
Chapter - 3

SECURITY MANAGEMENT IN THE CLOUD

Session 6

IMPORTANCE in PAAS, IAAS AND SAAS

6. IMPORTANCE OF SECURITY IN THE CLOUD

6.1 Aim

To familiarise students with the basic concept of the Importance in PAAS, IAAS, SAAS

6.2 Instructional Objectives:

Describe the Importance in PAAS, IAAS, SAAS

6.3 Learning Outcomes:

At the end of this session, students should know the Importance in PAAS, IAAS, SAAS.

6.4 Module Description:

Summarize the importance in PAAS, IAAS and SAAS.

6.5 Session Introduction:

In this session, the student will be able to learn the Importance of security in the cloud by PAAS, IAAS
and SAAS.

6.6 Session description

Security is paramount in the cloud due to the unique challenges and risks associated with cloud
computing. Cloud services offer numerous benefits, such as scalability, flexibility, and cost-
effectiveness, but they also introduce new security considerations. Here are some key reasons why
security is crucial in the cloud:

Data Protection: Cloud providers host vast amounts of data, including sensitive information from
individuals and organisations. Ensuring the confidentiality, integrity, and availability of this data is
vital to prevent breaches and data loss.

Compliance: Many industries and regions have specific regulatory requirements for data protection,
privacy, and security. Cloud users must comply with these regulations, making it essential to
implement security measures that meet these standards.

Shared Responsibility: In a cloud environment, security is a shared responsibility between the cloud
service provider (CSP) and the customer. The CSP is responsible for the security of the cloud
infrastructure, while customers are responsible for securing their data and applications. Failing to
understand this shared responsibility can lead to vulnerabilities.

Data Breaches: Cloud data breaches can be catastrophic, resulting in financial losses, reputational
damage, and legal consequences. Securing data in the cloud is critical to prevent unauthorized
access, data theft, and exposure of sensitive information.

Access Control: Cloud environments are accessible from anywhere with an internet connection,
which increases the risk of unauthorized access. Implementing robust access controls,
authentication, and authorization mechanisms is essential to prevent unauthorized users from
accessing resources.

Multitenancy: Cloud services are often multitenant, meaning multiple customers share the same
physical infrastructure. This shared environment can introduce security risks, such as the potential
for data leakage or cross-tenant attacks, which need to be addressed.

Distributed Nature: Cloud services are distributed across various geographical locations. This
complexity can make it challenging to maintain a consistent and effective security posture, making
centralized security controls and monitoring crucial.

Evolving Threat Landscape: Cyber threats and attack techniques are constantly evolving. Cloud
security measures must adapt to these changes, requiring ongoing monitoring, threat detection, and
incident response capabilities.

Data Backup and Recovery: Cloud users often rely on the provider for data backup and recovery.
Ensuring that data can be reliably restored and is protected against data loss or corruption is
essential for business continuity.

Scalability and Elasticity: The cloud's scalability and elasticity enable resources to be easily
provisioned or de-provisioned. While this flexibility is an advantage, it also means that security
measures need to scale dynamically to meet changing demands.

Identity and Access Management (IAM): Effective IAM policies and practices are crucial in the cloud
to control and audit user access to resources. Misconfigured IAM settings can lead to data exposure
and unauthorized activity.

Security Monitoring and Response: Continuous monitoring, intrusion detection, and incident
response are essential to identify and mitigate security threats and vulnerabilities in a timely manner.

In summary, security in the cloud is indispensable because of the unique challenges and risks
associated with cloud computing. Organizations must prioritize security to protect their data,
maintain regulatory compliance, and safeguard against evolving threats in this dynamic and
distributed computing environment.

6.6.1 Platform as a Service (PaaS)

Platform as a Service (PaaS) provides a runtime environment. It allows programmers to
easily create, test, run, and deploy web applications. We can purchase these applications
from a cloud service provider on a pay-as-per use basis and access them using the Internet
connection. In PaaS, back end scalability is managed by the cloud service provider, so end-
users do not need to worry about managing the infrastructure.

PaaS includes infrastructure (servers, storage, and networking) and platform (middleware,
development tools, database management systems, business intelligence, and more) to
support the web application life cycle.

a) Key activities of PaaS include

Application development: PaaS offers a range of development tools and frameworks to
create web and mobile applications.

Deployment and scaling: PaaS platforms handle the deployment and scaling of applications
automatically, providing an efficient and scalable infrastructure.

Database management: PaaS often includes managed database services, allowing
developers to store and retrieve data easily.

Collaboration: PaaS facilitates collaboration among development teams by providing shared
development environments and version control systems.

b) Examples of PaaS providers

Google App Engine: A fully managed serverless platform for developing and hosting web
applications.

Microsoft Azure App Service: A PaaS offering that enables developers to build and deploy
web, mobile, and API applications.

Heroku: A cloud platform that allows developers to build, deploy, and manage applications
easily.

Salesforce App Cloud: A platform that provides tools for building and deploying enterprise
cloud applications.

IBM Cloud Foundry: An open-source PaaS that allows developers to deploy and scale
applications across multiple cloud providers.

Oracle Cloud Platform: It provides a set of services for developing, deploying, and managing
applications in the cloud. It includes Oracle Cloud Application Container Service and Oracle
Cloud Developer Services, offering tools for building, testing, and deploying applications.

c) PAAS providers

PaaS providers provide the Programming languages, Application frameworks, Databases,
and Other tools

(i) Programming languages

PaaS providers provide various programming languages for the developers to develop the
applications. Some popular programming languages provided by PaaS providers are Java,
PHP, Ruby, Perl, and Go.

(ii) Application frameworks

PaaS providers provide application frameworks to easily understand the application
development. Some popular application frameworks provided by PaaS providers are
Node.js, Drupal, Joomla, WordPress, Spring, Play, Rack, and Zend.

(iii) Databases

PaaS providers provide various databases such as ClearDB, PostgreSQL, MongoDB, and Redis
to communicate with the applications.

(iv) Other tools

PaaS providers provide various other tools that are required to develop, test, and deploy the
applications.

Advantages of PaaS

• Simplified Development
• Lower risk
• Prebuilt business functionality
• Instant community
• Scalability

Disadvantages of PaaS

a) Vendor lock-in

• One has to write the applications according to the platform provided by the PaaS
vendor, so the migration of an application to another PaaS vendor would be a
problem.

b) Integration with the rest of the systems applications

• It may happen that some applications are local, and some are in the cloud. So there
will be chances of increased complexity when we want to use data which is in the
cloud with the local data.

6.6.2 Infrastructure as a Service (IaaS)

IaaS is also known as Hardware as a Service (HaaS). It is one of the layers of the cloud
computing platform. It allows customers to outsource their IT infrastructures such as
servers, networking, processing, storage, virtual machines, and other resources. Customers
access these resources on the Internet using a pay-as-per use model.

IaaS offers virtualised computing resources over the internet, including virtual machines,
storage, and networking capabilities. It provides users with the flexibility to create and
manage their own virtualised infrastructure without the need to invest in physical hardware.

The significance of IaaS lies in its scalability, cost-efficiency, and resource management
capabilities. Users can rapidly provision and scale resources based on their requirements,
paying only for their consumed resources. IaaS enables businesses to avoid upfront
infrastructure costs, easily handle spikes in demand, and have greater control over their
infrastructure configuration.

a) Key activities of IaaS

Virtual machine management: IaaS allows users to create, manage, and control virtual
machines as needed, providing flexibility and scalability.

Storage and backup: IaaS provides scalable storage solutions, allowing users to store and
retrieve data efficiently. It may also include backup and disaster recovery options.

Network management: IaaS offers networking capabilities, such as load balancing, firewalls,
and virtual private networks (VPNs).

Server management: Users have control over the operating systems, applications, and
configurations of virtual machines.

Billing and Cost Management: IaaS services are typically billed on a pay-as-you-go
basis, allowing users to pay only for the resources they use. Some providers offer flexible
pricing models and reserved instances for cost optimization.

b) Examples of IaaS providers

Amazon Web Services (AWS): A comprehensive cloud platform offering a wide range of
computing, storage, and networking services.

Microsoft Azure: A cloud computing platform that provides virtual machines, storage, and
networking capabilities.

Google Cloud Platform: A suite of cloud computing services, including virtual machines,
storage, and data analytics.

Digital Ocean: A cloud infrastructure provider that offers scalable virtual machines and
storage options.

Oracle Cloud Infrastructure: A cloud platform that provides infrastructure services such as
computing, storage, and networking.

VMware Cloud on AWS: Combines the capabilities of VMware's Software-Defined Data
Center (SDDC) with AWS's cloud infrastructure.

c) Advantages of IaaS

• Shared infrastructure
• Web access to the resources
• Pay-as-per use model
• Focus on the core business
• On-demand Scalability

d) Disadvantages of IaaS

Security

Security is one of the biggest issues in IaaS. Most of the IaaS providers are not able to
provide 100% security.

Maintenance & Upgrade

Although IaaS service providers maintain the software, they do not upgrade the
software for some organizations.

Interoperability issues

It is difficult to migrate a VM from one IaaS provider to another, so the customers might face
problems related to vendor lock-in.

6.6.3 Software as a Service (SaaS)

SaaS is also known as "On-Demand Software". It is a software distribution model in which
services are hosted by a cloud service provider. These services are available to end-users
over the internet, so the end-users do not need to install any software on their devices to
access these services.

SaaS delivers software applications over the internet on a subscription basis, eliminating the
need for users to install, maintain, and update the software locally. SaaS applications are
centrally hosted and managed by the service provider.

The importance of SaaS lies in its accessibility, ease of use, and cost-effectiveness. Using
various devices, users can access SaaS applications from anywhere with an internet
connection. SaaS eliminates the need for software installation and maintenance, reducing
upfront costs and IT overhead. It also ensures that users always have access to the latest
version of the software, as the provider applies updates and patches centrally.

a) Key activities of SaaS

Application access: SaaS allows users to access and use software applications hosted in the
cloud from any device with an internet connection.

Application management: The provider handles application maintenance, updates, and
security, relieving users of the responsibility for software management.

User management: SaaS platforms typically include user authentication, access control, and
user administration features.

Data storage and retrieval: SaaS providers manage the storage and retrieval of user data,
often offering data backup and recovery options.

b) Examples of SaaS Providers

Salesforce: A cloud-based CRM (Customer Relationship Management) platform that helps
businesses manage customer interactions and sales processes.

Google Workspace (formerly G Suite): A suite of productivity and collaboration tools,
including Gmail, Google Drive, Docs, Sheets, and more.

Microsoft Office 365: A suite of productivity applications, including Word, Excel,
PowerPoint, and Outlook, delivered as a cloud-based service.

Dropbox: A cloud storage and file synchronisation service that allows users to store and
share files.

Slack: A team collaboration and communication platform that provides channels,
messaging, and integrations with other tools.

c) Advantages of SaaS

Less hardware required

The software is hosted remotely, so organizations do not need to invest in additional
hardware.

Low maintenance required for SaaS

Software as a service removes the need for installation, set-up, and daily maintenance for
the organizations. The initial set-up cost for SaaS is typically less than the enterprise
software.

SaaS is easy to buy

SaaS pricing is based on a monthly fee or annual fee subscription, so it allows organizations
to access business functionality at a low cost, which is less than licensed applications.

One to many

SaaS services are offered as a one-to-many model, meaning a single instance of the application
is shared by multiple users.

d) Disadvantages of SaaS

Security

Actually, data is stored in the cloud, so security may be an issue for some users. However,
cloud computing is not more secure than in-house deployment.

Latency issue

Since data and applications are stored in the cloud at a variable distance from the end-user,
there is a possibility that there may be greater latency when interacting with the application
compared to local deployment. Therefore, the SaaS model is not suitable for applications
that demand response times in milliseconds.

Total Dependency on Internet

Without an internet connection, most SaaS applications are not usable.

Switching between SaaS vendors is difficult

Switching SaaS vendors involves the difficult and slow task of transferring very large data
files over the internet and then converting and importing them into another SaaS.

6.7 Activities/ Case studies/ Important facts related to the session

• Access Control: Implementing proper access controls is crucial to prevent unauthorised
access to cloud resources. This involves employing strong authentication mechanisms, such
as multi-factor authentication (MFA), and enforcing role-based access control (RBAC) to limit
privileges based on user roles and responsibilities.

• Data Encryption: Encrypting data both in transit and at rest is essential for maintaining data
confidentiality. Encryption ensures that even if unauthorised individuals gain access to the
data, they cannot decipher it without the encryption keys.

• Identity and Access Management (IAM): Implementing robust IAM practices helps manage
user identities, control access permissions, and enforce security policies. This involves
creating and managing user accounts, defining roles and permissions, and regularly
reviewing and revoking access as needed.

• Vulnerability Management: Regularly scanning cloud infrastructure and applications for
vulnerabilities is critical to identify potential weaknesses. This includes using vulnerability
assessment tools and services to detect and remediate vulnerabilities promptly, minimizing
the risk of exploitation.

• Threat
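
The Access Control and IAM activities above (RBAC, MFA for sensitive actions, regular review and revocation) can be seen working together in the following added example, which is not part of the original course material. The role names, action names, 90-day idle threshold and sample users are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Constructed role model (assumption): role name -> permitted actions.
ROLE_PERMISSIONS = {
    "viewer": {"storage:read"},
    "developer": {"storage:read", "storage:write", "app:deploy"},
    "admin": {"storage:read", "storage:write", "app:deploy", "iam:manage"},
}
# Sensitive actions that also require a completed MFA challenge.
MFA_REQUIRED = {"app:deploy", "iam:manage"}


@dataclass
class User:
    name: str
    roles: set
    last_login: date
    active: bool = True


def authorize(user, action, mfa_verified):
    """Deny-by-default RBAC decision; returns (allowed, reason)."""
    if not user.active:
        return False, "account revoked"
    granted = set()
    for role in user.roles:
        granted |= ROLE_PERMISSIONS.get(role, set())  # unknown roles grant nothing
    if action not in granted:
        return False, "no role grants this action"
    if action in MFA_REQUIRED and not mfa_verified:
        return False, "MFA required"
    return True, "ok"


def access_review(users, today, max_idle_days=90):
    """Periodic review: flag idle accounts and roles missing from the model."""
    findings = []
    for user in users:
        if not user.active:
            continue
        if (today - user.last_login).days > max_idle_days:
            findings.append((user.name, "idle account"))
        for role in sorted(user.roles - set(ROLE_PERMISSIONS)):
            findings.append((user.name, "unknown role: " + role))
    return findings


def revoke(user):
    """Revocation removes every grant and disables the account."""
    user.roles = set()
    user.active = False


# Constructed sample identities, not taken from any real tenant.
TODAY = date(2024, 6, 1)
ALICE = User("alice", {"developer"}, date(2024, 5, 30))
BOB = User("bob", {"admin"}, date(2024, 1, 2))
CAROL = User("carol", {"viewer", "legacy-ops"}, date(2024, 5, 1))

if __name__ == "__main__":
    print(authorize(ALICE, "app:deploy", mfa_verified=False))
    for name, finding in access_review([ALICE, BOB, CAROL], TODAY):
        print(name, finding)
    revoke(BOB)
    print(authorize(BOB, "storage:read", mfa_verified=True))
```

The idle administrator is the finding that matters most in the review: once revoked, the account is denied even with a valid MFA session.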

6.8 Examples and contemporary extracts of articles or practices to convey the idea of the session:

Examples of cloud computing capabilities and diversity include the following:

• Google Docs, Microsoft 365. Users can access Google Docs and Microsoft 365 through the
internet. ...

• Email, Calendar, Skype, WhatsApp. ...

• Zoom. ...

• AWS Lambda.

6.9 Table Numbering

NA

6.10 Figures with captions:

NA

6.11 Self-Assessment Questions:

1. Which of the following service providers provides the least amount of built-in security?
a) SaaS
b) PaaS
c) IaaS
d) All of the mentioned

2. Point out the correct statement.
a) Different types of cloud computing service models provide different levels of security services
b) Adapting your on-premises systems to a cloud model requires that you determine what security
mechanisms are required and mapping those to controls that exist in your chosen cloud service
provider
c) Data should be transferred and stored in an encrypted format for security purpose
d) All of the mentioned

3. Which of the following services need to be negotiated in Service Level Agreements?

a) Logging
b) Auditing
c) Regulatory compliance
d) All of the mentioned

4. SaaS providers manage and secure all the following except:

a) Infrastructure

b) OS

c) Application stack

d) Access controls

5. Which data may not be suitable for public clouds?

a) Legacy application data

b) Mission-critical workloads

c) Sensitive data

d) All of the above

6. Which of the following is a type of cloud computing service?

a) Service-as-a-Software (SaaS)
b) Software-and-a-Server (SaaS)
c) Software-as-a-Service (SaaS)
d) Software-as-a-Server (SaaS)

7. Which of the following is the most refined and restrictive cloud service model?
a) PaaS
b) IaaS
c) SaaS
d) CaaS

8. In which environment do admins have the most control over cloud app security?

a) PaaS

b) SaaS

c) IaaS

d) SECaaS

9. Simple Cloud, jclouds and Libcloud are all examples of:

a) Vendor-specific cloud APIs

b) Cross-platform APIs

c) IaaS APIs

d) Apache APIs

10. When is centralized cloud application monitoring most useful?

a) When applications must span hybrid architectures

b) When applications are hosted solely in the cloud

c) When an organization's applications are all on premises

d) When an organization uses a single cloud application

6.12 Summary

Cloud security is a collection of procedures and technology designed to address external and internal
threats to business security. Organisations need cloud security as they move toward their digital
transformation strategy and incorporate cloud-based tools and services as part of their
infrastructure.

6.13 Terminal Questions:

1. Explain PAAS in detail

2. Explain SAAS in detail

3. Explain IAAS in detail

6.14 Case Study: NA

6.15 Answer Key:

Answer 1: c
Answer 2: d
Answer 3: d
Answer 4: d
Answer 5: d
Answer 6: c
Answer 7: c
Answer 8: a
Answer 9: b
Answer 10: a

6.16 Glossary:

Cloud security, also known as cloud computing security, is a collection of security measures designed
to protect cloud-based infrastructure, applications, and data. These measures ensure user and device
authentication, data and resource access control, and data privacy protection.

6.18 Keywords:

IaaS (Infrastructure-as-a-Service), PaaS (Platform-as-a-Service) and SaaS (Software-as-a-Service).
