Cloud security fundamentals, Vulnerability assessment tool for cloud, Privacy

What is Cloud Security Assessment?

A cloud security assessment evaluates the security of cloud computing infrastructure, services,
applications, and data to identify potential risks and vulnerabilities. It involves using various security
testing methods and tools to assess the security posture of cloud systems and determine if the
security controls effectively protect against unauthorized access, data breaches, and other security
threats. Internal security teams or third-party security providers can conduct cloud security
assessments. The assessment can be done on a one-time basis or as part of an ongoing
monitoring and testing program to ensure the continuous security of cloud systems.
An assessment of cloud security typically focuses on the following key areas:
 Data security: Ensuring that data stored in the cloud is protected against unauthorized
access, loss, theft, or misuse. Security includes encryption, access controls, and other
precautions to guarantee that only authorized users access data.
 Identity and access management: Ensuring that users are authenticated and
authorized to access resources and data in the cloud environment. This includes using
robust passwords, multi-factor authentication, and access controls to guarantee that only
authorized individuals can access resources.
 Compliance: Assuring that the cloud environment complies with legal requirements and
industry standards, including PCI-DSS, HIPAA, and GDPR. This includes regular audits and
assessments to ensure that the cloud environment complies with relevant standards.
 Network security: Ensuring that the cloud environment is protected against network-
based attacks, such as Distributed Denial of Service (DDoS) attacks, by implementing
firewalls, intrusion detection and prevention systems, and other security measures.
 Application security: Ensuring that applications hosted in the cloud are secure against
attacks such as cross-site scripting (XSS) and SQL injection. This includes implementing
secure coding practices, vulnerability scanning, and penetration testing.
 Disaster recovery and business continuity: Ensuring that the cloud environment
can recover from disasters, such as natural disasters, cyberattacks, or human errors. This
includes implementing backup and recovery solutions and disaster recovery plans to ensure
business operations can continue during an interruption.
Benefits of a Cloud Security Assessment
There are several benefits of conducting a cloud security assessment, including:
 Identification of security vulnerabilities: A cloud security assessment can help
identify potential vulnerabilities in the cloud environment, including misconfigurations, access
control issues, and other security gaps. By identifying these vulnerabilities, organizations can
take steps to address them and reduce the risk of a security breach.
 Compliance with regulations and standards: Many industries and regulatory
bodies have specific security requirements for cloud environments. A cloud security
assessment can help identify areas where an organization may not comply with these
requirements, allowing them to take action to address any compliance gaps.
 Improved risk management: A cloud security assessment can provide organizations
with a better understanding of their overall security posture, allowing them to prioritize
security investments and strengthen risk management strategies.
 Increased confidence in the cloud environment: By conducting a cloud security
assessment, organizations can demonstrate to customers, partners, and other stakeholders
that they are taking security seriously and are committed to protecting sensitive data in the
cloud environment.
 Enhanced business continuity: A cloud security assessment can help identify
weaknesses in disaster recovery and business continuity plans, allowing organizations to
improve their ability to recover from a security breach or other interruption.
Key Steps to Performing a Cloud Security Assessment
Performing a cloud security assessment involves several key steps, including:
 Define the scope: Define the scope of the evaluation, including which cloud services and
applications will be included, the types of data being kept or processed, and the regulatory
requirements that must be taken into account.
 Identify risks and threats: Identify potential risks and threats to the cloud environment,
including unauthorized access, data breaches, and denial of service attacks. Consider both
internal and external threats and determine each threat’s likelihood and potential impact.
 Evaluate existing controls: Evaluate the effectiveness of existing security controls,
including access controls, data encryption, network security, and application security
measures. Identify any gaps or weaknesses in the existing controls that may need to be
addressed.
 Test the environment: Conduct penetration testing and vulnerability assessments to
identify any security vulnerabilities or weaknesses that may have been missed during the
initial risk assessment. Use tools like port scanners, vulnerability scanners, and penetration
testing frameworks to test the cloud environment’s security.
 Analyze results: Analyze the assessment results to identify any security gaps or
weaknesses that must be addressed. Prioritize the identified issues based on each issue’s
likelihood and potential impact and determine appropriate actions to address each identified
gap.
 Develop a remediation plan: Develop a remediation plan that outlines the actions
needed to address the identified security gaps or weaknesses. Assign responsibilities for
implementing the plan and establish a timeline for completion.
 Monitor and maintain: Monitor the cloud environment continuously to ensure that
security controls remain effective and to identify new risks or threats as they emerge.
Implement a process for regularly reviewing and updating the security posture of the cloud
environment.

Cloud Computing Security Architecture

Security in cloud computing is a major concern. Proxy and brokerage services should
be employed to restrict a client from accessing the shared data directly. Data in the
cloud should be stored in encrypted form.

Security Planning
Before deploying a particular resource to the cloud, one should need to analyze several
aspects of the resource, such as:

o A select resource needs to move to the cloud and analyze its sensitivity to risk.
o Consider cloud service models such as IaaS, PaaS,and These models require
the customer to be responsible for Security at different service levels.
o Consider the cloud type, such as public, private, community, or
o Understand the cloud service provider's system regarding data storage and its
transfer into and out of the cloud.
o The risk in cloud deployment mainly depends upon the service models and
cloud types.

Understanding Security of Cloud

Security Boundaries
The Cloud Security Alliance (CSA) stack model defines the boundaries between each
service model and shows how different functional units relate. A particular service
model defines the boundary between the service provider's responsibilities and the
customer. The following diagram shows the CSA stack model:
Key Points to CSA Model

o IaaS is the most basic level of service, with PaaS and SaaS next two above levels
of services.
o Moving upwards, each service inherits the capabilities and security concerns of
the model beneath.
o IaaS provides the infrastructure, PaaS provides the platform development
environment, and SaaS provides the operating environment.
o IaaS has the lowest integrated functionality and security level, while SaaS has
the highest.
o This model describes the security boundaries at which cloud service providers'
responsibilities end and customers' responsibilities begin.
o Any protection mechanism below the security limit must be built into the
system and maintained by the customer.

Although each service model has a security mechanism, security requirements also
depend on where these services are located, private, public, hybrid, or community
cloud.
Understanding data security
Since all data is transferred using the Internet, data security in the cloud is a major
concern. Here are the key mechanisms to protect the data.

o access control
o audit trail
o certification
o authority

The service model should include security mechanisms working in all of the above
areas.

Separate access to data

Since the data stored in the cloud can be accessed from anywhere, we need to have a
mechanism to isolate the data and protect it from the client's direct access.

Broker cloud storage is a way of separating storage in the Access Cloud. In this
approach, two services are created:

1. A broker has full access to the storage but does not have access to the client.
2. A proxy does not have access to storage but has access to both the client and
the broker.
3. Working on a Brocade cloud storage access system
4. When the client issues a request to access data:
5. The client data request goes to the external service interface of the proxy.
6. The proxy forwards the request to the broker.
7. The broker requests the data from the cloud storage system.
8. The cloud storage system returns the data to the broker.
9. The broker returns the data to the proxy.
10. Finally, the proxy sends the data to the client.

All the above steps are shown in the following diagram:

Encoding
Encryption helps to protect the data from being hacked. It protects the data being
transferred and the data stored in the cloud. Although encryption helps protect data
from unauthorized access, it does not prevent data loss.

Why is cloud security architecture important?

The difference between "cloud security" and "cloud security architecture" is that the
former is built from problem-specific measures while the latter is built from threats. A
cloud security architecture can reduce or eliminate the holes in Security that point-of-
solution approaches are almost certainly about to leave.

It does this by building down - defining threats starting with the users, moving to the
cloud environment and service provider, and then to the applications. Cloud security
architectures can also reduce redundancy in security measures, which will contribute
to threat mitigation and increase both capital and operating costs.
The cloud security architecture also organizes security measures, making them more
consistent and easier to implement, particularly during cloud deployments and
redeployments. Security is often destroyed because it is illogical or complex, and these
flaws can be identified with the proper cloud security architecture.

Elements of cloud security architecture

The best way to approach cloud security architecture is to start with a description of
the goals. The architecture has to address three things: an attack surface represented
by external access interfaces, a protected asset set that represents the information
being protected, and vectors designed to perform indirect attacks anywhere, including
in the cloud and attacks the system.

The goal of the cloud security architecture is accomplished through a series of

functional elements. These elements are often considered separately rather than part
of a coordinated architectural plan. It includes access security or access control,
network security, application security, contractual Security, and monitoring, sometimes
called service security. Finally, there is data protection, which are measures
implemented at the protected-asset level.

A complete cloud security architecture addresses the goals by unifying the functional
elements.

Cloud security architecture and shared responsibility model

The security and security architectures for the cloud are not single-player processes.
Most enterprises will keep a large portion of their IT workflow within their data centers,
local networks, and VPNs. The cloud adds additional players, so the cloud security
architecture should be part of a broader shared responsibility model.

A shared responsibility model is an architecture diagram and a contract form. It exists

formally between a cloud user and each cloud provider and network service provider
if they are contracted separately.

Each will divide the components of a cloud application into layers, with the top layer
being the responsibility of the customer and the lower layer being the responsibility
of the cloud provider. Each separate function or component of the application is
mapped to the appropriate layer depending on who provides it. The contract form
then describes how each party responds.

What are the Security Risks of Cloud

Computing
Cloud computing provides various advantages, such as improved collaboration,
excellent accessibility, Mobility, Storage capacity, etc. But there are also security risks
in cloud computing.

Some most common Security Risks of Cloud Computing are given below-

Data Loss
Data loss is the most common cloud security risks of cloud computing. It is also known
as data leakage. Data loss is the process in which data is being deleted, corrupted, and
unreadable by a user, software, or application. In a cloud computing environment, data
loss occurs when our sensitive data is somebody else's hands, one or more data
elements can not be utilized by the data owner, hard disk is not working properly, and
software is not updated.

Hacked Interfaces and Insecure APIs

As we all know, cloud computing is completely depends on Internet, so it is compulsory
to protect interfaces and APIs that are used by external users. APIs are the easiest way
to communicate with most of the cloud services. In cloud computing, few services are
available in the public domain. These services can be accessed by third parties, so there
may be a chance that these services easily harmed and hacked by hackers.

Data Breach
Data Breach is the process in which the confidential data is viewed, accessed, or stolen
by the third party without any authorization, so organization's data is hacked by the
hackers.

Vendor lock-in
Vendor lock-in is the of the biggest security risks in cloud computing. Organizations
may face problems when transferring their services from one vendor to another. As
different vendors provide different platforms, that can cause difficulty moving one
cloud to another.

Increased complexity strains IT staff

Migrating, integrating, and operating the cloud services is complex for the IT staff. IT
staff must require the extra capability and skills to manage, integrate, and maintain the
data to the cloud.

Spectre & Meltdown

Spectre & Meltdown allows programs to view and steal data which is currently
processed on computer. It can run on personal computers, mobile devices, and in the
cloud. It can store the password, your personal information such as images, emails,
and business documents in the memory of other running programs.

Denial of Service (DoS) attacks

Denial of service (DoS) attacks occur when the system receives too much traffic to
buffer the server. Mostly, DoS attackers target web servers of large organizations such
as banking sectors, media companies, and government organizations. To recover the
lost data, DoS attackers charge a great deal of time and money to handle the data.

Account hijacking
Account hijacking is a serious security risk in cloud computing. It is the process in which
individual user's or organization's cloud account (bank account, e-mail account, and
social media account) is stolen by hackers. The hackers use the stolen account to
perform unauthorized activities.

Is Virtualization a Security Risk?

Virtualization has some clear security advantages when compared to traditional
server infrastructure. These advantages include the improved availability that
comes with virtual machines (VMs), the isolation of these VMs from the
operating systems and physical hardware they run on, and the enhanced
security tools that come with most virtualization solutions.

However, this improved security posture doesn't mean that virtualization has no
security risks. The fact that many businesses employ this technology makes it a
valid target for hackers and other malicious actors.

It's safe to say that virtualization is no more (or less) of a security risk than other
parts of your information technology infrastructure, and with increased
adoption comes the need for awareness of the potential issues that IT
administrators may face.

8 Virtualization Security Issues and

Risks
1. VM Sprawl
Virtual machine sprawl is the uncontrolled spread of VMs created for specific
workloads and then abandoned after serving their purpose. This unchecked
proliferation can lead to VMs with sensitive information being compromised
because they are not being actively managed and updated.

2. Malware & Ransomware Attacks

Virtual machines are also susceptible to viruses, malware, and ransomware
attacks. These attacks can come from infected VM images or from users without
proper security training. Once a VM is infected, it can spread malware across the
entire virtual infrastructure without adequate isolation and security controls.

3. Network Configuration
There is a lot of work involved in managing multiple virtual machines, even with
a VM management solution like VMware vSphere. Making poor configuration
choices, like allowing file sharing between VMs, or leaving unused firewall ports
open could be all that's needed for a hacker to gain access to your virtual
infrastructure. This misconfiguration can also include the physical servers, which
can become a security risk without the latest security patches and firmware.

4. Access Controls
An attacker gaining access to your virtual infrastructure, whether via physically
accessing host servers or via a compromised user account on your management
platform, can cause a lot of damage to your systems.

5. Security of Offline Virtual Machines

Offline or offsite backups are an essential part of disaster recovery planning.
However, any VMs you back up offline are stuck with their security updates and
configurations from when they were last online. This lack of updates will make
such a VM a security risk to the rest of your virtual environment when it is time
to come back online.

6. Workloads with Different Trust Levels

Without proper security controls, it's easy to create a test server that should be
in a low trust zone, on the same physical hardware as a live production server
with sensitive information that requires a high trust zone.
 7. Hypervisor Security Controls
The hypervisor is the platform that makes it possible to run virtual machines.
Therefore, it can become a single point of failure for your entire virtual
infrastructure without proper security measures to mitigate the risk of attacks.

8. Cloud Service Provider APIs

For organizations that run a hybrid implementation involving public and private
cloud infrastructure, intrusion attempts via APIs from your cloud service
providers are a potential risk. These APIs are meant for effective communication
between your virtual environment and the cloud-hosted one, and if they are not
adequately secured, a data breach may occur.

Virtualization Security Best Practices

Now that we've outlined the potential risks that come with virtualization, it's time
we cover the ways to mitigate these risks effectively. Here are some steps you
can take to reduce your exposure to the security risks outlined above:

1. Create policies and procedures to govern the management of virtual machines

throughout their lifecycle, from creation to deletion. You can use a cybersecurity
framework as a guideline for these policies, but they must be adapted to suit
your organization's unique needs.
2. Be sure to enforce the encryption of all offline VM images and backups to
protect the confidentiality of the information stored on them and the integrity of
the images.
3. Implement access control systems for the physical environment where you host
your infrastructure and the hypervisor/VM management platform. Only
administrators and authorized users should have access.
4. Use a VM management solution, like VMware vSphere. These tools can
effectively maintain your entire virtual infrastructure to ensure proper resource
allocation for VMs, and automated installation of security patches and updates.
5. Implement a monitoring and logging system for all network traffic and VM
operations and regularly audit these logs to identify trends that may point to a
breach.
6. If your virtual environment involves an external cloud services provider (CSP),
ensure that your connection to CSP services is encrypted and uses a private
channel separate from regular Internet traffic.

Cloud Computing Vulnerabilities

When deciding to migrate to the cloud, we have to consider the following cloud
vulnerabilities
 Session riding: session riding happens when an attacker steals a user’s cookie to
use the application in the name of the user. An attacker might also use CSRF
attacks in order to trick the user into sending authenticated requests to arbitrary
web sites to achieve various things.
 Virtual Machine Escape: in virtualized environments, the physical servers run
multiple virtual machines on top of hypervisors. An attacker can exploit a
hypervisor remotely by using a vulnerability present in the hypervisor itself – such
vulnerabilities are quite rare, but they do exist. Additionally, a virtual machine can
escape from the virtualized sandbox environment and gain access to the
hypervisor and consequentially all the virtual machines running on it.
 Reliability and Availability of Service: we expect our cloud services and
applications to always be available when we need them, which is one of the
reasons for moving to the cloud. But this isn’t always the case, especially in a bad
weather with a lot of lightning where power outages are common.
 Insecure Cryptography: cryptography algorithms usually require random number
generators, which use unpredictable sources of information to generate actual
random numbers, which is required to obtain a large entropy pool. If the random
number generators are providing only a small entropy pool, the numbers can be
brute forced. In client computers, the primary source of randomization is user
mouse movement and key presses, but servers are mostly running without user
interaction, which consequentially means lower number of randomization sources.
Therefore the virtual machines must rely on the sources they have available, which
could result in easily guessable numbers that don’t provide much entropy in
cryptographic algorithms.
 Internet Dependency: by using the cloud services, we’re dependent upon the
Internet connection, so if the Internet temporarily fails due to a lightning strike or
ISP maintenance, the clients won’t be able to connect to the cloud services.
Therefore, the business will slowly lose money, because the users won’t be able to
use the service that’s required for the business operation. Not to mention the
services that need to be available 24/7, like applications in a hospital, where
human lives are at stake.
Cloud Computing Threats
Before deciding to migrate to the cloud, we have to look at the cloud security
vulnerabilities and threats to determine whether the cloud service is worth the risk due to
the many advantages it provides. The following are the top security threats in a cloud
environment [1, 2, 3]:
 Ease of Use: the cloud services can easily be used by malicious attackers, since a
registration process is very simple, because we only have to have a valid credit
card. In some cases we can even pay for the cloud service by using PayPal, Western
Union, Payza, Bitcoin, or Litecoin, in which cases we can stay totally anonymous.
 The cloud can be used maliciously for various purposes like spamming, malware
distribution, botnet C&C servers, DDoS, password/hash cracking, etc.
 Secure Data Transmission: when transferring the data from clients to the cloud,
the data needs to be transferred by using an encrypted secure communication
channel like SSL/TLS. This prevents different attacks like MITM attacks, where the
data could be stolen by an attacker intercepting our communication.
 Insecure APIs: various cloud services on the Internet are exposed by application
programming interfaces. Since the APIs are accessible from anywhere on the
Internet, malicious attackers can use them to compromise the confidentiality and
integrity of the enterprise customers. Therefore it’s imperative that cloud services
provide a secure API, rendering such attacks worthless.
 Malicious Insiders: employees working at cloud service provider could have
complete access to the company resources. Therefore cloud service providers
must have proper security measures in place to track employee actions like
viewing a customer’s data. Since cloud service provides often don’t follow the best
security guidelines and don’t implement a security policy, employees can gather
confidential information from arbitrary customers without being detected.
 Shared Technology Issues: the cloud service SaaS/PasS/IaaS providers use
scalable infrastructure to support multiple tenants which share the underlying
infrastructure. Directly on the hardware layer, there are hypervisors running
multiple virtual machines, themselves running multiple applications. On the
highest layer, there are various attacks on the SaaS where an attacker is able to get
access to the data of another application running in the same virtual machine. All
layers of shared technology can be attacked to gain unauthorized access to data,
like: CPU, RAM, hypervisors, applications, etc.
 Data Loss: the data stored in the cloud could be lost due to the hard drive failure. A
CSP could accidentally delete the data, an attacker might modify the data, etc.
Therefore, the best way to protect against data loss is by having a proper data
backup, which solves the data loss problems. Data loss can have catastrophic
consequences to the business, which may result in a business bankruptcy, which is
why keeping the data backed-up is always the best option.
 Data Breach: when a virtual machine is able to access the data from another
virtual machine on the same physical host, a data breach occurs – the problem is
much more prevalent when the tenants of the two virtual machines are different
customers. The side-channel attacks are valid attack vectors and need to be
addressed in everyday situations. A side-channel attack occurs when a virtual
machine can use a shared component like processor’s cache to access the data of
another virtual machine running on the same physical host.
 Account/Service Hijacking: it’s often the case that only a password is required to
access our account in the cloud and manipulate the data, which is why the usage
of two-factor authentication is preferred. Nevertheless, an attacker gaining access
to our account can manipulate and change the data and therefore make the data
 untrustworthy. An attacker having access to the cloud virtual machine hosting our
business website can include a malicious code into the web page to attack users
visiting our web page – this is known as the watering hole attack. An attacker can
also disrupt the service by turning off the web server serving our website,
rendering it inaccessible.
 Unknown Risk Profile: we have to take all security implications into account
when moving to the cloud, including constant software security updates,
monitoring networks with IDS/IPS systems, log monitoring, integrating SIEM into
the network, etc. There might be multiple attacks that haven’t even been
discovered yet, but they might prove to be highly threatening in the years to come.
 Denial of Service: an attacker can issue a denial of service attack against the cloud
service to render it inaccessible, therefore disrupting the service. There are a
number of ways an attacker can disrupt the service in a virtualized cloud
environment: by using all its CPU, RAM, disk space or network bandwidth.
 User Awareness: the users of the cloud services should be educated regarding
different attacks, because the weakest link is often the user itself. There are
multiple social engineering attack vectors that an attacker might use to lure the
victim into visiting a malicious web site, after which he can get access to the user’s
computer. From there, he can observe user actions and view the same data the
user is viewing, not to mention that he can steal user’s credentials to authenticate
to the cloud service itself.