
UNIT V - Cloud Security

Cloud security is crucial for protecting sensitive data stored in cloud environments, which can be more secure than on-premises storage. It involves shared responsibilities between cloud providers and customers, with various threats unique to cloud computing, such as misconfigurations and insecure APIs. Organizations must actively manage their cloud security to mitigate risks and ensure compliance while leveraging the benefits of cloud services.

Uploaded by

musuk876
Copyright
© © All Rights Reserved

UNIT V : Cloud Security

Cloud computing enables new opportunities for businesses willing to make the transition. However, at
the same time, cloud computing presents many challenges such as cloud security.

How secure is the cloud?


Questions about cloud security threats are a valid concern, as all your sensitive data is held outside of
your company premises. However, in most cases, data will be much safer when stored in the cloud
than kept on the user's device.
Usually, cloud data is stored in an encrypted form, meaning that anyone needing data access needs a
digital key. Not to mention that the data itself is stored across a large fleet of servers with multiple
backups. This is done to protect the information in case of a server malfunction or a cyberattack.

What is cloud security?


Cloud security is a set of procedures and technologies designed to protect the data and fend off
external and internal threats.
Cloud security solutions are deployed much like the tools used to protect physical hardware. The key
difference is that they are also managed and deployed remotely. The responsibility for data protection
is shared between the cloud provider and the customer. The provider must ensure the security
of its hardware setup and access rules, while the customer should take care of storage encryption and
the configuration of various security policies.
This is one of the key reasons why cloud security is thought to be much harder to maintain than on-
premises models. As there are more involved parties, this also means that something crucial could be
overlooked. Not to mention that relying on external providers takes much visibility and control away
from the client.

How do cloud threats differ from traditional threats?
Cloud security threats differ from traditional network threats in a few ways:

 The shared infrastructure and availability of data in cloud systems attract cyber attackers.
 Cloud computing opens more ways to access and control hosts.
 Cloud technology removes many of the traditional barriers of network security by making new
virtual machines (VMs) and private networks easy and cheap to deploy. This is especially
threatening to identity providers (IdP), such as Azure AD, Okta, and more, whose
configurations allow an attacker to access multiple services with only one account.

Why is cloud security important?
Organizations rely heavily on cloud computing for many of their day-to-day operations. The dynamic
nature of cloud infrastructure provides many great opportunities for businesses aiming to reap benefits
when pursuing their business goals. As the potential is great, businesses that find ways to harness cloud
computing can overcome many IT challenges.
However, as cloud computing is still new territory for most businesses, the risks associated with
keeping your data externally are more prominent. Under the arrangement with a cloud provider,
each client is responsible for the safety of its data. Therefore, each organization has to consider
how to approach cloud security for its unique business case.
Cybersecurity always requires active input from an organization. Otherwise, they risk attracting
unwanted attention from hackers specifically targeting cloud networks. Therefore, cloud computing is
relevant regardless of your organization's size or industry.

Main benefits of cloud security

 Helps to prevent cyber attacks. Cloud security can be a foundation to prevent or stop incoming
hacking attempts.
 Improves data security. Various technologies help to protect sensitive data so that it doesn't
fall into the wrong hands.
 Facilitates cloud maintenance. Most cloud services offer live monitoring and support, which helps to
improve service reliability.
 Faster recovery. In the event of a data breach, cloud security tools help organize a recovery process
more easily.
 Regulatory compliance. Often, cloud security is a requirement for secure regulatory compliance
accreditation.

How does cloud security work?


Cloud security helps organizations by providing various controls to protect against threats to data,
applications, and cloud systems. As cloud computing platforms are a go-to solution for most
businesses, the threats targeting businesses are frequently directed at the cloud.
Therefore, cloud security solutions help businesses in several ways:
 Increases transparency. It's much easier to secure an organization when network administrators know
what users are accessing.
 Monitors network status. Knowledge about what activity is occurring in the cloud can help to stop
various risks in their tracks.
 Adds a layer of security. The most important resources can be better secured against unauthorized
users accessing sensitive information.
 Enforces stronger identity management. Increasing the access requirements helps to protect user
accounts from takeovers.
 Aligns security to compliance requirements. As most companies hold a lot of confidential
information, cloud security helps them to align to defined security standards.

Types of cloud environments


Despite its umbrella term, cloud computing can be set up in multiple ways. It's also important to note
that even the same cloud type can be organized differently from one another. Still, each cloud
computing type has weaknesses and strengths that could significantly impact your business.

Public clouds
A public cloud is an environment distributed on-demand over the public internet by a service
provider. Some public clouds are free for everyone, while others require a subscription or are priced
under pay-per-usage models. The largest public cloud providers include Google Cloud, Amazon Web
Services, Microsoft Azure, and IBM Cloud.
Such services help forward-thinking businesses move their workloads externally and easily scale up or
down according to their needs. This frees up on-premise network administrators and helps to drive IT
costs down. It's much cheaper to use a shared infrastructure managed by a third party than to have the
same setup scale in-house.

Private clouds
A private cloud is a cloud environment in which all hardware and software resources are reserved
and accessible to a single customer. Often, these environments are protected behind the group's
firewall. This creates completely isolated access with no overlaps with other cloud users.
Most companies prefer private cloud setups as it's a much easier way to ensure security and meet
compliance requirements. However, one major flaw of this setup is that it isn't as scalable as a public
cloud. Private clouds usually are fixed size and can't be upscaled or downscaled at a moment's notice.
Additional hardware and software licenses would be necessary to upscale a private cloud.

Hybrid clouds
A hybrid cloud is an environment in which applications run from different sources: cloud and on-
premises. This method is the most prominent cloud computing setup, as most businesses get the best
of both worlds. Most businesses are using the infrastructure they have built for a long time and
expanding it with cloud additions.
Connecting cloud and on-premises environments is usually done with local area networks (LANs),
wide area networks (WANs), virtual private networks (VPNs), and other methods. The whole setup is
managed from an integrated management and orchestration platform.

Multiclouds
Multiclouds are combinations of different cloud types, public or private. This setup is created
when different clouds (often from different service providers) are combined by some method of
integration or orchestration. This helps to avoid vendor lock-in and create more flexible solutions
adapted to specific business needs.
Frequently, such setups are created so that one cloud functions as a backup for data loss
prevention. If an accident happens, the organization's data can be safely recovered from the
backup.

Types of Cloud Service models


Cloud computing can be delivered as three distinct service models, each providing a unique set of
benefits that could serve various business needs.

IaaS
Infrastructure as a service virtually offers the typical components of data center infrastructure like
hardware, computing power, storage space, or network resources. The resources are accessed via
virtual or private networks and can be quickly put to use by the client. This method solves the problem
of maintaining physical hardware for small, medium-sized, and large companies.

SaaS
Software as a service is a license and sales model used to deliver software applications over the
public internet. Usage is usually subscription-based. After paying the fee, you're allowed to use the
service for a set duration of time. The vendor is the one controlling the entire computing stack.
Meanwhile, the user gets to interact directly with software from its endpoint.

PaaS
Platform as a service offers an entire suite of development environment tools. This heavily
streamlines the software development process and is useful when creating new applications. This
framework instantly provides design, testing, and delivery tools, allowing clients to start working on
new projects quickly.

Vulnerability Issues and Security Threats

TOP 6 CLOUD VULNERABILITIES

# 1 Cloud Misconfiguration

Cloud misconfiguration is probably the most common vulnerability organizations face, as
reported in a recent NSA study. Misconfigurations can take many forms and shapes, a few of
which we cover below. They are often caused by a lack of knowledge of good practices or lack of
peer review from your DevOps/infra team.

Identity and Access Management

Having insecure identity and access management (IAM) is a common vulnerability in cloud
systems. In a nutshell, it occurs when a user or service of your infrastructure has access to
resources they should not be able to access and/or do not need.

To minimize this threat:

 Enforce the principle of least privilege for all of your cloud resources and users; always avoid
granting complete access to a resource if a service only needs read access or access to a subpart
of the resource.
 Use third-party tools to scan and detect misconfiguration of IAM policies; a cloud-native
application protection platform (CNAPP) can help increase the visibility of a misconfiguration.
 Frequently review access and privileges, as access requirements change over time.

Public Data Storage


This vulnerability occurs when a given data blob, like an S3 bucket or, less frequently, an SQL
database, is partly or completely open to the public, which then has either read-only
or both read and write access. A common cause of this issue is the misconfiguration of a resource.

Your DevOps team, sysadmins, and managers should follow some basic principles to minimize
the risk of public data storage misconfiguration.

To minimize this threat:

 Use third-party tools to scan your infrastructure and quickly detect this type of vulnerability.
 Always have your data storage set to private by default for your cloud resource.
 When using Terraform or another IaC framework, make sure to have the infrastructure-as-code
files reviewed by another member of your team.
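
The two checks described above (least privilege for IAM, and storage that is not open to the public) can be run mechanically over policy documents before they are deployed. The following is an added example, not part of the original notes: the policies, bucket name, account ID and Sids are constructed sample data, and the checker is a simplified sketch rather than a replacement for a CNAPP or the provider's own analyzer.

```python
"""Added example: flag over-broad IAM grants and public bucket policies."""
from __future__ import annotations

# Action verbs treated as read access (assumption made for this example).
READ_PREFIXES = ("Get", "List", "Describe", "Head")


def _as_list(value):
    """Policy fields may hold one value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allow_statements(policy: dict):
    """Yield (sid, statement) for every Allow statement in a policy document."""
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") == "Allow":
            yield stmt.get("Sid", f"statement[{index}]"), stmt


def find_overbroad_grants(policy: dict) -> list[tuple[str, str]]:
    """Least-privilege check: wildcard actions, NotAction, or Resource '*'."""
    findings = []
    for sid, stmt in _allow_statements(policy):
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append((sid, f"wildcard action {action}"))
        if "NotAction" in stmt:
            findings.append((sid, "Allow with NotAction grants everything not listed"))
        if "*" in _as_list(stmt.get("Resource")):
            findings.append((sid, "applies to every resource (*)"))
    return findings


def _is_public(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"}, i.e. anyone on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def _access_level(actions) -> str:
    """Classify the granted actions as read-only, write-only, or both."""
    reads = writes = False
    for action in actions:
        verb = action.split(":")[-1]
        if verb == "*":
            reads = writes = True
        elif verb.startswith(READ_PREFIXES):
            reads = True
        else:
            writes = True
    if reads and writes:
        return "read and write"
    return "write-only" if writes else "read-only"


def find_public_access(policy: dict) -> list[tuple[str, str]]:
    """Public-storage check: Allow statements whose principal is everyone."""
    findings = []
    for sid, stmt in _allow_statements(policy):
        if not _is_public(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # A condition may or may not make this safe; a human must decide.
            findings.append((sid, "conditional"))
        else:
            findings.append((sid, _access_level(_as_list(stmt.get("Action")))))
    return findings


# Constructed sample policies (not taken from any real account).
BUCKET = "arn:aws:s3:::example-reports"
IAM_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReportsReadOnly", "Effect": "Allow",
     "Action": ["s3:GetObject"], "Resource": BUCKET + "/*"},
    {"Sid": "AdminEverything", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "AllOfS3", "Effect": "Allow", "Action": "s3:*", "Resource": BUCKET},
]}
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": BUCKET + "/*"},
    {"Sid": "PublicReadWrite", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:PutObject", "s3:GetObject"], "Resource": BUCKET + "/*"},
    {"Sid": "VpcEndpointOnly", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": BUCKET + "/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}},
    {"Sid": "TeamRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-reader"},
     "Action": "s3:GetObject", "Resource": BUCKET + "/*"},
]}

if __name__ == "__main__":
    for sid, issue in find_overbroad_grants(IAM_POLICY):
        print(f"IAM     {sid}: {issue}")
    for sid, level in find_public_access(BUCKET_POLICY):
        print(f"BUCKET  {sid}: public, {level}")
```

Running a check like this in the same pipeline that applies Terraform or other IaC files complements the peer review recommended above.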

Other Misconfigurations

Many other vulnerabilities exist in this category; here is a quick rundown of good practices to
reduce misconfiguration:

 Always use HTTPS instead of HTTP (the same goes for any other protocol, e.g., SFTP instead
of FTP); you should also use the latest version of SSL/TLS.
 Restrict all inbound and outbound ports that are not needed for a given machine exposed to the
internet.
 Keep secrets like API keys, passwords, etc. in one and only one place using a secure secret
management solution (e.g., AWS Secrets Manager).

# 2 Insecure APIs

APIs are proliferating in modern software development, being used in microservices, application
and website backends. They must handle requests received from mobile devices, applications,
webpages and third parties, as well as bots, spammers and hackers. This is why having a secure
API is critical to ensuring cyber threat mitigation and to protect against unwanted traffic.

These malicious requests can take a wide array of forms. Some of the most common are:

 Code and query injection (SQL injection, command injection)
 Taking advantage of bad access control
 Targeting a vulnerability due to an outdated component (software libraries, database engine,
runtime environments, etc.)

Many cloud providers offer in-house solutions. Otherwise, there are a few easy steps you can take
on your own to ensure API security.

To minimize this threat:

 Have a web application firewall (WAF) to filter requests by IP address or HTTP header info,
and to detect code injection attacks; WAFs also let you set response quotas per user or other
metrics.
 Implement DDoS protection (see more information below).

# 3 Lack of Visibility

As the use of cloud services increases, so does the scale of your infrastructure. When companies
are using thousands of instances of cloud services, it can be easy to get lost in them or forget
about some of those running instances. Visibility into the state of your entire infrastructure must
be easy and convenient to access.
Lack of visibility of cloud infrastructure is a major issue that can delay action on a threat and
result in a data breach. Managers, sysadmins and DevOps teams must therefore take a proactive
security approach.

To minimize this threat:

 Monitor for and detect threats.
 Ensure visibility into your cloud infra.
 Implement tools such as a CNAPP; this can minimize risk and shorten the response time in
case of a breach.

# 4 Lack of Multi-factor Authentication

Multi-factor authentication (MFA) is an authentication method in which a user must present at
least two forms of identification validation to access an account or data. For instance, a typical
MFA is when a user has to enter a username and password. The user is then prompted to enter a
second validation, such as a one-time password/code received via SMS, email or push notification
on their cell phone.

Passwords and users are vulnerable to theft, making a lack of MFA a potentially critical
vulnerability.

To minimize this threat:

 Implement MFA across your organization to benefit from an additional layer of authentication
required to access systems (e.g., via a physical phone or email address).
 Always enforce MFA for any employees granted cloud access to their accounts and data.

# 5 Malicious Insiders

Unauthorized access occurs when a user obtains access to some or all of your company’s cloud
resources.

There are a few ways that these malicious insiders can gain access to your cloud accounts. As
mentioned in the cloud misconfiguration section, this can result from rules that are too loose or a
former employee still having valid credentials to the accounts.

Malicious insiders can also access your cloud resources via account hijacking due to a successful
phishing attack and/or weak credential security (e.g., a password that is too simple or a password
shared between accounts). This kind of vulnerability can be particularly dangerous, as not only
data but also intellectual property is at risk of being stolen or changed.

To minimize this threat:

 Make sure MFA is activated.
 Filter out phishing emails using an automated tool.
 Educate employees about phishing attacks.
 Make sure safe password practices are being followed.

# 6 Distributed Denial-of-Service Attacks

Distributed denial-of-service (DDoS) attacks are malicious efforts to take down a web service
such as a website. They work by flooding the server with requests from different sources (hence
distributed) and overloading it. The goal is to make the server unresponsive to requests from
legitimate users.

To minimize this threat:


 Choose a cloud provider that protects against DDoS attacks; most do, e.g., AWS Shield comes
with easy integration and no additional cost.
 Make sure DDoS protection on your cloud service is always turned on.

Cloud computing vulnerabilities are increasingly common, and your organization must act to
ensure mitigation. We discussed the most common cloud security threats, but there are many
other vulnerabilities to be addressed. CrowdStrike delivers advanced, unified and automated
security to protect, prevent and address vulnerabilities.

The list of the top cloud vulnerabilities.

Open S3 bucket
An Amazon S3 bucket is a public cloud storage resource used within Amazon Web Services. Buckets
are similar to folders as they consist of data and descriptive metadata. According to various reports,
poorly configured S3 buckets contribute to a significant portion of cloud security data breaches. Some
of the companies that were recently affected by these misconfigurations that resulted in a data breach
were Netflix and Capital One. This allowed some of the private buckets to be accessible to anyone
interested. Therefore, when using cloud services, it's critical to implement proper access rules.

Incomplete data deletion
One of the trickiest parts of cloud data management is data deletion. On the one hand, it's a process
that should be done irreversibly. On the other hand, an administrator must ensure that there are no
backups left.
In cases when multiple tenants are sharing the infrastructure, data should be deleted without the
possibility of retrieving it. It's not enough to wipe the hard drive and hope for the best. The data should
be overwritten with blank tables and then deleted again.
As for the data backups, this requires full visibility of where they are kept. There shouldn't be any
unsupervised copies lying in the cloud as, over time, this data could find its way to hackers. That said,
in most cases, data deletion must follow the cloud provider's procedures, so it will likely be a joint
effort, although some cloud service providers may have different requirements.

Lambda command injection


AWS Lambda is an AWS computing service that allows running code without provisioning or
managing servers. It can execute code when needed, scaling from a few daily requests to thousands
per second. The service model charges only for the compute time used. It's a convenient tool
that tests any application or backend service.
As the user function is serverless, this greatly increases the potential attack surface. The function can
be launched from various events like database changes, code modifications, notifications, and other
events. This means that a hacker can try to inject an unexpected event into the vulnerable function,
which is then passed down to the OS-level application. This is potentially devastating to the stored
data, as the hacker could obtain direct access to the cloud using this vulnerability.
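
The path from an event field to the OS-level application is easiest to see with the vulnerable handler beside its hardened form. The following is an added example, not part of the original notes: the S3-style event shape is used as one possible trigger, the object keys are constructed, and `TOOL` is a harmless stand-in for whatever program a real function would call.

```python
"""Added example: command injection through a Lambda event, and the fix."""
import re
import shlex
import subprocess
import sys
from urllib.parse import unquote_plus

# Stand-in for the OS-level tool the function shells out to (assumption: a
# real function might call an image converter or a file scanner here).
TOOL = [sys.executable, "-c", 'import sys; print("scanned", sys.argv[1])']

# Allowlist for object keys accepted by the hardened handler (assumption).
SAFE_KEY = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/-]{0,255}")


def object_key(event: dict) -> str:
    """Extract the object key; S3 event notifications URL-encode it."""
    return unquote_plus(event["Records"][0]["s3"]["object"]["key"])


def handler_vulnerable(event, context=None) -> str:
    """BEFORE: the key is pasted into a shell command line."""
    key = object_key(event)
    command = " ".join(shlex.quote(part) for part in TOOL) + " " + key
    # shell=True hands the whole string to /bin/sh, so shell metacharacters
    # in the event-controlled key are interpreted as commands.
    result = subprocess.run(command, shell=True, capture_output=True, text=True)
    return result.stdout


def run_tool(key: str) -> str:
    """Run the tool with an argument list: no shell ever parses the key."""
    result = subprocess.run(TOOL + [key], capture_output=True, text=True,
                            check=True, timeout=10)
    return result.stdout


def handler_hardened(event, context=None) -> str:
    """AFTER: validate the event field, then call the tool without a shell."""
    key = object_key(event)
    if not SAFE_KEY.fullmatch(key) or ".." in key:
        raise ValueError("rejected object key")
    return run_tool(key)


def make_event(encoded_key: str) -> dict:
    """Build a minimal S3-style event (constructed sample, not a real one)."""
    return {"Records": [{"s3": {"object": {"key": encoded_key}}}]}


BENIGN_EVENT = make_event("reports/2024-q1.csv")
# URL-encoded form of "report.csv; echo INJECTED": encoding is not a defence,
# because the handler must decode the key to use it.
HOSTILE_EVENT = make_event("report.csv%3B+echo+INJECTED")

if __name__ == "__main__":
    print("vulnerable:", handler_vulnerable(HOSTILE_EVENT).splitlines())
    print("no shell:  ", run_tool(object_key(HOSTILE_EVENT)).splitlines())
    try:
        handler_hardened(HOSTILE_EVENT)
    except ValueError as exc:
        print("hardened:  ", exc)
    print("hardened:  ", handler_hardened(BENIGN_EVENT).splitlines())
```

Either control alone blocks this input. Together they also cover keys that contain no shell characters but are still unexpected, such as path traversal sequences or option-like names.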

Failure of separation among multiple tenants


The multitenancy model helps drive costs low — multiple customers are using the same software
instance, which is installed on multiple servers. User data and resources are located in the same
computing cloud, controlled and distinguished by various unique identifiers. Naturally, the risks
associated with this model arise from the shared model itself, as the used computer hardware is the
same for multiple clients.
Data isolation is paramount in such scenarios as multitenancy would, by definition, be one of the best
attack vectors at a hacker's disposal. Not to mention that successfully breaching one of the tenants
makes it easier to infiltrate co-residents within the cloud. Since the only boundary between them is
individual user IDs, this gives plenty of leverage for malicious individuals.

Cloud computing security risks and threats

While the cloud is much safer than device storage, it's important to note that no security system is
uncrackable. A broad spectrum of cybersecurity risks applies to cloud infrastructure that could
compromise your data.

External data breaches


Most business owners view data loss as their biggest cloud security concern. Leaking financial or
customer data threatens customer trust, which can cause long-lasting revenue loss. As the security
responsibilities are shared between a cloud service provider and a client, there's always a risk of failure
to secure the network properly. The servers should also be properly equipped to withstand DDoS
attacks.

Misconfigurations
Cloud infrastructure is very complex, so there's a real risk of missing something when setting it up.
Organizations risk misconfiguring their access systems when scaling up or scaling down their
operations. Missing important updates or overlooking existing infrastructure shortcomings may also
contribute to critical misconfigurations.

Poor authentication controls


Your data is only as secure as the weakest component within its chain. If the only thing that your
employees need is a username and a password, this is something that could be easily exploited.
Generally, the rule is to protect sensitive assets with a corresponding level of authentication
mechanisms. The more sensitive the data, the more authentication layers it should have.

Account hijacking via phishing


Hackers don't need to penetrate your internal networks when the data is hosted in the cloud. This
means that hijacking your administrator's account and posing as one could be enough to gain direct
access to the cloud-hosted data. It requires less effort to pull off than bypassing various cybersecurity
defenses that could be deployed internally.

API insecurities
Growing Application Programming Interface (API) usage creates an opportunity for hackers looking
for an opening into the network. This area must be thoroughly checked for vulnerabilities, poor coding
practices, lack of authentication, and insufficient authorization. These and other similar oversights can
help hackers gain access to the system.

Common Cloud Security Threats
Cloud services have transformed the way businesses store data and host applications while introducing
new security challenges.

1. Identity, authentication and access management – This includes the failure to use multi-
factor authentication, misconfigured access points, weak passwords, lack of scalable identity
management systems, and a lack of ongoing automated rotation of cryptographic keys,
passwords and certificates.
2. Vulnerable public APIs – From authentication and access control to encryption and activity
monitoring, application programming interfaces must be designed to protect against both
accidental and malicious attempts to access sensitive data.
3. Account takeover – Attackers may try to eavesdrop on user activities and transactions,
manipulate data, return falsified information and redirect users to illegitimate sites.
4. Malicious insiders – A current or former employee or contractor with authorized access to an
organization’s network, systems or data may intentionally misuse the access in a manner that
leads to a data breach or affects the availability of the organization’s information systems.
5. Data sharing – Many cloud services are designed to make data sharing easy across
organizations, increasing the attack surface area for hackers who now have more targets
available to access critical data.
6. Denial-of-service attacks – The disruption of cloud infrastructure can affect multiple
organizations simultaneously and allow hackers to harm businesses without gaining access to
their cloud services accounts or internal network.
7. Data loss – Data loss, also known as data leakage, is one of the issues faced in cloud
computing. Our sensitive data is in the hands of somebody else, and we don't have full
control over our database. So, if the security of the cloud service is broken by hackers,
they may get access to our sensitive data or personal files.
8. Interference of hackers and insecure APIs – Cloud services are reached over the Internet,
and the easiest way to communicate with the cloud is through an API. So it is important to
protect the interfaces and APIs that are used by external users. In addition, a few cloud
services are available in the public domain; these are the vulnerable part of cloud computing
because they may be accessed by third parties, and with the help of these services hackers
can easily hack or harm our data.
9. User account hijacking – Account hijacking is the most serious security issue in cloud
computing. If the account of a user or an organization is hijacked by a hacker, the hacker
has full authority to perform unauthorized activities.
10. Changing service provider – Vendor lock-in is also an important security issue in cloud
computing. Many organizations face problems when shifting from one vendor to another. For
example, an organization that wants to shift from AWS Cloud to Google Cloud Services faces
problems such as moving all of its data and adapting to the different techniques and
functions of the two cloud services. The charges of AWS may also differ from those of
Google Cloud.
11. Lack of skill – Working with the cloud, shifting to another service provider, needing an
extra feature, or not knowing how to use a feature are the main problems for an IT company
that doesn't have skilled employees. So it requires a skilled person to work with cloud
computing.

The five main best practices to improve cloud security include:
 Encrypt traffic
 Develop and devise data backup and recovery plans
 Monitor the cloud environment
 Improve user account security by monitoring the account and the behavior within the account
 Cloud security posture assessment and management

Types of cloud security solutions

Several cloud security solution types are available, each suited to a particular task.

Identity and access management (IAM)


Identity and access management (IAM) is a business processes framework that facilitates policies
and technologies for digital identity management. IT managers can use IAM to control how an
organization's resources are accessed. IAM creates digital identities for each user, which facilitates
their monitoring and restrictions.

Data loss prevention (DLP)


Data loss prevention (DLP) is a set of tools and processes used to ensure the safety of business
data. It uses various tools like encryption, preventative measures, and remediation alerts to protect the
data in transit or at rest.

Security information and event management (SIEM)


Security information and event management (SIEM) is a security management approach to
orchestrate an organization's IT security. It uses various information and event management tools to
create a single dashboard using AI to correlate data across multiple platforms. This allows one to
easily have a full panoramic view of the organization's security.

Business continuity and disaster recovery


Business continuity (BC) and disaster recovery (DR) tools provide organizations with tools, services,
and protocols to restore an organization after an accident. These services help organizations to
reduce the risk of data loss and reputational harm and improve ongoing business operations.

Cloud security threats

Cloud systems are subject to the same risks that affect your on-premise infrastructure. However,
additional parties' involvement makes the total number of risks greater.

 Lack of complete control. As cloud services exist outside corporate networks, organizations don't
fully control all areas of cybersecurity.
 Multitenancy. When multiple clients are renting services from the same provider, it's possible to be
caught in an avalanche when one of your neighbors gets breached.
 Shadow IT. Cloud environments are notorious for shadow IT setups, especially when bring-your-own-
device (BYOD) policies are active.
 Misconfigurations. Misconfigurations are one of the most frequent reasons for data breaches. Insider
accidents frequently result in leaked client information, which is frustrating even if the security setup is
sound.

Cloud security tools


Here are some of the specific tools used for securing the cloud:

 Cloud Workload Protection Platform (CWPPs) — a security system designed to protect workloads
 Cloud Access Security Brokers (CASBs) — an intermediary between cloud customers and cloud
service enforcing security policies
 Cloud Security Posture Management (CSPM) — a collection of security tools facilitating
monitoring and misconfiguration detection
 Secure Access Service Edge (SASE) — a convergence of various security and networking tools,
making network security management easier
Finally, numerous additions like IAM web services, DLP tools, and other security tools help cloud
users.

How to secure the cloud


Here are some tips on how you could better secure your cloud information.

 Encryption. Encryption should be used for communication channels and permanent storage. That
way, the data is inaccessible in transit and when your server is breached.
 Secure configurations. Follow through with good hygiene in managing cybersecurity services.
This entails changing default passwords and learning more about the cloud provider's security controls.
 Use strong passwords. No security setup will help if your users reuse the same passwords. Strong
passwords raise the organization's entry bar, making it harder to penetrate.
 Restrict permissions. Permissions shouldn't be granted unless they are required to perform a
specific job role. While this seems restrictive, this also helps to prevent a lot of cybersecurity risks.
Finally, for the users relying on third-party providers, it cannot be overstated how crucial it is to
analyze the terms of service conditions. A clear division of responsibilities will help to ensure that
there are no grey zones that could be exploited. It's a crucial document that helps you understand your
current setup's weaknesses and what steps could be taken to improve it.

Data Level Security

What is cloud data security? Benefits and solutions

Cloud data security is the practice of protecting data and other digital information assets
from security threats, human error, and insider threats. It leverages technology, policies,
and processes to keep your data confidential and still accessible to those who need it in
cloud-based environments.

Cloud computing delivers many benefits, allowing you to access data from any device
via an internet connection to reduce the chance of data loss during outages or incidents
and improve scalability and agility. At the same time, many organizations remain
hesitant to migrate sensitive data to the cloud as they struggle to understand their
security options and meet regulatory demands.

Understanding how to secure cloud data remains one of the biggest obstacles to
overcome as organizations transition from building and managing on-premises data
centers. So, what is data security in the cloud? How is your data protected? And what
cloud data security best practices should you follow to ensure cloud-based data assets
are secure and protected?
Cloud data security defined

Cloud data security protects data that is stored (at rest) or moving in and out of the
cloud (in motion) from security threats, unauthorized access, theft, and corruption. It
relies on physical security, technology tools, access management and controls, and
organizational policies.

Why companies need cloud security

Today, we’re living in the era of big data, with companies generating, collecting, and
storing vast amounts of data by the second, ranging from highly confidential business or
personal customer data to less sensitive data like behavioral and marketing analytics.

Beyond the growing volumes of data that companies need to be able to access, manage,
and analyze, organizations are adopting cloud services to help them achieve more
agility and faster times to market, and to support increasingly remote or hybrid
workforces.

The traditional network perimeter is fast disappearing, and security teams are realizing
that they need to rethink current and past approaches when it comes to securing cloud
data. With data and applications no longer living inside your data center and more
people than ever working outside a physical office, companies must solve how to
protect data and manage access to that data as it moves across and through multiple
environments.
Data privacy, integrity, and accessibility

Cloud data security best practices follow the same guiding principles of
information security and data governance:

• Data confidentiality: Data can only be accessed or modified by authorized
people or processes. In other words, you need to ensure your organization’s data
is kept private.
• Data integrity: Data is trustworthy; in other words, it is accurate, authentic, and
reliable. The key here is to implement policies or measures that prevent your data
from being tampered with or deleted.
• Data availability: While you want to stop unauthorized access, data still needs to
be available and accessible to authorized people and processes when it’s needed.
You’ll need to ensure continuous uptime and keep systems, networks, and
devices running smoothly.

Often referred to as the CIA triad, these three broad pillars represent the core concepts
that form the basis of strong, effective security infrastructure—or any organization’s
security program. Any attack, vulnerability, or other security incident will likely violate
one (or more) of these principles. This is why security professionals use this framework
to evaluate potential risk to an organization’s data assets.
What are the challenges of cloud data security?

As more data and applications move out of a central data center and away from
traditional security mechanisms and infrastructure, the higher the risk of exposure
becomes. While many of the foundational elements of on-premises data security remain,
they must be adapted to the cloud.

Common challenges with data protection in cloud or hybrid environments include:

• Lack of visibility. Companies don’t know where all their data and applications
live and what assets are in their inventory.

• Less control. Since data and apps are hosted on third-party infrastructure, they
have less control over how data is accessed and shared.

• Confusion over shared responsibility. Companies and cloud providers share
cloud security responsibilities, which can lead to gaps in coverage if duties and
tasks are not well understood or defined.

• Inconsistent coverage. Many businesses are finding multicloud and hybrid cloud
to better suit their business needs, but different providers offer varying levels of
coverage and capabilities that can deliver inconsistent protection.

• Growing cybersecurity threats. Cloud databases and cloud data storage make
ideal targets for online criminals looking for a big payday, especially as
companies are still educating themselves about data handling and management in
the cloud.

• Strict compliance requirements. Organizations are under pressure to comply
with stringent data protection and privacy regulations, which require enforcing
security policies across multiple environments and demonstrating strong data
governance.

• Distributed data storage. Storing data on international servers can deliver lower
latency and more flexibility. Still, it can also raise data sovereignty issues that
might not be problematic if you were operating in your own data center.

What are the benefits of cloud data security?

Greater visibility

Strong cloud data security measures allow you to maintain visibility into the inner
workings of your cloud, namely what data assets you have and where they live, who is
using your cloud services, and the kind of data they are accessing.

Easy backups and recovery

Cloud data security can offer a number of solutions and features to help automate and
standardize backups, freeing your teams from monitoring manual backups and
troubleshooting problems. Cloud-based disaster recovery also lets you restore and
recover data and applications in minutes.

Cloud data compliance

Robust cloud data security programs are designed to meet compliance obligations,
including knowing where data is stored, who can access it, how it’s processed, and how
it’s protected. Cloud data loss prevention (DLP) can help you easily discover, classify,
and de-identify sensitive data to reduce the risk of violations.

Data encryption

Organizations need to be able to protect sensitive data whenever and wherever it goes.
Cloud service providers help you tackle secure cloud data transfer, storage, and sharing
by implementing several layers of advanced encryption for securing cloud data, both in
transit and at rest.

Lower costs

Cloud data security reduces total cost of ownership (TCO) and the administrative and
management burden of cloud data security. In addition, cloud providers offer the latest
security features and tools, making it easier for security professionals to do their jobs
with automation, streamlined integration, and continuous alerting.

Advanced incident detection and response

An advantage of cloud data security is that providers invest in cutting-edge AI
technologies and built-in security analytics that help you automatically scan for
suspicious activity to identify and respond to security incidents quickly.

Who is responsible for securing your data?

Cloud providers and customers share responsibility for cloud security. The exact
breakdown of responsibilities will depend on your deployment and whether you
choose IaaS, PaaS, or SaaS as your cloud computing service model.

In general, a cloud provider takes responsibility for the security of the cloud itself, and
you are responsible for securing anything inside of the cloud, such as data, user
identities, and their access privileges (identity and access management).

At Google Cloud, we follow a shared fate model. That means we are active partners in
ensuring our customers deploy securely on our platform. We can help you implement
best practices by offering secure-by-default configurations, blueprints, policy
hierarchies, and advanced security features to help develop security consistency across
your platforms and tools.
What it means to be compliant

Being compliant in the context of the cloud requires that any services and systems
protect data privacy according to legal standards and regulations for data protection,
data sovereignty, or data localization laws. Certain industries, such as healthcare or
financial services, will also have an additional set of laws that come with mandatory
guidelines and security protocols that will need to be followed.

That’s why it’s important to consider cloud service providers and evaluate their cloud
security carefully. Reputable cloud service providers will not only strive to ensure their
own services and platforms are compliant but should also be willing to collaborate with
you directly to understand and address your specific regulatory and risk management
needs.
Virtual Machine Security in Cloud

The term “Virtualized Security,” sometimes known as “security virtualization,” describes
security solutions that are software-based and created to operate in a virtualized IT
environment. This is distinct from conventional hardware-based network security, which is
static and is supported by equipment like conventional switches, routers, and firewalls.
Virtualized security is flexible and adaptive, in contrast to hardware-based security. It can be
deployed anywhere on the network and is frequently cloud-based, so it is not bound to a
specific device.
In Cloud Computing, where operators construct workloads and applications on demand,
virtualized security enables security services and functions to move around with those
on-demand workloads. This is crucial for virtual machine security. It is also crucial for
cloud security techniques such as isolating multitenant setups in public cloud settings.
Because data and workloads move around a complex ecosystem including several providers,
virtualized security’s flexibility is useful for securing hybrid and multi-cloud settings.

Types of Hypervisors

Type-1 Hypervisors

It runs directly on the bare system. Type 1 hypervisors include LynxSecure, RTS
Hypervisor, Oracle VM, Sun xVM Server, and VirtualLogix VLX. Since they are placed
on bare systems, Type 1 hypervisors do not have any host operating system.

Type-2 Hypervisor

It is a software interface that simulates the hardware that a system typically communicates
with. Examples of Type 2 hypervisors include containers, KVM, Microsoft Hyper-V,
VMware Fusion, Virtual Server 2005 R2, Windows Virtual PC, and VMware
Workstation 6.0.

Type I Virtualization

In this design, the Virtual Machine Monitor (VMM) sits directly above the hardware and
intercepts all interactions between the VMs and the hardware. On top of the VMM is a
management VM that handles other guest VM management and handles the majority of the
hardware connections. The Xen system is a common illustration of this kind of virtualization
design.

Type II virtualization

These architectures, like VMware Player, allow the VMM to operate as an
application within the host operating system (OS). I/O drivers and guest VM management are
the responsibilities of the host OS.
Service Provider Security
The system’s virtualization hardware shouldn’t be physically accessible to anyone who is not
authorized. Each VM can be given an access control that can only be established through the
hypervisor, in order to safeguard it against unwanted access by cloud administrators. The three
fundamental tenets of access control (identity, authentication, and authorization) will prevent
administrators from accessing data and system components without authorization.
Hypervisor Security
The hypervisor’s code integrity is protected via a technology called HyperSafe. By locking down
write-protected memory pages, it extends the hypervisor implementation and prohibits code
changes. By restricting access to its code, it defends the hypervisor from control-flow
hijacking threats. The only way to carry out a VM escape attack is through a local physical
setting. Therefore, insider attacks must be prevented in the physical cloud environment.
Additionally, the host OS and the interaction between the guest machines need to be
configured properly.

Virtual Machine Security

The administrator must set up a program or application that prevents virtual machines from
consuming additional resources without permission. Additionally, a lightweight process that
gathers logs from the VMs and monitors them in real time, so that any VM tampering can be
repaired, must run on a virtual machine. Security best practices must be used to harden the
guest OS and any running applications. These practices include setting up firewalls, host
intrusion prevention systems (HIPS), anti-virus and anti-spyware programs, web application
protection, and log monitoring in guest operating systems.

Guest Image Security

A policy to control the creation, use, storage, and deletion of images must be in place for
organizations that use virtualization. Image files must be analyzed to find viruses, worms,
spyware, and rootkits that hide from security software running in a guest OS.
Benefits of Virtualized Security
Virtualized security is now practically required to meet the intricate security requirements of a
virtualized network, and it is also more adaptable and effective than traditional physical
security.
• Cost-Effectiveness: Cloud computing’s virtual machine security enables businesses to
keep their networks secure without having to significantly raise their expenditures on
pricey proprietary hardware. Usage-based pricing for cloud-based virtualized security
services can result in significant savings for businesses that manage their resources
effectively.
• Flexibility: It is essential in a virtualized environment that security operations can follow
workloads wherever they go. A company is able to profit fully from virtualization while
simultaneously maintaining data security, thanks to the protection it offers across various
data centers and in multi-cloud and hybrid-cloud environments.
• Operational Efficiency: Virtualized security can be deployed more quickly and easily than
hardware-based security because it doesn’t require IT teams to set up and configure
several hardware appliances. Instead, they may quickly scale security systems by setting
them up using centralized software. Security-related duties can be automated when security
technology is used, which frees up more time for IT employees.
• Regulatory Compliance: Virtual machine security in cloud computing is a requirement for
enterprises that need to maintain regulatory compliance, because traditional hardware-based
security is static and unable to keep up with the demands of a virtualized network.

Virtual Machine Security Challenges

• As we previously covered, buffer overflows are a common component of classical network
attacks. Trojan horses, worms, spyware, rootkits, and DoS attacks are examples of
malware.
• In a cloud context, more recent attacks might be carried out via VM rootkits, hypervisor
malware, or guest hopping and hijacking. Man-in-the-middle attacks against VM
migrations are another form of attack. Typically, passwords or sensitive information are
stolen during passive attacks. Active attacks could alter the kernel’s data structures,
seriously harming cloud servers.
• HIDS and NIDS are both types of IDS. To supervise and check the execution of code, use
program shepherding. The RIO dynamic optimization infrastructure, the vSafe and
vShield tools from VMware, security compliance for hypervisors, and Intel vPro
technology are some further protective solutions.

Four Steps to ensure VM Security in Cloud Computing

Protect Hosted Elements by Segregation

To secure virtual machines in cloud computing, the first step is to segregate the newly hosted
components. Let’s take an example where three features that are now running on an edge
device may be placed in the cloud either as part of a private subnetwork that is invisible or as
part of the service data plane, with addresses that are accessible to network users.

All Components are Tested and Reviewed

Step two of cloud-virtual security is to confirm that virtual features and functions comply
with security standards before they are allowed to be implemented. Virtual networking is
subject to outside attacks, which can be dangerous, but insider attacks can be disastrous. When
a feature with a backdoor security flaw is added to a service, it becomes a part of the
infrastructure of the service and is far more likely to have unprotected attack paths to other
infrastructure pieces.

Separate Management APIs to Protect the Network

The third step is to isolate service from infrastructure management and orchestration. Because
they are created to regulate features, functions, and service behaviors, management APIs will
always pose a significant risk. All such APIs should be protected, and in particular the ones
that oversee infrastructure components, which service users should never access.

Keep Connections Secure and Separate

The fourth and last aspect of cloud virtual network security is to make sure that virtual
network connections do not cross over between tenants or services. Virtual networking is a
fantastic approach to building quick connections to scaled or redeployed features, but
each time a modification is made to the virtual network, it’s possible that an accidental
connection will be made between two distinct services, tenants, or feature/function
deployments. A data plane leak, a link between the actual user networks, or a management or
control leak could result from this, allowing one user to affect the service provided to another.
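
The checks behind steps one, three and four can be run against an inventory of virtual networks. The following is an added example, not part of the original notes: the inventory format, network names, tenants and addresses are constructed assumptions, and the audit treats any direct or transitive link between two networks as reachability.

```python
"""Audit a virtual-network inventory against the segregation steps above.
All names, tenants, links and addresses are constructed sample data."""
import ipaddress
from collections import defaultdict, deque

# Step one sample: three hosted features with their intended placement.
PRIVATE_SUBNET = ipaddress.ip_network("10.20.0.0/24")
FEATURES = [
    {"name": "session-db", "placement": "private", "address": "10.20.0.15"},
    {"name": "policy-engine", "placement": "private", "address": "198.51.100.7"},
    {"name": "edge-proxy", "placement": "data-plane", "address": "198.51.100.8"},
]

# Each virtual network has an owning tenant and a plane.
NETWORKS = {
    "vnet-a-data": {"tenant": "tenant-a", "plane": "service"},
    "vnet-a-priv": {"tenant": "tenant-a", "plane": "service"},
    "vnet-b-data": {"tenant": "tenant-b", "plane": "service"},
    "vnet-shared-tmp": {"tenant": "tenant-b", "plane": "service"},
    "vnet-mgmt": {"tenant": "provider", "plane": "management"},
    "vnet-orch": {"tenant": "provider", "plane": "management"},
}
# Links are peerings or routes between two networks (undirected).
LINKS = [
    ("vnet-a-data", "vnet-a-priv"),
    ("vnet-mgmt", "vnet-orch"),
    ("vnet-b-data", "vnet-shared-tmp"),
    ("vnet-shared-tmp", "vnet-a-priv"),  # accidental link left after a redeploy
]


def misplaced_private_features(features, private_subnet):
    """Step one: features meant to be invisible must sit inside the private subnet."""
    return [
        f["name"]
        for f in features
        if f["placement"] == "private"
        and ipaddress.ip_address(f["address"]) not in private_subnet
    ]


def components(networks, links):
    """Group networks into sets that can reach each other, directly or transitively."""
    adjacent = defaultdict(set)
    for a, b in links:
        if a not in networks or b not in networks:
            raise ValueError(f"link references unknown network: {a} <-> {b}")
        adjacent[a].add(b)
        adjacent[b].add(a)
    seen, groups = set(), []
    for start in sorted(networks):
        if start in seen:
            continue
        group, queue = set(), deque([start])
        while queue:
            node = queue.popleft()
            if node in group:
                continue
            group.add(node)
            queue.extend(adjacent[node] - group)
        seen |= group
        groups.append(group)
    return groups


def cross_tenant_groups(networks, links):
    """Step four: report connected groups that span more than one tenant."""
    findings = []
    for group in components(networks, links):
        tenants = {networks[n]["tenant"] for n in group}
        if len(tenants) > 1:
            findings.append((sorted(tenants), sorted(group)))
    return findings


def management_exposure(networks, links):
    """Step three: report management networks reachable from the service plane."""
    exposed = []
    for group in components(networks, links):
        planes = {networks[n]["plane"] for n in group}
        if {"service", "management"} <= planes:
            exposed.extend(
                n for n in sorted(group) if networks[n]["plane"] == "management"
            )
    return exposed


if __name__ == "__main__":
    print("misplaced private features:",
          misplaced_private_features(FEATURES, PRIVATE_SUBNET))
    for tenants, nets in cross_tenant_groups(NETWORKS, LINKS):
        print("cross-tenant group:", tenants, nets)
    print("exposed management networks:", management_exposure(NETWORKS, LINKS))
```

Running the same audit after every change to the virtual network catches the accidental connection at the point it is introduced, because the tenant-b to tenant-a path here only exists through an intermediate network.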
Virtualization based security and Multi-tenancy Issues

MULTI-TENANCY
The main driver for multi-tenancy is that a software provider gets many requests from
customers with customized needs. If the software product is implemented and delivered separately
for each customer's needs, the implementation takes more time to complete, the software cannot be
maintained easily because there are different implementations of the product, and the provider
needs to spend more money to satisfy different customers. Multi-tenancy exists to solve these
problems. It allows a single piece of software to be served to multiple customers by using
customized settings: the needs of each customer are stored in custom settings, and the provider
serves the same product configured to each customer's requirements and makes that configuration
available only to that customer. The tenants who share the software product cannot see each
other’s implementation of the product, and there is no contact between the customers sharing the
same software. The software provider must stay in contact with multiple customers to satisfy them.
Multi-tenancy means sharing application software between multiple users who have different
needs. Allocating a single instance of application software (i.e., the cloud) to multiple users is
called multi-tenancy, and each user is called a tenant. Users who need similar types of resources
are allocated a single instance of the cloud, so that the cost is shared between them and access to
a cloud computing instance becomes cost-effective. Multi-tenancy allows users to easily access,
maintain, configure and manipulate data stored in a single database running on the same operating
system. The data storage mechanism remains the same for all users who share the same hardware and
software resources. In a multi-tenant architecture, users cannot share or see each other’s data,
which is how security and privacy are provided. Multi-tenancy is the key technique for delivering
IaaS, SaaS and PaaS services in public and private clouds. When people discuss clouds, they
mainly speak about IaaS services. Both private and public cloud architectures go beyond features
such as virtualization and the concept of IT-as-a-Service, through payments, or billing back in the
case of private clouds, based on metered usage. An IaaS service has advanced features such as
Service Level Agreements (SLAs), Identity and Access Management (IDAM) for secure access, fault
tolerance, disaster recovery, dynamic resource allocation and many other important properties. By
injecting all these key services at the infrastructure level, clouds become multi-tenant to a
degree. Multi-tenancy goes beyond the IaaS layer to include the PaaS layer and finally the SaaS or
application layer. The IaaS layer contains servers, storage and networking components; the PaaS
layer consists of platforms for applications, such as Java Virtual Machines, Java compilers and
application servers; and the SaaS layer consists of applications: business logic, workflow,
databases and user interfaces.
Fig1: Architecture of Multitenancy
Tenant can like the full stream of applications that are widely used from the network application cloud
services to the user interface, depending on the degree of multi-tenancy provided by the provider.
Cloud computing multi-tenancy is used for most, if not all, of the SaaS systems, since computational
services are flexible and the distribution of these resources is determined by real usage.
There are different types of SaaS services that clients can access over the internet, from small
internet-based applications to very large software applications with very high security
requirements, depending on the type of information stored on the software vendor's infrastructure
outside the corporate network. There are basically two types of multi-tenancy techniques:
Virtual Multi-Tenancy: Computing and space capacity is shared by multiple users. Several
tenants are supported by virtual machines that run simultaneously on top of the same computing and
space resources.
Organic Multi-Tenancy: In organic multi-tenancy, each component, i.e. the hardware and
software resources throughout the network architecture, is owned by several tenants. Internet
multi-tenancy principles are introduced at three specific levels of customer integration.
They are:
• Data centre layer
• Infrastructure layer
• Application layer
The infrastructure layer and application layer customer integration levels are the latest additions
to the cloud computing model. This integration is used to reduce cost and to develop highly
scalable SaaS applications, which it does by compromising on security and customer segregation
requirements.
Data centre layer: This configuration provides the highest level of security requirements if
implemented correctly, with firewalls and access controls to meet business requirements as well as
defined security access to the physical location of the infrastructure providing the SaaS. Mostly,
data centre layer multi-tenancy acts as a service provider that rents cages to companies that host
their hardware, network, and software in the same building.
Infrastructure layer: In infrastructure layer multi-tenancy the software stacks are provided. Each
customer or tenant is provided with a dedicated software stack. This configuration saves costs
compared to data centre-layer multi-tenancy, because stacks are deployed based on actual customer
accounts. The high availability of hardware and software resources can be seen in this layer. In this
case, you can grow hardware requirements based on actual service use.
Application layer: Application-layer multi-tenancy requires architectural implementations at both the
software layer and the infrastructure layer. Modifications are required for the existing software
architecture, including multi-tenant patterns in the application layer. For example, multi-tenant
applications require application methods and database tables to access and store data from different
user accounts, which compromises on security. If done correctly, however, the benefit is cost savings.
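
The weakness and its fix in application-layer multi-tenancy, as an added example that is not from the original notes: a shared table with an assumed `tenant_id` column, first read by id alone and then through a store that binds the tenant into every statement. The table, tenant names and rows are constructed.

```python
"""Shared-table multi-tenancy: one schema, every row tagged with its tenant.
Table layout, tenants and rows are constructed sample data."""
import sqlite3


def make_db():
    """Create an in-memory database holding rows for two tenants."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices ("
        " id INTEGER PRIMARY KEY,"
        " tenant_id TEXT NOT NULL,"
        " customer TEXT NOT NULL,"
        " amount_cents INTEGER NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO invoices (id, tenant_id, customer, amount_cents)"
        " VALUES (?, ?, ?, ?)",
        [
            (1, "tenant-a", "Acme Ltd", 12000),
            (2, "tenant-a", "Bolt GmbH", 4500),
            (3, "tenant-b", "Cedar Inc", 99000),
        ],
    )
    return conn


def get_invoice_unscoped(conn, invoice_id):
    """Weak form: looks a row up by id alone, so a caller who supplies
    another tenant's id receives that tenant's data."""
    return conn.execute(
        "SELECT id, tenant_id, customer, amount_cents FROM invoices WHERE id = ?",
        (invoice_id,),
    ).fetchone()


class TenantStore:
    """Hardened form: the tenant is fixed when the store is created (taken
    from the authenticated session, never from request input) and is part
    of every statement, so a foreign id simply matches no row."""

    def __init__(self, conn, tenant_id):
        if not tenant_id:
            raise ValueError("tenant_id is required")
        self._conn = conn
        self._tenant = tenant_id

    def get(self, invoice_id):
        return self._conn.execute(
            "SELECT id, customer, amount_cents FROM invoices"
            " WHERE tenant_id = ? AND id = ?",
            (self._tenant, invoice_id),
        ).fetchone()

    def list_all(self):
        return self._conn.execute(
            "SELECT id, customer, amount_cents FROM invoices"
            " WHERE tenant_id = ? ORDER BY id",
            (self._tenant,),
        ).fetchall()

    def add(self, customer, amount_cents):
        cur = self._conn.execute(
            "INSERT INTO invoices (tenant_id, customer, amount_cents)"
            " VALUES (?, ?, ?)",
            (self._tenant, customer, amount_cents),
        )
        return cur.lastrowid

    def update_amount(self, invoice_id, amount_cents):
        cur = self._conn.execute(
            "UPDATE invoices SET amount_cents = ? WHERE tenant_id = ? AND id = ?",
            (amount_cents, self._tenant, invoice_id),
        )
        # False when the id does not exist or belongs to another tenant.
        return cur.rowcount == 1


if __name__ == "__main__":
    db = make_db()
    print("unscoped read of id 3:", get_invoice_unscoped(db, 3))
    print("tenant-a read of id 3:", TenantStore(db, "tenant-a").get(3))
```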
Software as a Service provides a software model to deliver software based applications to provide
remote access to the customers. A key feature of cloud multitenancy is the provision of SaaS services
to multiple tenants at the same time as a single application instance at the top of the shared
infrastructure.
Nowadays, SaaS applications are being built with centralization through a single instance of multi-
tenant architecture to provide an advanced rich experience compared to on-site models. The benefit of
multi-tenancy is that operating costs are minimized by splitting equipment, sharing computing
resources among various tenants, and simplifying maintenance and management efforts. All of these
advantages of a multi-tenancy impact of rising implementation costs in order to provide maximum
benefits for small and medium-sized organizations. Multi-Tenancy System Standards for Cloud
Services Providers include tenant data isolation, tenant environment isolation, tenant execution
isolation, tenant-aware protection, monitoring, maintenance, reporting and self-service
administration, separation of tenant customizations and business logic extensions, tenant-aware
version control, and tenant-aware error tracking and recovery. The degree of flexibility of the
framework is specified as how much of the base application, or the SaaS layer, is built to be
shared among tenants. The maximum degree of flexibility enables the database schema to be shared
and facilitates configuration of business logic, process and user experience levels. Personal
clouds are accessible at the lowest multi-tenancy levels and are more suitable for unique large
business clients.
MULTI-TENANCY SECURITY CHALLENGES
What is unique about Multi-Tenancy in Cloud Computing is that both the attacker and the victim are
sharing the same server (i.e. physical machine (PM)). Such a setup cannot be mitigated by traditional
security techniques and measures, simply because they are not designed to penetrate inside servers
and their monitoring techniques are limited to the network layer.
To illustrate, Fig. 2 shows the different cases of attacker and victim locations and the networking
between them. In case one, the attacker and the victim both are regular Internet users; in order to
defend against such attacks, traditional network security techniques and devices are efficient. In case
two, both attacker and victim are customers in the same Cloud provider but each one of them is located
on a separate server. This kind of setup is due to the utilization of the virtualization layer in the Cloud
Computing Model; to secure such a setup, virtual network security devices and techniques must be
implemented by Cloud providers.
Case three describes the problem that we intend to address in future work, where both the attacker and
the victim are customers in the same Cloud and are sharing the same server. Such a situation is due to
Multi-Tenancy; securing such a setup is not an easy task as network communication between the
attacker’s VM and the victim’s VM is limited within the physical machine (PM). Therefore, traffic
will not leave the physical machine, which makes it harder to mitigate with virtual network security
defenses than case two.
In order to address this vulnerability, we must first answer the following question: how is Multi-
Tenancy exploited? An answer can be found in [7], where an attack is generated over the Amazon EC2
Cloud to investigate data leakage. In order to carry out the attack, network probing is performed;
following this, a brute force attack is generated to take advantage of the Multi-Tenancy effect by
allocating the attacker’s VM beside the victim’s VM. The results show that by spending just a few
dollars, an attacker has a 40% chance to allocate his VM beside the victim’s VM. After achieving
Multi-Tenancy, a side channel attack (any attack that takes advantage of the system characteristics)
is generated to extract the data of the victims. Obviously, any tenant can attack
its neighbor because the type of attack that could be utilized, such as side channels, cannot be detected
by the hypervisor or even the operating system. There is no way, however, to remove the Multi-
Tenancy impact while retaining its advantages, yet the effect could be reduced, which is what this
paper is attempting to demonstrate. Multi-Tenancy cannot be avoided, yet a clever resource allocation
strategy can minimize the risk of Multi-Tenancy; in other terms, a resource allocation methodology
would increase the difficulty of obtaining Multi-Tenancy for users while being easily managed by
cloud providers.
Figure 3: Proposed System Model.
What is interesting about Multi-Tenancy is that in order to achieve it for targeted victims, the
attacker needs to invest effort, time and cost. So, by making Multi-Tenancy difficult for customers
to achieve, we are restricting the number of potential attackers.
Figure 2: Difference between Multi-Tenancy and Traditional Cases.
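
The effect of an allocation strategy can be measured from the provider's side. This added example (not from the paper cited above, and not its proposed model) compares two assumed placement policies on a constructed fleet and counts how many other tenants one account ends up sharing a physical host with; the fleet size, capacities and both policies are illustrative assumptions.

```python
"""Compare how many neighbours one account acquires under two VM placement
policies. Fleet size, capacities and both policies are illustrative assumptions."""
import random

HOSTS, SLOTS_PER_HOST, OTHER_TENANTS = 20, 8, 60


def build_fleet():
    """Each host is a list of tenant names; other tenants are placed round-robin."""
    fleet = [[] for _ in range(HOSTS)]
    for i in range(OTHER_TENANTS):
        fleet[i % HOSTS].append(f"tenant-{i}")
    return fleet


def free_hosts(fleet):
    """Indexes of hosts that still have at least one free slot."""
    hosts = [h for h, vms in enumerate(fleet) if len(vms) < SLOTS_PER_HOST]
    if not hosts:
        raise RuntimeError("fleet is full")
    return hosts


def place_spread(fleet, account, rng):
    """Policy 1: any host with a free slot, chosen uniformly at random."""
    return rng.choice(free_hosts(fleet))


def place_affinity(fleet, account, rng):
    """Policy 2: reuse a host the account already occupies while it has room;
    otherwise open the emptiest host (lowest index wins ties)."""
    candidates = free_hosts(fleet)
    own = [h for h in candidates if account in fleet[h]]
    if own:
        return own[0]
    return min(candidates, key=lambda h: (len(fleet[h]), h))


def neighbours_after(policy, launches, seed=1):
    """Launch `launches` VMs for one account and return the set of other
    tenants that end up sharing a physical host with it."""
    fleet, rng, account = build_fleet(), random.Random(seed), "account-x"
    for _ in range(launches):
        fleet[policy(fleet, account, rng)].append(account)
    return {t for vms in fleet if account in vms for t in vms if t != account}


def exposure(policy, launches, seed=1):
    """Fraction of the other tenants that became co-resident with the account."""
    return len(neighbours_after(policy, launches, seed)) / OTHER_TENANTS


if __name__ == "__main__":
    for name, policy in (("spread", place_spread), ("affinity", place_affinity)):
        print(f"{name:9s} exposure after 10 launches: {exposure(policy, 10):.2f}")
```

Under the affinity policy the account fills its own hosts before opening a new one, so the number of tenants it can sit beside grows only with the capacity it actually pays for.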
MULTI-TENANCY ECONONMICS
 Cost savings:- Multi-Tenancy provides cost savings over and above the simple economies of
scale that can be obtained from the convergence of IT services into a single operation. Systems
typically incur a certain amount of overhead memory and processing that can be significant
when compounded by many customers, particularly when customers are low. Multi-Tenancy
wipes out this cost by extending it to numerous customers. More cost savings can emerge out
of permitting costs for the basic programming, (for example, working systems and database the
executives systems). Put roughly, in the event that you can work everything on a solitary
programming case, you just need to acquire one programming permit. Cost savings can be
eclipsed by the trouble of scaling a solitary occurrence as request increments expanding the
exhibition of a case on a solitary server must be accomplished by acquiring quicker equipment,
for example, quick CPUs, more memory, and quicker disk systems, and these costs typically
increment quicker than if the heap was part between multiple servers with generally a similar
total capacity. Furthermore, the improvement of multi-tenant systems is progressively intricate
and security testing is increasingly thorough because of the blend of multiple client data.
 Data aggregation/data mining:- One of the most convincing purposes behind sellers/ISVs to
utilize multi-tenancy is the natural points of interest of data aggregation. Rather than social
event data from multiple data sources with conceivably extraordinary database outlines, all data
for all customers is contained in a typical database mapping. In this way, running inquiries
through customers, mining data, and pattern looking is much simpler. This is probably going to
be overhyped as one of the key multi-tenancy necessities is the need to prevent Service
Provider from getting to client (tenant) data. Furthermore, it is normal to distinguish the
operating database from the mining database (usually due to different workload
characteristics), thereby undermining the claim even more.
 Complexity:- Due to the additional complexities of configuration and the need to retain per-
tenant metadata, multi-tenant applications require greater development effort. Considerations
such as vector-based data sequence encrypting effective algorithm systems and virtualized
control interfaces must be taken into account.
 Release management:- Multi-Tenancy simplifies the process of handling updates. In the
conventional release management process, bundles comprising application and database
improvements are delivered to client desktops and/or storage machines; in the case of a single
instance, For each device, that would be one host PC. These things will be installed on any
given computer at that stage. The software usually just has to be installed on a single server for
a multi-tenant environment. This greatly increases the process of discharge power, and the size
will never again be subject to consumer quantities.
At the same time, multi-tenancy increases the risks and impacts involved in applying a new
release version. Since there is a single software instance serving multiple tenants, an update
to this instance may cause downtime for all tenants, even if the update is requested by and
useful for just one tenant. Likewise, bugs and issues that arise from applying
the latest version may show up in other tenants' customized view of the
application. Because of the potential downtime, the timing of a release may be restricted by the
usage schedules of more than one tenant.
BENEFITS OF MULTI-TENANCY
• Lower cost of ownership:- Since all customers have access to their apps from the same
technology platform, it is much easier to access regular and periodic notifications. You no
longer need to compensate for data customizations or add new features.
• Worry-free capacity:- Multi-tenancy allows businesses of all types to operate in the same
network and data center.
• API integration scalability:- Web API functionality is possible in single-instance deployments,
but in the multi-tenancy world, unique configuration requirements are now included in our product
roadmap, so as they become available, they are pushed out to all customers.
• Access to the latest releases:- Previously, anytime we decided to roll out a new version, it was
a long process because we had to code the improvement individually for each customer
instance and make sure it was consistent with their customizations, conduct QA, and then bring
the change into development. It was a time-consuming job for our support team with more than
100 clients. Now with our multi-tenant environment, because every consumer instance has the
same basic code, the roll-out of new releases will be very smooth and will provide faster access
to innovative features to reduce IT and connectivity costs.
• Configurable to your own needs:- It helps our clients to meet their requirements and contact
preferences in order to manage both IT and communication costs.
DISADVANTAGES OF MULTI-TENANCY:
• A multi-tenant system has less ability to meet low-level, per-tenant requirements than a
single-tenant system. This may not be a concern for you, but if your design requires a lot of
flexibility for each new tenant, it may not be the best solution.
• A multi-tenant system is more complicated than the comparable single-tenant system, the
design of which can stay largely unchanged. A single-tenant application needs no code to
detect which tenant a web request is for, or to prevent contamination of data among
tenants. Log files are also easier to handle, because logs are segregated by a
separate program instance for each tenant.
• Since a multi-tenant application is backed by a single database running on a single server,
there are fewer points of failure, but a failure at one of those points may prove to be much
more catastrophic. When the database for a multi-tenant app is unavailable, all tenants lose
service. By contrast, when a single-tenant application breaks, it takes down only a
single tenant; other instances remain unaffected.
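The two things a multi-tenant application must do that a single-tenant one need not, detecting which tenant a web request belongs to and keeping one tenant's rows away from another, are shown here as an added example that is not part of the original notes. The token map, table layout and function names are assumptions made for illustration, and an in-memory SQLite database stands in for the shared multi-tenant database.

```python
import sqlite3

# Constructed sample: hypothetical API tokens mapped server-side to tenants.
TOKENS = {"tok-acme": "acme", "tok-globex": "globex"}

class TenantError(Exception):
    """Raised for unauthenticated requests and for rows outside the caller's tenant."""

def make_db():
    # One shared table for all tenants (shared-schema multi-tenancy), constructed rows.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY,"
               " tenant_id TEXT NOT NULL, amount INTEGER NOT NULL)")
    db.executemany("INSERT INTO invoices VALUES (?, ?, ?)",
                   [(1, "acme", 100), (2, "acme", 250), (3, "globex", 900)])
    return db

def resolve_tenant(headers):
    # Tenant comes from the authenticated credential, never from a client-chosen field.
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or token not in TOKENS:
        raise TenantError("unauthenticated")
    return TOKENS[token]

def get_invoice_unscoped(db, invoice_id):
    # The mistake: a lookup by id alone returns any tenant's row.
    return db.execute("SELECT id, amount FROM invoices WHERE id = ?",
                      (invoice_id,)).fetchone()

class InvoiceRepo:
    """Bound to one tenant at construction, so no query can omit the tenant filter."""
    def __init__(self, db, tenant_id):
        self._db, self._tenant = db, tenant_id
    def list_all(self):
        return self._db.execute(
            "SELECT id, amount FROM invoices WHERE tenant_id = ? ORDER BY id",
            (self._tenant,)).fetchall()
    def get(self, invoice_id):
        row = self._db.execute(
            "SELECT id, amount FROM invoices WHERE id = ? AND tenant_id = ?",
            (invoice_id, self._tenant)).fetchone()
        if row is None:  # same answer for "missing" and "belongs to another tenant"
            raise TenantError("not found")
        return row

def handle_request(db, headers, invoice_id=None):
    repo = InvoiceRepo(db, resolve_tenant(headers))
    return repo.list_all() if invoice_id is None else repo.get(invoice_id)
```

A tenant-identifying header sent by the client is ignored on purpose: only the server-side token mapping decides which rows a request can reach.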
Cloud storage: Introduction to Storage Systems, Cloud Storage Concepts, Data in the cloud-
Cloud file systems.
