cloud computing, Cloud security issues

Uploaded by

Abhishek Jaiswal

09-01-2025

MCA - 4th Semester, UNIT-II: Cloud Security & Mgmt

SUBJECT: Cloud Computing (CC)

Text Book: Cloud Computing: A Practical Approach – Toby Velte, Anthony, & Robert – McGraw Hill

Cloud Security Challenges:
1. User Authentication
2. Data Protection
3. Disaster and Data breach/Contingency Planning
4. Security
5. Costing Model
6. Charging Model
7. Service Level Agreement
8. Cloud Interoperability Issue

09-01-2025 B. Varghese, BIT, Durg

Cloud Security Challenges
• SaaS (Already covered)

Security Management People
• People involved in cloud security management:
  • Network Team
  • Security Team
  • Apps Team
  • Compliance Team
  • Infrastructure Team
  • All who are involved in the process


Cloud Security Management
Cloud Security Management Standards:
1. ITIL (Information Technology Infrastructure Library)
It is a set of best practices and guidelines that define an integrated, process-based approach for managing information technology services.
Information security is considered an iterative process that must be controlled, planned, implemented, evaluated, & maintained.
2. ISO/IEC 27001 & 27002 (ISO-27001) International Information Security Standards. ISO/IEC: International Organization for Standardization / International Electrotechnical Commission.

Cloud Security Management
Security Management in the cloud:
1. Availability Management (ITIL)
2. Access control (ISO/IEC 27002, ITIL)
  • Control Access (CA) to information
  • Manage user access rights
  • Encourage good access practices
  • CA to network services/OSs/Applications/Systems
  • CA to SaaS, PaaS & IaaS
3. Vulnerability management (ISO/IEC 27002)
4. Patch management (ITIL)
5. Configuration management (ITIL)
6. Incident response (ISO/IEC 27002)
7. System use and access monitoring (ISO/IEC 27002)

Cloud Security Management:
1. Ensure effective governance and compliance
2. Audit operation and business processes
3. Manage people, roles, and identities
4. Proper protection of data
5. Assess security considerations for cloud applications
6. Cloud networks and connections are secure
7. Evaluate security controls and physical infrastructure

Security Management & Monitoring Scope


Security Governance
• Cloud security governance refers to the management model that facilitates effective and efficient security management and operations in the cloud environment so that an enterprise's business targets are achieved.
• Strategic alignment, value delivery, risk mitigation, effective use of resources and performance measurement are key objectives of any IT-related governance model.
• To successfully pursue and achieve these objectives, it is important to understand the operational culture and business and customer profiles of an enterprise, so that an effective security governance model can be customized for the enterprise.

Why Cloud Security Governance?
• Enterprises are increasingly pursuing the business advantages of migrating technology platforms and services into the cloud environment (mainly SaaS, PaaS, IaaS).
• Advantages include rapid information system deployment, significantly reduced operating costs, massive economies of scale, processing speed, and agility (alertness).
• Data breaches, system vulnerabilities, and insufficient identity, credential and access management are some of the typical security challenges in the cloud environment that subscriber enterprises must address.

Cloud Security Governance Challenges
• Lack of senior management participation and buy-in
• Lack of embedded management operational controls
• Lack of operating model, roles, and responsibilities
• Lack of metrics for measuring performance and risk


Key Objectives for Cloud Security Governance
• Strategic Alignment
• Value Delivery
• Risk Mitigation
• Effective Use of Resources
• Sustained Performance

Cloud Portfolio Management (CPM)
• It provides a means by which an organization can control and govern existing services, new services, as well as the Cloud providers and the relationship with them.
• Another key requirement of Cloud Portfolio Management is managing the many different Cloud services from all providers:
  • Manage service equivalents across CSPs
  • Provide cost-effective service equivalents for redundancy
  • Compare compute, storage and network performance, costs and value across CSPs

Key Characteristics of CPM
• Abstracting Multiple Clouds
  • It allows you to operate seamlessly across varied cloud services and private cloud environments.
  • Each cloud will differ in a wide variety of characteristics, including APIs, behaviors (for example how clouds provision storage differently), resource sizes and types, and security capabilities.
• Delivering Self-Service IT
  • It is to provide developers and application teams with self-service access to cloud services.
• Providing Governance and Controls
  • It includes identity and access controls that define what each user can do as well as budget controls that ensure costs stay within approved budgets.
• Automating Lifecycle Management
  • It provides a platform to manage cloud-based applications across their entire lifecycle, from development and test to staging and production, with full visibility and version control.
• Deliver Application SLA (Service Level Agreement)
  • A CPM solution helps organizations to architect and automate applications to deliver both scalability and reliability.


Cloud Security Architecture Design
• A cloud security architecture is defined by the security layers, design, and structure of the platform, tools, software, infrastructure, and best practices that exist within a cloud security solution.
• A cloud security architecture provides the written and visual model to define how to configure and secure activities and operations within the cloud, including such things as:
  • Identity and access management
  • Methods and controls to protect applications and data
  • Approaches to gain and maintain visibility into compliance, threat posture, and overall security
  • Processes for instilling security principles into cloud services development and operations
  • Policies and governance to meet compliance standards
  • Physical infrastructure security components

Key Elements of a Cloud Security Architecture
• Security at Each Layer
• Centralized Management of Components
• Redundant & Resilient Design
• Elasticity & Scalability
• Appropriate Storage for Deployments
• Alerts & Notifications
• Centralization, Standardization, & Automation

Shared Responsibility within Cloud Security Architectures
The types of service models in use by a business define the types of cloud security architectures that are most applicable. The service models are:
• Infrastructure as a Service (IaaS)
• Software as a Service (SaaS)
• Platform as a Service (PaaS)


Principles of Cloud Security Architecture
• Identification
• Security Controls
• Security by Design
• Compliance
• Perimeter Security
• Segmentation
• User Identity and Access Management
• Data encryption
• Automation
• Logging and Monitoring
• Visibility
• Flexible Design

Cloud Security Architecture Threats
IaaS Cloud Security Threats
• Availability disruption through denial-of-service attacks
• Injection flaws
• Broken authentication
• Sensitive data exposure
• XML external entities
• Broken access control
• Security misconfigurations
• Cross-site scripting (XSS)
• Insecure deserialization
• Using components with known vulnerabilities
• Insufficient logging and monitoring
• Data leakage (through inadequate ACL)
• Privilege escalation through misconfiguration
• DoS attack via API
• Weak privileged key protection
• Virtual machine (VM) weaknesses
• Insider data theft

Cloud Security Architecture Threats
PaaS Cloud Security Threats
• Privilege escalation via API
• Authorization weaknesses in platform services
• Run-time engine vulnerabilities
• Availability disruption through denial-of-service attacks
• Injection flaws
• Broken authentication
• Sensitive data exposure
• XML external entities
• Broken access control
• Security misconfigurations
• Cross-site scripting (XSS)
• Insecure deserialization
• Using components with known vulnerabilities
• Insufficient logging and monitoring
• Data leakage (through inadequate ACL)
• Privilege escalation through misconfiguration
• DoS attack via API

Cloud Security Architecture Threats
SaaS Cloud Security Threats
• Weak or immature identity and access management
• Weak cloud security standards
• Zero-day vulnerabilities
• Shadow IT/unsanctioned cloud applications/software
• Service disruption through denial-of-service attacks
• Phishing
• Credential stuffing attacks
• Weak compliance and auditing oversight
• Stolen or compromised credentials
• Weak vulnerability monitoring
Identity Access Management (IAM)
Why IAM?
• Improve operational efficiency
• Regulatory compliance management

Identity Access Management (IAM)
Some of the cloud use cases that require IAM support from the CSP include:
• Employees and on-site contractors of an organization accessing a SaaS service using identity federation (e.g., sales and support staff members accessing Salesforce.com with corporate identities and credentials)
• IT administrators accessing the CSP management console to provision resources and access for users using a corporate identity (e.g., IT administrators of Newco.com provisioning virtual machines or VMs in Amazon's EC2 service, configured with identities, entitlements, and credentials for operating the VMs [i.e., start, stop, suspend, and delete VMs])

Identity Access Management (IAM)
Some of the cloud use cases that require IAM support from the CSP include:
• Developers creating accounts for partner users in a PaaS platform (e.g., developers from Newco.com provisioning accounts in Force.com for Partnerco.com employees contracted to perform business process tasks for Newco.com)
• End users accessing storage service in the cloud (e.g., Amazon S3) and sharing files and objects with users, within and outside a domain, using access policy management features
• An application residing in a cloud service provider (e.g., Amazon EC2) accessing storage from another cloud service (e.g., Mosso)

Identity Access Management (IAM)
Challenges
• One critical challenge of IAM concerns managing access for diverse user populations.
• Another issue is the turnover of users within the organization. Turnover varies by industry and function (e.g., seasonal staffing fluctuations in finance departments).
• Access policies for information are seldom centrally and consistently applied.


Identity Access Management (IAM)
Definitions (AAA)
• Authentication: Authentication is the process of verifying the identity of a user or system (e.g., Lightweight Directory Access Protocol [LDAP] verifying the credentials presented by the user, where the identifier is the corporate user ID that is unique and assigned to an employee or contractor). Authentication usually connotes a more robust form of identification. In some use cases, such as service-to-service interaction, authentication involves verifying the network service requesting access to information served by another service (e.g., a travel web service that is connecting to a credit card gateway to verify the credit card on behalf of the user).

Identity Access Management (IAM)
Definitions (AAA)
• Authorization: Authorization is the process of determining the privileges the user or system is entitled to once the identity is established. In the context of digital services, authorization usually follows the authentication step and is used to determine whether the user or service has the necessary privileges to perform certain operations; in other words, authorization is the process of enforcing policies.

Identity Access Management (IAM)
Definitions (AAA)
• Auditing: In the context of IAM, auditing entails the process of review and examination of authentication, authorization records, and activities to determine the adequacy of IAM system controls, to verify compliance with established security policies and procedures (e.g., separation of duties), to detect breaches in security services (e.g., privilege escalation), and to recommend any changes that are indicated for countermeasures.

Identity Access Management (IAM)
IAM Architecture:
• It is a collection of technology components, processes, and standard practices.
• Standard enterprise IAM architecture encompasses several layers of technology, services, and processes.
• At the core of the deployment architecture is a directory service (such as LDAP or Active Directory).
• It acts as a repository for the identity, credential, and user attributes of the organization's user pool. The directory interacts with IAM technology components such as authentication, user management, provisioning, and federation services that support the standard IAM practice and processes within the organization.
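The three AAA definitions above, worked as a small central authN/authZ service (an added example, not code from the slides or the textbook): authenticate() checks a credential against a directory record standing in for LDAP, authorize() enforces an entitlement policy and records every decision, and audit() reviews those records for the two conditions the Auditing definition names, separation-of-duties violations and privilege escalation. The user IDs, passwords, roles, policy and the bypass record in demo() are all constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed entitlement policy: operation -> roles allowed to perform it.
POLICY = {"create_payment": {"payment_creator"}, "approve_payment": {"payment_approver"}}
SOD_PAIRS = [("create_payment", "approve_payment")]  # no single user may do both on one object

def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_directory():
    """Constructed directory (LDAP stand-in): user ID -> salted hash and roles."""
    seed = [("alice", "Wint3r!", {"payment_creator"}), ("bob", "S0ccer#", {"payment_approver"}),
            ("carol", "Cl0ud$", {"payment_creator", "payment_approver"})]
    directory = {}
    for uid, password, roles in seed:
        salt = os.urandom(16)
        directory[uid] = {"salt": salt, "hash": _pbkdf2(password, salt), "roles": roles}
    return directory

class AAAService:
    def __init__(self, directory):
        self.directory = directory
        self.audit_log = []  # every authN and authZ decision is recorded here

    def authenticate(self, uid, password):
        rec = self.directory.get(uid)
        ok = rec is not None and hmac.compare_digest(rec["hash"], _pbkdf2(password, rec["salt"]))
        self.audit_log.append({"event": "authn", "uid": uid, "ok": ok})
        return ok

    def authorize(self, uid, operation, obj):
        roles = self.directory.get(uid, {}).get("roles", set())
        ok = bool(roles & POLICY.get(operation, set()))  # policy enforcement
        self.audit_log.append({"event": "authz", "uid": uid, "op": operation, "obj": obj, "ok": ok})
        return ok

def audit(service):
    """Review granted authZ records for privilege escalation and SoD violations."""
    findings = {"sod": [], "escalation": []}
    granted = [r for r in service.audit_log if r["event"] == "authz" and r["ok"]]
    for r in granted:  # a grant the directory roles do not justify = escalation
        roles = service.directory.get(r["uid"], {}).get("roles", set())
        if not roles & POLICY.get(r["op"], set()):
            findings["escalation"].append((r["uid"], r["op"], r["obj"]))
    for a, b in SOD_PAIRS:
        did_a = {(r["uid"], r["obj"]) for r in granted if r["op"] == a}
        did_b = {(r["uid"], r["obj"]) for r in granted if r["op"] == b}
        findings["sod"].extend(sorted(did_a & did_b))
    return findings

def demo():
    svc = AAAService(make_directory())
    for uid, pw, op, obj in [("alice", "Wint3r!", "create_payment", "P1"),
                             ("bob", "S0ccer#", "approve_payment", "P1"),
                             ("carol", "Cl0ud$", "create_payment", "P2"),
                             ("carol", "Cl0ud$", "approve_payment", "P2")]:
        if svc.authenticate(uid, pw):
            svc.authorize(uid, op, obj)
    # Constructed record from an app that bypassed the central service: bob holds
    # no creator role, so the audit must flag this grant as privilege escalation.
    svc.audit_log.append({"event": "authz", "uid": "bob", "op": "create_payment", "obj": "P3", "ok": True})
    return audit(svc)
```

Carol's two grants on P2 are each valid under the policy; only the audit over the combined records reveals the separation-of-duties problem, which is why the slides treat auditing as a distinct A.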


Identity Access Management (IAM)
The IAM processes to support the business can be broadly categorized as follows:
• User management: Activities for the effective governance and management of identity life cycles.
• Authentication management: Activities for the effective governance and management of the process for determining that an entity is who or what it claims to be.
• Authorization management: Activities for the effective governance and management of the process for determining entitlement rights that decide what resources an entity is permitted to access in accordance with the organization's policies.
• Access management: Enforcement of policies for access control in response to a request from an entity (user, services) wanting to access an IT resource within the organization.
• Data management and provisioning: Propagation of identity and data for authorization to IT resources via automated or manual processes.
• Monitoring and auditing: Monitoring, auditing, and reporting compliance by users regarding access to resources within the organization based on the defined policies.

Identity Access Management (IAM)
IAM processes support the following operational activities:
• Provisioning: This is the process of on-boarding users to systems and applications. These processes provide users with necessary access to data and technology resources.
• Credential and attribute management: These processes are designed to manage the life cycle of credentials and user attributes (create, issue, manage, revoke) to minimize the business risk associated with identity impersonation and inappropriate account use.
• Entitlement management: Entitlements are also referred to as authorization policies. The processes in this domain address the provisioning and deprovisioning of privileges needed for the user to access resources including systems, applications, and databases.


Identity Access Management (IAM)
IAM processes support the following operational activities:
• Compliance management: This process implies that access rights and privileges are monitored and tracked to ensure the security of an enterprise's resources. The process also helps auditors verify compliance with various internal access control policies and standards that include practices such as segregation of duties, access monitoring, periodic auditing, and reporting.
• Identity federation management: Federation is the process of managing the trust relationships established beyond the internal network boundaries or administrative domain boundaries among distinct organizations. A federation is an association of organizations that come together to exchange information about their users and resources to enable collaborations and transactions.
• Centralization of authentication (authN) and authorization (authZ): A central authentication and authorization infrastructure alleviates the need for application developers to build custom authentication and authorization features into their applications. Furthermore, it promotes a loose coupling architecture where applications become agnostic to the authentication methods and policies.

Identity Access Management (IAM)
Open Authentication (OAuth):
• OAuth is an emerging authentication standard that allows consumers to share their private resources (e.g., photos, videos, contact lists, bank accounts) stored on one CSP with another CSP without having to disclose the authentication information (e.g., username and password).
• OAuth is an open protocol and it was created with the goal of enabling authorization via a secure application programming interface (API), a simple and standard method for desktop, mobile, and web applications. For application developers, OAuth is a method for publishing and interacting with protected data.
• For CSPs, OAuth provides a way for users to access their data hosted by another provider while protecting their account credentials.
Identity Access Management (IAM)
1. Customer web application contacts the Google Authorization service, asking for a request token for one or more Google services.
2. Google verifies that the web application is registered and responds with an unauthorized request token.
3. The web application directs the end user to a Google authorization page, referencing the request token.
4. On the Google authorization page, the user is prompted to log into his account (for verification) and then either grant or deny limited access to his Google service data by the web application.
5. The user decides whether to grant or deny access to the web application. If the user denies access, he is directed to a Google page and not back to the web application.

Identity Access Management (IAM)
6. If the user grants access, the Authorization service redirects him back to a page designated by the web application that was registered with Google. The redirect includes the now authorized request token.
7. The web application sends a request to the Google Authorization service to exchange the authorized request token for an access token.
8. Google verifies the request and returns a valid access token.
9. The web application sends a request to the Google service in question. The request is signed and includes the access token.
10. If the Google service recognizes the token, it supplies the requested data.

Cloud Data Security
Security should be provided to the data at all levels while using Cloud Computing.
1. Data-in-transit
  • Data transmitted in encrypted form
  • Use protocol – HTTPS, FTPS, SCP (Secure Copy program)
2. Data-at-rest
  • The data in storage (server, employer's computer on/off, tape etc.)
  • Stored in an unencrypted form
3. Data Lineage
  • It describes what happens to data when it passes through different stages.
4. Data Remanence
  • It is the residual data which remains on a storage device, like HD, FD, after the task of deleting or erasing data.
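The ten-step OAuth exchange listed under Identity Access Management above, simulated end to end as an added example (not code from the slides, from Google or from the textbook): AuthorizationService plays the Google Authorization service, GoogleService one Google service holding per-user data, and run_flow() the customer web application. The consumer key "travelapp", its secret, the user "ann", the URL and the HMAC-SHA256 signing scheme are constructed assumptions; the real OAuth 1.0 signature base string and token formats differ in detail.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

class AuthorizationService:
    """Stand-in for the Google Authorization service of the slides."""
    def __init__(self, consumers):
        self.consumers = consumers   # registered web apps: consumer key -> secret
        self.request_tokens = {}     # token -> {consumer, scope, user}
        self.access_tokens = {}      # token -> {consumer, scope, user, secret}

    def request_token(self, consumer_key, scope):            # steps 1-2
        if consumer_key not in self.consumers:
            raise PermissionError("web application is not registered")
        token = secrets.token_hex(8)
        self.request_tokens[token] = {"consumer": consumer_key, "scope": scope, "user": None}
        return token  # unauthorized request token

    def user_decision(self, token, user, grant):             # steps 3-6
        rec = self.request_tokens.get(token)
        if rec is None or not grant:
            self.request_tokens.pop(token, None)
            return None  # denial: the user stays on a Google page, no redirect
        rec["user"] = user  # token is now bound to the logged-in user
        return token        # authorized request token carried in the redirect

    def access_token(self, consumer_key, request_token):     # steps 7-8
        rec = self.request_tokens.pop(request_token, None)
        if rec is None or rec["user"] is None or rec["consumer"] != consumer_key:
            raise PermissionError("request token not authorized for this app")
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.access_tokens[token] = {**rec, "secret": secret}
        return token, secret

def sign(method, url, params, consumer_secret, token_secret):
    """Simplified OAuth-1.0-style signature: HMAC over the normalized request."""
    base = "&".join([method, url, urlencode(sorted(params.items()))])
    return hmac.new(f"{consumer_secret}&{token_secret}".encode(), base.encode(), hashlib.sha256).hexdigest()

class GoogleService:
    def __init__(self, authz, name, data):
        self.authz, self.name, self.data = authz, name, data  # per-user data store

    def handle(self, method, url, params, signature):        # steps 9-10
        rec = self.authz.access_tokens.get(params.get("oauth_token"))
        if rec is None or rec["scope"] != self.name:
            raise PermissionError("unknown token or wrong service")
        expected = sign(method, url, params, self.authz.consumers[rec["consumer"]], rec["secret"])
        if not hmac.compare_digest(expected, signature):
            raise PermissionError("bad signature")
        return self.data[rec["user"]]

def run_flow(grant=True):
    # Constructed app 'travelapp' (registered secret 'app-secret') and user 'ann'.
    authz = AuthorizationService({"travelapp": "app-secret"})
    contacts = GoogleService(authz, "contacts", {"ann": ["bob@example.com"]})
    rt = authz.request_token("travelapp", "contacts")
    if authz.user_decision(rt, "ann", grant) is None:
        return None  # the user denied access
    at, at_secret = authz.access_token("travelapp", rt)
    url = "https://contacts.example/feed"
    params = {"oauth_consumer_key": "travelapp", "oauth_token": at, "oauth_nonce": secrets.token_hex(4)}
    return contacts.handle("GET", url, params, sign("GET", url, params, "app-secret", at_secret))
```

Note that the web application never sees the user's Google password: the only secrets it holds are its own consumer secret and the token secret, which is what the slides mean by protecting account credentials.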
