to face several of the following challenges:

● Integrity—systems need to be designed to ensure that only authorized access is granted. Configurations should also
ensure that permissions to modify or delete data are restricted to appropriate users.
● Locality—data regulations are applied by the physical location of data, where it is collected, and where it is used. In a
distributed system, this can be difficult to determine and control. Systems should be designed in a way that clearly
defines where data is located at all times.
● Confidentiality—data needs to be secured according to its confidentiality level. This requires properly restricting
permissions and applying encryptions to restrict readability. Likewise, admin credentials and encryption keys need to
be protected to ensure that these restrictions are maintained.
● Storage—cloud infrastructure is entirely controlled by the vendor. This means that companies must rely on vendors to
ensure that physical infrastructures, networks, and data centers are secure.
What is SAML?

SAML is an acronym used to describe the Security Assertion Markup Language (SAML). Its
primary role in online security is that it enables you to access multiple web applications using
one set of login credentials. It works by passing authentication information in a particular format
between two parties, usually an identity provider (idP) and a web application.

What SAML is and How it Works

SAML is an open standard used for authentication. Based upon the Extensible Markup
Language (XML) format, web applications use SAML to transfer authentication data between
two parties - the identity provider (IdP) and the service provider (SP).
How Does SAML Work?

SAML works by exchanging user information, such as logins, authentication state, identifiers,
and other relevant attributes between the identity and service provider. As a result, it simplifies
and secures the authentication process as the user only needs to log in once with a single set of
authentication credentials. So, when the user tries to access a site, the identity provider passes
the SAML authentication to the service provider, who then grants the user entry. Let's illustrate
this concept with a real-world analogy.
OAuth 2.0

OAuth 2.0, which stands for “Open Authorization”, is a standard designed to allow a website or application to access
resources hosted by other web apps on behalf of a user. It replaced OAuth 1.0 in 2012 and is now the de facto industry
standard for online authorization. OAuth 2.0 provides consented access and restricts actions of what the client app can
perform on resources on behalf of the user, without ever sharing the user's credentials.

Although the web is the main platform for OAuth 2, the specification also describes how to handle this kind of delegated
access to other client types (browser-based applications, server-side web applications, native/mobile apps, connected
devices, etc.)

OAuth 2.0 is the industry-standard protocol for authorization. OAuth 2.0 focuses on client developer simplicity while
providing specific authorization flows for web applications, desktop applications, mobile phones, and living room devices.
This specification and its extensions are being developed within the IETF OAuth Working Group.

OAuth 2.1 is an in-progress effort to consolidate OAuth 2.0 and many common extensions under a new name.
OAuth 2.0 is an authorization protocol and NOT an authentication protocol. As
such, it is designed primarily as a means of granting access to a set of resources,
for example, remote APIs or user data.
OAuth2.0 Roles

The idea of roles is part of the core specification of the OAuth2.0 authorization framework. Thesedefine the
essential components of an OAuth 2.0 system, and are as follows:
● Resource Owner: The user or system that owns the protected resources and can grantaccess to
them.
● Client: The client is the system that requires access to the protected resources. To accessresources,
the Client must hold the appropriate Access Token.
● Authorization Server: This server receives requests from the Client for Access Tokens andissues them
upon successful authentication and consent by the Resource Owner. The authorization server exposes
two endpoints: the Authorization endpoint, which handles the interactive authentication and consent of
the user, and the Token endpoint, which is involvedin a machine to machine interaction.
● Resource Server: A server that protects the user’s resources and receives access requestsfrom the
Client. It accepts and validates an Access Token from the Client and returns the appropriate
resources to it.