cloud security
Cloud security, also known as cloud computing security, is the practice of protecting cloud-based data,
applications and infrastructure from cyber attacks and cyber threats.
Cybersecurity, of which cloud security is a subset, has the same goals. Where cloud security differs
from traditional cybersecurity is in the fact that administrators must secure assets that reside within a
third-party service provider's infrastructure.
As enterprise cloud adoption grows, business-critical applications and data migrate to trusted third-
party cloud service providers (CSPs). Most major CSPs offer standard cybersecurity tools with
monitoring and alerting functions as part of their service offerings, but in-house information technology
(IT) security staff may find these tools do not provide enough coverage, meaning there are
cybersecurity gaps between what is offered in the CSP's tools and what the enterprise requires. This
increases the risk of data theft and loss.
Because no organization or CSP can eliminate all security threats and vulnerabilities, business leaders
must balance the benefits of adopting cloud services with the level of data security risk their
organizations are willing to take.
Putting the right cloud security mechanisms and policies in place is critical to prevent breaches and
data loss, avoid noncompliance and fines, and maintain business continuity (BC).
A major benefit of the cloud is that it centralizes applications and data and centralizes the security of
those applications and data as well. Eliminating the need for dedicated hardware also reduces
organizations' cost and management needs, while increasing reliability, scalability and flexibility.
How cloud security works
1. Public cloud services are hosted by CSPs. These include software as a service (SaaS),
platform as a service (PaaS) and infrastructure as a service (IaaS).
2. Private clouds are hosted by or for a single organization.
3. Hybrid clouds include a mix of public and private clouds.
As a result, cloud security mechanisms take two forms: those supplied by CSPs and those
implemented by customers. It is important to note that handling of security is rarely the complete
responsibility of the CSP or the customer. It is usually a joint effort using a shared responsibility model.
Although not standardized, the shared responsibility model is a framework that outlines which security
tasks are the obligation of the CSP and which are the duty of the customer. Enterprises using cloud
services must be clear which security responsibilities they hand off to their provider(s) and which they
need to handle in-house to ensure they have no gaps in coverage.
Customers should always check with their CSPs to understand what the provider covers and what they
need to do themselves to protect the organization.
Many of the same tools used in on-premises environments should be used in the cloud, although
cloud-specific versions of them may exist. These tools and mechanisms include encryption, IAM and
single sign-on (SSO), data loss prevention (DLP), intrusion prevention and detection systems
(IPSes/IDSes) and public key infrastructure (PKI).
Cloud security posture management (CSPM). CSPM is a group of security products and
services that monitor cloud security and compliance issues and aim to combat cloud
misconfigurations, among other features.
Secure Access Service Edge (SASE) and zero-trust network access (ZTNA) are also emerging as two
popular cloud security models/frameworks.
Security as a service, often shortened to SaaS or SECaaS, is a subset of software as a service. The
Cloud Security Alliance (CSA) defined 10 SECaaS categories:
1. IAM
2. DLP
3. web security
4. email security
5. security assessments
6. intrusion management
7. security information and event management (SIEM)
8. encryption
9. BC/disaster recovery (BCDR)
10. network security
Common security threats to IT infrastructure
Cyber threats to technology infrastructure range from phishing attempts
and ransomware attacks to distributed denial of service (DDoS) exploits and Internet of
Things (IoT) botnets. Physical dangers include natural disasters such as fires and
floods, civil unrest, utility outages, and theft or vandalism of hardware assets. Any of
these have the potential to cause business disruption, damage an organization’s public
reputation, and have significant financial consequences.
Application
Outdated software can contain vulnerabilities that cyber attackers can exploit to gain
access to IT systems. Ensuring software and firmware updates are distributed and
applied across the enterprise network, known as patching, helps close security holes as
well as provide new functionality, performance improvements, and bug fixes for
enterprise applications.
Network
A firewall typically provides the first line of defense in network security. It serves as a
barrier between an enterprise’s trusted network and other untrusted networks, such as
public Wi-Fi. By monitoring incoming and outgoing network traffic based on a set of
rules, it only allows network traffic that has been defined in the security policy to access
resources on the trusted network. Multi-factor authentication (MFA) also protects the
enterprise network by requiring two or more forms of verification before allowing access
to network resources.
Physical
The most robust cyber protection cannot protect your technology assets from physical
theft, vandalism, or natural disasters. Data recovery plans that incorporate offsite
backups located in different geographies are also a part of a physical security strategy.
Infrastructure security deals with the threats, risks, and challenges that are
associated with the security of the organization’s IT infrastructure at the host,
network, and application levels. This approach is commonly used by security
practitioners, whereas non-IT security associates are advised not to equate
infrastructure security with access management’s infrastructure-as-a-service (IaaS)
security. Besides that, infrastructure security is more related to customers, as they
have ramifications with threat, risk, and compliance management.
For example, in Feb 2008 Pakistan Telecom declared a dummy route for YouTube to its
own telecommunication partner. The intention was to block YouTube within the country,
but the result was that YouTube’s services were affected globally for 2 hours.
Apart from misconfiguration, there are also deliberate attacks that can block
access to the data.
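An added example, not from the original page: a misannounced route like the one above can be caught by comparing observed route announcements with the origins expected for your own prefixes. The page does not give the mechanism; this sketch assumes the unintended route is a more-specific prefix that wins longest-prefix matching, and all prefixes, AS numbers and function names are constructed.

```python
import ipaddress

# Constructed data: the prefix we legitimately originate, and what a route
# collector reports seeing. AS numbers come from the documentation range.
EXPECTED_ORIGINS = {"10.65.152.0/22": 64496}
OBSERVED = [
    {"prefix": "10.65.152.0/22", "origin_asn": 64496},  # our own announcement
    {"prefix": "10.65.153.0/24", "origin_asn": 64511},  # unexpected more-specific
    {"prefix": "10.99.0.0/16", "origin_asn": 64500},    # unrelated network
]


def best_route(dest, routes):
    """Longest-prefix match: the most specific covering prefix carries the traffic."""
    addr = ipaddress.ip_address(dest)
    covering = [r for r in routes if addr in ipaddress.ip_network(r["prefix"])]
    if not covering:
        return None
    return max(covering, key=lambda r: ipaddress.ip_network(r["prefix"]).prefixlen)


def find_origin_conflicts(expected, observed):
    """Flag announcements inside our address space that come from another origin.

    Returns tuples of (announced prefix, origin AS, kind, our covering prefix).
    """
    alerts = []
    for ann in observed:
        net = ipaddress.ip_network(ann["prefix"])
        for own_prefix, own_asn in expected.items():
            own = ipaddress.ip_network(own_prefix)
            if net.version != own.version:
                continue  # subnet_of() raises TypeError across IP versions
            if net.subnet_of(own) and ann["origin_asn"] != own_asn:
                kind = "more-specific" if net.prefixlen > own.prefixlen else "same-prefix"
                alerts.append((ann["prefix"], ann["origin_asn"], kind, own_prefix))
    return alerts


if __name__ == "__main__":
    # Traffic for an address inside the /24 follows the unexpected origin,
    # while the rest of the /22 still reaches the legitimate one.
    for dest in ("10.65.153.10", "10.65.152.10"):
        print(dest, "-> AS", best_route(dest, OBSERVED)["origin_asn"])
    for alert in find_origin_conflicts(EXPECTED_ORIGINS, OBSERVED):
        print("ALERT", alert)
```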
4. Replace the Models Established in Network Zones and Tiers within the
Domains: The isolation model of network zones and tiers no longer exists in public
infrastructure-as-a-service and platform-as-a-service clouds. For years, network security
has relied on zones to segregate network traffic. This model was based on an
exclusion: only individuals and systems in specific roles have access to specific
zones. Similarly, systems within a specific tier often have access across a specific tier.
For example, systems within a presentation tier are not allowed to communicate
directly with systems in the database tier, but can communicate only with an authorized
system within the application zone.
In the established model of network zones and tiers, development systems are logically
separated from the production systems at the network level, but these two groups of
systems are also physically separated at the host level. However, this separation no
longer exists. The cloud computing model of separation by domains provides logical
separation for addressing purposes only.
Infrastructure Security at the Host Level in Cloud Computing
Pre-requisite: Cloud Computing
In this article, we’ll discuss infrastructure security at the host level in cloud
computing: first an introduction to the topic itself, then host security in the various
delivery models, namely Software as a Service (SaaS), Platform as a Service (PaaS) and
Infrastructure as a Service (IaaS), and finally virtual server security.
During the review process of host security and risk assessment, one should always
consider the context of the cloud service delivery models (IaaS, PaaS, and SaaS) and
the various deployment models (public, private, and hybrid). There are no new
security threats to hosts that are specific to cloud computing apart from the virtualization
security threats, such as virtual machine escape, system configuration drift, and insider threats.
The elastic nature of cloud computing can bring new operational challenges from a
security management perspective. Managing vulnerabilities and patches is therefore
tougher than running a scan, as the rate of change is much higher than in
traditional data centers.
In Software as a Service (SaaS), the abstraction layer is hidden from the users and
available only to the developers and the cloud service provider’s operational staff.
In Platform as a Service (PaaS), by contrast, users have indirect access to the
abstraction layer in the form of the PaaS API (application programming interface), which
eventually interacts with the host abstraction layer.
Thus, the customers of Software as a Service (SaaS) and Platform as a
Service (PaaS) rely on the cloud service providers to provide a secure host
platform on which the application is developed and deployed.
Infrastructure as a Service (IaaS) Host Security
The customers of Infrastructure as a Service (IaaS) are primarily responsible for
securing the hosts in the cloud. IaaS employs virtualization at the host layer, and
IaaS host security can be categorized as follows:
These system management functions can provide elasticity for resources to grow or
shrink according to demand. Network access mitigation steps should be taken to
restrict access to virtual instances, as the virtual servers are available to anyone on
the internet. Conventionally, the cloud service providers block all ports except port
22 (secure shell, or SSH) for accessing the virtual server instances.
Host Security Threats in the Public IaaS
Deployment of malware embedded in software components in the virtual machines.
Attacks on systems that are not properly secured by the host firewalls.
Attacks on accounts that are not properly secured, e.g. weak passwords, repetitive passwords, etc.
Stealing keys that will be used to access and manage hosts (SSH private keys).
Securing Virtual Servers
Securing the virtual servers in the cloud requires operational security procedures such as:
Safeguard the private keys, as they might be used to access hosts in the public cloud.
Never allow password-based authentication at the shell prompt.
Require passwords for role-based access, e.g. Solaris, SELinux.
The host firewall should open only the minimum ports necessary to support the services offered by the instances.
Disable the unused services and use only the required services, e.g. database services, FTP services, print services, etc.
Periodically check the logs for any kind of suspicious activity.
Isolate the decryption keys from the cloud where the data is hosted, unless required for decryption, and use them only for the duration of the decryption activity.
Include no authentication credentials in virtualized images except for a key to decrypt the file system.
Install a host-based intrusion detection system (IDS).
Protect the integrity of virtualized images from unauthorized access.
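Several items in the checklist above can be checked mechanically. The following added example (not from the original page) audits an sshd_config text for password-based login and a list of inbound firewall rules for ports beyond those the instance needs. The rule format, sample data and function names are assumptions, and Match blocks and Include files are not evaluated.

```python
import ipaddress

# OpenSSH built-in defaults, used when a keyword is absent from the file.
SSHD_DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitemptypasswords": "no",
    "pubkeyauthentication": "yes",
}
# Deprecated alias still found in older images.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# Constructed sample: an image default followed by a later hardening attempt.
SAMPLE_SSHD = """\
PasswordAuthentication yes
PubkeyAuthentication yes
ChallengeResponseAuthentication no
# appended later by a hardening script, but the first value already won
PasswordAuthentication no
"""

# Constructed inbound rules in a hypothetical, provider-neutral format.
SAMPLE_RULES = [
    {"proto": "tcp", "from_port": 22, "to_port": 22, "source": "198.51.100.0/24"},
    {"proto": "tcp", "from_port": 443, "to_port": 443, "source": "0.0.0.0/0"},
    {"proto": "tcp", "from_port": 21, "to_port": 21, "source": "0.0.0.0/0"},
    {"proto": "tcp", "from_port": 8000, "to_port": 8100, "source": "10.0.0.0/8"},
]


def effective_sshd_settings(config_text):
    """Global settings as sshd resolves them: the FIRST value of a keyword wins."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue  # blank line, comment, or keyword without a value
        key, value = parts[0].lower(), parts[1].strip().strip('"').lower()
        if key == "match":
            break  # conditional section starts; this sketch audits globals only
        seen.setdefault(ALIASES.get(key, key), value)
    return {k: seen.get(k, default) for k, default in SSHD_DEFAULTS.items()}


def audit_sshd(config_text):
    """Return findings for settings that still allow password-based login."""
    s = effective_sshd_settings(config_text)
    findings = []
    if s["passwordauthentication"] != "no":
        findings.append("password login is enabled (PasswordAuthentication)")
    if s["kbdinteractiveauthentication"] != "no":
        findings.append("keyboard-interactive is enabled; PAM can still ask for a password")
    if s["permitemptypasswords"] == "yes":
        findings.append("empty passwords are permitted")
    if s["pubkeyauthentication"] != "yes":
        findings.append("public-key login is disabled")
    return findings


def audit_inbound_rules(rules, needed_ports):
    """Return (port span, count of unneeded ports, source) for over-broad rules."""
    findings = []
    for rule in rules:
        opened = set(range(rule["from_port"], rule["to_port"] + 1))
        extra = opened - set(needed_ports)
        if not extra:
            continue
        # A /0 source means the ports are reachable from anywhere.
        world = ipaddress.ip_network(rule["source"]).prefixlen == 0
        span = (str(rule["from_port"]) if rule["from_port"] == rule["to_port"]
                else f'{rule["from_port"]}-{rule["to_port"]}')
        findings.append((span, len(extra), "any source" if world else rule["source"]))
    return findings


if __name__ == "__main__":
    for finding in audit_sshd(SAMPLE_SSHD):
        print("sshd:", finding)
    for finding in audit_inbound_rules(SAMPLE_RULES, needed_ports={22, 443}):
        print("firewall:", finding)
```

The sample shows why appending `PasswordAuthentication no` to an existing file is not enough: sshd keeps the first value it reads, so the earlier `yes` stays in effect.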
Designing and implementing applications that will be deployed on a cloud platform
requires re-evaluating the current practices and standards of existing application
security programs. Application security ranges from standalone single-user
applications to sophisticated multi-user e-commerce applications used by millions of
customers. A large number of organizations also develop custom-built web applications
for their business.
Since the browser is the end-user client for accessing cloud applications, it is
important for application security programs to include browser security in the scope of
application security. Combined, application and browser security determine the end-to-
end cloud security that helps protect the confidentiality, integrity, and availability
of information on the cloud services.
These attacks have more impact on the organization’s cloud service budget because
the cloud uses a pay-as-you-go structure for its different services; therefore,
network bandwidth, CPU and storage consumption increase. This attack is primarily
known as economic denial of sustainability (EDoS), as it impacts the organization
economically.
Protection includes the use of security software, like anti-malware,
antivirus, personal firewalls, security patches, and IPS-type software on your
Internet-connected computer. Most browsers have software vulnerabilities that
make them vulnerable to end-user security attacks.
Hence, to achieve end-to-end security in a cloud, the end user should always have an
updated browser, as in these updates the developer closes the vulnerabilities by patching
them.
The security controls available for managing the risks to information are offered by the
cloud service providers in the form of a web-based administration user interface tool for
managing the access control and authentication of the application.
The customers of the cloud should have knowledge of access control management in
the cloud for authentication and privilege management based on the roles of the user,
and take the required steps for protecting the applications. Generally, SaaS providers
invest in software security and practice security assurance as a part of the SDLC
phases.
Generally, the PaaS platform uses a sandbox architecture in a multi-tenant computing
model. As a result of this sandbox characteristic, the platform runtime engines
centrally maintain the confidentiality and integrity of applications that are deployed in the
PaaS.
The cloud service providers are responsible for bugs and vulnerabilities that might
be exploited to attack the PaaS platform and break out of the sandbox architecture. Network
and host security is also the responsibility of platform as a service (PaaS) cloud providers.
Why is data security important?
Data security is the practice of protecting digital information from unauthorized access, corruption, or theft
throughout its entire lifecycle. It’s a concept that encompasses every aspect of information security from the
physical security of hardware and storage devices to administrative and access controls, as well as the logical
security of software applications. It also includes organizational policies and procedures.
When properly implemented, robust data security strategies will protect an organization’s information assets
against cybercriminal activities, but they also guard against insider threats and human error, which remains
among the leading causes of data breaches today. Data security involves deploying tools and technologies
that enhance the organization’s visibility into where its critical data resides and how it is used. Ideally, these
tools should be able to apply protections like encryption, data masking, and redaction of sensitive files, and
should automate reporting to streamline audits and adherence to regulatory requirements.
Business challenges
Digital transformation is profoundly altering every aspect of how today’s businesses operate and compete.
The sheer volume of data that enterprises create, manipulate, and store is growing, and drives a greater need
for data governance. In addition, computing environments are more complex than they once were, routinely
spanning the public cloud, the enterprise data center, and numerous edge devices ranging from Internet of
Things (IoT) sensors to robots and remote servers. This complexity creates an expanded attack surface that’s
more challenging to monitor and secure.
At the same time, consumer awareness of the importance of data privacy is on the rise. Fueled by increasing
public demand for data protection initiatives, multiple new privacy regulations have recently been enacted,
including Europe’s General Data Protection Regulation (GDPR) and the California Consumer Protection Act
(CCPA). These rules join longstanding data security provisions like the Health Insurance Portability and
Accountability Act (HIPAA), protecting electronic health records, and the Sarbanes-Oxley Act (SOX),
protecting shareholders in public companies from accounting errors and financial fraud. With maximum
fines in the millions of dollars, every enterprise has a strong financial incentive to ensure it maintains
compliance.
The business value of data has never been greater than it is today. The loss of trade secrets or intellectual
property (IP) can impact future innovations and profitability. So, trustworthiness is increasingly important to
consumers, with a full 75% reporting that they will not purchase from companies they don’t trust to protect
their
Types of data security
Encryption
Using an algorithm to transform normal text characters into an unreadable format, encryption keys scramble
data so that only authorized users can read it. File and database encryption solutions serve as a final line of
defense for sensitive volumes by obscuring their contents through encryption or tokenization. Most solutions
also include security key management capabilities.
Data Erasure
More secure than standard data wiping, data erasure uses software to completely overwrite data on any
storage device. It verifies that the data is unrecoverable.
Data Masking
By masking data, organizations can allow teams to develop applications or train people using real data. It
masks personally identifiable information (PII) where necessary so that development can occur in
environments that are compliant.
Data Resiliency
Resiliency is determined by how well an organization endures or recovers from any type of failure – from
hardware problems to power shortages and other events that affect data availability. Speed of
recovery is critical to minimize impact.
Data security strategies
A comprehensive data security strategy incorporates people, processes, and technologies. Establishing
appropriate controls and policies is as much a question of organizational culture as it is of deploying the right
tool set. This means making information security a priority across all areas of the enterprise.
those who absolutely need it to get their jobs done.
Backups
Maintaining usable, thoroughly tested backup copies of all critical data is a core component of any robust
data security strategy. In addition, all backups should be subject to the same physical and logical security
controls that govern access to the primary databases and core systems.
Employee education
Training employees in the importance of good security practices and password hygiene and teaching them to
recognize social engineering attacks transforms them into a “human firewall” that can play a critical role in
safeguarding your data.
The rapid development of the cloud has led to more flexibility, cost-cutting, and
scalability of products but also faces an enormous amount of privacy and security
challenges. Since it is a relatively new concept and is evolving day by day, there are
undiscovered security issues that creep up and need to be taken care of as soon as
discovered. Here we discuss the top 7 privacy challenges encountered in cloud
computing:
1. Data Confidentiality Issues
Confidentiality of the user’s data is an important issue to be considered when
externalizing and outsourcing extremely delicate and sensitive data to the cloud service
provider. Personal data should be made unreachable to users who do not have proper
authorization to access it, and one way of ensuring that confidentiality is the
use of strict access control policies and regulations. The lack of trust between the
users and cloud service providers or the cloud database service provider regarding the
data is a major security concern and holds back a lot of people from using cloud
services.
2. Data Loss Issues
Data loss or data theft is one of the major security challenges that the cloud providers
face. If a cloud vendor has reported data loss or data theft of critical or sensitive
material data in the past, more than sixty percent of the users would decline to use the
cloud services provided by the vendor. Outages of the cloud services are very
frequently visible even from firms such as Dropbox, Microsoft, Amazon, etc., which in
turn results in an absence of trust in these services during a critical time. Also, it is quite
easy for an attacker to gain access to multiple storage units even if a single one is
compromised.
3. Geographical Data Storage Issues
Since the cloud infrastructure is distributed across different geographical locations
spread throughout the world, it is often possible that the user’s data is stored in a
location that is outside the legal jurisdiction, which leads to the user’s concerns about the
legal accessibility of local law enforcement and regulations on data that is stored out of
their region. Moreover, the user fears that local laws can be violated, because the dynamic
nature of the cloud makes it very difficult to designate a specific server that is to be used
for trans-border data transmission.
4. Multi-Tenancy Security Issues
Multi-tenancy is a paradigm that follows the concept of sharing computational
resources, data storage, applications, and services among different tenants. This is
then hosted by the same logical or physical platform at the cloud service provider’s
premises. While following this approach, the provider can maximize profits but puts the
customer at a risk. Attackers can take undue advantage of the multi-residence
opportunities and can launch various attacks against their co-tenants which can result in
several privacy challenges.
5. Transparency Issues
In cloud computing security, transparency means the willingness of a cloud service
provider to reveal different details and characteristics of its security preparedness.
Some of these details comprise policies and regulations on security, privacy, and
service level. In addition to the willingness and disposition, when calculating
transparency, it is important to notice how reachable the security readiness data and
information actually are. The extent to which the security facts about an
organization are at hand will not matter if they are not presented in an organized and
easily understandable way for cloud service users and auditors; the transparency of the
organization can then also be rated relatively small.
6. Hypervisor Related Issues
Virtualization means the logical abstraction of computing resources from physical
restrictions and constraints. But this poses new challenges for factors like user
authentication, accounting, and authorization. The hypervisor manages multiple Virtual
Machines and therefore becomes the target of adversaries. Different from the physical
devices that are independent of one another, Virtual Machines in the cloud usually
reside in a single physical device that is managed by the same hypervisor. The
compromise of the hypervisor will hence put various virtual machines at risk. Moreover,
the newness of the hypervisor technology, which includes isolation, security hardening,
access control, etc. provides adversaries with new ways to exploit the system.
7. Managerial Issues
Cloud privacy challenges have not only technical aspects but also non-technical
and managerial ones. Implementing a technical solution to a problem or a
product and not managing it properly is eventually bound to introduce vulnerabilities.
Some examples are lack of control, security and privacy management for virtualization,
developing comprehensive service level agreements, going through cloud service
vendor and user negotiations, etc.
Cloud Computing:
Cloud computing is a type of technology that provides remote services on the internet
to manage, access, and store data rather than storing it on servers or local drives. This
technology is also known as serverless technology. Here the data can be anything, like
images, audio, video, documents, files, etc.
Need for Cloud Computing:
Before cloud computing, most large as well as small IT companies used
traditional methods, i.e. they stored data on a server, and they needed a separate server room
for that. In that server room, there had to be a database server, mail server, firewalls,
routers, modems, high net speed devices, etc. For that, IT companies had to spend lots
of money. To reduce these cost problems, cloud computing came into
existence, and most companies shifted to this technology.
1. Data Loss –
Data loss is one of the issues faced in cloud computing. This is also known as
data leakage. Our sensitive data is in the hands of somebody
else, and we don’t have full control over our database. So, if the security of the
cloud service is broken by hackers, it may be possible that hackers will
get access to our sensitive data or personal files.
2. Interference of Hackers and Insecure APIs –
When we talk about the cloud and its services, we are
talking about the Internet. The easiest way to communicate
with the cloud is through an API, so it is important to protect the interfaces and APIs
that are used by external users. In cloud computing, a few services
are also available in the public domain. These are the vulnerable part of cloud
computing, because it may be possible that these services are accessed by
some third parties. So, it may be possible that with the help of these services
hackers can easily hack or harm our data.
3. User Account Hijacking –
Account hijacking is the most serious security issue in cloud computing. If
the account of a user or an organization is somehow hijacked by a hacker, then
the hacker has full authority to perform unauthorized activities.
4. Changing Service Provider –
Vendor lock-in is also an important security issue in cloud computing. Many
organizations will face different problems while shifting from one vendor to
another. For example, if an organization wants to shift from AWS
Cloud to Google Cloud Services, it faces various problems such as shifting
all its data. Both cloud services also have different techniques and functions, so
the organization faces problems regarding that as well. It may also be possible that the
charges of AWS are different from Google Cloud, etc.
5. Lack of Skill –
Working with the cloud, shifting to another service provider, needing an extra feature,
not knowing how to use a feature, etc. are the main problems in an IT company that doesn’t
have skilled employees. So it requires a skilled person to work with cloud
computing.
6. Denial of Service (DoS) attack –
This type of attack occurs when the system receives too much traffic. Mostly
DoS attacks occur in large organizations such as the banking sector,
government sector, etc. When a DoS attack occurs, data is lost. So, in order to
recover data, it requires a great amount of money as well as time to handle it.
Issues in cloud computing
One of the most difficult areas today is the cloud. The core of the issue is the nature of
the cloud and the biggest problem that follows is the way personal data is processed in
the cloud having no visibility as to what is happening with the data. Given below are
some of the issues that can arise while utilizing cloud computing service.
Data privacy and security
When diving into the benefits of cloud computing, one shouldn’t overlook the security
issues that come along with it. The concern comes to attention when we start sharing
applications and sensitive data in a shared cloud environment. The data transmitted are
exposed to data breaches and unauthorized third-party access. The fluid nature of cloud
computing lacks a regulatory framework, and sometimes it isn’t easy to match the
privacy standards of various jurisdictions. The cloud service provider in this case has
control over your data, and the consumer has to adhere to the ‘reasonable’ security
standards they provide. When talking about ‘reasonable,’ it could be any cybersecurity
standard like ISO/IEC 27001 and 27002, ISO/IEC 15408, and other national and industry-
specific standards.
Government interception
Data stored in the cloud are either encrypted or unencrypted. Data encryption is
currently the only method ensured by the cloud service provider to protect data and
keep it confidential, which is discussed in the next segment. Even in the unencrypted
method, the service provider uses two keys, i.e., public and private. While the public key
can enable data to everyone, the private key is meant to protect from non-private access.
Now, the question is whether there is any window that gives access to the Government
or its agencies. In most cases, there are possibilities open for the Government to look into
the data even if the data is encrypted. There are vulnerabilities built by the service
provider itself, which allow the Government to get into data for any purpose of law
enforcement and inspection.
For instance, AWS, in their Data Privacy FAQ, specifies that they will disclose
customer content if they are required to do so to comply with the law or
Government’s order. They are using this provision to build the backdoor for
government authorities.
In India, Section 69 of the Information Technology Act mandates a person in charge of
computer resources to extend all possible support to the law enforcement agencies.
Such lawful interference stretches to any information stored in the computer device
regardless of what computer resources’ attributes are.
Data loss
One of the major issues one could have in cloud services is data loss. Even though the
data is not physically stored on a local hard drive, it is stored somewhere in a physical
location and can be susceptible to the same failures as a hard drive. Data loss is
possible in cloud computing even though it is structured in a way to keep the data
protected; it can still suffer technology failure or human error.
The question is, who is responsible for such loss? The cloud service provider follows the
Shared Responsibility Model, which means that the service provider may be responsible
for the security “of” the cloud whereas the consumer will be responsible for what’s stored
“in” the cloud. The shared responsibility suggests that the service provider will be
responsible for providing data security via their infrastructure. The consumer, on the other
hand, is responsible for the data stored there. The cloud service provider is solely there
to provide sufficient protection, but the consumer has to handle the service’s
configuration. This means that in the event of data loss, the service provider won’t take
responsibility for compensating for such loss. Moreover, the end-user or the company’s
client will not blame the service provider for their data loss because they entrusted their
data to the company and not the cloud provider.
Fixed contracts
In most cases, the cloud computing contracts (SLA) have fixed terms and leave little or
no room for negotiation. However, if the cloud service provider is a small service
provider, the customer may have a chance to negotiate the terms of the contract. The
flexibility of the agreement also depends on the cloud service model the customer is
opting for.
Third-party dependency
Cloud computing service providers may become dependent on third-party vendors to
provide their services effectively. This indicates that if the third-party vendor fails to
provide their services to cloud computing service providers or if there arises a conflict
between the two parties (the vendor and cloud service provider), the consumer may face
a potential risk of losing their data.
Note that cloud service providers, in most cases, do not hold themselves
responsible for the failure in third-party vendor performance. Apart from failure on the
vendors’ end, the cloud service provider can terminate the agreement if the relationship
with the vendor gets affected. This will adversely affect one’s business, whose data is
stored in the cloud. Therefore, it is periodically pushed to allocate the potential risk that
can cause failure from such dependency.
Multiple jurisdictions
Jurisdiction issues are mostly associated with the location of data and the governing law of
that locality. Data stored in the cloud is spread across multiple jurisdictions, resulting
in multiple jurisdictional claims over the data and conflicts of law on the same subject
matter. Russia and the EU, for example, have strict data localization laws that
allow providers to process their citizens’ data only if they comply completely with
those laws. Localization of data, or data residency, restricts the storage of data
to within the country’s borders. India, on the other hand, provides for extra-territorial
jurisdiction. The service provider sets out the terms on jurisdiction and
governing law in its SLAs.
Jurisdiction also comes into question when the cloud service provider subcontracts
with other service providers to leverage their services. In such a scenario, it becomes
even more challenging to determine the actual jurisdiction of the cloud where the data is
stored.
Regulations
1. The foremost comprehensive law for regulating and
protecting personal data is the EU’s GDPR. The GDPR places equal liability on
data controllers and data processors (such as cloud providers, SaaS
vendors and payroll service providers). All organizations providing cloud
services have begun to comply with the terms of the GDPR.
2. In 2009, the European Union Agency for Cybersecurity came up with a cloud
computing Risk Assessment that acknowledged the upcoming security risks of the cloud
computing business model. The assessment is accompanied by practical
recommendations that are widely referred to by E.U. members and outside the E.U.
3. The issue of cloud security and privacy has been addressed by the E.U. and the
United States collectively. The International Safe Harbor Privacy Principles,
formulated by the E.U. and the U.S.A. and now known as the Privacy Shield
Framework, allow only those entities in the U.S. which comply with E.U.
data protection. Even though the Privacy Shield is no longer a valid mechanism
(after the advent of the GDPR) for data transfer, the data privacy requirements in the
Privacy Shield are still very relevant and valid.
4. In India, cloud computing has no recognition under any specific regulation.
Still, it is regulated indirectly under the Information Technology Act, 2000 (the
“Act”) and Information Technology (Reasonable security practices and
procedures and sensitive personal data or information) Rule 2011 (“Rules”).
5. Section 43A of the Act and the IT Rules 2011 provide guidelines for body
corporations who own sensitive data to maintain proper security practices to
secure personal and sensitive data or information of the consumer. The Act and
the Rules set out a regulatory framework for creating, collecting, storing and
processing data stored in an electronic device. Cloud computing service
providers have to comply with the provisions given in the Rules.
6. In addition to the Act and Rules, the service provider using cloud computing in
the banking and insurance sector is subject to specific confinements. Cloud
service providers in India may also be required to comply with the Information
Technology (Intermediaries Guidelines) Rules 2011 prescribed under the Act.
7. In 2019 a Personal Data Protection Bill (PDP) was tabled in the Parliament, the
first comprehensive Act that ensures privacy and security of data of Indian
citizens. The Bill is similar to that of the EU’s GDPR, which is the most stringent
security and privacy law today.
Components of IAM
Users
Roles
Groups
Policies
New applications created for the cloud, mobile and on-premises environments can
hold sensitive and regulated information. It is no longer acceptable or feasible to just
create an identity server and provide access based on requests. An
organization should be able to track the flow of information and provide least-privileged
access as and when required. With a large workforce and new applications
being added every day, this becomes quite difficult, so organizations
concentrate on managing identity and access with the help of a few IAM
tools. It is very difficult for a single tool to manage everything, but
there are multiple IAM tools on the market that help organizations with any of the
services given below.
Services By IAM
IAM
Identity management
Access management
Federation
RBAC/EM
Multi-Factor authentication
Access governance
Customer IAM
API Security
IDaaS – Identity as a service
Granular permissions
Privileged Identity management – PIM (PAM or PIM is the same)
What is access control?
Access Control in Cloud Computing refers to the ability to restrict access to information stored on
the cloud. This allows companies to ensure their information is secured and helps minimize risk.
Access Control is done through authentication processes which can include passwords, PINs, and
multi-factor authentications. There are also various types of Access Control that can be implemented
at an organization which authorize the verified employees to access company resources;
authorization to access can be restricted depending on factors like one’s role, attributes, and more.
Access control is a security technique that regulates who or what can view or use resources in a
computing environment. It is a fundamental concept in security that minimizes risk to the business or
organization.
There are two types of access control: physical and logical. Physical access control limits access to
campuses, buildings, rooms and physical IT assets. Logical access control limits connections to
computer networks, system files and data.
To secure a facility, organizations use electronic access control systems that rely on user credentials,
access card readers, auditing and reports to track employee access to restricted business locations
and proprietary areas, such as data centers. Some of these systems incorporate access control panels
to restrict entry to rooms and buildings, as well as alarms and lockdown capabilities, to prevent
unauthorized access or operations.
The goal of access control is to minimize the security risk of unauthorized access to physical and logical systems.
Access control is a fundamental component of security compliance programs that ensures security technology and
access control policies are in place to protect confidential information, such as customer data. Most organizations
have infrastructure and procedures that limit access to networks, computer systems, applications, files and
sensitive data, such as personally identifiable information and intellectual property.
Access control systems are complex and can be challenging to manage in dynamic IT environments that involve
on-premises systems and cloud services. After high-profile breaches, technology vendors have shifted away
from single sign-on systems to unified access management, which offers access controls for on-premises and
cloud environments.
How access control works
Access controls identify an individual or entity, verify the person or application is who or what it claims to be,
and authorize the access level and set of actions associated with the username or IP address. Directory services
and protocols, including Lightweight Directory Access Protocol and Security Assertion Markup Language,
provide access controls for authenticating and authorizing users and entities and enabling them to connect to
computer resources, such as distributed applications and web servers.
Organizations use different access control models depending on their compliance requirements and the security
levels of IT they are trying to protect.
Cloud computing is helping businesses to store a large amount of data at relatively low costs but it is
essential these service providers offer methods to ensure users are authenticated.
There are multiple authentication techniques in cloud computing suited for different applications and use
cases when it comes to the cloud. The best cloud authentication method depends on your preferences but
each is a supported method.
API Keys
This method doesn’t require client libraries and is transparent to the user. It identifies the project
by creating a strong association between a key and a project. API keys are less secure because they are vulnerable
to man-in-the-middle attacks. Because they don’t require a client library, API keys can easily be added to any
HTTP call as a query parameter or in the header.
Firebase Authentication
This type of authentication provides backend services, app SDKs, and libraries to authenticate users to a
mobile or web app. It authenticates users with a variety of credentials, such as Google, Facebook,
Twitter or GitHub. The Firebase authentication method uses a client library to sign a JSON Web Token
(JWT) with a private key after the user has successfully signed in. It then validates, through a proxy,
that the JWT was signed by Firebase and that the issuer matches the setting in the API configuration.
Auth0 Authentication
This method not only authenticates and authorizes apps and APIs but is also stack, device, and identity
agnostic. It supports several providers and the Security Assertion Markup Language specification.
Much like Firebase Authentication, this method also provides backend services, SDKs and user interface
libraries for authenticating users in web and mobile apps. Also like Firebase Authentication, it
validates that the JWT was signed and that the issuer matches the API configuration.
Google Authentication
This authentication method allows users to authenticate by signing in with their Google account. Once the
user is authenticated, they have access to all Google services and a Google ID token can be used to make
calls to Google APIs and Cloud Endpoints APIs. This method also verifies that the JWT was signed by
Google and the issuer is listed on the API configuration.
Cloud Computing Authentication Issues
Privacy Issues
Lack of Transparency
Security Issues
The Possibility of Exploitation of the Authentication Mechanism
Different Authentication Technologies Present Challenges to Customers
When it comes to cloud computing, service providers require customers to store their account information in
the cloud, giving service providers access to this information. For many customers, this presents a privacy
issue. The lack of transparency in the cloud makes it difficult for customers to ensure the proper
rules are enforced. Customers using multiple cloud services have more copies of their information out there
in the cloud. This causes security issues for customers and cloud service providers. Multiple copies of
accounts lead to multiple authentication processes and provide the possibility to exploit the authentication
mechanism. Cloud service providers use different authentication technologies for authenticating users, and
while this has less of an impact on SaaS than on PaaS and IaaS, it presents challenges to customers.
The major importance of authentication in cloud computing is for users to ensure their projects and
information are safe and there when they need it. While there are still a few issues associated with cloud
service providers being able to perform authentication methods without any challenges or security fears, it is
important to remember just how new cloud computing is and the amount of room it has for progress.
A service agreement, on the other hand, is not designed to protect against the perils of providing a
copy of software to a user. It is primarily designed to provide the terms under which a service can
be accessed or used by a customer. The service agreement may also set forth quality parameters
around which the service will be provided to the users.
In each of the three permutations of cloud computing (SaaS, PaaS, and IaaS), the access to the
cloud-based technology is provided as a service to the cloud user. The control and access points
are provided by the cloud provider.
There are two contracting models under which a cloud provider will grant access to its services.
The first, the on-line agreement, is a click wrap agreement with which a cloud user will be
presented before initially accessing the service. A click wrap is the agreement the user enters into
when he/she checks an “I Agree” box, or something similar, at the initiation of the service
relationship. The agreement is not subject to negotiation and is generally thought to be a contract
of adhesion (i.e., a contract that heavily restricts one party while leaving the other relatively free