Unit5 Part 1

Chapter 6 discusses cloud security, outlining the current security landscape and the various risks associated with cloud computing. It highlights fundamental concerns such as data integrity, privacy, and authentication, as well as the implications of cloud service provider choices. The chapter also categorizes cloud risks into technical, legal, and organizational aspects, emphasizing the importance of understanding these risks for effective cloud security management.

Uploaded by

Shashi sehgal
Copyright: © All Rights Reserved

CHAPTER 6
Cloud Security and Existing Security Solutions

Learning Objectives

After reading this chapter, you will be able to:

1. Provide a realistic picture of the current cloud security scenario.
2. Understand the detailed analysis of cloud security concerns and various categories of cloud risks.
3. Know about VM security challenges.
4. Understand cloud computing security architecture.
5. Understand open source security solution products in cloud.
6. Learn about the popular vulnerability assessment tool for cloud.

6.1 Cloud Security Fundamentals

Cloud security is the first and foremost concern of every industry using cloud services. A cloud vendor must ensure that the customer does not face any difficulties such as loss of data or data theft. There is a possibility that a malicious user can go through the cloud by impersonating a legal user, thereby infecting the cloud services and hence affecting various customers sharing the malicious cloud services. Data integrity, privacy issues, authentication issues, data loss, user-level security and vendor-level security are some of the basic concerns of cloud computing. These fundamental problems in the cloud computing scenario can be defined as cloud risks.

6.2 Cloud Risk

When applications, infrastructure, data and storage are hosted by cloud providers, there is a huge chance of risk in each type of service offering. This is known as a cloud risk. Several aspects apart from cost and offered services must be evaluated before choosing a particular cloud provider. Security is of utmost importance while considering a cloud computing environment. Sometimes, the physical location of the servers may also be a factor for sensitive data.
6.3 Cloud Risk Division

Cloud risks can be divided into the following four major categories:

1. Organizational risks
2. Technical risks
3. Legal risks
4. Other risks

These risks are discussed in detail in the following subsections.

6.3.1 Organizational Risks

Following are the organizational risks:

1. Lock-in: Since the services of different cloud providers are not interoperable and there is a lack of standards, moving services, applications and data from one provider to another may be impossible. For example, services created using AWS EC2 cannot be used with other cloud providers. Lock-in can be of the following types: SaaS lock-in, PaaS lock-in and IaaS lock-in.

2. Loss of governance: The customer hands over control to the cloud provider. The terms and conditions of the service may not offer guarantees on this, which could lead to a deterioration of performance, quality of service and availability, and a loss of control over the data and its management.

3. Compliance challenges: Cloud providers may not meet the certifications (such as SAS 70, PCI DSS and HIPAA) that a customer needs, for example for credit card-related transactions, because the provider has not been certified or because it sub-contracts parts of the service to third parties. The provider may also not follow industry-recommended best practices. The Cloud Security Alliance (CSA) has started the Trusted Cloud Initiative, a certification program for cloud providers based on industry-recommended best practices.

6.3.2 Technical Risks

Following are the technical risks:

1. Resource exhaustion: Cloud resources are allocated on demand on a pay-per-use basis. Inadequate capacity planning, failures in the resource allocation algorithms and attacks such as distributed denial of service or economic denial of service can exhaust the resources, leading to service unavailability, performance degradation and financial loss.

2. Isolation failure: Multi-tenancy and resource sharing are defining characteristics of cloud computing. Failure of the mechanisms separating storage, memory and routing between different tenants (for example, guest-hopping attacks) could affect the confidentiality and integrity of other clients' data.

3. Malicious insider: Cloud architectures require some roles with very high privileges, such as employees of the provider with physical access to the infrastructure. A malicious insider in such a role could cause a very high impact on the confidentiality, integrity and availability of the customer's data and services.

4. Intercepting data in transit: Data has to be transferred between the customer's premises and the cloud, and between datacenters of the provider; it is therefore vulnerable to sniffing, spoofing and man-in-the-middle attacks.

5. Insecure or ineffective deletion of data: When a request to delete data is made, it may not result in true wiping of the data, because copies of the data are stored on multiple disks and may remain available after the service is terminated.

6. Compromise of service engine: The service engine (the hypervisor, or the platform abstraction in PaaS) sits above the physical hardware and isolates the customers from one another. A malicious user who escapes (jailbreaks) this layer may gain unauthorized access to other customers' data and resources, or cause denial of service (DoS attacks).

7. Conflicts between customer hardening procedures and cloud environment: Cloud providers follow their own hardening procedures for the operating systems and services they offer (for example, a Linux LAMP server or a Windows server). The customer's own hardening procedures, which are considered best practice in traditional environments, may conflict with those of the provider and cannot always be applied inside the cloud.

8. Malicious probes or scans: Probes and scans are indirect threats to the customer's assets; they can be used to collect information about the cloud environment and the customer's data, which leads to a loss of confidentiality.

9. Loss of encryption keys: This includes the disclosure of secret keys (SSL keys, file encryption keys, customer private keys) or passwords, and the loss or corruption of those keys. Such a loss compromises authentication, non-repudiation (digital signature) mechanisms and the confidentiality of data.

6.3.3 Legal Risks

Following are the legal risks:

1. Risk from changes of jurisdiction: Customer data may be held in datacenters in several countries and jurisdictions, some of which may be high-risk, with an unpredictable legal framework. The data may become subject to local law enforcement authorities, including seizure of data and disclosure to third parties.

2. Data protection risks: It can be difficult for the customer to effectively check the data processing carried out by the cloud provider and to make sure that the data is handled in a lawful way, since the provider may not be transparent about how and where the data is processed.

3. Licensing risks: Licensing conditions, such as per-seat agreements and online licensing checks, may become unusable in a cloud environment. For example, if software is charged per instance, the cost may increase exponentially as the number of cloud instances increases.

6.3.4 Other Risks

Following are other risks, which are mainly related to the physical security of the datacenter:

1. Natural disasters: Natural disasters can make a datacenter unavailable. Generally, cloud providers have redundancy and disaster recovery procedures, with multiple datacenters in different regions and availability zones, so the impact is less compared to a traditional datacenter.

2. Theft of computer equipment: Physical machines or backups may be lost or stolen. Although the physical security of cloud datacenters is generally stronger than that of on-premises datacenters, the customer has to rely on the provider's physical security procedures.

3. Unauthorized access to datacenter: Inadequate physical access control may allow an unauthenticated person to access the datacenter facilities. Physical access control, dual authentication and monitoring must be in place.

6.4 Cloud Computing Security Architecture

Figure 6.1 shows a generic cloud security architecture, which has been proposed on the basis of a research-based categorization of cloud security concerns. The architecture has four layers: the physical layer, the infrastructure or VM layer (IaaS), the service layer (SaaS, PaaS) and the user layer. Each layer has its own security issues, which are described in the following section.
Following are the four layers of the cloud security architecture and the security features of each:

1. Physical layer: This layer covers the physical security of the datacenter and its hardware, for which the cloud provider is fully responsible.

2. VM layer: This layer covers virtualization, VM isolation and hypervisor security.

3. Service layer: This layer covers the service level agreement (SLA), metering, compliance and audit.

4. User layer: This layer covers identity management, authentication, authorization, browser security and user interaction.

Figure 6.1 Cloud security architecture (layers shown: Physical layer, VM layer, Service layer, User layer).

6.5 VM Security Challenges

As discussed in Chapter 2, virtualization is the key technology of cloud computing and provides unbelievable benefits. Unfortunately, the downside is security: over the last couple of years, we have observed many virtualization-related vulnerabilities, and the consequences of some of them are not fully understood. Following is a listing of the key items to consider for VM security; alertness of both the vendor and the user is required for all of them:
1. VM escape: In an ideal case, a program running inside a VM should not be able to access the host or the other VMs. VM escape is the situation where a program running inside a VM bypasses the isolation provided by the hypervisor, usually through a bug in the virtualization software, and gains access to the host with the host's privileges. This is the most critical virtualization-related threat, because the host controls all the VMs running on it.

2. VM monitoring from the host: The host is a privileged place from where the VMs are controlled. Normally the host can start, stop, pause and restart VMs; monitor and configure the resources available to each VM (number of CPUs, memory, virtual disks and network interfaces); view, copy and modify the files and applications stored inside a VM; and monitor the network traffic passing through the VMs. Therefore, the security of the VMs totally depends on the security of the host.

3. VM monitoring from another VM: One VM should not be able to monitor or access another VM's memory, disks or network traffic. This depends on strict isolation enforced by the hypervisor; if the isolation is not strict, a VM can monitor and affect the VMs co-hosted with it.

4. Communication between VMs and host: VMs and the host communicate through the virtual network and through virtual terminals. In some implementations, keystrokes and screen updates passing across virtual terminals between the host and the guest VMs may be logged, so this communication channel must be secured as well.

5. Denial of service: In a virtualized environment, the physical resources (CPU, memory, disk and network) are shared between the host and the VMs. One VM taking all the available resources creates a denial of service for the other VMs and the host. The hypervisor should prevent any VM from taking full control of the shared resources, for example by limiting the resource allocation to each VM.

6. External modification of VM: The VM image and its files can be modified from outside the VM, on the disk where they are stored. Integrity checking and digital signing of VM images should be used so that a modified or corrupted VM is not executed.

7. External modification of hypervisor: The hypervisor itself must be self-protected and secured, since all the VMs depend on it. Patches and updates to the hypervisor should be digitally signed and applied carefully, and access to the hypervisor should be restricted.

8. Resource contention: High loads or resource-consuming applications in one VM can hamper the performance of the other VMs on the same host. Resource allocation should take care of this, and mission-critical applications such as databases should be placed on dedicated hosts.

9. Mixed trust levels: If VMs of different trust levels are hosted on the same machine with a shared network channel, and the virtual network is set up like a hub, one VM could sniff the packets of other VMs or perform ARP poisoning and spoofing attacks. Virtual firewalls and restrictions among VMs should be properly configured, and antivirus and malware protection should also be used inside every VM.
6.6 Vulnerability Assessment Tool for Cloud

As discussed earlier, cloud providers such as AWS offer their own security services, for example CloudHSM (a dedicated hardware security module for storing cryptographic keys), CloudTrail, CloudWatch, Trusted Advisor and Identity and Access Management. In addition, the customer must take care of security inside each VM. For example, antivirus software must be installed in every VM; since each VM is an independent entity, this consumes memory and other resources on every VM, so the resource footprint and performance of the security software are a concern. Third-party security service providers address these requirements, and some popular ones are discussed in the following subsections.

6.6.1 Netskope

Netskope (Fig. 6.2) is a cloud app security solution which monitors the cloud apps used in an organization and the activity of their users.

6.6.1.1 Features

Following are the key features of Netskope:

1. Provides a single point of control for all the cloud apps used by the organization.
2. Creates granular policies based on the user, device, location, activity and app (for example, blocking the downloading of data from a particular app).
3. Provides a detailed audit trail and report of all activity in every cloud app.
4. Provides a security assessment of each cloud app, since some apps are more vulnerable than others.
Figure 6.2 Netskope. (From www.netskope.com)

6.6.2 CipherCloud

CipherCloud (Fig. 6.3) is a cloud security platform which encrypts data directly at the gateway, before the data is sent to the cloud. It protects more than 2.5 million business users and 250 million customer records, and has seen tremendous growth over the last few years.

Figure 6.3 CipherCloud.

6.6.2.1 Features

Following are the key features of CipherCloud:

1. Delivers comprehensive security for business data across clouds (for example, Google, Microsoft and Salesforce.com applications).
2. Discovers and assesses the cloud applications in use, with precise visibility of users, devices and risk.
3. Encrypts data during uploading and decrypts it during downloading, so that the cloud provider stores only encrypted data.
4. Provides data loss prevention and consistent security policies across cloud applications.

6.6.3 Skyhigh Networks

Skyhigh Networks (Fig. 6.4) is a cloud security solution which enables IT to discover, analyze and secure the cloud services used by employees.

6.6.3.1 Features

Following are the key features of Skyhigh Networks:

1. Identifies all the cloud services in use across the organization.
2. Analyzes usage patterns and contextual data, and detects insider threats, malware and privacy breaches.
3. Grants granular, contextual access to cloud services and applies security policies during the process.
4. Enables IT to consolidate, analyze and manage cloud service subscriptions.

Skyhigh uses reverse proxy technology, so it works without installing agents on devices or using VPNs; it is pre-integrated with many cloud services and can also encrypt data.

Figure 6.4 Skyhigh Networks. (Courtesy Skyhigh Networks)
138
businesS
3. 2.Following 1. 6.6.5.1 checksnetworkQualys Qualys
6.6.5 4. 3. 2. Following1. 6.6.4.1 Okta
arnd PaaS.
and control Okta apps. Okta applications.
problem. Okta CHAPTER
Qualys Jualys Qualys the (Fig. Okta appcloud
fix Features security, Features
are
vulnerabilities also helps supports offers are Gokta or
the
helps security can the 6.6) for solution
provides
each managing
the mobile 6
nerabilities quickly multiple
in key security key of CLOUD
of Web type full ACCESS
seeing solution featuresQualys features Okta provides
app.
app role-based user APPS

scan of
solution of access authentication SECURITY
the your cycle; Figure This
security, access. of
details
very uses all of
Okta: servicesingle
automation
quickly. WeQualys:
b network
covers administration organizations
policies 6.5 eoiove
sign AND
of apps threat eliminates
all and all from factor
Okta. VicES phets on
EXISTING
urity keeping security
uttaert
(SSO)
cloud aspects (From Customer
AON
to one can and the
test through
centralized
Fata
for SECURITY
data services. and deploy ad

cks the of provides www.okta.com) prodycte


Conyany
Resrces need all
safe cloud types
entire compliance which their of
gh time SOLUTIONS
whenever services position of
Web we own support cloud
authentication
LDAP service I
DIRECTORY
veone can
application
more including
moonitoring. to for
youare set control OKTA
FEETRY

more solution mobile


providers
using asset all for
proactielyIt granular
cloud without devices
oard. ef iciently Saas, discovery
-based service.
each
sincluding
la s leve any and

Figure 6.6 Features of Qualys (From www.qualys.com): asset management (discover, organize and tag assets; dynamically and automatically scan Web applications, servers, websites and devices), vulnerability assessment (interactively view attacks on the security posture of the network, predict and identify needed patches, find and report vulnerabilities, prioritize and manage remediation, track zero-day threats, WAF), compliance (PCI, HIPAA, GRC, ERM, FISMA, GLBA and others), across the perimeter, corporate networks and Amazon EC2 Web instances.

6.6.6 Vaultive

Vaultive works on the principle of transparency: data is encrypted before it leaves the customer's network, the encryption takes place on the customer's side and the customer holds the encryption keys, so the keys never leave the customer's control. Following are the features of Vaultive:

1. Encryption of data and files before they move to the cloud, with the keys held by the customer and not by the cloud provider.
2. Transparent operation with cloud services: the encryption engine works directly with the cloud application, and Vaultive verifies the certificates of the services it connects to.
3. Compliance support for regulations like PCI, HIPAA and others.
4. Enablement of the customer's own security policies and procedures (for example, password policies) for its employees.
There are many commercial cloud security solution products; some of those are as follows:

1. Boxcryptor (www.boxcryptor.com)
2. Centrify (www.centrify.com)
3. Zscaler (www.zscaler.com)
4. HyTrust (www.hytrust.com)
5. Prevoty (www.prevoty.com)
6. Bitium (www.bitium.com)
7. SilverSky (www.silversky.com)

6.7 Open Source Cloud Security Solution Products

Most cloud security products are provided by third-party companies, and users need to pay for those services. There are some open source cloud security solutions also, which can be downloaded and used by anyone. Here we discuss some of the most prominent open source products for cloud security.

OSSEC (www.ossec.net): OSSEC (also called OSSEC-HIDS) is a host-based intrusion detection system (HIDS). According to the OSSEC website, "OSSEC is a scalable, multi-platform, open source host-based intrusion detection system. It has a powerful correlation and analysis engine, integrating log analysis, file integrity checking, Windows registry monitoring, centralized policy enforcement, rootkit detection, real-time alerting and active response. It runs on most operating systems, including Linux, OpenBSD, FreeBSD, MacOS, Solaris and Windows." OSSEC works on a server-client model and has three installation options: server, agent (client) and stand-alone. The OSSEC server must be installed on a Linux/Unix system, and the agents could be installed on any operating system; in the stand-alone option the server and the agent run on the same machine. All communication between the OSSEC server and its agents is always encrypted. In a cloud scenario, OSSEC can be installed on AWS EC2 instances as well, where one OSSEC server can monitor multiple cloud instances.

SNORT: SNORT is an open source network intrusion detection and prevention system (NIDS/NIPS). It performs real-time traffic analysis and packet logging on IP networks and works in three main modes:

1. Sniffer mode: it reads the packets from the network and displays them.
2. Packet logger mode: it logs the packets to disk.
3. Network intrusion detection mode: it analyzes the network traffic against its rules and detects abnormal behavior.

In the AWS cloud, SNORT can be installed on EC2 instances. Incoming HTTPS traffic can be terminated at the Elastic Load Balancer, which then passes unencrypted HTTP traffic to SNORT; SNORT inspects the traffic in-flight and decides whether to accept or reject the packets before they reach the backend servers.

CryptSync: CryptSync is an open source utility that synchronizes two folders while encrypting the contents of one of them. Files in the unencrypted folder are encrypted before moving to the encrypted folder, so the data is already encrypted before uploading it to cloud storage.

Crypton: Crypton is a JavaScript library developed by SpiderOak for building Web applications that encrypt the users' data on the client side, in the browser, before it reaches the server, which makes the data difficult for attackers to use even if they get the server. Its backend is built on PostgreSQL, Redis and Node.js, and it is licensed under the AGPL.

TrueCrypt: TrueCrypt is a disk encryption tool that creates a virtual encrypted disk within a file and mounts it as a real disk; encryption and decryption are transparent to the user and take place before the data is written to the disk. It works on Windows, Mac OS and Linux.

Summary

In this chapter, we have learned about the current cloud security scenario and trends, the cloud security fundamentals and concerns, the challenges of cloud computing security, the detailed explanation of the various categories of cloud risks, the cloud security architecture, the vulnerability assessment tools for the cloud, and the existing cloud security solution products, including open source products. Security is the first and foremost concern of the cloud computing industry, and cloud providers take care of it in many ways. In the next chapter, we will learn about the best practices of cloud computing security.

MULTIPLE CHOICE QUESTIONS
1. How many categories of cloud risks are there?
   (a) 2 (b) 3 (c) 4 (d) 5
2. Which type of risk does lock-in belong to?
   (a) Policy and organizational risk (b) Technical risk (c) Legal risk (d) Other risks
3. Which type of risk does isolation failure belong to?
   (a) Policy and organizational risk (b) Technical risk (c) Legal risk (d) Other risks
4. Where does the problem of VM isolation exist?
   (a) In SaaS (b) In PaaS (c) In IaaS (d) In SaaS, PaaS and IaaS
5. How can denial of service be avoided?
   (a) By limiting network access (b) By using a firewall (c) By using an intrusion detection system (d) By securing the operating system
6. Which type of security tool is OSSEC?
   (a) Client side data encryption (b) Server side data encryption (c) Host-based intrusion detection system (d) Network intrusion detection system
7. Which type of security tool is SNORT?
   (a) Client side data encryption (b) Server side data encryption (c) Host-based intrusion detection system (d) Network intrusion detection system
8. What is the purpose of AWS CloudHSM?
   (a) Key management (b) Data encryption (c) Identification (d) Protection of resources
9. How many layers exist in the cloud security architecture?
10. Which one of the following options is the key security feature of Vaultive?
11. Which one of the following options is the key security feature of Skyhigh?
12. Which one of the following options is the key security feature of Netskope?
13. Which one of the following options is the key security feature of Okta?
14. Which one of the following options is the key security feature of CipherCloud?
15. Identify the technology which protects data during the uploading and downloading processes.
   Options for questions 10 to 15: Reverse proxy; Single sign-on (SSO); Encryption/decryption; Data loss prevention; Network monitoring; Principle of transparency; Open source; On-demand; Anytime accessible.

REVIEW QUESTIONS

1. What do you understand by the evolving cloud security scenario?
2. What are the technical, legal and organizational risks associated with cloud computing?
3. Explain the cloud security architecture.
4. What is a vulnerability assessment service? List some of the open source cloud security products.
5. Explain how OSSEC and SNORT work.
