
Cloud Computing
Unit 1
Cloud Reference Architectures and Security

The NIST definition of Cloud Computing

- The National Institute of Standards and Technology (NIST) is
responsible for developing standards and guidelines, including
minimum requirements, for providing adequate information security
for all federal agency operations and assets; these standards and
guidelines do not apply to national security systems.
- The definition below is taken from NIST Special Publication
800-145. It was prepared for use by federal agencies, may be used
by nongovernmental organizations on a voluntary basis, and is not
subject to copyright, though attribution is desired.

Cloud computing is a model for enabling ubiquitous, convenient,
on-demand network access to a shared pool of configurable
computing resources (e.g., networks, servers, storage,
applications, and services) that can be rapidly provisioned and
released with minimal management effort or service provider
interaction.
This cloud model is composed of five essential characteristics,
three service models, and four deployment models.
Essential Characteristics:
1. On-demand self-service. A consumer can unilaterally
provision computing capabilities, such as server time and
network storage, as needed automatically without requiring
human interaction with each service provider.
2. Broad network access. Capabilities are available over the
network and accessed through standard mechanisms that
promote use by heterogeneous thin or thick client platforms
(e.g., mobile phones, tablets, laptops, and workstations).
3. Resource pooling. The provider’s computing resources are
pooled to serve multiple consumers using a multi-tenant
model, with different physical and virtual resources
dynamically assigned and reassigned according to consumer
demand. There is a sense of location independence in that
the customer generally has no control or knowledge over the
exact location of the provided resources but may be able to
specify location at a higher level of abstraction (e.g.,
country, state, or datacenter). Examples of resources include
storage, processing, memory, and network bandwidth.
4. Rapid elasticity. Capabilities can be elastically provisioned
and released, in some cases automatically, to scale rapidly
outward and inward commensurate with demand. To the
consumer, the capabilities available for provisioning often
appear to be unlimited and can be appropriated in any
quantity at any time.
5. Measured service. Cloud systems automatically control and
optimize resource use by leveraging a metering capability
at some level of abstraction appropriate to the type of
service (e.g., storage, processing, bandwidth, and active
user accounts). Resource usage can be monitored,
controlled, and reported, providing transparency for both the
provider and consumer of the utilized service.

Service Models:
1. Software as a Service (SaaS). The capability provided to the
consumer is to use the provider’s applications running on a
cloud infrastructure. The applications are accessible from
various client devices through either a thin client interface,
such as a web browser (e.g., web-based email), or a program
interface. The consumer does not manage or control the
underlying cloud infrastructure including network, servers,
operating systems, storage, or even individual application
capabilities, with the possible exception of limited
user-specific application configuration settings.
2. Platform as a Service (PaaS). The capability provided to the
consumer is to deploy onto the cloud infrastructure
consumer-created or acquired applications created using
programming languages, libraries, services, and tools
supported by the provider. The consumer does not manage
or control the underlying cloud infrastructure including
network, servers, operating systems, or storage, but has
control over the deployed applications and possibly
configuration settings for the application-hosting
environment.
3. Infrastructure as a Service (IaaS). The capability provided to
the consumer is to provision processing, storage, networks,
and other fundamental computing resources where the
consumer is able to deploy and run arbitrary software, which
can include operating systems and applications. The
consumer does not manage or control the underlying cloud
infrastructure but has control over operating systems,
storage, and deployed applications; and possibly limited
control of select networking components (e.g., host
firewalls).

Deployment Models:
1. Private cloud. The cloud infrastructure is provisioned for
exclusive use by a single organization comprising multiple
consumers (e.g., business units). It may be owned,
managed, and operated by the organization, a third party, or
some combination of them, and it may exist on or off
premises.
2. Community cloud. The cloud infrastructure is provisioned for
exclusive use by a specific community of consumers from
organizations that have shared concerns (e.g., mission,
security requirements, policy, and compliance
considerations). It may be owned, managed, and operated
by one or more of the organizations in the community, a
third party, or some combination of them, and it may exist
on or off premises.
3. Public cloud. The cloud infrastructure is provisioned for open
use by the general public. It may be owned, managed, and
operated by a business, academic, or government
organization, or some combination of them. It exists on the
premises of the cloud provider.
4. Hybrid cloud. The cloud
infrastructure is a composition of two or more distinct cloud
infrastructures (private, community, or public) that remain
unique entities, but are bound together by standardized or
proprietary technology that enables data and application
portability (e.g., cloud bursting for load balancing between
clouds).

Cloud Computing reference architecture

IaaS, PaaS, SaaS: covered in the previous topic (Service Models).

Cloud Computing use cases

1. Storage
Public cloud storage consists of storage capacity and technology
as-a-service, which helps organizations reduce or eliminate the
capital costs of building and maintaining in-house storage
capabilities. By replicating the same data across multiple
machines and locations, cloud storage offers the redundancy
needed to support business continuity in the face of a natural
disaster, an outage or other emergencies.

2. Dynamic resource allocation

A public cloud gives companies the elasticity to scale resources
up or down depending on business needs. For instance, an
e-commerce site with highly seasonal sales can quickly expand its
online services with a public cloud. It pays for the added
capacity only during peak periods and can scale back down during
regular sales.

3. Development and testing

A public cloud offers an ideal environment for developing and
testing new applications compared with procuring and maintaining
dedicated on-premises test hardware, which is far costlier and
more time-consuming. For instance, in just minutes developers can
provision testing environments on public cloud virtual machines
(VMs), and when they are finished they can easily tear the
environment down again.

4. Cloud-native applications and DevOps

A public cloud setting supports cloud-native applications:
software built from many small, independently deployable services
called microservices, a crucial part of DevOps practices.
Developers use DevOps tools to automate cloud-native development
and the rapid delivery of high-quality software, building
containerized applications once and deploying them anywhere.

5. Low code
Low code is a visual approach to software featuring a graphical
user interface with drag-and-drop features that support the
automation of the development process. Low-code platforms
democratize app development for “citizen” developers—users
with little formal coding experience. Low code helps businesses
streamline workflows and accelerate the development of websites
and mobile apps, the integration of external plugins, and cloud-
based next-gen technologies, like artificial intelligence (AI) and
machine learning (ML).

6. Analytics
With the rise of data collected from mobile phones, the Internet of
Things (IoT), and other smart devices, companies need to analyze
data more quickly than ever before. Big data analytics—the use of
advanced analytic techniques against very large, diverse big data
sets—has become crucial to business success. A public cloud
environment provides the computing and networking
infrastructure needed to support big data so companies can make
faster data-driven decisions and deliver better customer
experiences in real-time and at scale.

7. Hybrid multicloud strategy

A public cloud is pivotal to a hybrid multicloud strategy. By
integrating public cloud services with private cloud or
on-premises infrastructure, organizations can choose where to run
each workload and select the best services from different cloud
service providers (CSPs). For instance, a financial institution
may use the public cloud to develop and test new applications
while running fraud-sensitive, regulated workloads on a private
cloud hosted by a dedicated CSP.

8. Generative AI
With its massive need for compute, storage and networking
capabilities, generative AI needs the cloud to process data in real-
time and at scale. Public cloud providers offer companies the
capability to access data and harness processing power from
multiple distributed data centers that can support generative AI
workloads.

9. Edge computing
Edge computing brings enterprise applications closer to data
sources (e.g., mobile phones, sensors, IoT devices or local edge
servers) for faster insights, improved response times and better
bandwidth use. For instance, edge devices help monitor power grid
operations to reduce energy waste in the energy sector. A public
cloud works synergistically with edge services by connecting them
to a centralized public cloud or to other edge data centers. Most
often, only the most time-critical data is processed at the edge,
while less critical data is sent to a primary public cloud data
center for processing, freeing edge computing resources to keep
latency low.

10. Quantum computing

Quantum computing uses computer hardware, algorithms and
other quantum mechanics technology to solve complex problems.
While quantum computing for business is still in its early stages,
organizations in industries that require vast computing
capabilities (e.g., chemistry, biology, healthcare, finance) are
beginning to tap into quantum’s potential to transform the way
they do business. Today’s public cloud service providers have
started to offer services involving renting quantum machines,
platforms for developing utility-scale quantum algorithms and
applications and more.

Cloud Computing standards

1. NIST (National Institute of Standards and Technology)

NIST is a US federal agency that develops measurement standards
and technical guidance to promote innovation and industrial
competitiveness. It publishes the Cybersecurity Framework and the
SP 800 series of security guidelines, which organizations use to
meet US regulations such as the Federal Information Security
Management Act (FISMA) and the Health Insurance Portability and
Accountability Act (HIPAA). NIST places a strong emphasis on
categorizing systems and data by the impact their compromise
would have and protecting them accordingly.

2. ISO/IEC 27017
An extension of ISO/IEC 27001 that adds controls and
implementation guidance specific to cloud-based information
security. Cloud providers and their customers should consider
ISO/IEC 27017 compliance alongside ISO/IEC 27001. Published in
2015, it supplements the guidance in ISO/IEC 27002 and the other
ISO27k standards, such as ISO/IEC 27018 on the privacy
implications of cloud computing and ISO/IEC 27031 on business
continuity.

3. ISO/IEC 27018
This standard covers the protection of personally identifiable
information (PII) in public clouds acting as PII processors.
Although it is aimed primarily at public cloud service providers
such as AWS or Azure, a SaaS provider that processes customer PII
on top of those clouds still bears accountability for how that
PII is handled. If you are a SaaS provider handling PII, you
should consider complying with this standard.

4. CIS Controls
The Center for Internet Security (CIS) Controls are a freely
available, consensus-developed set of safeguards that help
organizations secure their systems. Each safeguard is reviewed by
a community of practitioners before it is adopted.
For cloud-specific checks, consult the CIS Benchmarks written for
particular cloud service providers. For instance, the CIS AWS
Foundations Benchmark is a set of configuration checks created
especially for workloads running on Amazon Web Services (AWS).

5. FISMA
The Federal Information Security Management Act (FISMA) requires
all US federal agencies and their contractors to safeguard their
information systems and assets. FISMA gives NIST the authority to
define the required security standards and guidelines; the
resulting control catalog is NIST SP 800-53.

6. Cloud Architecture Frameworks

Cloud providers publish architecture frameworks that cover
operational effectiveness, security, reliability and cost, and
these can be viewed as best-practice standards for cloud
architects. The framework developed by Amazon Web Services, the
AWS Well-Architected Framework, helps architects design workloads
and applications on the Amazon cloud. It is organized as a
collection of questions for reviewing a cloud environment, giving
customers a reliable resource for architecture evaluation.

7. General Data Protection Regulation (GDPR)

The GDPR is the European Union's law governing data protection
and privacy. Although it is EU legislation, it applies to any
organization, wherever it is located, that stores or otherwise
processes the personal data of people in the EU, so keep it in
mind if you handle such data.

8. SOC Reporting
A SOC 2 (System and Organization Controls 2) report is the result
of an audit, under the AICPA's attestation standards, of the
operational controls of an organization that provides services to
other businesses. It is widely requested as evidence of
cybersecurity risk management. A SOC 2 report shows that your
company's policies, practices and controls meet the five Trust
Services Criteria: security, availability, processing integrity,
confidentiality, and privacy. If you offer software as a service,
potential clients might request a SOC 2 report as proof that you
meet these criteria.

9. PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is a
set of security requirements for every merchant and service
provider that stores, processes or transmits cardholder data. It
specifies fundamental technical and operational requirements for
safeguarding cardholder data, with the aim of protecting
cardholders from identity theft and payment card fraud.

10. HIPAA
The Health Insurance Portability and Accountability Act (HIPAA),
passed by the US Congress to safeguard individual health
information, also contains provisions dealing specifically with
information security. Businesses that handle medical data must
comply with HIPAA. The part most relevant to information security
is the HIPAA Security Rule, which specifies requirements for
protecting the electronic protected health information that a
covered entity creates, receives, uses or maintains.

Cloud Computing Security Basic Terms and Concepts

Types of Cloud Computing Security Controls:

There are four types of cloud computing security controls:
1. Deterrent Controls: Deterrent controls discourage attackers
from attempting an attack, for example through warning banners,
published policies and the knowledge that activity is logged.
They are mainly effective against insiders, who can be held
accountable.
2. Preventive Controls: Preventive controls make the system
resilient to attacks by eliminating vulnerabilities, for example
through patching, strong authentication and least-privilege
access.
3. Detective Controls: Detective controls identify security
incidents in progress and trigger a response. Examples are
intrusion detection software and network security monitoring
tools.
4. Corrective Controls: Corrective controls are activated once an
attack has occurred. They limit the damage and restore the
system, for example by isolating a compromised host or restoring
from backup.

Importance of cloud security :

For organizations moving to the cloud, security is an essential
factor when choosing a cloud provider. Attacks grow more capable
every day, so the defenses must keep pace. It is therefore
essential to pick a provider whose security offering fits the
organization's infrastructure. Cloud security has several
benefits:
1. Centralized security : Cloud security centralizes protection.
Managing every device and endpoint individually is hard; a
central control point improves traffic analysis and web filtering
and reduces the number of policy and software updates that must
be rolled out.
2. Reduced costs : Investing in cloud computing and cloud security
reduces expenditure on hardware and the manpower needed for
administration.
3. Reduced Administration : Administration becomes easier, without
manual security configuration and constant manual security
updates.
4. Reliability : Cloud services are highly reliable, and the cloud
can be accessed from anywhere, with any device, given proper
authorization.

Some cloud security challenges are:
1. Control over cloud data
2. Misconfiguration
3. Ever changing workload
4. Access Management
5. Disaster recovery

Threat Agents

A threat agent is an entity that poses a threat because it is
capable of carrying out an attack.

Cloud security threats can originate either internally or
externally, from humans or software programs.
1. Anonymous Attacker An anonymous attacker is a non-
trusted cloud service consumer without permissions in the
cloud . It typically exists as an external software program
that launches network-level attacks through public networks.
When anonymous attackers have limited information on
security policies and defenses, it can inhibit their ability to
formulate effective attacks. Therefore, anonymous attackers
often resort to committing acts like bypassing user accounts
or stealing user credentials, while using methods that either
ensure anonymity or require substantial resources for
prosecution
2. Malicious Service Agent A malicious service agent is able to
intercept and forward the network traffic that flows within a
cloud. It typically exists as a service agent (or a program
pretending to be a service agent) with compromised or
malicious logic. It may also exist as an external program able
to remotely intercept and potentially corrupt message
contents.
3. Trusted Attacker. A trusted attacker shares IT resources in
the same cloud environment as the cloud consumer and
attempts to exploit legitimate credentials to target cloud
providers and the cloud tenants with whom they share IT
resources. Unlike anonymous attackers (which are
nontrusted), trusted attackers usually launch their attacks
from within a cloud’s trust boundaries by abusing legitimate
credentials or via the appropriation of sensitive and
confidential information.
4. Malicious Insider Malicious insiders are human threat agents
acting on behalf of or in relation to the cloud provider. They
are typically current or former employees or third parties
with access to the cloud provider’s premises. This type of
threat agent carries tremendous damage potential, as the
malicious insider may have administrative privileges for
accessing cloud consumer IT resources.

Cloud Security Threats

This section introduces several common threats and
vulnerabilities in cloud-based environments and describes the
roles of the aforementioned threat agents.
1. Traffic Eavesdropping Traffic eavesdropping occurs when
data being transferred to or within a cloud (usually from the
cloud consumer to the cloud provider) is passively
intercepted by a malicious service agent for illegitimate
information gathering purposes. The aim of this attack is to
directly compromise the confidentiality of the data and,
possibly, the confidentiality of the relationship between the
cloud consumer and cloud provider. Because of the passive
nature of the attack, it can more easily go undetected for
extended periods of time.
2. Malicious Intermediary The malicious intermediary threat
arises when messages are intercepted and altered by a
malicious service agent, thereby potentially compromising
the message’s confidentiality and/or integrity. It may also
insert harmful data into the message before forwarding it to
its destination.
3. Denial of Service The objective of the denial of service (DoS)
attack is to overload IT resources to the point where they
cannot function properly. This form of attack is commonly
launched in one of the following ways:
• The workload on cloud services is artificially increased with
imitation messages or repeated communication requests.
• The network is overloaded with traffic to reduce its
responsiveness and cripple its performance.
• Multiple cloud service requests are sent, each of which is
designed to consume excessive memory and processing
resources.
4. Insufficient Authorization The insufficient authorization
attack occurs when access is granted to an attacker
erroneously or too broadly, resulting in the attacker getting
access to IT resources that are normally protected. This is
often a result of the attacker gaining direct access to IT
resources that were implemented under the assumption that
they would only be accessed by trusted consumer programs.
5. Virtualization Attack A virtualization attack exploits
vulnerabilities in the virtualization platform to jeopardize its
confidentiality, integrity, and/or availability. With public
clouds, where a single physical IT resource may be providing
virtualized IT resources to multiple cloud consumers, such an
attack can have significant repercussions.
6. Overlapping Trust Boundaries If physical IT resources within
a cloud are shared by different cloud service consumers,
these cloud service consumers have overlapping trust
boundaries. Malicious cloud service consumers can target
shared IT resources with the intention of compromising cloud
consumers or other IT resources that share the same trust
boundary. The consequence is that some or all of the other
cloud service consumers could be impacted by the attack
and/or the attacker could use virtual IT resources against
others that happen to also share the same trust boundary.

Cloud Security Mechanisms

Encryption:
Data is by default stored and transmitted in a readable form
known as plaintext. When plaintext is transmitted over a network,
it is exposed to unauthorized and potentially dangerous access.

Encryption relies on a standardized algorithm, called a cipher, to
convert plaintext into an unreadable form called ciphertext.
Access to the ciphertext does not disclose the original data,
with the exception of some metadata such as the message length
and creation time. Encryption pairs the data with a string of
characters called the encryption key; the corresponding
decryption key converts the ciphertext back into plaintext.
Symmetric encryption uses the same key for both operations.
Asymmetric encryption uses a key pair: the public key encrypts
and only the matching private key decrypts, so the public key can
be distributed freely.

Encryption counters the traffic eavesdropping and malicious
intermediary threats: a malicious service agent that intercepts
an encrypted message cannot retrieve the data, and when an
authenticated cipher is used, any attempt to alter the message is
also revealed to the cloud service consumer.
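The following Go program is an added example and is not part of the original notes or of any product described in them. It demonstrates the two properties described above using AES-256-GCM from the Go standard library: the ciphertext reveals only the length of the message, and because GCM is an authenticated cipher, a malicious intermediary who flips a single bit causes decryption to fail instead of yielding altered plaintext. The key and message are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Encrypt seals plaintext with AES-256-GCM under a 32-byte key and returns
// nonce || ciphertext || tag. A fresh random nonce is drawn for every call;
// reusing a nonce with the same key would break GCM's guarantees.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and the 16-byte authentication tag after the nonce.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. It fails closed: any change to the nonce,
// ciphertext or tag makes the tag check fail and no plaintext is returned.
func Decrypt(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// Tamper flips one bit in a copy of sealed, modelling a malicious
// intermediary altering a message in transit.
func Tamper(sealed []byte, pos int) []byte {
	out := append([]byte(nil), sealed...)
	out[pos] ^= 0x01
	return out
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Constructed sample message; not real data.
	msg := []byte("consumer -> provider: create bucket audit-logs")
	sealed, err := Encrypt(key, msg)
	if err != nil {
		panic(err)
	}
	fmt.Printf("plaintext %d bytes -> ciphertext %d bytes (12 nonce + 16 tag)\n", len(msg), len(sealed))
	pt, err := Decrypt(key, sealed)
	fmt.Printf("decrypt intact:   %q err=%v\n", pt, err)
	_, err = Decrypt(key, Tamper(sealed, len(sealed)/2))
	fmt.Printf("decrypt tampered: err=%v\n", err)
}
```

The only thing an eavesdropper learns from `sealed` is its length; the tampered copy is rejected outright because the authentication tag no longer matches.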

Hashing:
Hashing converts an input of arbitrary length into a fixed-length
value, or key, that represents the original input. Hashing is
used to identify and retrieve items from a database, because
looking up an object by its short hashed key is faster than
comparing the original value. It is also used within many
cryptographic algorithms.
There are many well-known hash functions used in cryptography.
These include the message-digest hash functions MD2, MD4 and MD5,
which condense a message into a short message digest (for
example, as the input to a digital signature), and the Secure
Hash Algorithm (SHA) family, a standard whose first member, SHA-1,
produces a 160-bit digest and is structurally similar to MD4. MD5
and SHA-1 are now considered broken for collision resistance, so
new designs should use SHA-256 or stronger. A hash function that
is efficient for storage and retrieval is not necessarily
suitable for cryptographic purposes or for detecting deliberate
modification.

Malware hashes are used by anti-virus programs to identify
viruses. A malware hash is the digest of a known malicious file.
Anti-virus software computes the hashes of files on a computer and
compares them with its list of malware hashes to detect known
malware.

Malware authors have learned to alter their code on each infected
machine (polymorphism), so that every copy has a unique hash,
which defeats simple hash-based matching.
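An added Go example, not from the original notes, that does what a signature-based scanner does with malware hashes. It computes the SHA-256 of a constructed stand-in for a malicious file, looks it up in a deny-list, and shows that a variant differing by a single appended byte is not matched, which is the polymorphism problem the paragraph describes. MD5 is computed only to compare digest sizes; it is collision-broken and should not be relied on for integrity.

```go
package main

import (
	"crypto/md5"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// SHA256Hex returns the hex-encoded SHA-256 digest (32 bytes, 64 hex chars).
func SHA256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// MD5Hex returns the hex-encoded MD5 digest (16 bytes, 32 hex chars).
// Shown only for the size comparison: MD5 collisions are practical, so it
// must not be used where an attacker could substitute a colliding file.
func MD5Hex(data []byte) string {
	sum := md5.Sum(data)
	return hex.EncodeToString(sum[:])
}

// MatchesKnownMalware reports whether the SHA-256 of data appears in the
// deny-list, the way a signature-based scanner checks a file.
func MatchesKnownMalware(data []byte, knownBad map[string]bool) bool {
	return knownBad[SHA256Hex(data)]
}

// Polymorph returns a copy of sample with one extra byte appended,
// modelling malware that re-encodes itself on every infection so that
// each copy has a different hash.
func Polymorph(sample []byte, variant byte) []byte {
	out := append([]byte(nil), sample...)
	return append(out, variant)
}

func main() {
	// Constructed stand-in for a malicious binary; not a real sample.
	sample := []byte("MZ\x90\x00 constructed dropper payload")
	knownBad := map[string]bool{SHA256Hex(sample): true}

	fmt.Println("sha256:", SHA256Hex(sample))
	fmt.Println("md5:   ", MD5Hex(sample), "(shorter, and collision-broken)")
	fmt.Println("exact copy flagged:      ", MatchesKnownMalware(sample, knownBad))
	fmt.Println("one-byte variant flagged:", MatchesKnownMalware(Polymorph(sample, 0x01), knownBad))
}
```

Because a single changed byte produces an unrelated digest, hash matching only ever catches the exact file it was derived from; that is why scanners supplement hashes with behavioural and heuristic detection.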

Digital Signatures:
The digital signature mechanism is a means of providing data
integrity, data authenticity through authentication, and non-
repudiation. A message is assigned a digital signature prior to
transmission, and if the message experiences any subsequent,
unauthorized modifications then it is rendered as invalid. A digital
signature provides evidence that the message received is the
same as the original message sent by the rightful sender.

Both hashing and asymmetric encryption are involved in the
creation of a digital signature, which is a message digest
encrypted (signed) with the sender's private key and appended to
the original message. The recipient verifies the signature by
decrypting it with the sender's corresponding public key, which
yields the digest the sender computed, and by independently
applying the same hashing mechanism to the received message. If
the two digests are identical, the message has maintained its
integrity and was signed by the holder of the private key.

Single Sign-On:
The single sign-on (SSO) mechanism enables one cloud service
consumer to be authenticated by a security broker, which
establishes a security context while the cloud service consumer
accesses cloud-based IT resources. Otherwise, with every
subsequent request, the service consumer would need to re-
authenticate itself.
The advantage of the SSO mechanism is that it lets independent IT
resources generate and share the authentication and authorization
information for a session. The credentials originally provided by
the cloud service consumer remain valid for the duration of the
session, while the resulting security context is propagated to
the other IT resources the consumer accesses. The SSO security
broker is especially useful when a cloud service consumer needs
access to cloud services hosted in different clouds or
environments.

Public Key Infrastructure:

A common approach for managing the issuance of asymmetric keys is
the public key infrastructure (PKI) mechanism: a system of
protocols, practices, rules and data formats that enables
large-scale systems to use public-key cryptography securely. A
PKI associates public keys with their owners (public-key
identification) and enables the validity of a key to be verified.
It relies on digital certificates, which are digitally signed
data structures that bind a public key to the identity of the
certificate owner together with related information such as the
validity period. A trusted third party, the certificate authority
(CA), digitally signs the certificates.

The components of a PKI include the CA that issues the
certificates, a registration authority (RA) that approves
certificate requests before issuance, a public directory
containing the issued certificates, and the certificate
revocation list (CRL) that names certificates withdrawn before
their expiry.

Identity and Access Management:

Cloud Identity and Access Management typically include the
following features:
Single Access Control Interface: Cloud IAM solutions provide a
clean and consistent access control interface for all cloud platform
services. All cloud services can use the same interface.
Enhanced Security: You can define increased security for critical
applications.
Resource-level Access Control. You can define roles and grant
permissions to users for allowing them to access resources at
different granularity levels.

Cloud based Security Groups

A security group functions as a virtual firewall that regulates
the inbound and outbound traffic for Amazon EC2 instances or other
AWS resources in a VPC. Security groups are allow-lists: traffic
that no rule permits is dropped, and they are stateful, so the
response to a permitted request is allowed back without a
matching rule in the other direction. The terms involved:

1. Security Group: A virtual firewall that manages inbound and
outbound traffic for one or more Amazon EC2 instances or other AWS
services within a VPC.
2. Inbound Rules: These define the traffic that is permitted to
reach the resources: the protocol, the port or port range, and
the source, which may be a CIDR block, a single IPv4 or IPv6
address, or another security group.
3. Outbound Rules: These define the traffic that is permitted to
leave the resources, specifying the protocol, port range and
destination. The destination may be another security group, a
CIDR block, a single IPv4 or IPv6 address, or any address.
4. Amazon EC2: Amazon Elastic Compute Cloud is a web service that
offers scalable compute capacity in the cloud, intended to make
web-scale cloud computing simpler for developers.
5. VPC: A virtual private cloud is a virtual network, isolated
from other networks, into which you launch AWS resources.
6. CIDR: Classless inter-domain routing is the notation used to
allocate IP addresses and route IP packets; a CIDR block such as
10.0.0.0/8 denotes a range of addresses, and 0.0.0.0/0 denotes
every IPv4 address.
7. Protocol: A protocol is a set of rules that governs how two
devices communicate with one another (e.g., TCP, UDP, ICMP).
8. Port: A port is the communication endpoint on a host for a
particular process or service (e.g., TCP port 22 for SSH).
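An added Go example, not from the original notes or from AWS, that models how inbound security group rules are evaluated: a packet is admitted only if some rule matches its protocol, destination port and source prefix, and a small review function flags the misconfiguration most often found in practice, an administrative port open to 0.0.0.0/0. The rule set is constructed; rules that name another security group as the source are not modelled.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Rule is one inbound security-group entry: protocol, port range and the
// source prefix it accepts traffic from.
type Rule struct {
	Proto    string
	FromPort int
	ToPort   int
	Source   netip.Prefix
}

// Inbound holds a security group's inbound rules. Security groups are
// allow-lists: anything no rule matches is dropped.
type Inbound []Rule

// Allows reports whether a packet with the given protocol, destination
// port and source address is admitted by any rule.
func (sg Inbound) Allows(proto string, port int, src netip.Addr) bool {
	for _, r := range sg {
		if r.Proto == proto && port >= r.FromPort && port <= r.ToPort && r.Source.Contains(src) {
			return true
		}
	}
	return false
}

// anyAddress reports whether a prefix covers the whole address space
// (0.0.0.0/0 or ::/0).
func anyAddress(p netip.Prefix) bool { return p.Bits() == 0 }

// AdminPortsOpenToWorld returns rules that expose SSH (22) or RDP (3389)
// to every source address, the first thing a reviewer looks for.
func (sg Inbound) AdminPortsOpenToWorld() []Rule {
	var bad []Rule
	for _, r := range sg {
		if r.Proto != "tcp" || !anyAddress(r.Source) {
			continue
		}
		for _, p := range []int{22, 3389} {
			if p >= r.FromPort && p <= r.ToPort {
				bad = append(bad, r)
				break
			}
		}
	}
	return bad
}

// SampleGroup is a constructed rule set, not taken from a real account.
func SampleGroup() Inbound {
	return Inbound{
		{"tcp", 443, 443, netip.MustParsePrefix("0.0.0.0/0")},   // public HTTPS: fine
		{"tcp", 22, 22, netip.MustParsePrefix("10.0.0.0/8")},    // SSH from the corporate range
		{"tcp", 3389, 3389, netip.MustParsePrefix("0.0.0.0/0")}, // RDP open to the world: finding
	}
}

func main() {
	sg := SampleGroup()
	fmt.Println("HTTPS from internet: ", sg.Allows("tcp", 443, netip.MustParseAddr("203.0.113.7")))
	fmt.Println("SSH from corporate:  ", sg.Allows("tcp", 22, netip.MustParseAddr("10.20.30.40")))
	fmt.Println("SSH from internet:   ", sg.Allows("tcp", 22, netip.MustParseAddr("203.0.113.7")))
	fmt.Println("UDP 53 from anywhere:", sg.Allows("udp", 53, netip.MustParseAddr("10.0.0.1")))
	for _, r := range sg.AdminPortsOpenToWorld() {
		fmt.Printf("FINDING: %s %d-%d open from %s\n", r.Proto, r.FromPort, r.ToPort, r.Source)
	}
}
```

The evaluation is purely additive: there are no deny rules, so the only way to block traffic is to have no rule that matches it. That is why the review function looks for over-broad sources rather than for missing denies.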

Hardened Virtual Server Images.


Hardened virtual server images are pre-configured virtual server
images that have been hardened to enhance security by reducing
the attack surface and implementing security best practices.
These images typically include security measures such as firewall
configurations, intrusion detection systems, encryption, and
access controls to protect against unauthorized access and data
breaches.

In cloud security, hardened virtual server images are used to


ensure that the virtual servers deployed in the cloud environment
are secure and protected from potential security threats. By using
hardened virtual server images, organizations can reduce the risk
of security vulnerabilities and minimize the effort required to
configure and maintain the security of virtual servers.
