CLOUD SECURITY Nithin Raj Rahul N

Cloud Computing Security


Cloud Computing

• Internet-based computing that provides shared processing resources and data to computers and other devices on demand.
• Provides users and enterprises with various capabilities to store and process their data in third-party data centers.
• The availability of high-capacity networks, low-cost computers and storage devices, and hardware virtualization has led to growth in cloud computing.
• Advantages are high computing power, low cost of services, high performance, scalability, accessibility and availability.


Service Models

• Infrastructure as a service (IaaS)
• Platform as a service (PaaS)
• Software as a service (SaaS)


Deployment models

• Private cloud
• Public cloud
• Hybrid cloud


Cloud Security

• It refers to a broad set of policies, technologies, and controls deployed to protect data, applications, and the associated infrastructure of cloud computing.
• Security issues fall into two categories: security issues faced by cloud providers and security issues faced by their customers.


Cloud Computing Threats

• Loss of governance: In a public cloud deployment, customers cede control to the cloud provider over a number of issues that may affect security.
• Responsibility ambiguity: Responsibility over aspects of security may be split between the provider and the customer.
• Authentication and Authorization: Accessing cloud resources from anywhere heightens the need for better authentication.
• Isolation failure: It covers the failure of mechanisms separating the usage of storage, memory, routing and even reputation between tenants.


• Compliance and legal risks: The cloud customer’s interest may be lost if the cloud provider cannot provide evidence of their own compliance with the relevant requirements.
• Handling of security incidents: If detection, reporting and subsequent management of security breaches is not done, it may have an impact on the customer.
• Data protection: Exposure or release of sensitive data as well as the loss or unavailability of data.
• Business failure of the provider: Leads to unavailability of the customer's data and applications over an extended period.
• Service unavailability: This could be caused by hardware, software or communication network failures.
• Insecure or incomplete data deletion: The termination of a contract with a provider may not result in deletion of the customer’s data.


Cloud Computing Security

• Ensure effective governance, risk and compliance processes exist
  • Verify that the agreement between the customer and the provider, along with associated documents, contains all their requirements (i.e., applications and data hosted are secured).
  • Cloud service providers should notify customers about the occurrence of any breach of their system, regardless of the parties or data directly impacted.
  • Servers hosting customer data may be located in multiple data centers within different jurisdictions. This influences the protection of personally identifiable information (PII) and legal and jurisdictional authority access to this data.


• Audit operational & business processes
  • Customers should expect to see a report of the cloud provider's operations by independent auditors.
  • Auditors may be employed by the customer or by the provider, but the key element is that they should be independent.
  • Audits should be carried out by appropriately skilled staff, typically belonging to an independent auditing organization.

• Manage people, roles and identities
  • Two sets of people: employees of the provider, who have access to the customer’s data and applications, and employees of the customer, who perform operations on the provider’s systems.
  • Cloud providers must allow the customer to assign and manage the roles and associated levels of authorization for each of their users in accordance with their security policies.


• Ensure proper protection of data and information
  • Data Confidentiality: Outsourced data is stored in a cloud and out of the owners' direct control. Only authorized users can access the sensitive data while others.
  • Data Access Controllability: Legal users can be authorized by the owner to access the data, while others cannot access it without permissions.
  • Data Integrity: Data should not be illegally tampered with, improperly modified, deliberately deleted, or maliciously fabricated. If so, the owner should be able to detect the corruption or loss.

• Ensure cloud networks and connections are secure
  • Provide tools to protect clients from one another, such as VPN, firewall, hypervisor.
  • Monitor for intrusion attempts using activity auditing and logging.
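
The Data Integrity point above says the owner should be able to detect corruption or loss of outsourced data. As an added example (not part of the original slides), one way to do that is a keyed manifest that stays with the owner; the function names, object names and key below are constructed for illustration.

```python
import hashlib
import hmac

def tag(key: bytes, name: str, data: bytes) -> str:
    """HMAC-SHA256 over (name, data); the length prefix keeps the encoding unambiguous."""
    encoded = name.encode("utf-8")
    msg = len(encoded).to_bytes(4, "big") + encoded + data
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def build_manifest(key: bytes, objects: dict) -> dict:
    """Computed by the owner before upload; the manifest and key never leave the owner."""
    return {name: tag(key, name, data) for name, data in objects.items()}

def audit(key: bytes, manifest: dict, returned: dict) -> dict:
    """Compare what the provider returns against the owner's manifest."""
    findings = {}
    for name, expected in manifest.items():
        if name not in returned:
            findings[name] = "missing"        # deliberately deleted or lost
        elif not hmac.compare_digest(expected, tag(key, name, returned[name])):
            findings[name] = "modified"       # tampered or improperly modified
    for name in returned:
        if name not in manifest:
            findings[name] = "fabricated"     # object the owner never stored
    return findings

# Constructed sample data (hypothetical names and contents).
KEY = b"demo-key-use-secrets.token_bytes(32)-in-practice"
ORIGINAL = {
    "hr/payroll.csv": b"alice,5000\nbob,4200\n",
    "docs/contract.txt": b"Term: 12 months\n",
    "docs/draft.txt": b"Term: 1 month\n",
    "logs/app.log": b"service started\n",
}
MANIFEST = build_manifest(KEY, ORIGINAL)

# What the provider hands back later: one edit, one swap, one deletion, one extra.
RETURNED = {
    "hr/payroll.csv": b"alice,5000\nbob,9900\n",
    "docs/contract.txt": ORIGINAL["docs/draft.txt"],  # valid content, wrong name
    "docs/draft.txt": ORIGINAL["docs/draft.txt"],
    "invoices/2020.pdf": b"%PDF-constructed",
}

if __name__ == "__main__":
    for name, status in sorted(audit(KEY, MANIFEST, RETURNED).items()):
        print(f"{status:10} {name}")
```

Because the object name is part of the MAC input, content that is valid under one name is reported as modified when it is served under another.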


• Understand the security requirements of the exit process
  • The provider must ensure that any copies of the data are permanently erased from its environment, wherever they may have been stored.
  • The exit process must allow the customer to retrieve their data in a suitably secure form; backups must be retained for agreed periods before being eliminated.


Thank You