Unit 7


UNIT 7 SECURITY ISSUES IN CLOUD COMPUTING
Structure

7.0 Introduction
7.1 Objectives
7.2 Cloud Security
7.2.1 How Cloud Security is Different from Traditional IT Security?
7.2.2 Cloud Computing Security Requirements
7.3 Security Issues in Cloud Service Delivery Models
7.4 Security Issues in Cloud Deployment Models
7.4.1 Security Issues in Public Cloud
7.4.2 Security Issues in Private Cloud
7.4.3 Security Issues in Hybrid Cloud
7.5 Ensuring Security in Cloud Against Various Types of Attacks
7.6 Identity and Access Management (IAM)
7.6.1 Benefits of IAM
7.6.2 Types of Digital Authentication
7.6.3 IAM and Cloud Security
7.6.4 Challenges in IAM
7.6.5 Right Use of IAM Security
7.7 Security as a Service (SECaaS)
7.7.1 Benefits of SECaaS
7.8 Multi-Cloud Computing
7.8.1 Benefits of Multi-Cloud
7.9 Summary
7.10 Solutions/Answers
7.11 Further Readings

7.0 INTRODUCTION

The rise of cloud computing as an ever-evolving technology brings with it a
number of opportunities and challenges. Cloud is now becoming the back end
for all forms of computing, including the ubiquitous Internet of Things.

In the earlier unit, we studied load balancing in cloud computing. In this
unit we will focus on another important aspect, namely cloud security.

Cloud security is a discipline of cyber security dedicated to securing cloud
computing systems. This includes keeping data private and safe across
online-based infrastructure, applications, and platforms. Securing these
systems involves the efforts of cloud providers and the clients that use them,
whether an individual, a small to medium business, or an enterprise.

Cloud providers host services on their servers through always-on internet
connections. Since their business relies on customer trust, cloud security
methods are used to keep client data private and safely stored. However, cloud
security also partially rests in the client’s hands. Understanding both
facets is pivotal to a healthy cloud security solution.

At its core, cloud security is composed of the following components:

• Data security
• Identity and access management (IAM)
• Governance (policies on threat prevention, detection, and mitigation)
• Data retention (DR) and business continuity (BC) planning
• Legal compliance

In this unit, you will study what cloud security is, how it is different from
traditional (legacy) IT security, cloud computing security requirements,
challenges in providing cloud security, threats, ensuring security, Identity and
Access Management and Security-as-a-Service.

7.1 OBJECTIVES

After going through this unit, you shall be able to:

• understand cloud security and how it is different from traditional IT
security;
• list and describe various cloud computing security requirements;
• describe the challenges in providing cloud security;
• discuss various types of threats with respect to types of cloud services
and cloud deployment models;
• discuss different techniques to ensure cloud security against various
types of threats;
• elucidate the importance of identity and access management; and
• explain Security-as-a-Service.

7.2 CLOUD SECURITY

Cloud security is the whole bundle of technology, protocols, and best practices
that protect cloud computing environments, applications running in the cloud,
and data held in the cloud. Securing cloud services begins with understanding
what exactly is being secured, as well as the system aspects that must be
managed.

As an overview, backend development against security vulnerabilities is
largely within the hands of cloud service providers. Aside from choosing a
security-conscious provider, clients must focus mostly on proper service
configuration and safe use habits. Additionally, clients should be sure that any
end-user hardware and networks are properly secured.

The full scope of cloud security is designed to protect the following, regardless
of your responsibilities:

• Physical networks — routers, electrical power, cabling, climate
controls, etc.
• Data storage — hard drives, etc.
• Data servers — core network computing hardware and software
• Computer virtualization frameworks — virtual machine software,
host machines, and guest machines
• Operating systems (OS) — software that houses
• Middleware — application programming interface (API) management,
• Runtime environments — execution and upkeep of a running program
• Data — all the information stored, modified, and accessed
• Applications — traditional software services (email, tax software,
productivity suites, etc.)
• End-user hardware — computers, mobile devices, Internet of Things
(IoT) devices, etc.

Cloud security may appear like traditional (legacy) IT security, but this
framework actually demands a different approach. Before diving deeper, let’s
first look at how it differs from legacy IT security in the next section.

7.2.1 How Cloud Security is Different from Traditional IT Security?

Traditional IT security has undergone an immense evolution due to the shift to
cloud-based computing. While cloud models allow for more convenience, always-on
connectivity requires new considerations to keep them secure. Cloud security,
as a modernized cyber security solution, stands out from legacy IT models in a
few ways.

Data storage: The biggest distinction is that older models of IT relied heavily
upon onsite data storage. Organizations have long found that building all IT
frameworks in-house for detailed, custom security controls is costly and rigid.
Cloud-based frameworks have helped offload costs of system development and
upkeep, but also remove some control from users.

Scaling speed: On a similar note, cloud security demands unique attention
when scaling organization IT systems. Cloud-centric infrastructure and apps
are very modular and quick to mobilize. While this ability keeps systems
uniformly adjusted to organizational changes, it does pose concerns when an
organization’s need for upgrades and convenience outpaces its ability to
keep up with security.

End-user system interfacing: For organizations and individual users alike,
cloud systems also interface with many other systems and services that must be
secured. Access permissions must be maintained from the end-user device
level to the software level and even the network level. Beyond this, providers
and users must be attentive to vulnerabilities they might cause through unsafe
setup and system access behaviors.

Proximity to other networked data and systems: Since cloud systems are a
persistent connection between cloud providers and all their users, this
substantial network can compromise even the provider themselves. In
networking landscapes, a single weak device or component can be exploited to
infect the rest. Cloud providers expose themselves to threats from many
end-users that they interact with, whether they are providing data storage or
other services. Additional network security responsibilities fall upon the
providers who would otherwise have delivered products that live purely on
end-user systems instead of their own.

Solving most cloud security issues means that users and cloud providers, in
both personal and business environments, remain proactive about their own
roles in cyber security. This two-pronged approach means users and providers
must mutually address:

• Secure system configuration and maintenance.
• User safety education, both behaviorally and technically.

Ultimately, cloud providers and users must have transparency and
accountability to ensure both parties stay safe.

7.2.2 Cloud Computing Security Requirements

There are four main cloud computing security requirements that help to ensure
the privacy and security of cloud services: confidentiality, integrity,
availability, and accountability.

Confidentiality

Confidentiality requires blocking unauthorized exposure of cloud computing
service users’ information. Cloud providers charge users to guarantee
confidentiality; the focus is on authentication of cloud resources (e.g.,
requiring a username and password for each user). Moreover, access control is
an important part of confidentiality in cloud computing. Neither access control
nor authentication works with a compromised cloud computing system, as it is
much harder to block unauthorized information disclosure on such a system.
Many approaches to protecting users’ sensitive cloud data are based on
encryption and data segmentation. If a provider’s server is compromised, data
segmentation reduces the amount of sensitive data that is disclosed. Data
segmentation also has other advantages; for instance, if the entire server is
compromised, only a small amount of user data is leaked, and downtime is
reduced. A covert channel is another potential confidentiality issue in a cloud
computing system; covert channels can cause information leaks through
unauthorized transmission paths.

Cloud computing providers use service-level agreements (SLAs) to
resolve security issues for customers. Thus, providers of cloud services should
join together to create standards for SLAs. Virtualization is the main aspect of
the cloud computing system; therefore many researchers have proposed techniques
for using virtualized systems to implement security goals.

Confidentiality is a part of cloud service that the provider must guarantee,
along with control of the cloud infrastructure. The provider should guarantee
confidential access to the data by ensuring trusted data sharing or through the
use of authorized data access. Therefore, as the cloud computing (CC) system
grows, there are huge barriers between the privacy of the user and the security
of the data.


Integrity

One goal of using cloud computing systems is to utilize a variety of resources.
That is why cloud computing supports all data and why many users stick to the
same clouds. Users also desire the ability to change or update existing data or
to add new data to the cloud. Therefore, data access should be controlled to
ensure data integrity. As with confidentiality, integrity requires access control
and authentication. Thus, if the cloud system is compromised by a weak
password, the cloud data’s integrity will not be protected. To overcome this
huge challenge, providers use virtualization-based dynamic integrity to help
clients use cloud services without interrupting the providers’ work with other
clients. Such a method is useful for ensuring integrity and security with
satisfactory performance and cost. Another method, value-at-risk, helps to
ensure suitable security and integrity. The cloud-based governance design
principles guarantee integrity and security by controlling the path between the
provider and the enterprise client. Another method provides a test of
information integrity based on a Service Level Agreement (SLA) between the
provider and the client. The consumer can use this SLA to verify the accuracy
of the cloud information. In a blind execution of services, the client transfers
each type of information through the cloud computing system using a separate
process. In the trusted computing method, blind processing is used to ensure
the integrity of the client’s data. This method separates the execution
environment from the system, so that the system’s hardware and computing
base can be secured and the credentials’ accuracy can be verified.

Availability

Availability is the ability for the consumer to utilize the system as expected.
One of the significant advantages of cloud computing is its data availability.
Cloud computing enhances availability through authorized entry. In addition,
availability requires timely support and robust equipment. A client’s
availability may be ensured as one of the terms of a contract; to guarantee
availability, a provider may secure huge capacity and excellent architecture.
Because availability is a main part of the cloud computing system, increased
use of the environment will increase the possibility of a lack of availability and
thus could reduce the cloud computing system’s performance. Cloud
computing affords clients two ways of paying for cloud services: on-demand
resources and (the cheaper option) resource reservation. The optimal virtual-
machine (VM) placement mechanism helps to reduce the cost of both payment
methods. By reducing the cost of running VMs for many cloud providers, it
supports expected changes in demand and price. This method involves the
client making a declaration to pay for certain resources owned by the cloud
computing providers using the Session Initiation Protocol (SIP) optimal
solution.

Accountability

Accountability involves verifying the clients’ various activities in the data
clouds. Accountability is achieved by verifying the information that each client
supplies (and that is logged in various places in information clouds). Directly
connecting all activities to a client’s account is not always satisfactory. Neither
the client nor the provider takes all the responsibility for a system breakdown.
Thus, both the client and the provider must maintain accountability in case
disputes occur. Thus, one of them will need to log any incidents for future
auditing, clearly identify each incident, and provide the necessary equipment
for logging such transactions. As an example, when a client’s account is
compromised in an attack, the client can no longer perform certain activities.
Thus, the cloud service providers need to have saved sufficient information to
restore the compromised account and identify the exceptional behavior.
Tracing even the smallest actions that happen in the clouds could ensure
accountability; such tracking will identify the client or entity that is responsible
for any given disaster. Evidence should be logged for each activity once it
starts processing. The transaction log can then be used during the examination
to determine the aptness of the evaluation. Accountability is a challenge in a
cloud system because misconfigured devices can produce unreliable
calculation results. In addition, when clients rent insufficient resources for their
tasks, this could reduce the performance of the provided services. A virus can
also destroy clients’ data, and a provider can fail to deliver data on time or
even lose data.

7.2.3 Challenges in Cloud Security

Following are some of the key security challenges in cloud computing:

Authentication: Data stored by cloud users is available throughout the
internet to all unauthorized people. Hence, the certified user and the
assisting cloud must have an interchangeability administration entity.

Access Control: To check and admit only legitimate users, the cloud must have
the right access control policies. Such services must be adjustable and well
planned, and their allocation must be conveniently overseen. Access control
provisioning must be integrated on the basis of the Service Level Agreement (SLA).

Policy Integration: There are many cloud providers, such as Amazon and Google,
which are accessed by end users. Because they use their own policies and
approaches, conflicts between their policies should be kept to a minimum.

Service Management: Here, different cloud providers, such as Amazon and
Google, come together to build new composed services to meet their
customers’ needs. At this stage there should be a procure divider to get the
easiest localized services.

Trust Management: A trust management approach must be developed, as the
cloud environment is service-provider based, and it should include a trust
negotiation factor between both parties, the user and the provider. For example,
to release its services the provider must have some trust in the user, and users
must have the same trust in the provider.

In the following sections let us discuss major threats and issues in cloud
computing with respect to the cloud service delivery models and cloud
deployment models.

Check Your Progress 1

1) Why is security important in Cloud?
2) How does cloud security work?
3) Mention various cloud security risks and discuss briefly.

7.3 SECURITY ISSUES IN CLOUD SERVICE DELIVERY MODELS

The main concern in cloud environments is to provide security around
multi-tenancy and isolation, giving customers more comfort than the “trust us”
idea of clouds. Survey works have been reported which classify security
threats in cloud based on the nature of the service delivery models (SaaS,
PaaS, IaaS) of a cloud computing system. However, security requires a holistic
approach. The service delivery model is one of many aspects that need to be
considered for a comprehensive survey on cloud security. Security at different
levels, such as network level, host level and application level, is necessary to
keep the cloud up and running continuously. In accordance with these different
levels, various types of security breaches may occur, which have been
classified in this section.

• Data Threats including data breaches and data loss
• Network Threats including account or service hijacking, and
denial of service, and
• Cloud Environment Specific Threats including insecure
interfaces and APIs, malicious insiders, abuse of cloud services,
insufficient due diligence, and shared technology vulnerabilities

7.3.1 Data Threats

Data is considered to be one of the most valuable resources of any
organization and the number of customers shifting their data to cloud is
increasing every day. The data life cycle in cloud comprises data creation,
transit, execution, storage and destruction. Data may be created in a client or
server in cloud, transferred in cloud through the network and stored in cloud
storage. When required, data is shifted to an execution environment where it can
be processed. Data can be deleted by its owner to complete its destruction. The
biggest challenge in achieving cloud computing security is to keep data secure.
The major issues that arise with the transfer of data to cloud are that the
customers don’t have visibility of their data and neither do they know its
location. They need to depend on the service provider to ensure that the
platform is secure, and that it implements the necessary security properties to
keep their data safe. The data security properties that must be maintained in
cloud are confidentiality, integrity, authorization, availability and privacy.
However, many data issues arise due to improper handling of data by the cloud
provider. The major data security threats include data breaches, data loss,
unauthorized access, and integrity violations. All of these issues occur
frequently on cloud data.

7.3.1.1 Data Breaches

Data breach is defined as the leakage of sensitive customer or organization
data to an unauthorized user. A data breach from an organization can have a huge
impact on its business regarding finance, trust and loss of customers. This may
happen accidentally due to flaws in infrastructure, application design,
operational issues, or insufficiency of authentication, authorization, and audit
controls. Moreover, it can also occur due to other reasons such as attacks
by malicious users who have a virtual machine (VM) on the same physical
system as the one they want to access in an unauthorized way. In the recent
past, Apple’s iCloud users faced a data leakage attack in which an attempt
was made to gain access to their private data. Such attacks have also been made
on the clouds of other companies such as Microsoft, Yahoo and Google. An example
of a data breach is the cross-VM side channel attack that extracts cryptographic
keys of other VMs on the same system and can access their data.

7.3.1.2 Data Loss

Data loss is the second most important issue related to cloud security. Like
data breach, data loss is a sensitive matter for any organization and can have a
devastating effect on its business. Data loss mostly occurs due to malicious
attackers, data deletion, data corruption, loss of data encryption key, faults in
storage system, or natural disasters. In 2013, 44% of cloud service providers
faced brute force attacks that resulted in data loss and data leakage.
Similarly, malware attacks have also been targeted at cloud applications,
resulting in data destruction.

7.3.1.3 SQL Injection Attacks

SQL injection attacks are those in which malicious code is inserted into
standard SQL code. The attackers thus gain unauthorized access to a database
and are able to access sensitive information. Sometimes the hacker’s input data
is misunderstood by the website as user data and is allowed to be accessed
by the SQL server; this lets the attacker learn how the website functions
and make changes to it. Various techniques, such as avoiding the use of
dynamically generated SQL in the code and using filtering techniques to
sanitize the user input, are used to check SQL injection attacks. Some
researchers have proposed a proxy-based architecture for preventing SQL
injection attacks which dynamically detects and extracts users’ inputs for
suspected SQL control sequences.
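The two techniques named above, avoiding dynamically generated SQL and filtering user input, are shown side by side in the following added example (not part of the original unit). The table, the function names and the sample input are constructed for illustration.

```python
import re
import sqlite3

# Allow-list filter for the input: letters, digits and underscore only.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def make_db():
    """In-memory database holding constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, note TEXT)")
    conn.executemany(
        "INSERT INTO users (name, note) VALUES (?, ?)",
        [("alice", "alice-private-note"), ("bob", "bob-private-note")],
    )
    return conn


def lookup_dynamic(conn, name):
    """Dynamically generated SQL: the input is pasted into the statement text,
    so quote characters inside it change the structure of the query."""
    query = "SELECT name, note FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, name):
    """Parameterized query: the statement text is fixed and the input is bound
    as a value, so it is only ever compared against the name column."""
    return conn.execute(
        "SELECT name, note FROM users WHERE name = ?", (name,)
    ).fetchall()


def lookup_filtered(conn, name):
    """Input filtering placed in front of the parameterized query."""
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("rejected input: not a valid user name")
    return lookup_parameterized(conn, name)


# Constructed input that contains SQL control characters.
CRAFTED = "nobody' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    # The dynamic query returns every row; the parameterized one returns none.
    print("dynamic      :", lookup_dynamic(db, CRAFTED))
    print("parameterized:", lookup_parameterized(db, CRAFTED))
    print("legitimate   :", lookup_filtered(db, "alice"))
```

The filter alone is not the control to rely on: the parameterized statement is what keeps input from being parsed as SQL, and the filter only rejects obviously malformed names early.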
7.3.1.4 Cross Site Scripting (XSS) Attacks

Cross Site Scripting (XSS) attacks, which inject malicious scripts into Web
content, have become quite popular since the inception of Web 2.0. There are
two methods for injecting the malicious code into the web page displayed to
the user, namely Stored XSS and Reflected XSS. In a Stored XSS, the
malicious code is permanently stored in a resource managed by the web
application and the actual attack is carried out when the victim requests a
dynamic page that is constructed from the contents of this resource. However,
in the case of a Reflected XSS, the attack script is not permanently stored; in
fact it is immediately reflected back to the user.
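The difference between the two paths, and the output encoding that closes both, can be seen in this added example (not part of the original unit). The `Guestbook` class, the page functions and the sample input are constructed for illustration; a real application would normally rely on an auto-escaping template engine.

```python
import html

# Constructed sample input containing markup.
SAMPLE = "<script>alert(1)</script>"


class Guestbook:
    """Stands in for the resource managed by the web application."""

    def __init__(self):
        self.entries = []

    def post(self, text):
        # Stored path, step 1: the input is saved during one request ...
        self.entries.append(text)

    def page_raw(self):
        # ... step 2: and written unchanged into a page built for a later
        # visitor, whose browser would parse it as markup.
        return "<ul>" + "".join(f"<li>{e}</li>" for e in self.entries) + "</ul>"

    def page(self):
        # Hardened form: encode each entry at the point of output.
        items = "".join(f"<li>{html.escape(e)}</li>" for e in self.entries)
        return "<ul>" + items + "</ul>"


def search_page_raw(query):
    # Reflected path: nothing is stored, the request parameter is echoed
    # straight back in the response to the same request.
    return f"<p>No results for {query}</p>"


def search_page(query):
    # Hardened form: the echoed value is encoded before it reaches the page.
    return f"<p>No results for {html.escape(query)}</p>"


if __name__ == "__main__":
    book = Guestbook()
    book.post(SAMPLE)
    print("stored, raw     :", book.page_raw())
    print("stored, encoded :", book.page())
    print("reflected, raw     :", search_page_raw(SAMPLE))
    print("reflected, encoded :", search_page(SAMPLE))
```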

7.3.2 Network Threats

The network plays an important part in deciding how efficiently the cloud
services operate and communicate with users. In developing most cloud solutions,
network security is not considered an important factor by some
organizations. Not having enough network security creates attack vectors for
malicious users and outsiders, resulting in different network threats. The most
critical network threats in cloud are account or service hijacking, and denial of
service attacks.

7.3.2.1 Denial of Service (DoS)

Denial of Service (DoS) attacks are done to prevent legitimate users from
accessing cloud network, storage, data, and other services. DoS attacks have
been on the rise in cloud computing in the past few years and 81% of customers
consider it a significant threat in cloud. They are usually done by
compromising a service that can be used to consume most cloud resources such as
computation power, memory, and network bandwidth. This causes a delay in cloud
operations, and sometimes the cloud is unable to respond to other users and
services. A Distributed Denial of Service (DDoS) attack is a form of DoS
attack in which multiple network sources are used by the attacker to send a
large number of requests to the cloud for consuming its resources. It can be
launched by exploiting the vulnerabilities in web servers, databases, and
applications, resulting in unavailability of resources.

7.3.2.2 Account or Service Hijacking

Account hijacking involves the stealing of user credentials to get access to
the user’s account, data or other computing services. These stolen credentials
can be used to access and compromise cloud services. Network attacks including
phishing, fraud, Cross Site Scripting (XSS), botnets, and software
vulnerabilities such as buffer overflow result in account or service hijacking.
This can lead to the compromise of user privacy as the attacker can eavesdrop
on all the user’s operations, modify data, and redirect network traffic.

7.3.2.3 Man in the Middle Attack (MITM)

In such an attack, an entity tries to intrude in an ongoing conversation between
a sender and a client to inject false information and to gain knowledge of the
important data transferred between them. Various tools implementing strong
encryption technologies like: Dsniff, Cain, Ettercap, Wsniff, Airjack etc. have
been developed in order to provide a safeguard against them.

Another cause may be improper configuration of Secure Socket Layer
(SSL). For example, if SSL is improperly configured, then the middle party
could hack data. The preventive measure for this attack is that, before
communication with other parties, SSL should be properly configured.

7.3.2.4 Network Sniffing

It is an important issue in which plain text is hacked over the network. An
attacker could sniff passwords that were improperly encrypted during
communication. If encryption techniques for data security are not used, then an
attacker could enter as a third party and seize the data. Encryption methods are
deployed for securing the data.

7.3.2.5 Port Scanning

It is an important issue in which an attack might happen because port 80 (HTTP)
is always open for provisioning web services. Other ports, like 21 (FTP),
etc., are opened when needed. A firewall is a countermeasure to protect
the data from disruption through ports.

7.3.2.6 Compromised Credentials and Broken Authentication

Authentication management is always a challenge for organizations to tackle
and solve in order to close loopholes and prevent attackers from accessing
permissions.

Brute Force Attacks: The attacker attempts to crack the password by guessing
all potential passwords.

Shoulder Surfing: This threat is espionage, which means the attacker is
watching and spying on the user’s motions in an attempt to learn the passwords.

Replay Attacks: Also known as reflection attacks, replay attacks are a type of
attack that targets a user’s authentication process.

Key loggers: This is a program that records every key pressed by the user and
tracks their behavior.

7.3.2.7 Border Gateway Protocol (BGP) Prefix Hijacking

Prefix hijacking is a type of network attack in which a wrong announcement
related to the IP addresses associated with an Autonomous System (AS) is
made. Hence, malicious parties get access to the untraceable IP addresses. On
the internet, IP space is allocated in blocks and remains under the control of
ASs. An autonomous system can broadcast information about an IP contained in
its regime to all its neighbours. These ASs communicate using the Border
Gateway Protocol (BGP) model. Sometimes, due to some error, a faulty AS
may broadcast wrongly about the IPs associated with it. In such a case, the
actual traffic gets routed to some IP other than the intended one. Hence, data
is leaked or reaches some other unintended destination.
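A monitoring check for the wrong announcements described above, as an added example that is not part of the original unit: each announced prefix is compared with a table of the AS expected to originate it. The table, the announcements and the function names are constructed for illustration, using documentation prefixes (RFC 5737) and documentation AS numbers (RFC 5398).

```python
import ipaddress

# Constructed table: which AS is expected to originate each prefix.
EXPECTED_ORIGIN = {
    "203.0.113.0/24": 64500,
    "198.51.100.0/24": 64501,
}

# Constructed announcements as (prefix, origin AS) pairs.
ANNOUNCEMENTS = [
    ("203.0.113.0/24", 64500),    # expected origin
    ("198.51.100.0/24", 64510),   # same prefix, different origin
    ("203.0.113.128/25", 64511),  # part of a known block, different origin
    ("192.0.2.0/24", 64502),      # not covered by the table
]


def classify(prefix, origin_as, expected=EXPECTED_ORIGIN):
    """Compare one announcement with the expected-origin table.

    Returns "valid", "origin-mismatch" (exact prefix, wrong AS),
    "sub-prefix-mismatch" (a slice of a known block, wrong AS) or
    "unknown" (no table entry covers the prefix).
    """
    net = ipaddress.ip_network(prefix)
    for known_prefix, known_as in expected.items():
        known = ipaddress.ip_network(known_prefix)
        # subnet_of() is only defined between networks of the same IP version.
        if net.version != known.version or not net.subnet_of(known):
            continue
        if origin_as == known_as:
            return "valid"
        return "origin-mismatch" if net == known else "sub-prefix-mismatch"
    return "unknown"


def flag_suspicious(announcements, expected=EXPECTED_ORIGIN):
    """Return the announcements whose origin AS contradicts the table."""
    flagged = []
    for prefix, origin_as in announcements:
        verdict = classify(prefix, origin_as, expected)
        if verdict.endswith("mismatch"):
            flagged.append((prefix, origin_as, verdict))
    return flagged


if __name__ == "__main__":
    for prefix, origin_as, verdict in flag_suspicious(ANNOUNCEMENTS):
        print(f"ALERT {prefix} announced by AS{origin_as}: {verdict}")
```

The same check flags an honest misconfiguration and a deliberate hijack alike, which matches the unit's point that a faulty AS can cause the problem by error.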

7.3.2.8 Distributed Denial of Service Attacks (DDoS)

DDoS may be called an advanced version of DoS in terms of denying the
important services running on a server by flooding the destination server with
large numbers of packets such that the target server is not able to handle it. In
DDoS, unlike the DoS attack, the attack is relayed from different dynamic
networks which have already been compromised. The attackers have the
power to control the flow of information by allowing some information to be
available at certain times. Thus the amount and type of information available
for public usage is clearly under the control of the attacker [87]. The DDoS
attack is run by three functional units: a Master, a Slave and a Victim.
The Master, being the attack launcher, is behind all these attacks causing DDoS;
the Slave is the network which acts like a launch pad for the Master. It provides
the platform to the Master to launch the attack on the Victim. Hence it is also
called a co-ordinated attack. Basically a DDoS attack is operational in two
stages: the first one being the intrusion phase, where the Master tries to
compromise less important machines to support in flooding the more important
one. The next one is installing DDoS tools and attacking the victim server or
machine. Hence, a DDoS attack results in making the service unavailable to
the authorized user, similar to the way it is done in a DoS attack but different in
the way it is launched. A similar case of a Distributed Denial of Service attack
was experienced with the CNN news channel website, leaving most of its users
unable to access the site for a period of three hours. In general, the approaches
used to fight the DDoS attack involve extensive modification of the underlying
network. These modifications often become costly for the users. Swarm-based
logic for guarding against the DDoS attack has been provided. This logic provides
a transparent transport layer, through which common protocols such as
HTTP, SMTP, etc. can pass easily. The use of IDS in the virtual machine is
proposed to protect the cloud from DDoS attacks. A SNORT-like intrusion
detection mechanism is loaded onto the virtual machine for sniffing all traffic,
either incoming or outgoing. Another method commonly used to guard against
DDoS is to have intrusion detection systems on all the physical machines
which contain the user’s virtual machines.

7.3.3 Cloud Environment Specific Threats

Cloud service providers are largely responsible for controlling the cloud
environment. Some threats are specific to cloud computing such as cloud
service provider issues, providing insecure interfaces and APIs to users,
malicious cloud users, shared technology vulnerabilities, misuse of cloud
services, and insufficient due diligence by companies before moving to cloud.

7.3.3.1 Insecure Interfaces and APIs

An Application Programming Interface (API) is a set of protocols and standards
that define the communication between software applications through the Internet.
Cloud APIs are used at all the infrastructure, platform and software service
levels to communicate with other services. Infrastructure as a Service (IaaS)
APIs are used to access and manage infrastructure resources including network
and VMs, Platform as a Service (PaaS) APIs provide access to the cloud
services such as storage, and Software as a Service (SaaS) APIs connect
software applications with the cloud infrastructure. The security of various
cloud services depends on the security of the APIs. A weak set of APIs and
interfaces can result in many security issues in cloud. Cloud providers generally
offer their APIs to third parties to give services to customers. However, weak
APIs can lead to the third party having access to security keys and critical
information in cloud. With the security keys, the encrypted customer data in
cloud can be read, resulting in loss of data integrity, confidentiality and
availability. Moreover, authentication and access control principles can also be
violated through insecure APIs.

7.3.3.2 Malicious Insiders

A malicious insider is someone who is an employee in the cloud organization,
or a business partner with access to the cloud network, applications, services, or
data, and who misuses that access to do unprivileged activities. Cloud
administrators are responsible for managing, governing, and maintaining the
complete environment. They have access to most data and resources, and might end
up using their access to leak that data. Other categories of malicious insiders
involve hobbyist hackers, who are administrators that want to get unauthorized
sensitive information just for fun, and corporate espionage, which involves
stealing secret business information for corporate purposes and might be
sponsored by national governments.

7.3.3.3 Abuse of Cloud Services

The term abuse of cloud services refers to the misuse of cloud services by the
consumers. It is mostly used to describe the actions of cloud users that are
illegal, unethical, or violate their contract with the service provider. In 2010,
abuse of cloud services was considered to be the most critical cloud threat
and different measures were taken to prevent it. However, 84% of cloud users
still consider it a relevant threat. Research has shown that some cloud
providers are unable to detect attacks launched from their networks, due to
which they are unable to generate alerts or block any attacks. The abuse of
cloud services is a more serious threat to the service provider than to service
users. For instance, the use of cloud network addresses for spam by malicious
users has resulted in the blacklisting of all network addresses; the service
provider must therefore take all possible measures to prevent these threats.
Over the years, different attacks have been launched through the cloud by
malicious users. For example, Amazon’s EC2 services were used as command and
control servers to launch the Zeus botnet in 2009. Famous cloud services such as
Twitter, Google and Facebook have also been used as command and control servers
for launching Trojans and botnets. Other attacks that have been launched using
the cloud are brute-force attacks for cracking passwords and encryption,
phishing, DoS attacks against a web service at a specific host, Cross Site
Scripting and SQL injection attacks.

7.3.3.4 Insufficient Due Diligence

The term due diligence refers to individuals or customers having complete
information for assessing the risks associated with a business prior to using
its services. Cloud computing offers exciting opportunities of unlimited
computing resources and fast access, due to which a number of businesses shift
to the cloud without assessing the risks associated with it. Due to the complex
architecture of the cloud, some of an organization's security policies cannot be
applied in the cloud. Moreover, cloud customers have no idea about the internal
security procedures, auditing, logging, data storage and data access, which
results in unknown risk profiles in the cloud. In some cases, the developers and
designers of applications may be unaware of the effects of deploying them on the
cloud, which can result in operational and architectural issues.

7.3.3.5 Shared Technology Vulnerabilities

Cloud computing offers the provisioning of services by sharing of
infrastructure, platform and software. However, different components such as
CPUs and GPUs may not meet cloud security requirements such as perfect
isolation. Moreover, some applications may be designed without using trusted
computing practices, due to which threats of shared technology arise that can be
exploited in multiple ways. In recent years, shared technology vulnerabilities
have been used by attackers to launch attacks on the cloud. One such attack is
gaining access to the hypervisor to run malicious code and get unauthorized
access to the cloud resources, VMs, and customers' data. The Xen platform is an
open source solution used to offer cloud services.

Earlier Xen hypervisor code contained a local privilege escalation
vulnerability (in which a user can gain the rights of another user) that could
be used to launch a guest-to-host VM escape attack. Later, Xen updated the code
base of its hypervisor to fix that vulnerability. Other companies such as
Microsoft, Oracle and SUSE Linux, whose products are based on Xen, also released
updates of their software to fix the local privilege escalation vulnerability.
Similarly, a report released in 2009 showed VMware being used to run code from
guests on hosts, demonstrating possible ways to launch attacks.

7.3.3.6 Inadequate Change Control and Misconfiguration

If an asset is set up incorrectly, it may suffer from misconfiguration, leaving
it exposed to attacks. Misconfiguration has now become a major source of data
leaks and unwarranted resource modification. The lack of adequate change
control may be a prevalent cause of misconfiguration. Depending on the nature
of the misconfiguration and how soon it is recognized and remedied, a
misconfigured item might have a significant business impact. Storage objects
left unsecured, unmodified default passwords and default settings, and
the removal of basic security safeguards are all examples of misconfiguration.

7.3.3.7 Limited Cloud Usage Visibility

Limited cloud usage visibility occurs when an organization is unable to
determine whether a service running on its platform is secure or harmful.
Unsanctioned app use and sanctioned app misuse are the two most common
categories. The former occurs when users use apps and services without
permission. The latter occurs when authorized users misuse a sanctioned
application. This could result in unauthorized data access and the entry of
malware into the system.

7.3.3.8 Loss of Operational and Security Logs

The lack of operational logs makes evaluating operational variables difficult.
When data is unavailable for analysis, the options for resolving difficulties are
limited. The loss of security logs poses a threat to the security management
program’s application management

7.3.3.9 Failure of Isolation

There is a lack of strong isolation or compartmentalization of routing,
reputation, storage, and memory among tenants. Because of the lack of
isolation, attackers attempt to take control of the operations of other cloud
users to obtain unauthorized access to the data.

7.3.3.10 Risks of Noncompliance

Organizations seeking compliance with standards and legislation may be at
risk if the Cloud Service Provider cannot ensure adherence to the
requirements, outsources cloud administration to third parties, and/or refuses to
allow client audits. This danger arises from a lack of oversight over audits and
industry standard evaluation. As a result, cloud platform users are unaware of
provider protocols and practices in the areas of identity management, access,
and separation of roles.

7.3.3.11 Attacks against Cryptography

Cloud services are vulnerable to cryptanalysis due to insecure or outdated
encryption. If criminal users take control of the cloud, data stored there may be
encoded to prevent it from being read. Although fundamental errors in the
design of cryptographic algorithms may cause otherwise suitable encryption
algorithms to become weak, there are also unique ways to break cryptography.
By evaluating accessible places and tracking clients’ query access habits,
partial information can be extracted from encrypted data.

7.3.3.12 Attacks through a Backdoor Channel

Through this approach, attackers can gain access to remote system applications
on the victim’s resource systems. It is a passive attack of sorts. Zombies are
sometimes used by attackers to carry out DDoS attacks. Backdoor channels,
however, are frequently used by attackers to get control of the victim’s
resources. This has the potential to compromise data security and privacy.

7.4 SECURITY ISSUES IN CLOUD DEPLOYMENT MODELS

Each of the three ways (Public, Private, Hybrid) in which cloud services can
be deployed has its own advantages and limitations. From the security
perspective, all three have certain problem areas that need to be addressed
with a specific strategy.

7.4.1 Security Issues in a Public Cloud

In a public cloud, there exist many customers on a shared platform, and
infrastructure security is provided by the service provider. A few of the key
security issues in a public cloud include:

• The three basic requirements of security (confidentiality, integrity and
availability) are required to protect data throughout its lifecycle. Data
must be protected during the various stages of creation, sharing,
archiving, processing etc. However, the situation becomes more
complicated in the case of a public cloud, where we do not have any control
over the service provider’s security practices.
• In a public cloud, the same infrastructure is shared between
multiple tenants and the chances of data leakage between these tenants
are very high. However, most of the service providers run a multitenant
infrastructure. Proper investigations at the time of choosing the service
provider must be done in order to avoid any such risk.
• In case a Cloud Service Provider uses a third-party vendor to provide its
cloud services, it should be ascertained what service level agreements they
have between them, as well as what the contingency plans are in case of
the breakdown of the third-party system.
• Proper SLAs should be in place defining the security requirements, such as
what level of encryption data should undergo when it is sent over the
internet, and what the penalties are in case the service provider fails to
do so.

Although data is stored outside the confines of the client organization in a
public cloud, we cannot deny the possibility of an insider attack originating
from the service provider’s end. Moving the data to a cloud computing
environment expands the circle of insiders to the service provider’s staff and
subcontractors. Policy enforcement implemented at the nodes and the data
centres can prevent a system administrator from carrying out any malicious
action. The three major steps to achieve this are: defining a policy, propagating
the policy by means of a secure policy propagation module, and enforcing it
through a policy enforcement module.

7.4.2 Security Issues in a Private Cloud

A private cloud model enables the customer to have total control over the
network and gives the customer the flexibility to implement any
traditional network perimeter security practice. Although the security
architecture is more reliable in a private cloud, there are issues/risks that
need to be considered:

• Virtualization techniques are quite popular in private clouds. In such a
scenario, risks to the hypervisor should be carefully analyzed. There
have been instances when a guest operating system has been able to run
processes on other guest VMs or the host. In a virtual environment it may
happen that virtual machines are able to communicate with all the VMs,
including the ones they are not supposed to. To ensure that they
only communicate with the ones they are supposed to, proper
authentication and encryption techniques such as IPsec [IP level
Security] etc. should be implemented.
• The host operating system should be free from any sort of malware
threat and monitored to avoid any such risk. In addition, guest virtual
machines should not be able to communicate with the host operating
system directly. There should be dedicated physical interfaces for
communicating with the host.
• In a private cloud, users are given the option to
manage portions of the cloud, and access to the infrastructure is
provided through a web interface or an HTTP end point. There are two
ways of implementing a web interface: either by writing a whole
application stack or by using a standard applicative stack to develop
the web interface using common languages such as Java, PHP, Python
etc. As part of a screening process, the Eucalyptus web interface has been
found to have a bug allowing any user to perform internal port
scanning or HTTP requests through the management node, which they
should not be allowed to do. In a nutshell, interfaces need to be
properly developed and standard web application security techniques
need to be deployed to protect the diverse HTTP requests being
performed.
• While we talk of standard internet security, we also need to have a
security policy in place to safeguard the system from attacks
originating within the organization. This vital point is missed on
most occasions, the stress being mostly upon internet security.
Proper security guidelines across the various departments should exist
and controls should be implemented as per the requirements.

Thus we see that although private clouds are considered safer in comparison to
public clouds, they still have multiple issues which, if unattended, may lead to
major security loopholes as discussed earlier.

7.4.3 Security Issues in a Hybrid Cloud

The hybrid cloud model is a combination of both public and private cloud and
hence the security issues discussed with respect to both are applicable in case
of hybrid cloud.

In the following section the security methods to avoid the exploitation of the
threats will be discussed.

7.5 ENSURING SECURITY IN CLOUD AGAINST VARIOUS TYPES OF ATTACKS

This section describes the implementation of various security techniques at
different levels to secure the cloud from the threats described above.

7.5.1 Protection from Data Breaches

Various security measures and techniques have been proposed to avoid
data breaches in the cloud. One of these is to encrypt data before storage on
the cloud and in the network. This requires an efficient key management
algorithm and protection of the key in the cloud. Some measures that must be
taken to avoid data breaches in the cloud are to implement proper isolation
among VMs to prevent information leakage, to implement proper access controls
to prevent unauthorized access, and to carry out a risk assessment of the cloud
environment to know where sensitive data is stored and how it is transmitted
between various services and networks.

Many researchers have worked on the protection of data in cloud storage.
CloudProof is a system that can be built on top of existing cloud storage like
Amazon S3 and Azure to ensure data integrity and confidentiality using
encryption. To secure data in cloud storage, attribute-based encryption can be
used to encrypt data with a specific access control policy before storage.
Therefore, only the users with access attributes and keys can access the data.
Another technique to protect data in the cloud involves using scalable and
fine-grained data access control. In this scheme, access policies are defined
based on the data attributes. Moreover, to overcome the computational overhead
caused by fine-grained access control, most computation tasks can be handed
over to an untrusted commodity cloud without disclosing data. This is achieved
by combining techniques of attribute-based encryption, proxy re-encryption, and
lazy re-encryption.

7.5.2 Protection from Data Loss

To prevent data loss in the cloud, different security measures can be adopted.
One of the most important measures is to maintain a backup of all data in the
cloud which can be accessed in case of data loss. However, the data backup must
also be protected to maintain the security properties of data such as integrity
and confidentiality. Various data loss prevention (DLP) mechanisms have been
proposed for the prevention of data loss in network, processing, and storage.
Many companies including Symantec, McAfee, and Cisco have also developed
solutions to implement data loss prevention across storage systems, networks
and end points. Trusted Computing can be used to provide data security. A
trusted server can monitor the functions performed on data by the cloud server
and provide a complete audit report to the data owner. In this way, the data
owner can be sure that the data access policies have not been violated.

In a nutshell, organizations should apply the following mitigation techniques to
protect against this type of threat:

• Provide data-storage and backup mechanisms.
• Use proper encryption techniques.
• Protect in-transit data.
• Generate strong keys and implement advanced storage and
management.
• Legally require suppliers to use reinforcement and maintenance
techniques.

7.5.3 Protection from Account or Service Hijacking

Account or service hijacking can be avoided by adopting different security
features on the cloud network. These include employing intrusion detection
systems (IDS) in the cloud to monitor network traffic and nodes for detecting
malicious activities. Intrusion detection and other network security systems
must be designed by considering cloud efficiency, compatibility and the
virtualization-based context. An IDS for cloud was designed by
combining system-level virtualization and virtual machine monitor
(responsible for managing VMs) techniques. In this architecture, the IDSs are
based on VMs and the sensor connectors on Snort, which is a well-known IDS.
VM status and their workload are monitored by the IDS, and they can be started,
stopped and recovered at any time by the management system of the IDS. Identity
and access management should also be implemented properly to avoid access to
credentials. To avoid account hijacking threats, multi-factor authentication for
remote access using at least two credentials can be used. A technique that uses
multi-level authentication at different levels through passwords was devised to
access the cloud services. First the user is authenticated by the cloud access
password, and at the next level the service access password of the user is
verified. Moreover, user access to cloud services and applications should be
approved by cloud management. The auditing of all the privileged activities of
the user, along with the information security events generated from them, should
also be done to avoid these threats.

In a nutshell, organizations should apply the following mitigation techniques to
protect against this type of threat:

• Appropriate understanding of security policies and SLAs.
• A strong multifactor authentication to provide an extra security check
for the identification of genuine customers and make the cloud
environment more secure and reliable.
• Strict and continuous monitoring to detect unauthorized activities.
• Prevention of credentials being shared among customers and services.

7.5.4 Protection from Denial of Service (DoS) Attacks

To avoid DoS attacks it is important to identify and implement all the basic
security requirements of the cloud network, applications, databases, and other
services. Applications should be tested after design to verify that they have
no loopholes that can be exploited by attackers. DDoS attacks can be
prevented by having extra network bandwidth, using IDS that verify network
requests before they reach the cloud server, and maintaining a backup of IP
pools for urgent cases. Industrial solutions to prevent DDoS attacks have also
been provided by different vendors. A technique named hop count filtering can
be used to filter spoofed IP packets, and helps in decreasing DoS attacks by
90%. Another technique for securing the cloud from DDoS involves using an
intrusion detection system in a virtual machine (VM). In this scheme, when an
intrusion detection system (IDS) detects an abnormal increase in inbound
traffic, the targeted applications are transferred to VMs hosted in another data
center.
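
The hop count filtering idea mentioned above can be illustrated as follows. This is an added example, not code from the unit: the list of common initial TTL values, the 30-hop plausibility limit, the class and function names, and the sample packets are all assumptions made for the illustration.

```python
"""Hop-count filtering of spoofed source addresses (added example, constructed data)."""

# Initial TTL values commonly set by operating systems (assumption of this example).
INITIAL_TTLS = (30, 32, 60, 64, 128, 255)
# Paths longer than this many hops are treated as implausible (assumption).
MAX_HOPS = 30


def candidate_hop_counts(observed_ttl):
    """Return every plausible hop count for a packet that arrives with this TTL.

    The sender's initial TTL is not carried in the packet, so it is inferred:
    each common initial value at or above the observed TTL gives one candidate.
    Close pairs such as 60/64 are ambiguous, hence a set rather than one number.
    """
    if not 1 <= observed_ttl <= 255:
        raise ValueError("TTL must be in 1..255")
    candidates = {
        initial - observed_ttl
        for initial in INITIAL_TTLS
        if 0 <= initial - observed_ttl <= MAX_HOPS
    }
    if not candidates:
        # Nothing within MAX_HOPS: fall back to the nearest initial TTL above.
        nearest = min(t for t in INITIAL_TTLS if t >= observed_ttl)
        candidates = {nearest - observed_ttl}
    return candidates


class HopCountFilter:
    """Maps source IP -> hop counts learned from traffic known to be genuine."""

    def __init__(self, tolerance=0):
        self.tolerance = tolerance  # hops of slack allowed for route changes
        self.table = {}

    def learn(self, src_ip, observed_ttl):
        """Record hop counts for a source verified some other way,
        for example after a completed TCP handshake."""
        self.table[src_ip] = candidate_hop_counts(observed_ttl)

    def classify(self, src_ip, observed_ttl):
        """Return 'pass', 'drop' or 'unknown' for one incoming packet."""
        known = self.table.get(src_ip)
        if known is None:
            return "unknown"  # no baseline yet: leave it to other controls
        seen = candidate_hop_counts(observed_ttl)
        for k in known:
            for s in seen:
                if abs(k - s) <= self.tolerance:
                    return "pass"
        return "drop"  # claimed source does not match its learned distance


def filter_packets(hcf, packets):
    """Classify (src_ip, ttl) pairs and return the number of each verdict."""
    counts = {"pass": 0, "drop": 0, "unknown": 0}
    for src_ip, ttl in packets:
        counts[hcf.classify(src_ip, ttl)] += 1
    return counts


# Constructed sample traffic (documentation address ranges, not real hosts).
BASELINE = [("198.51.100.7", 52), ("198.51.100.8", 117)]
INCOMING = [
    ("198.51.100.7", 52),   # same path as the baseline
    ("198.51.100.7", 110),  # claims the same source, different distance
    ("198.51.100.8", 117),
    ("203.0.113.9", 64),    # never seen before
]


def demo():
    hcf = HopCountFilter()
    for src_ip, ttl in BASELINE:
        hcf.learn(src_ip, ttl)
    return filter_packets(hcf, INCOMING)


if __name__ == "__main__":
    print(demo())
```

The table is only as good as the traffic it was learned from, so entries should come from sources verified by other means, and a small tolerance absorbs legitimate route changes.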

7.5.5 Protection from Insecure Interfaces and APIs

To protect the cloud from insecure API threats it is important for
developers to design these APIs by following the principles of trusted
computing. Cloud providers must also ensure that all the APIs
implemented in the cloud are designed securely, and check them before
deployment for possible flaws. Strong authentication mechanisms and access
controls must also be implemented to secure data and services from insecure
interfaces and APIs. The Open Web Application Security Project (OWASP)
provides standards and guidelines to develop secure applications that can help
in avoiding such application threats. Moreover, it is the responsibility of
customers to analyze the interfaces and APIs of the cloud provider before moving
their data to the cloud.

In a nutshell, organizations should apply the following mitigation techniques to
protect against insecure interface and API threats:

• Robust authentication and access control methods need to be adopted.
• The transmitted data needs to be encrypted.
• Analysis of the cloud provider interfaces and a proper security model
for these interfaces.
• Detailed understanding of the dependency chain related to APIs.

7.5.6 Protection from Malicious Insiders

Protection from these threats can be achieved by limiting hardware and
infrastructure access to authorized personnel only. The service provider
must implement strong access control and segregation of duties in the
management layer to restrict each administrator's access to only his authorized
data and software. Auditing of employees should also be implemented to check
for suspicious behavior. Moreover, the employee behavior requirements
should be made part of the legal contract, and action should be taken against
anyone involved in malicious activities. To protect data from malicious
insiders, encryption can also be implemented in storage and on public networks.

In a nutshell, organizations should apply the following mitigation techniques to
protect against this type of threat:

• Apply human resource management as part of a legal agreement.
• Institute a compliance reporting system to help determine the security
breach notification so that appropriate action may be taken against a
person who has committed a fraud.
• Non-disclosure of the employees’ privileges and how they are
monitored.
• Conduct a comprehensive supplier assessment.
• Adopt transparency in information security and
management practices.

7.5.7 Protection from Abuse of Cloud Services

The implementation of strict initial registration and validation processes can
help in identifying malicious consumers. The policies for the protection of
important assets of the organization must also be made part of the service level
agreement (SLA) between user and service provider. This will make the user
aware of the possible legal actions that can be taken against him in case he
violates the agreement. The Service Level Agreement definition language
(SLAng) provides features for SLA monitoring, enforcement and
validation. Moreover, network monitoring should be comprehensive enough to
detect malicious packets, and up-to-date security devices should be installed
in the network.

In a nutshell, organizations should apply the following mitigation techniques to
protect against this type of threat:

• Strong authorization and authentication mechanisms.
• Continuous examination of the network traffic.

7.5.8 Protection from Insufficient Due Diligence

It is important for organizations to fully understand the scope of risks
associated with the cloud before shifting their business and critical assets
such as data to it. The service providers must disclose the applicable logs and
infrastructure, such as firewalls, to consumers so that they can take measures
for securing their applications and data. Moreover, the provider must set up
requirements for implementing cloud applications and services using industry
standards. The cloud provider should also perform risk assessment using
qualitative and quantitative methods at regular intervals to check the storage,
flow, and processing of data.

7.5.9 Protection from Shared Technology Vulnerabilities

In cloud architecture, the hypervisor is responsible for mediating interactions
between virtual machines and the physical hardware. Therefore, the hypervisor
must be secured to ensure proper functioning of other virtualization components
and to implement isolation between virtual machines (VMs). Moreover, to avoid
shared technology threats in the cloud, a strategy must be developed and
implemented for all the service models, covering infrastructure, platform,
software, and user security. The baseline requirements for all cloud
components must be created and employed in the design of the cloud architecture.
The service provider should also monitor the vulnerabilities in the cloud
environment, and release patches to fix those vulnerabilities regularly.

In a nutshell, organizations should apply the following mitigation techniques to
protect against this type of threat:

• Apply good authentication and access control methods.
• Monitor the cloud environment for unauthorized activities.
• Use SLAs for patching and weakness remediation, vulnerability
scanning, and configuration reviews.

7.5.10 Protection from SQL Injection, XSS, Google Hacking and Forced Hacking

In order to secure the cloud against various security threats such as SQL
injection, Cross Site Scripting (XSS), DoS and DDoS attacks, Google Hacking, and
Forced Hacking, different cloud service providers adopt different techniques.
A few standard techniques to detect the above-mentioned attacks include:

• Avoiding the usage of dynamically generated SQL in the code
• Finding the meta-structures used in the code
• Validating all user entered parameters, and
• Disallowing and removal of unwanted data and characters, etc.
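
The first, third and fourth techniques in the list above can be seen side by side in the following added example, which is not part of the original unit. The table, the sample rows, the function names and the suspicious input string are constructed for the illustration; it uses Python's built-in `sqlite3` module.

```python
"""Dynamic SQL versus bound parameters and validation (added example, constructed data)."""
import re
import sqlite3

# Constructed sample rows for a hypothetical multi-tenant file index.
ROWS = [
    ("alice", "report.pdf", 120),
    ("alice", "notes.txt", 4),
    ("bob", "backup.tar", 900),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (owner TEXT, name TEXT, size_kb INTEGER)")
    conn.executemany("INSERT INTO files VALUES (?, ?, ?)", ROWS)
    return conn


def list_files_dynamic(conn, owner):
    """Pattern to avoid: the SQL text is generated from user input, so the
    input can change the structure of the statement."""
    sql = "SELECT name FROM files WHERE owner = '" + owner + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


OWNER_PATTERN = re.compile(r"[a-z][a-z0-9_]{0,31}")
# Identifiers cannot be bound as parameters, so they come from a fixed map.
SORT_COLUMNS = {"name": "name", "size": "size_kb"}


def validate_owner(owner):
    """Allow-list validation of a user-entered parameter."""
    if not isinstance(owner, str) or not OWNER_PATTERN.fullmatch(owner):
        raise ValueError("invalid owner name")
    return owner


def list_files_safe(conn, owner, sort_by="name"):
    """Fixed statement text; the value is bound, the column is allow-listed."""
    if sort_by not in SORT_COLUMNS:
        raise ValueError("invalid sort column")
    sql = f"SELECT name FROM files WHERE owner = ? ORDER BY {SORT_COLUMNS[sort_by]}"
    return [row[0] for row in conn.execute(sql, (validate_owner(owner),))]


def list_files_bound_only(conn, owner):
    """Binding alone already keeps the input as data, even without validation."""
    sql = "SELECT name FROM files WHERE owner = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (owner,))]


# Constructed input containing quote characters and SQL keywords.
SUSPICIOUS = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("dynamic:", list_files_dynamic(db, SUSPICIOUS))   # every tenant's files
    print("bound:  ", list_files_bound_only(db, SUSPICIOUS))  # no rows
```

With the dynamic statement the constructed input returns every tenant's rows; with a bound parameter it matches nothing, and validation rejects it before the database is reached.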

A generic security framework needs to be worked out for an optimized cost
performance ratio. The main criterion to be fulfilled by the generic security
framework is to interface with any type of cloud environment, and to be able to
handle and detect predefined as well as customized security policies. A similar
approach is being used by Symantec Message Labs Web Security cloud, which
blocks security threats originating from the internet and filters the data
before they reach the network. Web Security cloud’s security architecture rests
on two components:

Multi-layer Security: In order to ensure data security and block possible
malware, it consists of multilayer security and hence it has a strong security
platform.

URL filtering: It has been observed that attacks are launched through
various web pages and internet sites, and hence filtering of web pages
ensures that no such harmful or threat-carrying web pages are accessible. Also,
content from undesirable sites can be blocked.

With its adaptable technology, it provides security even in highly conflicting
environments and ensures protection against new and converging malware
threats. The security model of Amazon Web Services, one of the biggest cloud
service providers in the market, makes use of a multi-factor authentication
technique, ensuring enhanced control over AWS account settings and the
management of AWS services and resources for which the account is
subscribed. If the customer opts for Multi-Factor Authentication (MFA),
they have to provide a 6-digit code in addition to their username and password
before access is granted to the AWS account or services. This single-use code
can be received on a mobile device every time they try to log in to their AWS
account. Such a technique is called multi-factor authentication because two
factors are checked before access is granted.

A Google hacking database identifies various types of information such as
login passwords, pages containing logon portals, session usage information etc.
Various software solutions such as Web Vulnerability Scanner can be used to
detect the possibility of a Google hack. In order to prevent a Google hack,
users need to ensure that only information that does not affect them is
shared with Google. This would prevent sharing of any sensitive information
that may result in adverse conditions.

7.5.11 Protection from IP Spoofing

In the case of IP spoofing, an attacker impersonates authorized users, creating
the impression that the packets are coming from reliable sources. Thus the
attacker takes control over the client’s data or system by presenting
himself/herself as the trusted party. Spoofing attacks can be checked by using
encryption techniques and performing user authentication based on key exchange.
Techniques like IPSec help in mitigating the risks of spoofing. By enabling
encryption for sessions and performing filtering of incoming and outgoing
packets, spoofing attacks can be reduced.

7.6 IDENTITY AND ACCESS MANAGEMENT (IAM)

Identity and access management (IAM) is a framework of business processes,
policies and technologies that facilitates the management of electronic or
digital identities. With an IAM framework in place, information technology
(IT) managers can control user access to critical information within their
organizations. Systems used for IAM include single sign-on systems, two-factor
authentication, multifactor authentication and privileged access
management. These technologies also provide the ability to securely store
identity and profile data as well as data governance functions to ensure that
only data that is necessary and relevant is shared. IAM systems can be
deployed on premises, provided by a third-party vendor through a cloud-based
subscription model or deployed in a hybrid model.

On a fundamental level, Identity and Access Management encompasses the
following components:

• how individuals are identified in a system (understand the
difference between identity management and authentication)

• how roles are identified in a system and how they are assigned to
individuals

• adding, removing and updating individuals and their roles in a system

• assigning levels of access to individuals or groups of individuals, and

• protecting the sensitive data within the system and securing the system
itself.

7.6.1 Benefits of IAM

IAM technologies can be used to initiate, capture, record and manage user
identities and their related access permissions in an automated manner. An
organization gains the following IAM benefits:

• Access privileges are granted according to policy, and all individuals
and services are properly authenticated, authorized and audited.

• Companies that properly manage identities have greater control of user
access, which reduces the risk of internal and external data breaches.

• Automating IAM systems allows businesses to operate more efficiently
by decreasing the effort, time and money that would be required to
manually manage access to their networks.

• In terms of security, the use of an IAM framework can make it easier to
enforce policies around user authentication, validation and privileges,
and address issues regarding privilege creep.

• IAM systems help companies better comply with government
regulations by allowing them to show corporate information is not
being misused. Companies can also demonstrate that any data needed
for auditing can be made available on demand.

7.6.2 Types of Digital Authentication

With IAM, enterprises can implement a range of digital authentication
methods to prove digital identity and authorize access to corporate resources.

Unique passwords: The most common type of digital authentication is the
unique password. To make passwords more secure, some organizations require
longer or complex passwords that require a combination of letters, symbols
and numbers. Unless users can automatically gather their collection of
passwords behind a single sign-on entry point, they typically find remembering
unique passwords onerous.

Pre-Shared Key (PSK): PSK is another type of digital authentication where
the password is shared among users authorized to access the same resources
(think of a branch office Wi-Fi password). This type of authentication is less
secure than individual passwords. A concern with shared passwords like PSK
is that frequently changing them can be cumbersome.

Behavioral Authentication: When dealing with highly sensitive information
and systems, organizations can use behavioral authentication to get far more
granular and analyze keystroke dynamics or mouse-use characteristics. By
applying artificial intelligence, a trend in IAM systems, organizations can
quickly recognize if user or machine behavior falls outside of the norm and can
automatically lock down systems.

Biometrics: Modern IAM systems use biometrics for more precise
authentication. For instance, they collect a range of biometric characteristics,
including fingerprints, irises, faces, palms, gaits, voices and, in some cases,
DNA. Biometrics and behavior-based analytics have been found to be more
effective than passwords.

7.6.3 IAM and Cloud Security

In cloud computing, data is stored remotely and accessed over the Internet.
Because users can connect to the Internet from almost any location and any
device, most cloud services are device- and location-agnostic. Users no longer
need to be in the office or on a company-owned device to access the cloud.
And in fact, remote workforces are becoming more common.

As a result, identity becomes the most important point of controlling access,
not the network perimeter. One component of a strong security posture that
takes on a particularly critical role in the cloud is identity. The concept of
identity in the cloud can refer to many things, but in this unit we will focus
on two main entities: users and cloud resources.

The user's identity, not their device or location, determines what cloud data
they can access and whether they can have any access at all.

With cloud computing, sensitive files are stored in a remote cloud server.
Because employees of the company need to access the files, they do so by
logging in via browser or an app. IAM helps prevent identity-based attacks and
data breaches that come from privilege escalations (when an unauthorized user
has too much access). Thus, IAM systems are essential for cloud computing,
and for managing remote teams. It is a cloud service that controls the
permissions and access for users and cloud resources. IAM policies are sets of
permission policies that can be attached to either users or cloud resources to
authorize what they access and what they can do with it.

The concept “identity is the new perimeter” goes back to when AWS first
announced their IAM service in 2012. We are now witnessing a renewed focus on IAM
due to the rise of abstracted cloud services and the recent wave of high-profile
data breaches.

Services that don’t expose any underlying infrastructure rely heavily on IAM
for security. Managing a large number of privileged users with access to an
ever-expanding set of services is challenging. Managing separate IAM roles
and groups for these users and resources adds yet another layer of complexity.
Cloud providers like AWS and Google Cloud help customers solve these
problems with tools like the Google Cloud IAM recommender (currently in
beta) and the AWS IAM access advisor. These tools attempt to analyze the
services last accessed by users and resources, and help you find out which
permissions might be over-privileged. These tools indicate that cloud providers
recognize these access challenges, which is definitely a step in the right
direction. However, there are a few more challenges we need to consider.

7.6.4 Challenges in IAM

Following are some of the challenges in using identity and access
management:

• IAM and Single-Sign-On (SSO): Most businesses today use some
form of single sign-on (SSO), such as Okta, to manage the way users
interact with cloud services. This is an effective way of centralizing
access across a large number of users and services. While using SSO to
log into public cloud accounts is definitely the best practice, the
mapping between SSO users and IAM roles can become challenging, as
users can have multiple roles that span several cloud accounts.

• Effective Permissions: Considering that users and services have more
than one permission-set attached to them, understanding the effective
permissions of an entity becomes difficult.
o What can s/he access?
o Which actions can s/he perform on these services?
o If s/he accesses a virtual machine, does s/he inherit the IAM
permissions of that resource?
o Is s/he part of a group that grants additional permissions?
With layers upon layers of configurations and permission
profiles, questions like these become difficult to answer.

• Multi-cloud: According to RightScale, more than 84% of organizations
use a multi-cloud strategy. Each provider has its own policies, tools and
terminology. There is no common language that helps you understand
relationships and permissions across cloud providers.

7.6.5 Right Use of IAM Security

IAM is a crucial aspect of cloud security. Businesses must look at IAM as a part
of their overall security posture and add an integrated layer of security across
their application lifecycle.

Cloud providers deliver a great baseline for implementing a least-privileged
approach to permissions. As cloud adoption scales in your organization, the
challenges mentioned above and more will become apparent, and you might
need to look at multi-cloud solutions to solve them. Some important aspects
are as follows:

• Don’t use root accounts - Always create individual IAM users with
relevant permissions, and don’t give your root credentials to anyone.

• Adopt a role-per-group model - Assign policies to groups of users
based on the specific things those users need to do. Don’t “stack” IAM
roles by assigning roles to individual users and then adding them to
groups. This will make it hard for you to understand their effective
permissions.

• Grant least-privilege - Only grant the least amount of permissions
needed for a job, just like we discussed with the Lambda function
accessing DynamoDB. This will ensure that if a user or resource is
compromised, the blast radius is reduced to the one or few things that
entity was permitted to do. This is an ongoing task. As your application
is constantly changing, you need to make sure that your permissions
adapt accordingly.

• Leverage cloud provider tools - Managing many permission profiles
at scale is challenging. Leverage the platforms you are already using to
generate least-privilege permission sets and analyze your existing
services. Remember that the cloud provider recommendation is to
always manually review the generated profiles before implementing
them.
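
The effective-permission questions in 7.6.4 and the role-per-group and least-privilege advice in 7.6.5 can be checked mechanically. The following Python code is an added example, not code from this unit or from any cloud provider: it resolves what a user may do from directly attached and group-attached policies, then compares granted services with a last-accessed report. The users, groups, policy names and the simplified AWS-style evaluation (explicit deny wins; conditions, resource policies and permission boundaries are ignored) are assumptions.

```python
from fnmatch import fnmatchcase

# Constructed sample data in AWS-style policy grammar (Effect / Action / Resource).
POLICIES = {
    "logs-read": [{"Effect": "Allow",
                   "Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": ["arn:aws:s3:::app-logs", "arn:aws:s3:::app-logs/*"]}],
    "data-team": [{"Effect": "Allow", "Action": ["dynamodb:*"], "Resource": ["*"]},
                  {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"],
                   "Resource": ["*"]}],
    "guardrail": [{"Effect": "Deny", "Action": ["s3:Delete*"], "Resource": ["*"]}],
}
GROUPS = {"developers": ["data-team", "guardrail"]}
USERS = {
    "asha": {"policies": ["logs-read"], "groups": ["developers"]},  # stacked grants
    "ravi": {"policies": [], "groups": ["developers"]},             # group only
}


def statements_for(user):
    """Yield (source, statement) for every policy that reaches the user."""
    entry = USERS[user]
    for name in entry["policies"]:
        for stmt in POLICIES[name]:
            yield f"user:{name}", stmt
    for group in entry["groups"]:
        for name in GROUPS[group]:
            for stmt in POLICIES[name]:
                yield f"group:{group}/{name}", stmt


def _matches(patterns, value):
    # Simplified matching: '*' and '?' wildcards, compared case-insensitively.
    return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)


def evaluate(user, action, resource):
    """Return (decision, sources). Explicit Deny wins; no match is an implicit deny."""
    allows, denies = [], []
    for source, stmt in statements_for(user):
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            (denies if stmt["Effect"] == "Deny" else allows).append(source)
    if denies:
        return "Deny", denies
    if allows:
        return "Allow", allows
    return "ImplicitDeny", []


def granted_services(user):
    """Service prefixes (the part before ':') that any Allow statement grants."""
    services = set()
    for _, stmt in statements_for(user):
        if stmt["Effect"] == "Allow":
            services.update(a.split(":", 1)[0].lower() for a in stmt["Action"])
    return services


def unused_services(user, last_accessed):
    """Granted services with no recorded use: candidates to remove after review."""
    return sorted(granted_services(user) - {s.lower() for s in last_accessed})


def is_stacked(user):
    """True when permissions arrive both by direct attachment and via a group."""
    entry = USERS[user]
    return bool(entry["policies"]) and bool(entry["groups"])


if __name__ == "__main__":
    obj = "arn:aws:s3:::app-logs/2024/01.gz"
    for action, res in [("s3:GetObject", obj), ("s3:DeleteObject", obj),
                        ("iam:CreateUser", "*")]:
        print("asha", action, evaluate("asha", action, res))
    # Constructed last-accessed report: asha has only ever used S3.
    print("unused services:", unused_services("asha", {"s3"}))
    print("stacked:", is_stacked("asha"), is_stacked("ravi"))
```

The sources returned by evaluate() show which attachment produced a decision, which is the information needed to answer the "what can s/he access" questions for a user with several permission sets.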

7.7 SECURITY AS A SERVICE (SECaaS)

Security as a Service (SECaaS) can most easily be described as a
cloud-delivered model for outsourcing security/cybersecurity services. Much like
Software as a Service, SECaaS provides security services on a subscription
basis hosted by cloud providers. Security as a Service solutions have become
increasingly popular for corporate infrastructures as a way to ease the in-house
security team’s responsibilities, scale security needs as the business grows,
and avoid the costs and maintenance of on-premise alternatives.

7.7.1 Benefits of SECaaS

Following are some of the benefits of the SECaaS:

• Cost Savings: One of the biggest benefits of a Security as a Service
model is that it saves money. A cloud-delivered service is often
available in subscription tiers with several upgrade options so a
business only pays for what it needs, when it needs it. It also
eliminates the need for expertise.
• The Latest Security Tools and Updates: When you implement
SECaaS, you get to work with the latest security tools and resources.
For anti-virus and other security tools to be effective, they must be kept
up to date with the latest patches and virus definitions. By deploying
SECaaS throughout your organization, these updates are managed for
you on every server, PC and mobile device.
• Faster Provisioning and Greater Agility: One of the best things
about as-a-service solutions is that your users can be given access to
these tools immediately. SECaaS solutions can be scaled up or down as
required and are provided on demand where and when you need them.
That means no more uncertainty when it comes to deployment or
updates as everything is managed for you by your SECaaS provider and
visible to you through a web-enabled dashboard.
• Free Up Resources: When security provisions are managed externally,
your IT teams can focus on what is important to your organization.
SECaaS frees up resources, gives you total visibility through
management dashboards and the confidence that your IT security is
being managed competently by a team of outsourced security
specialists. You can also choose for your IT teams to take control of
security processes if you prefer and manage all policy and system
changes through a web interface.

Examples of SECaaS include the security services like:

• Continuous Monitoring
• Data Loss Prevention (DLP)
• Business Continuity and Disaster Recovery (BC/DR or BCDR)
• Email Security
• Antivirus Management
• Spam Filtering
• Identity and Access Management (IAM)
• Intrusion Protection
• Security Assessment
• Network Security
• Security Information and Event Management (SIEM)
• Web Security
• Vulnerability Scanning

Combining the most significant features of two distinct cloud service providers
in your IT strategy through multi-cloud computing can create countless
possibilities and flexibility. Let us study the multi-cloud concept in the next
section.

7.8 MULTI-CLOUD COMPUTING

The term multi-cloud refers to the utilization of virtual data storage or
computing resources from more than one public cloud service provider, with or
without using an existing private cloud and on-premises infrastructure.
Let’s say that you want to develop an app that meets your customer base’s
demands and are looking into public cloud possibilities to support some of the
features. As time goes on, your clients will expect innovations that are only
accessible through an app from a different vendor. Instead of stressing that
you’re locked to a single vendor, consider merging those wanted features with
your existing ones. Although it’s worthwhile for the reasons we list below,
keep in mind that to facilitate mutual scalability, you’ll also need to host your
app in the vendor’s public cloud and buy their app.

Additionally, some businesses pursue multi-cloud strategies due to data
sovereignty concerns. Enterprise data must be physically located in a specific
area per certain laws, regulations, and organizational policies.

Multi-cloud computing can assist the company in meeting those requirements
as they can choose from multiple IaaS providers’ data center regions or
availability zones. This flexibility in where cloud data is placed also allows
organizations to locate resources close to the end users to achieve the best
performance and minimal latency.

Some businesses are still determining if a cloud strategy is viable, and others
have acted to expand their deployments and establish multi-cloud
environments. Organizations can compete in competitive marketplaces thanks
to the range of options, cost savings, business agility, and innovation prospects.

Multi-cloud adoption decisions are mainly based on 3 main factors:

• Sourcing
• Architecture
• Governance

Combining the most significant features of two distinct cloud service providers
for your IT strategy can create countless possibilities and flexibility. Continue
reading to discover and understand the major benefits of multi-cloud in the
following section.

7.8.1 Benefits of Multi-Cloud

Following are the benefits of adopting multi-cloud by the organizations:

Enhanced service delivery from multiple clouds

Organizations using multi-cloud can reduce downtime for critical services with
the help of a strategy and architecture. The cloud organizations with the lowest
levels of downtime are all those with cloud strategies and architectures.
Additionally, they adopt several other behaviors, as follows:

• Using a workload allocation method to choose the cloud where an
offering should be implemented to acquire the optimum
platform-to-workload fit.
• Deploying and orchestrating workloads across different clouds while
maximizing performance, availability, and cost through the usage of a
cloud service broker.
• Using a systematic on-boarding approach for cloud workloads.
Consistency and speed are achieved by implementing a deliberate
approach to deploying and utilizing multiple clouds. These companies
can fix issues with cloud-delivered services and resume normal
operations faster than everyone else.

Security

By using a multi-cloud strategy, a company can increase security standards. By
adding new services to the entire corporate portfolio and providing clear
instructions on how users can authenticate data, how it can flow, and where it
can live, IT can lessen the risk of data loss and leakage, shoddy authentication,
and lateral platform compromises.

Cost savings

Overall expenses can be reduced by carefully considering where and how
workloads are distributed across multiple clouds. IT teams can achieve these
savings via a workload placement process. It allows them to consider an
offering’s architecture when determining whether to transfer it to the cloud and
how.

For instance, it might have branches for constructing a platform to use PaaS
choices in an IaaS environment, executing a direct lift and shift on a workload
well suited to IaaS, or performing a rewrite for the cloud.

Creating Redundant Architectures

By diversifying the hosting regions for your infrastructure when you deploy
with multiple clouds, you can ensure high availability for your customers. As a
result, your users will still have access to the features and services deployed on
other clouds, even if one of your cloud providers experiences technical
difficulties.

Fast and Low-latency Infrastructure

A considerably faster, low-latency infrastructure is possible when your
company expands its networks to include multiple providers. Customers will
have a better user experience due to this improvement in application response
times. This highly optimized connection can only occur if there are private
links between two cloud service providers.

Avoid Lock-ins with a Single Vendor

If you build applications for just one cloud vendor, you risk becoming locked
in with them. As a result, switching providers in the future will be considerably
more difficult. Even though that specific vendor was appropriate for you at the
time, it might not be as convenient if you need to scale up or down.

Additionally, you might pass up some future discounts that are much better.
Developers can work to design apps that work across several platforms by
choosing a multi-cloud strategy from the beginning. As a result, you’ll always
have the freedom to benefit from the most excellent offers or features from
other vendors without compromising what you can provide for your clients.

Check Your Progress 1


1) How to secure the Cloud?

2) What are the various security aspects that one needs to remember while
opting for Cloud services?

3) How to choose a SECaaS Provider?

7.9 SUMMARY

Cloud computing is getting widely adopted in businesses around the world.
However, there are different security issues associated with it. In order to
maintain the trust of customers, security should be considered as an integral
part of cloud. In this unit we have focused on the most severe threats to cloud
computing that are considered relevant by most users and businesses. We have
divided these threats into categories of data threats, network threats, and cloud
environment specific threats. The impact of these threats on cloud users and
providers has been illustrated in this unit. Moreover, we also discussed the
security techniques that can be adopted to avoid these threats. Also, towards
the end we discussed IAM and SECaaS.

7.10 SOLUTIONS / ANSWERS

Check Your Progress 1

1. In the 1990s, business and personal data was stored locally and security was
local as well. Data would be located on a PC’s internal storage at home,
and on enterprise servers, if you worked for a company.

Introducing cloud technology has forced everyone to reevaluate cyber
security. Your data and applications might be floating between local
and remote systems and always Internet-accessible. For example, if you
are accessing Google Docs on your smartphone, or using Salesforce
software to look after your customers, that data could be held
anywhere. Therefore, protecting it becomes more difficult than when it
was just a question of stopping unwanted users from gaining access to
your network. Cloud security requires adjusting some previous IT
practices, but it has become more essential for two key reasons:

Convenience over security: Cloud computing is exponentially
growing as a primary method for both workplace and individual use.
Innovation has allowed new technology to be implemented quicker
than industry security standards can keep up, putting more
responsibility on users and providers to consider the risks of
accessibility.

Centralization and multi-tenant storage: Every component, from core
infrastructure to small data like emails and documents, can now be
located and accessed remotely on 24X7 web-based connections. All
this data gathering in the servers of a few major service providers can
be highly dangerous. Threat actors can now target large multi-
organizational data centers and cause immense data breaches.

Unfortunately, malicious actors realize the value of cloud-based targets
and increasingly probe them for exploits. Despite cloud providers
taking many security roles from clients, they do not manage everything.
This leaves even non-technical users with the duty to self-educate on
cloud security.

That said, users are not alone in cloud security responsibilities. Being
aware of the scope of your security duties will help the entire system
stay much safer.

2. Every cloud security measure works to accomplish one or more of the
following:

• Enable data recovery in case of data loss
• Protect storage and networks against malicious data theft
• Deter human error or negligence that causes data leaks
• Reduce the impact of any data or system compromise

Data security is an aspect of cloud security that involves the technical end
of threat prevention. Tools and technologies allow providers and clients to
insert barriers between the access and visibility of sensitive data. Among
these, encryption is one of the most powerful tools available. Encryption
scrambles your data so that it's only readable by someone who has the
encryption key. If your data is lost or stolen, it will be effectively
unreadable and meaningless. Data transit protections like virtual private
networks (VPNs) are also emphasized in cloud networks.

Identity and access management (IAM) pertains to the accessibility
privileges offered to user accounts. Managing authentication and
authorization of user accounts also applies here. Access controls are pivotal
to restrict users, both legitimate and malicious, from entering and
compromising sensitive data and systems. Password management, multi-factor
authentication, and other methods fall in the scope of IAM.

Governance focuses on policies for threat prevention, detection, and
mitigation. With SMB and enterprises, aspects like threat intel can help
with tracking and prioritizing threats to keep essential systems guarded
carefully. However, even individual cloud clients could benefit from
valuing safe user behavior policies and training. These apply mostly in
organizational environments, but rules for safe use and response to threats
can be helpful to any user.

Data retention (DR) and business continuity (BC) planning involve
technical disaster recovery measures in case of data loss. Central to any DR
and BC plan are methods for data redundancy such as backups.
Additionally, having technical systems for ensuring uninterrupted
operations can help. Frameworks for testing the validity of backups and
detailed employee recovery instructions are just as valuable for a thorough
business continuity plan.

Legal compliance revolves around protecting user privacy as set by
legislative bodies. Governments have taken up the importance of protecting
private user information from being exploited for profit. As such,
organizations must follow regulations to abide by these policies. One
approach is the use of data masking, which obscures identity within data
via encryption methods.

3. Some common cloud security risks/threats include:

• Risks of cloud-based infrastructure including incompatible legacy IT
frameworks, and third-party data storage service disruptions.
• Internal threats due to human error such as misconfiguration of user
access controls.
• External threats caused almost exclusively by malicious actors, such
as malware, phishing, and DDoS attacks.

The biggest risk with the cloud is that there is no perimeter. Traditional
cyber security focused on protecting the perimeter, but cloud environments
are highly connected which means insecure APIs (Application
Programming Interfaces) and account hijacks can pose real problems.
Faced with cloud computing security risks, cyber security professionals
need to shift to a data-centric approach.

Interconnectedness also poses problems for networks. Malicious actors
often breach networks through compromised or weak credentials. Once a
hacker manages to make a landing, they can easily expand and use poorly
protected interfaces in the cloud to locate data on different databases or
nodes. They can even use their own cloud servers as a destination where
they can export and store any stolen data.

Third-party storage of your data and access via the internet each pose their
own threats as well. If for some reason those services are interrupted, your
access to the data may be lost. For instance, a phone network outage could
mean you can't access the cloud at an essential time. Alternatively, a power
outage could affect the data center where your data is stored, possibly with
permanent data loss.

Such interruptions could have long-term repercussions. A recent power
outage at an Amazon cloud data facility resulted in data loss for some
customers when servers incurred hardware damage. This is a good example
of why you should have local backups of at least some of your data and
applications.

Check Your Progress 2

1. Fortunately, there is a lot that you can do to protect your own data in
the cloud. Let’s explore some of the popular methods.

Encryption is one of the best ways to secure your cloud computing
systems. There are several different ways of using encryption, and they
may be offered by a cloud provider or by a separate cloud security
solutions provider:
• Communications encryption with the cloud in their entirety.
• Particularly sensitive data encryption, such as account credentials.
• End-to-end encryption of all data that is uploaded to the cloud.

Within the cloud, data is more at risk of being intercepted when it is on the
move. When it's moving between one storage location and another, or
being transmitted to your on-site application, it's vulnerable. Therefore,
end-to-end encryption is the best cloud security solution for critical data.
With end-to-end encryption, at no point is your communication made
available to outsiders without your encryption key.

You can either encrypt your data yourself before storing it on the cloud, or
you can use a cloud provider that will encrypt your data as part of the
service. However, if you are only using the cloud to store non-sensitive
data such as corporate graphics or videos, end-to-end encryption might be
overkill. On the other hand, for financial, confidential, or commercially
sensitive information, it is vital.

If you are using encryption, remember that the safe and secure
management of your encryption keys is crucial. Keep a key backup and
ideally don't keep it in the cloud. You might also want to change your
encryption keys regularly so that if someone gains access to them, they will
be locked out of the system when you make the changeover.

Configuration is another powerful practice in cloud security. Many cloud
data breaches come from basic vulnerabilities such as misconfiguration
errors. By preventing them, you are vastly decreasing your cloud security
risk. If you don’t feel confident doing this alone, you may want to consider
using a separate cloud security solutions provider.

Here are a few principles you can follow:

• Never leave the default settings unchanged: Using the default settings
gives a hacker front-door access. Avoid doing this to complicate a
hacker’s path into your system.
• Never leave a cloud storage bucket open: An open bucket could allow
hackers to see the content just by opening the storage bucket's URL.
• If the cloud vendor gives you security controls that you can switch
on, use them. Not selecting the right security options can put you at
risk.

2. Security should be one of the main points to consider when it comes to
choosing a cloud security provider. That’s because your cyber security is
no longer just your responsibility: cloud security companies must do their
part in creating a secure cloud environment and share the responsibility for
data security.

Unfortunately, cloud companies are not going to give you the blueprints to
their network security. This would be equivalent to a bank providing you
with details of their vault, complete with the combination numbers to the
safe.

However, getting the right answers to some basic questions gives you
better confidence that your cloud assets will be safe. In addition, you will
be more aware of whether your provider has properly addressed obvious
cloud security risks. We recommend asking your cloud provider some
of the following questions:

• Security audits: “Do you conduct regular external audits of your
security?”
• Data segmentation: “Is customer data logically segmented and kept
separate?”
• Encryption: “Is our data encrypted? What parts of it are encrypted?”
• Customer data retention: “What customer data retention policies are
being followed?”
• User data retention: “Is my data properly deleted if I leave your
cloud service?”
• Access management: “How are access rights controlled?”

You will also want to make sure you’ve read your provider’s terms of
service (TOS). Reading the TOS is essential to understanding if you are
receiving exactly what you want and need.

Be sure to check that you also know all the services used with your
provider. If your files are on Dropbox or backed up on iCloud (Apple's
storage cloud), that may well mean they are actually held on Amazon's
servers. So, you will need to check out AWS, as well as the service you
are using directly.

3. Hiring a third-party cloud service for the security of your most critical
and sensitive business assets is a massive undertaking. Choosing a SECaaS
provider takes careful consideration and evaluation. Here are some of the
most important considerations when selecting a provider:

• Availability: Your network must be available 24 hours a day and so
should your SECaaS provider. Vet the vendor’s SLA to make sure
they can provide the uptime your business needs and to know how
outages are handled.

• Fast Response Times: Fast response times are just as important as
availability. Look for providers that offer guaranteed response times for
incidents, queries and system updates.

• Disaster Recovery Planning: Your provider should work closely with
you to understand the vulnerabilities of your infrastructure and the
external threats that are most likely to cause the most damage. From
vandalism to weather disasters, your provider should ensure your
business can recover quickly from these disruptive events.

• Vendor Partnerships: A SECaaS provider is only ever as good as the
vendors it has forged partnerships with. Look for providers that
work with best-in-class security solution vendors and who also have the
expertise to support these solutions.

7.11 FURTHER READINGS

1. Cloud Computing: Principles and Paradigms, Rajkumar Buyya, James
Broberg and Andrzej M. Goscinski, Wiley, 2011.
2. Mastering Cloud Computing, Rajkumar Buyya, Christian Vecchiola,
and Thamarai Selvi, Tata McGraw Hill, 2013.
3. Essentials of Cloud Computing, K. Chandrasekaran, CRC Press, 2014.
4. Cloud Computing, Sandeep Bhowmik, Cambridge University Press,
2017.
