Cloud Security
Cloud Security
Cloud security refers to a broad set of policies, technologies, and
controls deployed to protect data, applications, and the
associated infrastructure of cloud computing.
It is a sub‐domain of computer security, network security, and,
more broadly, information security.
Security Concerns
• Security issues faced by Customers
• Security issues faced by Cloud Providers
1
�Cloud Security Concerns
Security issues faced by Customers
• When an organization elects to store data or host applications
on the public cloud, it loses its ability to have physical access to
the servers hosting its information.
• As a result, potentially sensitive data is at risk from insider
attacks.
• User must take measures to fortify their applications and use
strong passwords and authentication measures.
Cloud Security Concerns
Security concerns faced by Cloud Providers
• The provider must ensure that their infrastructure is secure
and that their clients’ data and applications are protected.
• Cloud Service providers must ensure that thorough
background checks are conducted for employees who have
physical access to the servers in the data center.
• Additionally, data centers must be frequently monitored for
suspicious activity.
2
�Cloud Security Concerns
Security concerns faced by Cloud Providers
• In order to conserve resources, cut costs, and maintain
efficiency, Cloud Service Providers often store more than one
customer's data on the same server. [Multitenancy]
• As a result, there is a chance that one user's private data can
be viewed by other users (possibly even competitors).
• To handle such sensitive situations, cloud service providers
should ensure proper data isolation and logical storage
segregation.
Cloud Security Concerns
The extensive use of virtualization in implementing cloud
infrastructure brings unique security concerns for customers or
tenants of a public cloud service.
• Virtualization alters the relationship between the OS and
underlying hardware ‐ be it computing, storage or even
networking. This introduces an additional layer ‐ virtualization
‐ that itself must be properly configured, managed and
secured.
• Specific concerns include the potential to compromise the
virtualization software, or "hypervisor". For example, a breach
in the administrator workstation with the management
software of the virtualization software can cause the whole
datacenter to go down or be reconfigured to an attacker's
liking.
3
�Cloud Security Controls
Cloud security architecture is effective only if the
correct defensive implementations are in place.
Security Controls
An efficient cloud security architecture should
recognize the issues that will arise with security
management. The security management addresses
these issues with security controls.
These controls are put in place to safeguard any
weaknesses in the system and reduce the effect of an
attack.
Cloud Security Controls
While there are many types of controls behind a cloud
security architecture, they can usually be found in one
of the following categories:
• Deterrent Controls
• Preventive Controls
• Detective Controls
• Corrective Controls
4
�Cloud Security Controls
Deterrent Controls
These controls are intended to reduce attacks on a cloud system.
Much like a warning sign on a fence or a property, deterrent controls
typically reduce the threat level by informing potential attackers that
there will be adverse consequences for them if they proceed.
Preventive Controls
Preventive controls strengthen the system against incidents,
generally by reducing if not actually eliminating vulnerabilities.
Strong authentication of cloud users, for instance, makes it less likely
that unauthorized users can access cloud systems, and more likely
that cloud users are positively identified.
Cloud Security Controls
Detective controls
Detective controls are intended to detect and react
appropriately to any incidents that occur.
In the event of an attack, a detective control will signal the
preventative or corrective controls to address the issue.
System and network security monitoring, including intrusion
detection and prevention arrangements, are typically
employed to detect attacks on cloud systems and the
supporting communications infrastructure.
5
� Cloud Security Controls
Corrective controls
They come into effect during or after an incident.
Corrective controls reduce the consequences of an incident,
normally by limiting the damage.
Restoring system backups in order to rebuild a compromised
system is an example of a corrective control.
Cloud Security Reference Model
6
�Dimensions of Cloud Security
Dimensions of Cloud Security
7
�Dimensions of Cloud Security
Dimensions of Cloud Security
8
�Dimensions of Cloud Security
Security and Privacy
Identity Management
Identity management, also known as Identity and Access
Management (IAM) is, a discipline that "enables the right
individuals to access the right resources at the right times and for
the right reasons“.
Every enterprise may have its own identity management system to
control access to information and computing resources.
Cloud providers either integrate the customer’s identity
management system into their own infrastructure (using federation
or SSO technology, or a biometric‐based identification system) or
provide an identity management system of their own.
9
�Security and Privacy
Identity Management
CloudID, for instance, provides privacy‐preserving cloud‐based and
cross‐enterprise biometric identification.
It links the confidential information of the users to their biometrics
and stores it in an encrypted fashion.
Making use of a searchable encryption technique, biometric
identification is performed in encrypted domain to make sure that
the cloud provider or potential attackers do not gain access to any
sensitive data or even the contents of the individual queries.
Security and Privacy
Physical Security
Cloud service providers must physically secure the IT hardware
(servers, routers, cables etc.) against unauthorized access,
interference, theft, fires, floods etc. and ensure that essential
supplies (such as electricity) are sufficiently robust to minimize the
possibility of disruption.
This is normally achieved by serving cloud applications from 'world‐
class' (i.e. professionally specified, designed, constructed, managed,
monitored and maintained) data centers.
10
�Security and Privacy
Personnel Security
Personnel security is a system of policies and procedures which
seek to mitigate the risk of workers (insiders) exploiting their
legitimate access to an organization's assets for unauthorized
purposes.
Personnel Security concerns can be handled through pre and post
employment activities such as security screening potential recruits,
security awareness and training programs, etc.
Security and Privacy
Privacy
Privacy is the ability of an individual or group to seclude
themselves, or information about themselves.
Service Providers must ensure that all critical data (credit card
numbers, for example) are masked or encrypted and that only
authorized users have access to data in its entirety.
Moreover, digital identities and credentials must also be protected.
11
�Data Security
Confidentiality
Data confidentiality is the property that data contents are not made
available or disclosed to illegal users.
Outsourced data is stored in a cloud and out of the owners' direct
control. Only authorized users should have access to the sensitive
data while others, including CSPs, should not gain any information
of the data.
Meanwhile, there is a need of means to fully utilize cloud data
services, e.g., data search, data computation, and data sharing,
without the leakage of the data contents to CSPs or other
adversaries.
Data Security
Access Controllability
Access controllability means that a data owner can perform the
selective restriction of access to his data outsourced to cloud.
Legal users can be authorized by the owner to access the data,
while others can not access it without permissions.
Further, it is desirable to enforce fine‐grained access control to the
outsourced data, i.e., different users should be granted different
access privileges with regard to different data pieces.
The access authorization must be controlled only by the owner in
untrusted cloud environments.
12
�Data Security
Integrity
Data integrity demands maintaining and assuring the accuracy and
completeness of data.
A data owner always expects that his data in a cloud can be stored
correctly and trustworthily. It means that the data should not be
illegally tampered, improperly modified, deliberately deleted, or
maliciously fabricated.
If any undesirable operations corrupt or delete the data, the owner
should be able to detect the corruption or loss.
Further, when a portion of the outsourced data is corrupted or lost,
it should still be retrieved by the data users.
References
• https://en.wikipedia.org/wiki/Cloud_computing_security
• https://cloudsecurityalliance.org/
13
