Cloud Security and Application Development
Chapter 1
OVERVIEW OF CLOUD COMPUTING
Cloud computing is a paradigm that involves delivering computing services over the internet.
Instead of owning and maintaining physical servers or hardware, users can access computing
resources, such as servers, storage, databases, networking, software, and analytics,
on-demand from a cloud service provider. This approach offers scalability, flexibility,
cost-efficiency, and the ability to access resources from anywhere with an internet connection.
Cloud computing is typically categorized into three service models:
Infrastructure as a Service (IaaS): Provides virtualized computing resources over the
internet, including virtual machines, storage, and networks.
Platform as a Service (PaaS): Offers a platform allowing developers to build, deploy,
and scale applications without managing the underlying infrastructure.
Software as a Service (SaaS): Delivers software applications over the internet,
eliminating the need for users to install, manage, and maintain software locally.
Chapter 2
OVERVIEW OF VIRTUALIZATION
Virtualization is a key technology underlying cloud computing. It involves creating a virtual
(rather than actual) version of something, such as a server, storage device, or network resource.
In the context of cloud computing, server virtualization is particularly crucial. It enables
multiple virtual servers to run on a single physical server, allowing better resource utilization,
cost savings, and increased flexibility.
Virtualization abstracts the hardware layer, enabling the decoupling of physical resources from
the software applications and operating systems. This abstraction facilitates the creation of
isolated, independent virtual environments that can run various applications and operating
systems simultaneously on a single physical machine. Virtualization contributes to the
efficiency, agility, and manageability of IT infrastructure, making it a foundational element in
the broader landscape of cloud computing.
Virtualization is widely used in IT to enhance resource utilization. Examples include server
virtualization using hypervisors like VMware, allowing multiple virtual servers on one physical
machine. Desktop virtualization, like Citrix or VirtualBox, isolates desktop environments.
Storage virtualization abstracts physical storage, and network virtualization, like Cisco's ACI,
separates network resources from hardware, enhancing flexibility.
B.E, AIML/BNMIT Page 1 2023-24
Chapter 3
CLOUD SECURITY RISKS
Traditional Security Threats in Cloud Computing
Attacks on Infrastructure - Cloud computing faces traditional security threats such as
DDoS attacks, malware, and unauthorized access attempts targeting the infrastructure.
Authentication and Authorization Vulnerabilities - Cloud services can be vulnerable to
authentication and authorization weaknesses, leading to unauthorized access to
sensitive data and resources.
Merging Internal Security Policies with Cloud Services - Organizations may face
challenges when integrating their existing security policies with cloud services,
potentially creating gaps in security coverage.
Attacks on Cloud Service Providers
Availability Concerns
System Failures - Availability concerns in cloud computing include system failures,
which can result in extended downtime and loss of access to cloud services.
Power Outages - Power outages can disrupt cloud services, leading to temporary
unavailability and potential data loss.
Catastrophic Events - Catastrophic events such as natural disasters or cyber attacks can
cause widespread disruption and prolonged downtime in cloud services.
Ensuring Correctness of Results - Cloud users face challenges in ensuring the
correctness of results from cloud-hosted applications, as they rely on the cloud
provider's infrastructure and processes.
Third-Party Data Control
Concerns arise from the lack of transparency and limited user control over third-party
subcontractors, leading to risks of data loss or compromise.
Top Threats to Cloud Computing identified by CSA
User Concerns
Security Concerns
Unauthorized Access: Users are concerned about the possibility of unauthorized
individuals gaining access to their data stored in the cloud.
Data Theft: Users worry about the risk of their data being stolen or compromised while
stored in the cloud.
Lack of Control over Data Lifecycle: Users may have concerns about not having full
control over the storage, retention, and deletion of their data in the cloud.
Lack of Transparency: Users may feel uncertain about the transparency of cloud service
providers regarding their security practices and data handling procedures.
Impact of Evolving Technologies: Users may have concerns about the potential risks
and vulnerabilities introduced by emerging technologies like autonomic computing.
Privacy Concerns
Challenges in Addressing Privacy
Lack of User Control: Users may have limited control over their data stored in the cloud,
raising concerns about privacy and security.
Potential Unauthorized Secondary Use: Cloud service providers may have access to
users' data, which can potentially be used for secondary purposes without the users'
consent.
Data Proliferation: Cloud computing involves the storage and processing of vast
amounts of data, leading to concerns about the proliferation of personal and sensitive
information.
Dynamic Provisioning: The dynamic nature of cloud computing, with data being moved
and replicated across multiple servers, can create challenges in ensuring data privacy
and security.
Proposed Solutions
Evaluate Security Policies - One proposed solution for addressing cloud security
concerns is to thoroughly evaluate and update security policies to ensure they align with
industry best practices and regulatory requirements.
Analyze Data to be Stored on the Cloud - Another proposed solution is to carefully
analyze the data that will be stored on the cloud and classify it based on sensitivity. This
will help determine the appropriate security measures and encryption methods to be
applied.
Define Contractual Obligations with Cloud Service Providers - It is crucial to clearly
define contractual obligations with cloud service providers to ensure that security
requirements are met. This includes specifying data protection measures, incident
response protocols, and liability provisions.
Encryption for Sensitive Data - Encryption is highly recommended for sensitive data
stored on the cloud. However, challenges such as loss of indexing and searching may
arise. It is important to carefully consider these challenges and implement encryption
solutions accordingly.
Privacy Impact Assessment (PIA)
Importance of Privacy Impact Assessment (PIA)
Privacy Impact Assessment (PIA) tools are crucial for identifying and addressing privacy
issues in information systems. They play a vital role in ensuring the protection of user data and
maintaining privacy standards.
However, one of the challenges in implementing PIA is the lack of international standards.
Without standardized guidelines, organizations may struggle to conduct thorough assessments
and address privacy concerns effectively.
To overcome this challenge, it is essential for organizations to adopt a proactive approach to
privacy considerations in system design. By integrating privacy measures from the early stages
of development, organizations can mitigate risks and ensure compliance with privacy
regulations.
Chapter 4
TRUST, OS AND VM SECURITY
Definition
Assured reliance on the character, ability, strength, or truth.
Conditions for Development
Risk - Risk is a condition that must be present for the development of trust in cloud
computing. By acknowledging and addressing potential risks, organizations can
establish a foundation of trust with their cloud service providers.
Interdependence - Interdependence is another condition necessary for the development
of trust in cloud computing. Organizations and cloud service providers must rely on
each other and work together to ensure the security and reliability of cloud-based
systems.
Trust Phases
Building - During the building phase, trust is established between the cloud provider
and the customer. This involves setting expectations, establishing security measures,
and building a foundation of trust.
Stability - In the stability phase, trust is maintained and strengthened through consistent
and reliable performance of the cloud service. This includes meeting service level
agreements, providing secure access, and ensuring data integrity.
Dissolution - The dissolution phase occurs when trust between the cloud provider and
the customer is broken. This may happen due to a security breach, data loss, or failure
to meet expectations. It is important to have contingency plans in place for such
situations.
Forms of Trust
Utilitarian Trust - Based on the perception that using the cloud provides benefits and
value.
Calculus-based Trust - Based on calculation of potential benefits and risks of using the
cloud.
Relational Trust - Based on the belief that the cloud provider will act in the best interest of
the user.
Persistent Trust - Based on a long-standing and consistent relationship with the cloud
provider.
Dynamic Trust - Based on the ability of the cloud provider to adapt and respond to
changing circumstances.
Challenges in Online Trust
Anonymity in Online Transactions - The lack of personal interaction and physical
presence in online transactions makes it difficult to establish trust between parties.
Loss of Clues for Trust - In online interactions, individuals lose the ability to rely on
nonverbal cues and physical evidence to assess trustworthiness.
Lack of Guarantees about Entities' Understanding of Their Roles - Online platforms
may not provide sufficient assurances that entities involved in transactions understand
their roles and responsibilities, leading to potential trust issues.
Security Mechanisms Needed
Access Control - Implementing strong access control measures is essential for ensuring
trust in cloud computing. This involves defining and enforcing policies that determine
who can access and modify data and resources within the cloud environment.
Identity Transparency - Identity transparency is crucial for establishing trust in cloud
computing. It involves providing clear and verifiable information about the identities
of users and entities accessing the cloud, ensuring that only authorized individuals or
systems can interact with the cloud resources.
Surveillance - Surveillance mechanisms are necessary to monitor and detect any
unauthorized activities or potential security breaches within the cloud environment.
This includes real-time monitoring, logging, and analysis of system and network
activities to ensure the integrity and confidentiality of data and resources.
Security in Operating Systems
Operating Systems and Security - Operating systems play a crucial role in ensuring the
security of computer systems and protecting against malicious attacks.
Access Control - Operating systems implement access control mechanisms to regulate
user access to resources and prevent unauthorized access.
Authentication - Operating systems provide authentication mechanisms to verify the
identity of users and ensure that only authorized users can access the system.
Cryptography - Operating systems incorporate cryptographic algorithms and protocols
to protect sensitive data and ensure secure communication.
Virtual Machine Security
Traditional System VM Model - Virtual machine security is achieved through the traditional
system VM model, which provides better isolation among virtual machines.
Security of Virtualization
Ability to Save and Share VM States
Benefits of IaaS Support and Increased Reliability
Challenges of Increased System Heterogeneity
Impact on Software Life Cycle
Chapter 5
SECURITY RISKS POSED BY IMAGES
Introduction to Risks in Image Sharing
In the Infrastructure as a Service (IaaS) model, image sharing is a common practice. However,
users often underestimate the risks associated with shared cloud images, particularly in the
creation of Amazon Machine Images (AMIs). It is important to be aware of these risks and take
appropriate security measures to protect sensitive data.
Security Risks in Windows AMIs
98% of audited Windows AMIs have critical vulnerabilities, putting users at risk of
security breaches.
Some Windows AMIs contain malware, such as Trojans, which can lead to keylogging
and data theft.
Specific Security Risks in Linux AMIs
Unauthorized Remote Access - Approximately 22% of scanned AMIs contain
credentials that allow unauthorized remote access.
Backdoors - Backdoors can be exploited if the creator does not remove their own public
key or password.
Unsolicited Connections - Unsolicited connections pose a threat, allowing outside
entities to access privileged information.
Omission of the Cloud-Init Script - The omission of the cloud-init script increases the
risk of man-in-the-middle attacks.
Privacy Risks for Image Creators
Recovery of Private Keys - Private keys used for image creation can be potentially
recovered by malicious agents, compromising the security of the image and the creator's
data.
IP Addresses and Browser History - When images are published, the IP addresses of
image creators and their browser history may be exposed, posing privacy risks and
potential tracking by malicious entities.
Recovery of Deleted Files - Deleted files from published images can be potentially
recovered, leading to the unauthorized access and retrieval of sensitive information by
malicious actors.
Exploitation of AWS API Keys - Malicious agents can exploit AWS API keys used by
image creators, resulting in unauthorized usage and potential cost implications for the
key owner.
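A pre-publication check for the leftovers listed above (creator public keys, password hashes, private keys, shell history, AWS API keys), given as an added example rather than code from the original report. It assumes the image filesystem is mounted or unpacked at a local directory; `audit_image_root` and `build_sample_image` are hypothetical names, and the sample tree is constructed.

```python
import os
import re

# Long-term AWS access key IDs start with "AKIA" followed by 16 characters.
AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
PRIVATE_KEY = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
HISTORY_NAMES = {".bash_history", ".zsh_history", ".mysql_history"}


def audit_image_root(root):
    """Walk an unpacked image filesystem; return sorted (finding, relative path) pairs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            # Skip symlinks and special files so the scan never leaves the image tree.
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            try:
                with open(path, "r", errors="replace") as fh:
                    text = fh.read(1_000_000)  # cap the amount read per file
            except OSError:
                continue
            if name == "authorized_keys" and text.strip():
                findings.append(("leftover-public-key", rel))
            if name in HISTORY_NAMES and text.strip():
                findings.append(("shell-history", rel))
            if PRIVATE_KEY.search(text):
                findings.append(("private-key", rel))
            if AWS_KEY_ID.search(text):
                findings.append(("aws-access-key-id", rel))
            if rel == "etc/shadow":
                for line in text.splitlines():
                    fields = line.split(":")
                    # Anything other than a locked field ("!" or "*") permits password login.
                    if len(fields) > 1 and not fields[1].startswith(("!", "*")):
                        findings.append(("password-set:" + fields[0], rel))
    return sorted(findings)


def build_sample_image(root):
    """Constructed sample tree; every key, hash and identifier below is fake."""
    files = {
        "root/.ssh/authorized_keys": "ssh-ed25519 AAAAC3constructed creator@laptop\n",
        "root/.bash_history": "export AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE00\n",
        "home/app/.aws/credentials": "[default]\naws_access_key_id = AKIAEXAMPLEEXAMPLE00\n",
        "home/app/.ssh/id_ed25519": "-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n",
        "etc/shadow": "root:$6$constructed$hash:19000:0:99999:7:::\ndaemon:*:19000::::::\n",
        "etc/hostname": "clean-file\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_image(tmp)
        for finding, rel in audit_image_root(tmp):
            print(f"{finding:22} {rel}")
```

Recoverable deleted files are not visible to a file walk like this one; that risk has to be handled by wiping free space before the image is published.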
Security Risks in Management OS
Vulnerabilities in Hypervisor and Management OS - Compromises overall security
Risks in Dom0 during VM Creation - Denial-of-service attacks, modification of guest
OS kernels, and undermining of VM integrity
Encryption Challenges in Run-time Communication - Introduction of encryption
challenges
Exploitation of XenStore - The entire system state maintained by XenStore can be exploited
Security Measures for Dom0
Restricting Foreign Mapping - Dom0's use of foreign mapping for sharing memory with
VMs should be restricted unless initiated by DomU. This measure ensures that only
authorized memory sharing occurs and prevents unauthorized access to sensitive data.
Monitoring by Hypervisor - The hypervisor should closely monitor the use of foreign
mapping by Dom0. This monitoring helps detect any unauthorized or suspicious
activity and allows for timely intervention and response.
Intercepting and Controlling Hypercalls - Hypercalls, which are used for
communication between Dom0 and VMs, should be intercepted and controlled. This
measure helps protect virtual CPU privacy and integrity, as well as VM virtual memory.
It also ensures the freshness of the system by preventing unauthorized modifications.
Security Overhead
Enhanced Security Measures - Enhanced security measures in image sharing result in
increased overhead. The factors for different operations are as follows:
Domain Build: The security overhead factor ranges from 1.3 to 2.3.
Domain Save: The security overhead factor ranges from 1.3 to 1.5.
Domain Restore: The security overhead factor ranges from 1.7 to 1.9.
Chapter 6
CLOUD APPLICATION DEVELOPMENT
Key Questions Addressed
Ease of Use - Assessing the ease of using the cloud involves understanding the user
interface, accessibility, and availability of support resources.
Networking and Security - Understanding the required knowledge about networking
and security is essential for effectively utilizing cloud computing services.
Porting Existing Applications - Porting existing applications to the cloud involves
considering compatibility, data migration, and potential performance improvements.
Developing New Cloud Applications - Developing new cloud applications requires
understanding cloud-native architectures, scalability, and integration with existing
systems.
AWS and Cloud Application Development
Amazon Management Console (AMC) - AMC is a web-based interface that allows you to
access and manage your AWS resources.
AWS Categories
Computing - AWS provides a wide range of computing services to meet your
application needs.
Networking - AWS offers networking services to enable secure and reliable
communication between your resources.
Storage - AWS provides scalable and durable storage options for your data.
Content Delivery - AWS offers content delivery services to deliver your content to end
users with low latency and high transfer speeds.
Deployment - AWS provides tools and services to help you deploy and manage your
applications efficiently.
Management - AWS offers services to help you manage your resources and monitor
the performance of your applications.
Databases - AWS provides a variety of database services to meet your application's data
storage and retrieval needs.
Application Services - AWS offers a range of application services to help you build,
deploy, and scale your applications.
Challenges and Learning Curve
Understanding Cloud Concepts - One of the main challenges for application developers
transitioning to cloud computing is understanding the fundamental concepts of cloud
computing. This includes understanding the different types of cloud services, such as
Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a
Service (SaaS), as well as the concepts of virtualization and scalability.
Learning AWS Services - Another challenge is learning the various AWS services and
understanding how they can be used to build and deploy applications. This includes
services such as Amazon EC2 for virtual servers, Amazon S3 for object storage, and
Amazon RDS for managed databases. It is important for application developers to
familiarize themselves with these services and understand how they can be integrated
into their applications.
Security and Compliance - Security and compliance are critical considerations when
developing applications in the cloud. Application developers need to understand how
to implement proper security measures, such as encryption and access controls, to
protect sensitive data. They also need to ensure that their applications comply with
relevant regulations and industry standards.
Managing Costs - Cloud computing offers scalability and flexibility, but it is important
for application developers to be mindful of costs. They need to understand the pricing
models of different AWS services and optimize their applications to minimize costs.
This includes monitoring resource usage, optimizing code, and leveraging cost
management tools provided by AWS.
Security and Firewall
Firewall Evolution
First-generation firewalls were basic packet filters that examined network traffic based
on source and destination IP addresses, ports, and protocols.
Second-generation firewalls introduced stateful inspection, which allowed them to
analyze the context and state of network connections to make more intelligent
decisions.
Third-generation firewalls incorporate deep packet inspection, application-level
filtering, and advanced threat detection capabilities.
Function and Role
Firewalls act as a barrier between internal networks and external networks, monitoring
and controlling incoming and outgoing network traffic based on predetermined security
rules.
They help prevent unauthorized access, protect against network threats, and enforce
security policies.
Firewall Support in Operating Systems
Operating systems provide built-in firewall functionality to protect against
unauthorized access and network attacks.
In Linux/Unix systems, the iptables command is commonly used to configure the
firewall rules and policies.
Amazon EC2 and Security Groups
DNS and IP Addressing in EC2
Mapping IP Addresses in EC2
EC2 instances are assigned private IP addresses for communication within the Virtual
Private Cloud (VPC).
Public IP addresses can be associated with EC2 instances to enable communication over
the internet.
Elastic IP addresses provide a static public IP that can be associated with EC2 instances
and persist even if the instance is stopped or terminated.
Security Group Rules
Security group rules control inbound and outbound traffic to EC2 instances based on
protocols, ports, and IP addresses.
Application layer protocols like HTTP (port 80) and HTTPS (port 443) can be allowed
or restricted using security group rules.
Transport layer protocols like TCP (Transmission Control Protocol) and UDP (User
Datagram Protocol) can also be controlled using security group rules.
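An added example, not part of the original report, that audits inbound security group rules for TCP/UDP ports opened to every source address other than HTTP (80) and HTTPS (443). It assumes rules in the field layout of the EC2 DescribeSecurityGroups response (`IpPermissions`, `IpProtocol`, `FromPort`, `ToPort`, `IpRanges`, `Ipv6Ranges`); `world_open_findings` is a hypothetical name and the group IDs and address ranges are constructed.

```python
import ipaddress

# HTTP and HTTPS, the application ports the text names as ones a rule may allow.
PUBLIC_OK_PORTS = frozenset({80, 443})


def world_open_findings(security_groups, allowed_ports=PUBLIC_OK_PORTS):
    """Return sorted (group id, protocol, from port, to port) tuples for inbound
    TCP/UDP rules that admit any source address on a port outside allowed_ports."""
    findings = []
    for group in security_groups:
        for perm in group.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto not in ("tcp", "udp", "-1"):
                continue  # ICMP and other protocols carry no port range
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            # A prefix length of 0 (0.0.0.0/0 or ::/0) matches every source address.
            if not any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs):
                continue
            if proto == "-1":  # "-1" means all protocols, so every port is reachable
                lo, hi = 0, 65535
            else:
                lo, hi = perm["FromPort"], perm["ToPort"]
            if any(port not in allowed_ports for port in range(lo, hi + 1)):
                findings.append((group["GroupId"], proto, lo, hi))
    return sorted(findings)


# Constructed sample data; group IDs and address ranges are illustrative only.
SAMPLE_GROUPS = [
    {"GroupId": "sg-constructed-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    ]},
    {"GroupId": "sg-constructed-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-constructed-any", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
]

if __name__ == "__main__":
    for finding in world_open_findings(SAMPLE_GROUPS):
        print(finding)
```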
Using S3 in Java
Java API for AWS SDK - The AWS SDK for Java provides a Java API for interacting
with Amazon S3 (Simple Storage Service).
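Creating an S3 Client - To create an S3 client in Java, you can use the access and secret
keys provided by AWS. Keep these keys out of source code and published machine images,
since exposed AWS API keys can be used by others at the key owner's expense.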
Batch Operations and Object Listing
Managing SQS Services in C#
Overview of Simple Queue Service (SQS)
Simple Queue Service (SQS) is a fully managed message queuing service that enables you to
decouple and scale microservices, distributed systems, and serverless applications. It provides
reliable and scalable queuing functionality and supports automated workflows with message
queues.
Creating an SQS Connection in C#
To create an SQS connection in C#, you can use the AWS SDK for .NET. The SDK provides
a high-level API for interacting with SQS and simplifies the process of sending and receiving
messages from queues.
Actions: Create a Queue, Send/Receive Messages, and Delete a Queue
With the SQS connection in C#, you can perform various actions on the queues. These actions
include creating a queue, sending and receiving messages, and deleting a queue.