Swami Keshvanand Institute of Technology, Management & Gramothan,
Ramnagaria, Jagatpura, Jaipur-302017, INDIA
Approved by AICTE, Ministry of HRD, Government of India
Recognized by UGC under Section 2(f) of the UGC Act, 1956
Tel.: +91-0141-5160400 Fax: +91-0141-2759555
E-mail: [email protected] Web: www.skit.ac.in
Unit-5: Securing the Cloud
Cloud Security Services:
Cloud security services encompass a range of solutions and tools designed to protect
cloud-based assets, data, and infrastructure from various security threats and
vulnerabilities. These services are typically offered by cloud service providers, specialized
security vendors, or managed security service providers (MSSPs). Here are some common
types of cloud security services:
1. Identity and Access Management (IAM): IAM services help manage user identities,
access privileges, and authentication mechanisms in cloud environments. They enable
organizations to enforce strong access controls, implement multi-factor authentication
(MFA), and manage user permissions centrally.
2. Data Encryption: Encryption services provide mechanisms to encrypt data at rest and in
transit within cloud environments. They help protect sensitive data from unauthorized
access and interception by encrypting it using cryptographic algorithms.
3. Network Security: Network security services include firewalls, intrusion
detection/prevention systems (IDS/IPS), virtual private networks (VPNs), and secure web
gateways (SWG). These services help monitor and control network traffic, detect malicious
activities, and prevent unauthorized access to cloud resources.
4. Endpoint Protection: Endpoint security services protect end-user devices such as laptops,
desktops, and mobile devices accessing cloud resources. They include
antivirus/antimalware software, endpoint detection and response (EDR) solutions, and
mobile device management (MDM) platforms.
5. Security Information and Event Management (SIEM): SIEM services collect, analyze, and
correlate security event data from various sources within the cloud environment. They
provide real-time threat detection, incident response capabilities, and compliance
reporting.
6. Vulnerability Management: Vulnerability management services help identify, prioritize,
and remediate security vulnerabilities in cloud-based systems and applications. They
include vulnerability scanning, patch management, and configuration assessment tools.
7. Security Compliance and Governance: Compliance and governance services assist
organizations in ensuring compliance with industry regulations, standards, and internal
security policies. They provide tools for auditing, risk assessment, policy enforcement, and
security policy management.
8. Security Operations Center (SOC) as a Service: SOC as a Service offerings provide 24/7
monitoring, threat detection, and incident response capabilities from a remote security
operations center. They help organizations detect and respond to security threats in real-time.
9. Cloud Access Security Broker (CASB): CASB services provide visibility and control over
cloud usage within an organization. They enforce security policies, monitor user activity,
and protect data as it moves between on-premises and cloud environments.
10. Managed Security Services (MSS): MSS providers offer a range of managed security
services tailored to the specific needs of cloud environments. These may include managed
detection and response (MDR), security consulting, incident response, and security
analytics.
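As an added illustration of the SIEM correlation described in item 5 (example code written for these notes, not from any SIEM product or vendor): a small rule that flags an account with five or more failed logins from one source address inside a five-minute window, followed by a successful login from that same address. The log format, field names, sample lines and thresholds are all constructed for the example.

```python
"""Added example: a minimal SIEM-style correlation rule.

Flags an account that records `threshold` or more failed logins from one source
address within `window`, followed by a successful login from that same address.
Log format, field names and thresholds are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (syslog-like, documentation IP ranges), not real data.
SAMPLE_LOGS = """\
2024-03-01T10:00:01Z auth sshd LOGIN_FAILED user=alice src=203.0.113.7
2024-03-01T10:00:05Z auth sshd LOGIN_FAILED user=alice src=203.0.113.7
2024-03-01T10:00:09Z auth sshd LOGIN_FAILED user=alice src=203.0.113.7
2024-03-01T10:00:12Z auth sshd LOGIN_FAILED user=alice src=203.0.113.7
2024-03-01T10:00:20Z auth sshd LOGIN_FAILED user=alice src=203.0.113.7
2024-03-01T10:00:31Z auth sshd LOGIN_OK user=alice src=203.0.113.7
2024-03-01T10:05:00Z auth sshd LOGIN_FAILED user=bob src=198.51.100.2
2024-03-01T10:06:00Z auth sshd LOGIN_OK user=bob src=198.51.100.2
"""


def parse_event(line):
    """Split one log line into timestamp, event name and key=value fields."""
    ts, _facility, _program, event, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "event": event,
        "user": fields["user"],
        "src": fields["src"],
    }


def correlate(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per (user, source) pair matching failures-then-success."""
    failures = defaultdict(list)  # (user, src) -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        key = (ev["user"], ev["src"])
        if ev["event"] == "LOGIN_FAILED":
            failures[key].append(ev["ts"])
        elif ev["event"] == "LOGIN_OK":
            # Only failures inside the window before this success count.
            recent = [t for t in failures[key] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({
                    "user": ev["user"],
                    "src": ev["src"],
                    "failures_before_success": len(recent),
                    "success_at": ev["ts"].isoformat(),
                })
            failures[key].clear()  # the sequence has ended either way
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

Run against the sample, the rule raises one alert for `alice` (five failures, then success) and none for `bob`, whose single failure is below the threshold; the window keeps old failures from accumulating indefinitely against a legitimate user.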
Design Principles:
Policy Implementation:
1) Secure cloud accounts and create groups.
2) Check for free security upgrades.
3) Restrict infrastructure access via firewalls.
4) Tether the cloud: manage the cloud properly.
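The following is an added example (written for these notes, not any cloud provider's tooling) of checks that put policy items 1) and 3) into practice: it audits a constructed account inventory for users without MFA, users with no group membership, and a root account holding long-lived access keys, and audits firewall rules for administrative ports reachable from the whole Internet. The record layout, port list and sample data are hypothetical.

```python
"""Added example: configuration checks for policy items 1) and 3).

Checks a constructed account inventory for users without MFA, users with no
group membership (permissions should be granted via groups, not per user), and
a root account with long-lived access keys; and checks firewall rules for
administrative ports open to the whole Internet. The record layout is
hypothetical and not any provider's real API format."""
import ipaddress

# Ports that should never be reachable from 0.0.0.0/0 (constructed list).
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgresql"}

# Constructed inventory, not taken from the notes or a real account.
ACCOUNTS = [
    {"name": "root", "mfa": True, "groups": ["admins"], "access_keys": 0},
    {"name": "dev1", "mfa": False, "groups": ["developers"], "access_keys": 2},
    {"name": "contractor", "mfa": False, "groups": [], "access_keys": 1},
]
FIREWALL_RULES = [
    {"name": "web-in", "port": 443, "cidr": "0.0.0.0/0"},
    {"name": "ssh-office", "port": 22, "cidr": "203.0.113.0/24"},
    {"name": "ssh-any", "port": 22, "cidr": "0.0.0.0/0"},
    {"name": "db-internal", "port": 3306, "cidr": "10.0.0.0/8"},
]


def audit_accounts(accounts):
    """Return a list of findings about account hygiene."""
    findings = []
    for acct in accounts:
        if not acct["mfa"]:
            findings.append(f"{acct['name']}: MFA not enabled")
        if not acct["groups"]:
            findings.append(f"{acct['name']}: not a member of any group")
        if acct["name"] == "root" and acct["access_keys"] > 0:
            findings.append("root: has long-lived access keys")
    return findings


def audit_firewall(rules, admin_ports=ADMIN_PORTS):
    """Return findings for admin ports reachable from the entire address space."""
    findings = []
    for rule in rules:
        net = ipaddress.ip_network(rule["cidr"], strict=False)
        # A /0 prefix covers every address, i.e. the whole Internet (v4 or v6).
        if net.prefixlen == 0 and rule["port"] in admin_ports:
            findings.append(
                f"{rule['name']}: {admin_ports[rule['port']]} (port {rule['port']}) "
                f"open to {rule['cidr']}"
            )
    return findings


if __name__ == "__main__":
    for finding in audit_accounts(ACCOUNTS) + audit_firewall(FIREWALL_RULES):
        print("FINDING:", finding)
```

On the sample data the account audit reports `dev1` and `contractor` (no MFA, and `contractor` is outside every group), while the firewall audit flags only `ssh-any`: HTTPS open to the world is expected for a web tier, and SSH restricted to an office range or a database limited to a private network is not reported.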
Cloud Computing Security Challenges:
• Cost
• Reliability
• Downtime
• Security
• Data Privacy
• Lock-in
Cloud Computing Security Architecture:
• Cloud security can be divided into different categories:
- Security issues faced by the service provider: cloud security mechanisms need to be implemented on the
cloud provided by the service provider.
- Security issues faced by the consumer: the services accessed by the consumer need to be secure.
• Security Dimensions: it consists of:
- Security Domains: the entities included in the cloud, namely users, workstations, devices, computers,
databases and infrastructure.
- Security Risks: loss of privacy, financial loss (personal data loss, file
• Security in Service Delivery Models:
- Security issues in IaaS: a website created using AWS that has not yet been launched is safe, but once it
is launched it is exposed to threats.
- Security issues in PaaS: attacks can target confidentiality, authenticity and privacy.
- Security issues in SaaS: here already-defined software is used by the user, which can be easily
attacked. Possible threats are computer viruses, spyware and installation of programs without user
consent.
- Cloud security applies to 3 different platforms: IaaS, PaaS and SaaS.
- IaaS: application, storage and OS are handled by the user; the vendor handles the hardware.
- PaaS: the user handles only the application; the rest is handled by the vendor.
- SaaS: everything is handled by the vendor, e.g. Salesforce.
Difference between BCP and DRP
Risk Mitigation
Risk mitigation refers to the process of reducing, minimizing, or managing the potential
impact and likelihood of risks to an acceptable level. It involves identifying potential risks,
assessing their likelihood and impact, and implementing strategies to mitigate or control
them. Risk mitigation aims to prevent or minimize the negative consequences of risks on
project objectives, business operations, or organizational goals. Here are some key aspects
of risk mitigation:
1. Risk Identification: The first step in risk mitigation is to identify potential risks that could
affect a project, initiative, or business operation. This involves systematically identifying
and documenting various types of risks, including technical, financial, operational, and
external risks.
2. Risk Assessment: Once risks are identified, they are assessed based on their likelihood of
occurrence and potential impact on objectives. Risk assessment helps prioritize risks and
determine which ones require immediate attention and mitigation efforts.
3. Risk Analysis: Conducting a detailed analysis of identified risks to understand their root
causes, triggers, and potential consequences. This may involve qualitative analysis (e.g., risk
probability and severity assessment) and quantitative analysis (e.g., risk modeling, Monte
Carlo simulations) to evaluate risk exposure accurately.
4. Risk Treatment Strategies: Developing and implementing risk treatment strategies to
mitigate, transfer, avoid, or accept identified risks. Common risk treatment strategies
include risk avoidance (eliminating the risk altogether), risk reduction (implementing
controls to minimize the likelihood or impact of risks), risk transfer (shifting the risk to
another party through insurance or contracts), and risk acceptance (acknowledging and
preparing to deal with the consequences of a risk).
5. Control Implementation: Implementing risk controls and mitigation measures to reduce
the likelihood or impact of identified risks. This may involve implementing technical
controls, process improvements, operational procedures, or contingency plans to address
specific risks.
6. Monitoring and Review: Continuously monitoring and reviewing the effectiveness of risk
mitigation measures and controls to ensure they remain relevant and effective over time.
Regular risk assessments and performance evaluations help identify emerging risks,
changes in risk profiles, and gaps in mitigation efforts.
7. Communication and Reporting: Maintaining open communication channels to ensure
stakeholders are informed about potential risks, mitigation strategies, and progress in risk
management efforts. Transparent reporting on risk exposure, mitigation activities, and
outcomes helps build trust and accountability within the organization.
8. Continuous Improvement: Continuously refining and improving risk mitigation strategies
and processes based on lessons learned, feedback, and changes in the business
environment. Embracing a culture of continuous improvement helps organizations adapt
to evolving risks and challenges effectively.
By systematically identifying, assessing, and addressing risks through proactive risk
mitigation efforts, organizations can minimize the likelihood and impact of adverse events,
enhance resilience, and protect their assets, projects, and operations.
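To make steps 2 to 4 concrete, here is an added example (written for these notes, not from any risk-management framework or tool) that scores a small risk register qualitatively (likelihood × impact), estimates annual loss exposure quantitatively with the Monte Carlo approach mentioned in step 3, and maps each score to one of the four treatment strategies from step 4. The register entries, rating scales, treatment bands and loss figures are all constructed for illustration.

```python
"""Added example: scoring a risk register (qualitative) and estimating annual
loss exposure by Monte Carlo simulation (quantitative), then choosing a
treatment strategy per risk. All register entries, scales, bands and loss
figures are constructed for illustration."""
import random

LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Constructed register: qualitative ratings plus quantitative inputs for the
# simulation (annual probability of occurrence, loss range per occurrence).
RISKS = [
    {"id": "R1", "desc": "leaked cloud access key", "likelihood": "possible",
     "impact": "major", "p_year": 0.3, "loss": (10_000, 100_000), "insurable": False},
    {"id": "R2", "desc": "ransomware on shared file store", "likelihood": "likely",
     "impact": "major", "p_year": 0.1, "loss": (50_000, 500_000), "insurable": True},
    {"id": "R3", "desc": "vendor lock-in price rise", "likelihood": "rare",
     "impact": "minor", "p_year": 0.05, "loss": (1_000, 5_000), "insurable": False},
    {"id": "R4", "desc": "unsupported legacy OS image", "likelihood": "likely",
     "impact": "severe", "p_year": 0.4, "loss": (20_000, 80_000), "insurable": False},
]


def score(risk):
    """Qualitative risk score = likelihood x impact on 1..5 scales (max 25)."""
    return LIKELIHOOD[risk["likelihood"]] * IMPACT[risk["impact"]]


def treatment(risk, accept_max=4, reduce_max=12):
    """Map a score to one of the four treatment strategies (constructed bands)."""
    s = score(risk)
    if s <= accept_max:
        return "accept"
    if s <= reduce_max:
        return "reduce"
    return "transfer" if risk["insurable"] else "avoid"


def expected_annual_loss(risks):
    """Analytic annualised loss: sum of p_year * mean loss per occurrence."""
    return sum(r["p_year"] * (r["loss"][0] + r["loss"][1]) / 2 for r in risks)


def simulate_annual_loss(risks, years=20_000, seed=7):
    """Monte Carlo: in each simulated year every risk occurs with p_year and
    costs a uniformly drawn amount from its loss range; returns mean and p95."""
    rng = random.Random(seed)
    totals = []
    for _ in range(years):
        total = 0.0
        for r in risks:
            if rng.random() < r["p_year"]:
                total += rng.uniform(*r["loss"])
        totals.append(total)
    totals.sort()
    return {"mean": sum(totals) / years, "p95": totals[int(0.95 * years)]}


def prioritise(risks):
    """Risks ordered by score, highest first, each with its treatment."""
    ranked = sorted(risks, key=score, reverse=True)
    return [(r["id"], score(r), treatment(r)) for r in ranked]


if __name__ == "__main__":
    for row in prioritise(RISKS):
        print(row)
    print("analytic ALE:", round(expected_annual_loss(RISKS)))
    print("simulated:", simulate_annual_loss(RISKS))
```

The simulated mean converges on the analytic figure (here about 64,150 per year), while the 95th percentile shows the tail a budget or insurance decision has to cover; the qualitative ranking drives which treatment is chosen, and the quantitative figure sizes how much it is worth spending on it.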
SLA
Service Level Agreements (SLAs) in the context of cloud computing are formal agreements
between a cloud service provider and a customer that define the level of service,
performance, availability, and support that the provider guarantees to deliver. SLAs play a
crucial role in establishing clear expectations, ensuring accountability, and maintaining
trust between cloud service providers and their customers. Here are key aspects of SLAs in
cloud computing:
1. Service Scope: SLAs define the scope of services provided by the cloud service provider,
including the specific cloud services, features, and functionalities covered under the
agreement. This helps customers understand what they can expect from the provider and
ensures alignment with their business requirements.
2. Performance Metrics: SLAs specify measurable performance metrics and service level
objectives (SLOs) that determine the quality of service delivered by the cloud provider.
Performance metrics may include parameters such as response time, throughput, latency,
availability, uptime, and reliability.
3. Availability and Uptime Guarantees: Cloud SLAs typically include availability guarantees
that specify the minimum uptime percentage or maximum downtime allowed for the cloud
services covered under the agreement. Providers commit to maintaining the agreed-upon
availability levels to ensure uninterrupted access to services.
4. Response and Resolution Times: SLAs may define response and resolution times for
addressing customer inquiries, service requests, and technical issues. Response times
indicate the maximum time it takes for the provider to acknowledge a customer's request,
while resolution times specify the timeframe within which the provider resolves the issue.
5. Scalability and Performance Scaling: SLAs may address the scalability and performance
scaling capabilities of cloud services, particularly in response to fluctuations in demand or
workload. Providers may commit to dynamically scaling resources to accommodate
changes in traffic and ensure consistent performance levels.
6. Security and Compliance: SLAs may include provisions related to security controls, data
protection measures, and compliance with regulatory requirements. Providers may specify
security-related commitments such as data encryption, access controls, security
monitoring, and compliance certifications.
7. Disaster Recovery and Business Continuity: SLAs may outline the provider's disaster
recovery and business continuity capabilities, including backup procedures, data
replication, failover mechanisms, and recovery time objectives (RTOs) and recovery point
objectives (RPOs) for recovering from outages or disasters.
8. Support and Maintenance: SLAs define the levels of support and maintenance services
provided by the cloud provider, including technical support availability, response channels,
escalation procedures, and service credits or penalties for SLA violations.
9. Service Credits and Remedies: SLAs may specify remedies, incentives, or penalties in the
form of service credits or financial compensation for failing to meet agreed-upon service
levels. Service credits may be provided to customers affected by downtime or performance
degradation as compensation for the loss of service.
10. Monitoring and Reporting: SLAs typically include provisions for monitoring service
performance, collecting metrics, and generating regular reports to track compliance with
SLA requirements. Providers and customers use performance data and SLA reports to
assess service quality, identify areas for improvement, and ensure transparency and
accountability.
Overall, SLAs serve as contractual agreements that define the mutual responsibilities,
expectations, and commitments between cloud service providers and customers.
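As an added example of how the availability guarantee (item 3), the monitoring data (item 10) and the service credits (item 9) fit together, the following code, written for these notes and not taken from any provider's SLA, computes one month's availability from a list of outage records and maps it to a credit tier. It clips outages to the reporting month, excludes a scheduled maintenance window (a common SLA exclusion), and merges overlapping outages so they are not double-counted. The credit schedule, outage records and maintenance window are constructed.

```python
"""Added example: computing monthly availability from outage records and mapping
it to a service-credit tier. The credit schedule, the outage records and the
maintenance window are constructed for illustration and are not any provider's
actual SLA terms."""
from datetime import datetime

# Constructed credit schedule: (minimum monthly availability %, credit % of bill),
# checked from the highest tier downwards.
CREDIT_TIERS = [(99.9, 0), (99.0, 10), (95.0, 25), (0.0, 100)]


def tier_credit(availability_pct, tiers=CREDIT_TIERS):
    """Service credit owed for a given monthly availability figure."""
    for floor, credit in tiers:
        if availability_pct >= floor:
            return credit
    return tiers[-1][1]


def _clip(start, end, lo, hi):
    """Restrict an interval to the [lo, hi) reporting period; None if empty."""
    s, e = max(start, lo), min(end, hi)
    return (s, e) if s < e else None


def _subtract(interval, windows):
    """Remove excluded windows (e.g. scheduled maintenance) from one interval."""
    pieces = [interval]
    for w_start, w_end in windows:
        remaining = []
        for s, e in pieces:
            if w_end <= s or w_start >= e:  # no overlap with this window
                remaining.append((s, e))
                continue
            if s < w_start:
                remaining.append((s, w_start))
            if w_end < e:
                remaining.append((w_end, e))
        pieces = remaining
    return pieces


def _merge(intervals):
    """Coalesce overlapping intervals so concurrent outages are counted once."""
    merged = []
    for s, e in sorted(intervals):
        if merged and s <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], e))
        else:
            merged.append((s, e))
    return merged


def monthly_availability(outages, year, month, maintenance=()):
    """Downtime minutes, availability % and credit % for one calendar month.

    `outages` and `maintenance` are (start, end) pairs of ISO-8601 strings."""
    lo = datetime(year, month, 1)
    hi = datetime(year + 1, 1, 1) if month == 12 else datetime(year, month + 1, 1)
    total_min = (hi - lo).total_seconds() / 60
    windows = [(datetime.fromisoformat(a), datetime.fromisoformat(b)) for a, b in maintenance]
    pieces = []
    for a, b in outages:
        clipped = _clip(datetime.fromisoformat(a), datetime.fromisoformat(b), lo, hi)
        if clipped:
            pieces.extend(_subtract(clipped, windows))
    downtime_min = sum((e - s).total_seconds() / 60 for s, e in _merge(pieces))
    availability = 100 * (total_min - downtime_min) / total_min
    return {
        "downtime_min": downtime_min,
        "availability_pct": round(availability, 4),
        "credit_pct": tier_credit(availability),
    }


# Constructed outage log for March 2024: one outage inside a maintenance window,
# two overlapping outages, and one that runs past the end of the month.
OUTAGES = [
    ("2024-03-05T02:00:00", "2024-03-05T02:45:00"),
    ("2024-03-20T13:00:00", "2024-03-20T14:30:00"),
    ("2024-03-20T14:00:00", "2024-03-20T14:10:00"),
    ("2024-03-31T23:30:00", "2024-04-01T00:30:00"),
]
MAINTENANCE = [("2024-03-05T02:00:00", "2024-03-05T03:00:00")]

if __name__ == "__main__":
    print(monthly_availability(OUTAGES, 2024, 3, MAINTENANCE))
```

For the sample month only 120 of the 165 raw outage minutes count (the maintenance-window outage is excluded, the overlapping outage is merged, and the month-end outage is cut at midnight), giving roughly 99.73% availability and, under the constructed schedule, a 10% credit. The exclusions are exactly the details a customer should read carefully in a real SLA, since they decide whether a given incident counts at all.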
Trust Management in Cloud:
Trust management in cloud computing involves establishing and maintaining trust
relationships between cloud service providers (CSPs) and cloud consumers (organizations
or individuals) to ensure the secure and reliable delivery of cloud services. Trust is essential
in cloud computing due to the inherent risks associated with outsourcing sensitive data,
applications, and infrastructure to third-party providers. Here are key aspects of trust
management in cloud computing:
1. Transparency and Accountability: CSPs should be transparent about their security
practices, data handling policies, and compliance with regulatory requirements. Providing
clear and detailed information about their infrastructure, security controls, certifications,
and audit reports helps build trust with cloud consumers.
2. Security Assurance: CSPs must implement robust security measures to protect cloud
environments from unauthorized access, data breaches, and other security threats. This
includes implementing encryption, access controls, authentication mechanisms, intrusion
detection/prevention systems, and regular security audits to ensure the confidentiality,
integrity, and availability of cloud services.
3. Compliance and Regulatory Requirements: CSPs should adhere to relevant industry
standards, regulations, and compliance frameworks governing data privacy, security, and
confidentiality. Obtaining certifications and attestations such as ISO 27001, SOC 2 and PCI DSS,
and demonstrating compliance with regulations such as HIPAA and GDPR, shows a commitment
to compliance and helps build trust with customers who have specific regulatory requirements.
4. Service Level Agreements (SLAs): SLAs define the terms, conditions, and performance
metrics associated with cloud services, including availability, uptime, response times, and
support. CSPs should meet or exceed SLA commitments to maintain trust and confidence
in their ability to deliver reliable and high-quality services.
5. Risk Management: CSPs should conduct risk assessments, vulnerability scans, and
penetration tests to identify and mitigate potential security risks and vulnerabilities in
cloud environments. Implementing proactive risk management strategies helps minimize
the likelihood and impact of security incidents, enhancing trust with cloud consumers.
6. Data Protection and Privacy: CSPs must ensure the protection of sensitive data stored,
processed, or transmitted in the cloud. This includes implementing data encryption, access
controls, data loss prevention (DLP) mechanisms, and privacy-enhancing technologies to
safeguard customer data and comply with privacy regulations.
7. Incident Response and Transparency: In the event of a security incident or data breach,
CSPs should have effective incident response plans and procedures in place to contain the
incident, mitigate the impact, and notify affected customers promptly. Maintaining
transparency and open communication about security incidents helps preserve trust and
credibility with cloud consumers.
8. Continuous Improvement: CSPs should continuously monitor, evaluate, and improve
their security posture, infrastructure, and processes to adapt to evolving threats and
industry best practices. Demonstrating a commitment to continuous improvement and
innovation fosters trust and confidence in the long-term reliability and security of cloud
services.
9. Customer Engagement and Feedback: CSPs should actively engage with customers,
solicit feedback, and address concerns or issues related to service quality, security, and
performance. Building strong relationships with customers and being responsive to their
needs helps strengthen trust and loyalty in cloud services.
10. Third-Party Assurance and Audits: CSPs may undergo independent third-party
assessments, audits, and certifications to validate their security controls, compliance
posture, and trustworthiness. Sharing audit reports and assessment results with customers
provides additional assurance and transparency, enhancing trust in cloud services.
Overall, trust management in cloud computing requires a multi-faceted approach that
encompasses security, compliance, transparency, risk management, and customer
engagement.