
Cloud 4

cloud security
Cloud security, also known as cloud computing security, is the practice of protecting cloud-based data,
applications and infrastructure from cyber attacks and cyber threats.

Cybersecurity, of which cloud security is a subset, has the same goals. Where cloud security differs
from traditional cybersecurity is in the fact that administrators must secure assets that reside within a
third-party service provider's infrastructure.

Why cloud security is important

As enterprise cloud adoption grows, business-critical applications and data migrate to trusted third-
party cloud service providers (CSPs). Most major CSPs offer standard cybersecurity tools with
monitoring and alerting functions as part of their service offerings, but in-house information technology
(IT) security staff may find these tools do not provide enough coverage, meaning there are
cybersecurity gaps between what is offered in the CSP's tools and what the enterprise requires. This
increases the risk of data theft and loss.

Because no organization or CSP can eliminate all security threats and vulnerabilities, business leaders
must balance the benefits of adopting cloud services with the level of data security risk their
organizations are willing to take.

Putting the right cloud security mechanisms and policies in place is critical to prevent breaches and
data loss, avoid noncompliance and fines, and maintain business continuity (BC).

A major benefit of the cloud is that it centralizes applications and data and centralizes the security of
those applications and data as well. Eliminating the need for dedicated hardware also reduces
organizations' cost and management needs, while increasing reliability, scalability and flexibility.
How cloud security works

Cloud computing operates in three main environments:

1. Public cloud services are hosted by CSPs. These include software as a service (SaaS),
platform as a service (PaaS) and infrastructure as a service (IaaS).
2. Private clouds are hosted by or for a single organization.
3. Hybrid clouds include a mix of public and private clouds.

As a result, cloud security mechanisms take two forms: those supplied by CSPs and those
implemented by customers. It is important to note that handling of security is rarely the complete
responsibility of the CSP or the customer. It is usually a joint effort using a shared responsibility model.

The shared responsibility model

Although not standardized, the shared responsibility model is a framework that outlines which security
tasks are the obligation of the CSP and which are the duty of the customer. Enterprises using cloud
services must be clear which security responsibilities they hand off to their provider(s) and which they
need to handle in-house to ensure they have no gaps in coverage.

Customers should always check with their CSPs to understand what the provider covers and what they
need to do themselves to protect the organization.

Cloud security tools

Many of the same tools used in on-premises environments should be used in the cloud, although
cloud-specific versions of them may exist. These tools and mechanisms include encryption, IAM and
single sign-on (SSO), data loss prevention (DLP), intrusion prevention and detection systems
(IPSes/IDSes) and public key infrastructure (PKI).

Some cloud-specific tools include the following:

• Cloud workload protection platforms (CWPPs). A CWPP is a security mechanism designed to
protect workloads -- for example, VMs, applications or data -- in a consistent manner.
• Cloud access security brokers (CASBs). A CASB is a tool or service that sits between
cloud customers and cloud services to enforce security policies and, as a gatekeeper, add a
layer of security.
• Cloud security posture management (CSPM). CSPM is a group of security products and
services that monitor cloud security and compliance issues and aim to combat cloud
misconfigurations, among other features.

Secure Access Service Edge (SASE) and zero-trust network access (ZTNA) are also emerging as two
popular cloud security models/frameworks.

Security as a service, often shortened to SaaS or SECaaS, is a subset of software as a service. The
Cloud Security Alliance (CSA) defined 10 SECaaS categories:

1. IAM
2. DLP
3. web security
4. email security
5. security assessments
6. intrusion management
7. security information and event management (SIEM)
8. encryption
9. BC/disaster recovery (BCDR)
10. network security

What is Infrastructure Security?


Infrastructure security is the practice of protecting critical systems and assets
against physical and cyber threats. From an IT standpoint, this typically
includes hardware and software assets such as end-user devices, data center
resources, networking systems, and cloud resources.
Benefits of infrastructure security
Enterprises depend on their technology assets to maintain operations, so protecting
technology infrastructure is protecting the organization itself. Proprietary data and
intellectual property (IP) provide many companies significant competitive advantages in
the market, and any loss of or disruption of access to this information can have
profound negative impacts to a company’s profitability.

Common security threats to IT infrastructure
Cyber threats to technology infrastructure range from phishing attempts
and ransomware attacks to distributed denial of service (DDoS) exploits and Internet of
Things (IoT) botnets. Physical dangers include natural disasters such as fires and
floods, civil unrest, utility outages, and theft or vandalism of hardware assets. Any of
these have the potential to cause business disruption, damage an organization’s public
reputation, and have significant financial consequences.

Options for securing IT infrastructure


Typical elements of physical protection include access control, surveillance systems,
security guards, and perimeter security. To protect their digital perimeter, organizations
will implement firewalls, penetration testing, network monitoring, virtual private networks
(VPNs), encryption technologies, and training programs to teach employees how to
identify and respond to phishing emails and other attempts to steal their network
credentials.

Best practices for infrastructure security


Increased interconnectivity and the increased adoption of cloud services, microservices,
and software components across different cloud platforms and at corporate
network edges make securing technology infrastructure both more complex and more
important than ever. Adopting zero-trust security architectures is one way enterprises
are addressing this challenge. Zero trust is a philosophical approach to identity and
access management, establishing that no user or workload is trusted by default. It
requires all users, devices, and application instances to prove they are who or what
they present themselves to be and that they are authorized to access the resources
they seek.
Training employees on password and credential security also plays a significant role in
protecting IT infrastructure. Often, the human element can be the weakest link in an
organization’s security strategy, and the relentless pace of intrusion attempts means
even a brief and seemingly minor lapse in the security perimeter can cause significant
damage.
And because new types of threats can arise at any time, or disasters can have greater-
than-anticipated effects, a robust and frequent backup strategy provides a vital safety
net for business continuity. With data volumes steadily growing, enterprises should look
for a data protection solution that ensures continuous availability via simple, fast
recovery from disruptions, globally consistent operations, and seamless app and data
mobility across multiple clouds.
Why is infrastructure security important?
As more business is done digitally and enterprises increasingly rely on data to inform
critical business decisions, protecting the resources that make these activities possible
takes on greater importance. And with more devices having access to corporate
networks, more users accessing valuable enterprise intellectual property (IP) using
unsecured public networks in locations around the world, and more data being
generated and consumed across edges and clouds, many organizations have an
expanding attack surface vulnerable to threats.
Criminals, hacktivists, hostile nation-state actors, terrorists, and others are using
increasingly sophisticated methods to target organizations of all sizes around the world
and across industry sectors. And not all security threats have malicious intent; human
error and natural disasters can also pose dangers to the integrity of an organization’s
technology infrastructure. To safeguard business continuity, having a strategy in place
to address both cyber and physical security across all key systems and assets,
including those at the edge and in the cloud, is a critical requirement to operate in
today’s digitally connected world.

What are the different levels of infrastructure security?


Many enterprise IT infrastructure security frameworks will address four types, or levels,
of security.
Data
As more data is generated and stored in more locations (core data centers, colocations,
multiple clouds, and edges), protecting this data becomes more complex. An
increasing number of devices connect to enterprise networks due to bring-your-own-device
(BYOD) policies, IoT adoption, and more, meaning that a growing number of
endpoints, or entry points into enterprise networks, must be protected. Some common
enterprise endpoint security measures include URL filtering, anti-virus tools,
sandboxing, secure email gateways, and endpoint detection and response (EDR) tools.
Data encryption technologies also help protect data by encoding it so that only users
with the correct decryption key may access it.

Application
Outdated software can contain vulnerabilities that cyber attackers can exploit to gain
access to IT systems. Ensuring software and firmware updates are distributed and
applied across the enterprise network, known as patching, helps close security holes as
well as provide new functionality, performance improvements, and bug fixes for
enterprise applications.

Network
A firewall typically provides the first line of defense in network security. It serves as a
barrier between an enterprise’s trusted network and other untrusted networks, such as
public Wi-Fi. By monitoring incoming and outgoing network traffic based on a set of
rules, it only allows network traffic that has been defined in the security policy to access
resources on the trusted network. Multi-factor authentication (MFA) also protects the
enterprise network by requiring two or more forms of verification before allowing access
to network resources.

Physical
The most robust cyber protection cannot protect your technology assets from physical
theft, vandalism, or natural disasters. Data recovery plans that incorporate offsite
backups located in different geographies are also a part of a physical security strategy.

Infrastructure Security at Network Level in Cloud Computing

Pre-requisite: Cloud Computing

Infrastructure security deals with the threats, risks, and challenges associated with
securing the organization’s IT infrastructure at the host, network, and application
levels. This approach is commonly used by security practitioners, whereas non-IT security
associates are advised not to equate infrastructure security with access management’s
infrastructure-as-a-service (IaaS) security. Besides that, infrastructure security is more
related to customers, as it has ramifications for their threat, risk, and compliance
management.

Infrastructure Security at the Network Level


There are no new attacks, vulnerabilities, or changes that information security personnel
need to consider in this specific topology. Our organization’s IT infrastructure might be
affected by the implementation of a private cloud, but our current network topology
probably will not be. If we use the services of public clouds, however, any change in the
security requirements will require a change in the network topology. Therefore, we must
define how our existing network topology will interact with the topology of the cloud
provider.

Risk factors that need to be addressed:


1. Integrity and Confidentiality of the In-Transit Data: The resources and data that
were previously confined within the private networks are now exposed to the internet
which is a shared public network that belongs to a third-party cloud provider.

2. Access Control Methods: As a subset of the resources is now exposed to the
internet, an organization using the services of the public cloud faces an increase in
risk to its data. The ability to audit the operations of our cloud provider’s network, even
after the fact, is non-existent, which can be considered a threat to the network.

3. Availability of Services Accessible from the Internet: Dependency on
the security of networks has increased because an enormous number of an
organization’s personnel and users now depend on externally hosted devices to ensure the
availability of services provided by the cloud. Border Gateway Protocol (BGP) prefix
hijacking involves announcing address space that belongs to someone else’s autonomous
system (a connected group of one or more IP prefixes run by one or more network
operators under a single routing policy) without their permission. Such
announcements often occur due to misconfiguration, which can affect the availability of our
cloud-based resources.

For example, in Feb 2008 Pakistan Telecom declared a dummy route for YouTube to its
own telecommunication partner. The intention was to block YouTube within the country,
but the result was that YouTube’s services were affected globally for 2 hours.

Apart from misconfiguration, there are deliberate attacks as well which can block
access to the data.

4. Replacing the Established Model of Network Zones and Tiers with
Domains: The isolation model of network zones and tiers no longer exists in public
infrastructure-as-a-service and platform-as-a-service clouds. For years, network security
has relied on zones to segregate network traffic. This model was based on
exclusion: only individuals and systems in specific roles have access to specific
zones. Similarly, systems within a specific tier often have access across a specific tier.

For example, systems within a presentation tier are not allowed to communicate
directly with systems in the database tier, but can communicate only with an authorized
system within the application zone.

In the established model of network zones and tiers, development systems are logically
separated from the production systems at the network level, but these two groups of
systems are also physically separated at the host level. However, this separation no
longer exists. The cloud computing model of separation by domains provides logical
separation for addressing purposes only.
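The prefix-hijacking risk described under item 3 above can be watched for from the defender's side. The following is an added example, not part of the original notes: it classifies observed BGP announcements against a table of the prefixes an organization originates. All prefixes and AS numbers are constructed documentation values, and the verdict names are this example's own.

```python
import ipaddress

# Constructed table: prefixes this organization originates -> its own AS number.
# Addresses are documentation ranges (RFC 5737, RFC 3849); ASNs are from RFC 5398.
EXPECTED_ORIGINS = {
    "203.0.113.0/24": 64496,
    "2001:db8::/32": 64496,
}

# Verdicts that should raise an alert (names chosen for this example).
ALERTING = {"origin-mismatch", "sub-prefix-hijack", "covering-less-specific"}

# Constructed observations: (announced prefix, AS path as seen by a monitor).
OBSERVED = [
    ("203.0.113.0/24", [64500, 64496]),    # our own announcement
    ("203.0.113.0/24", [64500, 64511]),    # same prefix, foreign origin
    ("203.0.113.128/25", [64505, 64511]),  # more specific, foreign origin
    ("2001:db8:1::/48", [64511]),          # IPv6 more specific, foreign origin
    ("2001:db8:2::/48", [64500, 64496]),   # our own deaggregation
    ("192.0.2.0/24", [64500]),             # nothing to do with us
]


def classify(prefix, as_path, expected=EXPECTED_ORIGINS):
    """Classify one observed announcement against the expected-origin table."""
    ann = ipaddress.ip_network(prefix, strict=True)
    origin = as_path[-1]  # the origin AS is the last AS in the path
    # Compare against the most specific expected prefix first.
    table = sorted(
        ((ipaddress.ip_network(p), asn) for p, asn in expected.items()),
        key=lambda item: item[0].prefixlen,
        reverse=True,
    )
    for ours, our_as in table:
        if ann.version != ours.version:
            continue
        if ann == ours:
            return "ok" if origin == our_as else "origin-mismatch"
        if ann.subnet_of(ours):
            # Routers prefer the longest matching prefix, so a foreign
            # more-specific route attracts traffic even while the legitimate
            # route is still being announced.
            return "own-more-specific" if origin == our_as else "sub-prefix-hijack"
        if ours.subnet_of(ann) and origin != our_as:
            return "covering-less-specific"
    return "unrelated"


def alerts(observed, expected=EXPECTED_ORIGINS):
    """Return (prefix, origin AS, verdict) for every announcement worth paging on."""
    found = []
    for prefix, as_path in observed:
        verdict = classify(prefix, as_path, expected)
        if verdict in ALERTING:
            found.append((prefix, as_path[-1], verdict))
    return found


if __name__ == "__main__":
    for prefix, origin, verdict in alerts(OBSERVED):
        print(f"ALERT {verdict}: {prefix} originated by AS{origin}")
```
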

Infrastructure Security at the Host Level in Cloud Computing

Pre-requisite: Cloud Computing

In this article, we’ll discuss infrastructure security at the host level in cloud
computing. We introduce the topic, then move on to host security in the various
delivery models, Software as a Service (SaaS), Platform as a Service (PaaS) and
Infrastructure as a Service (IaaS), and end by discussing virtual server security.

During the review process of host security and assessing risks, one should always
consider the context of cloud service delivery models(IaaS, PaaS, and SaaS) and
various deployment models(Public, Private, and Hybrid). As we know there are no new
security threats to hosts specific to cloud computing apart from the virtualization security
threats like virtual machine escape, system configuration drift, and insider threats.

The elastic nature of cloud computing can bring new operation challenges from a
security management perspective. Therefore managing the vulnerabilities and patches
is tougher than running a scan, as the rates of changes are much higher than in
traditional data centers.

SaaS and PaaS Host Security


Generally, cloud service providers do not share information regarding their host
platforms, host OSes, and the processes that are in place to secure the hosts, as
hackers might exploit that information when they are trying to break into the cloud
services. Hence, in the context of Software as a Service (SaaS) or Platform as a
Service (PaaS) cloud services, security of the host should be non-transparent to the
customers, and the responsibility for securing the host is confined to the cloud service
providers.

• Virtualization is a technique that improves the host’s hardware utilization, along
with other benefits. It is common for cloud service providers to employ
virtualization platforms, including VMware hypervisors and Xen, in their host
computing platform architecture. Apart from this, customers should be aware of how
their provider is using the virtualization technology and of the provider’s process for
securing the virtualization layer.
• In both the SaaS and PaaS delivery models, the software platform should abstract the
host operating system from the end user with a host abstraction layer. The
accessibility of the abstraction layer is different in each one of the delivery
models (SaaS and PaaS).
• In Software as a Service, the abstraction layer is hidden from the users and only
available to the developers and the cloud service provider’s operational staff.
• In Platform as a Service, by contrast, users have indirect access to the abstraction
layer in the form of a PaaS API (application programming interface) that
eventually interacts with the host abstraction layer.
• Thus, the customers of Software as a Service (SaaS) and Platform as a
Service (PaaS) rely on the cloud service providers to provide a secure host
platform on which the application is developed and deployed.

Infrastructure as a Service (IaaS) Host Security

The customers of Infrastructure as a Service (IaaS) are primarily responsible for
securing the hosts in the cloud. IaaS employs virtualization at the host layer, and
IaaS host security can be categorized as follows:

Virtualization Software Security


It allows customers to create and terminate virtual instances. Virtualization can be
achieved by using virtualization models such as OS-level virtualization,
paravirtualization, or hardware-based virtualization. In a public IaaS, customers
do not have access to this software layer, as it is managed by the cloud service
providers.

Customer Guest OS or Virtual Server Security


The virtual instance of an operating system is placed above the virtualization layer and
is visible to customers from the internet. Customers have full access to virtual servers.
For example, various versions of Linux, Microsoft, and Solaris are available in
Amazon’s AWS for creating an instance.

Virtual Server Security


The customers of Infrastructure as a Service(IaaS) have full access to the virtualized
guest virtual machines that are hosted and isolated from each other by hypervisor
technology. Thus, customers are responsible for the security management of the guest
virtual machines. A public Infrastructure as a Service(IaaS) offers a web service API to
perform management functions such as provisioning, decommissioning, and duplication
of virtual servers on the IaaS platform itself.

These system management functions can provide elasticity for resources to grow or
shrink according to demand. Because the virtual servers are available to anyone on
the internet, network access mitigation steps must be taken to restrict access to
virtual instances. Conventionally, cloud service providers block all ports except port
22 (secure shell, or SSH) for accessing the virtual server instances.

Host Security Threats in the Public IaaS
• Deployment of malware embedded in software components in the virtual
machines.
• Attacks on systems that are not properly secured by host firewalls.
• Attacks on accounts that are not properly secured, e.g. weak passwords, repetitive
passwords, etc.
• Stealing keys that are used to access and manage hosts (SSH private keys).

Securing Virtual Servers
Securing virtual servers in the cloud requires operational security
procedures such as:

• Safeguard the private keys, as they might be used to access hosts in the public
cloud.
• Never allow password-based authentication at the shell prompt.
• Require passwords for role-based access, e.g. Solaris, SELinux.
• The host firewall should open only the minimum ports that are necessary to
support the services offered by the instances.
• Disable the unused services and use only required services, e.g. database
services, FTP services, print services, etc.
• Periodically check the logs for any kind of suspicious activity.
• Isolate the decryption keys from the cloud where the data is hosted, unless
required for decryption, and use them only for the duration of the decryption activity.
• Include no authentication credentials in virtualized images except for a key to
decrypt the file system.
• Install a host-based intrusion detection system (IDS).
• Protect the integrity of virtualized images from unauthorized access.
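
An added example, not part of the original notes: a small Python audit of an sshd_config against the "never allow password-based authentication at the shell prompt" item above. Both sample configurations are constructed, the set of accepted values is this example's own policy, and Include files are not followed.

```python
import re

# OpenSSH defaults (sshd_config(5)) that apply when a keyword is absent.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitemptypasswords": "no",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
}

# Values accepted for a key-only host (this example's own policy).
ACCEPTED = {
    "passwordauthentication": {"no"},
    "kbdinteractiveauthentication": {"no"},
    "permitemptypasswords": {"no"},
    "permitrootlogin": {"no", "prohibit-password", "forced-commands-only"},
    "pubkeyauthentication": {"yes"},
}

# Deprecated keyword that sshd treats as the same setting.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# Constructed sample: password logins are never switched off globally,
# root may log in, and a Match block enables passwords for one account.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
ChallengeResponseAuthentication no

Match User backup
    PasswordAuthentication yes
"""

# Constructed sample: the second PasswordAuthentication line has no effect
# because sshd keeps the first value it reads for each keyword.
HARDENED_CONFIG = """\
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
PasswordAuthentication yes
"""


def parse_sshd_config(text):
    """Return (global_settings, match_blocks) with first-value-wins semantics."""
    global_settings, match_blocks = {}, []
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument are separated by whitespace or a single '='.
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            # Keywords after a Match line override the global section
            # for connections that satisfy the criteria.
            current = {}
            match_blocks.append((value, current))
        else:
            current.setdefault(key, value.lower())
    return global_settings, match_blocks


def audit(text):
    """Return (scope, keyword, effective value, 'set' or 'default') findings."""
    global_settings, match_blocks = parse_sshd_config(text)
    findings = []
    for key, allowed in ACCEPTED.items():
        effective = global_settings.get(key, DEFAULTS[key])
        if effective not in allowed:
            source = "set" if key in global_settings else "default"
            findings.append(("global", key, effective, source))
    for criteria, settings in match_blocks:
        for key, allowed in ACCEPTED.items():
            if key in settings and settings[key] not in allowed:
                findings.append(("Match " + criteria, key, settings[key], "set"))
    return findings


if __name__ == "__main__":
    for scope, key, value, source in audit(WEAK_CONFIG):
        print(f"{scope}: {key} = {value} ({source})")
```

A finding marked "default" means the keyword is missing and the server falls back to a value that permits password logins, which a search for "PasswordAuthentication yes" alone would not reveal.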

Infrastructure Security at the Application Layer in Cloud Computing

Pre-requisite: Cloud Computing

Designing and implementing applications that will be deployed on a cloud platform
requires re-evaluating the current practices and standards of existing application
security programs. Applications range from standalone single-user
applications to sophisticated multi-user e-commerce applications used by millions of
customers. A large number of organizations also develop custom-built web applications
for their business.

Since the browser is the end-user client for accessing cloud applications, it is
important for application security programs to include browser security in the scope of
application security. Combined, application and browser security determine the end-to-end
cloud security that helps in protecting the confidentiality, integrity, and availability
of information on the cloud services.

Security Threats at the Application Level

• Existing threats to web applications may exploit well-known vulnerabilities,
including XSS (cross-site scripting), SQL injection, malicious file execution, and
other vulnerabilities resulting from programming errors and design flaws.
• Hackers exploit the various vulnerabilities that they have discovered
for various illegal activities, including financial fraud, cyber-bullying, and
converting trusted websites into malicious servers using phishing scams. Thus,
all web applications are at risk of security defects, from insufficient validation to
logic errors.
• Organizations that use the public cloud should have a combination of security
controls and network- and host-based access controls to protect web
applications.
• Web applications that are deployed on the public cloud are at a higher threat
level, as they are exploited by hackers to support fraudulent and illegal activities.
Threat models for web applications that are deployed on the public cloud must
be designed with internet security embedded into the
SDLC (Software Development Lifecycle).

DoS and EDoS
DoS (Denial of Service) and EDoS (Economic Denial of Sustainability) are attacks
that can disrupt cloud services. DoS attacks at the application layer can take the form of
high-volume page reloads, XML web services requests, or protocol-specific requests
supported by a cloud service. These malicious requests arrive mixed with legitimate traffic.
Hence, it is difficult to filter this traffic without impacting the service, and the
result is a poor user experience.

These attacks also have more impact on the cloud service budget of the organization: as
the cloud has a pay-as-you-go structure for using different cloud services,
the attack increases network bandwidth, CPU and storage consumption.
This attack is known as economic denial of sustainability (EDoS), as it
impacts the organization economically.

Security of End User


The customers of cloud services are responsible for ensuring end-user security. They
have to perform tasks such as:

• Performing the security procedures for protecting the Internet-connected PC and
ensuring “safe browsing”, that is, not using malicious web applications; websites
that do not have HTTPS certification are not reliable.
• Protection includes the use of security software, like anti-malware,
antivirus, personal firewalls, security patches, and IPS-type software on your
Internet-connected computer. Most browsers have software vulnerabilities that
make them vulnerable to end-user security attacks.

Hence, to achieve end-to-end security in a cloud, the end user should always have an
updated browser, as in these updates the developer fixes the vulnerabilities by patching
them.

Web Application Security in the Cloud


1. Both the cloud service provider (CSP) and the customers are responsible for
maintaining security in the cloud. This responsibility depends on the cloud service
delivery model (SaaS, PaaS, IaaS) and the service level agreement (SLA).
2. Customers do not have expertise in the area of software vulnerabilities in
the cloud service, which prevents them from managing the operational risk that
might come from those vulnerabilities.
3. The cloud service provider (CSP) often treats its software as proprietary,
which makes it difficult for security researchers to analyze the software for
bugs and flaws (except where it operates on open source software). Due to
this, customers are dependent on their service provider to secure their
applications from any new vulnerability that can affect the confidentiality,
integrity, or availability of their applications.

Application Level Security in Software as a Service (SaaS)
In the SaaS model, the service provider generally manages the entire application of the
customer; hence, it is the provider’s responsibility to secure the customers’ applications.
Customers are responsible for user and access management and operational security
functions. Generally, customers request information from the service provider about
the various security aspects of their application, including design, architecture,
development, black-box and white-box application security testing, and release
management.

The security controls available for managing the risks to information are offered by the
cloud service providers in the form of a web-based administration user interface tool for
managing the access control and authentication of the application.

The customers of the cloud should have knowledge of access control management in
the cloud for authentication and privilege management based on the roles of the user
and take the required steps for protecting the applications. Generally, SaaS providers
invest in software security and practice security assurance as a part of the SDLC
phases.

Application Level Security in Platform as a Service(PaaS)


Platform as a Service (PaaS) cloud service providers are responsible for securing the
software platform, including the runtime engine that runs the customer’s application.
As PaaS applications can use third-party applications, components, or web services,
the third-party application providers are also responsible for securing their
services.

Generally, the PaaS platform uses a sandbox architecture in a multi-tenant computing
model. As a result of this sandbox characteristic, the platform runtime engines
centrally maintain the confidentiality and integrity of applications that are deployed in the
PaaS.

The cloud service providers are responsible for bugs and vulnerabilities that might
be used to exploit the PaaS platform and break out of the sandbox architecture. Network and
host security is also the responsibility of Platform as a Service (PaaS) cloud providers.

Why is data security important?

Data security is the practice of protecting digital information from unauthorized access, corruption, or theft
throughout its entire lifecycle. It’s a concept that encompasses every aspect of information security from the
physical security of hardware and storage devices to administrative and access controls, as well as the logical
security of software applications. It also includes organizational policies and procedures.

When properly implemented, robust data security strategies will protect an organization’s information assets
against cybercriminal activities, but they also guard against insider threats and human error, which remains
among the leading causes of data breaches today. Data security involves deploying tools and technologies
that enhance the organization’s visibility into where its critical data resides and how it is used. Ideally, these
tools should be able to apply protections like encryption, data masking, and redaction of sensitive files, and
should automate reporting to streamline audits and adhering to regulatory requirements.

Business challenges
Digital transformation is profoundly altering every aspect of how today’s businesses operate and compete.
The sheer volume of data that enterprises create, manipulate, and store is growing, and drives a greater need
for data governance. In addition, computing environments are more complex than they once were, routinely
spanning the public cloud, the enterprise data center, and numerous edge devices ranging from Internet of
Things (IoT) sensors to robots and remote servers. This complexity creates an expanded attack surface that’s
more challenging to monitor and secure.
At the same time, consumer awareness of the importance of data privacy is on the rise. Fueled by increasing
public demand for data protection initiatives, multiple new privacy regulations have recently been enacted,
including Europe’s General Data Protection Regulation (GDPR) and the California Consumer Protection Act
(CCPA). These rules join longstanding data security provisions like the Health Insurance Portability and
Accountability Act (HIPAA), protecting electronic health records, and the Sarbanes-Oxley Act (SOX),
protecting shareholders in public companies from accounting errors and financial fraud. With maximum
fines in the millions of dollars, every enterprise has a strong financial incentive to ensure it maintains
compliance.
The business value of data has never been greater than it is today. The loss of trade secrets or intellectual
property (IP) can impact future innovations and profitability. So, trustworthiness is increasingly important to
consumers, with a full 75% reporting that they will not purchase from companies they don’t trust to protect
their
Types of data security

Encryption
Using an algorithm to transform normal text characters into an unreadable format, encryption keys scramble
data so that only authorized users can read it.  File and database encryption solutions serve as a final line of
defense for sensitive volumes by obscuring their contents through encryption or tokenization. Most solutions
also include security key management capabilities.

Data Erasure
More secure than standard data wiping, data erasure uses software to completely overwrite data on any
storage device. It verifies that the data is unrecoverable.
 
Data Masking
By masking data, organizations can allow teams to develop applications or train people using real data. It
masks personally identifiable information (PII) where necessary so that development can occur in
environments that are compliant.

Data Resiliency

Resiliency is determined by how well an organization endures or recovers from any type of failure – from
hardware problems to power shortages and other events that affect data availability. Speed of
recovery is critical to minimize impact.
Data security strategies

A comprehensive data security strategy incorporates people, processes, and technologies. Establishing
appropriate controls and policies is as much a question of organizational culture as it is of deploying the right
tool set. This means making information security a priority across all areas of the enterprise.

Physical security of servers and user devices


Regardless of whether your data is stored on-premises, in a corporate data center, or in the public cloud, you
need to ensure that facilities are secured against intruders and have adequate fire suppression measures and
climate controls in place. A cloud provider will assume responsibility for these protective measures on your
behalf.

Access management and controls


The principle of “least-privilege access” should be followed throughout your entire IT environment. This
means granting database, network, and administrative account access to as few people as possible, and only
those who absolutely need it to get their jobs done.


Application security and patching


All software should be updated to the latest version as soon as possible after patches or new versions are
released.

Backups
Maintaining usable, thoroughly tested backup copies of all critical data is a core component of any robust
data security strategy. In addition, all backups should be subject to the same physical and logical security
controls that govern access to the primary databases and core systems.


Employee education
Training employees in the importance of good security practices and password hygiene and teaching them to
recognize social engineering attacks transforms them into a “human firewall” that can play a critical role in
safeguarding your data.

Network and endpoint security monitoring and controls


Implementing a comprehensive suite of threat management, detection, and response tools and platforms
across your on-premises environment and cloud platforms can mitigate risks and reduce the probability of a
breach.

7 Privacy Challenges in Cloud Computing


Cloud computing is a widely discussed topic today, drawing interest from all fields, be it
research, academia, or the IT industry. It has suddenly become a hot topic at
international conferences and other forums throughout the world. The spike
in job opportunities is attributed to the huge amounts of data being processed and stored on
servers. The cloud paradigm revolves around convenience and the easy provision
of a huge pool of shared computing resources.

The rapid development of the cloud has led to more flexibility, cost-cutting, and
scalability of products, but it also faces an enormous number of privacy and security
challenges. Since it is a relatively new concept and is evolving day by day, there are
undiscovered security issues that creep up and need to be taken care of as soon as they are
discovered. Here we discuss the top 7 privacy challenges encountered in cloud
computing:
1. Data Confidentiality Issues
Confidentiality of the user’s data is an important issue to consider when
outsourcing extremely delicate and sensitive data to the cloud service
provider. Personal data should be made unreachable to users who do not have proper
authorization to access it, and one way of ensuring that confidentiality is the
use of strict access control policies and regulations. The lack of trust between the
users and cloud service providers or the cloud database service provider regarding the
data is a major security concern and holds back a lot of people from using cloud
services.
2. Data Loss Issues
Data loss or data theft is one of the major security challenges that cloud providers
face. If a cloud vendor has reported loss or theft of critical or sensitive
data in the past, more than sixty percent of users would decline to use the
cloud services provided by that vendor. Outages of cloud services are seen very
frequently, even at firms such as Dropbox, Microsoft, Amazon, etc., which in
turn results in an absence of trust in these services during a critical time. Also, it is quite
easy for an attacker to gain access to multiple storage units even if only a single one is
compromised.
3. Geographical Data Storage Issues
Since the cloud infrastructure is distributed across different geographical locations
spread throughout the world, the user’s data is often stored in a
location outside the user’s legal jurisdiction. This raises concerns about whether
local law enforcement and regulations can reach data that is stored outside
their region. Moreover, users fear that local laws can be violated, because the dynamic
nature of the cloud makes it very difficult to designate a specific server to be used
for trans-border data transmission.
4. Multi-Tenancy Security Issues
Multi-tenancy is a paradigm built on sharing computational
resources, data storage, applications, and services among different tenants, all
hosted on the same logical or physical platform at the cloud service provider’s
premises. With this approach the provider can maximize profits, but it puts the
customer at risk. Attackers can take undue advantage of this co-residence
and launch various attacks against their co-tenants, which can result in
several privacy challenges.
5. Transparency Issues
In cloud computing security, transparency means the willingness of a cloud service
provider to reveal details and characteristics of its security preparedness.
Some of these details cover policies and regulations on security, privacy, and
service level. In addition to willingness and disposition, when assessing
transparency it is important to consider how reachable the security readiness data and
information actually are. However many security facts about an
organization are at hand, if they are not presented in an organized and easily
understandable way for cloud service users and auditors, the transparency of the
organization will still be rated relatively low.

6. Hypervisor Related Issues
Virtualization means the logical abstraction of computing resources from physical
restrictions and constraints. But this poses new challenges for factors like user
authentication, accounting, and authorization. The hypervisor manages multiple virtual
machines and therefore becomes a target for adversaries. Unlike physical
devices, which are independent of one another, virtual machines in the cloud usually
reside on a single physical device that is managed by the same hypervisor. The
compromise of the hypervisor will hence put multiple virtual machines at risk. Moreover,
the newness of hypervisor technology, which includes isolation, security hardening,
access control, etc., provides adversaries with new ways to exploit the system.
7. Managerial Issues
Cloud privacy challenges have not only technical aspects but also non-technical
and managerial ones. Implementing a technical solution to a problem or a
product and then not managing it properly is eventually bound to introduce vulnerabilities.
Some examples are lack of control, security and privacy management for virtualization,
developing comprehensive service level agreements, going through cloud service
vendor and user negotiations, etc.

Security Issues in Cloud Computing


In this section, we give an overview of cloud computing and why it is needed, and focus
mainly on the security issues in cloud computing. Let’s discuss them one by one.

Cloud Computing :
Cloud computing is a type of technology that provides remote services over the internet
to manage, access, and store data rather than storing it on servers or local drives. This
technology is also known as serverless technology. Here the data can be anything, such as
images, audio, video, documents, files, etc.

Need of Cloud Computing :
Before cloud computing, most IT companies, large and small, used
traditional methods, i.e. they stored data on a server and needed a separate server room
for that. That server room had to hold a database server, mail server, firewalls,
routers, modems, high-speed network devices, etc., and IT companies had to spend lots
of money on it. Cloud computing came into
existence to reduce these cost problems, and most companies shifted to this technology.

Security Issues in Cloud Computing : 


There is no doubt that cloud computing provides various advantages, but there are also
some security issues in cloud computing. Some of these security issues are listed
below.

1. Data Loss –
Data loss is one of the issues faced in cloud computing. This is also known as
data leakage. Our sensitive data is in the hands of somebody
else, and we don’t have full control over our database. So, if the security of the
cloud service is broken by hackers, they may
get access to our sensitive data or personal files.
 
2. Interference of Hackers and Insecure APIs –
When we talk about the cloud and its services, we are
talking about the Internet. The easiest way to communicate
with the cloud is through an API, so it is important to protect the interfaces and APIs
that are used by external users. In cloud computing, a few services
are also available in the public domain. These are the vulnerable part of cloud
computing, because they may be accessed by
third parties. So, with the help of these services,
hackers may be able to hack or harm our data.
 
3. User Account Hijacking –
Account hijacking is the most serious security issue in cloud computing. If
the account of a user or an organization is somehow hijacked by a hacker, then
the hacker has full authority to perform unauthorized activities.
 
4. Changing Service Provider –
Vendor lock-in is also an important security issue in cloud computing. Many
organizations face problems when shifting from one vendor to
another. For example, an organization that wants to shift from AWS
Cloud to Google Cloud Services faces problems such as migrating
all its data, and because the two cloud services use different techniques and functions,
it faces problems there as well. The
charges of AWS may also differ from those of Google Cloud, etc.
 
5. Lack of Skill –
Day-to-day work, shifting to another service provider, needing an extra feature, and knowing how
to use a feature are the main problems for an IT company that doesn’t
have skilled employees. So working with cloud computing requires skilled
people.
 
6. Denial of Service (DoS) attack –
This type of attack occurs when the system receives too much traffic. DoS attacks
mostly hit large organizations such as those in the banking sector,
government sector, etc. When a DoS attack occurs, data is lost, and
recovering it takes a great amount of money as well as time.

Issues in cloud computing 
One of the most difficult areas today is the cloud. The core of the issue is the nature of
the cloud, and the biggest problem that follows is the way personal data is processed in
the cloud with no visibility into what is happening to the data. Given below are
some of the issues that can arise while using a cloud computing service.
Data privacy and security
When diving into the benefits of cloud computing, one shouldn’t overlook the security
issues that come along with it. The concern arises when we start moving
applications and sensitive data to a shared cloud environment. The data transmitted is
exposed to data breaches and unauthorized third-party access. The fluid nature of cloud
computing lacks a regulatory framework, and sometimes it isn’t easy to match the
privacy standards of various jurisdictions. The cloud service provider here has
control over your data, and the consumer has to accept the ‘reasonable’ security
standards it provides. ‘Reasonable’ could mean any cybersecurity
standard like ISO/IEC 27001 and 27002, ISO/IEC 15408, and other national and
industry-specific standards.
Government interception 
Data stored in the cloud is either encrypted or unencrypted. Data encryption is
currently the only method ensured by the cloud service provider to protect data and
keep it confidential, as discussed in the next segment. Even in the unencrypted
method, the service provider uses two keys, i.e., public and private. While the public key
can make data available to everyone, the private key is meant to protect it from non-private access.

Now, the question is whether there is any window that gives access to the Government
or its agencies. In most cases, possibilities are open for the Government to look into
the data even if the data is encrypted. There are vulnerabilities built in by the service
provider itself, which allow the Government to get into data for purposes of law
enforcement and inspection.

• For instance, AWS, in their Data Privacy FAQ, specifies that they will disclose
customer content if they are required to do so to comply with the law or a
Government order. They are using this provision to build the backdoor for
government authorities.
In India, Section 69 of the Information Technology Act mandates a person in charge of
computer resources to extend all possible support to the law enforcement agencies.
Such lawful interference stretches to any information stored in the computer device
regardless of what computer resources’ attributes are.

Data loss
One of the major issues one can face in cloud services is data loss. Even though the
data is not physically stored on a local hard drive, it is stored somewhere in a physical
location and can be susceptible to the same failures as a hard drive. Data loss is
possible in cloud computing: even though it is structured to keep data
protected, it remains exposed to technology failure or human error.

The question is who is responsible for such loss. The cloud service provider follows the
Shared Responsibility Model, which means that the service provider may be responsible
for the security “of” the cloud whereas the consumer will be responsible for what’s stored
“in” the cloud. Shared responsibility means that the service provider is
responsible for providing data security via its infrastructure. The consumer, on the other
hand, is responsible for the data stored there. The cloud service provider is there solely
to provide sufficient protection, but the consumer has to handle the service’s
configuration. This means that in the event of data loss, the service provider won’t take
responsibility for compensating for such loss. Moreover, the end-user or the company’s
client will not blame the service provider for their data loss because they entrusted their
data to the company and not the cloud provider.
Fixed contracts
In most cases, the cloud computing contracts (SLA) have fixed terms and leave little or
no room for negotiation. However, if the cloud service provider is a small service
provider, the customer may have a chance to negotiate the terms of the contract. The
flexibility of the agreement also depends on the cloud service model the customer is
opting for.
Third-party dependency 
Cloud computing service providers may become dependent on third-party vendors to
provide their services effectively. This indicates that if the third-party vendor fails to
provide their services to cloud computing service providers or if there arises a conflict
between the two parties (the vendor and cloud service provider), the consumer may face
a potential risk of losing their data. 

Note that cloud service providers, in most cases, do not hold themselves
responsible for failures in third-party vendor performance. Apart from failure on the
vendors’ end, the cloud service provider can terminate the agreement if its relationship
with the vendor is affected. This will adversely affect a business whose data is
stored in the cloud. Therefore, customers are regularly urged to allocate the potential risk of
failure arising from such dependency.

Multiple jurisdictions
Jurisdiction issues are mostly associated with the location of data and the governing law at
that locality. Data stored in the cloud is spread across multiple jurisdictions, resulting
in multiple jurisdictional claims over the data and conflicts of laws on the same subject
matter. Jurisdictions like Russia and the EU have strict data localization laws that
allow providers to process their citizens’ data only if they comply completely with
those localization laws. Localization of data, or data residency, restricts the storage of data
to within the country’s borders. India, on the other hand, provides for extra-territorial
jurisdiction. The service provider sets out the subject matter related to jurisdiction and
governing laws in its SLAs.

Jurisdiction also comes into question when the cloud service provider subcontracts
with other service providers to leverage their services. In such a scenario, it becomes
even more challenging to determine the actual jurisdiction of the cloud where data is
stored.

Regulations 
1. The first and foremost comprehensive law for regulating and
protecting personal data is the EU’s GDPR. The GDPR places equal liability on
data controllers as well as data processors (such as cloud providers, SaaS
vendors, payroll service providers). All the organizations providing cloud
services have begun to comply with the terms of the GDPR.
2. In 2009 the European Union Agency for Cybersecurity came up with a cloud
computing Risk Assessment that acknowledged the upcoming security risks of the
cloud computing business model. The assessment is accompanied by practical
recommendations, widely referred to by E.U. members and outside the E.U.
3. The issue of cloud security and privacy has been addressed by the E.U. and the
United States collectively. International Safe Harbor Privacy Principles,
formulated by the E.U. and U.S.A., which is now known as the Privacy Shield
Framework, allows only those entities in the U.S. which comply with the E.U.
data protection. Even though the Privacy Shield is no longer a valid mechanism
(after GDPR advent) for data transfer, the data privacy requirements in the
Privacy Shield are still very relevant and valid.
4. In India, cloud computing has no recognition under any specific regulation.
Still, it is regulated indirectly under the Information Technology Act, 2000 (the
“Act”) and the Information Technology (Reasonable security practices and
procedures and sensitive personal data or information) Rules 2011 (“Rules”).

5. Section 43A of the Act and the IT Rules 2011 provide guidelines for bodies
corporate that own sensitive data to maintain proper security practices to
secure personal and sensitive data or information of the consumer. The Act and
the Rules set out a regulatory framework for creating, collecting, storing, and
processing data stored in an electronic device. Cloud computing service
providers have to comply with the provisions given in the Rules.
6. In addition to the Act and Rules, service providers using cloud computing in
the banking and insurance sector are subject to specific restrictions. Cloud
service providers in India may also be required to comply with the Information
Technology (Intermediaries Guidelines) Rules 2011 prescribed under the Act.
7. In 2019 a Personal Data Protection Bill (PDP) was tabled in the Parliament, the
first comprehensive Act that ensures privacy and security of data of Indian
citizens. The Bill is similar to the EU’s GDPR, which is the most stringent
security and privacy law today.

Identity and Access Management (IAM)


Fine-grained access control and visibility for centrally managing cloud resources.
IAM provides tools to manage resource permissions with minimum fuss and high automation.
Map job functions within your company to groups and roles. Users get access only to what they
need to get the job done, and admins can easily grant default permissions to entire groups of
users.

Identity and Access Management


In a recent study by Verizon, 63% of confirmed data breaches were due to
weak, stolen, or default passwords. There is a saying in the cybersecurity world
that goes like this: “No matter how good your chain is, it’s only as strong as your weakest
link.” Hackers use exactly these weakest links in the organization to infiltrate it. They
usually use phishing attacks to get in, and if they get at least one
person to fall for it, it’s a serious turn of events from there on. They use the stolen
credentials to plant back doors, install malware or exfiltrate confidential data, all of
which will cause serious losses for an organization.

Identity and Access
Management (IAM) is a combination of policies and technologies that allows
organizations to identify users and provide the right form of access as and when
required. There has been a burst of new applications in the market, and the
need for organizations to use these applications has increased drastically. The
services and resources you want to access can be specified in IAM. IAM doesn’t
provide any replica or backup. IAM can be used for many purposes, such as
controlling individual and group access to your AWS resources. With
IAM policies, managing permissions for your workforce and systems to ensure
least-privilege permissions becomes easier. AWS IAM is a global service.

Components of IAM

• Users
• Roles
• Groups
• Policies

These new applications, created across cloud, mobile and on-premises environments, can
hold sensitive and regulated information. It’s no longer acceptable or feasible to just
create an identity server and provide access based on requests. Today an
organization should be able to track the flow of information and provide least-privileged
access as and when required. With a large workforce and new applications
being added every day, that becomes quite difficult. So organizations
concentrate specifically on managing identity and access with the help of a few IAM
tools. It is very difficult for a single tool to manage everything, but
there are multiple IAM tools in the market that help organizations with some of the
services given below.

Services By IAM

• Identity management
• Access management
• Federation
• RBAC/EM
• Multi-Factor authentication
• Access governance
• Customer IAM
• API Security
• IDaaS – Identity as a service
• Granular permissions
• Privileged Identity management – PIM (PAM or PIM is the same)
What is access control?
Access control in cloud computing refers to the ability to restrict access to information stored on
the cloud. This allows companies to ensure their information is secured and helps minimize risk.
Access control is done through authentication processes, which can include passwords, PINs, and
multi-factor authentication. There are also various types of access control an organization can implement
to authorize verified employees to access company resources;
authorization can be restricted depending on factors like one’s role, attributes, and more.

Access control is a security technique that regulates who or what can view or use resources in a
computing environment. It is a fundamental concept in security that minimizes risk to the business or
organization.

There are two types of access control: physical and logical. Physical access control limits access to
campuses, buildings, rooms and physical IT assets. Logical access control limits connections to
computer networks, system files and data.

To secure a facility, organizations use electronic access control systems that rely on user credentials,
access card readers, auditing and reports to track employee access to restricted business locations
and proprietary areas, such as data centers. Some of these systems incorporate access control panels
to restrict entry to rooms and buildings, as well as alarms and lockdown capabilities, to prevent
unauthorized access or operations.

Logical access control systems perform identification, authentication and authorization of users and
entities by evaluating required login credentials that can include passwords, personal identification
numbers, biometric scans, security tokens or other authentication factors. Multifactor authentication
(MFA), which requires two or more authentication factors, is often an important part of a layered
defense to protect access control systems.

Why is access control important?

The goal of access control is to minimize the security risk of unauthorized access to physical and logical systems.
Access control is a fundamental component of security compliance programs that ensures security technology and
access control policies are in place to protect confidential information, such as customer data. Most organizations
have infrastructure and procedures that limit access to networks, computer systems, applications, files and
sensitive data, such as personally identifiable information and intellectual property.

Access control systems are complex and can be challenging to manage in dynamic IT environments that involve
on-premises systems and cloud services. After high-profile breaches, technology vendors have shifted away
from single sign-on systems to unified access management, which offers access controls for on-premises and
cloud environments.

How access control works

Access controls identify an individual or entity, verify the person or application is who or what it claims to be,
and authorize the access level and set of actions associated with the username or IP address. Directory services
and protocols, including Lightweight Directory Access Protocol and Security Assertion Markup Language,
provide access controls for authenticating and authorizing users and entities and enabling them to connect to
computer resources, such as distributed applications and web servers.

Organizations use different access control models depending on their compliance requirements and the security
levels of IT they are trying to protect.

Types of access control

The main models of access control are the following:

• Mandatory access control (MAC). This is a security model in which access rights are
regulated by a central authority based on multiple levels of security. Often used in
government and military environments, classifications are assigned to system resources and
the operating system or security kernel. MAC grants or denies access to resource objects
based on the information security clearance of the user or device. For example,
Security-Enhanced Linux is an implementation of MAC on Linux.
• Discretionary access control (DAC). This is an access control method in which owners or
administrators of the protected system, data or resource set the policies defining who or
what is authorized to access the resource. Many of these systems enable administrators to
limit the propagation of access rights. A common criticism of DAC systems is a lack of
centralized control.
• Role-based access control (RBAC). This is a widely used access control mechanism that
restricts access to computer resources based on individuals or groups with defined business
functions -- e.g., executive level, engineer level 1, etc. -- rather than the identities of
individual users. The role-based security model relies on a complex structure of role
assignments, role authorizations and role permissions developed using role engineering to
regulate employee access to systems. RBAC systems can be used to enforce MAC and
DAC frameworks.
• Rule-based access control. This is a security model in which the system administrator
defines the rules that govern access to resource objects. These rules are often based on
conditions, such as time of day or location. It is not uncommon to use some form of both
rule-based access control and RBAC to enforce access policies and procedures.
• Attribute-based access control. This is a methodology that manages access rights by
evaluating a set of rules, policies and relationships using the attributes of users, systems
and environmental conditions.
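
The combination the list mentions, RBAC narrowed by rule-based conditions on time of day and location, can be expressed as one default-deny authorization check. This is an added example, not code from the original page; every role, user, resource and rule in it is constructed for illustration.

```python
from dataclasses import dataclass
from datetime import time

# Constructed sample data: every name below is hypothetical.
# RBAC: permissions attach to roles (business functions), never to individual users.
ROLE_PERMISSIONS = {
    "engineer-l1": {("build-logs", "read")},
    "db-admin": {("customer-db", "read"), ("customer-db", "write")},
    "auditor": {("customer-db", "read"), ("build-logs", "read")},
}
USER_ROLES = {
    "alice": {"db-admin"},
    "bob": {"engineer-l1"},
    "carol": {"auditor", "engineer-l1"},
}


@dataclass(frozen=True)
class Rule:
    """Rule-based condition that narrows an RBAC grant for one permission."""
    resource: str
    action: str
    earliest: time
    latest: time
    locations: frozenset


# Writes to the customer database are allowed only in office hours from known networks.
RULES = [
    Rule("customer-db", "write", time(8, 0), time(18, 0), frozenset({"office", "vpn"})),
]


@dataclass(frozen=True)
class Request:
    user: str
    resource: str
    action: str
    at: time
    location: str


def authorize(req):
    """Return (allowed, reason). Anything not explicitly granted is denied."""
    wanted = (req.resource, req.action)
    roles = USER_ROLES.get(req.user, set())
    granting = sorted(r for r in roles if wanted in ROLE_PERMISSIONS.get(r, set()))
    if not granting:
        return False, "no role grants this permission"
    # A role grant is necessary but not sufficient: matching rules must also pass.
    for rule in RULES:
        if (rule.resource, rule.action) != wanted:
            continue
        if not rule.earliest <= req.at <= rule.latest:
            return False, "outside permitted hours"
        if req.location not in rule.locations:
            return False, "location not permitted"
    return True, "granted via role " + granting[0]


def effective_permissions(user):
    """Union of permissions over a user's roles: the input to a least-privilege review."""
    perms = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return sorted(perms)


if __name__ == "__main__":
    samples = [
        Request("alice", "customer-db", "write", time(10, 30), "office"),
        Request("alice", "customer-db", "write", time(23, 0), "office"),
        Request("alice", "customer-db", "write", time(10, 30), "cafe-wifi"),
        Request("carol", "customer-db", "write", time(10, 30), "office"),
        Request("mallory", "customer-db", "read", time(10, 30), "office"),
    ]
    for req in samples:
        print(req.user, req.action, req.resource, "->", authorize(req))
    print("carol:", effective_permissions("carol"))
```

The denial reasons are worth logging as they are: a run of "outside permitted hours" or "location not permitted" results for one account is a useful signal for the monitoring described earlier.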

Cloud Authentication Methods and Issues Faced


There are multiple methods to authenticate cloud users and many issues that come along with these methods.

Cloud computing is helping businesses to store a large amount of data at relatively low costs but it is
essential these service providers offer methods to ensure users are authenticated.
There are multiple authentication techniques in cloud computing suited for different applications and use
cases when it comes to the cloud. The best cloud authentication method depends on your preferences but
each is a supported method.

Cloud Authentication Methods

• API Keys
This method doesn’t require client libraries and is transparent to the user. It identifies the project
by creating a strong association between a key and a project. API keys are less secure as they are vulnerable
to man-in-the-middle attacks. Because they don’t require a client library, API keys can easily be added to
any HTTP call as a query parameter or in a header.

• Firebase Authentication
This type of authentication provides backend services, app SDKs, and libraries to authenticate users to a
mobile or web app. It authenticates users with a variety of credentials, such as Google, Facebook,
Twitter or GitHub. The Firebase authentication method uses a client library to sign a JSON Web Token
(JWT) with a private key after the user has successfully signed in. The method then validates, through a
proxy, that the JWT was signed by Firebase and that the issuer matches the setting in the API configuration.

• Auth0 Authentication
This method not only authenticates and authorizes apps and APIs, it is also stack, device, and identity
agnostic. It supports several providers and the Security Assertion Markup Language specification.
Much like Firebase Authentication, it also provides backend services, SDKs and user interface
libraries for authenticating users in web and mobile apps. Also like Firebase Authentication, it
validates that the JWT was signed and that the issuer matches the API configuration.

• Google Authentication
This authentication method allows users to authenticate by signing in with their Google account. Once the
user is authenticated, they have access to all Google services and a Google ID token can be used to make
calls to Google APIs and Cloud Endpoints APIs. This method also verifies that the JWT was signed by
Google and that the issuer is listed in the API configuration.

• Google Authorization and Service Accounts
With this method, a JWT can be generated and signed using a service account and a Google-provided client
library for a Google Cloud Platform project. This method uses the public key to validate a Google-signed
JWT and to ensure that Google is listed as the issuer in the API configuration. For this method, Google ID
tokens are recommended for service accounts because the API producer only needs to whitelist Google as an
issuer for all service accounts.
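
The validation the JWT-based methods above describe (check the signature, then check that the issuer matches the API configuration) looks like this on the API side. This is an added example, not code from the original page or from any provider's library: HMAC-SHA256 from the standard library stands in for the provider's private-key signature so the block runs offline, and the key, issuer, audience, clock and tokens are all constructed.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for this example; none come from a real provider.
DEMO_KEY = b"constructed-demo-key"
EXPECTED_ISSUER = "https://issuer.example"   # the issuer listed in the API configuration
EXPECTED_AUDIENCE = "example-api"
NOW = 1_700_000_000                          # fixed clock so results are reproducible


class TokenRejected(Exception):
    """Carries the reason a token failed validation."""


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(header, claims, key=DEMO_KEY):
    """Issuer side: sign 'header.payload' (HMAC stands in for the private-key signature)."""
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(tag)


def validate_token(token, key=DEMO_KEY, now=NOW):
    """API side: return the claims only if every check passes."""
    if not token.isascii() or token.count(".") != 2:
        raise TokenRejected("malformed token")
    header_b64, payload_b64, sig_b64 = token.split(".")
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:
        raise TokenRejected("malformed token")
    # Pin the algorithm: the token must not choose how it gets verified ("alg": "none").
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenRejected("unexpected algorithm")
    signed = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        raise TokenRejected("bad signature")
    # Only now is the payload trusted enough to parse and inspect.
    try:
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:
        raise TokenRejected("malformed token")
    if not isinstance(claims, dict):
        raise TokenRejected("malformed token")
    if claims.get("iss") != EXPECTED_ISSUER:
        raise TokenRejected("issuer not allowed")
    audience = claims.get("aud")
    if EXPECTED_AUDIENCE not in (audience if isinstance(audience, list) else [audience]):
        raise TokenRejected("wrong audience")
    expiry = claims.get("exp")
    if isinstance(expiry, bool) or not isinstance(expiry, (int, float)) or now >= expiry:
        raise TokenRejected("expired or missing exp")
    return claims


def verdict(token):
    """Summarise the outcome as a log-friendly string."""
    try:
        return "accepted: " + str(validate_token(token).get("sub"))
    except TokenRejected as err:
        return "rejected: " + str(err)


def sample_tokens():
    """Constructed tokens: one valid, the rest each failing a different check."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": "user-123", "exp": NOW + 300}
    good = make_token(header, claims)
    head, _, sig = good.split(".")
    edited = b64url_encode(json.dumps(dict(claims, sub="admin")).encode("utf-8"))
    return {
        "valid": good,
        "other issuer": make_token(header, dict(claims, iss="https://other.example")),
        "wrong key": make_token(header, claims, key=b"some-other-key"),
        "payload edited": head + "." + edited + "." + sig,
        "alg none": make_token({"alg": "none"}, claims).rsplit(".", 1)[0] + ".",
        "expired": make_token(header, dict(claims, exp=NOW - 1)),
    }


if __name__ == "__main__":
    for name, token in sample_tokens().items():
        print(name, "->", verdict(token))
```

With a real provider the HMAC step is replaced by verification against the provider's published public key, while the ordering stays the same: pin the algorithm, verify the signature, and only then read issuer, audience and expiry.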

Cloud Computing Authentication Issues
• Privacy Issues
• Lack of Transparency
• Security Issues
• The Possibility of Exploitation of the Authentication Mechanism
• Different Authentication Technologies Present Challenges to Customers
When it comes to cloud computing, service providers require customers to store their account information in
the cloud, giving service providers access to this information. For many customers, this presents a privacy
issue. The lack of transparency in the cloud makes it difficult for customers to ensure the proper
rules are enforced. Customers using multiple cloud services have more copies of their information out there
in the cloud. This causes security issues for customers and cloud service providers. Multiple copies of
accounts lead to multiple authentication processes and provide the possibility to exploit the authentication
mechanism. Cloud service providers use different authentication technologies for authenticating users, and
while this has less of an impact on SaaS than on PaaS and IaaS, it presents challenges to customers.

The main purpose of authentication in cloud computing is to assure users that their projects and
information are safe and available when they need them. While there are still a few issues that keep cloud
service providers from performing authentication without any challenges or security fears, it is
important to remember just how new cloud computing is and the amount of room it has for progress.

CLOUD CONTRACTING MODELS

Licensing Agreements Versus Services Agreements

Summary of Terms of a License Agreement.

A traditional software license agreement is used when a licensor is providing a copy of
software to a licensee for its use (which is usually non-exclusive). This copy is not being sold or
transferred to the licensee, but a physical copy is being conveyed to the licensee. The software
license is important because it sets forth the terms under which the software may be used by the
licensee. The license protects the licensor against the inadvertent transfer of ownership of the
software to the person or company that holds the copy. It also provides a mechanism for the
licensor of the software to (among other things) retrieve the copy it provided to the licensee in the
event that the licensee (a) stops complying with the terms of the license agreement or (b) stops
paying the fee the licensee charges for the license.

Summary of Terms of a Service Agreement.

A service agreement, on the other hand, is not designed to protect against the perils of providing a
copy of software to a user. It is primarily designed to provide the terms under which a service can
be accessed or used by a customer. The service agreement may also set forth quality parameters
around which the service will be provided to the users.

Value of Using a Service Agreement in Cloud Arrangements

In each of the three permutations of cloud computing (SaaS, PaaS, and IaaS), the access to the
cloud-based technology is provided as a service to the cloud user. The control and access points
are provided by the cloud provider.

On-Line Agreements Versus Standard Contracts

There are two contracting models under which a cloud provider will grant access to its services.
The first, the on-line agreement, is a click wrap agreement with which a cloud user will be
presented before initially accessing the service. A click wrap is the agreement the user enters into
when he/she checks an “I Agree” box, or something similar at the initiation of the service
relationship. The agreement is not subject to negotiation and is generally thought to be a contract
of adhesion (i.e., a contract that heavily restricts one party while leaving the other relatively free
