Unit-4 Cloud Computing

This document discusses cloud infrastructure security. It describes how public cloud infrastructure faces more security risks than private infrastructure due to exposure to public networks. However, private clouds still face challenges due to automated environments and integration points. The document outlines security considerations for securing public, private, and hybrid cloud models, focusing on securing workloads, configurations, third party software, network isolation, privileged access, and integration points between cloud types. It also discusses network level security, including antivirus tools, application security, firewalls, intrusion prevention/detection systems, and encryption.

Uploaded by

Bella S

CLOUD SECURITY

Cloud computing is one of the most in-demand technologies of the current time, and
organizations from small to large have started using cloud computing services. Cloud
computing security, or cloud security, is an important concern: it refers to the act of
protecting cloud environments, data, information and applications against
unauthorized access, DDoS attacks, malware, hackers and other similar attacks.

Planning of security in Cloud Computing :

As security is a major concern in cloud implementation, an organization has to plan
for security based on several factors. The three main factors on which planning of
cloud security depends are listed below.

• The resources that can be moved to the cloud are picked and their sensitivity to
risk is tested.
• The type of cloud is to be considered.
• The risk in the deployment of the cloud depends on the types of cloud and
service models.

Types of Cloud Computing Security Controls:

There are 4 types of cloud computing security controls i.e.

• Deterrent Controls: Deterrent controls are designed to block nefarious attacks
on a cloud system. These come in handy when there are insider attackers.
• Preventive Controls: Preventive controls make the system resilient to attacks
by eliminating vulnerabilities in it.
• Detective Controls: Detective controls identify and react to security threats.
Some examples of detective control software are intrusion detection software
and network security monitoring tools.
• Corrective Controls: In the event of a security attack these controls are
activated. They limit the damage caused by the attack.

Importance of cloud security:

For the organizations making their transition to cloud, cloud security is an essential
factor while choosing a cloud provider. The attacks are getting stronger day by day
and so the security needs to keep up with it. For this purpose, it is essential to pick a
cloud provider who offers the best security and is customized with the organization’s
infrastructure. Cloud security has a lot of benefits –

• Centralized security: Centralized security results in centralizing protection.
Managing all the devices and endpoints is not an easy task, and cloud security helps
in doing so. This results in enhancing traffic analysis and web filtering, which
means fewer policy and software updates.
• Reduced costs: Investing in cloud computing and cloud security results in less
expenditure on hardware and also less manpower in administration.
• Reduced Administration: It makes it easier to administer the organization and
does away with manual security configuration and constant security updates.
• Reliability: Cloud services are very reliable and the cloud can be accessed from
anywhere with any device with proper authorization.

Cloud security includes various types of security, such as access control for
authorized access, network segmentation for maintaining isolated data, encryption for
encoded data transfer, vulnerability checks for patching vulnerable areas, security
monitoring for keeping an eye on various security attacks and disaster recovery for
backup and recovery during data loss.

There are different types of security techniques which are implemented to make the
cloud computing system more secure such as SSL (Secure Socket Layer) Encryption,
Multi Tenancy based Access Control, Intrusion Detection System, firewalls,
penetration testing, tokenization, VPN (Virtual Private Networks), and avoiding public
internet connections and many more techniques.

But even with a number of security techniques implemented, there are always security
issues involved for the cloud system. As a cloud system is managed and accessed
over the internet, a lot of challenges arise in maintaining a secure cloud. Some
cloud security challenges are:

• Control over cloud data
• Misconfiguration
• Ever changing workload
• Access Management
• Disaster recovery

CLOUD INFRASTRUCTURE SECURITY
Cloud infrastructure security is the practice of securing resources deployed in a cloud
environment and supporting systems.

Public cloud infrastructure is, in many ways, more vulnerable than on-premises
infrastructure because it can easily be exposed to public networks, and is not located
behind a secure network perimeter. However, in a private or hybrid cloud, security is
still a challenge, as there are multiple security concerns due to the highly automated
nature of the environment, and numerous integration points with public cloud
systems.

Cloud infrastructure is made up of at least 7 basic components, including user
accounts, servers, storage systems, and networks. Cloud environments are dynamic,
with short-lived resources created and terminated many times per day. This means
each of these building blocks must be secured in an automated and systematic
manner.

Securing Public, Private, and Hybrid Clouds

Cloud security has different implications in different cloud infrastructure models.
Here are considerations for security in each of the three popular models—public
cloud, private cloud, and hybrid cloud.

Public Cloud Security

In a public cloud, the cloud provider takes responsibility for securing the
infrastructure, and provides tools that allow the organization to secure its workloads.
Your organization is responsible for:

• Securing workloads and data, fully complying with relevant compliance
standards, and ensuring all activity is logged to enable auditing.
• Ensuring cloud configurations remain secure, and any new resources on the
cloud are similarly secured, using automated tools such as a Cloud Security
Posture Management (CSPM) platform.
• Understanding which service level agreements (SLA), supplied by your cloud
provider, deliver relevant services and monitoring.
• If you use services, machine images, container images, or other software from
third-party providers, performing due diligence on their security measures and
replacing providers if they are insufficient.

Private Cloud Security

The private cloud model gives you control over all layers of the stack. These resources
are commonly not exposed to the public Internet. This means that you can achieve a
certain level of security using traditional mechanisms that protect the corporate
network perimeter. However, there are additional measures you should take to secure
your private cloud:

• Use cloud native monitoring tools to gain visibility over any anomalous behavior
in your running workloads.
• Monitor privileged accounts and resources for suspicious activity to detect
insider threats. Malicious users or compromised accounts can have severe
consequences in a private cloud, because of the ease with which resources can be
automated.
• Ensure complete isolation between virtual machines, containers, and host
operating systems, to ensure that compromise of a VM or container does not
allow compromise of the entire host.
• Virtual machines should have dedicated NICs or VLANs, and hosts should
communicate over the network using a separate network interface.
• Plan ahead and prepare for hybrid cloud by putting security measures in place
to ensure that you can securely integrate with public cloud services.

Hybrid Cloud Security

Hybrid clouds are a combination of on-premise data center, public cloud, and private
cloud. The following security considerations are important in a hybrid cloud
environment:

• Ensure public cloud systems are secured using all the best practices.
• Private cloud systems should follow private cloud security best practices, as
well as traditional network security measures for the local data center.
• Avoid separate security strategies and tools in each environment—adopt a
single security framework that can provide controls across the hybrid
environment.
• Identify all integration points between environments, treat them as high-risk
components and ensure they are secured.

NETWORK LEVEL SECURITY
Network security is an operation designed for protecting the integrity and usability of
one’s network and data. It comprises both software and hardware technologies.
Effective network security deals with access over a network. It targets a variety of
attacks and restricts hackers from entering the network or carrying out their
intended threats over it. A network security solution comprises standards and
approaches adopted to prevent data misuse, irrelevant modifications, and other
mishaps over the web platform.

Different Types of Network Security

Network security solutions act as a strong wall between your network and malicious
activity. The network will remain vulnerable until customers wake up and opt for
the best approach to secure it. The following are different types of network
security that organizations can pick from:

• Antivirus and Antimalware Tools – The term ‘malware’ is the short form of
‘malicious software’, which comprises worms, ransomware, spyware,
Trojans, and viruses. Sometimes malware infects a network but then stays
inactive for many days or weeks. This inactive state might be due to the
preparation of something more dangerous with the advancement in malware.
Therefore, companies have to adopt the best antivirus and antimalware
products, which not only scan for malware on entry but also regularly
track documents afterward. These tools address anomalies, remove malware,
and fix the damage.
• Application Security – The name defines its functionality! Application
security is a product meant to protect the loopholes of business apps from
perpetrators. It covers the procedures of determining the product’s
vulnerabilities, followed by resolving them and protecting the network from
cybercrime. Software, procedures, and proper hardware configurations are
used to maintain the assets’ integrity.
• Behavioral Analytics – This type of network security can be stated as the use of
products to address a change in an existing pattern over the network. The
analytics products detect the anomaly and immediately warn the concerned
executives to take the required set of actions. A behavior-based malware
detection app looks for signals that can flag components of the software as
unauthentic and, if they are confirmed, declares it malware. However, it is not
enough to have only this approach for network security in a business. A
combination of behavior-based and signature-based detection programs can help
users to come up with more protective approaches.
• Data Loss Prevention – Enterprises must ensure that their employees don’t
share sensitive resources with external unknown entities. For this,
companies have to adopt data loss prevention technologies to secure the
organizational network communication and protect sensitive content
from being exposed. Officials should not be allowed to forward, upload,
or share confidential business information without giving notice to higher
authorities.
• Access Control – Not every individual should have the privilege to access the
business network. In order to keep potential attackers away from your
network, you have to recognize and keep a record of each employee’s devices
in your company. After this, you can implement network security standards and
block noncompliant endpoint devices. If they wish, industries can provide limited
access to their employees. Only when an official asks for access to your
confidential resources, ask him or her to put the request in an email. After this,
it is your duty to analyze whether it is safe to give access permissions for a
certain time period or not. If not, simply delete the request; otherwise permit
the individual to access the data at your risk.

HOST LEVEL SECURITY
Most cloud computing is delivered through data centers, and cloud computing is
accessible anywhere in the world. How security gets integrated in cloud computing is
important, as host level security in cloud computing needs to prevent attacks on the
system.

Security gets integrated in cloud computing by means of host level security. The
host can be a public cloud such as Amazon or Microsoft. Hosts like these provide
services and infrastructure which are shared by all customers.

Public clouds have lots of scalable space. Host level security in cloud computing
applies not only to the public cloud but to the private cloud too. Host level security
in cloud computing, therefore, has 3 or 4 cloud computing service delivery models.
With the public cloud, the cloud is made available to the general public and is owned
by an organization that sells these cloud services. Host level security in cloud
computing extends to the private cloud too. A private cloud is operated by a single
company or organization. It can be managed by the organization or a 3rd party.

APPLICATION LEVEL SECURITY
Cloud application security is a series of defined policies, processes, controls, and
technology governing all information exchanges that happen in collaborative cloud
environments like Microsoft Office 365, Google G Suite, Slack, and Box (to name a
few).

So, if you or your employees frequently store and share data in cloud applications like
the ones listed above (or any of the tens of thousands available), it is absolutely
necessary to add a cloud application “safety net” to your zero trust security
infrastructure.

CLOUD APPLICATION SECURITY THREATS

It is no secret that there are security issues in cloud computing that IT teams must be
aware of. According to the 2018 Cybersecurity Insider Report, the four most common
cloud application security threats that IT teams are facing include:

1. Misconfiguration of application setup is the single biggest threat to cloud
security because data breaches tend to happen when services are accidentally
exposed to the public internet.

2. Unauthorized access to a website, server, service, or other system is also an
area for great concern because once they’re in, there’s no telling what
unauthorized users will do to create chaos.

3. Insecure APIs and interfaces present easy opportunities for attackers to
breach systems because they are the only asset(s) outside of the organizational
boundary with a public IP address.

4. Account hijacking is feared because so much sensitive data and so many resources
are stored and accessed on devices shared by many different users—and because
keeping tabs on rogue employees is difficult.

DATA SECURITY AND STORAGE
In today’s world of (network-, host-, and application-level) infrastructure security,
data security becomes more important when using cloud computing at all “levels”:
infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), and
software-as-a-service (SaaS). This chapter describes several aspects of data security,
including:

• Data-in-transit

• Data-at-rest

• Processing of data, including multitenancy

• Data lineage

• Data provenance

• Data remanence

The objective of this chapter is to help users evaluate their data security scenarios
and make informed judgments regarding risk for their organizations. As with other
aspects of cloud computing and security, not all of these data security facets are of
equal importance in all topologies (e.g., the use of a public cloud versus a private
cloud, or non-sensitive data versus sensitive data).

Aspects of Data Security

To understand this requirement when using a public cloud, regardless of whether it is
IaaS, PaaS, or SaaS. It is also important to ensure that a protocol provides
confidentiality as well as integrity (e.g., FTP over SSL [FTPS], Hypertext Transfer
Protocol Secure [HTTPS], and Secure Copy Program [SCP])—particularly if the protocol
is used for transferring data across the Internet. Merely encrypting data and using a
non-secured protocol (e.g., “vanilla” or “straight” FTP or HTTP) can provide
confidentiality, but does not ensure the integrity of the data.
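
The point above, shown as an added example (not part of the original document): a record that is only encrypted decrypts without error after one bit is changed in transit, while the same record protected with encrypt-then-MAC is rejected. The SHA-256 keystream is a toy stand-in for a real cipher, and the keys, nonce and record are constructed sample values.

```python
import hashlib
import hmac
import os

TAG_LEN, NONCE_LEN = 32, 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || nonce || counter), illustration only.
    It stands in for a real stream or counter-mode cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_only(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Confidentiality only: XOR with the keystream, no integrity protection."""
    return bytes(d ^ k for d, k in zip(data, _keystream(key, nonce, len(data))))


decrypt_only = encrypt_only  # XOR with the same keystream is its own inverse


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes, nonce: bytes = None) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256(nonce || ciphertext)."""
    if nonce is None:
        nonce = os.urandom(NONCE_LEN)
    ciphertext = encrypt_only(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(enc_key: bytes, mac_key: bytes, message: bytes) -> bytes:
    """Verify the tag before decrypting; reject anything that was altered."""
    if len(message) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    nonce = message[:NONCE_LEN]
    ciphertext = message[NONCE_LEN:-TAG_LEN]
    tag = message[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: message was modified")
    return decrypt_only(enc_key, nonce, ciphertext)


def modify_in_transit(data: bytes, index: int) -> bytes:
    """Simulate corruption or tampering on an unprotected channel: flip one bit."""
    changed = bytearray(data)
    changed[index] ^= 0x01
    return bytes(changed)


def demo():
    enc_key, mac_key = b"E" * 32, b"M" * 32   # constructed keys
    nonce = b"\x00" * NONCE_LEN               # fixed for a repeatable demo only;
                                              # a nonce must be unique per message
    record = b"account=4411;amount=0100"      # constructed sample record

    # Case 1: encrypted, then sent over a protocol with no integrity check.
    ciphertext = encrypt_only(enc_key, nonce, record)
    altered = modify_in_transit(ciphertext, len(ciphertext) - 1)
    received = decrypt_only(enc_key, nonce, altered)   # no error is raised
    silently_changed = received != record

    # Case 2: the same record sealed with encrypt-then-MAC.
    sealed = seal(enc_key, mac_key, record, nonce)
    try:
        open_sealed(enc_key, mac_key,
                    modify_in_transit(sealed, NONCE_LEN + len(record) - 1))
        detected = False
    except ValueError:
        detected = True
    intact_ok = open_sealed(enc_key, mac_key, sealed) == record
    return received, silently_changed, detected, intact_ok


if __name__ == "__main__":
    print(demo())
```
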

DATA SECURITY AND PRIVACY ISSUES
Cloud technology has given opportunities to many businesses to showcase their
potential in the business world. SMEs are not only getting an opportunity to grow,
they are also taking their business operations to the next level. Cloud technology has
opened a door for small & medium scale companies to acquire market share by
entering the yard of bigger players. As business requirements have become
on-demand and need-based, it has given many companies a significant edge and
allowed them to compete in a much larger business space.

Cloud technology provides various advantages, ranging from data management, data
storage, 0% downtime, CRM management and resource optimization to entire business
automation. It also reduces a high amount of investment and saves a lot of time.

At the same time, cloud computing has raised multiple eyebrows with IT
management, especially when it comes to data security in cloud computing. Data
security and privacy protection are two major factors. These two factors are
becoming more important for the future development of cloud computing technology
in business, industry, and government.

Challenges:

• Data Replication

Every business faces this challenge. Snapshots and data backups are taken on a daily
basis. They are automatically stored in the cloud. Are you aware where they have been
stored and who can see and access them? Can you identify and control unauthorised
copying of your data?

• Data Loss

Data loss can be a disaster for any business. Virtual data can be easily lost or exposed
as it moves between VMs or in the cloud. Are you sure that authorised users are
accessing your data within predefined policies? Do you have the authority to block any
user who is violating data use policies?

• New Class of Users

Cloud computing needs cooperation between security, storage, application, and
security admins. They all manage your sensitive business data. With a larger number of
users, the risk also increases. If one admin goes wrong, the entire data in the system
will be at risk.

• Insecure APIs

Application Programming Interfaces (APIs) allow users to customize their cloud
computing practices. APIs can be a threat to cloud security because of their nature.
APIs give developers the tools to build solutions to integrate their applications with
other software. The vulnerability of an API depends on the communication that takes
place between applications. While this can help developers and businesses, it also
raises serious security concerns.

• Internal Threat

Never keep this point out of your mind. You may be thinking data is safe inside. But
this is one of the biggest challenges companies face. Employees can use their access to
an organisation’s cloud-based services to misuse or access information related to
finance, customer details etc.

Solutions:

• Always keep backup locally

When it comes to business data, you have to be extra conscious. Always have a
backup for your data. It is always good to create hard copies of your business data and
keep them with yourself so that you can access them even if you lose the original.
You can use any cloud storage solution to store your data. You can set up a
cloud account and keep the backup copies there. You also have the option of keeping the
backup data on an external storage device like a hard disk or a thumb drive. This
will allow you to access the information even without the internet.

• Don’t store sensitive data

Technology is changing. Businesses are also changing as per the technology. Data is
playing an important role in businesses today. So, data privacy is one of the primary
aspects of any business. But if something is on the internet, it is hard to trust that it
is safe. So, one should avoid storing the most sensitive files or information in the
cloud. Identity theft is on the rise and you can’t take any risk. You should keep in the
cloud platform those files which you access frequently, and should avoid putting
there information related to financial details, competitor details, client details,
contact details like phone number/address etc. If you are keeping these files, make
sure you encrypt them before uploading.

• Data encryption

One of the best ways to protect your data while using cloud storage is to do data
encryption. This is the best form of security because you need decryption before
accessing the data. This will protect data against service providers and users also. To
make it more protected, you can also ensure cloud encryption during the uploading and
downloading phases. But this will make data sharing and sync in the cloud platform
a little slow.

• Encrypted cloud service

There are a few cloud services which provide local encryption and decryption of your
files and information in addition to storage and backup. This means the
service takes care of both encrypting your files and storing them safely in the cloud.
This will ensure that no one, including the service provider or the administrators, can
have access to your data files. There are many free versions and also trial versions
available in the market. You can use them to learn how it works and later can
upgrade to enjoy more space.

• Using password

The first thing which can be done is to set a strong password which can withstand
hacking. You can take the help of the internet to learn how to create a strong password.
It is very important to change your password frequently and never use the same
password for all the accounts or folders. You can opt for 2-step verification for login if
your cloud service offers that option. Google Drive uses a 2-phase login option,
consisting of a password and a code sent to the registered number. This added security
will make your data much safer.

IDENTITY AND ACCESS MANAGEMENT
IAM is a cloud service that controls the permissions and access for users and cloud
resources. IAM policies are sets of permission policies that can be attached to either
users or cloud resources to authorize what they access and what they can do with it.

The concept “identity is the new perimeter” goes as far back as the ancient times of
2012, when AWS first announced their IAM service. We’re now seeing a renewed focus
on IAM due to the rise of abstracted cloud services and the recent wave of high-
profile data breaches.

Services that don’t expose any underlying infrastructure rely heavily on IAM for
security. For example, consider an application that follows this flow: a Simple
Notification Service (SNS) topic triggers a Lambda function, which in turn puts an item
in a DynamoDB table. In this type of application, there is no network to inspect, so
identity and permissions become the most significant aspects of security.

As an example of the impact of a strict (or over-permissive) IAM profile, let’s consider
the Lambda function. The function is only supposed to put items in the DynamoDB
table. What happens if the function has full DynamoDB permissions? If the function is
compromised for whatever reason, the DynamoDB table is immediately compromised
as well, since the function could be leveraged to exfiltrate data.

If the IAM profile follows the “least-privilege” principle and only allows the function
to put items in the table, the blast radius will be greatly reduced in the case of an
incident. A hands-on example of this can be found in this CNCF webinar.

Managing a large number of privileged users with access to an ever-expanding set of
services is challenging. Managing separate IAM roles and groups for these users and
resources adds yet another layer of complexity. Cloud providers like AWS and Google
Cloud help customers solve these problems with tools like the Google Cloud IAM
recommender (currently in beta) and the AWS IAM access advisor. These tools attempt
to analyze the services last accessed by users and resources, and help you find out
which permissions might be over-privileged.

These tools indicate that cloud providers recognize these access challenges, which is
definitely a step in the right direction. However, there are a few more challenges we
need to consider.

Identity and Access Challenges

IAM and SSO

Most businesses today use some form of single sign-on (SSO), such as Okta, to manage
the way users interact with cloud services. This is an effective way of centralizing
access across a large number of users and services. While using SSO to log into public
cloud accounts is definitely the best practice, the mapping between SSO users and
IAM roles can become challenging, as users can have multiple roles that span several
cloud accounts.

Effective permissions

Considering that users and services have more than one permission set attached to
them, understanding the effective permissions of an entity becomes difficult.

Example: “What can Mary access? Which actions can she perform on these services? If
she accesses a virtual machine, does she inherit the IAM permissions of that resource?
Is she part of a group that grants her additional permissions?” With layers upon layers
of configurations and permission profiles, questions like these become difficult to
answer.
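
Both questions raised in this section (how much a compromised Lambda role can do to the DynamoDB table, and what Mary can do once her user and group policies are combined) come down to the same calculation, sketched here as an added example that is not code from the original document or from AWS. The table ARN, account number, policy names and the partial action list are constructed; conditions, permission boundaries and resource policies are not modelled.

```python
from fnmatch import fnmatchcase

# Partial, constructed catalogue used to expand wildcards such as "dynamodb:*".
ACTIONS = [
    "dynamodb:PutItem", "dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan",
    "dynamodb:UpdateItem", "dynamodb:DeleteItem", "dynamodb:DeleteTable",
]
TABLE = "arn:aws:dynamodb:us-east-1:111122223333:table/orders"  # constructed ARN


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case):
    """Wildcard match with '*' and '?'; action names are matched case-insensitively."""
    if fold_case:
        return any(fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def effective_actions(policies, resource):
    """Actions from ACTIONS that the combined policies allow on `resource`.

    All statements of all attached policies are evaluated together: an action
    is allowed if some Allow matches it and no Deny matches it.
    """
    allowed, denied = set(), set()
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _matches(stmt["Resource"], resource, fold_case=False):
                continue
            hits = {a for a in ACTIONS if _matches(stmt["Action"], a, fold_case=True)}
            if stmt["Effect"] == "Allow":
                allowed |= hits
            else:
                denied |= hits
    return allowed - denied


def excess_actions(policies, resource, required):
    """Allowed actions beyond what the workload needs: the avoidable blast radius."""
    return sorted(effective_actions(policies, resource) - set(required))


def _policy(*statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}


# The Lambda function from the text: it only needs to put items in the table.
LAMBDA_NEEDS = ["dynamodb:PutItem"]
LAMBDA_BROAD = _policy({"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"})
LAMBDA_LEAST = _policy({"Effect": "Allow", "Action": "dynamodb:PutItem",
                        "Resource": TABLE})

# Mary (hypothetical): one policy on the user, three inherited from groups.
MARY_POLICIES = [
    _policy({"Effect": "Allow", "Action": ["dynamodb:GetItem", "dynamodb:Query"],
             "Resource": TABLE}),                                   # user policy
    _policy({"Effect": "Allow", "Action": "dynamodb:Scan",
             "Resource": "arn:aws:dynamodb:*:111122223333:table/*"}),  # group: analysts
    _policy({"Effect": "Allow", "Action": "dynamodb:Delete*",
             "Resource": TABLE}),                                   # group: ops
    _policy({"Effect": "Deny", "Action": "dynamodb:DeleteTable",
             "Resource": "*"}),                                     # group: guardrail
]

if __name__ == "__main__":
    print("broad role excess:", excess_actions([LAMBDA_BROAD], TABLE, LAMBDA_NEEDS))
    print("least role excess:", excess_actions([LAMBDA_LEAST], TABLE, LAMBDA_NEEDS))
    print("Mary can:", sorted(effective_actions(MARY_POLICIES, TABLE)))
```

With the broad role, everything in the catalogue except `dynamodb:PutItem` is excess; for Mary, the group policies add `Scan` and `DeleteItem` to what her user policy grants, and the explicit deny removes `DeleteTable`.
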

Access Control in Cloud Security
Access Control in cloud security is a system with which a company can regulate and
monitor permissions, or access to their business data, by formulating various policies
chosen by the company. Access control in cloud security helps companies gain
macro-level visibility into their data and user behavior, which a cloud app may not be
able to offer, given their on-demand services and mobility.

Today, data is the most valuable asset of a company; safeguarding it is the next thing
to do! Access Control in cloud computing gives companies the control to restrict
unauthorized user access and, at the same time, give enough access for smooth
functioning at work.

CloudCodes Access Control in cloud security lets companies formulate policies to
restrict access through specific IP addresses, browsers, devices, and during specified
time shifts. Here's an in-depth view of our Access Control in cloud computing solution.

Security Features Under Access Control

IP Restriction

IP-based access control in cloud computing lets you enforce an IP restriction policy
that enables the IT admin to restrict user access to business data to one or
more specified IP address(es) only. This ensures that no business data is accessed
from an unsecured, public, or unregistered IP address.

• Restrict a single user, a subset of users or the entire organization to an IP
restriction policy

• Policy-based restriction for providing strong granular control to the business

• Customize mapping of users over one or more IP addresses

• No firewall settings or local installation are required for this feature

• Easy to set up IP restriction policies


Browser Restriction

This feature restricts end-users from accessing confidential files and folders on any
web browser. Access Control in cloud computing ensures users can access business data
only from the browsers specified through policy by the IT admin of an enterprise.

• Applicable to any of the trending web browsers like Mozilla Firefox, Safari, IE,
Chrome, etc.

• Manages Google Chrome using Google admin chrome management console

• Pushes the applications and extensions through the Chrome Management

• Organizational unit based granular control policies

• Easy and automated rollout

Device Restriction

Access Control in cloud security restricts users from accessing corporate data from
unknown, public, or unauthorized devices. This ensures no business data is copied,
transferred, infected with a virus, and so on, to or from a personal or public device.

• The policy is set up using the device's unique MAC ID

• Does not allow business data from personal machines, unless specified by IT
admin

• Policy violation report sent to admin on a daily basis

• Self-service rollout

• Supports Linux, Mac, Windows, Chromebook

TRUST
Expectancy, belief, and readiness to take risks are the three components of trust.
Trust in cloud computing is a measure of the reputation of a particular CSP that
provides some set of resources to users. Trust in the cloud is essential for the cloud
business to develop and the provider to prosper. Some factors are required to help
the user choose a CSP in order to make the provider trustworthy.

Types of Trust

The trust in cloud computing is divided into various categories namely Reputation
Based Trust, SLA verification-based trust, Policy-based trust, Evidence-based trust
and Societal trust.

1. Reputation Based Trust

The reputation of an entity in Reputation Based Trust is the collective evaluation of
the public’s trust in that entity. Many entities in a community generally trust an
entity with a good reputation; an entity that needs to make a trust decision on a
trustee utilizes the trustee’s reputation to compute or estimate the trustee’s trust
level. Because cloud reputation influences the selection of cloud services, CSPs strive
to build and maintain a better reputation. A broad score indicating the overall
viewpoint, or a modest number of scores on several key characteristics of
performance, is how reputation is traditionally represented.

2. SLA verification based trust

After establishing preliminary trust and using a cloud service, the cloud user must
check and re-examine the trust value under SLA verification based trust. A service
level agreement (SLA) is a legally binding agreement between two communicating
parties: the user and the supplier. As a result, monitoring QoS (Quality of Service)
parameters and verifying SLA documents are critical components of cloud computing
trust management. These types of services must be provided by a third-party CSP.

3. Policy-based trust

It is necessary to build a "formal" in policy based trust. In a similar domain, Public Key
Infrastructure (PKI) is a widely used technology that supports key certification, digital
signature, and validation through the use of "formal" trust procedures. It also allows
for the verification and validation of data attributes. In this case, confidence in a
Certification Authority (CA) is based on the CA’s certification of specific certificate
policies. It refers to the process of delivering and storing validated public key
certificates. PKI trust is heavily reliant on certificate policies.

4. Evidence-based trust

Evidence-based trust is defined as a trustor’s belief in the trustee’s predictable
behaviour based on evidence of traits such as adaptability, helpfulness, and honesty.

5. Societal trust

Any individual or corporation can be a part of societal trust. Each entity in the cloud
must also be trusted. In the information security services industry, trust between the
supplier and the client is critical to the business’s success.
RISKS
Cloud computing provides various advantages, such as improved collaboration,
excellent accessibility, Mobility, Storage capacity, etc. But there are also security
risks in cloud computing.

Some most common Security Risks of Cloud Computing are given below-

1. Data Loss

Data loss is the most common security risk of cloud computing. It is also known
as data leakage. Data loss is the process in which data is deleted, corrupted,
or made unreadable by a user, software, or application. In a cloud computing
environment, data loss occurs when our sensitive data is in somebody else's hands, one
or more data elements cannot be utilized by the data owner, the hard disk is not working
properly, or the software is not updated.

2. Hacked Interfaces and Insecure APIs

As we all know, cloud computing depends completely on the Internet, so it is
compulsory to protect the interfaces and APIs that are used by external users. APIs are
the easiest way to communicate with most cloud services. In cloud computing,
a few services are available in the public domain. These services can be accessed by
third parties, so there is a chance that these services are easily harmed and hacked
by hackers.

3. Data Breach

Data Breach is the process in which confidential data is viewed, accessed, or
stolen by a third party without any authorization, so that the organization's data is
hacked by the hackers.

4. Vendor lock-in

Vendor lock-in is one of the biggest security risks in cloud computing. Organizations
may face problems when transferring their services from one vendor to another. As
different vendors provide different platforms, moving from one cloud to another can
be difficult.

5. Increased complexity strains IT staff

Migrating, integrating, and operating cloud services is complex for the IT staff. IT
staff require extra capability and skills to manage, integrate, and maintain
the data in the cloud.

6. Spectre & Meltdown

Spectre & Meltdown allow programs to view and steal data that is currently being
processed on a computer. They can run on personal computers, mobile devices, and in the
cloud. Passwords and personal information such as images, emails, and business
documents held in the memory of other running programs can be exposed.

7. Denial of Service (DoS) attacks

Denial of service (DoS) attacks occur when the system receives more traffic than the
server can buffer. Mostly, DoS attackers target web servers of large organizations such
as banking sectors, media companies, and government organizations. To recover the
lost data, DoS attackers charge a great deal of time and money to handle the data.

8. Account hijacking

Account hijacking is a serious security risk in cloud computing. It is the process in
which an individual user's or organization's cloud account (bank account, e-mail account,
and social media account) is stolen by hackers. The hackers use the stolen account to
perform unauthorized activities.
AUTHENTICATION IN CLOUD COMPUTING
The purpose of cloud-based authentication is to protect companies from hackers
trying to steal confidential information. Cloud authentication allows authorized users
across networks and continents to securely access information stored in the cloud
with authentication provided through cloud-based services.

Global IT and data-driven operations are largely in the cloud. That’s not surprising,
considering that infrastructure provides a type of flexibility, resiliency, and scalability
that most organizations aren’t going to find in traditional on-premise solutions.

Many of the same security and compliance issues that were challenges for on-premise
technology persist in the cloud, and many of those challenges are amplified. That’s
because infrastructure—storage, applications, analytics, and tools—must have a
connection to users that is secure and compliant without sacrificing usability.
Furthermore, these environments are heterogeneous and global. Security is a real
issue with different components and tools working together to provide real value to
users everywhere.

This is where cloud-based authentication comes into play. Much like traditional
authentication, cloud verification serves as an identity verification system for
services. Users provide credentials proving their identity and gain access to system
resources or services, like apps.

However, cloud-based identification faces a few challenges:

1. Security of Passwords: Password and credential lookups can happen in a
number of ways, and one of the most common forms of password confirmation
is through database lookups. These lookups make it relatively easy for hackers
to steal password information through a security breach. This problem is
compounded when considering how most users regularly use the same password
over multiple platforms and accounts. Additionally, multiple accounts on
multiple services create a larger attack surface for a given user’s data
regardless of how well they manage their credentials.

2. Cohesion: Distributed environments are not a singular entity, but a collection
of hardware, tools, and configurations working together. It’s most likely the
case that credential validation can occur through one of the multiple
technologies, such as LDAP, Kerberos, database lookups, etc. This makes it that
much more challenging to manage users across systems effectively and
securely.

3. Transparency and Privacy: With multiple platforms, it’s nearly impossible for
a business user to understand the entirety of their risk profile. A provider could
hinder that understanding by making it difficult, if not impossible, for users to
understand the methods in place. With the distributed nature of cloud
computing, it’s nearly impossible using traditional methods to fully verify that
the user accessing a system is who they claim to be.

One of the major innovations in authentication that help providers mitigate these
challenges is to switch to a different identity verification approach.

Authentication Services and Authentication-as-a-Service

Authentication modernization includes incorporating identification methods into
technology to better serve users and administrators of those same services. This
approach is often referred to as “Authentication-as-a-Service” (AaaS).

AaaS addresses two significant challenges to identity verification:

1. Providing strong, secure, and distributed authentication for services.

2. Offering users a smooth and streamlined experience.

Much like any other service model (SaaS, IaaS, etc.), AaaS provides secure processes
as a microservice, so providers (and any services operating on platforms) can leverage
secure identification without running into the challenges of fragmentation, lack of
cohesion, or lack of scalability. At the same time, it leverages modern technology
(Single Sign-On, MFA, etc.) and provides them to all users of platforms equally.

To provide that level of security and usability, AaaS solutions typically implement one
or more of the following technologies to make up a larger identity-verification
architecture:

1. Identity Management: AaaS provides robust controls for managing user
identities and accounts, including the ability to centralize control over account
maintenance, e.g., removing access to individuals who no longer may access a
system.

2. Authentication Mechanisms: Passwords, MFA, SMS tokens or any form or
combination of authentication methods are used to verify identity.

3. Authorization/Access Control: AaaS provides controls that verify users across a
system’s resources, and manage what users can access what resources and
how.

4. Security Policies: A strength of AaaS is that it can also better centralize and
support security policies related to auditing and monitoring, password policies,
service-level agreements, and other policies and agreements between end
users, companies, and providers.

5. Fraud Detection: Audit logging and reporting on user activity determines,
through human or AI-driven analytics, any evidence of fraud or hacking.

Primarily, cloud-based authentication works through Single Sign-On (SSO) strategies in
a way that allows users to access resources on the cloud through different devices
connected to the cloud. By using cloud-based authentication, your business can
leverage more comprehensive features across multiple devices without losing out on
user experience. These include the following:

1. Cloud-Based LDAP: Lightweight Directory Access Protocol (LDAP) provides a
client-server model of authentication where the client provides credentials
with a request for resources or information. The credentials are compared
against a database of user credentials and authenticated before releasing any
information. Cloud-based LDAP systems use this model but within a cloud
framework.

2. Security Assertion Markup Language (SAML): SAML is a form of federated
authentication that allows separation to exist between service providers and
services. This empowers the use of identity providers across many different
platforms or services.

3. OAuth: OAuth is an open protocol that allows the use of authorization tokens
across multiple sites. Somewhat similar to SAML, OAuth provides authentication
across multiple platforms. OAuth relies more heavily on API calls between
different platforms, while SAML relies more on browsers and cookies containing
XML. This makes OAuth more intuitive and robust for use in mobile apps,
games, etc.
COMMERCIAL AND BUSINESS CONSIDERATIONS
BUSINESS CONSIDERATIONS

Organizations that want to migrate their business technologies to the cloud should align
the company mindset from the top down. Moving from on-premises technology to
cloud computing requires more than simply moving data from one place to another.
Finding success in the cloud requires a well-thought-out migration plan, which means
you need to first understand your overall business objectives. Start by deciding
whether a move to the cloud will actually help meet your business goals. Investing
time and developing a formal plan is essential for a successful transition. Some of the
business considerations for moving to cloud are:

1. Identify Business Objectives


Pinpointing the exact need for moving your business systems to cloud computing is
critical. If you decide to migrate your current infrastructure to the cloud without a
clear understanding of the business needs, or without a detailed plan, it could end up
costing more in the long run.

Common business drivers for moving to the cloud include:

• Improving disaster recovery
• Increasing computer resources
• Minimizing performance issues
• Optimizing application or hardware upgrades
• Meeting compliance requirements
• Increasing efficiency or flexibility

If you’ve already made the switch to virtualized platforms then moving to the cloud
won’t be much different, but developing a plan that helps shift your business model
to cloud computing will improve efficiency and reduce costs.

2. Talk To Internal Users


Don’t automatically assume that you know what technologies are best to run the
business. Speak with departmental teams to understand what challenges they face
and what cloud-based systems may help improve. Don’t hesitate to request feedback.
Taking these steps will help you evaluate the most beneficial cloud technologies for
internal teams and will help speed up user adoption once the migration happens.

Preparing employees for the shift and getting them up to speed on the solutions once
they have access is a critical part in a successful cloud transition. It’s important for
management to identify who will be working with the cloud solutions and what
training may be needed.

3. Use The Correct Cloud for Each Process


Different portions of your business may require other cloud deployment
models. Compliance standards could be a requirement for either financial or sensitive
data. Some sectors may require private cloud, while other areas may be able to use
shared cloud services.

If your company hasn’t moved any systems to a virtualized platform, then you may
consider a hybrid approach before moving everything to the cloud.

4. Don’t Overlook Ongoing Operations


Migrating your systems is only the first step in moving to the cloud. Once everything is
in the cloud, you need to have a plan for ongoing operations to maintain security,
updates, and performance. If the IT team doesn’t have the personnel or skills to
manage the cloud environment, you need to work with a managed services partner.

Having someone dedicated to managing the cloud environment ensures that systems
stay updated and monitored to protect against unauthorized access. A dedicated team
also ensures the newest features are available to end-users and that accurate
reporting on performance and IT initiatives are provided to company executives.

Moving to the cloud for any business can be financially and operationally beneficial if
it’s done right. But in order to do so, first, you must understand the full scope of
migrating your systems and secondly, you must be willing to shift the corporate
mindset. This is vital to the success of your business and a transition to cloud services.
COMMERCIAL CONSIDERATIONS

A genuine cloud service is standard, with little, if any, opportunity to bespoke the
service (although consumers may have opportunities to choose additional
standardized service features, and some SaaS services may require an initial
configuration or enable "skinning" of the application to reflect the consumer's own
branding). Standardization allows cloud providers to achieve significant economies of
scale which will be passed through to consumers in the form of highly competitive
pricing and more stable services.

Therefore, cloud contracts are generally standardized too, with little, if any, scope
for negotiation, as it does not make economic sense for a cloud provider to manage
non-standard contracts against a standardized service. Within this context, there are
a number of contract types:

Consumer to business: Typically, these contracts relate to free cloud services, such
as Facebook, where the cloud provider makes its money through advertising and/or
the secondary processing of customer data. This type of contract has no scope for
negotiation, and consumers generally have few rights under the contract.

Business to business: These contracts generally relate to services which an enterprise
is paying for. There is usually little scope for negotiation, but the contract will usually
vest more rights to the consumer although the cloud provider's liability for service
performance (including data damage and loss) may in some cases be very limited. The
contract may also permit the cloud provider to unilaterally modify both the service
and the contract, and place technical and contractual constraints on switching from
one provider to another. Cloud providers can offer additional contractual terms, e.g.
enterprise agreements or adherence to the EU Model Contract Clauses relating to data
protection, over and above the default terms.

Bespoke contracts: Whilst cloud providers rarely offer scope for negotiation of their
contracts, it is not correct to say that there is never any negotiation. Cloud providers
have been known to negotiate specific agreements with those consuming
organizations viewed as particularly influential or large volume.

As with any contract, cloud contracts vary: some are balanced and fair to both
parties, whilst others are unbalanced, favoring the cloud provider. Organizations need
to take a number of key considerations into account, to ensure their legal and
regulatory obligations can be fulfilled, that the jurisdictional implications are
understood, that the data in their care is not exposed to unacceptable risk, and that
the contract is fair and equitable, giving adequate protection to the consuming
organization should anything go wrong.
DROPS: DIVISION AND REPLICATION OF DATA IN THE
CLOUD FOR OPTIMAL PERFORMANCE AND SECURITY
In a cloud environment, a file in its totality, stored at a node leads to a single point of
failure. A successful attack on a node might put the data confidentiality or integrity,
or both at risk. The aforesaid scenario can occur both in the case of intrusion or
accidental errors. In such systems, performance in terms of retrieval time can be
enhanced by employing replication strategies. However, replication increases the
number of file copies within the cloud, thereby increasing the probability of the
node holding the file being a victim of attack. Security and replication are essential
for a large-scale system, such as cloud, as both are utilized to provide services to the
end user. Security and replication must be balanced such that one service must not
lower the service level of the other.

The DROPS methodology proposes not to store the entire file at a single node.
Instead, it fragments the file and makes use of the cloud for replication. The
fragments are distributed such that no node in a cloud holds more than a single
fragment, so that even a successful attack on the node leaks no significant
information. The DROPS methodology uses controlled replication where each of the
fragments is replicated only once in the cloud to improve the security. Although, the
controlled replication does not improve the retrieval time to the level of full-scale
replication, it significantly improves the security.

In the DROPS methodology, the user sends the data file to the cloud. The cloud manager
system (a user-facing server in the cloud that entertains the user’s requests), upon
receiving the file, performs: (a) fragmentation, (b) a first cycle of node selection,
storing one fragment on each of the selected nodes, and (c) a second cycle of node
selection for fragment replication.

The cloud manager keeps record of the fragment placement and is assumed to be a
secure entity. The fragmentation threshold of the data file is specified to be
generated by the file owner. The file owner can specify the fragmentation threshold
in terms of either percentage or the number and size of different fragments. The
percentage fragmentation threshold, for instance, can dictate that each fragment will
be of 5 percent size of the total size of the file. Alternatively, the owner may
generate a separate file containing information about the fragment number and size,
for instance, fragment 1 of size 5,000 Bytes, fragment 2 of size 8,749 Bytes. We argue
that the owner of the file is the best candidate to generate fragmentation threshold.
The owner can best split the file such that each fragment does not contain significant
amount of information as the owner is cognizant of all the facts pertaining to the
data. The default percentage fragmentation threshold can be made a part of the
service level agreement (SLA), if the user does not specify the fragmentation
threshold while uploading the data file.

Once the file is split into fragments, the DROPS methodology selects the cloud nodes
for fragment placement. The selection is made by keeping an equal focus on both
security and performance in terms of the access time. We choose the nodes that are
most central to the cloud network to provide better access time. For the aforesaid
purpose, the DROPS methodology uses the concept of centrality to reduce access
time. Three centrality measures are implemented, namely: (a) betweenness, (b)
closeness, and (c) eccentricity centrality. However, if all of the fragments are placed
on the nodes based on the descending order of centrality, then there is a possibility
that adjacent nodes are selected for fragment placement. Such a placement can
provide clues to an attacker as to where other fragments might be present, reducing
the security level of the data.

To deal with the security aspects of placing fragments, we use the concept of
T-coloring that was originally used for the channel assignment problem. We generate a
non-negative random number and build the set T starting from zero to the generated
random number. We assign colors to the nodes, such that, initially, all of the nodes
are given the open_color. Once a fragment is placed on the node, all of the nodes
within the neighborhood at a distance belonging to T are assigned close_color. In the
aforesaid process, we lose some of the central nodes that may increase the retrieval
time but we achieve a higher security level. If somehow the intruder compromises a
node and obtains a fragment, then the location of the other fragments cannot be
determined. The attacker can only keep on guessing the location of the other
fragments. The process is repeated until all of the fragments are placed at the nodes.

In addition to placing the fragments on the central nodes, we also perform a
controlled replication to increase the data availability, reliability, and improve data
retrieval time. We place the fragment on the node that provides the decreased access
cost with an objective to improve retrieval time for accessing the fragments for
reconstruction of the original file. While replicating the fragment, the separation of
fragments, as explained in the placement technique through T-coloring, is also taken
care of. In case of a large number of fragments or a small number of nodes, it is also
possible that some of the fragments are left without being replicated because of the
T-coloring. As discussed previously, T-coloring prohibits storing a fragment in the
neighborhood of a node storing a fragment, resulting in the elimination of a number
of nodes to be used for storage. In such a case, only for the remaining fragments, the
nodes that are not holding any fragment are selected for storage randomly.
Various Attacks Handled by DROPS Methodology

• Data Recovery: Rollback of VM to some previous state. May expose previously
stored data.
• Cross VM attack: Malicious VM attacking co-resident VM that may lead to data
breach.
• Improper media sanitization: Data exposure due to improper sanitization of
storage devices.
• E-discovery: Data exposure of one user due to seized hardware for
investigations related to some other users.
• VM escape: A malicious user or VM escapes from the control of VMM. Provides
access to storage and compute devices.
• VM rollback: Rollback of VM to some previous state. May expose previously
stored data.
CLIENT ACCESS IN CLOUD
A cloud client consists of computer hardware and/or computer software which relies
on cloud computing for application delivery, or which is specifically designed for
delivery of cloud services and which, in either case, is essentially useless without it. A
cloud client is an interface of the cloud to the common computer user through web
browsers and thin computing terminals. So the term cloud client describes a piece of
hardware, a piece of software or both, that is specifically designed for a cloud
service. Following are the types of clients:

Hardware Clients

Thick Client: The so-called thick client consists of many interfaces, internal memory,
I/O devices etc. It is a full-featured computer, which is functional, whether it is
connected to a network or not. It is possible to use the thick client for many different
tasks; a good example is the well-known standard desktop PC. Most of the cloud
services available can be used with a thick client, for example the Amazon Simple
Storage Service (S3), the Elastic Compute Cloud (EC2) or Microsoft LiveMesh.

Thin Client: The thin client on the other hand has only the necessary components for
one specific task, in the most extreme form only input and output interfaces. It
doesn't have a hard drive and therefore no software can be installed on it. Instead, it
runs programs and accesses data from a server and has a very specific application. An
example is the OnLive hardware that is about to start at the end of 2009. It is
supposed to provide games on demand. The games are executed on the OnLive server that
is in the cloud. The OnLive MicroConsole receives input from keyboard, gamepad or mouse
and sends it to the cloud. The graphics and sound output are streamed to the
MicroConsole, which displays it on a TV set. That is all this piece of hardware is
capable of.

Smartphones: Finally, the third type of hardware is the smartphone. Smartphones let you
access cloud services from everywhere; examples are the iPhone, Android-based
phones and phones with the Windows Mobile operating system. Some cloud services
can be used on smartphones, an example is the Salesforce.com Mobile Lite Client.
Salesforce.com is a purely cloud based CRM system for companies.

Software Clients

Rich or Fat Client: Desktop applications connected to the Internet or Fat Clients are
applications that make use of network support, but also run offline, sometimes with
limited functionality. Examples are the e-mail client Microsoft Outlook or the media
player iTunes. These applications need to be installed on the user's machine.

Smart Clients: A Smart Client also has to be installed locally, but installation and
updating is done automatically over some kind of network.

Web-applications/Thin Clients: Web-applications/Thin Clients rarely have to be
installed by the user. An example is the online agenda application Google Calendar.
Applications of this kind often run in a web-browser.

Client Access Control

Access control determines who has permission to access services and resources in a
Cloud project. There are a few separate use cases for setting up access control:

• Granting team members access to your Cloud project so they can set up
services and deploy apps: This is generally done by opening the cloud console
and selecting the project or opening it. Find the add/add user button and enter
the email address. Select the roles that give access of the cloud features to the
user and click save/grant.

• Granting your app access to Cloud services, such as Cloud Storage. All Cloud
services require authentication and authorization for every API call, including
calls from your application. By default, calls from your App Engine app to
services in the same project are authorized. Here's how the default flow works:

o To initiate calls to a Cloud service, your app creates a client object,
which contains the credentials and other data your app needs to interact
with the service. If you don't specify credentials in the client's
constructor, the client looks for credentials in the app's environment.

o You can also specify credentials when you instantiate the Client object
for a Cloud service. For example, if your app is calling a Cloud service in
a different project, you may need to pass credentials manually.

• Granting your users access to resources in a Cloud project. While this use case
isn't common, there may be cases in which your app needs to request access to
a Cloud resource on behalf of a user. For example, your app may need to
access data that belongs to your users.
Jurisdictional Issues Raised by Data Location
Some of the Jurisdictional issues related to cloud computing are:

• Data Location—This may breach contractual agreements without the
organization being aware of it;
• Having the right to audit a cloud supplier to ensure that the Organization’s
requirements are met;
• How backups are managed to meet legislative, regulatory, and Organization
requirements, and how these are regularly tested;
• How the cloud supplier can guarantee service continuity;
• How the cloud supplier screens its employees;
• How the cloud supplier undertakes an investigation in the cloud;
• The ability to prove compliance to a third party;
• The eventual responsibility in case of breach;
• The possibility of unequal contracting parties;
• Who else can access the Organization’s information (and so Client data).

Jurisdictional issues are mostly related to location of data and the specific laws that
apply in that location. Cloud service providers locate their datacenters in order to
reduce their operational costs. The placement of datacenters is influenced by the
desire to optimally serve customers on a global scale. For this reason it is quite
common to distribute the infrastructure of a single cloud provider over the globe.

Specific issues arise from the different laws that are applied for the protection of
data. For instance, the EU directive states that any personal data generated within
the European Union are subject to European law as well as concerning the export of
these data to a third-party country. This limits the mobility of data among
datacenters located in different countries, if an appropriate level of data protection
is not guaranteed.

Furthermore, SLAs are agreed to within a context defined by a specific governing law,
but due to the mobility of data, such laws might not be effective and could fail in
their purpose of protecting customer rights. The condition is even worse when there is
no specific statement indicating the governing law under which the agreement was
signed.

Jurisdictional issues may also arise in the case of subcontracting. This is a quite
common scenario in the case of cloud federation: A cloud provider leverages other
providers’ services and facilities to provide services to customers. This is mostly done
transparently to the user. In case of failure in service delivery, it will be difficult for
the cloud user to identify the real causes. In this case, the scenario is complicated by
the fact that, besides different geographies, different organizations are involved in
delivering the service to the end user.

Different jurisdictions lead to what is also called the conflict of laws, which
acknowledges the fact that laws of different countries may operate in opposition to
each other, even if they relate to the same subject matter. The general rule of thumb
is that, since each nation is sovereign within its own territory, the laws of a country
will affect all the people and property within it, including contracts made and actions
carried out within its borders. As already observed, the SLA should clearly specify the
governing law as well as the other potential jurisdictions that may be involved in
delivering the service to the end user.
Cloud Contracting Model
The contracts of cloud computing are made by keeping in mind the following aspects:

• Pre-Contractual Aspects:
o Verification of mandatory law and other requirements: The legal
framework applicable to the customer, the provider or both may impose
conditions for entering into a cloud computing contract. The parties
should in particular be aware of laws and regulations related to personal
data, consumer protection, cybersecurity, export control, customs, tax,
trade secrets, IP-specific and sector-specific regulation that may be
applicable to them and their future contract. Non-compliance with
mandatory requirements may have significant negative consequences,
including invalidity or unenforceability of a contract or part thereof,
administrative fines and criminal liability
o Pre-contractual risk assessment: The applicable mandatory law may
require a risk assessment as a precondition to entering into a cloud
computing contract to identify risk mitigation strategies, including the
negotiation of appropriate contractual clauses
o Other pre-contractual issues: These include disclosure of information,
confidentiality, and migration to the cloud.
• Drafting a contract:
o General considerations: These include freedom of contract (the freedom
of parties to enter into a contract and to determine its content), contract
formation, the contract service agreement (which may comprise one or
more documents such as an acceptable use policy (AUP), a service level
agreement (SLA), a data processing agreement or data protection policy,
a security policy and a licence agreement), definitions and terminology
(a glossary of terms to avoid ambiguities in their interpretation), and
usual contract content (like duration of contract and termination).
o Identification of contracting parties: The correct identification of
contracting parties may have a direct impact on the formation and
enforceability of the contract
o Defining the scope and the object of the contract: The description of the
object of the contract usually includes a description of a type of cloud
computing services (SaaS, PaaS, IaaS or a combination thereof), their
deployment model (public, community, private or hybrid), and is usually
done in SLAs and similar documents.
o Rights to customer data and other content, audits and monitoring:
Providers usually reserve the right to access customer data on a
“need-to-know” basis. Certain rights to access customer data can be
considered to be implicitly granted by the customer to the provider by
requiring a certain service or feature.
o Changes in services: Cloud computing services are by nature flexible and
fluctuating. The elasticity, scalability and on-demand self-service
characteristics of cloud computing services are usually enabled through
many contractual options that the customer may use to adjust the
consumption of services according to its needs without having to
renegotiate the contract every time.
o Suspension of services: The providers’ standard terms may contain the
right of the provider to suspend services, at its discretion, at any time.
“Unforeseeable events” is a common justification
o Liability: The data protection law of certain jurisdictions imposes more
liability on the data controller than on data processors of personal data
o Remedies for breach of the contract: The parties are free to select
remedies within the limits of applicable law like termination of service,
suspension of service or service credits
o Term and termination of the contract: The effective start date and
duration of the contract are defined along with possible reasons for
earlier termination, termination of contract for convenience, for breach,
for unacceptable modifications to the contract, for change of control
etc.
o End-of-service commitments: End-of-service commitments may be the
same regardless of the cause of termination of the contract or may be
different depending on whether termination is for breach of contract or
another reason.
o Dispute resolution: The parties may agree on the method to settle their
contractual disputes like negotiation, mediation, online dispute
resolution (ODR), arbitration and judicial proceedings.
o Choice of law and choice of forum: Freedom of contract usually allows
parties to choose the law that will be applicable to their contract and
the jurisdiction or forum where disputes will be considered
o Notifications: Notification clauses usually address the form, language,
recipient and means of notification, as well as when the notification
becomes effective (upon delivery, dispatch or acknowledgment of
receipt)
o Amendment of the contract: Amendments to the contract could be
triggered by either party. The contract would address the procedure for
introducing amendments and making them effective. The contract may
also need to address the consequences of rejection of amendments by
either party
