UNIT-5

SECURITY

By: Niral Jadav

CLOUD SECURITY

 Cloud security, also known as cloud computing

security, consists of a set of policies, controls, procedures and
technologies that work together to protect cloud-based
systems, data, and infrastructure.
 These security measures are configured to protect cloud data,
support regulatory compliance and protect customers'
privacy as well as setting authentication rules for individual
users and devices.
CLOUD SECURITY CHALLENGES AND
RISKS
Data Loss
 Data loss is the most common cloud security risks of cloud
computing. It is also known as data leakage.
 Data loss is the process in which data is being deleted,
corrupted, and unreadable by a user, software, or application.
 In a cloud computing environment, data loss occurs when our
sensitive data is somebody else's hands, one or more data
elements can not be utilized by the data owner, hard disk is not
working properly, and software is not updated.
Hacked Interfaces and Insecure APIs
 APIs are the easiest way to communicate with most of the
cloud services.
 In cloud computing, few services are available in the public
domain. These services can be accessed by third parties, so
there may be a chance that these services easily harmed and
hacked by hackers.
 Data Breach
 Data Breach is the process in which the confidential data is
viewed, accessed, or stolen by the third party without any
authorization, so organization's data is hacked by the hackers.
Vendor lock-in
 Vendor lock-in is the of the biggest security risks in cloud
computing.
 Organizations may face problems when transferring their
services from one vendor to another.
 As different vendors provide different platforms, that can
cause difficulty moving one cloud to another.
 Increased complexity strains IT staff
 Migrating, integrating, and operating the cloud services is
complex for the IT staff.
 IT staff must require the extra capability and skills to manage,
integrate, and maintain the data to the cloud.
Denial of Service (DoS) attacks
 Denial of service (DoS) attacks occur when the system
receives too much traffic to buffer the server.
 Mostly, DoS attackers target web servers of large
organizations such as banking sectors, media companies, and
government organizations.
 To recover the lost data, DoS attackers charge a great deal of
time and money to handle the data.
SOFTWARE-AS-A SERVICE SECURITY

 SaaS security is the managing, monitoring, and safeguarding

of sensitive data from cyber-attacks.
 SaaS Security refers to securing user privacy and corporate
data in subscription-based cloud applications.
 SaaS security refers to the practices and policies implemented
by the providers of software-as-a-service (SaaS) to ensure the
privacy and security of customer data and other information
assets. These security policies make SaaS apps safe and
trustworthy.
CLOUD COMPUTING SECURITY
ARCHITECTURE
 The Cloud Security Alliance (CSA) stack model defines the
boundaries between each service model and shows how
different functional units relate.
 A particular service model defines the boundary between the
service provider's responsibilities and the customer.
 IaaS is the most basic level of service, with PaaS and SaaS
next two above levels of services.
 Moving upwards, each service inherits the capabilities and
security concerns of the model beneath.
 IaaS provides the infrastructure, PaaS provides the platform
development environment, and SaaS provides the operating
environment.
 IaaS has the lowest integrated functionality and security level,
while SaaS has the highest.
 This model describes the security boundaries at which cloud
service providers' responsibilities end and customers'
responsibilities begin.
 Any protection mechanism below the security limit must be
built into the system and maintained by the customer.
SECURING DATA
 Back up your data
 Use strong passwords
 Take care when working remotely
 Be wary of suspicious emails
 Install anti-virus and malware protection
 Make sure your Wi-Fi is secure
 Lock your screen when you’re away from your desk
 Don’t keep data for longer than you need it
APPLICATION SECURITY

 Application security is the process of developing, adding, and

testing security features within applications to prevent
security vulnerabilities against threats such as unauthorized
access and modification.
 Application security aims to protect software application code
and data against cyber threats.
 You can and should apply application security during all
phases of development, including design, development, and
deployment.
TYPES OF APPLICATION SECURITY
Authentication:
 When software developers build procedures into an
application to ensure that only authorized users gain access
to it.
 Authentication procedures ensure that a user is who they say
they are. This can be accomplished by requiring the user to
provide a user name and password when logging in to an
application
Authorization:
 After a user has been authenticated, the user may be
authorized to access and use the application.
 The system can validate that a user has permission to access
the application by comparing the user’s identity with a list of
authorized users
 Encryption:
 In cloud-based applications, where traffic containing sensitive
data travels between the end user and the cloud, that traffic
can be encrypted to keep the data safe.
Logging:
 If there is a security breach in an application, logging can help
identify who got access to the data and how.
 Application log files provide a time-stamped record of which
aspects of the application were accessed and by whom.
Application security testing:
 A necessary process to ensure that all of these security
controls work properly.
VIRTUAL MACHINE SECURITY

 Virtualized security, or security virtualization, refers to

security solutions that are software-based and designed to
work within a virtualized IT environment.
 This differs from traditional, hardware-based network
security, which is static and runs on devices such as
traditional firewalls, routers, and switches.
IDENTITY MANAGEMENT AND ACCESS
CONTROL
 Identity and access management (IAM) is a framework of
business processes, policies and technologies that facilitates
the management of electronic or digital identities.
 With an IAM framework in place, information technology (IT)
managers can control user access to critical information
within their organizations.
IAM TECHNOLOGIES
Security Access Markup Language (SAML)
 SAML is an open standard used to exchange authentication
and authorization information between an identity provider
system such as an IAM and a service or application.
 This is the most commonly used method for an IAM to
provide a user with the ability to log in to an application that
has been integrated with the IAM platform.
 OpenID Connect (OIDC)
 OIDC is a newer open standard that also enables users to log
in to their application from an identity provider.
 It is very similar to SAML, but is built on the OAuth 2.0
standards and uses JSON to transmit the data instead of XML
which is what SAML uses.
 System for Cross-domain Identity Management (SCIM)
 SCIM is standard used to automatically exchange identity
information between two systems.
 Though both SAML and OIDC can pass identity information to
an application during the authentication process, SCIM is
used to keep the user information up to date whenever new
users are assigned to the service or application, user data is
updated, or users are deleted.
 SCIM is a key component of user provisioning in the IAM
space.
STORAGE AREA NETWORKS
 A SAN (storage area network) is a network of storage devices
that can be accessed by multiple servers or computers,
providing a shared pool of storage space.
 Each computer on the network can access storage on the SAN
as though they were local disks connected directly to the
computer.
HOW DOES SAN STORAGE WORK?

 The components of SAN include cabling, host bus

adapters, and SAN switches attached to storage arrays
and servers.
 SANs use block-based storage and high-speed
architecture to connect servers to logical disk units
(LUNs), a range of block storage from a pool of shared
storage, and appear to the server as a logical disk.
 A SAN comprises three distinct layers: host, fabric, and
storage.
HOST LAYER

 The host layer is made up of the servers attached to the

SAN, which run enterprise workloads that require access
to storage, e.g. databases.
FABRIC LAYER

 The fabric layer comprises the cabling and network

devices that make up the network fabric that
interconnects SAN hosts and storage.
 SAN networking devices can include SAN switches,
gateways, routers, and protocol bridges.
STORAGE LAYER

The storage layer comprises several storage devices,

which are typically hard disk drives (HDDs), but can
include SSDs, CDs, DVDs, and tape drives.
 Storage devices within a SAN can be organized into
RAID groups to increase storage capacity and improve
reliability.
DISASTER RECOVERY IN CLOUDS.
 Cloud disaster recovery (CDR) is a cloud-based managed
service that helps you quickly recover your organization’s
critical systems after a disaster and provides you remote
access to your systems in a secure virtual environment.
 Cloud disaster recovery takes a very different approach than
traditional DR.
 Instead of loading the servers with the OS and application
software and patching to the last configuration used in
production, cloud disaster recovery encapsulates the entire
server, which includes the operating system, applications,
patches, and data into a single software bundle or virtual
server.
THANK YOU