UNIT – 3 Prepared By MAV

Unit III
ACCESS CONTROL AND IDENTITY MANAGEMENT
Access control requirements for Cloud infrastructure – User Identification –
Authentication and Authorization – Roles-based Access Control – Multi-factor
authentication – Single Sign-on, Identity Federation – Identity providers and service
consumers – Storage and network access control options – OS Hardening and
minimization – Verified and measured boot – Intruder Detection and prevention

1.Access control requirements for Cloud infrastructure

Access control is a security technique that regulates who or what can view or use
resources in a computing environment. It is a fundamental concept in security
that minimizes risk to the business or organization.
There are two types of access control:
✓ physical
✓ logical
❖ Physical access control limits access to campuses, buildings, rooms and physical IT
assets.
❖ Logical access control limits connections to computer networks, system files and data.
❖ To secure a facility, organizations use electronic access control systems that rely on
user credentials, access card readers, auditing and reports to track employee access to
restricted business locations and proprietary areas, such as data centers.
❖ Some of these systems incorporate access control panels to restrict entry to rooms and
buildings, as well as alarms and lockdown capabilities, to prevent unauthorized access
or operations.
❖ Logical access control systems perform identification authentication and
Authorization of users and entities by evaluating required login credentials that can
include passwords, personal identification numbers, biometric scans, security tokens
or other authentication factors. Multifactor authentication (MFA), which requires two
or more authentication factors, is often an important part of a layered defense to
protect access control systems.

Dept., of CSE. /III CSE/SEM-VI 1 A.V.C.C.E

UNIT – 3 Prepared By MAV

Why is access control important?

❖ The goal of access control is to minimize the security risk of unauthorized access to
physical and logical systems.
❖ Access control is a fundamental component of security compliance programs that
ensures security technology and access control policies are in place to protect
confidential information, such as customer data.
❖ Most organizations have infrastructure and procedures that limit access to networks,
computer systems, applications, files and sensitive data, such as personally identifiable
information and intellectual property.
❖ Access control systems are complex and can be challenging to manage in dynamic IT
environments that involve on-premises systems and cloud services. After high-profile
breaches, technology vendors have shifted away from single sign-on systems to
unified access management, which offers access controls for on-premises and cloud
environments.
How access control works
❖ Access controls identify an individual or entity, verify the person or application is
who or what it claims to be, and authorizes the access level and set of actions
associated with the username or IP address.
❖ Directory services and protocols, including Lightweight Directory Access Protocol
and Security Assertion Markup Language, provide access controls for authenticating
and authorizing users and entities and enabling them to connect to computer
resources, such as distributed applications and web servers.
❖ Organizations use different access control models depending on their compliance
requirements and the security levels of IT they are trying to protect.

Dept., of CSE. /III CSE/SEM-VI 2 A.V.C.C.E

UNIT – 3 Prepared By MAV

Types of access control

The main models of access control are the following:
• Mandatory access control (MAC). This is a security model in which access rights
are regulated by a central authority based on multiple levels of security. Often used
in government and military environments, classifications are assigned to system
resources and the operating system or security kernel. MAC grants or denies access
to resource objects based on the information security clearance of the user or device.
For example, Security-Enhanced Linux is an implementation of MAC on Linux.
• Discretionary access control (DAC). This is an access control method in which
owners or administrators of the protected system, data or resource set the policies
defining who or what is authorized to access the resource. Many of these systems
enable administrators to limit the propagation of access rights. A common criticism
of DAC systems is a lack of centralized control.
• Role-based access control (RBAC). This is a widely used access control mechanism
that restricts access to computer resources based on individuals or groups with
defined business functions -- e.g., executive level, engineer level 1, etc. -- rather than
the identities of individual users. The role-based security model relies on a complex
structure of role assignments, role authorizations and role permissions developed
using role engineering to regulate employee access to systems. RBAC systems can
be used to enforce MAC and DAC frameworks.
• Rule-based access control. This is a security model in which the system
administrator defines the rules that govern access to resource objects. These rules
are often based on conditions, such as time of day or location. It is not uncommon to
use some form of both rule-based access control and RBAC to enforce access policies
and procedures.
• Attribute-based access control. This is a methodology that manages access rights by
evaluating a set of rules, policies and relationships using the attributes of users,
systems and environmental conditions.

Dept., of CSE. /III CSE/SEM-VI 3 A.V.C.C.E

 UNIT – 3 Prepared By MAV

Implementing access control

Access control is integrated into an organization's IT environment. It can involve
identity management and access management systems. These systems provide access
control software, a user database and management tools for access control policies,
auditing and enforcement.
When a user is added to an access management system, system administrators
use an automated provisioning system to set up permissions based on access control
frameworks, job responsibilities and workflows.
The best practice of least privilege restricts access to only resources that
employees require to perform their immediate job functions.
Challenges of access control
Many of the challenges of access control stem from the highly distributed nature of
modern IT. It is difficult to keep track of constantly evolving assets because they are
spread out both physically and logically. Specific examples of challenges include the
following:
• dynamically managing distributed IT environments;
• password weakness;
• compliance visibility through consistent reporting;
• centralizing user directories and avoiding application-specific silos; and
• data governance and visibility through consistent reporting.
❖ Many traditional access control strategies -- which worked well in static environments
where a company's computing assets were help on premises -- are ineffective in today's
dispersed IT environments.
❖ Modern IT environments consist of multiple cloud-based and hybrid implementations,
which spreads assets out over physical locations and over a variety of unique devices, and
require dynamic access control strategies. Organizations often struggle to understand the
difference between authentication and authorization. Authentication is the process of
verifying individuals are who they say they are using biometric identification and MFA.

Dept., of CSE. /III CSE/SEM-VI 4 A.V.C.C.E

 UNIT – 3 Prepared By MAV

The distributed nature of assets gives organizations many avenues for authenticating an
individual.
❖ Authorization is the act of giving individuals the correct data access based on their
authenticated identity. One example of where authorization often falls short is if an
individual leaves a job but still has access to that company's assets.
❖ This creates security holes because the asset the individual used for work -- a smartphone
with company software on it, for example -- is still connected to the company's internal
infrastructure but is no longer monitored because the individual is no longer with the
company. Left unchecked, this can cause major security problems for an organization.
❖ If the ex-employee's device were to be hacked, for example, the attacker could gain access
to sensitive company data, change passwords or sell the employee's credentials or the
company's data. One solution to this problem is strict monitoring and reporting on who
has access to protected resources so, when a change occurs, it can be immediately
identified and access control lists and permissions can be updated to reflect the change.
Another often overlooked challenge of access control is user experience.
❖ If an access management technology is difficult to use, employees may use it incorrectly or
circumvent it entirely, creating security holes and compliance gaps.
❖ If a reporting or monitoring application is difficult to use, the reporting may be
compromised due to an employee mistake, which would result in a security gap because
an important permissions change or security vulnerability went unreported.
Access control software
Many types of access control software and technology exist, and multiple
components are often used together as part of a larger identity and access
management (IAM) strategy. Software tools may be deployed on premises, in the cloud
or both. They may focus primarily on a company's internal access management or
outwardly on access management for customers. Types of access management software
tools include the following:
• reporting and monitoring applications
• password management tools

Dept., of CSE. /III CSE/SEM-VI 5 A.V.C.C.E

UNIT – 3 Prepared By MAV

• provisioning tools
• identity repositories
• security policy enforcement tools

2.Roles-based Access Control

❖ Role-Based Access Control (RBAC) is a method for restricting network access based
on the roles of individual users. RBAC allows employees to access only the
information they need to do their job.
❖ Employee roles in an organization determine the privileges granted to individuals
and prevent lower-level employees from accessing sensitive information or
performing higher-level tasks. In the role-based access control data model, roles are
based on several factors, including authorizations, responsibilities, and job skill.
❖ This model allows businesses to specify whether individuals are end-users,
administrators, or expert users. Additionally, a user’s access to computing resources
may be restricted to certain operations, such as viewing, creating, or modifying files.
❖ Network access restrictions are especially important for organizations with large
numbers of employees and for organizations that allow access to third parties such as
customers and suppliers, which can be difficult to monitor. Companies that rely on
RBAC can better protect their sensitive data and applications.
How Role-Based Access Control Works
Before implementing RBAC in an enterprise, the organization should define the
permissions for each role as thoroughly as possible. This includes precisely defining
permissions in the following areas:
• Permissions to modify data (e.g., read, write, full access)
• Permission to access company applications
• Permissions inside an application

Dept., of CSE. /III CSE/SEM-VI 6 A.V.C.C.E

 UNIT – 3 Prepared By MAV

❖ The first step to getting the most out of RBAC is to model roles and permissions. This
includes assigning all employee responsibilities to specific roles that determine
appropriate privileges.
❖ The organization can then assign roles based on the employee’s responsibilities. Role-
based access control allows organizations to assign one or more roles to each user or
assign permissions individually. The goal is to define permissions that allow users to
perform their tasks without further changes.
❖ Organizations use Identity and Access Management (IAM) systems to implement and
monitor RBAC. IAM primarily supports businesses with large numbers of employees by
logging, monitoring, and updating all identities and permissions.
❖ Assigning permission is called “provisioning” and removing permission is called
“deprovisioning”. This type of system requires organizations to establish a unified and
standardized set of roles.
What Is an RBAC Role?
❖ Within the RBAC framework, roles are semantics that organizations can use to build
their privileges. Roles can be defined by various criteria, such as authority,
responsibility, cost center, business unit, and more.
❖ A role is a collection of user privileges. Roles are different from traditional groups,
which are collections of users. In the context of RBAC, permissions are not directly
associated with identities but rather with roles.
❖ Roles are more reliable than groups because they are organized around access
management. In a typical organization, features and activities change less frequently
than identities.

The RBAC Model

❖ There are three types of access control in the RBAC standard: core, hierarchical,
and restrictive.

Dept., of CSE. /III CSE/SEM-VI 7 A.V.C.C.E

UNIT – 3 Prepared By MAV

i. Core RBAC
The core model describes the key elements of a role-based access control system. Core
RBAC can serve as a standalone access control method, but it is also the basis for the
hierarchical and constraint models.
All RBAC models must adhere to the following rules:
• Role assignment—a subject can only exercise privileges when the subject is
assigned a role.
• Role authorization—the system must authorize a subject’s active role.
• Permission authorization—a subject can only apply permissions granted to the
subject’s active role.
ii. Hierarchical RBAC
Hierarchical RBAC builds on the basic RBAC model and introduces a role hierarchy.
A role hierarchy is a way to structure roles to reflect a complex organizational structure
and enable sharing and inheritance of permissions between roles. A simple example of
hierarchical RBAC is a series of roles, in which each role inherits the permissions of the
previous one, and adds more permissions:
• Guest user – limited permissions
• Regular user – same permissions as guest user and more
• Power user – same permissions as regular user and more
• Administrator – same permissions as a power user and more
This is useful because any permission added to the guest user, for example, will
automatically be added to all roles.
Hierarchical RBAC supports several types of hierarchies:
• Tree – bottom-up hierarchy in which the elements at the bottom of the tree grant
permissions to elements higher up. For example, at the bottom is a departmental
role with general permissions, which grants permissions to multiple employees.
• Inverted tree – top-down hierarchy in which senior roles inherit some of their
permissions to junior roles under them.

Dept., of CSE. /III CSE/SEM-VI 8 A.V.C.C.E

UNIT – 3 Prepared By MAV

• Lattice – a combination of bottom-up and top-down, where every role can inherit
permissions from nodes below it and above it.

iii.Constrained RBAC
Constrained RBAC adds separation of duties to the core model. There are two types of
separation of duties:
• Static Separation of Duties (SSD)—no single user can have mutually exclusive roles
(as defined by the organization). SSD prevents, for example, one person from making
purchases and approving those purchases.
• Dynamic Segregation of Duties (DSD)—users can be members of conflicting roles.
However, the same user cannot perform both roles in a single session. This constraint
helps control internal security threats by, for example, enforcing a two-person rule
that requires two different users to approve an action.

Examples of Role-Based Access Control

RBAC allows organizations to specify whether users are administrators, expert users,
or end-users. Additional options include:
• Software engineering users who receive access to development tools like cloud
services or source control repositories.
• Marketing users who receive access to marketing tools like web analytics, content
management systems (CMS), or customer relationship management (CRM).
• Finance users who receive access to billing systems or accounting software.
Each role can include a separate management layer and contributor layer. Different
roles have varying privilege levels within a given application.
When an end-user’s job changes, the organization must manually reassign the roles to
other users—or alternatively, assign the roles to a role group and use role assignment
policies to add or remove members of role groups.
When users join a role group, they have access to all the roles in that group. Removing
a user from a group restricts that user’s access. Another option is to temporarily assign

Dept., of CSE. /III CSE/SEM-VI 9 A.V.C.C.E

 UNIT – 3 Prepared By MAV

users to multiple groups, granting them access to certain data or programs and
removing them when they no longer need access.

3.Multi-Factor Authentication (MFA)

What is Multi-Factor Authentication (MFA)?
❖ Multi-factor Authentication (MFA) is an authentication method that requires the user
to provide two or more verification factors to gain access to a resource such as an
application, online account, or a VPN.
❖ MFA is a core component of a strong identity and access management (IAM) policy.
Rather than just asking for a username and password, MFA requires one or more
additional verification factors, which decreases the likelihood of a successful cyber
attack.

Why is MFA Important?

The main benefit of MFA is it will enhance your organization's security by requiring your
users to identify themselves by more than a username and password. While important,
usernames and passwords are vulnerable to brute force attacks and can be stolen by third
parties. Enforcing the use of an MFA factor like a thumbprint or physical hardware key
means increased confidence that your organization will stay safe from cyber criminals.

How Does MFA work?

Dept., of CSE. /III CSE/SEM-VI 10 A.V.C.C.E

UNIT – 3 Prepared By MAV

❖ MFA works by requiring additional verification information (factors). One of the

most common MFA factors that users encounter are one-time passwords (OTP).
❖ OTPs are those 4-8 digit codes that you often receive via email, SMS or some sort
of mobile app. With OTPs a new code is generated periodically or each time an
authentication request is submitted.
❖ The code is generated based upon a seed value that is assigned to the user when
they first register and some other factor which could simply be a counter that is
incremented or a time value.

Types of MFA Authentication Methods

Most MFA authentication methodology is based on one of three types of
additional information:
✓ Things you know (knowledge), such as a password or PIN
✓ Things you have (possession), such as a badge or smartphone
✓ Things you are (inherence), such as a biometric like fingerprints or voice
recognition
Other Types of Multi-Factor Authentication
As MFA integrates machine learning and artificial intelligence (AI),
authentication methods become more sophisticated, including:
Location-based
Location-based MFA usually looks at a user’s IP address and, if possible, their
geo location. This information can be used to simply block a user’s access if their
location information does not match what is specified on a whitelist or it might be used
as an additional form of authentication in addition to other factors such as a password
or OTP to confirm that user’s identity.
Adaptive Authentication or Risk-based Authentication
Another subset of MFA is Adaptive Authentication also referred to as Risk-based
Authentication. Adaptive Authentication analyzes additional factors by considering

Dept., of CSE. /III CSE/SEM-VI 11 A.V.C.C.E

 UNIT – 3 Prepared By MAV

context and behavior when authenticating and often uses these values to assign a level
of risk associated with the login attempt.
For example:
✓ From where is the user when trying to access information?
✓ When you are trying to access company information? During your normal hours
or during "off hours"?
✓ What kind of device is used? Is it the same one used yesterday?
✓ Is the connection via private network or a public network?
❖ The risk level is calculated based upon how these questions are answered and can be
used to determine whether or not a user will be prompted for an additional
authentication factor or whether or not they will even be allowed to log in. Thus another
term used to describe this type of authentication is risk-based authentication.
❖ Adaptive Authentication in place, a user logging in from a cafe late at night, an activity
they do not normally do, might be required to enter a code texted to the user’s phone in
addition to providing their username and password. Whereas, when they log in from
the office every day at 9 am they are simply prompted to provide their username and
password.
❖ Cyber criminals spend their lives trying to steal your information and an effective and
enforced MFA strategy is your first line of defense against them. An effective data
security plan will save your organization time and money in the future.

Dept., of CSE. /III CSE/SEM-VI 12 A.V.C.C.E

UNIT – 3 Prepared By MAV

Difference between MFA and Two-Factor Authentication (2FA):

❖ MFA is often used interchangeably with two-factor authentication (2FA). 2FA is
basically a subset of MFA since 2FA restricts the number of factors that are required
to only two factors, while MFA can be two or more.

4.Single Sign-on, Identity Federation

What Is SSO (Single Sign-On)?
❖ Single Sign-On (SSO) is a protocol used to authenticate and authorize users to
multiple applications using a single set of credentials. SSO is very convenient for
users because they don’t need to memorize multiple passwords and don’t need to
perform multiple login operations.
❖ When implemented correctly, Single Sign-On (SSO) solutions also improve
security and reduce risks created by weak, repeated, or lost passwords.

How does single sign-on work?

SSO can be used by enterprises, small and midsize organizations, and individuals to ease
the management of multiple credentials. Single sign-on is a federated identity

Dept., of CSE. /III CSE/SEM-VI 13 A.V.C.C.E

UNIT – 3 Prepared By MAV

management arrangement. The use of such a system is sometimes called identity

federation.

In a basic web SSO service, authenticates the end user for all the applications the user
has been given rights to and eliminates future password prompts for individual
applications during the same session.
Working
❖ To make SSO possible, an identity provider (IdP) must provide a central
authentication server, which multiple applications can use to verify user identities.
The authentication server validates user identities and confirms their identity to the
application by providing an encrypted access token.
❖ When a user first logs into an application, they are redirected to the IdP and are
asked to provide their credentials, typically username and password.
❖ The authentication server checks the user’s credentials against its central user
directory, and if they are valid, starts an SSO session. Subsequently, the user can
access the application for a predetermined period without logging in again.
❖ When the user attempts to access another application from the trusted group, there
is no need to request credentials again. The application requests authentication
from the IdP, leveraging the open SSO session. The IdP provides an access token,

Dept., of CSE. /III CSE/SEM-VI 14 A.V.C.C.E

UNIT – 3 Prepared By MAV

and the application grants access to the user without showing the login screen
again.

Here is an example of an SSO workflow:

1. The user requests a resource from their desired application/website.

2. The application/website redirects the user to the Identity Provider for

authentication, using SAML, OpenID Connect, etc.

3. The IdP authenticates the user and passes a token to the SSO server.

4. The SSO server delivers the token to the application.

5. The application grants access to the user.

Now, the user can access all other applications which are configured for SSO. If the

user wants to access a resource from another application, that application checks if

they have an active SSO session, and if so, uses the same token to grant access.

Dept., of CSE. /III CSE/SEM-VI 15 A.V.C.C.E

UNIT – 3 Prepared By MAV

Types of SSO
When identifying and operating SSO, you need to be aware of the different protocols
and standards. These include:
Security Access Markup Language (SAML)
SAML is an open standard for encoding text into machine language and exchanging
identifying information. It has become one of the core standards for SSO and is used by
many application providers to validate authentication requests. SAML 2.0 is optimized
for web applications and can send information through a web browser.
Open Authorization (OAuth)
OAuth is an open standard authentication protocol that encrypts identity
information and transmits it securely between applications. This allows users to access
data from other applications without having to manually verify their identity. This is
especially useful for native mobile applications.

Dept., of CSE. /III CSE/SEM-VI 16 A.V.C.C.E

UNIT – 3 Prepared By MAV

OpenID Connect (OIDC)

OIDC is an extension of OAuth 2.0, which adds information about users and enables
SSO. This allows multiple applications to use one login session. For example, users can
log into a service using their Facebook or Google account instead of entering their
credentials.
Kerberos
Kerberos is a ticket-granting protocol that allows mutual authentication, enabling a user
and a server to authenticate each other over an insecure network connection. It is
commonly used for authentication in Windows environments and for software
applications like email clients.
Advantages and disadvantages of SSO
Advantages of SSO
✓ Users need to remember and manage fewer passwords and usernames for each
application.
✓ The process of signing on and using applications is streamlined -- no need to
reenter passwords.
✓ The chances of phishing are lessened.
✓ IT help desks are likely to see fewer complaints or trouble about passwords.
Disadvantages of SSO
✓ It does not address certain levels of security each application sign-on may need.
✓ If availability is lost, users are locked out of all systems connected to SSO.
✓ If unauthorized users gain access, they could access more than one application.

5. Identity providers and service consumers

Identity federation standards identify two operational roles in the identity and access
management (IAM) and federated networks: the identity provider (IdP) and the service
provider (SP). The IdP authenticates the user and provides the SP with the identity
information that it requires to grant access to the services and resources that the user
needs to do their job.

Dept., of CSE. /III CSE/SEM-VI 17 A.V.C.C.E

UNIT – 3 Prepared By MAV

Identity federation allows both providers to define a trust relationship where the SP
provides access to resources using identity information provided by the IdP.

When a user requests access to a resource:

❖ The SP sends the user to the IdP for authentication. The IdP prompts the user for
authentication and verifies the user identity with user information such as
usernames, passwords, biometric information, or passwords.
❖ After the user has been authenticated by the IdP, a trusted authentication token
(containing the information used to authenticate the user) is sent to the SP. The SP
checks for the verified user information and grants the user access to a resource.
What is an IdP?
An IdP is a federation partner, organization, or business responsible for managing a
user's digital identity and provides identity authentication and verification services, also
known as identity as a service (IDaaS). It can manage and verify various identity
information, such as usernames, passwords, or biometric information, to vouch for the
identity of a user to a relying application or SP.

Dept., of CSE. /III CSE/SEM-VI 18 A.V.C.C.E

 UNIT – 3 Prepared By MAV

When the federation protocol is OpenID Connect (OIDC), an IdP is also called an
OpenID Provider (OP).
How does an IdP work?
When a user requests access to a resource, the SP sends the user to the IdP for
authentication. The IdP authenticates and checks the identity of the user against the
identity information managed by the IdP. After the IdP validates the user's identity, it
issues an authentication token that includes the user's information to verify the identity
of the user to the SP.
Why use an IdP?
An IdP securely manages your user identity information and authorizes users to
access your organization's resources from a central location. When an IdP is used to
oversee the management and verification of user identities, it frees the SP from this
responsibility.

6. OS Hardening and Minimization

❖ OS hardening and minimization are security practices that focus on reducing the
attack surface and strengthening the security of operating system.
❖ It is a type of system hardening. It involves patching and applying advanced
system security procedures to secure the server's OS. Automatically installing
updates, patches, and service packs are some of the most effective methods to
harden the OS.
❖ An OS hardening is similar to application hardening in that the OS is a type of
software. Operating system hardening provides basic software that grants those
applications access to specific activities on your server.
❖ Operating system developers frequently perform a good job of issuing OS updates
and encouraging users to install them on Microsoft, Linux, and iOS. These

Dept., of CSE. /III CSE/SEM-VI 19 A.V.C.C.E

UNIT – 3 Prepared By MAV

frequent updates can help to keep your system secure and resilient to cyber-
attacks.

Operating System Hardening Tips

1. Patch Management
It includes planning, testing, timely installation, and ongoing auditing to guarantee that
client computer' operating systems and regularly apply security patches most recent
versions.

2. Service Packs
Service packs keep updated applications and install the most recent version. There is no
single activity that can protect against all types of attacks, including zero-day assaults;
however, applying service packs minimizes these risks.

3. Endpoint Protection
Windows Defender is a powerful endpoint protection solution included with the OS.
Endpoint protection platforms (EPP) provide numerous levels of protection for OS,
including email and social engineering protection, malware prevention, detection of
malicious processes, and automated OS isolation in the case of an infection.

4. Access Control
Use features to limit access to networks, files, and some other resources. Its management
features for individuals and groups are available in all major OS, such as Linux,
Windows, and OS X. As the default settings are typically less stringent than required, you
must configure access to use the principle of least privilege.

5. Security Templates
Use templates to handle and enforce security configurations in a good manner. Templates
may be used to keep track of group policies and guarantee consistency.

Dept., of CSE. /III CSE/SEM-VI 20 A.V.C.C.E

 UNIT – 3 Prepared By MAV

6. Establish Group policies

Sometimes, user error may lead to a successful cyber attack. One method to avoid this is
to define the groups to whom access is granted clearly and to stick to those guidelines.
Update user policies and ensure that everyone is aware of and attaches to them. Enforce
wise behaviors like using strong passwords.

7. Clean Programs
Any apps which are no longer in use should be removed. This method may assist you in
identifying and repairing security flaws and reducing risk. Any app installed on the
system should be checked on a regular basis because it could be a gateway for malicious
attackers. It should not be permitted to use software that the company has not approved
or reviewed.

8. Data and workload isolation

Data and workload isolation ensure that critical databases and applications run on
separate virtual machines, isolating them from unrelated workloads and lowering the
attack surface. You may also isolate programs by limiting network access between
distinct workloads. As a result, if an attacker gains control of one workload, they may not
gain access to another.

OS Minimization
i. Remove unnecessary software and packages: Uninstall or disable unnecessary
software packages, or components to reduce the attack surface and minimize potential
vulnerabilities.

ii.Disable unused protocols and services: Disable or deactivate unused network

protocols and services to reduce the exposure to potential exploits.

iii.Secure configuration settings: Configure OS settings to enforce secure configuration,

such as disabling auto run functionality, enabling strong encryption algorithms.

Dept., of CSE. /III CSE/SEM-VI 21 A.V.C.C.E

 UNIT – 3 Prepared By MAV

iv.Least privilege principle: Follow the principal of least privilege, granting user and
process only the minimum privileges required to perform their tasks.

v.Application whitelisting: To allow only authorized and trusted applications to run

on the system, reducing the risk of malware execution.

Advantages:

✓ Reduced attack surface

✓ Improved security
✓ Increased performance

7. Verified and Measured boot

❖ Verified boot and measured boot are two security features that help to product cloud
based system from malware and other attacks.
❖ Verified boot ensure that only trusted software is loaded when the system startup, it
does this by verifying the signature of all the software that is loaded, starting with the
bootloader and continue through the operating system and drivers.
❖ Measured boot goes a step further by creating a cryptographic hash of all the software
that is loaded during the boot process. This hash then stored in a secure area of the
system such as trusted platform model (TPM)

Verified Boot:

✓ Verified boot ensure that only trusted and authorized software component are
executed during the boot process.
✓ The boot process starts with a root of trust, a secure boot hardware component which
verify the digital signature of the bootloader.
✓ Each component in the boot chain is cryptographically signed and their signature
are verified.

Dept., of CSE. /III CSE/SEM-VI 22 A.V.C.C.E

 UNIT – 3 Prepared By MAV

✓ If a component fails the verification process, the boot process is not allowed to
proceed.
✓ Verified boot helps protect against bootloader attacks, rootkits, and other malware.

Measured Boot:

✓ Measured boot provides a mechanism to measure and store integrity

measurements of the boot process at different stages.
✓ Each component in the boot chain is loaded and executed, its integrity is measured
and recorded in a secure location known as a Trusted Platform Module (TPM).
✓ Measured boot helps detect and identify any unauthorized modification to the
boot process, providing a mechanism for verifying the system integrity and
identifying potential security breaches.

8. Intruder Detection and Preventions systems

❖ An intrusion detection and prevention system (IDPS) is a network monitoring strategy

that works by both passively monitoring traffic and actively blocking suspicious or
malicious behaviour once it is flagged.
❖ An IDPS can also be described as a visibility tool that sits off to the side of the network
and monitors traffic. It consists of a management console and sensors that – when
encountering something matching a previously detected attack signature – report the
activity to the console.
❖ An intrusion detection and prevention system (IDPS) is defined as a system that monitors
a network and scans it for possible threats to alert the administrator and prevent potential attacks.

Dept., of CSE. /III CSE/SEM-VI 23 A.V.C.C.E

 UNIT – 3 Prepared By MAV

Intrusion Detection System (IDS)

❖ An Intrusion Detection System (IDS) maintains network traffic looks for unusual

activity and sends alerts when it occurs. The main duties of an Intrusion Detection
System (IDS) are anomaly detection and reporting, however, certain Intrusion Detection
Systems can take action when malicious activity or unusual traffic is discovered.
❖ intrusion detection system (IDS) observes network traffic for malicious transactions and

sends immediate alerts when it is observed. It is software that checks a network or

system for malicious activities or policy violations.
❖ Each illegal activity or violation is often recorded either centrally using an SIEM system

or notified to an administration. IDS monitors a network or system for malicious activity

and protects a computer network from unauthorized access from users, including
perhaps insiders.
❖ The intrusion detector learning task is to build a predictive model (i.e. a classifier)

capable of distinguishing between ‘bad connections’ (intrusion/attacks) and ‘good

(normal) connections’.

Dept., of CSE. /III CSE/SEM-VI 24 A.V.C.C.E

 UNIT – 3 Prepared By MAV

Working of Intrusion Detection System(IDS)

• An IDS (Intrusion Detection System) monitors the traffic on a computer network

to detect any suspicious activity.

• It analyzes the data flowing through the network to look for patterns and signs
of abnormal behavior.

• The IDS compares the network activity to a set of predefined rules and patterns
to identify any activity that might indicate an attack or intrusion.

• If the IDS detects something that matches one of these rules or patterns, it sends
an alert to the system administrator.

• The system administrator can then investigate the alert and take action to
prevent any damage or further intrusion.

Classification of Intrusion Detection System(IDS)

i. Network Intrusion Detection System (NIDS): Network intrusion detection systems

(NIDS) are set up at a planned point within the network to examine traffic from all
devices on the network. It performs an observation of passing traffic on the entire subnet
and matches the traffic that is passed on the subnets to the collection of known attacks.
Once an attack is identified or abnormal behaviour is observed, the alert can be sent to
the administrator.

Dept., of CSE. /III CSE/SEM-VI 25 A.V.C.C.E

UNIT – 3 Prepared By MAV

ii. Host Intrusion

Detection
System (HIDS):
A HIDS monitors the incoming and outgoing packets from the device only and will alert
the administrator if suspicious or malicious activity is detected. It takes a snapshot of
existing system files and compares it with the previous snapshot. If the analytical system
files were edited or deleted, an alert is sent to the administrator to investigate. An
example of HIDS usage can be seen on mission-critical machines, which are not expected
to change their layout.

iii.Protocol-based Intrusion Detection System (PIDS): Protocol-based intrusion

detection system (PIDS) comprises a system or agent that would consistently reside at
the front end of a server, controlling and interpreting the protocol between a user/device
and the server. It is trying to secure the web server by regularly monitoring the HTTPS
protocol stream and accepting the related HTTP protocol

Dept., of CSE. /III CSE/SEM-VI 26 A.V.C.C.E

 UNIT – 3 Prepared By MAV

iv.Application Protocol-based Intrusion Detection System (APIDS): An application

Protocol-based Intrusion Detection System (APIDS) is a system or agent that generally
resides within a group of servers. It identifies the intrusions by monitoring and
interpreting the communication on application-specific protocols.

v.Hybrid Intrusion Detection System: Hybrid intrusion detection system is made by the
combination of two or more approaches to the intrusion detection system. In the hybrid
intrusion detection system, the host agent or system data is combined with network
information to develop a complete view of the network system. The hybrid intrusion
detection system is more effective in comparison to the other intrusion detection system.
Prelude is an example of Hybrid IDS.

Advantages:

✓ Detects malicious activity

✓ Improves network performance
✓ Provides insights

Intrusion Prevention System (IPS)

❖ Intrusion Prevention System is also known as Intrusion Detection and Prevention

System. It is a network security application that monitors network or system activities for
malicious activity. Major functions of intrusion prevention systems are to identify
malicious activity, collect information about this activity, report it and attempt to block
or stop it.
❖ Intrusion prevention systems are contemplated as augmentation of Intrusion Detection
Systems (IDS) because both IPS and IDS operate network traffic and system activities for
malicious activity.

Dept., of CSE. /III CSE/SEM-VI 27 A.V.C.C.E

 UNIT – 3 Prepared By MAV

❖ IPS typically record information related to observed events, notify security

administrators of important observed events and produce reports. Many IPS can also
respond to a detected threat by attempting to prevent it from succeeding.
❖ They use various response techniques, which involve the IPS stopping the attack itself,
changing the security environment or changing the attack’s content.

Types of IPS

There are two main types of IPS:

1. Network-Based IPS: A Network-Based IPS is installed at the network perimeter

and monitors all traffic that enters and exits the network.
2. Host-Based IPS: A Host-Based IPS is installed on individual hosts and monitors
the traffic that goes in and out of that host.

Classification of Intrusion Prevention System (IPS):

Intrusion Prevention System (IPS) is classified into 4 types:

1. Network-based intrusion prevention system (NIPS):

It monitors the entire network for suspicious traffic by analyzing protocol
activity.
2. Wireless intrusion prevention system (WIPS):
It monitors a wireless network for suspicious traffic by analyzing wireless
networking protocols.
3. Network behavior analysis (NBA):
It examines network traffic to identify threats that generate unusual traffic flows,

Dept., of CSE. /III CSE/SEM-VI 28 A.V.C.C.E

UNIT – 3 Prepared By MAV

such as distributed denial of service attacks, specific forms of malware and policy
violations.
4. Host-based intrusion prevention system (HIPS):
It is an inbuilt software package which operates a single host for doubtful
activity by scanning events that occur within that host.

Dept., of CSE. /III CSE/SEM-VI 29 A.V.C.C.E