Domain 1

• Cloud computing has come to mean many things, but the following characteristics have
become part of the generally accepted definition:
o Broad network access means that there should never be network bandwidth
bottlenecks
▪ This is generally accomplished with the use of such technologies as
advanced routing techniques, load balancers, multisite hosting, and other
technologies.
o On-demand services refer to the model that allows customers to scale their
compute and/ or storage needs with little or no intervention from or prior
communication with the provider. The services happen in real time
o Resource pooling is the characteristic that allows the cloud provider to meet various
demands from customers while remaining financially viable
o Measured or metered service simply means that the customer is charged for only
what they use and nothing more
• Business needs of the organization drive security decisions, and not the other way around.
• Many organizations are currently considering moving their network operations to a cloud-
based motif. This is not a decision made lightly, and the business requirements must be
supported by this transition
• A full inventory of assets, processes, and requirements is necessary, and there are various
methods for collecting this data.
• The greatest driver pushing organizations toward cloud migration at the moment is cost
savings, and that is a significant and reasonable consideration
• One way an organization can use hosted cloud services is to augment internal, private
datacenter capabilities with managed services during times of increased demand. We refer
to this as “cloud bursting.”
• PII is a major component of regulatory compliance, whether the regulation comes in the
form of statutes or contractual obligation. Protection of PII will be a large part of our security
concern in the cloud
• Elasticity
o In the cloud environment, the organization is paying not for a device, but for the use
of a service, when it is being used
o The ability of the cloud vendor to offer this type of service (while remaining
profitable) is based on the elasticity and the flexibility offered by recent
enhancements in technology, including virtualization
o With virtualization, the cloud provider can allocate partial usage of each resource to
every user and customer, when those users and customers require it, and nothing
more, thereby avoiding wasted, underutilized resources and excess, nonproductive
costs
o In a virtualized environment, users can also access their data from almost any device
or platform, and almost any location. This allows portability, availability, and
accessibility that exceed previous enterprise environments.
• Simplicity
o Proper cloud implementations should not require constant or even frequent
interaction between the cloud provider and cloud customer.
• Scalability
o A cloud service can easily meet those needs, either temporarily or long-term, in a
much more cost-efficient manner than a traditional environment, because new
computing resources can be assigned and allocated without any significant
additional capital investment on the part of the cloud provider, and at an
incremental cost to the cloud customer.
• Infrastructure as a Service (IaaS)
o IaaS allows the customer to install all software, including operating systems (OSs) on
hardware housed and connected by the cloud vendor.
o In this model, the cloud provider has a datacenter with racks and machines and
cables and utilities, and administers all these things
o IaaS might be optimum for organizations that want enhanced control over the
security of their data, or are looking to the cloud for a limited purpose, such as
BC/DR or archiving.
o The cloud provider simply supplies the compute, storage, and networking functions.
o In Infrastructure as a Service (IaaS), the cloud customer has the most responsibility
and authority of all the possible cloud models
o The customer, however, is in charge of everything from the operating system and
up; all software will be installed and administered by the customer, and the
customer will supply and manage all the data.
o In IaaS, though, the cloud customer may still collect and review event logs from the
software, including the OS, which still lends a great deal of insight into the usage and
security of the data
• Platform as a Service (PaaS)
o PaaS contains everything included in IaaS, with the addition of Oss
o The cloud vendor usually offers a selection of OSs, so that the customer can use any
or all of the available choices.
o The vendor will be responsible for patching, administering, and updating the OS as
necessary, and the customer can install any software they deem useful
o The responsibilities for updating and maintaining the software will also be the
customer’s
o the cloud customer loses still more control of the environment, because the cloud
provider is now responsible for installing, maintaining, and administering the OS(s).

• Software as a Service (SaaS)

o SaaS includes everything listed in the previous two models, with the addition of
software programs
o The cloud vendor becomes responsible for administering, patching, and updating
this software as well
o The cloud customer is basically only involved in uploading and processing data on a
full production environment hosted by the provider
o The cloud customer will not have ownership of the hardware, the software, or the
administration of either; the customer only supplies and processes data to and in
the system.
 o
The customer remains liable for all statutory and contractual obligations related to
the safeguarding of the data but, in this case, has little control over how that data is
protected
o The cloud provider is now almost exclusively responsible for all system maintenance,
all security countermeasures, and the vast majority of policy (and implementation of
that policy) affecting the data
o In all three models, the customer is giving up an essential form of control: Physical
access to the devices on which the data resides. This is a massive and serious
increase of risk and loss of assurance; anyone who can physically access the location
of the data can eventually take it, with or without permission
• Some Keywords
o Vendor Lock-in Vendor lock-in occurs in a situation where a customer may be
unable to leave, migrate, or transfer to an alternate provider due to technical or
nontechnical constraints.
o Vendor Lock-out Vendor lock-out occurs when a customer is unable to recover or
access their own data due to the cloud provider going into bankruptcy or otherwise
leaving the market.

Deployment Service Model Service Model Service Model

Model
Private IaaS PaaS (Cloud OS) SaaS
Public IaaS PaaS (Cloud OS) SaaS
Community IaaS PaaS (Cloud OS) SaaS
Hybrid IaaS PaaS (Cloud OS) SaaS

Cloud Computing NIST Essential Characteristics

On-Demand Self-Service
Broad Network Access (Always On, and Always Accessible)
Resource Pooling
Rapid Elastic (Transparent and Pay per user”)
Measure service (Resource usage can be measure, controlled, reported)

‘Elasticity Virtualization and Scalability

Simplicity Risk Reductions and Cost

Expandability: Mobility, Collaboration, and Innovation

Service Model Storage

IaaS Volume Storage & Object Storage

PaaS or CloudOS Structured & Unstructured

SaaS Information Storage and Management

Content/file storage
Ephemeral Storage
Content Delivery Network
Raw-storage
Long-term storage

Client Side Key Management Cloud Provider Key Management

Remote Key Management Service: This is

where the customer maintains the Key
Management Service (KMS) on-premise.

Client Side Key Management: Client Side

looks to put the customer or cloud user in
complete control of encryptions and
decryption keys

Open Web Application Security Project (OWASP) Top 10

A1-Injection LDAP Query Injection, OS Command Injection and SQL

A2- Broken Authentication
and Session Management
A3- Cross-Site Scripting (XSS)
A4- Insecure Direct Object
References
A5- Security Misconfiguration
A6 – Sensitive Data Exposure
A7- Missing Function Level
Access Control
A8 – Cross-Site Request
Forgery (CSFR)
Injection are all different type of injection flaws.
Most common security risks related to authentication and
session management are stealing of passwords or session
tokens and impersonating legitimate users.
malicious hacker to inject malicious client-side script in a
website or web application which is later executed by the
victims
the web application where access to a sensitive object,
such as a directory, a particular record or a database is not
fully protected and the object is exposed by the application.
the web application where access to a sensitive object,
such as a directory, a particular record or a database is not
fully protected and the object is exposed by the application.
Credit card details, social security numbers and other
sensitive customer details should be encrypted when
stored in a database, even if they are not directly
accessible via the web application.
An attacker can exploit this type of security flaw by changing
the URL in the browser when accessing a web application to try
and access a function he does not have access to. If the web
application fails to perform proper access control checks
specifically for that particular object,
A cross-site request forgery, also referred to as CSRF is widely
popular with scammers and spammers because when
exploited, the attacker can force a victim's web browser to
send a forged HTTP request to a vulnerable web
application. Such forged HTTP request would typically contain
logged in information
A9 – Using Components with
Known Vulnerabilities
A10 – Un validated Redirects
and Forwards
It is quite surprising that this class of vulnerabilities is in 9th
place, considering that most of today's successful attacks
happen because the attacker exploited a known
vulnerability.
Website visitors are frequently redirected and forwarded to
different pages and even other third party websites
depending on the visitor location, type of browser being used
and several other factors. If the functions analyzing

• Foundational Concepts of Cloud Computing

o Sensitive Data
▪ Each organization will have its own risk appetite and desire for
confidentiality
o Virtualization
▪ Virtualization is one of the technologies that has made cloud services a
financially viable business model
o Auditing and Compliance
▪ Cloud providers are extremely reluctant to allow physical access to their
facilities or to share network diagrams and lists of controls; maintaining
confidentiality of these things enhances the provider’s overall security.
However, these are essential elements of an audit.
• Cloud Service Provider Contracts
o The business arrangement between the cloud provider and the cloud customer will
usually take the form of a contract and a service-level agreement (SLA).
o The SLA will set specific, quantified goals for these services and their provision over
a certain timeframe
• Always bear in mind that all management decisions are driven by business needs, including
security and risk decisions
• Business Requirements Analysis
o An inventory of all assets
▪ First step in creating a sound security program would be to perform a
thorough, comprehensive inventory. There are many methods and tools for
doing so, such as surveys, interviews, audits, and so forth.
▪ In performing an IT inventory, we can also incorporate automation into the
process, enhancing our capabilities and efficiency
o A valuation of each asset
▪ There are some risks associated with letting the data owners assign value to
their assets
▪ The data owner for a given data set is the business manager in charge of
that data
▪ The data owner is also tasked with assigning a category and/or classification
to their data, usually when it is created

o A determination of critical paths, processes, and assets

▪ Senior management has the correct perspective for making determinations
of criticality
 ▪ The security professional, however, should have a good understanding of
the overall mission and function of the organization, in order to better serve
and advise the organization in securing critical elements
▪
o
▪ Risk appetite is the level, amount, or type of risk that the organization finds
acceptable
▪ Avoidance
• This isn’t really a method for handling risk; it means leaving a
business opportunity because the risk is simply too high and
cannot be compensated for with adequate control mechanisms—a
risk that exceeds the organization’s appetite.
▪ Acceptance
• The opposite of avoidance; the risk falls within the organization’s
risk appetite, so the organization continues operations without any
additional efforts regarding the risk.
▪ Transference
• The organization pays someone else to accept the risk, at a lower
cost than the potential impact that would result from the risk being
realized; this is usually in the form of insurance
▪ Mitigation
• The organization takes steps to decrease the likelihood or the
impact of the risk (and often both); this can take the form of
controls/countermeasures, and is usually where security
practitioners are involved.
o The risk appetite of an organization is set by senior management, and is the guide
for all risk-management activities in the organization.
o The security practitioner must have a thorough understanding of the risk appetite
of the organization in order to perform their functions properly and efficiently.
• Design Principles for Protecting Sensitive Data
o For instance, cloud customers should ensure that all assets in their BYOD
infrastructure that access the cloud should
o Be protected with some form of antimalware/security software
▪ Have remote wipe/remote lock capability in the event of loss/theft, with the
user granting written permission to the organization to wipe/lock via a
signed authorized use policy
▪ Utilize some form of local encryption
▪ Be secured with strong access controls (a password, or perhaps a biometric)
in a multifactor configuration
▪ Have and properly employ VPN solutions for cloud access
▪ Have some sort of data loss, leak prevention, and protection (DLP) solution
installed
• The organization may also want to consider containerization software options for
personally owned user devices as a means to isolate their personal data from the
organization’s information.
• From a cloud customer perspective, similar efforts should include
 o ■ Training programs for staff and users that include good coverage of security
topics
o ■ Contractual enforcement of policy requirements
o ■ Use of encryption and logical isolation mechanisms on BYOD assets, as
mentioned earlier in this chapter
o ■ Strong access control methods, perhaps including multifactor authentication

Roles

o .
• Private Cloud Benefits
o Increased control over data, underlying systems, and application
o Ownership and retention of governance controls.
o Assurance over data location, removal of multiple
o jurisdiction legal and compliance requirement.
• Public Cloud Benefits
o Easy and inexpensive setup because hardware, application, and bandwidth costs are
covered by the provider
o Streamlined and easy-to-provision resources
o Scalability to meet customer needs
o No wasted resources-pay as you consume.
• Community cloud
o The cloud infrastructure is provisioned for exclusive use by a specific community of
consumers from organizations that have shared concerns (e.g., mission, security
requirements, policy, and compliance considerations). It may be owned, managed,
and operated by one or more of the organizations in the community, a third party,
or some combination of them, and it may exist on or off premises.
o E.g. Indian Banking Community Cloud (IBCC), Cloud4C by CtrlS, AWS GovCloud (USA)
, Microsoft Azure Government (USA)
o Can offer a valuable and cost-effective manner for specified groups or entities with a
similar focus or with common compliance and requirements to operate in a multi-
tenant infrastructure. It will give the benefits of public cloud deployment.
o Cloud bursting is an application deployment model in which an application runs in a
private cloud or datacenter and bursts into a public cloud when the demand for
computing capacity spikes.(Hybrid Cloud)
• Cloud Cross-Cutting Aspects
o Interoperability: How easy it is move and reuse application regardless of platform
o Portablity : Move application and associated data between one cloud provider to
another cloud provider
o Resiliency:
▪ Continue operating in the event of a disruption, which may be equipment
failure, power outage, or a nature disaster.
o Governance : all talk about responsibilities and verifying performance
o Service Level Agreements (SLAs) :
▪ In the SLA,the minimum levels of service, availability, security, controls,
▪ processes, communication, support, and many other crucial business
elements will be stated and agreed upon by both parties.
 o Regulatory Compliance
▪ Regulatory compliance is an organization’s requirement to adhere to
relevant laws, regulations, guidelines and specification relevant to its
business , specifically dictated by the nature, operation, and function it
provides or utilized to its customer.
o Importance of Key Management
▪ Key Management should be separated from the provider hosting the data,
and the data owner should be positioned to make decisions.
• Remote Key Management Service
o Required hybrid connectivity
• Client Side Key Management
o In CKMS, customer is in complete control of
encryption/decryption keys.
o Identity and Access Management (IAM) Phase Activity
▪ Provisioning and DE provisioning
• The ultimate goal of user provisioning is to standardize, streamline,
and create an efficient account creation process, while creating a
consistent, measurable, traceable, and auditable framework for
providing access to end users.
▪ Centralized Directory Service
• A directory service stores, processes, and facilitates a structured
repository of information stored, coupled with unique identifiers
and locations.
▪ Privileged User Management
• Privileged user management focuses on the process and ongoing
requirements to manage the lifecycle of user accounts with highest
privileges in a system.
▪ Authorization and Access Management
• Vendor Lock In
o Unfavorable contract , Proprietary data formats ,Insufficient bandwidth may result
in vendor lock in
• A Hypervisor also known as Virtual Machine Monitor (VMM) can be a piece of software,
firmware or hardware that gives an impression to the guest machines(virtual machines) as if
they were operating on a physical h/w.
• VM-based rootkits (VMBRs)
o Rootkit act by inserting a malicious hypervisor on the fly or modifying the installed
hypervisior to gain control over the host
o To cause a VMBR to run underneath an existing OS, the system's boot sequence
must be modified so that the VMBR loads first. Modifying the system boot sequence
requires a high level of privilege or an easily duped user.
• The virtual switch is vulnerable to a wide range of layer II attacks such as manipulation or
modification of the virtual switch’s configuration, VLANs and trust zones, and ARP tables.
• Colocation : Multiple VMs residing on a single server and sharing the same resources
increase the attack surface and the risk of VM-to-VM or VM-to-hypervisor compromise.
• PAAS tenant should not have shell access
• Important SLA Components
o Single Points of Failure should not exist
 o Migration to alternate provider(s) should be possible within the agreed upon RTO
o Whether all components will be supported by alternate cloud providers in the event
of a failover.
o Automated controls should be enabled to allow customers to verify data integrity
• FIPS-140 =
o Security Level 4 provides the highest level of security, with mechanisms providing
complete protection around the cryptographic module with the intent of detecting
and responding to all unauthorized attempts at physical access.
▪ A CSP is data using a cryptography module to process encryption functions.
o It is also meant to protect against environmental factors.
o Level 3 also includes robust cryptographic protection and key management,
identity-based authentication
o Level 2: It also requires the ability to detect physical tampering by using physical
locks or tamper-evident seals.
o Level 1: The lowest level of security. requirements, basic cryptographic module
▪ requirements are specified for at least one approved security function or
approved algorithm.
• The organization needs to carefully weigh all the risks associated with a business decision
before engaging in an activity minimize the risk impact associated with an activity.
• Reputational risk can be defined as “the loss of value of a brand or the ability of an
organization to persuade (You cant measured) Exam Point
• The extensive use of automation within the cloud enables real-time monitoring and
reporting on security control points, allowing for the establishment of continuous security
monitoring regimes, enhancing the overall security posture of the organization consuming
the cloud services
Cloud computing should have large resource pools to enable swift scaling, rapid movement,
and flexibility to meet your needs at any given time within the bounds of your service
subscription.
o Without pooling and measured services, you cannot implement the cloud
computing economic model.

Key Cloud Computing Characteristics

• On-Demand Self-Service
o Automated means without the need to interact with a person
o As services are expanded or contracted, billing is adjusted through automatic means.
• Broad Network Access
o All cloud services and components are accessible over the network and accessible in
most cases through many different vectors.
• Resource Pooling
o Significant cost savings can be realized for all customers of the cloud through
resource pooling and the economies of scale that it affords.

• Rapid Elasticity
o If the applications and systems are built in a way where they can be supported,
elasticity can be automatically implemented such that the cloud provider through
programmatic means and based on predetermined metrics can automatically scale
the system by adding additional resources and can bill the customer accordingly.
 • Measured Service
o Within the terms of the contract and agreements, these metrics can be used for a
variety of uses, such as monitoring and reporting, placing limitations on resource
utilization, and setting thresholds for automatic elasticity.
o These metrics also will be used to some degree in determining the provider’s
adherence to the requirements set forth in the service level agreement (SLA)
o With the metering and reporting metrics that cloud providers are able to offer, this
becomes much more simplistic for companies and offers a significantly greater
degree of flexibility, with granularity of systems and expansion.

Cloud Computing functions

• Cloud administrator
o implementation, monitoring, and maintenance of the cloud within the organization
o The cloud administrator works directly with system, network, and cloud storage
administrators
• Cloud application architect
o This person is typically responsible for adapting, porting, or deploying an
application to a target cloud environment.
▪ Design and implementation resources to ensure that an application’s
performance, reliability, and security are all maintained throughout the
lifecycle of the application
• Cloud auditor
o An auditor that is specifically responsible for conducting audits of cloud systems and
cloud applications
o A cloud auditor is a party that can perform an independent examination of cloud
service controls with the intent to express an opinion thereon
o A cloud auditor can evaluate the services provided by a cloud provider in terms of
security controls, privacy impact, performance, etc.
o A privacy impact audit can help Federal agencies comply with applicable privacy
laws and regulations governing an individual‟s privacy, and to ensure confidentiality,
integrity, and availability of an individual‟s personal information at every stage of
development and operation
o
• Cloud service broker
o A partner that servers as an intermediary between a cloud service customer and
cloud service provider
o An entity that manages the use, performance and delivery of cloud services, and
negotiates relationships between Cloud Providers and Cloud Consumers.
• Cloud service customer
o One that holds a business relationship for services with a cloud service provider
• Cloud service partner
o One that holds a relationship with either a cloud service provider or a cloud service
customer to assist with cloud services and their delivery
• Cloud service provider
o One that offers cloud services to cloud service customers
• Cloud service user
o One that interacts with and consumes services offered by a cloud services customer
• Cloud Backup Service Provider:
o A third-party entity that mange holds operational responsibilities for cloud-based
data backup service and solutions to customers from a central data center.
• Cloud Service Broker (CSB):
o Acts as liaison between cloud service customers and cloud service providers
• Cloud Broker Services
o Aggregate : one or more new services
o Arbitrage : Broker has flexibility to choose service from multiple provider
o Intermediate : Integrating IAM, API Management to cloud consumer
• Cloud Administrator:
o This individual is typically responsible for the implementation, monitoring, and
maintenance of the cloud within the organization or on behalf of an organization
(acting as a third party).
• Cloud Application Architect:
o The Cloud Application Architect is typically responsible for adapting, porting, or
deploying an application to the target cloud environment.
• Cloud Service Manager:
o The Cloud Service Manager is typically responsible for policy design, business
agreement, pricing model, and some elements of the SLA.This role will work closely
with the cloud management and customers to reach agreement, and alongside
Network and Cloud Administrators.
o Cloud service management can be described from the perspective of business
support, provisioning and configuration, and from the perspective of portability
and interoperability requirements
• Cloud Architect:
o This role will determine when and how a private cloud meets the policies and needs
of an organization’s strategic goals and contractual requirement (from a technical
perspective such as encryption).
• Cloud Data Architect:
o This individual is similar to the Cloud Architect; the Data Architect’s role is to ensure
various storage types and mechanisms utilized within the cloud environment meet
and conform to the relevant SLAs, and that the storage components are functioning
according to their specified requirements.
• Cloud developer
o Development for the cloud infrastructure itself
• Cloud Operator:
o This individual is responsible for daily operational tasks and duties that focus on
cloud maintenance and monitoring activities.
• Cloud Storage Administrator:
o This role focuses on relevant user groups and the mapping segregations,
bandwidth, and reliability of storage volume assigned
• Cloud Service Customer
o Cloud service user Uses the cloud services
o Cloud service administrator Tests cloud services, monitor services, administers
security of services, provides usage reports on cloud services, and addresses
problem reports
 o Cloud service business manager Oversees business and billing administration,
purchases the cloud services, requests audit reports as necessary
o Cloud service integrator Connects and integrates existing systems and services to
the cloud
• Cloud Service Provider
o Cloud service operations manager Prepares systems for the cloud, administers
services, monitors services, provides audit data when requested or required,
manages inventory and assets
o Cloud service deployment manager: Gathers metrics on cloud services, manages
deployment steps and processes, defines the environment and processes
o Cloud service manager Delivers, provisions, and manages the cloud services
o Cloud service business manager Oversees business plans and customer
o relationships as well as processes financial transactions

Infrastructure as a Service (IaaS)

• The capability provided to the consumer is to provision processing, storage, networks, and
other fundamental computing resources where the consumer is able to deploy and run
arbitrary software, which can include operating systems and applications

Key Features and Benefits of IaaS

• Scalability Within an IaaS framework, the system can be rapidly provisioned and expanded
as needed,
• Cost of ownership of physical hardware Within IaaS, the customer does not need to procure
any hardware either for the initial launch and implementation or for future expansion.
• High availability: High availability and redundancy requirements, which would result in
additional costs for a customer to meet within their own data center.
 • Metered usage The customer only pays for the resources they are using and only during the
durations of use.
• The ability to scale up and down infrastructure services based on actual usage. This is
particularly useful and beneficial when there are significant spikes and dips within the usage
curve for infrastructure

Platform as a Service (PaaS)

• PaaS allows a customer to fully focus on their core business functions from the software
and application levels, either in development or production environments, without having to
worry about the resources at the typical data center operations level
• The capability provided to the customer is to deploy onto the cloud infrastructure
consumer-created or acquired applications created using programming languages, libraries,
services, and tools supported by the provide
• The customer does not manage or control the underlying cloud infrastructure including
network, servers, operating systems, or storage, but has control over the deployed
applications and possibly configuration settings for the application-hosting environment

Key Features and Benefits of PaaS

• Auto-scaling : As resources are needed (or not needed), the system can automatically adjust
the sizing of the environment to meet demand without interaction from the customer
• Multiple host environments: This also allows a customer evaluating different applications to
be more open to underlying operating system requirements.
o Significant strides and efforts have been taken to ensure that open source stacks are
both supported and utilized, thus reducing lock-in or issues with interoperability
when changing CSPs
• Choice of environments: The choice of environments not only extends to actual operating
systems, but it also allows enormous flexibility as to specific versions and flavors of
operating systems, contingent on what the cloud provider offers and support
• Flexibility : The developers have enormous flexibility to move between providers and
platforms with ease. PaaS offers development teams enormous ease in testing and moving
between platforms or even cloud provider
• Cost effective: PaaS offers significant cost savings for development teams because only
systems that are actively and currently used incur costs.
• Licensing : Licensing In a PaaS environment, the cloud provider is responsible for handling
proper licensing of operating systems and platforms, which would normally be incumbent
on an organization to ensure compliance
• OSs can be changed and upgraded frequently
• Globally distributed development teams are able to work together
• Services are available and can be obtained from diverse sources
• Upfront and recurring or ongoing costs can be significantly reduced by utilizing a single
vendor instead of maintaining multiple hardware facilities and environments.
Software as a Service (SaaS)
• The capability provided to the customer is to use the provider’s applications running on a
cloud infrastructure. The applications are accessible from various client devices through
either a thin client interface, such as a web browser (e.g., web-based email), or a program
interface
• The consumer does not manage or control the underlying cloud infrastructure including
networks, servers, operating systems, storage, or even individual application capabilities,
with the possible exception of limited user-specific application configuration settings.”6
• When utilizing and deploying the right middleware and associated components, the ability
to run and execute programs with the flexibility, scalability, and on-demand selfservice
capabilities can present massive incentives and benefits for scalability, usability, reliability,
productivity, and cost savings
• Key Features and Benefits of SaaS
o Support costs and effort: Only the availability of the software application is
important to the customer, and any responsibility for upgrades, patching, high
availability, and operations solely reside with the cloud provider. This enables the
customer to focus solely on productivity and business operations instead of IT
operations
o Reduced overall costs
▪ The customer does not need to have systems administrators or security staff
on hand, nor do they need to purchase hardware and software, plan for
redundancy and disaster recovery, perform security audits on infrastructure,
or deal with utility and environmental costs
o Licensing
▪ Whereas PaaS offers the licensing of the operating system and platforms to
the cloud provider, SaaS takes it a step further with the software and
everything included, leaving the customer to just “lease” licenses as they
consume resources within the provided application
o Ease of use and administration:
▪ The customer only bears responsibility for configuring user access and
access controls within the system, as well as minimal configurations. The
configurations typically allowed within a SaaS system are usually very
restricted and may only allow slight tweaks to the user experience, such as
default settings or possibly some degree of branding; otherwise, all
overhead and operations are held by the cloud provider exclusively.
o Standardization: SaaS is a fully featured software application, all users will by
definition be running the exact same version of the software at all time
▪ A major challenge that many development and implementation teams face
relates to patching and versioning, as well as configuration baselines and
requirements. Within a SaaS model, because this is all handled by the cloud
provider, it is achieved automatically.
Cloud Deployment Models

Public Cloud

• Key Benefits and Features of the Public Cloud Model

o Setup Setup is very easy and inexpensive for the customer.
o Scalability Even though scalability is a common feature of all cloud implementations,
most public clouds are offered from very large corporations that have very broad
and extensive resources and infrastructures
o Right-sizing resources Customers only pay for what they use and need at any given
point in time.
o Streamlined and easy-to-provision resources

Private Cloud

It may be owned, managed, and operated by the organization, a third party, or some combination of
them, and it may exist on or off premises.

• Key Benefits and Features of the Private Cloud Model

• ■ Increased control over data, underlying systems, and applications ■ Ownership and
retention of governance controls ■ Assurance over data location and removal of multiple
jurisdiction legal and compliance requirements
o Ownership retention:
▪ This includes control of the underlying hardware and software
infrastructures, as well as control throughout the cloud in regard to data
policies, access polices, encryptions methods, versioning, change control,
and governance as a whole.
▪ For any organization that has strict policies or regulatory controls and
 requirements, this model would facilitate easier compliance and verification
for auditing purposes versus the more limited controls and views offered via
a public cloud.
o Control over systems
▪ With a private cloud, the operations and system parameters of the cloud are
solely at the discretion of the controlling organization.
o Proprietary data and software control:
▪ Whereas a public cloud requires extensive software and contractual
requirements to ensure the segregation and security of hosted systems, a
private cloud offers absolute assurance that no other hosted environments
can somehow gain access or insight into another hosted environment
o Private clouds are typically more popular among large, complex organizations with
legacy systems and heavily customized environments

The Hybrid cloud model

• Remain unique entities, but are bound together by standardized or proprietary technology
that enables data and application portability
o Cloud bursting for load balancing between clouds
• Hybrid cloud benefits
o Retain ownership and oversight of critical tasks and processes related to technology.
o Reuse previous investments in technology within the organization
o Control the most critical business components and systems
o Enhance cloud bursting and DR by hybrid cloud deployments
• Community cloud model
o It may be owned, managed, and operated by one or more of the organizations in the
community, a third party, or some combination of them, and it may exist on or off
premises.”10
o Providing heightened levels of privacy, security, and regulatory compliance.

Cloud Cross-Cutting aspects

• The deployment of cloud solutions, by its nature, is often deemed a technology decision;
however, it’s truly a business alignment decision
• Why is it a business decision, you ask? Two distinct reasons:
o All technology decisions should be made with the overall business direction and
strategy at the core.
o When it comes to funding and creating opportunities, these should be made at a
business level.
▪ A cloud transition’s ability to directly support organizational business or
mission goals
• Architecture overview
o The architect is a planner, strategist, and consultant who sees the “big picture” of
the organization
o Enterprise security architecture provides the conceptual design of network security
infrastructure and related security mechanisms, policies, and procedures
The NIST cloud technology Roadmap
• Interoperability
o Interoperability defines how easy it is to move and reuse application components
regardless of the provider, platform, OS, infrastructure, location, storage, format of
data or APIs
o Portability is a key aspect to consider when selecting CSPs because it can both help
prevent vendor lock-in and deliver business benefits by allowing identical cloud
deployments to occur in different CSP solutions, either for the purposes of DR or for
the global deployment of a distributed single solution.
• Availablity
o In many cases, CSPs are required to provide upward of 99.9 percent availability as
per the SLA
o Failure to do so can result in penalties, reimbursement of fees, loss of customers,
loss of confidence, and ultimately brand and reputational damage
• Security
o Security remains the biggest concern, with security continuing to act as a barrier
preventing them from engaging with cloud services
o successful security program, the ability to measure, obtain assurance, and integrate
contractual obligations to minimum levels of security are the keys to success.
• Privacy
o Privacy presents a major challenge for both customers and providers
o leading providers of cloud services make provisions to ensure the location and
legislative requirements (including contractual obligations) are met, this should
never be taken as a given and should be specified within relevant SLAs and
contracts.
o Within Europe, privacy is seen as a human right and as such should be treated with
the utmost respect
• Resiliency
o Cloud resiliency represents the ability of a cloud services data center and its
associated components, including servers, storage, and so on, to continue operating
in the event of a disruption, which may be equipment failure, power outage, or a
natural disaster
o Resiliency should typically be far higher, with equipment and capabilities being
ready to fail over, multiple layers of redundancy, and enhanced exercises to test
such capabilities.
• Performance
o Cloud computing and high performance should go hand in hand at all times
o With these four elements influencing the design, integration, and development
activities, performance should be boosted and enhanced throughout
• Governance
o The term governance relating to processes and decisions looks to define actions,
assign responsibilities, and verify performance
o Goal is to secure applications and data when in transit and at rest.
o A key benefit of many cloud-based services is the ability to access relevant reporting,
metrics, and up-to-date statistics related to usage, actions, activities, downtime,
outages, updates, and so on
 ▪ This may enhance and streamline governance and oversight activities with
the addition of scheduled and automated reporting.
• SLA
oIn the SLA, the minimum levels of service, availability, security, controls, processes,
communications, support, and many other crucial business elements are stated and
agreed upon by both parties
o These include downtime, upgrades, updates, patching, vulnerability testing,
application coding, test and development, support, and release management
• Auditability
o Auditability allows for users and the organization to access, report, and obtain
evidence of actions, controls, and processes that were performed or run by a
specified user.
o From a customer perspective, increased confidence and the ability to have evidence
to support audits, reviews, or assessments of object-level or systems-level access
form key drivers.
o Auditability in noncloud environments can focus on financial reporting, whereas
cloud-based auditability focuses on actions and activities of users and systems.
• Regulatory compliance
o Regulatory compliance is an organization’s requirement to adhere to relevant laws,
regulations, guidelines, and specifications relevant to its business, specifically
dictated by the nature, operations, and functions it provides or utilizes to its
customers

Network security and Perimeter

• Cryptography
o Encryption mechanisms should be selected based on the information and data they
protect, while taking into account requirements for access and general functions
o The critical success factor for encryption is to enable secure and legitimate access to
resources, while protecting and enforcing controls against unauthorized access.
o The cloud architect and administrator should explore the appropriate encryption
and access measures to ensure that proper separation of tenants’ information and
access is deployed within public cloud environments
• Data in transit (Data in motion)
o Data in transit can include the following scenarios:
▪ Data transiting from an end user endpoint
▪ Data moving between machines within the cloud
▪ Data traversing trusted and untrusted networks
o The cloud architect is responsible for reviewing the way data in transit will be
protected or secured at the design phase
o The use of symmetric cryptography for key exchange followed by symmetric
encryption for content confidentiality is also increasing.
• Data at Rest
o The cloud architect is typically responsible for the design and assessment of
encryption algorithms for use within cloud environments
o Of key importance for both security and performance is the deployment and
implementation of encryption on the target hosts and platforms
 ▪ encryption can affect performance
o Note that when information is encrypted on the CSP side and in the event of
discrepancies or disputes with the providers, it may prove challenging to obtain or
extract your data

• Key management
o Encryption and segregation of duties should always go hand in hand
o Key management should be separated from the provider hosting the data, and the
data owners should be positioned to make decisions but ultimately should be in a
position to apply encryption, control, and manage key management processes,
select the storage location for the encryption keys (on-premises in an isolated
location is typically the best security option), and retain ownership and
responsibilities for key management.
o Remote Key Management Service (KMS):
▪ Customer maintains the KMS on-premises
▪ customer will own, operate, and maintain the KMS.
▪ CSP can focus on the hosting, processing, and availability of services
▪ Note that hybrid connectivity is required between the CSP and the cloud
customer for the encryption and decryption to function
o Client-Side Key Management
▪ The main difference here is that most of the processing and control is done
on the customer side
▪ The CSP provides the KMS; however, the KMS resides on the customer’s
premises, where the customer generates, holds, and retains the keys
• SAAS Used this
o

IAM and access control

• The combination of access control and effective management of those technologies,
processes, and controls has given rise to identity and access management (IAM).
• In line with best practice, one-time passwords should be utilized as a risk reduction and
mitigation technique.
• The key phases that form the basis and foundation for IAM in the enterprise include the
following
o Provisioning and deprovisioning
▪ Provisioning is the process of creating accounts to allow users to access
appropriate systems and resources within the cloud environment.
▪ The ultimate goal of user provisioning is to standardize, streamline, and
create an efficient account creation process, while creating a consistent,
measurable, traceable, and auditable framework for providing access to end
users
▪ Deprovisioning is the process whereby a user account is disabled when the
user no longer requires access to the cloud-based services and resources.
▪ Deprovisioning is a risk-mitigation technique to ensure that authorization
creep or additional and historical privileges are not retained, thus granting
access to data, assets, and resources that are not necessary to fulfill the job
role.
 o Centralized directory services
▪ A directory service stores, processes, and facilitates a structured repository
of information stored, coupled with unique identifiers and locations.
▪ The use of privileged identity management (PIM) features is strongly
encouraged for managing access of the administrators of the directory
o Privileged user management
▪ Privileged accounts typically carry the highest risk and impact because
compromised privileged user accounts can lead to significant permissions
and access rights being obtained, thus allowing the user or attacker to
access resources and assets that may negatively affect the organization.
▪ Segregation of duties can form an extremely effective mitigation and risk
reduction technique around privileged users and their ability to effect major
changes
o Authentication and access management
▪ Authorization determines the user’s right to access a certain resource.
▪ Access management is focused on the manner and way in which users can
access relevant resources, based on their credentials and characteristics of
their identity
▪ If one of the mentioned activities is not carried out regularly as part of an
ongoing managed process, it can weaken the overall security posture.

Data and media sanitization

• Vendor Lock-in
o Vendor lock-in highlights where a customer may be unable to leave,
migrate, or transfer to an alternate provider because of technical or
nontechnical constraints.
• Vendor lock-in poses a real risk for an organization that may not be in a position to
leave the current provider or indeed continue with business operations and services.
• Challenge related to secure deletion or the sanitization of digital media remains a
largely unsolved issue among CSPs and cloud customers alike
• Adopting a security mind-set, if you can restrict the availability, integrity, and
confidentiality of the data, you can then make the information unreadable, which
will act as the next best method to secure deletion

Cryptographic erasure
• Where possible (this may not apply to all cloud-based environments), erase each
block, overwrite all with a known pattern, and erase them again.
• When done correctly, a complete erasure of the storage media eliminates risks
related to key recovery (where stored locally—yes, this is a common mistake), side-
channel attacks on controller to recover information about the destroyed key, and
future attacks on the cryptosystem.
• Key destruction on its own is not a comprehensive approach because the key may
be recovered using forensic techniques.
Virtualization security
• Virtualization technologies enable cloud computing to become a real and scalable service
offering due to the savings, sharing, and allocations of resources across multiple tenants and
environments
• In the world of cloud computing, virtualization represents one of the key targets for the
attackers
• security types
o Type 1 security: Type 1 hypervisors significantly reduce the attack surface over Type
2 hypervisors.
▪ The limited access and strong control over the embedded OS greatly
increase the reliability and robustness of Type 1 hypervisors
o Type 2 security: Because Type 2 hypervisors are OS based, they are more attractive
to attackers, given that there are far more vulnerabilities associated
▪ Where technology, hardware, and software standardization can be used
effectively, this can significantly reduce the risk landscape and increase the
security posture.

Common Threat
• Data Breach
o The risk of data breach is not unique to cloud computing, but it consistently ranks as
a top concern for cloud customers
o Cloud providers are highly accessible and the vast amount of data they host makes
them an attractive target.
o The best protection against data breach is an effective security program. Two
important security measures that can help companies stay secure in the cloud are
multifactor authentication and encryption.
• Data Loss
o Data loss refers to the loss of information, deletion, overwriting, corruption, or
integrity related to the information stored, processed, or transmitted within cloud
environments.
o Note that when the customer uploads encrypted information to the cloud
environment, the encryption keys become a critical component to ensure data is not
lost and remains available. The loss of the relevant encryption keys constitutes data
loss because the information will no longer be available for use in the absence of the
keys
o Cloud consumers should review the contracted data loss provisions, ask about the
redundancy of a provider’s solution, and understand which entity is responsible for
data loss and under what conditions
• Account or service traffic Hijacking
o The key component of these attack methods, when successful, allows for the
attackers to monitor and eavesdrop on communications, sniff and track traffic,
capture relevant credentials, and access and alter account and user profile
characteristics (changing passwords and more).
o All accounts and account activities should be monitored and traceable to a human
owner, even service accounts
• Insecure interfaces and API
o Key functions of the APIs, including the provisioning, management, and monitoring,
are performed utilizing the provider interfaces
o APIs is required to prevent against deliberate and accidental attempts to circumvent
policies and controls.
o Threat modeling applications and systems, including data flows and
architecture/design, become important regular parts of the development lifecycle.
In addition to security-specific code reviews, rigorous penetration testing becomes a
requirement.
• Denial of service
o This can be done using any number of attack vectors available but typically look to
target buffers, memory, network bandwidth, or processor power.
• Abuse and Nefarious Use of Cloud Services
o Malicious use of cloud service resources can reduce available capacity for legitimate
customers hosted by cloud service providers. Responding to malicious use can also
reduce the availability of response resources for addressing other customer support
issues. Fraudulent payment instrument use can result in passing increased costs
along to innocent parties such as financial institutions or cloud providers and
ultimately to customers and others.