
Cloud security management for software-as-a-service (SaaS)

SaaS is a method of software delivery and licensing in which software is accessed online via a
subscription, rather than bought and installed on individual computers.

The most common way to manage data security and user access in cloud computing is through the use
of a Cloud Access Security Broker (CASB). This technology lets us see all cloud applications in use and
apply security policies across them.

1. View all cloud services in use and assess their risk. CASB technology uses network log data from
secure web gateways, firewalls, or security information and event management (SIEM) products to
show all the cloud services being accessed from the network and from managed devices, including those
that employees sign up for without IT, i.e. shadow IT services. It then displays a risk rating, so
we can decide whether or not to continue allowing access.
2. Audit and adjust native security settings. Many SaaS applications, including Office 365, come
with native settings such as access and sharing permissions. From a single console, we can set
policies for how we want permissions configured across multiple cloud services.
3. Use Data Loss Prevention (DLP) to prevent theft. Some intellectual property or regulated data
will most likely make it into a cloud service like Dropbox. Through an API connection to the
service itself, we can classify data and set a policy to remove or encrypt it based on the chosen
policy. This applies to all data in the service, whether it comes from a device or network we
know about, or from an unmanaged device we can't see.
4. Encrypt data with your own keys. Depending on our risk tolerance, we may not want to trust
the cloud provider's native encryption to protect our data. If we do, the provider will hold our
encryption keys and technically could access our data. Instead, we have the option to use our
own encryption keys and manage them ourselves, blocking access by any third party while
allowing authorized users to use the application with normal functionality.
5. Block sharing with unknown devices or unauthorized users. One of the most common security
gaps in cloud computing is someone signing into a cloud service from an unmanaged device and
accessing data without any visibility. To stop that, we can set requirements for the devices that can
access data within the cloud services we manage, so only the devices we know are allowed to
download anything. Similarly, we can control sharing of information with unauthorized users by
changing their permissions or "role" (such as owner, editor, or viewer) and revoking shared links.
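As an added example (not from the original notes and not any CASB product's code), the Python below performs the discovery step described in point 1: it parses constructed web-proxy log lines, maps each destination to a constructed service catalogue carrying a risk rating and a sanctioned flag, treats unknown destinations as highest risk until someone assesses them, and reports the unsanctioned services that received uploads. The log format, the catalogue, and the risk values are assumptions made for the example.

```python
"""Shadow-IT discovery from web-proxy logs (the CASB 'view all services and assess
risk' step), as an added teaching example. Log lines, catalogue and risk scores are
constructed for the example."""
import re
from urllib.parse import urlsplit

# Constructed sample proxy log: timestamp user method url status
SAMPLE_LOG = """\
2024-05-01T09:00:01Z alice GET https://mail.office365.example.com/owa/ 200
2024-05-01T09:02:13Z bob   PUT https://www.dropbox.com/upload/report.xlsx 200
2024-05-01T09:03:44Z carol POST https://pastebin.com/post 200
2024-05-01T09:05:10Z alice GET https://crm.salesforce.com/home 200
2024-05-01T09:07:29Z dave  POST https://unknown-sync-app.example.net/api/upload 200
2024-05-01T09:08:02Z bob   GET https://www.dropbox.com/home 200
"""

# Constructed service catalogue: domain suffix -> (service name, risk 1-10, sanctioned by IT)
CATALOGUE = {
    "office365.example.com": ("Office 365", 2, True),
    "salesforce.com": ("Salesforce", 2, True),
    "dropbox.com": ("Dropbox", 5, False),
    "pastebin.com": ("Pastebin", 9, False),
}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")


def classify_host(host):
    """Look the host up by registered-domain suffix; unknown services get the
    highest risk score until they have been assessed."""
    for suffix, entry in CATALOGUE.items():
        if host == suffix or host.endswith("." + suffix):
            return entry
    return (host, 10, False)


def discover_services(log_text):
    """Aggregate per service: distinct users, request count, uploads (PUT/POST),
    risk rating and whether IT sanctioned it."""
    report = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        _ts, user, method, url, _status = m.groups()
        host = urlsplit(url).hostname or ""
        name, risk, sanctioned = classify_host(host)
        entry = report.setdefault(name, {"users": set(), "requests": 0, "uploads": 0,
                                         "risk": risk, "sanctioned": sanctioned})
        entry["users"].add(user)
        entry["requests"] += 1
        if method in ("PUT", "POST"):
            entry["uploads"] += 1
    return report


def shadow_it(report, risk_threshold=5):
    """Unsanctioned services at or above the risk threshold that received uploads:
    the ones to decide on first (allow, coach users, or block)."""
    return sorted(name for name, e in report.items()
                  if not e["sanctioned"] and e["risk"] >= risk_threshold and e["uploads"] > 0)


if __name__ == "__main__":
    found = discover_services(SAMPLE_LOG)
    for name, e in sorted(found.items(), key=lambda kv: -kv[1]["risk"]):
        print(f"{name:32} risk={e['risk']:2} sanctioned={e['sanctioned']!s:5} "
              f"users={len(e['users'])} uploads={e['uploads']}")
    print("review first:", shadow_it(found))
```

The threshold is the policy knob: a real CASB would feed the same table into a console where the rating is refined with vendor attributes (encryption at rest, audit logging, compliance attestations), but the pipeline of log, classification and decision is the same.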

Cloud security management for infrastructure-as-a-service (IaaS)


Infrastructure-as-a-service (IaaS) is the cloud equivalent of the data center and server environments that
many IT teams are used to managing at their own physical sites.

1. View all infrastructure in use across multiple providers and assess its current security
configuration. Simply by entering account credentials for IaaS providers like AWS and Azure, we
can see all the cloud workloads being created, and assess their security policy. Connecting to a
virtual data center running VMware also provides a “private cloud” view.
2. View your network traffic and control it at the virtual machine (VM) level. In a fully virtualized
environment like AWS, we have network traffic coming in and out from the public internet, and
also travelling between our VMs in the cloud. It's important to see everything, scan for malicious
access, and set our policies at the VM level so we can have fine-tuned security over specific assets.
3. Harden your workloads with whitelisting. Most workloads running in IaaS have a single purpose
and don't need to change much. Rather than allowing new applications to run on our
operating systems, we can whitelist only what we need and default-deny the rest. This stops all
malware except for memory-exploit-based attacks.
4. Stop fileless attacks that target operating system memory. If we default-deny all new files
entering our operating systems, we are left with one critical vulnerability: memory
exploits that can bypass the whitelist. For memory exploit prevention, part of the agent we
deploy to our workloads can monitor for these attacks (e.g., buffer overflows) and stop them
before they execute.
5. Deploy agent-based security as code, using DevOps tools. The last thing we want in a cloud
environment is to add agent-based security only after workloads have been deployed, which leaves
us in constant catch-up mode. Instead, agents can be deployed through tools like Chef or Puppet, as
code in the same package as the workload itself. Once we decide what our security
configuration should be, we can export the code from the cloud management console and share it
with the DevOps or infrastructure teams so they can include it as part of the deployment
process.
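As an added example (not the code of any product the notes mention), the Python below implements the default-deny decision of step 3: an allowlist of path-to-SHA-256 entries is baked into the workload image, every execution request is checked against it, and both unknown files and modified copies of allowed binaries are denied. Paths and file contents are constructed placeholders. As step 4 points out, this controls what is loaded from disk and does not by itself stop in-memory exploits.

```python
"""Default-deny application allowlisting for a single-purpose workload, as an added
teaching example. Binary contents and paths are constructed placeholders."""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for the real binaries' bytes.
NGINX_BYTES = b"placeholder bytes standing in for /usr/sbin/nginx"
LOGROTATE_BYTES = b"placeholder bytes standing in for /usr/sbin/logrotate"

# The allowlist: path -> expected digest, recorded when the workload image is built.
ALLOWLIST = {
    "/usr/sbin/nginx": sha256_hex(NGINX_BYTES),
    "/usr/sbin/logrotate": sha256_hex(LOGROTATE_BYTES),
}


def decide(path: str, content: bytes, allowlist=ALLOWLIST):
    """Return (allowed, reason). Default-deny: only a listed path whose bytes still
    hash to the recorded digest may execute; everything else is refused."""
    expected = allowlist.get(path)
    if expected is None:
        return False, f"deny: {path} is not on the allowlist"
    actual = sha256_hex(content)
    if actual != expected:
        return False, f"deny: {path} has been modified (hash mismatch)"
    return True, f"allow: {path}"


def audit(events, allowlist=ALLOWLIST):
    """Run a batch of (path, content) execution events through the policy and
    return the paths that were denied, for alerting."""
    return [path for path, content in events if not decide(path, content, allowlist)[0]]


if __name__ == "__main__":
    # Constructed execution events: two expected binaries and an unexpected file.
    sample_events = [
        ("/usr/sbin/nginx", NGINX_BYTES),
        ("/usr/sbin/logrotate", LOGROTATE_BYTES),
        ("/tmp/unknown-tool", b"junk"),
        ("/usr/sbin/nginx", NGINX_BYTES + b"\x90"),  # tampered copy at the right path
    ]
    for path, content in sample_events:
        print(decide(path, content)[1])
    print("denied:", audit(sample_events))
```

Hashing the bytes rather than trusting the path is what makes the modified-binary case fail: a workload that "doesn't need to change much" should see a hash mismatch only when its image is rebuilt, so every other mismatch is worth an alert.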

Encryption

The simple meaning of encryption is to convert plain text into cipher text.

e.g., hi -> ih

Encryption is done to preserve the confidentiality and integrity of data.

Confidentiality means that no malicious or unauthorized user can read or understand the message.

Integrity means that the message must not be changed. e.g., "hi" should not turn into some other text like "bye"
when decrypted.

Types of encryption

Symmetric

- uses the same key for encryption and decryption

- basically used for confidentiality purposes
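As an added worked example (not part of the original notes), the Python below shows the symmetric properties above in code: one shared key serves both encrypt and decrypt, and an integrity tag lets the receiver reject a message that was changed in transit rather than decrypting it into something else. The cipher itself is a toy keystream built from SHA-256, standing in for a real cipher such as AES-GCM, and the key material is constructed for the example; it is not for production use.

```python
"""Symmetric encryption with an integrity check, as an added teaching example.
The keystream is a toy built from SHA-256 (not a real cipher); what the example
shows is that one shared key is used in both directions and that a MAC detects
modification before anything is decrypted."""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def derive_keys(key: bytes):
    """Separate encryption and MAC keys, both derived from the one shared secret."""
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    return enc_key, mac_key


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(enc_key || nonce || counter), block by block."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag; the tag covers nonce and ciphertext (encrypt-then-MAC)."""
    enc_key, mac_key = derive_keys(key)
    nonce = os.urandom(NONCE_LEN)  # fresh per message so the keystream is never reused
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def is_intact(key: bytes, blob: bytes) -> bool:
    """Integrity check: True only if the tag verifies under this key (constant-time compare)."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return False
    _, mac_key = derive_keys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify first, then decrypt: a modified message is rejected, never decrypted to 'bye'."""
    if not is_intact(key, blob):
        raise ValueError("integrity check failed: message was modified or key is wrong")
    enc_key, _ = derive_keys(key)
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN]
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, nonce, len(ct))))


def tamper(blob: bytes, index: int = NONCE_LEN) -> bytes:
    """Flip one bit of the ciphertext to simulate modification in transit."""
    return blob[:index] + bytes([blob[index] ^ 0x01]) + blob[index + 1:]


if __name__ == "__main__":
    shared_key = os.urandom(32)  # constructed: both parties hold this same key
    message = encrypt(shared_key, b"hi")
    print(decrypt(shared_key, message))        # b'hi'
    print(is_intact(shared_key, tamper(message)))  # False
```

Without the tag, flipping a ciphertext bit would flip the same plaintext bit after decryption, which is exactly the "hi becomes bye" failure the integrity property rules out; checking the tag before decrypting is what turns that into a rejected message.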

Asymmetric

- uses different keys for encryption and decryption, i.e. a public key and a private key

- basically used for confidentiality, authentication and non-repudiation


Public Key Infrastructure (PKI)

It is the standard for digital certificates and is related to the idea of asymmetric key cryptography, as
it uses both public and private keys.

It is used to manage the process of issuing asymmetric keys.

It is also used to associate public keys with their owners, thus enabling the verification of a key.

The entities involved in PKI are:

the certificate authority (CA), the registration authority (RA), the repository, the relying party and the subscriber.

Here the subscriber first requests a certificate from the registration authority, which verifies the request. If the
request is verified, the RA requests a certificate from the certificate authority. The certificate authority issues the
certificate and provides it to the subscriber. Both authorities have a repository to store their own data.

Then the subscriber sends the certificate to a relying party when needed. The relying party then checks that
the certificate is verified by the certificate authority.
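As an added example (not from the original notes), the Python below walks through the asymmetric properties and the PKI flow above with textbook RSA: different keys for encrypting and decrypting, a private key that signs and a public key that verifies, a CA that issues a certificate binding a subscriber's name to its public key, and a relying party that accepts the key only if the CA's signature checks out. The primes, subject names and certificate format are constructed for the example and far too small for real use, and no padding scheme is applied.

```python
"""Asymmetric keys and a toy PKI, as an added teaching example: textbook RSA with
small constructed primes (real keys use 2048-bit primes and padding), a CA that
signs certificates, and a relying party that checks them."""
import hashlib
from math import gcd


def rsa_keygen(p: int, q: int, e: int = 65537):
    """Return (public, private) = ((n, e), (n, d)) for primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public, m: int) -> int:
    n, e = public
    return pow(m, e, n)  # anyone holding the public key can encrypt ...


def decrypt(private, c: int) -> int:
    n, d = private
    return pow(c, d, n)  # ... only the private-key holder can decrypt


def _digest_mod_n(msg: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(private, msg: bytes) -> int:
    n, d = private
    return pow(_digest_mod_n(msg, n), d, n)  # private key signs: non-repudiation


def verify(public, msg: bytes, sig: int) -> bool:
    n, e = public
    return pow(sig, e, n) == _digest_mod_n(msg, n)  # public key verifies: authentication


# --- toy PKI -----------------------------------------------------------------
def cert_bytes(subject: str, public) -> bytes:
    """Canonical certificate body that the CA signs (constructed format)."""
    n, e = public
    return f"subject={subject};n={n};e={e}".encode()


def ca_issue(ca_private, subject: str, subscriber_public) -> dict:
    """CA issues a certificate: the subscriber's public key bound to its name, CA-signed."""
    body = cert_bytes(subject, subscriber_public)
    return {"subject": subject, "public": subscriber_public, "sig": sign(ca_private, body)}


def relying_party_check(ca_public, cert: dict, expected_subject: str) -> bool:
    """Relying party accepts the key only if the name matches and the CA signature holds."""
    if cert["subject"] != expected_subject:
        return False
    return verify(ca_public, cert_bytes(cert["subject"], cert["public"]), cert["sig"])


# Constructed toy key material; these primes are far too small for real use.
CA_PUB, CA_PRIV = rsa_keygen(2147483647, 1000003)
SUB_PUB, SUB_PRIV = rsa_keygen(1299709, 15485863)
ALICE_CERT = ca_issue(CA_PRIV, "alice", SUB_PUB)  # the RA's vetting step is assumed done

if __name__ == "__main__":
    print(decrypt(SUB_PRIV, encrypt(SUB_PUB, 123456)))          # 123456
    print(relying_party_check(CA_PUB, ALICE_CERT, "alice"))     # True
    print(relying_party_check(CA_PUB, dict(ALICE_CERT, subject="mallory"), "mallory"))  # False
```

The relying party never needs the subscriber's private key and never talks to the CA online; it only needs the CA's public key, which is the trust anchor the whole scheme rests on. A certificate whose subject line was edited, or one signed by a key the CA does not own, fails the same check.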

SSO

The SSO cloud security mechanism enables a cloud service user to be authenticated by a Security
Broker, which establishes a security context that persists while the cloud service user accesses other
cloud services or cloud-based IT resources.

The SSO mechanism essentially enables mutually independent cloud services and IT resources to
generate and circulate runtime authentication and authorization credentials for each cloud user, for
efficient security.

IAM

IAM includes the components and policies necessary to control and track user identities and access
privileges for IT resources, environments and systems. Basically, IAM is responsible for managing whether a user
is authenticated and authorized to use a resource. IAM mainly deals with preventing unauthorized
access to resources.

IAM has four main components:

Authentication:

It checks whether the username and password match.

Similarly, digital signatures, digital certificates, and biometrics such as fingerprints or face recognition are
also used to check whether a user is authentic.

Authorization:

After authenticating the user, IAM also checks whether the user is authorized to use a given resource. An
authenticated user may be authorized to use resource A but not have access to resource B.

User management:

It means the admin functionality such as creating new users, adding users to the required access groups,
and maintaining password policies and privileges.

Credential management:

Establishes identities and access control rules for users.

It also means stopping a user who is not authorized to use a resource.
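As an added example serving both the SSO and IAM sections (not code from the original notes), the Python below models a security broker that authenticates a user against a salted password hash, issues an HMAC-signed security context, and lets any service check that context and apply an authorization policy without re-authenticating the user. The user store, policy, broker secret and token format are constructed stand-ins for SAML/OIDC-style assertions.

```python
"""Security broker issuing a signed security context (SSO), plus IAM authentication,
authorization and user management, as an added teaching example. Tokens are HMAC-signed
JSON; the broker secret, user store and policy are constructed for the example."""
import base64
import binascii
import hashlib
import hmac
import json
import os
import time

BROKER_SECRET = b"constructed-broker-secret-change-me"  # shared with services out of band
USERS = {}                                              # username -> record (user management)
POLICY = {"resourceA": {"analyst", "admin"},            # authorization rules: resource -> roles
          "resourceB": {"admin"}}


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def add_user(username: str, password: str, roles) -> None:
    """User management: create the user with a salted PBKDF2 hash and its access groups."""
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": _hash_password(password, salt), "roles": set(roles)}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def issue_token(username: str, roles, ttl: int = 3600) -> str:
    """Broker issues the security context: signed claims other services can trust."""
    payload = json.dumps({"sub": username, "roles": sorted(roles),
                          "exp": int(time.time()) + ttl}).encode()
    sig = hmac.new(BROKER_SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def authenticate(username: str, password: str):
    """Authentication: check the credential; on success return an SSO token, else None."""
    rec = USERS.get(username)
    if rec is None:
        return None
    if not hmac.compare_digest(rec["hash"], _hash_password(password, rec["salt"])):
        return None
    return issue_token(username, rec["roles"])


def verify_token(token: str):
    """Any service validates the broker's signature and expiry instead of re-authenticating."""
    try:
        p64, s64 = token.split(".")
        payload, sig = base64.urlsafe_b64decode(p64), base64.urlsafe_b64decode(s64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(BROKER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(payload)
    if claims["exp"] < time.time():
        return None
    return claims


def authorize(token: str, resource: str) -> bool:
    """Authorization: an authenticated user is still denied resources their roles don't cover."""
    claims = verify_token(token)
    if claims is None:
        return False
    return bool(set(claims["roles"]) & POLICY.get(resource, set()))


if __name__ == "__main__":
    add_user("alice", "correct horse battery", ["analyst"])   # constructed account
    token = authenticate("alice", "correct horse battery")
    print(authorize(token, "resourceA"), authorize(token, "resourceB"))  # True False
```

The split between the broker (which alone sees the password) and the services (which only check the signature) is what makes the context "persist" across independent cloud services, and the policy lookup is the authorization step: the same valid token opens resource A and is refused at resource B.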
