UNIT 1
Introduction to Virtualization
What is virtualization?
1. Virtualization is like creating virtual versions of physical things, like computers or
networks, using software.
2. For example, imagine you have a powerful computer, and with virtualization software,
you can split YOUR COMPUTER into MULTIPLE "VIRTUAL" COMPUTERS.
3. Each of these virtual computers acts like a real one, with its own operating system and
applications, but they all share the resources of the main computer.
4. This is really handy for businesses because it saves space and costs.
Server Virtualization:
• Think of a big server as a pizza.
• With server virtualization, instead of making one pizza, you can make
several smaller pizzas using the same ingredients.
• Each of these smaller pizzas is like a virtual machine, and they all look and
behave like the same big pizza (the big server).
MAIN NOTE REGARDING VIRTUALIZATION
These virtual resources or VMs can then be used to run
multiple operating systems or applications independently of
one another.
Desktop Virtualization:
• Instead of running an operating system (OS) and applications directly
on your physical computer, they run in a virtual machine.
• A Virtual Machine is like a software-based computer within your
physical computer.
• Cost Savings
• Scalability
Network Virtualization:
• Network virtualization is a technology that creates multiple virtual networks on
a single physical network.
• This allows different networks to share the same physical infrastructure while
operating independently from one another.
Difference in virtualization
Virtualization and cloud computing are closely related technologies, but they are not the
same.
1. Normal Virtualization
Definition: Virtualization refers to the creation of virtual versions of physical components,
such as servers, storage devices, networks, and even entire operating systems. This is
typically done on a single physical hardware platform.
2. Virtualization in Cloud Computing
Virtualization is a foundational technology for cloud computing. It allows cloud providers
to create virtual versions of physical resources like servers, storage, and networks, and
then offer them as services over the internet.
Business Benefits of virtualization:
1. Redundancy and instant failover abilities: Virtualization keeps things
running smoothly by switching to backup servers instantly. If one fails, there
are others which will work instead.
2. Smooth migration of resources: Virtualization makes it easy to switch from
physical to virtual infrastructure as you need.
3. Virtual firewalls and security: Virtual security tools protect against online
threats, keeping your data safe from cyberattacks.
4. Improved IT support: It is easier to help customers when
they have tech issues.
5. Reduced costs and a greener environment:
Virtualization helps businesses save money by using fewer resources and less
energy, which is good for both their budget and the environment.
EASE OF DATA TRANSFER: When you store data on virtual devices, they
are part of a virtual environment.
• This environment is managed by software that can easily move data
from one virtual device to another virtual device.
• Software like VMware or Hyper-V creates virtual machines (VMs)
and virtual storage.
DEVELOPMENT & TESTING: Developers can easily create virtual machines
for testing without affecting the main system.
• They can create a virtual machine, test new software on it, and then
apply it to the main system.
• This makes developing new applications faster and safer.
Sustainability: Eco-Friendly: Virtualization reduces the
number of physical servers and power usage.
Top virtualization risks
1. External attacks: If attackers gain host-level access, this
opens doors for them to access other important VMs, or even
create a user account with admin rights that could be used
over a long period of time to collect or destroy sensitive
company data.
The host runs virtualization software (like VMware vSphere,
Microsoft Hyper-V, or KVM).
2. Keeping snapshots on VMs: Snapshots are temporary copies of
VMs. If they’re kept too long, hackers or insiders can steal data
from these snapshots.
A snapshot captures the state of the VM, including its memory, data, and
settings.
SNAPSHOTS NEED TO BE DELETED AND NOT KEPT FOR TOO LONG.
3. Sharing Files & Copy-Pasting Between VM and Host: By
default, file sharing between VM and host is disabled/restricted.
1. It is turned off for security.
2. If turned on, a hacker with access to the HOST LEVEL
could move sensitive data to a virtual machine.
3. It creates a way for attackers to steal data or infect the
system with malware from host to VM.
4. VM SPRAWL (TOO MANY VIRTUAL MACHINES):
1. Developers and IT admins often create many VMs for testing but
forget to delete them after the test is over. These VMs pile up and
can be hard to keep track of.
2. VMs can be created so easily that IT teams have a tough challenge
to track how many there are.
3. Unused VMs can be left unpatched and unprotected, making them
easy targets for hackers.
4. VM Sprawl refers to uncontrolled and unmanaged virtual
machines.
5. Viruses, ransomware and other malware:
Basic Concept
• Viruses: These are harmful programs that infect your computer
and can spread to other computers. They can damage files, steal
information, or cause your computer to behave strangely.
• Ransomware: This is a type of malware that locks your computer
or encrypts your files, making them unusable. The attackers then
demand payment (a ransom) to unlock or decrypt them.
• Malware: This is a broad term for any malicious software designed
to harm your computer or steal your information.
Why are VMs Vulnerable?
Just like regular computers, virtual machines (VMs) can also get
infected by viruses, ransomware, or other malware.
Ransomware Example: For instance, if ransomware like
CryptoLocker infects a VM, it can lock all the files inside, making
them inaccessible until a ransom is paid.
Best Practices for Keeping Your Virtual
Environment Safe:
1. Secure all the parts of the infrastructure: Just like you lock the doors
and windows to keep your house safe, you need to protect all parts of
your computer setup.
• This includes the physical stuff like the main computers, network
equipment, and storage, as well as the virtual parts like the virtual
machines.
2. Keep everything up to date with the latest improvements, like
updating the apps on your phone.
3. Have a strong backup and disaster recovery (DR) plan:
A proper backup and DR plan is essential for ensuring business
continuity. Whether you suffer a malware attack or any other threat, YOU
MUST HAVE A DR PLAN.
Here are two important tips to keep in mind as you
create your DR plan:
1. Back up VMs and physical servers
2. Use the 3-2-1 backup rule: create and keep at least 3
copies of your data,
store 2 backup copies on different storage media,
with 1 of them located off site.
IMPORTANT NOTE:
A hypervisor is specialized software that creates and
manages virtual machines (VMs) on a physical computer.
Think of it as a manager or boss that handles multiple
virtual computers running on a single physical machine.
The hypervisor represents a single point of
failure when it comes to the security and
protection of sensitive information.
Hyperjacking
• Hyperjacking is like a sneaky hacker move.
• They try to take control of the boss of all the virtual computers (the
hypervisor) inside a big computer.
Why? So they can secretly mess with the main computer.
• The hypervisor is a critical part of the system. If it's compromised, the
entire server system can be affected.
How They Do It: Malicious Hypervisor: The hacker installs a fake,
malicious hypervisor that looks just like the real one.
• It overrides the actual real hypervisor.
• Stealth Mode: This malicious hypervisor operates in stealth mode,
meaning it hides itself so well that the virtual machines (and even
the operating system) don’t know it's there.
Why is Hyperjacking Dangerous?
1. Undetected Control: Since the virtual machines don’t realize
they’re being watched or controlled, the hacker can do all sorts of
bad things without being detected.
2. Single Point of Failure:
Direct Access: The hypervisor has direct control over the hardware
resources of the host machine. It allocates these resources to VMs,
effectively controlling how each VM operates.
For a hyperjacking attack to succeed, an attacker would have
to take control of the hypervisor by the following methods:
• Injecting a rogue hypervisor beneath the original hypervisor
• Directly obtaining control of the original hypervisor
• Running a rogue hypervisor on top of an existing hypervisor
Here are simple ways to protect against
hyperjacking:
1. Security Management of the Hypervisor must be Kept Separate from
Regular Traffic
Set up a separate network or environment for managing the hypervisor's
security, away from the network used by regular users and virtual machines.
By isolating the security management tools, you reduce the risk of
unauthorized access from regular network traffic.
2. Guest Operating Systems Should Never Have Access to the Hypervisor:
Guest operating systems should be restricted from accessing or interacting
with the hypervisor directly.
This separation ensures that any vulnerabilities or malicious activities within
a guest OS cannot impact the hypervisor, maintaining the overall security.
3. Management Tools Should Not be Installed or Used from Guest OS:
The tools and applications used to manage the hypervisor should not
be installed on or accessed from the guest operating systems. We
should avoid this.
4. Regularly Patching the Hypervisor:
Just like any other software, hypervisors can have vulnerabilities that
need fixing.
We must regularly update and patch the hypervisor.
Keeping the hypervisor up to date is crucial for maintaining a secure
virtual environment.
Various hyperjacking attacks in virtualization
SUBVIRT ATTACK: Implementing malware with virtual machines
1. In the world of computers, some people try to take control of systems
for different reasons.
2. Attackers and defenders of computer systems both want to have full
control over a system.
3. They do this by getting deep into the computer's operating system.
4. There is a new kind of harmful software called a "HYPERVIRUS."
5. This hypervirus is designed to give attackers even more control over a
computer.
Here's how it works:
1. It installs a special program called a "virtual-machine monitor" (Rogue
Hypervisor) under the regular operating system.
2. This "virtual-machine monitor" essentially turns the regular operating
system into a virtual machine.
3. This idea is troublesome because it's very hard to detect and remove these
Hyperviruses.
4. Even the regular software running on the computer can't see what's
happening with the hypervirus.
5. Hyperviruses also let attackers run harmful programs in a separate,
protected area that the main computer system can't touch.
BLUE PILL ATTACK (SOFTWARE):
1. Blue Pill is a special kind of computer software, often
called a "rootkit," that's designed to be very sneaky and
hard to detect.
2. It does some clever things with your computer's inner
workings, specifically using a technology called
virtualization.
Here's a breakdown of the key points:
1. Rootkit: A rootkit is a type of software that hides itself on your computer and
gives an attacker secret control over your computer. It's like a hidden backdoor
into your computer.
2. Virtualization: Virtualization is a technology that allows one computer to act like
it's actually many computers. It's often used in data centers to make better use of
computer servers.
3. AMD-V and Intel VT-x: These are technologies built into certain computer
processors that help with virtualization. Blue Pill can use either of them.
4. Joanna Rutkowska: This person is a computer security expert who came up with
the idea and made an example of how Blue Pill could work.
5. Red Pill and Blue Pill Reference: The names "Red Pill" and "Blue Pill" come from
the movie "The Matrix." In the movie, taking the "red pill" means seeing the
truth, while the "blue pill" means staying in a false reality. In the context of Blue
Pill software, it helps hide things on your computer so you don't see the truth.
Compliance and management challenges in
cloud virtualization
1. PERFORMANCE MONITORING: Unlike physical servers,
monitoring the performance of the virtual servers requires a
different approach. In a virtual infrastructure, the VMs share
the common hardware resources such as CPU, memory, and
storage.
When a computer has lots of virtual machines (VMs), they all
share the same resources like the CPU and memory. To make sure
everything runs smoothly, we need to keep an eye on different
things than we do for a regular computer. We use special
numbers, like "CPU ready," "memory ready," "memory balloon,"
and "swapped memory," to check if each VM is getting enough
(resources).
2. SECURITY – In virtualized systems, the boss in charge of security is
called the "hypervisor." If something bad happens to the HYPERVISOR,
then all the secret or confidential stuff on the computer is in danger.
This is "hyper-jacking." Bad people can secretly put their own security
guard (rogue hypervisor) in charge, and your computer won't realize
it's been compromised.
3. MANAGING VM SPRAWL: Virtualization can create too many virtual
machines (VMs) that aren't used efficiently. This is called "VM sprawl."
To stop it, we need to watch and adjust the VMs so they use resources
just right, like making sure we have the right number of toys in a box and
not too many. This helps us save resources.
4. ATTACKS ON VIRTUALIZATION FEATURES: In virtualization, there are
many cool things we can do, like moving virtual machines (VMs) from
one computer to another (VM migration) and creating networks
between them (virtual networking). These features help make
computing more flexible and efficient.
But, if we're not careful when using these features, attackers can take
advantage of them.
In this case, if VM migration is not done securely, it can expose
everything inside a virtual machine.
5. COMPLIANCE AND MANAGEMENT CHALLENGES: Some VMs are just
sitting there, not used, which makes it tricky to know if everything is
working as it should. Also, managing and keeping everything secure is
hard because there are so many VMs. So, managing and keeping things
organized with virtualization can be a bit of a challenge.
VM sprawl
1. Virtualization sprawl is a phenomenon that occurs when the number of virtual machines
(VMs) on a network reaches a point where administrators can no longer manage them
effectively or properly.
2. Virtualization sprawl is also referred to as virtual machine sprawl, VM sprawl or virtual
server sprawl.
3. VM sprawl just means too Many Virtual Machines.
4. VM Sprawl is often caused by developers or IT admins creating VMs for testing purposes
but failing to delete them once the testing period is over.
5. In fact, VMs can be created so easily that IT teams have a tough challenge to track how
many there are, and when and where they are deployed or used.
6. As a result, these VMs are often left unpatched and unprotected.
7. In addition to being vulnerable, they also consume valuable hardware and other
resources.
8. VM sprawl has become a common challenge for many organizations, and the more they
rely on virtualization, the more likely they are to encounter this problem.
9. Because sprawl can occur gradually, IT teams might not be aware of it at first. By the
time they do realize it, the problem is often quite serious. Even when VM admins are
aware of the issue, they can still have a difficult time identifying and removing the
unwanted VMs.
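The audit below turns the sprawl and snapshot risks described in these notes into a repeatable check. It is an added example, not part of the original notes: the inventory is constructed sample data, and the age thresholds and the `audit` / `decommission_candidates` names are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Thresholds are assumptions for this example; set them from your own policy.
MAX_SNAPSHOT_AGE = timedelta(days=3)
MAX_IDLE = timedelta(days=30)
MAX_PATCH_AGE = timedelta(days=45)


@dataclass
class VM:
    name: str
    owner: str                      # empty string = nobody claims this VM
    last_powered_on: datetime
    last_patched: datetime
    snapshots: dict = field(default_factory=dict)   # snapshot name -> created


# Constructed inventory standing in for an export from the hypervisor manager.
NOW = datetime(2024, 6, 1)
INVENTORY = [
    VM("web-prod-01", "ops", datetime(2024, 5, 31), datetime(2024, 5, 20),
       {"pre-upgrade": datetime(2024, 5, 30)}),
    VM("test-build-17", "", datetime(2024, 2, 10), datetime(2024, 1, 15),
       {"before-test": datetime(2024, 2, 9)}),
    VM("db-prod-02", "dba", datetime(2024, 6, 1), datetime(2024, 3, 1)),
]


def audit(inventory, now):
    """Return (vm, finding, detail) tuples for sprawl and snapshot hygiene."""
    findings = []
    for vm in inventory:
        # Snapshots hold memory, data and settings, so old ones are a data-theft risk.
        for snap, created in vm.snapshots.items():
            age = now - created
            if age > MAX_SNAPSHOT_AGE:
                findings.append((vm.name, "stale-snapshot",
                                 f"{snap} is {age.days} days old"))
        idle = now - vm.last_powered_on
        if idle > MAX_IDLE:
            findings.append((vm.name, "idle",
                             f"not powered on for {idle.days} days"))
        if not vm.owner:
            findings.append((vm.name, "no-owner", "no owner recorded"))
        unpatched = now - vm.last_patched
        if unpatched > MAX_PATCH_AGE:
            findings.append((vm.name, "unpatched",
                             f"last patched {unpatched.days} days ago"))
    return findings


def decommission_candidates(findings):
    """VMs that are both idle and ownerless: the forgotten test machines."""
    by_vm = {}
    for vm, kind, _ in findings:
        by_vm.setdefault(vm, set()).add(kind)
    return sorted(vm for vm, kinds in by_vm.items()
                  if {"idle", "no-owner"} <= kinds)


if __name__ == "__main__":
    results = audit(INVENTORY, NOW)
    for vm, kind, detail in results:
        print(f"{vm:15} {kind:15} {detail}")
    print("decommission candidates:", decommission_candidates(results))
```

Note that `db-prod-02` is in active use and owned, yet still flagged as unpatched: sprawl is not the only way a VM ends up unprotected.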
virtual machine jumping
Virtual Machine Jumping (VM Jumping):
Imagine your computer is like a big building with
many rooms.
Each room is a virtual machine (VM).
Normally, each room is separate, and people can't just
go from one room to another without permission.
VM jumping is when attackers find a way to sneak
from one room (VM) to another, causing trouble.
How It Happens:
1. Exploiting Hypervisor Weakness:
The hypervisor is like the security guard managing all the rooms (VMs).
Sometimes, there might be a small security hole or weakness in the
hypervisor.
Attackers find this weakness, allowing them to move from one room to
another without permission.
2. Targeting Less Secure VMs:
Attackers often start with a VM that has weaker security, like an unlocked
room.
Once inside, they use this room to jump to other rooms (VMs) and even
reach the main control center (the host computer).
Preventing VM Jumping:
1. Keep Web and Database Traffic Apart:
If you have one VM handling internet traffic (web) and another VM storing
sensitive data (database), they shouldn't directly connect to each other.
Why It Matters: If an attacker compromises the web VM, they shouldn't be able
to directly reach the database VM and access sensitive information.
How to Do It: Configure your network so that the web VM cannot directly
communicate with the database VM. Use firewalls or network segmentation to
deny this access.
2. Using Private VLANs:
Private VLANs (Virtual Local Area Networks) create isolated network segments
for each VM.
Why It Matters: This isolation acts like an invisible fence, ensuring that VMs
can’t talk directly to each other.
How to Do It: Set up your network so that each VM is on a separate VLAN. They can
communicate with a common point (gateway) but not with each other directly.
3. Using Up-to-Date and Secure Operating Systems:
Make sure all VMs run the latest operating systems with
all security patches applied.
• Why It Matters: Older operating systems may have
known vulnerabilities that attackers can exploit. Newer
systems are more likely to have fixes and protections
against such vulnerabilities.
• How to Do It: Regularly update the operating systems
and software on your VMs.
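The check below models the web/database separation and the gateway-only rule from the prevention steps above as a first-match flow policy, and compares a flat network, a misordered rule set and a segmented one. It is an added example, not part of the original notes: the addresses, rule sets and function names are constructed assumptions.

```python
import ipaddress

# Constructed addressing plan (assumption): one subnet per tier plus a gateway.
WEB_NET = "10.0.10.0/24"
DB_NET = "10.0.20.0/24"
GATEWAY = "10.0.0.1/32"


def rule(action, src, dst):
    return (action, ipaddress.ip_network(src), ipaddress.ip_network(dst))


def decide(rules, src, dst):
    """First matching rule wins; anything unmatched is denied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in src_net and d in dst_net:
            return action
    return "deny"


# Weak: one flat network where every VM can reach every other VM.
FLAT = [rule("allow", "10.0.0.0/16", "10.0.0.0/16")]

# Looks fixed, but the broad allow is evaluated first, so the denies never fire.
MISORDERED = [
    rule("allow", "10.0.0.0/16", "10.0.0.0/16"),
    rule("deny", WEB_NET, DB_NET),
    rule("deny", DB_NET, WEB_NET),
]

# Corrected: explicit denies between tiers, gateway-only allows, default deny.
SEGMENTED = [
    rule("deny", WEB_NET, DB_NET),
    rule("deny", DB_NET, WEB_NET),
    rule("allow", WEB_NET, GATEWAY),
    rule("allow", DB_NET, GATEWAY),
]

# Flows that must never be allowed. The last one is VM-to-VM inside one tier,
# which a private VLAN enforces at the switch; here it is only modelled as policy.
FORBIDDEN = [
    ("10.0.10.5", "10.0.20.5"),   # web VM -> database VM
    ("10.0.20.5", "10.0.10.5"),   # database VM -> web VM
    ("10.0.10.5", "10.0.10.6"),   # web VM -> neighbouring web VM
]
# Flows that must keep working: every VM can still reach the common gateway.
REQUIRED = [("10.0.10.5", "10.0.0.1"), ("10.0.20.5", "10.0.0.1")]


def check(rules):
    """Report forbidden flows that are allowed and required flows that are blocked."""
    leaks = [f for f in FORBIDDEN if decide(rules, *f) == "allow"]
    broken = [f for f in REQUIRED if decide(rules, *f) != "allow"]
    return {"leaks": leaks, "broken": broken}


if __name__ == "__main__":
    for name, rules in [("flat", FLAT), ("misordered", MISORDERED),
                        ("segmented", SEGMENTED)]:
        print(name, check(rules))
```

Running the same check after every rule change catches the misordered case, where the deny rules exist but are never reached.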
Characteristics of cloud
1. On-Demand Self-Service: This means you can easily get more
computer stuff (like storage or servers) without talking to the computer
company. It's like ordering things online when you need them.
2. Broad Network Access: Access cloud services through networks like
the internet or local connections.
Cloud resources are made accessible via network connections, making
them available to a wide range of customer platforms.
3. Multi-Tenancy and Resource Pooling: Multiple users share the same
infrastructure while maintaining privacy and utilizing common
resources. This concept is like - people residing in an apartment
building, sharing the same building's infrastructure while maintaining
individual privacy within their apartments. The cloud works the same way.
4. Rapid Elasticity and Scalability: Cloud computing allows you to
easily adjust the amount of computer resources you use.
You can quickly get more when you need it or give some back when
you don’t need it.
This is handy for businesses to handle changing workloads
efficiently.
5. Measured Service: With cloud, you pay only for what you use, just
like how you pay for electricity. If you use more, you pay more. It
helps you keep track of your computer expenses easily.
UNIT 2
Introduction to Cloud Security
What is Cloud?
• The term Cloud refers to a Network or the Internet.
• In other words, we can say that the Cloud is something
that is present at a remote location.
• Cloud can provide services over public and private
networks, i.e., WAN, LAN or VPN.
What is Cloud Computing?
Cloud Computing refers to manipulating, configuring, and accessing
the hardware and software resources remotely.
It offers online data storage, infrastructure, and application.
Cloud computing offers platform independence, as the software is not
required to be installed locally on the PC. Hence, Cloud Computing
is USEFUL FOR BUSINESS.
History of Cloud Computing
The concept of Cloud Computing came into existence in the year 1950
with the implementation of mainframe computers; then, after 2000, Cloud
computing slowly started to rise.
Components of Cloud Computing
A cloud computing solution is made up of several elements:
clients, the datacenter, and distributed servers. These
components make up the three parts of a cloud computing
solution. Each element has a purpose and plays a specific role.
1. Client:
What are Clients?
Clients are the devices that users use to access and manage their
information stored in the cloud.
These devices can be:
1. Desktops: Regular computers that sit on your desk.
2. Laptops: Portable computers.
3. Tablets: Like iPads or other tablet computers.
4. Mobile Phones: Smartphones like iPhones or Android devices.
Why are Clients Important?
Clients are essential because they allow users to access cloud services from
anywhere, using the internet.
Categories of Clients:
1. Mobile Clients:
Examples: Smartphones and PDAs (Personal Digital Assistants).
iPhones, Android phones, and older devices like Blackberries.
2. Thin Clients:
These are computers that don’t have their own internal hard drives.
They rely on a server to do all the processing and then display the
information on their screen.
3. Thick Clients:
Regular desktop or laptop computers.
These devices have their own storage and processing power. Users typically
access the cloud using a web browser like Chrome, Firefox, or Safari.
Distributed Server
1. This refers to a setup where servers are spread out across
multiple locations.
2. These servers work together and share tasks.
3. Distributed servers can improve performance, as the workload is
shared across different servers, potentially in different
geographical areas.
Data Center
1. A data center is a centralized PLACE that houses numerous
servers and related equipment in one location.
2. It includes the physical space, power, cooling, and security
needed to operate and maintain servers efficiently.
Deployment Models of Cloud Computing
Deployment models describe how cloud services are provided
to users.
There are 3 main deployment models:
1. PUBLIC CLOUD
2. PRIVATE CLOUD
3. HYBRID CLOUD
1. Public Cloud:
Cloud resources (like servers and storage) are owned and operated by a
third-party cloud service provider and delivered over the internet.
Example: Amazon Web Services (AWS), Microsoft Azure, Google Cloud
It’s ideal for businesses and individuals who want to use cloud services
without having to manage or maintain the underlying infrastructure.
2. Private Cloud:
Private cloud services, like those provided by VMware and OpenStack, are
dedicated exclusively to one organization. For example, a company might
establish its private cloud infrastructure within its own data centers or use
a private cloud service from a provider like IBM Cloud.
3. Hybrid Cloud:
A combination of public and private clouds.
Example: A company using a private cloud for sensitive data and a
public cloud for less critical resources.
For instance, a company could use AWS (public cloud) for storing and processing
non-sensitive data while utilizing a private cloud from OpenStack for sensitive
customer information, combining public and private cloud services.
Cloud computing services
1. IaaS, PaaS, and SaaS are three main categories of cloud computing
services.
2. They stand for Infrastructure as a Service, Platform as a Service,
and Software as a Service.
3. Each offers different levels of control, flexibility, and management
to the user.
SAAS: SOFTWARE AS A SERVICE
1. Software as a Service (SaaS) is like renting a software
application that you use, but over the internet.
2. Instead of buying and installing software on your computer,
you access it through a web browser.
3. The company that provides the software takes care of hosting
it on their servers, maintaining it, and updating it.
4. You usually pay a subscription fee to use it.
5. For example, services like Google Docs, Netflix, and Dropbox
are all examples of SaaS.
6. ALL THE APPS STORE THEIR SERVICE ON THE SERVER.
PAAS - Platform as a Service
1. Platform as a Service (PaaS) is like a toolkit in the cloud that helps people build
and run apps.
2. How it works: Imagine you want to build a new app. Instead of setting up
everything on your own computer (like special software and servers), you use
a PaaS.
3. You access this through the internet using a web browser (GOOGLE, FIREFOX,
etc.).
What's included:
• Development Environment: A place online where you can write and test your
app.
• Tools: Things like code editors and testing tools are already set up for you.
• Standards: Guidelines and frameworks that help you build your app correctly.
• Distribution: Once your app is ready, PaaS helps you share it with users easily.
• Example: If you want to bake a cake but don’t have a kitchen or
ingredients, you go to a place where everything is provided – the
kitchen, the tools, the ingredients, and even a recipe. You just
focus on baking the cake.
• PaaS is like that place but for building apps.
Infrastructure as a Service (IaaS):
1. It is highly based on Virtualization Technology.
2. Instead of buying a physical computer, you can rent a virtual
one in the cloud.
3. Pick how powerful your virtual computer should be (how
much RAM, storage, etc.).
4. You only pay for the time you use the virtual computer, and
you can stop or change it whenever you want.
5. COST EFFECTIVE.
The Cloud Trust Protocol (CTP)
1. CTP helps people and businesses that use cloud services (cloud
consumers) get important information about the cloud services they
are using.
2. This information ensures that the cloud provider is doing everything
they claim to be doing correctly and securely.
3. Why It’s Important: Just like you want to trust that your bank is
keeping your money safe, cloud consumers want to trust that their
data and applications are safe and handled properly in the cloud. CTP
provides this trust by giving evidence-based information.
How Does CTP Work?
1. Transparency: CTP makes cloud services more transparent. This means
cloud users can see and understand how their data and services are being
managed and protected by the cloud provider.
2. Information Provided: Users can find out key information about:
• Compliance: Are the cloud services following all the necessary laws and
regulations?
• Security: How is the cloud provider protecting data from threats?
• Privacy: Is personal information kept private and secure?
• Integrity: Is the data being stored and handled correctly without
unauthorized changes?
Transparency in cloud security services
1. Transparency in cloud security means being clear and open
about how a cloud service provider (CSP) keeps your data
safe.
2. It means that the cloud service provider openly shows you
the steps they take to protect your data and applications.
3. They will show their security measures and practices.
Different categories of cloud security
transparency:
1. Performance Transparency: Knowing how well your cloud service is
working. It helps you trust that the service is fast and reliable.
2. Billing Transparency: Understanding how much you're paying and
why. Keeps your expenses clear so you know where your money is
going.
3. Configuration Transparency: Understanding how the cloud service is
set up.
4. Workload Transparency: Knowing how much the cloud can handle in
terms of tasks.
Various threats to cloud security
1. Data Breaches: Think of this like a break-in at your house where
someone sneaks in and steals your valuables. In cloud computing, a data
breach happens when unauthorized people access and steal sensitive
information stored in the cloud. This could be personal data, financial
records, or any confidential information, which they could misuse.
2. Data Loss: Imagine if you had a box of important documents and it suddenly
vanished. In the cloud, data loss refers to valuable information
disappearing, either by accident or due to malicious actions. This could
happen because of technical issues, human error, or cyberattacks, and
often there's no way to retrieve the lost data.
3. Account Hijacking: This is like someone stealing the keys to your house
and pretending to be you. In the cloud, account hijacking occurs when
someone unauthorized gains control of your cloud account. They can
then perform malicious activities, such as stealing data, or using your
account for illegal purposes.
4. Insecure APIs: Think of an API (Application Programming Interface) as a
bridge that allows different software programs to talk to each other. If
this bridge has weak spots, hackers can exploit these vulnerabilities to
access or manipulate data within the cloud system.
5. Denial of Service (DoS): Imagine a huge traffic jam that blocks the road,
preventing you and others from reaching your destination. A Denial of
Service (DoS) attack floods the cloud with excessive traffic, causing it to
slow down or crash completely. This makes it difficult or impossible for
legitimate users to access cloud services or websites.
6. Malicious Insiders: Malicious insiders are employees or trusted
individuals who intentionally cause harm to the cloud’s security. They
might leak confidential information, install malware, or manipulate data,
exploiting their access and knowledge of the system.
Cloud security threat mitigation strategies:
1. Data Breaches:
Safeguard sensitive data through encryption, making it unreadable to
unauthorized individuals.
Restrict access to sensitive information based on user roles and
permissions.
2. Data Loss:
Keep backups of critical data to recover in case of accidental
deletion or loss.
Encrypt data to protect it even if it falls into the wrong hands.
3. Account Hijacking: Multi-Factor Authentication (MFA): Require
additional verification steps beyond passwords for account access.
(two-factor authentication)
Train users to recognize and report suspicious activities to prevent
unauthorized account access.
4. Insecure APIs:
Conduct routine tests to identify and fix vulnerabilities in APIs.
Follow API security standards to minimize weaknesses.
5. Denial of Service (DoS): Traffic Filtering: Implement traffic filtering
mechanisms or tools to distinguish legitimate traffic from malicious traffic.
Examples: iptables, Cloudflare, pfSense.
6. Malicious Insiders:
Access Controls: Restrict employees' access based on
their roles and responsibilities.
Regularly monitor user activities to detect any
abnormal behavior.
Cloud security services: Authentication,
Authorization, Auditing and Accountability (AAAA).
1. Authentication: In the digital world, authentication is like entering a
username and password to access your accounts. It confirms that you
are who you say you are.
2. Authorization: Once you've proven your identity, authorization
comes into play. It's like having certain permissions based on your role
or status. User rights: what you can do after getting into a website or
system.
3. Auditing: Think of auditing as keeping a digital record of everything
that happens in the cloud.
It tracks who accessed the cloud, what actions they took, and when
they did it. It's similar to a digital security guard taking note of
everything.
4. Accountability: If something goes wrong or there's a question about
who did what, accountability helps trace it back to the responsible
person.
This is done by showing the audit trail document (an audit trail is a record of
events, activities, or changes that occur within a system or process).
Example Scenario
Authentication: Elwin logs into her company's cloud storage using
her username and password.
Authorization: Based on her role as a manager, she has access to
certain confidential files.
Auditing: Every action Elwin takes, such as opening, modifying, or
sharing files, is recorded in the audit trail.
Accountability: If a file is improperly shared, the audit trail can be
shown to identify that Elwin was responsible for the action.
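The Elwin scenario above as working code, added here as an illustration and not part of the original notes. The user table, roles, passwords and function names are constructed assumptions, and the hash-chained log goes slightly beyond the notes to show how an audit trail can be made tamper-evident.

```python
import hashlib
import hmac
import json

# Constructed demo data (assumption): roles and what each role may do.
ROLE_PERMISSIONS = {
    "manager": {"open", "modify", "share"},
    "intern": {"open"},
}


def _hash_password(password, salt):
    # Salted, slow password hash; only the hash is stored, never the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed users; fixed salts keep the example repeatable.
USERS = {
    "elwin": {"role": "manager", "salt": b"constructed-salt-1"},
    "sam": {"role": "intern", "salt": b"constructed-salt-2"},
}
USERS["elwin"]["pw_hash"] = _hash_password("correct horse", USERS["elwin"]["salt"])
USERS["sam"]["pw_hash"] = _hash_password("battery staple", USERS["sam"]["salt"])


class AuditTrail:
    """Append-only log; each record carries the digest of the one before it."""

    def __init__(self):
        self.records = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, ts, user, action, target, outcome):
        prev = self.records[-1]["digest"] if self.records else "0" * 64
        body = {"ts": ts, "user": user, "action": action,
                "target": target, "outcome": outcome, "prev": prev}
        self.records.append({**body, "digest": self._digest(body)})

    def verify(self):
        """False if any record was edited, removed or reordered."""
        prev = "0" * 64
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "digest"}
            if rec["prev"] != prev or self._digest(body) != rec["digest"]:
                return False
            prev = rec["digest"]
        return True

    def who(self, action, target):
        """Accountability: which users successfully did this to this file?"""
        return [r["user"] for r in self.records
                if r["action"] == action and r["target"] == target
                and r["outcome"] == "allowed"]


def authenticate(trail, ts, user, password):
    """Authentication: prove identity. Failed attempts are audited too."""
    entry = USERS.get(user)
    ok = entry is not None and hmac.compare_digest(
        entry["pw_hash"], _hash_password(password, entry["salt"]))
    trail.append(ts, user, "login", "-", "allowed" if ok else "denied")
    return ok


def perform(trail, ts, user, action, target):
    """Authorization: the role decides; every decision is written to the trail."""
    allowed = action in ROLE_PERMISSIONS.get(USERS[user]["role"], set())
    trail.append(ts, user, action, target, "allowed" if allowed else "denied")
    return allowed


if __name__ == "__main__":
    trail = AuditTrail()
    authenticate(trail, "2024-06-01T09:00:00Z", "elwin", "correct horse")
    perform(trail, "2024-06-01T09:05:00Z", "elwin", "share", "budget.xlsx")
    perform(trail, "2024-06-01T09:06:00Z", "sam", "share", "budget.xlsx")
    print("shared by:", trail.who("share", "budget.xlsx"))
    print("trail intact:", trail.verify())
```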
Penetration testing
1. Penetration testing, also called ethical hacking or pen testing,
is a method used by security experts to test how strong a
system, network, or application is against cyberattacks.
2. These experts pretend to be hackers and try to find
weaknesses that real hackers could exploit.
3. Tools like Whois and Nslookup gather information about the
target network, while password-cracking tools like Brutus and
WebCracker identify weak passwords.
EXTRA NOTE:
Testing Levels in pen testing:
1. Level I (High-level): This level checks the company's rules and
security practices without actually testing any systems.
2. Level II (Network Evaluation): At this level, testers actively
gather information and scan the network to see what they can
find.
3. Level III (Penetration Test): This is the most advanced level,
where testers act like hackers to try and find weaknesses in
the system, simulating real-world attacks.
SECaaS : Security as a Service.
1. SECaaS stands for Security as a Service.
2. Instead of buying and managing all the security tools and software
yourself, you hire a company to provide these services over the internet.
3. These tools are designed to protect an organization’s infrastructure,
data, and users from security threats.
Examples of security tools:
Next-Generation Firewalls (NGFW), Web Application Firewalls (WAF),
Intrusion Detection and Prevention Systems, Antivirus/Anti-Malware,
Multi-Factor Authentication, Email Security, Encryption Services
advantages and disadvantages:
Advantages of SECaaS:
1. Cost-Effective: You don't have to buy expensive security tools; you
pay for the services you need.
2. Expertise: Security experts from the SECaaS provider take care of
your security, bringing specialized tools and knowledge.
3. Scalability: It can grow with your needs. If you need more security,
you can easily get it without major changes.
4. Accessibility: You can access your security services from anywhere
with an internet connection.
Disadvantages of SECaaS:
1. Dependency: You rely on an external company for your security. If
they have issues, your security might be affected.
2. Limited Control: You have less control over the security tools because
they are managed by the service provider.
3. Privacy Concerns: Since your security data is with an external
company, there may be concerns about the privacy of your
information.
4. Internet Reliance: Your security is dependent on a stable internet
connection. If your connection is down, you might face security gaps.
secure cloud software testing
1. Secure cloud software testing involves
evaluating or examining cloud-based
applications and services to identify
vulnerabilities.
2. It's essential due to the sensitive data often
stored in the cloud.
Key Properties and Behaviours Checked:
1. Predictable and Secure Behaviour: Ensures the software behaves as
expected and securely under various conditions.
2. Vulnerability-Free: Identifies and addresses vulnerabilities and
weaknesses.
3. Error Handling: Verifies the software can maintain security even during
attacks or faults.
4. Code Obfuscation: Protects against reverse engineering by obscuring or
obfuscating the source code. (By obfuscating the code, developers make it
challenging for others to understand the program's internal workings.
Obfuscating means deliberately making something unclear or difficult to
understand.)
In programming, developers use code obfuscation to
scramble or hide the original code so that even if someone
tries to look at it, they can’t easily figure out how it works.
This makes it hard for others to steal the code, copy it, or
change it, protecting the software from being tampered with.
So, obfuscation is like turning clear instructions into a
confusing puzzle that only the developer can solve.
Types of testing in cloud:
1. White Box Testing: Testers have full access to the internal workings
of the software. They can see the source code, architecture, and
design documents.
2. Gray Box Testing: Testers have partial access to the internal
structure. They can see some parts of the source code but not
everything.
3. Black Box Testing: Testers have no knowledge of the internal
workings of the software. They interact with the software from an
external perspective, like a regular user. It's similar to using a
device without knowing how it's made.
Unit 3
CLOUD COMPUTING ARCHITECTURE
cloud delivery models
There are three main cloud service delivery
models:
• Infrastructure as a service (IaaS)
• Software as a service (SaaS)
• Platform as a service (PaaS)
cloud deployment models
What are the three types of cloud deployment models?
• Public Cloud: In a public cloud deployment, cloud services and resources
are offered over the internet by third-party providers. These services are
available to the general public, and multiple customers share the same
infrastructure. Public cloud services, such as those offered by Amazon
Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP),
are accessible over the internet and shared by multiple users, providing
cost-effective and scalable solutions for businesses and individuals.
• Private Cloud: Private cloud services, like those provided by VMware and
OpenStack, are dedicated exclusively to one organization. For example, a
company might establish its private cloud infrastructure within its own data
centers or use a private cloud service from a provider like IBM Cloud
Dedicated.
• Hybrid Cloud: Hybrid cloud deployments, like using AWS for storing and
processing non-sensitive data while utilizing a private cloud from
OpenStack for sensitive customer information, combine public and private
cloud services. This allows businesses to maintain flexibility and seamless
data sharing between different cloud environments, optimizing their
resources based on specific needs.
identity and access Management (IAM)
1. In the realm of cybersecurity, identity management (or IAM -
Identity and Access Management) is the process of confirming a
user's identity and controlling their access to specific systems
and resources.
2. It's like a digital ID card that determines who gets access to what
in online services.
3. Authentication, a key component of IAM, involves verifying a
user's identity using methods like passwords, PINs, fingerprints,
or smart cards.
4. We interact with authentication mechanisms every day.
5. When you enter a username and password, use a PIN, or scan your
fingerprint, your identity is being verified for authentication
purposes.
6. Once authenticated, access control steps in.
7. Access control determines the level of access a user has
within a system.
8. For instance, in a business setting, access control might
permit high-level administrators to modify settings and access
sensitive data, while restricting regular employees to their
specific tasks, preventing unauthorized access and potential
data breaches.
9. Essentially, identity management ensures the right person is
logging in, and access control ensures they can only do what
they're allowed to do, safeguarding sensitive information.
governance and enterprise risk in cloud
1. Governance includes policies, processes, and internal controls
that help the organization run smoothly.
2. Governance is like the rulebook or guidelines. It's like deciding
who the leaders are, what plans to use, and how to make sure
everyone follows the rules.
3. Governance involves having guidelines and processes to run things
smoothly, especially when using technology like cloud services.
4. Access Control: The governance policy ensures that only
authorized employees, such as managers have access to sensitive
sales data.
5. Data Security: A company stores customer data, including
purchase history and personal information, on the cloud. To protect
this data, the governance policy mandates encryption methods and
regular security audits.
6. So basically, governance refers to the specific policies, controls, and
procedures implemented by a company to manage their cloud
services effectively: access control, data security, compliance,
cost management, and performance optimization.
1. Enterprise Risk Management: This is all about dealing
with the various risks a company might face.
2. In the context of the cloud, it means understanding and
managing the risks related to using cloud services
3. Enterprise Risk Management is like having a captain who
plans for all possible challenges.
In the cloud world, these principles (GOVERNANCE AND
ENTERPRISE RISK MANAGEMENT) guide how businesses
use technology and manage potential risks effectively.
autonomic security for cloud application
1. Autonomic security for cloud applications refers to the methods
and practices to automatically and adaptively secure data and
resources in cloud computing systems.
2. Autonomic systems have self-managing features, meaning they
can adjust and respond to changes in the environment without
constant human intervention.
3. It's a type of intelligent software system that manages security by
monitoring, detecting, and responding to risks without needing constant
human control. These systems are built into the cloud infrastructure,
working behind the scenes to make sure data and applications are safe
when it comes to data breaches or cyber attacks.
"Autonomously" refers to the ability of a system or process to
operate independently, without external control or human
intervention.
key factors to consider for autonomic
security :
1. Adaptability: Autonomic cloud systems can adjust to
unexpected changes in the environment. It's crucial to have
security measures that can adapt to new threats and challenges,
ensuring continuous protection.
2. Simplicity for Users: Autonomic systems are designed to hide
complex technical details from users and operators. Security
measures should be user-friendly and not require extensive
technical knowledge to operate effectively.
3. Historical Context: Autonomic computing, which started in 2001,
aimed to simplify the management of complex computing
systems. Autonomic security should continue this trend by
simplifying the process of securing cloud applications.
4. Self-Management: Autonomic cloud systems have self-management
features: NO constant manual intervention is needed.
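A small monitor, detect and respond loop that shows the self-managing behaviour described above. This is an added example, not part of the original notes: the class name, thresholds, event format and sample events are assumptions constructed for illustration, and the addresses come from the reserved documentation ranges.

```python
from collections import defaultdict, deque

# Constructed sample events: (time in seconds, source address, login result).
EVENTS = [
    (0, "203.0.113.7", "fail"), (2, "203.0.113.7", "fail"),
    (3, "198.51.100.4", "ok"), (4, "203.0.113.7", "fail"),
    (5, "203.0.113.7", "fail"), (6, "203.0.113.7", "fail"),
    (7, "203.0.113.7", "ok"),
    (50, "198.51.100.4", "fail"), (400, "203.0.113.7", "ok"),
]


class AutonomicGuard:
    """Monitors login events, detects bursts of failures and responds
    by blocking the source, with no operator in the decision path."""

    def __init__(self, max_failures=5, window=60, base_block=300):
        self.max_failures = max_failures    # failures tolerated per window
        self.window = window                # sliding window, in seconds
        self.base_block = base_block        # first block duration, in seconds
        self.failures = defaultdict(deque)  # source -> recent failure times
        self.strikes = defaultdict(int)     # source -> number of past blocks
        self.blocked_until = {}             # source -> time the block ends
        self.actions = []                   # record of every automatic response

    def handle(self, ts, source, result):
        # Self-management: an expired block is lifted without manual work.
        until = self.blocked_until.get(source)
        if until is not None:
            if ts < until:
                return "dropped"
            del self.blocked_until[source]
            self.actions.append((ts, "unblock", source, 0))
        if result != "fail":
            return "accepted"
        # Monitor: keep only the failures inside the sliding window.
        recent = self.failures[source]
        recent.append(ts)
        while ts - recent[0] > self.window:
            recent.popleft()
        # Detect: too many failures from one source in the window.
        if len(recent) < self.max_failures:
            return "accepted"
        # Respond and adapt: each repeat offence doubles the block duration.
        self.strikes[source] += 1
        duration = self.base_block * 2 ** (self.strikes[source] - 1)
        self.blocked_until[source] = ts + duration
        self.actions.append((ts, "block", source, duration))
        recent.clear()
        return "blocked"


def run(events):
    guard = AutonomicGuard()
    outcomes = [guard.handle(*event) for event in events]
    return guard, outcomes
```

The actions list is kept so that people can review afterwards what the system decided on its own.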
Cloud Compliance and Audit
Issues:
Compliance and audit issues refer to challenges related
to following rules, regulations, and industry standards
(compliance) and ensuring that these rules are being
correctly followed and documented (audit).
Solutions for Cloud Compliance and Audit Issues:
1. Strong Passwords and Access Control: Create strong, unique
passwords and limit who can access your cloud data. This keeps your
files safe from unauthorized access.
2. Encryption for Data Security: Encryption is like turning your messages
into a secret code that only you and the intended person can
understand. Use it to protect your files. Even if someone tries to look at
them, they won't make sense without the special "key."
3. Regular Software Updates: Just like updating your computer or phone
keeps them running smoothly, cloud services need updates too. These
updates often include security improvements, ensuring your data stays
safe from new threats.
4. Choosing a Trustworthy Cloud Provider: Pick a cloud provider that is
known for being reliable and safe. Look for providers with good reviews
and a history of keeping data secure.
5. Backups and Recovery Plans: Regularly back up your important files to
the cloud and have a plan in case something goes wrong.
By following these simple steps, you can ensure your data in the cloud
remains secure and compliant with the necessary regulations.
portability and interoperability issues in the
cloud
1. Portability Issues: Portability means the ability to move data or
applications from one system to another easily.
2. In the cloud, portability issues occur when you can't move your data or
applications smoothly between different cloud services.
1. Interoperability Issues: Interoperability means different cloud services can
work together and share data seamlessly.
2. Cloud interoperability issues happen when one cloud service can't easily
exchange data with another.
It's like not being able to send a message from one messaging app to another
without complications.
• Portability Issues:
1. Data Transfer Challenges: Moving large volumes of data between different cloud
providers can be slow and costly.
2. Vendor-Specific Formats: Cloud services may use unique formats that are not
understood by other cloud providers, making it difficult to transfer data
seamlessly between different providers.
3. Dependency on Unique Features: Applications relying on specific features of one
cloud provider may not function the same way on another provider's platform.
• Interoperability Issues:
1. Data Incompatibility: Data formats and structures may differ between cloud services,
causing issues when trying to exchange information.
2. Authentication and Access Control: Different cloud providers might have different
authentication methods and access control mechanisms.
3. Service Integration: Integrating different cloud services to work together seamlessly
can be challenging due to differences in APIs and protocols.
business continuity management and disaster
recovery in cloud.
1. Business Continuity Management (BCM): In the cloud, BCM involves
planning to ensure that critical business functions can continue
despite disruptions. This includes data backups and continuity
plans that are specific to the cloud environment.
2. Disaster Recovery (DR): Cloud-based DR involves replicating
(duplicating) critical systems and data to a separate geographic
location or cloud region. This ensures that if one location fails,
operations can quickly switch to another, minimizing downtime and
data loss.
3. BCM and DR work hand-in-hand in the cloud; both aspects are
aligned to maintain the overall business.
4. Monitoring and Feedback: Cloud environments offer monitoring
capabilities. Continuous feedback and analysis of data allow
organizations to improve their BCM and DR strategies over time.
When it comes to Business Continuity Management and Disaster
Recovery in the cloud, it's all about planning ahead, always looking for
ways to do things better. This ensures that businesses can handle and
bounce back from problems quickly and efficiently.
UNIT 4
security management standards
Security management standards in cloud computing refer to a set of guidelines,
frameworks, and best practices designed to ensure the security of data,
applications, and services hosted in the cloud.
These standards help organizations manage and protect their cloud
environments.
Strategies and Tactics:
Identification and Assessment: This involves recognizing the various cloud
services a business is using. It's like taking stock of what tools and
applications are in use within the cloud environment.
Limiting Threats and Vulnerabilities: The cloud services are identified within
the cloud environment.
• Now security management steps in. This can include using encryption,
access controls, and other security measures to safeguard data and
systems.
various focus areas for securing services in the cloud.
1. Data Security:
1. At Rest, In Transit, In Storage: Keep your data safe whether
it's sitting idle, moving between locations, or actively in use.
2. Shared Responsibility Model: Understand who is responsible
for what in terms of securing data. It's a shared effort between
you and the cloud service provider.
2. Encryption and Key Management:
1. Focus on two crucial aspects—encryption and key
management—across major cloud platforms like AWS, Azure,
and Google Cloud.
2. Why It Matters: Encryption ensures that even if someone
unauthorized accesses your data, they can't understand it
without the proper 'key.'
3. Industry Resources:
1. AWS: Check out resources on encrypting data within Amazon
ITIL lifecycle in an enterprise
1. ITIL (Information Technology Infrastructure Library)
2. ITIL is a set of best practices for managing Information
Technology (IT) services. Think of it as a collection of
guidelines that organizations can follow to ensure that their IT
services support their business goals effectively.
3. ITIL provides a structured framework for PLANNING,
DELIVERING, AND IMPROVING IT SERVICES to meet the needs
of the organization and its customers.
email systems, databases, networks, and software applications.
Why do we need a lifecycle? IT services, like any other processes or
products, have a lifecycle. Lifecycles help in systematically
managing and improving services from their starting point till
retirement.
Five Stages of ITIL Lifecycle:
The ITIL lifecycle is divided into five interconnected stages
1. Service Strategy: (plan) You decide what IT services your
organization needs to achieve its overall goals. This stage is all about
planning.
You figure out which IT services will best support your business, how
they’ll be funded, and how they’ll add value to the organization.
2. Service Design: You create detailed plans for how the IT services
will be implemented, including specifications and requirements.
You figure out all the details, like what resources are required, how
the service should look, and how it will function to meet business
needs.
3. Service Transition: The designed services are built, tested by the IT team,
and then introduced into the live environment. It ensures a smooth
transition from planning to live operation.
4. Service Operation: The services are managed in the live environment
according to agreed-upon service levels.
The IT team monitors the service to ensure it’s working properly. They handle any issues
that arise, like fixing bugs, performance, and monitoring.
5. Continual Service Improvement: Ongoing evaluation of services to
identify areas for improvement, making sure they evolve to meet changing
needs.
After the service has been in use for a while, the company gathers feedback from both
customers and support staff and looks for improvement.
• Each stage connects to the next, forming a continuous cycle of
planning, designing, transitioning, operating, and improving IT
services.
• In essence, the ITIL lifecycle is a series of logical steps, all aimed at
making sure that IT services contribute effectively to the goals of
the organization.
various security management functions available for
SPI cloud delivery models.
1. SPI stands for "Service Provider Interface."
2. SPI typically refers to the different types of cloud service models.
The three main categories are: SaaS, PaaS, IaaS.
1. Software as a Service (SaaS):
1. User Authentication and Authorization: Ensures that only
authorized users can access the SaaS application, typically
through secure login credentials.
2. Data Encryption: Protects sensitive data during transmission and
storage by converting it into a secure format that can only be
deciphered with the right keys.
3. Identity Management: Manages user identities, roles, and
permissions to control access to various features and data within
the SaaS application.
4. Regular Monitoring and Auditing: Continuous monitoring of user
activities and regular security audits to detect and respond to any
2. Platform as a Service (PaaS):
1. Access Controls: manage user permissions and restrict unauthorized access
to the development platform.
2. Secure Development Practices: Promotes and enforces secure coding
practices among developers to mitigate vulnerabilities in applications built on
the PaaS platform.
3. Data Encryption: Secures data at rest and in transit within the platform,
ensuring that sensitive information remains confidential.
3. Infrastructure as a Service (IaaS):
1. Network Security: Establishes strong network security measures, including
firewalls, intrusion detection/prevention systems, and VPNs, to protect the
overall infrastructure.
2. Virtual Machine Security: Ensures the security of virtual machines through
timely patching, regular updates, and proper configuration.
3. Data Backups and Disaster Recovery: Implements robust data backup and
recovery strategies to safeguard against data loss and ensure business
continuity.
4. Identity and Access Management: Controls user access to infrastructure
components and resources, preventing unauthorized use and potential
In summary, these security management functions play crucial roles in securing the different layers of the
cloud service models, addressing concerns and giving solutions.
IaaS Availability management
1. IaaS Availability Management is about making sure that the
Infrastructure as a Service (IaaS) is always up and running
smoothly.
2. For the companies that provide IaaS, their job is to keep the
essential parts like computing power, storage, and additional
services (like managing accounts, messaging, authentication,
databases, billing, and monitoring) always available.
3. They need to have a strong and dependable data center that
can deal with any issues and keep things running without
interruptions.
4. As a customer, your responsibility is to manage and maintain
the virtual machines (VMs) that you create. But to do that
effectively, you rely on the IaaS provider’s network, servers,
and storage to be available whenever you need them.
1. Security Vulnerability Management:
Security Vulnerability Management is like having a digital detective for your
systems. It uses tools like vulnerability scanners to find weak points in your
network. Once identified, it calculates the risks and helps decide the best way
to deal with them. Think of it as a guard against potential cyber threats.
2. Security Patch Management:
Security Patch Management is your system's personal bodyguard. It ensures
that your software and applications are up to date by managing patches.
Patches fix vulnerabilities and prevent security breaches. It's like giving your
systems the latest armor to stay safe in the ever-evolving digital landscape.
How can a PaaS customer reduce software application
vulnerability?
Secure Key Management: KEYS ARE special pieces of information USED
TO PROTECT DATA.
1. Keep your data or keys safe in a special place called Azure Key
Vault.
2. Azure Key Vault locks up important things like keys and
credentials, making sure they're super secure. Think of it as a
digital safe for sensitive info.
3. Azure Key Vault encrypts authentication keys, storage account
keys, and other sensitive data, enhancing security.
4. Azure Key Vault is a cloud service provided by Microsoft Azure.
Avoid Source Code Secrets:
Never store credentials or secrets in source
code or GitHub.
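One way to check the rule above before code is committed, as an added example that is not part of the original notes: a small scanner that flags string literals assigned to secret-looking names, plus long high-entropy literals. The sample source, the variable names in it, the patterns and the thresholds are all constructed assumptions; the key values are made up.

```python
import math
import re

# Constructed sample file contents; every value here is invented.
SAMPLE_SOURCE = '''\
import os
DB_PASSWORD = "Sup3rS3cret!2024"
API_KEY = os.environ["API_KEY"]
storage_account_key = "constructed-key-value"
blob = "q9Zt4LmX2vB7nR1cK8sW5yH3jD6fG0aPqT7uE4iO"
timeout = "30"
greeting = "hello world"
'''

# name = "literal" or name: 'literal' on one line.
ASSIGNMENT = re.compile(
    r'''(?P<name>[A-Za-z_][A-Za-z0-9_]*)\s*[:=]\s*(?P<quote>["'])(?P<value>[^"']+)(?P=quote)''')

# Variable names that suggest the value is a credential.
SENSITIVE_NAME = re.compile(
    r"(?i)(passw(or)?d|secret|token|api_?key|account_?key|credential)")


def shannon_entropy(text):
    """Bits of entropy per character; random keys score higher than words."""
    counts = {c: text.count(c) for c in set(text)}
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())


def find_hardcoded_secrets(source, min_entropy=3.5, min_length=20):
    """Return (line number, variable name, reason) for each suspicious literal."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        match = ASSIGNMENT.search(line)
        if not match:
            continue  # no string literal assigned on this line
        name, value = match.group("name"), match.group("value")
        if SENSITIVE_NAME.search(name):
            findings.append((lineno, name, "sensitive name with literal value"))
        elif len(value) >= min_length and shannon_entropy(value) >= min_entropy:
            findings.append((lineno, name, "high-entropy literal"))
    return findings


if __name__ == "__main__":
    for finding in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(finding)
```

Line 3 of the sample is not flagged because the value is read from the environment at run time, which is the pattern to prefer; a vault service such as the Azure Key Vault mentioned above serves the same purpose.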
IAM functional architecture
Refers to the design and structure that defines
how IAM is implemented and managed within an
organization
IAM (Identity and Access Management) functional architecture involves three
main components:
1. Identification: Assigning a unique identity to individuals or entities within the
system. Example: When you log in to a website, you might enter your
username or email address. This input is your identification within the system.
2. Authentication: Verifying the claimed identity to ensure the person or entity is
who they say they are. Example: Next, when you enter your password
after providing your username, the system checks if the password matches the
one associated with your username. If it matches, you’re authenticated.
3. Authorization: Granting access rights and permissions based on the
authenticated identity.
IAM standards and protocols.
• IAM (Identity and Access Management) involves various standards and
protocols to manage user identities and control access to resources. Here
are some key IAM standards and protocols:
1. LDAP (Lightweight Directory Access Protocol):
• It is like a digital phonebook for computer systems. It's an open-source
tool. Picture it as an old and reliable protocol from the 1990s, one of the
oldest in managing who gets access to what.
• Purpose: Manages authentication for on-premise applications.
• Use Case: Directory access for connecting, searching, and modifying
directory contents.
• It is handy for dealing with logins to applications within a company's own
space (on-premise).
UNIT 5
privacy principles of cloud computing
1. Data Minimization: Collect and keep only the data needed for a task. This
limits the chance of exposing sensitive information.
2. Data Encryption: Data encryption means turning information into a secret
code that only authorized people can read. This protects data both when at rest
and when being transferred.
Activity: students try encrypting a simple message using online tools to see how
encryption works in action.
3. Access Control: Ensure only people with permission can access certain data.
This can be done using passwords, multi-factor authentication, or assigning
specific roles.
Example: Compare this to different levels in a building—only authorized people
can access certain rooms.
4. Transparency: Cloud service providers should clearly explain how they
handle user data, including how it’s collected, stored, and shared.
5. User Consent: Users must agree to how their data is used. They should have
control over what data they provide.
Discussion: Talk about how they often click "Accept" on terms and conditions.
It's crucial to know what they're agreeing to.
6. Data Retention and Disposal: Decide how long data is kept and ensure it's
safely deleted when no longer needed.
how long they would keep old assignments on their computer. Relate this to
why data shouldn’t be kept forever in the cloud.
GRC (Governance, Risk Management, and
Compliance)
1. Governance (G): Governance involves setting up the rules and policies
that guide an organization's overall direction and ensure that it
meets its goals and objectives.
2. Risk Management (R): Risk management is the process of
identifying and solving potential risks that negatively impact the
organization.
3. Compliance (C): Compliance ensures that the organization follows
all the laws, regulations, standards, and internal policies that
apply to it.
KEY COMPONENTS OF GRC.
By using GRC, companies can work more smoothly,
avoid risks, and stay within legal requirements.
It helps ensure the organization is both safe and well-
managed.
legal and regulatory requirements for data
privacy
1. Protect Your Personal Data:
Just like companies must protect customer data in the cloud, you
should also protect your personal data online.
For example, don’t share your passwords, and use strong security
settings on your social media and email accounts.
2. Know Where Your Data is Stored:
You should know where your data goes when you use apps or
websites.
Only use trusted services.
3. Use Encryption:
Companies are required to use encryption to protect cloud
data.
You can do this in your life by using apps with end-to-end
encryption (like WhatsApp) for messaging. This way, even if
someone tries to hack into your data, they won’t be able to
read it.
4. Stay Informed About Data Breaches:
Companies must inform people if there’s a data breach.
You should be aware of breaches too. If a company notifies
you that your data was exposed, immediately change your
passwords and monitor your accounts for unusual activity.
lifecycle approach for managing security
controls in cloud service providers (CSPs)
1. Assessment (Understanding what you need)
2. Implementation (Setting up protection)
3. Operations (Running smoothly)
4. Monitoring (Checking if everything’s fine)
5. Adaptation (Improving based on feedback)
1. Assessment (Understanding what you need): Imagine you're
planning a party. First, you check what could go wrong, like a
shortage of food or unwanted guests. This is like identifying risks
and what security is required.
2. Implementation (Setting up protection): After figuring out the
potential risks, you take action. For example, you order enough
food and hire security at the gate. This step is about putting
security measures in place for the cloud.
3. Operations (Running smoothly): During the party, you keep
things going smoothly, making sure the food is served, guests are
happy, and security is watching the door. This is like keeping the
security measures running properly in the cloud.
4. Monitoring (Checking if everything’s fine): You
regularly check if everything’s okay. Are there any
gatecrashers? Is the food enough? In the same way,
cloud security measures are checked to see if they
are still effective.
5. Adaptation (Improving based on feedback): After
the party, you think about how it went. If anything
went wrong, you learn from it and make changes
for next time, like hiring more security. In the
cloud, this step means adjusting security to face
new threats or improve security.
Benefits of GRC (Governance, Risk, and
Compliance) for Cloud Service Providers (CSPs):
• Reduce risks through a structured risk management approach
This means CSPs can handle risks in a planned way.
• Imagine making a checklist of possible problems (like hackers or
system failures) and ticking them off one by one. This helps them
avoid major issues.
• Improve monitoring of IT compliance
It’s like keeping track of whether they are following the important
rules, like exam rules in school. GRC helps them with monitoring
and security.
• Improve security
Just like locking your phone keeps your data safe, GRC
helps CSPs boost their security systems so that user data
and information are well protected.
• “Reduce the burden” of monitoring and testing
Checking whether you’ve followed all the rules can be a
lot of work.
• But GRC reduces that workload, making it easier to
monitor and test if they are following the rules properly.
What is an Asset?
An asset is anything valuable to the organization,
such as data, computers, servers.
Protecting these assets is crucial to keep the
business running smoothly and securely.
OBJECTIVES FOR ASSET, COMMUNICATION, AND
OPERATIONS MANAGEMENT IN CLOUD COMPUTING:
These objectives are to protect a company’s resources (like data, devices, or
equipment) and to ensure everyone working in the company is responsible for
keeping things secure.
1. Responsibility for Assets: Everyone must protect important company
items, like data or devices, and know how to keep them safe.
2. Information Classification: Company information should be sorted
based on how sensitive it is.
For example, “highly sensitive information needs stronger security
measures than public information.”
3. Before Employment: When hiring someone, ensure they understand
their job and prevent risks like theft or fraud.
4. During Employment: Keep employees educated about
security risks and their duties to avoid mistakes that could
harm the company.
5. Termination OR After Employment: When someone
leaves, make sure their exit is handled carefully so they
don’t take any sensitive information with them.
CLOUD SECURITY ALLIANCE
• The Cloud Security Alliance (CSA) is an organization that focuses on
promoting best practices for securing cloud computing environments.
• Established in 2009
Key Objectives or goals of the CSA:
1. Education and Awareness: CSA provides training, and certifications to
educate cloud users and providers about security practices.
2. Research and Best Practices: The organization conducts research to
identify and share best practices for secure cloud usage.
3. Guidance and Lists: CSA makes lists of issues and gives guidance on how to
make sure your stuff stays safe when using cloud services.
4. Certification Programs: CSA offers certifications, like the CSA STAR
(Security, Trust & Assurance Registry), which helps organizations with
cloud security.
CSA's White Paper:
• CSA wrote a detailed document (white paper) that talks about
specific concerns related to cloud computing.
They cover 15 areas, including:
• How cloud systems are set up.
• Managing risks and rules for big organizations.
• Legal stuff related to cloud computing.
• Making different cloud systems work together smoothly.
So, in simple terms, CSA is like a helpful guide that wants
everyone using the cloud to work safely and understand how to
keep their information secure.