
5.1 IoT Security:

Introduction

What Is IoT?
The concept of the Internet of Things (IoT) was introduced by Kevin Ashton, a
co-founder of the Auto-ID Center at MIT, in 1998. The vision is that objects (“things”) are
connected to each other and thereby they create IoT in which each object has its distinct identity
and can communicate with other objects. IoT objects can vary dramatically in size from a small
wearable device to a cruise ship.

IoT transforms ordinary products such as cars, buildings, and machines into smart,
connected objects that can communicate with people, applications and each other.
There are various definitions of IoT. The International Telecommunication Union
(ITU) defined the term Internet of Things as "Internet of Things will connect the world's
objects in both a sensory and intelligent manner". In 2014, the Joint Technical Committee of the
International Organization for Standardization (ISO) and the International Electrotechnical
Commission (IEC) defined IoT as “an infrastructure of interconnected objects, people, systems
and information resources together with intelligent services to allow them to process information
of the physical and the virtual world and react”. At the IoT reception layer, sensors placed within
devices, objects, and machinery collect, measure, and record information about the physical
environment, such as temperature, humidity, gas pressure, and motion. This information can be
read, integrated and analyzed at higher IoT layers. NIST uses two acronyms, IoT and NoT
(Network of Things). IoT is considered a subset of NoT, since IoT has its “things” connected to
the Internet. In contrast, some types of NoT use only Local Area Networks (LAN), with none of
their “things” connected to the Internet.
The IoT growth is driven by business needs as part of enterprise digital transformation (Fig. 5.1).
According to Machina Research, the total number of IoT connections will grow from six billion
in 2015 to 27 billion by 2025.

IoT solutions not only involve various technology domains such as mobile
communications, cloud, data, security, telecommunications, and networking but they also lead to
cross-industrial use of data (for example, data generated in smart home and industrial
applications is used in the automotive domain) (Fig. 5.2). This opens a possibility for
establishing business partnerships between horizontal industries, such as
telecommunication operators, and vertical industries, such as car manufacturers, as new business
models.

IoT Security and IoT Architectures:

IoT security solutions should be extremely scalable to apply to an exponentially increasing
number of various IoT devices. A growing variety of IoT applications creates
new security challenges. In addition to traditional security domains such as cryptography, secure
communication, and privacy assurances, IoT security also focuses on trust/identity management,
data confidentiality, privacy protection, etc.

IoT Architecture:
IoT architecture refers to the tangle of components such as sensors, actuators, cloud services,
protocols, and layers that make up IoT networking systems. In general, it is divided into layers
that allow administrators to evaluate, monitor, and maintain the integrity of the system. The
architecture of IoT is a four-step process through which data flows from devices connected to
sensors, through a network, and then through the cloud for processing, analysis, and storage.
Different Layers of IoT Architecture:
A four-layer architecture is the standard and most widely accepted format.
There are four layers present i.e., the Perception Layer, Network Layer, Processing Layer, and
Application Layer.

Perception/Sensing Layer
The first layer of any IoT system involves “things” or endpoint devices that serve as a conduit
between the physical and the digital worlds. Perception refers to the physical layer, which
includes sensors and actuators that are capable of collecting, accepting, and processing data over
the network. Sensors and actuators can be connected either wirelessly or via wired connections.
The architecture does not limit the scope of its components nor their location.

Network Layer
Network layers provide an overview of how data is moved throughout the application. This layer
contains Data Acquiring Systems (DAS) and Internet/Network gateways. A DAS performs data
aggregation and conversion functions (collecting and aggregating data from sensors, then
converting analog data to digital data, etc.). It is necessary to transmit and process the data
collected by the sensor devices. That’s what the network layer does. It allows these devices to
connect and communicate with other servers, smart devices, and network devices. As well, it
handles all data transmissions for the devices.
Processing Layer
The processing layer is the brain of the IoT ecosystem. Typically, data is analyzed, pre-
processed, and stored here before being sent to the data center, where it is accessed by software
applications that both monitor and manage the data as well as prepare further actions. This is
where Edge IT or edge analytics enters the picture.

Application Layer
User interaction takes place at the application layer, which delivers application- specific services
to the user. An example might be a smart home application where users can turn on a coffee
maker by tapping a button in an app or a dashboard that shows the status of the devices in a
system. There are many ways in which the Internet of Things can be deployed such as smart
cities, smart homes, and smart health.

IoT Security Challenges

Three categories of IoT risks include:


1. Risks that are typical in any Internet system
2. Risks that are specific to IoT devices
3. Safety to ensure no harm is caused by misusing actuators, for instance.

Scalability: Managing a large number of IoT nodes requires scalable security solutions.
Connectivity: In IoT communications connecting various devices of different capabilities in a
secure manner is another challenge.

End-to-End Security: End-to-end security measures between IoT devices and Internet hosts are
equally important.

Authentication and Trust: Proper identification and authentication capabilities and their
orchestration within a complex IoT environment are not yet mature. This prevents
establishment of trust relationships between IoT components, which is a prerequisite for IoT
applications requiring ad-hoc connectivity between IoT components, such as Smart City
scenarios. Trust management for IoT is needed to ensure that data analytics engines are fed with
valid data. Without authentication it is not possible to ensure that the data flow produced by an
entity contains what it is supposed to contain.

Identity Management: Identity management is an issue as poor security practices are often
implemented. For example, the use of clear text/Base64 encoded IDs/passwords with devices and
machine-to-machine (M2M) is a common mistake. This should be replaced with managed tokens
such as JSON Web Tokens (JWT) used by OAuth/OAuth2 authentication and authorization
framework (the Open Authorization).
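
The contrast described above, as an added example that is not part of the original notes: a Base64-encoded device ID/password is recovered by anyone who sees the header, while a short-lived HS256-signed JWT carries no password and is rejected once it is altered or expired. The device ID, password, signing key and function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values; not taken from any real device or deployment.
DEVICE_ID = "sensor-017"
DEVICE_PASSWORD = "factory-default"
SIGNING_KEY = b"demo-key-held-only-by-the-token-issuer"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def basic_header(device_id: str, password: str) -> str:
    """The weak pattern: credentials that are only Base64 encoded."""
    raw = f"{device_id}:{password}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def recover_basic(header: str) -> tuple:
    """What any observer of the header can do: decode it, no key required."""
    raw = base64.b64decode(header.split(" ", 1)[1]).decode()
    user, _, password = raw.partition(":")
    return user, password


def issue_jwt(device_id: str, scope: str, ttl: int, now: int) -> str:
    """Mint a short-lived token. The payload is signed, not encrypted."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": device_id, "scope": scope, "iat": now, "exp": now + ttl}
    signing_input = (b64url(json.dumps(header).encode()) + "."
                     + b64url(json.dumps(claims).encode()))
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_jwt(token: str, now: int) -> dict:
    """Return the claims, or raise ValueError if the token must be rejected."""
    try:
        head_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        claims = json.loads(b64url_decode(claims_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, TypeError) as exc:
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")
    # Pin the algorithm; never let the token choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    expected = hmac.new(SIGNING_KEY, f"{head_b64}.{claims_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        raise ValueError("token expired")
    return claims


def tamper_scope(token: str, new_scope: str) -> str:
    """Rewrite the scope claim without the key; the old signature is kept."""
    head_b64, claims_b64, sig_b64 = token.split(".")
    claims = json.loads(b64url_decode(claims_b64))
    claims["scope"] = new_scope
    return ".".join([head_b64, b64url(json.dumps(claims).encode()), sig_b64])


if __name__ == "__main__":
    print("recovered from Basic header:",
          recover_basic(basic_header(DEVICE_ID, DEVICE_PASSWORD)))
    token = issue_jwt(DEVICE_ID, "telemetry:write", ttl=300, now=1_700_000_000)
    print("valid token claims:", verify_jwt(token, now=1_700_000_100))
    for label, candidate, when in [
        ("altered scope", tamper_scope(token, "admin"), 1_700_000_100),
        ("after expiry", token, 1_700_000_400),
    ]:
        try:
            verify_jwt(candidate, now=when)
        except ValueError as err:
            print(f"{label}: rejected ({err})")
```
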

Attack-Resistant Security Solutions: Diversity in IoT devices results in a need for
attack-resistant and lightweight security solutions. As IoT devices have limited compute resources, they
are vulnerable to resource enervation attacks.

Security threats to IoT devices:


Security Requirements in IoT:
Security is a significant obstacle in IoT. It involves sensing infrastructure security,
communication network security, application security and general system security. IoT security
has diverse meanings, which are depicted in the diagram below:
In IoT, each connected device could be a potential doorway into the IoT infrastructure or
personal data. Security concerns will rise once IoT reaches the next level of interoperability
and autonomous decision making, with higher-order security loopholes.
The key IoT security requirements can be presented as shown in the figure below. The main security
requirements are categorized into six domains.

The need for privacy is the core property of self-actualization in IoT. There are several
applications working in many different areas, such as patient monitoring systems, traffic control,
energy consumption inventory management, smart parking, civil protection and many others.
Privacy should be guaranteed to the end user.

After security, the next main aspect is privacy, and with privacy there is trust. In the
Internet of Things, trust is also an important factor, which the end user develops
when there is an element of security and privacy in the device.

The current issue in IoT security concerns the access IoT has to sensitive data and the movement
of sensitive data overall. With enough time, hackers could theoretically use a connected kettle to
gain your business’ Wi-Fi password.

Therefore, IoT security depends on intra-network data loss prevention. This tool helps
ensure that IoT devices can’t simply access data to which they aren’t entitled. Further, it prevents
malicious actors from moving data through network nodes or out of the network; instead, it
keeps all the data stored securely until an authorized user decides to move it. This can apply to
devices as much as people.

Integration with Backup


When we discuss IoT security, the conversation usually hinges on endpoint security. Certainly,
this stems from accurate beliefs. After all, IoT devices represent one more aspect of the
hardware-based digital perimeter; each device opens another potential attack vector for external
threat actors. Without visibility into every device brought by endpoint security, hackers could
find a solid foothold for infections.

Unnecessary Capabilities
Of course, the future of IoT security depends largely on your own commitment to cybersecurity
and the steps you take to ensure it. For example, many IoT devices come with default
administrator passwords which are easily guessed or cracked. Your security team needs to take
the time to reset these passwords wherever possible. Further, you need to turn off unnecessary
capabilities on each device which could hamper cybersecurity efforts and protections.

Updates and Patches


Security depends on making sure that IoT devices receive regular updates to their security
firmware and software. Like all devices, the updates these devices receive contain vital security
patches and threat intelligence. Unfortunately, many IoT developers fail to make patching these
devices a priority.

(i) Next Generation IoT Security: Data Confidentiality

Homomorphic Encryption - Homomorphic encryption schemes make it possible to perform
mathematical operations on ciphertexts. Ex: Private healthcare

Searchable Encryption - Searchable encryption schemes allow a storage provider to search for
keywords or patterns in encrypted data without being able to gain any knowledge of the
underlying plaintext.

(ii) Next Generation IoT Security: Trust

Trust Establishment - mainly focuses on establishing trust in public keys and their assignment to
users.

Blockchain and IoT: Trust in Transactions

Trust in Platforms – Hardware and software


Identity Management

(iii) Next Generation IoT Security: Privacy

Privacy Through Data Usage Control - The key advantage of data usage control is that it
provides users with the ability to control the usage of their data even when it is managed by
others.
Privacy in Multifaceted and Dynamic Contexts - As more data is being stored, transmitted and
processed via shared infrastructure, future IoT platforms will require new advanced services and
technologies to enforce adequate access controls.

5.2 CLOUD SECURITY

What is Cloud Security Architecture?


Cloud security starts with a cloud security architecture. An organization should first understand
its current cloud security posture, and then plan the controls and cloud security solutions it will
use to prevent and mitigate threats. This planning is critical to secure hyper-complex
environments, which may include multiple public clouds, SaaS and PaaS services, on-premise
resources, all of which are accessed from both corporate and unsecured personal devices.

Why Do You Need a Cloud Security Architecture?


As organizations become more dependent on the cloud, they must also place a bigger focus on
security. Most off-network data flows through cloud-based services, yet many of these cloud
services are used without any security planning. The use of cloud service providers and multiple
personal devices makes it difficult for companies to view and control data flows. Cloud
collaboration bypasses ordinary network control measures. Access to sensitive data on
unmanaged personal devices presents a major risk.

Security and risk management experts find it difficult to gain visibility over a complex mix of
devices, networks and clouds. These network security mosaics, fraught with hidden
vulnerabilities, are an invitation for attackers to attempt breaches. Many cloud service providers
do not provide detailed information about their internal environment, and many common internal
security controls cannot be directly converted to a public cloud.

For all these reasons, organizations need to think about cloud security as a new challenge, and
build a cloud security architecture that will help them adequately secure this complex
environment.

Cloud Security Architecture Patterns

The right pattern can help you implement security across your organization. For example, it can
help you protect the CIA (confidentiality, integrity, and availability) of your cloud data assets, as
well as respond to security threats. You can implement security controls directly, or use security
controls as a service offered by your cloud provider or third-party vendors. The cloud security
architecture model is usually expressed in terms of:
• Security controls—which can include technologies and processes. Controls should take into
account the location of each service—company, cloud provider, or third party.

• Trust boundaries—between the different services and components deployed on the cloud

• Standard interfaces and security protocols—such as SSL, IPSEC, SFTP, LDAPS, SSH,
SCP, SAML, OAuth, etc.

• Techniques used for token management—authentication, and authorization

• Encryption methods including algorithms like 128-bit AES, Triple DES, RSA, Blowfish.

• Security event logging—ensuring all relevant security events are captured, prioritized, and
delivered to security teams.

Each security control should be clearly defined using the following attributes:

• Service function—what is the service’s role? For example, encryption, authorization,
event data collection.

• Logical location—public cloud service, third party service, or on-premises. Location affects
performance, availability, firewall policies, and service management.

• Protocol—what protocol is used to access the service? For example, REST, HTTPS, SSH.

• Input/Output – what does the service receive and what is it expected to deliver? For example,
input is a JSON feed and output is the same feed with encrypted payload data.

• Control mechanisms—what types of control does the service achieve? For example, data at
rest protection, user authentication, application authentication.

• Users and operators—who operates or benefits from the service? For example, endpoint
devices, end users, business managers, security analysts.

Cloud Computing Security Architectural elements:

The cloud security architecture model differs depending on the type of cloud service: IaaS
(Infrastructure as a Service), PaaS (Platform as a Service), or SaaS (Software as a Service).
Below we explain different security considerations for each model.

IaaS Cloud Computing Security Architecture

IaaS provides storage and network resources in the cloud. It relies heavily on APIs to help
manage and operate the cloud. However, cloud APIs are often not secure, because they are open
and easily accessible from the web.

The cloud service provider (CSP) is responsible for securing the infrastructure
and abstraction layer used to access the resources. Your organization's security obligations cover
the rest of the layers, mainly containing the business applications. To better visualize cloud
network security issues, deploy a Network Packet Broker (NPB) in an IaaS environment. The
NPB sends traffic and data to a Network Performance Management (NPM) system, and to the
relevant security tools. In addition, establish logging of events occurring on network endpoints.

IaaS cloud deployments require the following additional security features:

• Network segmentation
• Intrusion Detection System and Intrusion Prevention System (IDS/IPS)
• Virtual firewalls placed in front of web applications to protect against malicious code, and at
the edge of the cloud network
• Virtual routers

SaaS Cloud Computing Security Architecture

SaaS services provide access to software applications and data through a browser. The specific
terms of security responsibility may vary between services, and are sometimes up for negotiation
with the service provider. Cloud Access Security Brokers (CASB) offer logging, auditing,
access control and encryption capabilities that can be critical when investigating security issues
in a SaaS product. In addition, make sure your SaaS environment has:
• Logging and alerting
• IP whitelists and/or blacklists
• API gateways, in case the service is accessed via API

PaaS Cloud Computing Security Architecture

PaaS platforms enable organizations to build applications without the overhead and complexity
associated with managing hardware and back-end software. In a PaaS model, the CSP protects
most of the environment. However, the company is still responsible for the security of the
applications it is developing. Therefore, a PaaS security architecture is similar to a SaaS model.
Ensure you have CASB, logging and alerting, IP restrictions and an API gateway to ensure
secure internal and external access to your application’s APIs.

CLOUD SECURITY ARCHITECTURE:

A cloud security architecture (also sometimes called a “cloud computing security architecture”)
is defined by the security layers, design, and structure of the platform, tools, software,
infrastructure, and best practices that exist within a cloud security solution. A cloud security
architecture provides the written and visual model to define how to configure and secure
activities and operations within the cloud, including such things as identity and access
management; methods and controls to protect applications and data; approaches to gain and
maintain visibility into compliance, threat posture, and overall security; processes for instilling
security principles into cloud services development and operations; policies and governance to
meet compliance standards; and physical infrastructure security components.
Cloud security, in general, refers to the protection of information, applications, data, platforms,
and infrastructure that operate or exist within the cloud. Cloud security is applicable to all types
of cloud computing infrastructures, including public clouds, private clouds, and hybrid clouds.
Cloud security is a type of cybersecurity.

Key Elements of a Cloud Security Architecture

When developing a cloud security architecture several critical elements should be included:

• Security at Each Layer: Ensure that each layer of the cloud’s security stack is “self-defending.”
There may be multiple components in each layer, so having defense-in-depth is
critical. This goes into having things like automatic updates on operating
systems, secure coding and monitoring logs.

• Centralized Management of Components: This is taking the concept of multiple components
in each layer and managing each — especially security — from one place, making sure to
incorporate efficiency opportunities.

• Redundant & Resilient Design: Building out disaster recovery plans and having backups on
hand to re-establish operations. Another aspect of this is making sure you have resiliency built
into all components, or at least the ones that continuously need to be online.

• Elasticity & Scalability: When it comes to elasticity, we have to keep in mind specific design
options. When scaling, should it be a horizontal or vertical scale? In other words, can you make
the server bigger or add more servers/services?

• Appropriate Storage for Deployments: When choosing storage, it comes down to your
organization’s use cases and needs. Take time to look at the options available as they are not
created equal. Each has its security controls and different performance specifications.

• Alerts & Notifications: While designing how the components will talk to each other and how
users interact with those components, you need to ensure that you are being alerted and notified.
This keeps you in the loop on what is happening in your cloud infrastructure.

• Centralization, Standardization, & Automation: Centralization is using services and tools
that can be integrated into a single dashboard for viewing. Standardization is creating consistent
architectural security models across the vast amount of services offered in the cloud, reducing
the burden of implementation of those new services. Finally, automation: the more you can
automate your infrastructure, the quicker you can scale and respond to incidents and issues.

SECURITY MANAGEMENT IN THE CLOUD:

Cloud security management is the practice of securing your data and operations in the cloud
from theft or damage. As demand for cloud computing expands, cloud security services are
expected to grow as organizations become more aware of the importance of securing their
presence in the cloud. This article tackles what cloud security management means and why it is
important, how to evaluate cloud security management service providers, and the pros and
challenges of cloud security management.

Implementation of security management in cloud computing

Among several strategies you can adopt to keep your cloud secure are:

• Perform security audits. Analyze your cloud-based products and services for potential
security loopholes on a regular basis.

• Set appropriate levels of protection. Task your IT security team with complete control of the
security settings for your cloud-based applications, setting them to the highest level possible.

• Use data encryption and network security monitoring tools. Add another level of protection
to your data by encrypting them, and only allow legitimate traffic into your network.

• Manage end-user devices. Make sure that only authorized devices are given access to your
network and data.

• Manage users. Set appropriate user-level controls to limit data access to authorized users
only. Ensure that your users only have access to the data they need in their line of work.

• Monitor user activity. Make use of reports to view user activity in your cloud, and gain better
understanding of security risks surrounding your operations.

Challenges of cloud security management


There are also challenges in managing cloud security, including:
• Difficulties in tracking data use. This is especially true since cloud services provided by a
third-party vendor lie outside your corporate network. Be prepared to ask your vendor for audit
trail logs when necessary.
• Security risks inherent in multi-tenant environments. Multi-tenant environments may
expose your network to malicious attacks. Even if someone else’s network is targeted, your
network may still end up as collateral damage. The risk may be lower when you have a reputable
vendor host your cloud environment.

• Access restriction management. Ensuring access restrictions in your on-premises infrastructure
are carried over to your cloud environment. When applicable, your IT team must ensure that you
have BYOD policies for your end users, and that only authorized devices and locations are
allowed access to your cloud services.

• Meeting compliance requirements. Ensure that your cloud services pass compliance
requirements. You may assume that the vendor will take care of compliance. This is a mistake
that can lead to heavy fines from regulators. Since compliance is always your responsibility, you
should have a team ready to handle this for your organization.
• Asset misconfiguration potential. A misconfiguration can leave your network open to attack.
To prevent this from happening, assign a team to review configuration settings and changes.
Have a team ready to plug potential holes when needed.

Availability Management in Cloud Computing

Cloud services are not immune to outages (failure/interruption), and the severity and the scope of
impact on the customer can vary based on the situation, as it will depend on the criticality of the
cloud application and its relationship to internal business processes.

1. Impact on business: In the case of business-critical applications where businesses rely on the
continuous availability of service, even a few minutes of service failure can have a serious
impact on the organization’s productivity, revenue, customer satisfaction, and service-level
compliance.
2. Impact on customers: During a cloud service disruption, affected customers will not be able
to access the cloud service and in some cases may suffer degraded performance or user
experience. For example, when a storage service is disrupted, it will affect the availability and
performance of a computing service that depends on the storage service.

Factors Affecting Availability:

The cloud service’s ability to recover from an outage situation and availability depends on a few
factors, including the cloud service provider’s data center architecture, application architecture,
hosting location redundancy, diversity of Internet service providers (ISPs), and data storage
architecture.

Following is a list of the major factors:


• The redundant design of Software as a Service and Platform as a Service applications.
• The architecture of the Cloud service data center should be fault-tolerant.
• Having better Network connectivity and geography can resist disaster in most cases.
• Customers of the cloud service should quickly respond to outages with the support team of the
Cloud Service Provider.
• Sometimes the outage affects only a specific region or area of cloud services, so it is
difficult in those cases to troubleshoot the situation.
• There should be reliability in the software and hardware used in delivering cloud
services.
• The infrastructure of the network should be efficient and should be able to cope with
DDoS (distributed denial of service) attacks on the cloud service.
• Not having proper security against internal and external threats, e.g., privileged users
abusing privileges.

SaaS Availability Management

Software as a Service Customer’s Responsibility:

• Customers should understand the Service Level Agreement (SLA) and communication
methods so that they will be informed of service outages or maintenance.
• Customers should be aware of options to support availability management; that is, they should
understand the factors affecting availability management.
• The customer of Software as a Service should be aware that the cloud service is multi-tenant,
which means Cloud Service Providers typically offer a standard Service Level Agreement (SLA)
for all customers. Thus, Cloud Service Providers may not be able to provide their services to the
customers if the standard Service Level Agreement (SLA) does not meet the service requirements.
However, if you are a medium or large enterprise with a big budget, a custom SLA can be made
available.
• The customers should be aware of how resource democratization occurs within the Cloud
Service Providers to best predict the likelihood of system availability and performance during
business fluctuations.

PaaS Availability Management:

Platform as a Service Customer’s Responsibilities:

The following considerations are for Platform as a Service customers:

• PaaS platform service levels: Customers should read and understand the terms and conditions
of the Cloud Service Provider’s Service Level Agreements.

• Third-party web services provider service levels: When your Platform as a Service
application depends on a third-party service, it is critical to understand the Service Level
Agreements of that service. Network connectivity parameters with third-party service providers.
Example: Bandwidth and latency factors.

• Platform as a Service Health Monitoring: The following options are available to
customers to monitor the health of their service:
• Service health dashboard published by the Cloud Service Provider.
• Cloud Service Provider’s customer mailing list that notifies customers of occurring and recently
occurred outages.
• Use third-party tools to check the health of the application.

IaaS Availability Management:

IaaS providers’ availability considerations include computing and building storage
infrastructure, and other services such as account management, a message queue service, an identity
and authentication service, a database service, a billing service, and monitoring services.
The customer’s responsibility in IaaS is to provision and manage the life cycle of virtual
servers.

Managing the IaaS virtual infrastructure includes:

– Availability of the CSP network, host, storage, and support application infrastructure.
The cloud service provider’s data center architecture, including a geographically diverse and
fault-tolerant architecture, should be efficient. With these being present, the infrastructure also
must be reliable.
– Internal or third-party-based service monitoring tools (e.g., Nagios)
– Web console or API that publishes the current health status of your virtual servers and network.

• Infrastructure as a Service Health Monitoring: The following options are available to
Infrastructure as a Service customers for managing the health of their service:
• Service health dashboard published by the Cloud Service Providers.
• Cloud Service Provider’s customer mailing list that notifies customers of occurring and recently
occurred outages.
• Third-party-based service monitoring tools that periodically check the health of your
Infrastructure as a Service virtual server.

ACCESS CONTROL:

Client users and system administrators (privileged users) who access network, system, and
application resources must be made aware of the access requirements. The functionalities of access
control management include defining who should have access to what resources (Assignment of
entitlements to users, and also to audit and report to verify entitlement assignments), why should
the users have access to the resource they hold (Assignment of entitlements based on the user’s
job functions and responsibilities), how can the user access the resources which will state the
authentication methods and strength check before granting access to the resources. In a cloud
computing model, network based access control plays a diminishing role. User access control
should be strongly emphasized in the cloud, since it can strongly bind a user’s identity to the
resources in the cloud and will help with fine granular access control, user accounting, support
for compliance, and data protection. User access management controls, including strong
authentication, single sign-on (SSO), privilege management, and logging and monitoring of
cloud resources, play a significant role in protecting the confidentiality and integrity of your
information in the cloud.
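
One way to express the who/why/how questions above as a default-deny check plus an entitlement audit (an added example, not part of the original notes). The roles, users, resources and authentication levels are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample policy. "Why": entitlements justified by each job function.
ROLE_ENTITLEMENTS = {
    "billing-analyst": {("invoices", "read")},
    "cloud-operator": {("vm", "read"), ("vm", "restart")},
}
# "How": minimum authentication strength per resource
# (1 = password only, 2 = password plus one-time password).
REQUIRED_AUTH_LEVEL = {"invoices": 1, "vm": 2}


@dataclass(frozen=True)
class User:
    name: str
    role: str
    grants: frozenset  # "Who/what": entitlements actually assigned to the account


def check_access(user: User, resource: str, action: str, auth_level: int):
    """Return (allowed, reason); anything not explicitly permitted is denied."""
    wanted = (resource, action)
    if wanted not in user.grants:
        return False, "no entitlement assigned"
    if wanted not in ROLE_ENTITLEMENTS.get(user.role, set()):
        return False, "entitlement not justified by job function"
    # Unknown resources demand an unreachable level, so they are denied.
    if auth_level < REQUIRED_AUTH_LEVEL.get(resource, 99):
        return False, "stronger authentication required"
    return True, "granted"


def audit_entitlements(users):
    """Report assigned entitlements that the user's job function does not justify."""
    findings = []
    for user in users:
        justified = ROLE_ENTITLEMENTS.get(user.role, set())
        for resource, action in sorted(user.grants - justified):
            findings.append((user.name, user.role, resource, action))
    return findings


SAMPLE_USERS = [
    User("asha", "billing-analyst", frozenset({("invoices", "read")})),
    User("ben", "cloud-operator", frozenset({("vm", "read"), ("vm", "restart")})),
    # Drift: a grant left over from a previous job function.
    User("carl", "billing-analyst",
         frozenset({("invoices", "read"), ("vm", "restart")})),
]

if __name__ == "__main__":
    asha, ben, carl = SAMPLE_USERS
    print(check_access(asha, "invoices", "read", auth_level=1))
    print(check_access(ben, "vm", "restart", auth_level=1))
    print(check_access(ben, "vm", "restart", auth_level=2))
    print(check_access(carl, "vm", "restart", auth_level=2))
    for finding in audit_entitlements(SAMPLE_USERS):
        print("unjustified grant:", finding)
```
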

The following are the six control statements:


• Control access to information.
• Manage user access rights.
• Encourage good access practices.
• Control access to network services.
• Control access to operating systems.
• Control access to applications and systems.

Access Control: SaaS

In the SaaS delivery model, the CSP is responsible for managing all aspects of the network,
server, and application infrastructure. In that model, since the application is delivered as a
service to end users, usually via a web browser, network-based controls are becoming less
relevant and are augmented or superseded by user access controls, e.g., authentication using a
one-time password. Hence, customers should focus on user access controls (authentication,
federation, privilege management, deprovisioning, etc.) to protect the information hosted by
SaaS. Some SaaS services, such as Salesforce.com, augment network access control (e.g., source
IP address/network-based control) to user access control in which case customers have the option
to enforce access based on network and user policy parameters.

Access Control: PaaS


In the PaaS delivery model, the CSP is responsible for managing access control to the network,
servers, and application platform infrastructure. However, the customer is responsible for access
control to the applications deployed on a PaaS platform. Access control to applications manifests
as end user access management, which includes provisioning and authentication of users.

Access Control: IaaS


IaaS customers are entirely responsible for managing all aspects of access control to their
resources in the cloud. Access to the virtual servers, virtual network, virtual storage, and
applications hosted on an IaaS platform will have to be designed and managed by the customer.

In an IaaS delivery model, access control management falls into one of the following two
categories:

(i) CSP infrastructure access control


Access control management to the host, network, and management applications that are owned
and managed by the CSP

(ii) Customer virtual infrastructure access control

Access control management to your virtual server (virtual machines or VMs), virtual storage,
virtual networks, and applications hosted on virtual servers.

In summary, from an enterprise customer perspective, access management is an essential security
process to protect the confidentiality, integrity, and availability (CIA) of information hosted in
the cloud. A robust access management program should include procedures for provisioning,
timely deprovisioning, flexible authentication, privilege management, accounting, auditing, and
support for compliance management. Cloud customers should understand the CSP-specific
access control features for networks, systems, and applications, and appropriately manage
access.
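The entitlement audit that this section describes (who holds what, why the job function justifies it, how strongly the user authenticates, and whether departed users were deprovisioned) can be automated. The following is an added example, not part of the original notes; the role names, entitlement strings, strength levels and sample accounts are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed policy: entitlements justified by job function (the "why"),
# and the minimum authentication strength each resource demands (the "how").
ROLE_ENTITLEMENTS = {
    "developer": {"paas-app:deploy", "iaas-vm:read"},
    "sysadmin": {"iaas-vm:read", "iaas-vm:admin", "iaas-network:admin"},
    "sales": {"saas-crm:use"},
}
AUTH_STRENGTH = {"password": 1, "otp": 2, "sso+mfa": 3}
REQUIRED_STRENGTH = {"iaas-vm:admin": 3, "iaas-network:admin": 3, "paas-app:deploy": 2}

@dataclass
class Account:
    user: str
    role: str
    active: bool                 # False once the user has left the organization
    auth_method: str
    entitlements: set = field(default_factory=set)

def audit(accounts):
    """Return sorted (user, finding, entitlement) tuples for every policy deviation."""
    findings = []
    for acct in accounts:
        if not acct.active:
            # Timely deprovisioning: a departed user must hold nothing.
            for ent in sorted(acct.entitlements):
                findings.append((acct.user, "not-deprovisioned", ent))
            continue
        # Unknown roles justify no entitlements at all.
        allowed = ROLE_ENTITLEMENTS.get(acct.role, set())
        for ent in sorted(acct.entitlements - allowed):
            findings.append((acct.user, "excess-entitlement", ent))
        strength = AUTH_STRENGTH.get(acct.auth_method, 0)
        for ent in sorted(acct.entitlements):
            if strength < REQUIRED_STRENGTH.get(ent, 1):
                findings.append((acct.user, "weak-authentication", ent))
    return sorted(findings)

# Constructed sample accounts, not taken from any real system.
SAMPLE = [
    Account("alice", "sysadmin", True, "sso+mfa", {"iaas-vm:read", "iaas-vm:admin"}),
    Account("bob", "developer", True, "password", {"paas-app:deploy", "iaas-vm:admin"}),
    Account("carol", "sales", False, "otp", {"saas-crm:use"}),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```

In practice the account list would come from the CSP's identity export and the active flag from the HR system of record, so the same check covers SaaS, PaaS and IaaS entitlements in one report.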

SECURITY VULNERABILITY, PATCH, AND CONFIGURATION MANAGEMENT

The ability for malware (or a cracker) to remotely exploit vulnerabilities of infrastructure
components, network services, and applications remains a major threat to cloud services. It is an
even greater risk for a public PaaS and IaaS delivery model where vulnerability, patch, and
configuration management responsibilities remain with the customer. Customers should
remember that in cloud computing environments, the lowest or highest common denominator of
security is shared by all tenants in a multitenant virtual environment. Hence, the onus is with the
customers to understand the scope of their security management responsibilities. Customers
should demand that CSPs become more transparent about their cloud security operations to help
customers understand and plan complementary security management functions.
By and large, CSPs are responsible for the vulnerability, patch, and configuration (VPC)
management of the infrastructure (networks, hosts, applications, and storage) that is CSP
managed and operated, as well as third-party services that they may rely on. However, customers
are not spared from their VPC duties and should understand the VPC aspects for which they are
responsible. A VPC management scope should address end-to-end security and should include
customer-managed systems and applications that interface with cloud services. As a standard
practice, CSPs may have instituted these programs within their security management domain, but
typically the process is internal to the CSP and is not apparent to customers. CSPs should assure
their customers of their technical vulnerability management program using ISO/IEC 27002 type
control and assurance frameworks.

Security Vulnerability Management


Vulnerability management is an essential threat management element to help protect hosts,
network devices, and applications from attacks against known vulnerabilities. Mature
organizations have instituted a vulnerability management process that involves routine scanning
of systems connected to their network, assessing the risks of vulnerabilities to the organization,
and a remediation process (usually feeding into a patch management program) to address the
risks. Organizations using ISO/IEC 27002 are known to address this program using a technical
vulnerability management control objective, which states:

Objective: To reduce risks resulting from exploitation of published technical vulnerabilities.


Technical vulnerability management should be implemented in an effective, systematic, and
repeatable way with measurements taken to confirm its effectiveness. These considerations
should include operating systems, and any other applications in use. Both the customer and the
CSP are responsible for vulnerability management of the cloud infrastructure, depending on the
SPI service in context.

Security Patch Management

Similar to vulnerability management, security patch management is a vital threat management
element in protecting hosts, network devices, and applications from unauthorized users
exploiting a known vulnerability.

Patch management processes follow a change management framework and feed directly from
the actions directed by your vulnerability management program. Security patch management
mitigates the risk to your organization from insider and outsider threats. Hence, SaaS providers
should routinely assess new vulnerabilities and patch the firmware and software on all
systems that are involved in delivering the *aaS service to customers.

The scope of patch management responsibility for customers will have a low-to-high relevance in
the order of SaaS, PaaS, and IaaS services—that is, customers are relieved from patch
management duties in a SaaS environment, whereas they are responsible for managing patches
for the whole stack of software (operating system, applications, and database) installed and
operated on the IaaS platform. Customers are also responsible for patching their applications
deployed on the PaaS platform.

Security Configuration Management

Security configuration management is another significant threat management practice to protect
hosts and network devices from unauthorized users exploiting any configuration weakness.
Security configuration management is closely related to the vulnerability management program
and is a subset of overall IT configuration management. Protecting the configuration of the
network, host, and application entails monitoring and access control to critical system and
database configuration files, including OS configuration, firewall policies, network zone
configuration, locally and remotely attached storage, and an access control management
database.
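Monitoring and access control over critical configuration files is commonly implemented as a baseline-and-compare check. The following is an added example, not part of the original notes; the file names and the scenario are constructed, and the world-writable test is one assumed access control rule among many possible ones.

```python
import hashlib
import os
import stat
import tempfile

def snapshot(paths):
    """Map each existing file to (SHA-256 of contents, permission bits)."""
    snap = {}
    for path in paths:
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            snap[path] = (digest, stat.S_IMODE(os.stat(path).st_mode))
    return snap

def drift(baseline, current):
    """Compare two snapshots; return sorted (path, finding) tuples."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            findings.append((path, "missing"))
            continue
        if path not in baseline:
            findings.append((path, "unexpected-file"))
        elif baseline[path][0] != current[path][0]:
            findings.append((path, "content-changed"))
        # Access control check: config files must not be world-writable.
        if current[path][1] & stat.S_IWOTH:
            findings.append((path, "world-writable"))
    return findings

def demo():
    """Constructed scenario: a firewall policy is edited and loosened."""
    with tempfile.TemporaryDirectory() as root:
        fw = os.path.join(root, "firewall.rules")    # hypothetical file names
        zones = os.path.join(root, "zones.conf")
        for path, text in ((fw, "deny all\n"), (zones, "dmz=10.0.1.0/24\n")):
            with open(path, "w") as fh:
                fh.write(text)
            os.chmod(path, 0o640)
        baseline = snapshot([fw, zones])
        with open(fw, "a") as fh:                    # change outside change control
            fh.write("allow any any\n")
        os.chmod(fw, 0o666)
        os.remove(zones)
        found = drift(baseline, snapshot([fw, zones]))
        return [(os.path.basename(p), f) for p, f in found]

if __name__ == "__main__":
    print(demo())
```

The baseline itself has to be stored where the monitored host cannot rewrite it, otherwise whoever changes the configuration can also refresh the baseline.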

In the SPI service delivery model, configuration management from a customer responsibility
perspective has a low-to-high relevance in the order of SaaS, PaaS, and IaaS services—that is,
SaaS and PaaS service providers are responsible for configuration management of their platform,
whereas IaaS customers are responsible for configuration management of the operating system,
application, and database hosted on the IaaS platform. Customers are also responsible for
configuration management of their applications deployed on the PaaS platform.

(i) SaaS VPC Management

SaaS VPC management focuses on managing vulnerabilities, security patching, and system
configuration in the CSP-managed infrastructure, as well as the customer infrastructure
interfacing with the SaaS service. Since the SaaS delivery model is anchored on the premise that
the application service is delivered over the Internet to a web browser running on any computing
device (personal computer, virtual desktop, or mobile device), it is important to secure the
endpoints from which the cloud is accessed. Hence, a VPC management program should include
endpoint VPC management requirements and should be tailored to the corporate environment. It
is standard practice for most companies to institute a standard OS image for personal computers
that include security tools such as antivirus, anti-malware, firewall, and automatic patch
management from a central management station.

SaaS provider responsibilities

The following list represents SaaS VPC scope:


• Systems, networks, hosts, applications, and storage that are owned and operated by the CSP
• Systems, networks, hosts, applications, and storage that are managed by third parties
• Personal computers and smartphones owned by the SaaS employees and contractors

SaaS customer responsibilities

SaaS customers are responsible for VPC management of their systems that interface with the
SaaS service. The responsibilities include:
• Personal computers of a SaaS user.
• Applications or services that interface with the SaaS service.
• Security testing of the SaaS service. Although SaaS providers are responsible for vulnerability
management of the software delivered as a service, some enterprise customers can choose to
independently assess the state of application security.
Note: The scope of the VPC management program should include browser security, systems, and
applications (on both trusted and untrusted zones) located at a customer’s premises interfacing
with SaaS services.

(ii) PaaS VPC Management

PaaS VPC management focuses on VPC management in the CSP-managed infrastructure, as
well as the customer infrastructure interfacing with the PaaS service. Since applications deployed
on a PaaS platform are accessed from a web browser running on an endpoint device (personal
computer, virtual desktop, or mobile device), the program should include endpoint VPC
management scope.

PaaS provider responsibilities


Similar to a SaaS model, the PaaS CSP is responsible for VPC management of the infrastructure
that is operated by the CSP, as well as third-party services that they may rely on.

PaaS customer responsibilities

PaaS customers are responsible for VPC management of the applications implemented and
deployed on the PaaS platform. Vulnerabilities or the configuration weakness of applications
deployed on a PaaS platform should be treated similarly to a standard application operating in
your data center (e.g., private cloud). Software vulnerabilities are introduced by design flaws or
coding errors. Configuration weakness can be introduced by improper configuration of an
application in the area of authentication and privilege management. In addition, PaaS
applications that rely on third-party web services may simply become weak and vulnerable by
way of vulnerabilities in the third-party service, and that is out of your control. PaaS customers
should follow standard practices embedded in the Software Development Life Cycle (SDLC),
which helps to reduce software application vulnerabilities. Following are some of the standard
practices:
• Application white-box testing
• Application black-box testing
• Application penetration testing
• Vulnerability alerts
PaaS customers are also responsible for VPC management of their systems that interface with the
PaaS service. These systems include:
• Personal computers of a PaaS user
• Browsers used for accessing the PaaS service
• Applications located at the customer’s premises that interface with the PaaS service

(iii) IaaS VPC Management


IaaS VPC management focuses on the CSP-managed infrastructure, as well as the customer
infrastructure interfacing with the IaaS service. IaaS VPC management diverges from SaaS and
PaaS in that the infrastructure delineation, network boundary between customers, and CSP
infrastructure are blurred. For each layer of infrastructure (network, host, storage), the customer
and CSP have responsibilities in managing VPC in the respective layers from their perspective
(i.e., the CSP is responsible for the common CSP infrastructure available to all customers, and
the customer is responsible for the virtual infrastructure available to the customer for the duration
of use). Hence, a VPC management program should address both the common and shared
infrastructures.

IaaS provider responsibilities


In general, an IaaS CSP is responsible for VPC management of the infrastructure that is
owned and operated by the CSP, as well as the third-party infrastructure and services they may
rely on. The VPC management scope should include:
• Systems, networks, hosts (hypervisors), storage, and applications that are CSP-owned
and operated
• Systems, networks, hosts, storage, and applications that are managed by third
parties
• The web console or management station used by customers to manage their virtual
infrastructure
• Personal computers owned by the IaaS employees and contractors

IaaS customer responsibilities


IaaS customers are responsible for VPC management of the virtual infrastructure allocated by an
IaaS CSP for customer use.
IaaS administrators are also responsible for VPC management of their systems that
interface with an IaaS service. These systems include:
• Cloud management station, which is the host that the customer manages for managing the
virtual infrastructure in an IaaS cloud
• Personal computers of IaaS administrators
• Browsers used for accessing the IaaS service
