HOW TO INTERACT WITH CLOUD SERVICE
Users interact with cloud services through several methods, including web-based consoles,
command-line interfaces (CLIs), and application programming interfaces (APIs). These methods
let users manage resources, automate tasks, and integrate with other applications. In addition,
cloud services are accessed through various client applications such as web portals, browsers,
and mobile apps.
Web-based Consoles (or Portals):
Cloud providers offer graphical user interfaces (GUIs) accessible through web browsers for
managing resources and services. These consoles provide a visual way to interact with cloud
environments.
Command-Line Interface (CLI):
CLIs allow users to interact with cloud services through text-based commands in a
terminal window. This method is useful for automation and scripting tasks.
Application Programming Interfaces (APIs):
APIs enable developers to interact with cloud services programmatically. This allows for
integration with other applications and automation of complex operations.
Cloud Shell:
Some cloud providers offer a cloud shell, a browser-based, pre-configured environment with
the CLI and other tools already installed.
Cloud Mobile Apps:
Cloud providers also offer mobile apps for managing resources and services on the go.
Infrastructure as Code (IaC):
Tools like Terraform allow users to define and manage cloud infrastructure as code, enabling
automation and version control. Infrastructure as Code (IaC) is the practice of provisioning and
managing infrastructure through code rather than through graphical user interfaces or hand-run
command-line scripts.
Client Libraries:
Cloud providers offer client libraries in various programming languages to simplify interaction
with their APIs.
Examples of Applications:
Social media platforms:
Cloud services enable users to store and share content like posts, photos, and videos.
Communication and collaboration tools:
Cloud-based platforms like Zoom, Microsoft Teams, and Google Workspace allow for
communication, collaboration, and file sharing.
Email services:
Cloud-based email services allow users to access their emails from any device.
Media streaming:
Cloud services host and deliver content for streaming services like Netflix and Spotify.
Business applications:
Cloud services are used for various business applications like CRM (Salesforce), e-commerce
platforms, and more.
FUNDAMENTALS OF CLOUD COMPUTING SECURITY
Cloud Computing Security refers to the set of policies, technologies, and controls deployed to
protect data, applications, and infrastructure associated with cloud computing. It is crucial due to
the distributed nature of cloud services and the sensitive data often stored in the cloud.
CLOUD SECURITY
Security in cloud computing refers to the set of policies, technologies, controls, and practices
designed to protect data, applications, and the associated infrastructure of cloud computing
environments. It aims to safeguard cloud-based systems from threats such as unauthorized
access, data breaches, data loss, service disruptions, and other cyber attacks.
Security threats against cloud computing are rising, and security concerns should be addressed
according to the cloud delivery and deployment models in use.
SECURITY ISSUES AND CHALLENGES IN CLOUD COMPUTING.
There are some major security issues that organizations and key decision makers must address
before moving to the cloud computing model; they are as follows.
1. Data Protection: Ensuring confidentiality, integrity, and availability of data stored or
processed in the cloud through encryption, access controls, and data masking.
2. Identity and Access Management (IAM): Managing user identities and their permissions to
ensure that only authorized users can access specific resources.
3. Network Security: Protecting cloud networks using firewalls, intrusion detection/prevention
systems, and secure communication protocols.
4. Compliance and Governance: Adhering to regulatory requirements and industry standards to
ensure legal and policy compliance.
5. Threat Detection and Incident Response: Monitoring cloud environments for suspicious
activities and responding promptly to security incidents.
6. Physical Security: Protecting the physical data centers where cloud infrastructure resides.
7. Privileged Access: Data processed outside the enterprise is subject to many risks because
of issues related to data ownership. Enterprises should ask their providers for more
information about who has privileged access to data and who controls the hiring and
management of administrators.
8. Regulatory Compliance: Clients should make contracts with providers who allow external
third-party audits and security certifications, providing them with information about controls that
were evaluated.
9. Data Location: Because of outsourcing contracts and increasingly globalised infrastructure,
some clients do not even know in which country their data is stored, or which jurisdictions and
privacy regulations apply to it.
10. Data Segregation: Most cloud providers store data in a shared environment, so a provider
must deploy a mechanism to separate clients’ data. Encryption alone is not enough; implementation
mistakes may still result in exploits or data breaches. Clients must know who has access to the
decryption keys and which part of the data each key can decrypt.
11. Reliability: Reliability is one of the major aspects of cloud computing. Clouds should be
highly scalable and able to meet wide variations in processing power and requirements. If the
provider moves its clients’ data onto a different environment, the existing environment should
not be compromised or become unavailable.
12. Recovery: Cloud providers need to provide their clients with information about how they
will recover from disasters and protect their clients’ data, and how long this recovery process
will take.
13. Auditing: The co-location and spreading of data across a set of hosts and data centres makes
it difficult to audit or investigate cloud providers when they act improperly.
14. Portability: An important thing to evaluate is the provider’s viability. What will happen to
clients’ data if the provider is acquired or goes out of business? Can clients get their data back
in a format that allows them to import it into another application?
Overall, cloud security is critical to maintaining trust and ensuring the safe use of cloud services
by individuals and organizations.
CLOUD COMPUTING SECURITY THREATS.
A security threat in cloud computing is any potential risk or vulnerability that can exploit
weaknesses in cloud infrastructure, services, or applications, leading to unauthorized access, data
breaches, data loss, service disruption, or other malicious activity. These threats can
compromise the confidentiality, integrity, and availability of data and resources hosted in the
cloud.
The scope of cloud computing keeps growing, and with it the concern about threats that could
affect the cloud. The Cloud Security Alliance (CSA) has put considerable effort into maintaining
a regularly updated list of the most important threats facing cloud users and providers.
Below are some perspectives on these threats, along with procedures and precautions that cloud
providers and users should take.
1. Cloud computing abuse
Cloud computing is a double-edged sword: it gives enterprise users and attackers the same
large-scale, elastic services to use for their own purposes. Attackers have used cloud
infrastructure to launch DDoS attacks, distribute pirated software, and find ways to deliver
malware to a massive number of cloud users’ computers, afterwards using the resulting botnets to
attack and control victims’ machines. IaaS and PaaS providers have consistently suffered most
from this kind of threat. In order to alleviate this threat, cloud providers should take the
following precautions:
Spend more effort on preventing service fraud through monitoring and coordination.
Impose stricter, stronger validation, especially in the registration process.
Monitor customer network traffic and perform permanent, comprehensive checks on it.
2. Insecure Application Programming Interfaces (APIs)
All cloud providers are exposed to this threat. Customers use software interfaces and APIs to
interact with, establish, manage and monitor services. If weak interfaces and APIs are used,
organizations may be exposed to various security threats and vulnerabilities, such as anonymous
access, weak access controls, reusable tokens or passwords, disclosure of data, and limited
monitoring capabilities. Consequently, these interfaces and APIs must have strong access
control, authentication, encryption and monitoring mechanisms to prevent any malicious
interaction with them. In order to alleviate this threat, cloud providers and users should take
the following precautions:
Implement strong authentication and access controls together with encrypted transmission.
Analyse the security model of the cloud provider’s interfaces.
Be aware of all dependency chains associated with the API.
3. Malicious insiders
This is a well-known threat to most organizations, as it affects every delivery model. There is a
lack of visibility into how providers hire people, what privileges they are given to access
assets, and who monitors their practices. This situation can create an attractive opportunity
for attackers to collect confidential data or take complete control of cloud services without
being detected. The most famous case here is Edward Snowden and the NSA. Compliance reporting,
breach notification and transparency into provider processes and procedures are important for
providing a secure cloud. In order to alleviate this threat, cloud providers and users should take
the following precautions:
Keep cloud users’ encryption keys on their own premises, not in the cloud.
Enforce security breach notification processes.
Ensure transparency across information security and management practices, in addition to
compliance reporting.
Give more attention to specifying human resource requirements.
Apply strict supply chain management and conduct full supplier assessments.
4. Shared technology vulnerabilities
IaaS vendors rely on multi-tenancy, offering their underlying infrastructure for sharing.
Components such as disk partitions, shared database services, Central Processing Unit (CPU)
caches, Graphics Processing Units (GPUs) and other elements were designed to be used by a single
customer and do not provide robust separation properties for a multi-tenant architecture. As a
result, breaches and vulnerabilities have appeared. Such vulnerabilities do not compromise just a
single customer; they can affect the whole environment.
In order to alleviate this threat, cloud providers should take the following precautions:
Enforce stronger security practices for installation and configuration.
Detect and remediate vulnerabilities, and perform configuration audits.
Monitor for and prevent any unauthorized access from one customer to another tenant.
Use Service Level Agreements (SLAs) for vulnerability treatment.
Provide robust authentication and access control for administrative access and operations.
5. Leakage or loss of data
Data is always in danger of being lost, leaked or stolen. Deletion or alteration without a
backup, loss of the encryption key, or unauthorized access can all result in serious damage.
Particularly in shared infrastructure models like clouds, organizations should pay attention to
the service provider’s authentication systems that grant access to data. This threat has a severe
impact on both cloud customers and providers: it not only makes a customer lose the secrecy of
their data, it also damages the provider’s brand value and reputation. In order to alleviate this
threat, cloud providers and users should take the following precautions:
Enhance data protection at both design time and run time.
Use robust access controls for interfaces and APIs.
Ask providers to specify their backup and retention strategies, encryption, data disposal
procedures, and business continuity arrangements in the contract.
Implement robust key generation and destruction practices.
Contractually require providers to remove persistent media before it is released into the cloud.
6. Account, resource and service hijacking
Attackers gain access to cloud user accounts through phishing, credential theft, or weak
passwords, and may then control the associated cloud resources. Attack methods such as
man-in-the-middle attacks, phishing, fraud, exploitation of software vulnerabilities such as
buffer overflows, cross-site scripting, denial-of-service attacks and so on can all lead to the
loss of control over a user account. An intruder in control of a user account can manipulate or
delete data, exploit the account owner’s reputation, eavesdrop on transactions, return false
responses to the owner’s customers, and redirect those customers to a malicious site. In order
to alleviate this threat, cloud providers and users should take the following precautions:
Enforce the use of strong multi-factor authentication techniques.
Prohibit the sharing of account credentials between users and services.
Gain a good understanding of the cloud vendor’s security policies and SLAs.
7. Lack of risk profile
One of the most important characteristics of cloud computing is that it reduces the need for
hardware and software ownership, which allows companies to concentrate on their core business
strengths. However, this also introduces more security concerns and issues. Although security
tops the list of cloud computing concerns, many service providers focus on functionality and
benefits rather than security. Risks related to software versions, code updates, vulnerability
and exploit profiles, intrusion breaches and security design are the most significant factors to
keep in mind when we talk about companies’ security. Issues such as compliance, configuration,
patching, auditing, and logging must be handled explicitly. In order to alleviate this threat,
cloud providers and users should take the following precautions:
Keep track of infrastructure details (e.g., patches, software updates, intrusion prevention,
firewalls, etc.).
Check the logs, and establish who has the privileges to access them and what information they
will reveal if an incident happens.
Monitor and alert on any information that could pose a risk to the system.
Figure 1. Threats that have a great impact on the provider’s reputation and customers’ data security.
Figure 2. Cloud computing security requirements.
Security Requirements.
Cloud computing security should be guided by the ISO 7438-2 standard in order to become an
effective and secure technology solution. Figure 2 above shows a guideline for assessing the
security level: the different deployment and delivery models are compared against the
information security requirements, with ‘M’ denoting mandatory requirements and ‘O’ denoting
optional requirements. The cloud security requirements are discussed below.
I. Authentication: Cloud providers should have a robust federated identity management
architecture, including components such as identity provisioning and de-provisioning,
information security, linking, mapping, authentication and authorization, for managing
identities. Cloud providers verify and validate cloud users by means of usernames and
passwords to protect their cloud profiles and prevent unauthorized access. They first
establish the specified users and then grant them permissions and access privileges.
II. Authorization: Authorization is an important cloud security requirement, used to
ensure that referential integrity is applied. Authorization is the means of ensuring
that only authorized users are able to interact with resources in the cloud. First,
users must be authenticated. Second, information about the user and the resource being
accessed must be obtained. Finally, access to the resource is allowed or denied based on
the policies applicable to that resource. Authorisation policy can be enforced in cloud
computing through the three approaches listed below:
Enterprise Authorisation – to grant or deny access to a resource, the cloud
application/resource asks the enterprise to make the authorisation decision.
Stand-Alone Cloud Authorisation – to grant or deny access to a resource, cloud-provided
or custom authorisation services are used.
Cloud Authorisation with Enterprise Governance – to grant or deny access to a
resource, the cloud makes the authorisation decision, but the policies are governed by
the enterprise.
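The three-step authorisation flow and the three enforcement approaches above, modelled as an added example (not code from the original notes) in which a small policy decision point (PDP) applies default-deny, explicit-deny-wins evaluation; the roles, rule sets and "store://" resource names are constructed for illustration, and the approaches differ only in where the PDP runs and who governs its rules.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:  # outcome of step 1 (authentication) plus step 2 user attributes
    user: str
    roles: frozenset
    authenticated: bool = False
    mfa: bool = False

@dataclass(frozen=True)
class Rule:
    effect: str           # "allow" or "deny"
    roles: frozenset      # roles the rule applies to
    actions: frozenset    # e.g. {"read", "write"}
    resource_prefix: str  # resources the rule covers, matched by path prefix
    require_mfa: bool = False

class PolicyDecisionPoint:
    """Step 3: allow or deny from the policies applicable to the resource.
    An explicit deny always wins; anything not explicitly allowed is denied."""
    def __init__(self, runs_at, governed_by, rules):
        self.runs_at = runs_at          # "enterprise" or "cloud"
        self.governed_by = governed_by  # who authors and owns the rules
        self.rules = list(rules)

    def decide(self, principal, action, resource):
        if not principal.authenticated:  # unauthenticated callers match no rule
            return "deny"
        decision = "deny"
        for rule in self.rules:
            applies = (resource.startswith(rule.resource_prefix)
                       and action in rule.actions
                       and principal.roles & rule.roles)
            if not applies:
                continue
            if rule.effect == "deny":
                return "deny"
            if rule.require_mfa and not principal.mfa:
                continue  # allow rule's condition not met, so it grants nothing
            decision = "allow"
        return decision

# Constructed policy sets (hypothetical roles and resource names). The
# enterprise's own rules are stricter than the cloud provider's defaults.
ENTERPRISE_RULES = [
    Rule("allow", frozenset({"analyst"}), frozenset({"read"}), "store://hr-data/"),
    Rule("allow", frozenset({"hr-admin"}), frozenset({"read", "write"}),
         "store://hr-data/", require_mfa=True),
    Rule("deny", frozenset({"contractor"}), frozenset({"read", "write"}),
         "store://hr-data/"),
]
CLOUD_DEFAULT_RULES = [
    Rule("allow", frozenset({"analyst", "hr-admin", "contractor"}),
         frozenset({"read"}), "store://"),
]
# The three approaches differ only in where the PDP runs and who governs its rules.
APPROACHES = {
    "enterprise": PolicyDecisionPoint("enterprise", "enterprise", ENTERPRISE_RULES),
    "standalone_cloud": PolicyDecisionPoint("cloud", "cloud", CLOUD_DEFAULT_RULES),
    "cloud_with_governance": PolicyDecisionPoint("cloud", "enterprise", ENTERPRISE_RULES),
}

def access(approach, principal, action, resource):
    """The cloud resource asks the PDP of the chosen approach for a decision."""
    return APPROACHES[approach].decide(principal, action, resource)
```

Running the same contractor read and admin write requests through all three approaches shows that the stand-alone cloud defaults grant the contractor access that the enterprise-governed policies deny.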
III. Confidentiality: Confidentiality is concerned with keeping users’ data and profiles
secret in cloud systems. It is responsible for maintaining control over users’ data
distributed across different portions of databases. Public clouds are accessible
through public networks to facilitate the transfer of data; therefore, their offerings
(e.g., applications and infrastructure) are exposed to more attacks than those hosted
in private databases. Most cloud computing providers rely on physical isolation and
cryptographic techniques to enforce confidentiality. To enforce physical and virtual
isolation, cloud providers use virtual local area networks and network middleboxes
(e.g., firewalls).
IV. Availability: Availability is an important information security requirement in cloud
computing systems, ensuring that users can use the cloud’s applications and
infrastructure from any place, at any time. A cloud computing system allows its
users to access resources from anywhere because it is web-based. An important
technique for maintaining high availability is having redundant components. If any
component fails, a secondary or backup copy of that component can take over for the
failed one, which removes that single point of failure for the whole system. Another
important technique to enhance cloud system availability is system hardening.
Hardening involves strengthening the cloud infrastructure in a way that eliminates
security holes and vulnerabilities.
V. Integrity: One of the most fundamental things that cloud providers must ensure is
information integrity (i.e., the guarantee that data is not lost or modified by
unauthorized users). The elastic nature of cloud computing, which enables users to
increase or decrease resources, raises the potential for risks such as node failure,
disk failure or data loss. The Atomicity, Consistency, Isolation and Durability (ACID)
properties should be enforced across all cloud computing delivery models to ensure the
integrity of the cloud’s data.
VI. Non-repudiation: Non-repudiation is the means of assuring that a party cannot deny
an action they performed. In cloud computing, non-repudiation can be achieved by applying
traditional e-commerce security protocols and token provisioning to data transmission
within cloud applications, such as timestamps, digital signatures and confirmation
receipt services. Some techniques have been developed to apply non-repudiation schemes
to storage clouds.
ENSURING SECURITY COMPLIANCE IN CLOUD ENVIRONMENTS BY ORGANIZATIONS/ENTERPRISES
THROUGH THESE KEY PRACTICES:
1. *Understand Regulatory Requirements:* Identify all relevant laws, regulations, and
industry standards that apply to your organization and data (e.g., GDPR, HIPAA, PCI
DSS).
2. *Choose Compliant Cloud Providers:* Select cloud service providers (CSPs) that comply
with necessary certifications and standards, such as ISO 27001, SOC 2, FedRAMP, or
others relevant to your industry.
3. *Define Shared Responsibility:* Clearly understand and document the shared
responsibility model between your organization and the cloud provider regarding security
and compliance.
4. *Implement Strong Access Controls:* Use Identity and Access Management (IAM) to
enforce least privilege access and multi-factor authentication (MFA).
5. *Encrypt Data:* Encrypt sensitive data both at rest and in transit to protect
confidentiality and meet compliance requirements.
6. *Maintain Audit Trails:* Enable logging and monitoring to track access and changes to
cloud resources, facilitating audits and forensic investigations.
7. *Regular Compliance Audits:* Conduct periodic internal and external audits to verify
compliance with policies and regulatory requirements.
8. *Automate Compliance Monitoring:* Use cloud-native or third-party tools to
continuously monitor configurations, detect misconfigurations, and enforce compliance
policies.
9. *Train Employees:* Provide ongoing training and awareness programs to ensure staff
understand compliance obligations and security best practices.
10. *Develop Incident Response Plans:* Prepare and test response plans for security
incidents to meet regulatory reporting requirements.
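Practice 8 (automated compliance monitoring) applied to practices 4, 5 and 6 above, as an added example that is not part of the original notes: a checker that walks a constructed, simplified account inventory and reports every identity without MFA or with wildcard permissions, every storage resource without encryption at rest or access logging, a disabled account audit trail, and publicly exposed storage. The inventory format, resource names and action strings are all hypothetical.

```python
import json
# Constructed inventory (not real account data), shaped like a simplified export
# of identities, storage resources and audit settings from one cloud account.
INVENTORY = json.loads("""
{
  "audit_trail": {"enabled": false},
  "identities": [
    {"name": "alice", "type": "human", "mfa": true,
     "actions": ["storage:Get", "storage:List"]},
    {"name": "bob", "type": "human", "mfa": false, "actions": ["*"]},
    {"name": "ci-deployer", "type": "service", "mfa": false,
     "actions": ["compute:Start", "compute:Stop"]}
  ],
  "storage": [
    {"name": "payroll-archive", "encryption_at_rest": true,
     "access_logging": true, "public": false},
    {"name": "web-assets", "encryption_at_rest": false,
     "access_logging": false, "public": true}
  ]
}
""")

def check_access_controls(inv):
    """Practice 4: MFA for every human identity and no wildcard permissions."""
    findings = []
    for ident in inv["identities"]:
        if ident["type"] == "human" and not ident["mfa"]:
            findings.append((4, ident["name"], "human identity without MFA"))
        if any(a == "*" or a.endswith(":*") for a in ident["actions"]):
            findings.append((4, ident["name"], "wildcard permission violates least privilege"))
    return findings

def check_encryption(inv):
    """Practice 5: every storage resource encrypts data at rest."""
    return [(5, s["name"], "encryption at rest disabled")
            for s in inv["storage"] if not s["encryption_at_rest"]]

def check_audit_trails(inv):
    """Practice 6: an account-wide audit trail plus access logging per resource."""
    findings = []
    if not inv["audit_trail"]["enabled"]:
        findings.append((6, "account", "audit trail disabled"))
    findings += [(6, s["name"], "access logging disabled")
                 for s in inv["storage"] if not s["access_logging"]]
    return findings

def check_public_exposure(inv):
    """Practice 8: publicly readable storage is the classic misconfiguration."""
    return [(8, s["name"], "storage is publicly accessible")
            for s in inv["storage"] if s["public"]]

CHECKS = (check_access_controls, check_encryption, check_audit_trails,
          check_public_exposure)

def evaluate(inv):
    """Run every check; each finding is (practice number, resource, issue)."""
    return [finding for check in CHECKS for finding in check(inv)]

def compliant(inv):
    """True only when no check produced a finding."""
    return not evaluate(inv)

if __name__ == "__main__":
    for practice, resource, issue in evaluate(INVENTORY):
        print(f"practice {practice}: {resource}: {issue}")
```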
By integrating these practices, organizations can effectively manage compliance risks and
maintain adherence to regulatory standards in cloud environments.