security, consists of a set of policies, controls, procedures and technologies that work together to protect cloud-based systems, data, and infrastructure. These security measures are configured to protect cloud data, support regulatory compliance and protect customers' privacy as well as setting authentication rules for individual users and devices. CLOUD SECURITY CHALLENGES AND RISKS Data Loss Data loss is the most common cloud security risks of cloud computing. It is also known as data leakage. Data loss is the process in which data is being deleted, corrupted, and unreadable by a user, software, or application. In a cloud computing environment, data loss occurs when our sensitive data is somebody else's hands, one or more data elements can not be utilized by the data owner, hard disk is not working properly, and software is not updated. Hacked Interfaces and Insecure APIs APIs are the easiest way to communicate with most of the cloud services. In cloud computing, few services are available in the public domain. These services can be accessed by third parties, so there may be a chance that these services easily harmed and hacked by hackers. Data Breach Data Breach is the process in which the confidential data is viewed, accessed, or stolen by the third party without any authorization, so organization's data is hacked by the hackers. Vendor lock-in Vendor lock-in is the of the biggest security risks in cloud computing. Organizations may face problems when transferring their services from one vendor to another. As different vendors provide different platforms, that can cause difficulty moving one cloud to another. Increased complexity strains IT staff Migrating, integrating, and operating the cloud services is complex for the IT staff. IT staff must require the extra capability and skills to manage, integrate, and maintain the data to the cloud. Denial of Service (DoS) attacks Denial of service (DoS) attacks occur when the system receives too much traffic to buffer the server. Mostly, DoS attackers target web servers of large organizations such as banking sectors, media companies, and government organizations. To recover the lost data, DoS attackers charge a great deal of time and money to handle the data. SOFTWARE-AS-A SERVICE SECURITY
SaaS security is the managing, monitoring, and safeguarding
of sensitive data from cyber-attacks. SaaS Security refers to securing user privacy and corporate data in subscription-based cloud applications. SaaS security refers to the practices and policies implemented by the providers of software-as-a-service (SaaS) to ensure the privacy and security of customer data and other information assets. These security policies make SaaS apps safe and trustworthy. CLOUD COMPUTING SECURITY ARCHITECTURE The Cloud Security Alliance (CSA) stack model defines the boundaries between each service model and shows how different functional units relate. A particular service model defines the boundary between the service provider's responsibilities and the customer. IaaS is the most basic level of service, with PaaS and SaaS next two above levels of services. Moving upwards, each service inherits the capabilities and security concerns of the model beneath. IaaS provides the infrastructure, PaaS provides the platform development environment, and SaaS provides the operating environment. IaaS has the lowest integrated functionality and security level, while SaaS has the highest. This model describes the security boundaries at which cloud service providers' responsibilities end and customers' responsibilities begin. Any protection mechanism below the security limit must be built into the system and maintained by the customer. SECURING DATA Back up your data Use strong passwords Take care when working remotely Be wary of suspicious emails Install anti-virus and malware protection Make sure your Wi-Fi is secure Lock your screen when you’re away from your desk Don’t keep data for longer than you need it APPLICATION SECURITY
Application security is the process of developing, adding, and
testing security features within applications to prevent security vulnerabilities against threats such as unauthorized access and modification. Application security aims to protect software application code and data against cyber threats. You can and should apply application security during all phases of development, including design, development, and deployment. TYPES OF APPLICATION SECURITY Authentication: When software developers build procedures into an application to ensure that only authorized users gain access to it. Authentication procedures ensure that a user is who they say they are. This can be accomplished by requiring the user to provide a user name and password when logging in to an application Authorization: After a user has been authenticated, the user may be authorized to access and use the application. The system can validate that a user has permission to access the application by comparing the user’s identity with a list of authorized users Encryption: In cloud-based applications, where traffic containing sensitive data travels between the end user and the cloud, that traffic can be encrypted to keep the data safe. Logging: If there is a security breach in an application, logging can help identify who got access to the data and how. Application log files provide a time-stamped record of which aspects of the application were accessed and by whom. Application security testing: A necessary process to ensure that all of these security controls work properly. VIRTUAL MACHINE SECURITY
Virtualized security, or security virtualization, refers to
security solutions that are software-based and designed to work within a virtualized IT environment. This differs from traditional, hardware-based network security, which is static and runs on devices such as traditional firewalls, routers, and switches. IDENTITY MANAGEMENT AND ACCESS CONTROL Identity and access management (IAM) is a framework of business processes, policies and technologies that facilitates the management of electronic or digital identities. With an IAM framework in place, information technology (IT) managers can control user access to critical information within their organizations. IAM TECHNOLOGIES Security Access Markup Language (SAML) SAML is an open standard used to exchange authentication and authorization information between an identity provider system such as an IAM and a service or application. This is the most commonly used method for an IAM to provide a user with the ability to log in to an application that has been integrated with the IAM platform. OpenID Connect (OIDC) OIDC is a newer open standard that also enables users to log in to their application from an identity provider. It is very similar to SAML, but is built on the OAuth 2.0 standards and uses JSON to transmit the data instead of XML which is what SAML uses. System for Cross-domain Identity Management (SCIM) SCIM is standard used to automatically exchange identity information between two systems. Though both SAML and OIDC can pass identity information to an application during the authentication process, SCIM is used to keep the user information up to date whenever new users are assigned to the service or application, user data is updated, or users are deleted. SCIM is a key component of user provisioning in the IAM space. STORAGE AREA NETWORKS A SAN (storage area network) is a network of storage devices that can be accessed by multiple servers or computers, providing a shared pool of storage space. Each computer on the network can access storage on the SAN as though they were local disks connected directly to the computer. HOW DOES SAN STORAGE WORK?
The components of SAN include cabling, host bus
adapters, and SAN switches attached to storage arrays and servers. SANs use block-based storage and high-speed architecture to connect servers to logical disk units (LUNs), a range of block storage from a pool of shared storage, and appear to the server as a logical disk. A SAN comprises three distinct layers: host, fabric, and storage. HOST LAYER
The host layer is made up of the servers attached to the
SAN, which run enterprise workloads that require access to storage, e.g. databases. FABRIC LAYER
The fabric layer comprises the cabling and network
devices that make up the network fabric that interconnects SAN hosts and storage. SAN networking devices can include SAN switches, gateways, routers, and protocol bridges. STORAGE LAYER
The storage layer comprises several storage devices,
which are typically hard disk drives (HDDs), but can include SSDs, CDs, DVDs, and tape drives. Storage devices within a SAN can be organized into RAID groups to increase storage capacity and improve reliability. DISASTER RECOVERY IN CLOUDS. Cloud disaster recovery (CDR) is a cloud-based managed service that helps you quickly recover your organization’s critical systems after a disaster and provides you remote access to your systems in a secure virtual environment. Cloud disaster recovery takes a very different approach than traditional DR. Instead of loading the servers with the OS and application software and patching to the last configuration used in production, cloud disaster recovery encapsulates the entire server, which includes the operating system, applications, patches, and data into a single software bundle or virtual server. THANK YOU