Unit - 5

Uploaded by Gririja

Agenda

• Risks in Cloud Computing:
  • Risk Management
  • Enterprise-Wide Risk Management
  • Types of Risks in Cloud Computing
• Data Security in Cloud:
  • Security Issues
  • Challenges, Advantages, Disadvantages
  • Cloud Digital Persona and Data Security
  • Content Level Security
• Cloud Security Services:
  • Confidentiality, Integrity and Availability
  • Security Authorization Challenges in the Cloud
  • Secure Cloud Software Requirements
  • Secure Cloud Software Testing
Introduction
• As cloud computing embraces new technologies such as virtualization, there are both new risks to be identified and already known risks to be re-evaluated.
• With the rise of the cloud computing paradigm, some new risks have appeared.
• Risks in cloud environments should be assessed at the service, data and infrastructure layers.
• The most significant risks presented by cloud computing are:
  • SLA violations,
  • the ability to adequately assess the risks of a cloud provider,
  • the responsibility to protect sensitive data,
  • virtualization-related risks,
  • loss of direct control over assets and software,
  • compliance risks, and
  • decreased reliability, since service providers may go out of business.
• There are, however, some risks that clients need to understand, and some points to address before taking up cloud-based services.
• Consumers should analyse whether cloud-based services are right for their needs and which of the available services are right for them.
• While evaluating prospective cloud-based service providers, one should keep these top five security concerns in mind:
1. Secure data transfer
2. Secure program interfaces
3. Secure stored data
4. User access control
5. Data separation
Risk Management
• Risk management is a significant part of business planning.
• The risk management process is intended to reduce or eliminate the risk of certain kinds of events occurring or having an impact on the business.
• Risk management is a method for
  • recognizing,
  • assessing and
  • prioritizing risks of different kinds.
• Once the risks are recognized, the risk manager will devise a plan to minimize or eliminate the impact of adverse events.
• There are several risk management standards, including those developed by the
  • Project Management Institute,
  • International Organization for Standardization (ISO),
  • National Institute of Standards and Technology (NIST) and
  • various societies.
• There are numerous kinds of risk that risk management plans can mitigate.

Process of Risk Management
• Risk management is a cyclically executed process comprising a set of activities for overseeing and controlling risks.
• Risk management follows a series of 5 steps to manage risk; it drives organizations to formulate a better strategy to tackle upcoming risks.
• Benefits of risk management:
1. Forecasting probable issues
2. Increased scope for growth
3. Business process improvement
4. Better budgeting
Risk Management in Cloud Computing
• More and more organizations are investing in cloud deployment infrastructure rather than on-premise infrastructure.
• This shift of technology introduces new risks associated with cloud computing, which need to be treated with foresight.
• To manage these risks, organizations implement risk management plans.
• Risk management is the process of identifying, assessing, and controlling threats to an organization's system security, capital and resources.
• Being an on-demand availability of system resources, such as computing power and data storage, cloud computing involves various types of risk, grouped into categories such as:
  • Privacy (risks such as controlled access, segmentation, risks from sub-letting services, and ownership claims),
  • Availability (risks such as service disruption),
  • Changes (risks such as changes in service and return on investment), and
  • Compliance (risks such as audit, storage location, and notification).
• The process for creating a cloud risk management strategy is as follows:
  • Risk identification
  • Risk assessment
  • Risk mitigation
  • Continuous monitoring and review
• Benefits of effective cloud risk management:
  • Stronger cloud security posture
  • Increased compliance
  • Proactive cyber threat mitigation
  • Improved business continuity and disaster recovery
  • Benefits realisation
  • Reduced costs
• Best practices for risk management in cloud computing:
  • Determine your business goals
  • Risk identification
  • Risk assessment
  • Risk remediation
  • Cloud monitoring capability
  • Policies and compliance requirements
  • Vendor management
  • Employee training
• How can you minimize the risks of cloud computing?
  • Multifactor authentication (MFA)
  • Network segmentation
  • Virtual private networks (VPNs)
  • Cloud audits
What is the difference between risks, threats, and challenges?
• A risk is a potential for loss of data or a weak spot.
• A threat is a type of attack or adversary.
• A challenge is an organization's hurdles in implementing practical cloud security.
• Let's consider an example: an API endpoint hosted in the cloud and exposed to the public Internet is a risk; the attacker who tries to access sensitive data using that API is the threat (along with any specific techniques they could try); and your organization's challenge is effectively protecting public APIs while keeping them available for legitimate users or customers who need them.

Need of Cloud Security?
• Live map: https://threatmap.bitdefender.com/
Types of Risks in Cloud Computing
• Operational risk
• Security risk
• Data risk
• Compliance risk
• Cloud vendor risk
• Availability risk
• Insider risk
• Financial risk
• Reputational risk

• Operational Risk – The risk of service disruptions due to misconfigurations, infrastructure failures, or human errors in managing cloud operations.
• Security Risk – The possibility of unauthorized access, data breaches, or cyberattacks due to vulnerabilities in cloud security settings.
• Data Risk – Risks related to data loss, corruption, or leakage, including insufficient encryption, improper access controls, and accidental deletions.
• Compliance Risk – The risk of failing to meet industry regulations (e.g., GDPR, HIPAA), which can lead to legal consequences or penalties.
• Cloud Vendor Risk – Dependence on third-party cloud providers can introduce risks like vendor lock-in, pricing changes, or service outages affecting business operations.
• Availability Risk – The risk that cloud services may experience downtime or outages, preventing users from accessing critical applications and data.
• Insider Risk – Threats posed by employees, contractors, or administrators who may intentionally or accidentally compromise cloud security.
• Financial Risk – Unexpected costs due to overuse, hidden fees, or inefficiencies in cloud resource allocation, impacting an organization's budget.
• Reputational Risk – Damage to an organization's brand and customer trust due to security breaches, compliance failures, or prolonged service outages.

• Security risk
  • These encompass all the cyber threats your company's cloud environment is susceptible to, which could compromise the security posture of the infrastructure itself or the data within it:
  • Unauthorised access
  • Data breaches
  • Malware
  • Misconfiguration
  • Application and system vulnerabilities
Enterprise Risk Management

https://community.trustcloud.ai/docs/grc-launchpad/grc-101/governance/understanding-enterprise-risk-management/

Enterprise Wide Risk Management
• Enterprise risk management vs. cybersecurity
  • Enterprise risk management: the process of identifying, assessing and mitigating the mountain of diverse risks (strategic, financial, legal and operational) that organizations face today. While cybersecurity deals specifically with digital threats, enterprise risk management takes a much broader view, also concerning itself with threats in the economic, environmental, financial, judicial, legislative and social spheres.
  • Cybersecurity: cybersecurity and risk management have distinct scopes but significant overlap. Cybersecurity primarily focuses on the protection of digital assets (such as information systems, networks and data) from unauthorized access, disruption or theft. It centers on the technical controls, policies and procedures that mitigate cyber-risks.
Enterprise Wide Risk Management
• The modern corporate organization faces a host of risks that can affect operational efficiency and regulatory compliance. Simple awareness is not enough to stay ahead of these risks.
• You must find ways to manage, mitigate, accept, or transfer these risks.
• Here's where enterprise risk management (ERM) comes in.
• It helps you manage, minimize, and in some cases eliminate risks, to keep your organization safe and in business.
• Enterprise risk management is a holistic, disciplined approach to identifying, addressing, and managing an organization's risks.
• Enterprise risk management (ERM) is the process of planning, organizing, directing and controlling the activities of an organization to minimize the harmful effects of risk on its capital and earnings.
• Enterprise risk management can include financial, strategic and operational risks as well as risks associated with accidental losses.
• ERM is an organization-wide strategy enacted to identify and prepare for potential hazards. Because risk management requires the understanding and analysis of the possible risks an organization might face, the ERM process must be proportionate to the size or complexity of the organization.
• ERM is designed to manage and identify risks across an organization and its extended networks.
• Components of enterprise risk management. The following components make up ERM:
  • Business and IT objectives. An organization's planned strategic initiatives must be included in all risk analysis and decision-making. A migration into cloud services, for example, definitively changes many controls and risk paradigms.
  • Risk appetite. To maintain business continuity, an enterprise needs to assess its tolerance in pursuit of strategic goals.
  • Culture and governance. Some organizations are generally risk-averse, while others promote risk cultures to pursue strategic initiatives. In addition, internal governance models and collaborative team structures differ widely across enterprises, affecting the way organizations make decisions and implement controls.
  • Compliance and control requirements. Internal standards as well as external regulatory and compliance requirements must be factored into risk and control decisions.
  • Measurement and reporting. All ERM programs need to provide timely and consistent output to a cross-section of stakeholders, ranging from corporate executives to operations professionals. The metrics used to measure progress as well as the reporting mechanisms and styles are important considerations.
Types of Enterprise Risks in Cloud Computing

[Figure: Types of Enterprise Risks in Cloud Computing – Unauthorized Access to Business Data, Cloud Vendor Security Risks, Compliance Risks, Operational Control, Availability Risks]

1) Unauthorized Access to Business Data
• Cloud computing services manage data from thousands of companies.
• Each company using a cloud service, however, increases the value of that service as a potential target for cyber attackers – and the risk is concentrated at a single point of failure (the cloud service provider).
• As a result, a cyberattack at a cloud provider could affect all of its customers.
• No business is safe in this scenario. Attackers may target small businesses because those companies typically have weaker controls and may be easier to breach.
• Alternatively, some attackers prefer to target larger companies because of the lure of hefty payouts.

2) Cloud Vendor Security Risks
• Using cloud providers exposes you to additional third-party risks. Doing business with any vendor that experiences business challenges such as bankruptcy, lawsuits, regulatory investigations, or other threats could inadvertently harm your organization's reputation and goodwill.
• Many small businesses know little about the technology behind the cloud services they use. As a result, your reputation no longer depends only on the integrity of your company: it now also relies on the integrity of the cloud provider's company. And that is a risk of cloud computing.
• Due to the ease of access to IaaS (infrastructure as a service), there has been a proliferation of innovative SaaS (software as a service) startups providing cloud services. Some offer unique features that traditional providers have left unmet.
• Some of these providers, however, may lack the expertise required to meet stringent control requirements. Their products may also be unsustainable for large organizations that need to exchange increasing amounts of data.

3) Compliance Risks
• Legal or compliance risks arise from non-compliance with various industry regulations or regulatory requirements, such as the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley Act (SOX), Gramm-Leach-Bliley Act (GLBA), or the European Union's General Data Protection Regulation (GDPR).
• When a data breach at a cloud service provider exposes personal data, your company may be held accountable if it does not have proper protections in place. In other words, even when the cloud service provider suffers the breach of your data, you will still suffer the consequences. Proper legal contracts that place as much of that responsibility as possible back upon the cloud provider are vital.

4) Operational Control
• When an organization manages its own IT infrastructure, such as enterprise tools, documents, computing resources, and processes, it has direct control over these elements (along with responsibility for their care).
• When outsourcing to a vendor cloud environment, the control resides with the cloud provider – not you.

5) Availability Risks
• If your Internet access is lost, you will be unable to access your provider's cloud service. You will have to wait until the Internet is back up and running if you need to use the cloud service to process customer payments or access sensitive data. You do not have this problem when operating on a local server.
• Another risk associated with the cloud is that the service provider may fail. The service can become unresponsive due to various factors, including adverse weather, distributed denial of service (DDoS) attacks, or some other system breakdown.
• Downtime of cloud environments, platforms, or infrastructure can significantly affect companies that rely primarily on cloud computing technologies for their day-to-day operations and corporations that provide user services.
Best Practices for Cloud Computing Risk Management
• Carefully select your cloud service provider (CSP)
• Establish adequate controls based on the risk treatment
• Deploy technical safeguards
• Vendor management
• Implement a comprehensive ERM framework

Carefully select your cloud service provider (CSP)
• Conduct supplier risk evaluations for contract clarity, ethics, legal liability, viability, security, compliance, availability, and business resilience, among other things.
• Determine whether or not the CSP itself has service providers it relies on to deliver its solutions, and adjust the scope accordingly.

Establish adequate controls based on the risk treatment
• After measuring the risks and determining the risk appetite, the resulting risk treatment solutions will drive the program in a reasonable, pragmatic and prioritized manner.
• An essential aspect of risk management is to build robust data classification and lifecycle management methods. It is also a good idea to incorporate processes in your service-level agreements (SLAs) for safeguarding, and even erasing, data hosted in the public cloud.

Deploy technical safeguards
• Technical safeguards, such as a cloud access security broker (CASB), can be cloud or on-premises security policy enforcement points between cloud service users and providers.
• A CASB serves as an enforcement point for enterprise security policies when users access cloud-based resources.

Vendor management
• Third-party suppliers' presence in cloud business models has generated security concerns. Many cloud services are subject to third-party security audits, such as those specified by the International Organization for Standardization (ISO).
• Consider building a public cloud strategy that includes security criteria for suitable SaaS usage to avoid security risks.

Implement a comprehensive ERM framework
• The Committee of Sponsoring Organizations (COSO) offers a comprehensive ERM framework to help you succeed, as does the International Organization for Standardization (ISO).
• Governance, risk management, and compliance (GRC) software can help you track and automate many of your risk management tasks to ensure compliance with various frameworks.
• Benefits of enterprise risk management
  • By creating a more risk-focused culture, organizations can integrate risk evaluation into business and IT practices, improving risk management across the organization.
  • Enterprises can implement more standardized risk reporting that helps with long-term metrics and measurement.
  • Organizations can improve focus and increase their perspective on risk in various categories.
  • Companies focusing on risk associated with business objectives might discover more efficient ways to use resources.
  • Highly regulated organizations can improve the coordination of regulatory and compliance issues across a diverse set of business objectives.
• Challenges of enterprise risk management
  • Capital and operational expenditures often increase initially because ERM programs can require expensive, specialized software and services.
  • ERM initiatives increase emphasis on governance, requiring business units to invest a significant amount of time in risk management.
  • Leaders might struggle to reach a consensus on risk severity and metrics across all units of an enterprise.
• ERM frameworks
  • ISO 31000 for risk management
  • The National Institute of Standards and Technology (NIST) Risk Management Framework
  • The Committee of Sponsoring Organizations (COSO)
  • British Standard 31100
Data Security in Cloud
• Cloud data security refers to the strategies, policies, and tools employed to protect sensitive information stored in cloud computing environments.
• This includes protecting not only the stored data but also the infrastructure supporting it.
• Cloud data security is the practice of protecting data and other digital information assets from security threats, human error, and insider threats.
• Understanding how to secure cloud data remains one of the biggest obstacles to overcome as organizations transition from building and managing on-premises data centers.
• The core principles of information security and data governance, namely data confidentiality, integrity, and availability (known as the CIA triad), also apply to the cloud:
  • Confidentiality: protecting the data from unauthorized access and disclosure
  • Integrity: safeguarding the data from unauthorized modification so it can be trusted
  • Availability: ensuring the data is fully available and accessible when it is needed
• People may confuse cloud data security with data security or cloud security, but cloud data security is not just about the data you have.
• It also encompasses data not bound by the constraints of your hardware. This includes:
  • Data in use: securing data used within an application.
  • Data in motion: transmitting data safely as it moves within a network, through encryption or additional security measures.
  • Data at rest: protecting data stored in any network location.
• Why do companies need data security?
  • With data and applications no longer living inside your data center, and more people than ever working outside a physical office, companies must solve how to protect data and manage access to that data as it moves across and through multiple environments.
• Who is responsible for cloud data security?
  • Cloud Service Provider (CSP) responsibilities:
    • Physical security
    • Network security
    • Patching vulnerabilities
    • Data encryption at rest
  • Customer responsibilities:
    • Data classification
    • Data encryption in transit
    • Identity and access management (IAM)
    • Data loss prevention
    • Secure configuration
Types of Data Security
• To enable the confidentiality, integrity and availability of sensitive information, organizations can implement the following data security measures:
  • Encryption
  • Data erasure
  • Data masking
  • Data resiliency

Encryption
• By using an algorithm to transform normal text characters into an unreadable format, encryption keys scramble data so that only authorized users can read it.
• File and database encryption software serve as a final line of defense for sensitive volumes by obscuring their contents through encryption or tokenization. Most encryption tools also include security key management capabilities.

Data erasure
• Data erasure uses software to completely overwrite data on any storage device, making it more secure than standard data wiping. It verifies that the data is unrecoverable.

Data masking
• By masking data, organizations can allow teams to develop applications or train people using real data. It masks personally identifiable information (PII) where necessary so that development can occur in environments that are compliant.

Data resiliency
• Resiliency depends on how well an organization endures or recovers from any type of failure, from hardware problems to power shortages and other events that affect data availability.
• Speed of recovery is critical to minimize impact.
• Common cloud data security risks
  • Data breaches
  • Insecure APIs
  • Lack of visibility and control over data storage
  • Insider threats
  • Denial of Service (DoS) attacks
  • Account hijacking and misuse of credentials
  • Inadequate security configurations and management
• Cloud data security best practices
1. Leverage advanced encryption capabilities
2. Implement data loss prevention measures
3. Enable unified visibility across private, hybrid, and multi-cloud environments
4. Ensure security posture and governance
5. Strengthen identity and access management (IAM)
6. Leverage cloud workload protection
• Challenges of cloud data security
  • Lack of visibility
  • Less control
  • Confusion over shared responsibility
  • Inconsistent coverage
  • Growing cybersecurity threats
  • Strict compliance requirements
  • Distributed data storage
• Benefits of cloud data security
1. Greater visibility
2. Easy backups and recovery
3. Cloud data compliance
4. Data encryption
5. Lower costs
6. Advanced incident detection and response
• Disadvantages of cloud data security
1. Bandwidth issues
2. Without excess
3. Data transfer capacity issues
4. More control
5. No redundancy
Cloud Digital Personas and Data Security
• Cloud Digital Personas and Data Security refers to the relationship between different digital identities (personas) in the cloud and the measures taken to protect data from unauthorized access, breaches, and misuse.
• A persona includes various aspects such as authentication credentials, access rights, online behavior, preferences, and security attributes.
• Key aspects:
  • Cloud Digital Personas – represent different user roles (e.g., end users, administrators, developers) interacting with cloud services.
  • Identity and Access Management (IAM) – ensures that only authorized personas can access specific cloud resources.
  • Data Protection – includes encryption, access controls, and data loss prevention strategies to secure cloud data.
  • Threat Management – detecting and mitigating risks associated with insider threats, cyberattacks, or compromised credentials.
  • Compliance and Regulations – ensuring that data handling meets legal and regulatory standards like GDPR, HIPAA, or ISO 27001.
• By managing digital personas effectively and implementing strong security measures, organizations can reduce vulnerabilities and safeguard sensitive data in cloud environments. Here are four areas where personas are important in optimizing your digital strategy:
1. Sharing knowledge between teams
2. Enabling design and testing
3. Supporting segmentation and targeting
4. Supporting campaign creation
Content Level Security (CLS)
• Content Level Security (CLS) is a feature that controls who has access to edit or read content.
• In the context of cloud security, CLS refers to controlling access to and permissions for specific content within a cloud environment, ensuring that only authorized users can view or modify certain data.
• The need for Content Level Security
  • For certain businesses, there is information that should not be shared or editable between divisions. There are two key scenarios, corresponding to different levels of access:
  • Completely confidential content: content can be accessed only from some business units. Other units are not aware that the content exists.
  • Safe reuse: a business unit can share content with other business units, but only in read-only mode.
• Understanding security levels
  • CLS uses a hierarchy of security levels, ranging from the most permissive (open) to the most restrictive (closed). These security levels determine what users can see.
  • The content security levels are (from most permissive to most restrictive):
    • Read-write: content is viewable and editable
    • Read-only: content is viewable, but cannot be edited
    • Invisible: content is not visible
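As an added example (not code from the original slides), the following Python models the CLS hierarchy described above: read-write above read-only above invisible, with the owning business unit holding read-write, "safe reuse" granting other units read-only, and invisible content omitted from listings and answered exactly like content that does not exist. The ContentPolicy class, the business-unit names and the sample content identifiers are constructed for this example.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """CLS security levels, ordered most-restrictive to most-permissive."""
    INVISIBLE = 0   # the unit is not even aware the content exists
    READ_ONLY = 1   # the unit can view the content but not edit it
    READ_WRITE = 2  # the unit can view and edit the content


@dataclass
class ContentPolicy:
    """Access policy for one content item (hypothetical structure).

    The owning business unit always has READ_WRITE.  Every other unit gets
    the level recorded in `grants`, or `default` when it has no grant; the
    default is INVISIBLE, so unshared content is completely confidential.
    """
    content_id: str
    owner_unit: str
    grants: dict = field(default_factory=dict)
    default: Level = Level.INVISIBLE

    def level_for(self, unit: str) -> Level:
        if unit == self.owner_unit:
            return Level.READ_WRITE
        return self.grants.get(unit, self.default)


def share_read_only(policy: ContentPolicy, unit: str) -> None:
    """Safe-reuse scenario: the owner shares content with another unit, but
    only in read-only mode.  READ_WRITE is never delegated this way."""
    if unit != policy.owner_unit:
        policy.grants[unit] = Level.READ_ONLY


# Minimum level each action requires.
REQUIRED = {"read": Level.READ_ONLY, "edit": Level.READ_WRITE}


def authorize(policies: dict, unit: str, content_id: str, action: str) -> str:
    """Return "allow", "deny" or "not_found".

    Content that is INVISIBLE to the unit is answered exactly like content
    that does not exist, so a caller cannot learn that a confidential item
    exists by comparing responses.  "deny" is only returned for content the
    unit is allowed to know about (e.g. trying to edit read-only content).
    """
    if action not in REQUIRED:
        raise ValueError(f"unknown action: {action!r}")
    policy = policies.get(content_id)
    if policy is None or policy.level_for(unit) == Level.INVISIBLE:
        return "not_found"
    return "allow" if policy.level_for(unit) >= REQUIRED[action] else "deny"


def visible_content(policies: dict, unit: str) -> list:
    """Listing view for a unit: invisible items are omitted entirely."""
    return sorted(cid for cid, p in policies.items()
                  if p.level_for(unit) >= Level.READ_ONLY)


# Constructed sample policies (not from the original slides).
POLICIES = {
    "payroll-2024": ContentPolicy("payroll-2024", owner_unit="finance"),
    "brand-guidelines": ContentPolicy("brand-guidelines", owner_unit="marketing"),
}
share_read_only(POLICIES["brand-guidelines"], "sales")

if __name__ == "__main__":
    for unit in ("finance", "marketing", "sales"):
        print(unit, "sees:", visible_content(POLICIES, unit))
    print("sales edit brand-guidelines:",
          authorize(POLICIES, "sales", "brand-guidelines", "edit"))
    print("sales read payroll-2024:",
          authorize(POLICIES, "sales", "payroll-2024", "read"))
```

The design point worth noticing is the three-way result: an ordinary two-way allow/deny would reveal, through the deny, that invisible content exists, which is exactly what the "completely confidential" scenario forbids.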
Here are some key aspects of content level security in the cloud:
• Encryption: utilizing encryption techniques to encode data, making it unreadable to unauthorized users. This can include data at rest (stored data) and data in transit (data being transmitted between systems).
• Access Control: implementing strict access controls to ensure that only authorized individuals or systems can view, modify, or delete specific content. This often involves the use of role-based access control (RBAC) and multi-factor authentication (MFA).
• Data Loss Prevention (DLP): employing DLP tools and strategies to prevent sensitive data from being leaked, whether intentionally or accidentally. This may involve monitoring and blocking the transmission of sensitive information.
• Digital Rights Management (DRM): applying DRM technologies to manage and enforce copyright and intellectual property rights for digital content. This can restrict the copying, sharing, and printing of protected content.
• Secure File Transfer: using secure protocols and methods for transferring files within the cloud environment, such as SFTP (Secure File Transfer Protocol) or encrypted file sharing services.
• Data Masking: employing data masking techniques to obscure or anonymize sensitive information, allowing for safe usage in non-production environments or for specific user roles.
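Data masking, described under Types of Data Security and again as a key aspect of content level security above, is shown here as an added Python example (not code from the slides). It masks a constructed customer record for different audiences: a keyed HMAC pseudonym for names and e-mail local parts (deterministic, so records for the same person still join), a format-preserving mask for card numbers, and an audience table so that, for instance, a support role sees contact details but never a full card number. The field names, the audiences and the masking key are assumptions made for this example.

```python
import hashlib
import hmac
import re

# Constructed key for this example.  In a real deployment the masking key is
# held in a secrets manager and is never copied to the non-production
# environment that receives the masked data.  A keyed HMAC is used rather
# than a plain hash because e-mail addresses and card numbers have small
# search spaces: with an unkeyed hash anyone could re-identify a value by
# hashing guesses and comparing.
MASKING_KEY = b"example-masking-key-not-for-real-use"


def pseudonym(value: str, length: int = 10) -> str:
    """Deterministic keyed pseudonym.  Equal inputs give equal outputs, so
    rows belonging to the same person still join after masking."""
    normalized = value.strip().lower().encode("utf-8")
    return hmac.new(MASKING_KEY, normalized, hashlib.sha256).hexdigest()[:length]


def mask_name(name: str) -> str:
    return "Person-" + pseudonym(name, 8)


def mask_email(email: str) -> str:
    """Replace the local part with a pseudonym; keep the (lower-cased) domain
    so mail-routing logic can still be exercised in test environments.  Use a
    fixed domain instead if domains themselves are sensitive."""
    local, sep, domain = email.partition("@")
    if not sep:
        return "user-" + pseudonym(email)
    return f"user-{pseudonym(email)}@{domain.lower()}"


def mask_card(number: str) -> str:
    """Format-preserving mask: all but the last four digits become X."""
    digits = re.sub(r"\D", "", number)
    if not 12 <= len(digits) <= 19:
        raise ValueError("not a plausible card number")
    masked = "X" * (len(digits) - 4) + digits[-4:]
    return " ".join(masked[i:i + 4] for i in range(0, len(masked), 4))


# Which masking function applies to which field (hypothetical schema).
MASKERS = {"name": mask_name, "email": mask_email, "card": mask_card}

# Which fields each audience may see unmasked.  Everything not listed is
# masked; an unknown audience gets nothing unmasked (fail closed).
CLEAR_FIELDS = {
    "production": {"name", "email", "card"},
    "support": {"name", "email"},   # may contact the customer, never sees the full PAN
    "nonprod": set(),               # developers and testers see only masked PII
}


def mask_record(record: dict, audience: str) -> dict:
    """Return a copy of `record` with PII masked for the given audience."""
    clear = CLEAR_FIELDS.get(audience, set())
    out = {}
    for name, value in record.items():
        masker = MASKERS.get(name)
        if masker is None or name in clear:
            out[name] = value          # not PII, or this audience may see it
        else:
            out[name] = masker(value)
    return out


# Constructed sample record (not real data).
SAMPLE = {
    "customer_id": 1042,
    "name": "Alice Example",
    "email": "Alice@Example.com",
    "card": "4111 1111 1111 1234",
    "plan": "gold",
}

if __name__ == "__main__":
    for audience in ("production", "support", "nonprod", "unknown-role"):
        print(audience, mask_record(SAMPLE, audience))
```

Running the block prints the same record four times with progressively more fields masked; the unknown audience receives the fully masked form because the lookup falls back to an empty clear set rather than to production visibility.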
Cloud Security Services
 While cloud computing has multiple business and technology
advantages, it has also expanded cyber security attack surface for
enterprises.
 In current business scenario enterprise data has become most
valuable assets & without efficient cloud security solutions the data
exfiltration’s are bound to be exploited.
 Security concerns such as
 compromised credentials,
 hacked interface and applications,
 data breaches,
 exploited system vulnerabilities along with lack of visibility,
 governance,
 expertise, and
 control
 can render organizations at major risk of cyber-attacks that could
have long-term, devastating effects not only on technology landscape
but also on business.
 Data Loss Prevention (DLP): Data Loss Prevention (DLP) services are dedicated
to safeguarding your sensitive data, such as credit card information or personal
health records, from accidental exposure or malicious access. By utilizing DLP
services, organizations can reduce the risk of data breaches and maintain the
confidentiality of critical information.
 Identity and Access Management (IAM): IAM services ensure that the right
individuals within an organization have the correct level of access to cloud
resources based on their specific roles or responsibilities. IAM services help
organizations handle the complex task of managing user permissions, simplify
access control, reduce the risk of unauthorized access, and improve the overall
security posture of their cloud systems.
 Email Security: It safeguards against email-related threats, including phishing
attempts and malware attacks, which often serve as the entry point for
cybercriminal activities. These services work persistently to identify and counteract
malicious emails, suspicious attachments, and links, preventing attackers from
gaining access to your systems through deceptive emails.
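As an added example (not from the original slides), a minimal DLP scan of constructed records for the credit card numbers the DLP bullet mentions, combined with the data-masking technique from the previous slide: candidates are found with a regex, confirmed with the Luhn checksum so order and tracking ids are not flagged, and masked down to the last four digits. The sample records, the regex and the masking policy are constructed for this demonstration.

```python
import re

# Constructed sample records, as a DLP filter would see them in a log export
SAMPLE_RECORDS = [
    "order 1042 paid with card 4111 1111 1111 1111, ship to 10 Main St",
    "support ticket: customer quoted tracking number 1234567890123456",
    "refund to 5500-0000-0000-0004 approved",
]

# Candidate runs of 13-19 digits, optionally separated by spaces or hyphens
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: rejects most random digit runs (order and tracking ids)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return the substrings that look like card numbers and pass the Luhn check."""
    return [m.group(0) for m in CARD_CANDIDATE.finditer(text)
            if luhn_valid(re.sub(r"[ -]", "", m.group(0)))]


def mask_card_numbers(text: str) -> str:
    """Data masking: keep only the last four digits so support staff can still match a card."""
    def _mask(m):
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):
            return raw  # not a card number: leave ordinary identifiers untouched
        return "*" * (len(digits) - 4) + digits[-4:]
    return CARD_CANDIDATE.sub(_mask, text)


def scan_records(records: list[str]) -> list[tuple[int, str]]:
    """DLP pass: (record index, masked record) for each record holding a card number."""
    return [(i, mask_card_numbers(r)) for i, r in enumerate(records) if find_card_numbers(r)]
```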
What are the Different Types of Cloud Security Services?
 Web Security: Web security protects your online activities and connections from
a wide range of cyber threats, regardless of where users are. Users access these
cloud services from various locations, whether in their corporate headquarters,
remote offices, or even from home. With web security measures, you can confidently
access websites and web-based applications, ensuring that your online interactions
are fortified against potential threats.
 Intrusion Detection and Response: Intrusion-detection solutions typically
scrutinize both inbound and outbound network traffic, identifying any unusual or
suspicious activity and promptly detecting potential threats. This is often achieved
through pattern recognition mechanisms that analyze specific signatures
and behaviors associated with known threats.
 Network and Application Protection: These services enforce security policies and
inspect network traffic to prevent unauthorized access at various points, providing
multi-layered protection for your network. They allow you to scrutinize and filter
traffic, reducing the risk of unauthorized access at various levels, including host,
network, and application boundaries.
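As an added example (not from the original slides) of the intrusion-detection approach described above, a small sensor that parses constructed proxy log lines and applies both a signature rule (a pattern matched against the request path) and a behavioural rule (repeated failed logins from one source). The log format, the rule names and the threshold are all constructed for this demonstration.

```python
import re
from collections import Counter

# Constructed web-proxy log lines (not real traffic): time src direction method path status
SAMPLE_LOG = """\
10:00:01 203.0.113.5 in GET /index.html 200
10:00:02 203.0.113.5 in GET /login 200
10:00:03 203.0.113.5 in POST /login 401
10:00:04 203.0.113.5 in POST /login 401
10:00:05 203.0.113.5 in POST /login 401
10:00:06 203.0.113.5 in POST /login 401
10:00:07 198.51.100.7 in GET /images/../../etc/passwd 404
10:00:08 10.0.0.12 out POST /api/v1/upload 200
garbage line that does not parse
"""

LOG_LINE = re.compile(r"^(\S+) (\S+) (in|out) (\S+) (\S+) (\d{3})$")

# Signature rules: a name and a pattern matched against the request path
SIGNATURES = {"path-traversal": re.compile(r"\.\./")}

# Behavioural rule: this many failed inbound logins from one source raise an alert
FAILED_LOGIN_THRESHOLD = 4


def parse(log: str) -> list[dict]:
    """Turn log text into event dicts; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LOG_LINE.match(line)
        if m:
            ts, src, direction, method, path, status = m.groups()
            events.append({"ts": ts, "src": src, "dir": direction, "method": method,
                           "path": path, "status": int(status)})
    return events

def detect(events: list[dict]) -> list[tuple[str, str]]:
    """Return (rule name, source address) for every rule a source triggers."""
    alerts = []
    for e in events:  # signature rules apply to inbound and outbound traffic alike
        for name, pattern in SIGNATURES.items():
            if pattern.search(e["path"]):
                alerts.append((name, e["src"]))
    failed = Counter(e["src"] for e in events
                     if e["dir"] == "in" and e["path"] == "/login" and e["status"] == 401)
    for src, n in failed.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            alerts.append(("login-brute-force", src))
    return alerts
```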
 Data Protection: Data protection services help to safeguard your data and
workloads from unauthorized access through key management and data
discovery services. They ensure the confidentiality and integrity of your
information stored in the cloud.
 Compliance: Cloud security services help organizations maintain compliance
by providing an overview of their compliance status and conducting automated
compliance checks based on industry standards. This ensures that your cloud
environment aligns with regulatory requirements and industry-specific best
practices, minimizing compliance-related risks.
Contd…
 What are some cloud security challenges?
 Lack of visibility
 Multitenancy
 Access management and shadow IT
 Compliance
 Misconfigurations
Confidentiality, Integrity & Availability
Confidentiality
 Confidentiality involves the efforts of an organization to make sure data is
kept secret or private.
 To accomplish this, access to information must be controlled to prevent the
unauthorized sharing of data—whether intentional or accidental.
 A key component of maintaining confidentiality is making sure that people
without proper authorization are prevented from accessing assets important
to your business.
 Conversely, an effective system also ensures that those who need to have
access have the necessary privileges.
 For example, those who work with an organization’s finances should be
able to access the spreadsheets, bank accounts, and other information
related to the flow of money. However, the vast majority of other
employees—and perhaps even certain executives—may not be granted
access. To ensure these policies are followed, stringent restrictions have
to be in place to limit who can see what.
 Confidentiality
 There are several ways confidentiality can be compromised. This may involve direct attacks
aimed at gaining access to systems the attacker does not have the rights to see. It can also
involve an attacker making a direct attempt to infiltrate an application or database so they
can take data or alter it.
 These direct attacks may use techniques such as man-in-the-middle (MITM) attacks,
where an attacker positions themselves in the stream of information to intercept data and
then either steal or alter it. Some attackers engage in other types of network spying to gain
access to credentials.
 In some cases, the attacker will try to gain more system privileges to obtain the next level of
clearance.
 However, not all violations of confidentiality are intentional. Human error or insufficient
security controls may be to blame as well. For example, someone may fail to protect their
password—either to a workstation or to log in to a restricted area. Users may share their
credentials with someone else, or they may allow someone to see their login while they enter
it. In other situations, a user may not properly encrypt a communication, allowing an
attacker to intercept their information. Also, a thief may steal hardware, whether an entire
computer or a device used in the login process and use it to access confidential information.
 To fight against confidentiality breaches, you can classify and label restricted data, enable
access control policies, encrypt data, and use multi-factor authentication (MFA) systems. It
is also advisable to ensure that everyone in the organization has the training and knowledge
they need to recognize the dangers and avoid them.
 Data Integrity
 Integrity involves making sure your data is trustworthy and free from
tampering.
 The integrity of your data is maintained only if the data is authentic,
accurate, and reliable.
 For example, if your company provides information about senior
managers on your website, this information needs to have
integrity. If it is inaccurate, those visiting the website for
information may feel your organization is not trustworthy.
Someone with a vested interest in damaging the reputation of
your organization may try to hack your website and alter the
descriptions, photographs, or titles of the executives to hurt their
reputation or that of the company as a whole.
 Data Integrity
 Compromising integrity is often done intentionally. An attacker may bypass an
intrusion detection system (IDS), change file configurations to allow
unauthorized access, or alter the logs kept by the system to hide the attack.
Integrity may also be violated by accident.
 Someone may accidentally enter the wrong code or make another kind of
careless mistake. Also, if the company’s security policies, protections, and
procedures are inadequate, integrity can be violated without any one person in
the organization being accountable.
 To protect the integrity of your data, you can use hashing, encryption, digital
certificates, or digital signatures.
 For websites, you can employ trustworthy certificate authorities (CAs) that
verify the authenticity of your website so visitors know they are getting the site
they intended to visit.
 A method for verifying integrity is non-repudiation, which refers to when
something cannot be repudiated or denied. For example, if employees in your
company use digital signatures when sending emails, the fact that the email
came from them cannot be denied. Also, the recipient cannot deny that they
received the email from the sender.
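As an added example (not from the original slides), the hashing-based integrity checks mentioned above, applied to a constructed version of the executive record from the website scenario: an unkeyed SHA-256 checksum only catches accidental corruption, because whoever edits the record can recompute it, while an HMAC tag under a key the editor lacks catches deliberate changes. The record, the key and the function names are constructed for this demonstration; non-repudiation would additionally need an asymmetric digital signature, which the Python standard library does not provide, so it is not shown here.

```python
import hashlib
import hmac
import json

# Constructed example: the executive record from the website scenario on the slide
EXEC_RECORD = {"name": "A. Example", "title": "Chief Financial Officer"}

# Constructed key; in practice it lives in a secrets manager, never next to the data
INTEGRITY_KEY = b"constructed-demo-key-do-not-reuse"


def canonical(record: dict) -> bytes:
    """Serialize deterministically so identical content always hashes identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def checksum(record: dict) -> str:
    """Unkeyed SHA-256: catches accidental corruption, not deliberate edits."""
    return hashlib.sha256(canonical(record)).hexdigest()


def tag(record: dict, key: bytes = INTEGRITY_KEY) -> str:
    """Keyed HMAC-SHA256: a valid tag cannot be produced without the key."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_tag(record: dict, expected: str, key: bytes = INTEGRITY_KEY) -> bool:
    # compare_digest does not leak where the two tags differ through timing
    return hmac.compare_digest(tag(record, key), expected)


def altered_with_fresh_checksum(record: dict) -> tuple[dict, str]:
    """Why an unkeyed checksum stored beside the data is not enough: whoever can
    edit the record can recompute the checksum, so the stored pair still 'verifies'."""
    altered = dict(record, title="Intern")
    return altered, checksum(altered)
```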
 Data Availability
 Even if data is kept confidential and its integrity maintained, it is often useless
unless it is available to those in the organization and the customers they serve.
This means that systems, networks, and applications must be functioning as
they should and when they should. Also, individuals with access to specific
information must be able to consume it when they need to, and getting to the
data should not take an inordinate amount of time.
 If, for example, there is a power outage and there is no disaster recovery
system in place to help users regain access to critical systems,
availability will be compromised. Also, a natural disaster like a flood or
even a severe snowstorm may prevent users from getting to the office,
which can interrupt the availability of their workstations and other
devices that provide business-critical information or applications.
Availability can also be compromised through deliberate acts of
sabotage, such as the use of denial-of-service (DoS) attacks or
ransomware.
 Data Availability
 To ensure availability, organizations can use redundant networks,
servers, and applications.
 These can be programmed to become available when the primary
system has been disrupted or broken.
 You can also enhance availability by staying on top of upgrades to
software packages and security systems. In this way, you make it less
likely for an application to malfunction or for a relatively new threat to
infiltrate your system.
 Backups and full disaster recovery plans also help a company regain
availability soon after a negative event.
Contd…
 Benefits of the CIA triad
 Data security and privacy
 Compliance
 Proactive risk prevention
 Comprehensiveness
 CIA triad challenges
 Large data volumes
 Data stewardship and governance
 Internet of things (IoT) security and privacy
 Security in product development
Contd…
 Best practices for implementing the CIA triad
 Confidentiality
 Follow an organization's data-handling security policies.
 Use encryption and 2FA.
 Keep access control lists and other file permissions up to date.
 Integrity
 Ensure employees are knowledgeable about compliance and
regulatory requirements to minimize human error.
 Use backup and recovery software and services.
 Use version control, access control, security control, data logs and
checksums.
 Availability
 Use preventive measures, such as redundancy, failover and RAID.
 Ensure systems and applications stay updated.
 Use network or server monitoring systems.
 Have a data recovery and business continuity plan in place in case
of data loss.
Secure Cloud Software Requirements
 When enterprises take up cloud computing and establish
databases in virtual environments, they run the risk of exposing
highly sensitive data to internal and external attacks.
 The secure cloud software requirements are described as
follows:
1. The method of access to the cloud
2. The architecture of the cloud
3. The features of the multi-tenant environment
Cloud Based Software Testing
 Cloud-based software testing is a set of procedures,
tools, and processes that testers leverage to test software
efficiently and precisely.
 With the utilization of Cloud service models, enterprises
can implement testing as a service, without the need to
completely invest in testing labs, tools, or infrastructure.
 Cloud services deal with not just testing but also
everything from cloud security, software development,
resource utilization, etc.
Contd…
 Without a proper test, the software will always be
vulnerable to threats, errors, security breaches, and many
more factors that will significantly affect customer
experiences.
 Therefore, while selecting a test tool, infrastructure, or
automation service from the cloud, testers must completely
understand its platform compatibility, resource support,
flexibility, and service cost.
Contd…
 Benefits of Cloud-Based Software Testing
1. It significantly reduces expenses and process cycles
by sharing resources when the testing strategy is
performed.
2. A better testing environment through virtual testing
infrastructures.
3. The pay-per-use policy of cloud services is the most notable
factor for enterprises.
Link
Case studies: successful ERM implementation in businesses
 ERM - https://community.trustcloud.ai/docs/grc-launchpad/grc-101/governance/understanding-enterprise-risk-management/
Cloud Security Services
 https://chatgpt.com/c/67ecda78-f548-800a-a60a-5241f2a234c6