Cloud Security Management_CCA3006

Module-2

Core Security Controls for Cloud Computing

By

Dr. Shahana Gajala Qureshi


Cloud Security
Security In-House (on-premise environment) vs. Cloud

Understanding Cloud and On-Premise Security


 On-Premise Security allows full control over the security
infrastructure, located at the physical premises of an
organization. It includes everything, from the firewalls and
intrusion detection systems to physical access controls and
data encryption methods fully managed in-house.
 Cloud security relies on third-party service providers to
secure your data and applications in the data centers they
operate. For cloud security, massive economies of scale for
your cloud provider enable them to deploy advanced security
capabilities – an order of magnitude more than organizations
Security Considerations
1) On-Premise Security
 Physical control and specially designed security
methods, such as badge readers and cameras.
 Equipment management to destroy items having sensitive
data.
 Traffic stays within the premises, so there is less exposure
to threats from outside the business.
2) Cloud Security
 Adherence to strict security protocols
 More affordable for many businesses
 Built-in features for various regulations

Cost Comparison
1) On-Premise
 High initial costs for hardware and software licenses
 Ongoing expenses for maintenance, upgrades, and IT staff
2) Cloud
 Lower upfront costs
 Predictable monthly or annual fees
 Reduced IT staff requirements

Scalability and Flexibility
1) On-Premise
 Limited by purchased hardware capacity
 Scaling up requires additional investment and time
2) Cloud
 Easily scalable resources on-demand
 Quick adaptation to changing business needs
In terms of work-from-home arrangements during the COVID-
19 pandemic, many businesses have scaled up dramatically in
their use of cloud resources. For instance, Zoom, a cloud video
conferencing company, increased its daily meeting
participants from 10 million back in December 2019 to 300
million in April 2020.
Hybrid Solutions Offer the Best of Both
Most organizations adopt a hybrid approach in which on-
premise and cloud solutions are put together. The rationale
behind their decision to go hybrid is to:
A) Keep sensitive data at on-premise resources while benefiting
from the cloud for other jobs that aren’t that important.
B) Scale resources whenever needed without obliterating
existing infrastructure.
C) Gradually transit to the cloud and experience minimal
disruption.
As per Flexera’s 2024 report, 89% of companies had a hybrid
cloud strategy, compared to 84% in previous years.

Virtualization Security Primer
 The term “Virtualized Security,” sometimes known as
“security virtualization,” describes security solutions that
are software-based and created to operate in a virtualized IT
environment.
 This is distinct from conventional hardware-based network
security, which is static and is supported by equipment like
conventional switches, routers, and firewalls.
 Virtualized security is flexible and adaptive, in contrast to
hardware-based security. It can be deployed anywhere on the
network and is frequently cloud-based so it is not bound to a
specific device.
Types of Hypervisors
1) Type-1 Hypervisors: These run directly on bare (unmanaged)
systems. Type 1 hypervisors include Lynx Secure, RTS
Hypervisor, Oracle VM, Sun xVM Server, and Virtual Logic VLX.
Since they are placed on bare systems, type 1 hypervisors do
not have any host operating system.
2) Type-2 Hypervisors: A type 2 hypervisor is a software
interface that simulates the hardware that a system typically
communicates with. Examples of Type 2 hypervisors include
containers, KVM,
3) Type I Virtualization: In this design, the Virtual Machine
Monitor (VMM) sits directly above the hardware and intercepts
all interactions between the VMs and the hardware. On top of
the VMM is a management VM that handles the other guest VMs
and most of the hardware connections. The Xen system is a
common illustration of this kind of virtualization design.
4) Type II Virtualization: Architectures of this kind, like
VMware Player, run the VMM as an application within the host
operating system (OS). I/O drivers and guest VM management
are the responsibilities of the host OS.
Benefits of Virtualized Security
1) Cost-Effectiveness: Cloud computing’s virtual machine
security enables businesses to keep their networks secure
without having to significantly raise their expenditures on
pricey proprietary hardware. Usage-based pricing for cloud-
based virtualized security services can result in significant
savings for businesses that manage their resources effectively.
2) Flexibility: It is essential in a virtualized environment that
security operations can follow workloads wherever they go. A
company is able to profit fully from virtualization while
3) Operational Efficiency: Virtualized security can be
deployed more quickly and easily than hardware-based
security because it doesn’t require IT teams to set up and
configure several hardware appliances. Instead, they can
quickly scale security systems by setting them up through
centralized software. Security-related duties can be
automated when security technology is used, which frees up
more time for IT staff.
4) Regulatory Compliance: Virtual machine security in cloud
computing is a requirement for enterprises that need to
maintain regulatory compliance because traditional
hardware-based security is static and unable to keep up with
the demands of a virtualized network.
Virtual Machine Security Challenges
 As we previously covered, buffer overflows are a common
component of classical network attacks. Trojan horses,
worms, spyware, rootkits, and DoS attacks are
examples of malware.
 In a cloud context, more recent attacks might be caused via
VM rootkits, hypervisor malware, or guest hopping and
hijacking. Man-in-the-middle attacks against VM migrations
 HIDS and NIDS are both types of IDS. To supervise and check
the execution of code, use program shepherding. The RIO
dynamic optimization infrastructure, the vSafe and vShield
tools from VMware, security compliance for hypervisors,
and Intel vPro technology are some further protective
solutions.
Working of Virtualized Security
 Virtualized security is like a digital guard for the virtual world,
such as cloud services and virtual machines. It blends into the
virtual setup, acting like an invisible shield that keeps each
part safe. Instead of watching over just one computer or
server, it oversees the whole virtual landscape, spotting and
stopping dangers.
 This security type is smart and can handle lots of virtual
spaces at once. It watches the data moving around in these
spaces to catch any harmful activity, like viruses or hackers.
When it finds something bad, it acts quickly to block it,
keeping every part of the virtual environment safe.
 Virtualized security is also flexible, growing or shrinking to
match the size of the virtual area it needs to protect. It's
always on duty, ensuring that even as the virtual world
Types of Security Virtualization
The types of virtualization include:
 Server virtualization: This splits one physical server into
several virtual servers. Each one acts like a separate
computer, running its own operating system and applications.
This setup increases efficiency, saves space, and reduces
costs.
 Desktop virtualization: It separates the desktop environment
from the physical device. You can access your desktop, with all
its apps and files, from any device, like a PC, laptop, or tablet.
This offers flexibility and secure remote access.
 Storage virtualization: This combines multiple physical storage
units into one virtual storage device. It’s like putting different
hard drives together to make a single, big storage space. This
makes managing storage easier and can improve performance
and data backup.
 Network virtualization: This type creates a virtual version of a
physical network. It allows you to split one physical network
into many separate, independent networks. This can enhance
security, speed up data transfer, and help manage network
resources better.
Benefits of Virtualized Security
 Scalability
 Flexibility
 Cost-Effectiveness
 Efficiency
 Enhanced Protection
Disadvantages of Virtualized Security (Risks)
 Shared Resources: In a virtualized environment, resources
like CPU, memory, and storage are shared among multiple
virtual machines. If one VM is compromised, it can potentially
impact the security of others sharing the same physical host.
 Complexity: The complexity of virtualized systems can
increase the risk of configuration errors, making the
environment more vulnerable to attacks. Properly securing a
virtualized environment requires a thorough understanding of
both virtualization technology and security principles.
 Hypervisor Vulnerabilities: The hypervisor, which creates
and runs virtual machines, is a critical component in
virtualization. If the hypervisor has vulnerabilities, it can be
exploited to gain control over the entire virtualized
environment.
 Visibility and Control: Traditional security tools may not
have full visibility into the virtualized components, leading to
gaps in monitoring and control that attackers can exploit.
 Insider Threats: With virtualization, administrative access is
more powerful. Insiders with malicious intent or negligent
actions can cause significant damage or breaches.
 Dynamic and Elastic Nature: The ability to quickly spin up
and down virtual machines can be exploited by attackers to
create transient attack vectors that are hard to trace and
mitigate.

Physical Security vs. Virtual Security

Cloud Network Security
 Cloud network security describes the technology, policies,
controls, and processes used to protect public, private, and
hybrid cloud networks from unauthorized access, exposure,
modification, or misuse.
 Network security is a foundational component of a multi-layer
cybersecurity strategy used to prevent breaches, malware,
and other cyber-attacks on cloud users and resources. Keep
reading to learn how cloud network security works and best
practices to secure storage, VMs, APIs and workstreams.

How does cloud network security work?
 Cloud network security combines multiple layers of defense
between edge devices and network infrastructure to protect
data and the people who use it.
 It works within software-defined networks (SDN) to inspect
packets and route traffic enforcing an organization’s pre-
defined rules and security policies.
 Each security layer, or key capability, uses packet analysis to
apply policies and controls to protect cloud deployments and
their digital assets.
 Cloud firewalls and gateways work similarly to data center
ones by inspecting network packets in near real-time without
impacting application performance.
 Authorized users are allowed secure access to assigned
network resources, but malicious actors are blocked,
preventing attacks and data loss.
 Cloud network security provides operational simplicity through
API and other software integration techniques across multiple
vendor platforms and virtualization solutions.
 They easily deploy scalable firewalls and virtual gateways to
achieve the enterprise-wide control required to perform network
 Cloud gateways and firewalls are similar in function and
capability to on-premises devices of the same name, often
running the exact same software but in cloud vendor
infrastructure VMs (virtual machines).
 Premium security services are engineered to auto-scale with
gateway load balancers, virtual WAN (wide area networks),
and other cloud infrastructures to ensure cost-efficient
delivery of resources.
What are the common threats to cloud networks?
 Cloud computing consists of a Front Door that faces the
internet, where customers, partners, prospects, and third-party
SaaS applications interact with cloud assets.
 This entry point is a high-traffic area, exposing the cloud
instance to a wide range of AI-based external threats from
across the world.
 Common Front Door attack vectors include exploiting software
weaknesses, such as the OWASP Top 10, known and unknown OSS
security vulnerabilities, DDoS attacks, insecure APIs, and
unauthorized access from misconfigured security settings.
 Your cloud security strategy should also include advanced
threat prevention and integration with WAF (Web Application
 This adds a crucial layer, protecting APIs and stopping attacks
like cross-site scripting (XSS), SQL injection, and other
application-layer threats before they reach cloud assets.
 The WAF inspects incoming requests and blocks any malicious
attempts to exploit vulnerabilities in the application code
base.
Cloud network security key capabilities
 Network security is a critical layer of defense for cloud
deployments, especially for smaller businesses where it may
be the only layer.
 Since cloud providers deploy a shared responsibility model,
customers of all sizes must protect their own data and
understand the security risk.
 So, cloud network security should protect against all known
and unknown threats requiring a wide range of capabilities,
including:
1) AI-powered threat prevention: To stay ahead of AI-enabled
attackers, you need advanced machine learning-based zero-
day, anti-phishing, and DNS security capabilities. As
cybercriminals leverage AI, so must security vendors build and
train their own proprietary AI inference engines.
3) SSL/TLS Traffic Inspection: Network traffic is often
encrypted, making it challenging to detect and block malicious
connections. Network security services need to provide
fast SSL/TLS traffic inspection with minimal latency.
4) Network Segmentation: Enables network macro-
segmentation and micro-segmentation in cloud environments.
This “fences off” network subnets from one another reducing
the potential threat blast radius if something does happen and
stopping lateral movement by an attacker if a breach occurs.
5) Automation: Cloud application infrastructure, often
container-based, can be ephemeral and highly dynamic
supporting fluctuating demand. A cloud network security
service must be responsive to support cloud native network
scaling and application load balancing.
6) Access Control: Governs access to the network, ensuring
that only authorized devices gain entry. Cloud network
security policies are enforced by cloud firewall and gateway
rules. Access control capabilities allow an organization to gain
visibility to cloud network traffic sources and destinations and
also limit network access to guests, contractors, and block
completely unauthorized or risky devices.
8) Third-Party Integrations: Cloud network security operates
within a cloud provider environment alongside their existing
tools and solutions. Integration with third-party solutions helps
to optimize configuration management, network
monitoring, and lowers costs through security automation.
9) Cloud VPNs: Cloud VPNs (virtual private networks) allow
organizations to securely scale access to their cloud-based
resources from a home or public Wi-Fi network, enabling
employees, partners, and customers to safely use critical
cloud resources regardless of location.
10) Content Sanitization: Rather than completely blocking
potentially malicious content, high quality cloud network
security services should be able to remove malicious,
executable content and provide users with access to sanitized
content.
11) Firewalls: Monitors, filters, and controls incoming and
outgoing network traffic based on predefined security rules.
Acting as a barrier between trusted internal and untrusted
external networks, it works by inspecting data packets and
choosing to block or allow them.
12) Gateways and Next-Generation Firewalls
(NGFW): Incorporate deep packet inspection to enable
13) Intrusion Prevention Systems (IPS): Detect and block
known and unknown threats before they can impact the
network core or edge devices. In addition to north/south
(internet to network) and east/west (within or between
networks) deep packet inspection, including inspection of
encrypted traffic, they can also provide virtual patching, which
mitigates vulnerabilities at the network level.
14) DNS and URL filtering: As part of a data loss
prevention strategy, Domain Name System (DNS) filtering
stops domain-based attacks, such as DNS hijacking, and
tunneling. URL filtering prevents users and applications from
accessing suspicious URLs linked to malicious sites or
cybercriminal activity.
15) Antivirus and Sandboxing: Antivirus and sandboxing tools
are key to determining whether a file is malicious. While
antivirus blocks known malware threats, sandboxing provides
a safe environment to analyze suspicious files. When a user
downloads an email attachment the antivirus scans it for
known attack signatures and behaviors. If a threat is found the
software quarantines or deletes the file. For an unknown file,
sandboxing isolates it in a protected space where it can be
tested to see if it’s malicious and blocked if necessary.
Benefits of cloud network security
 Consistent policy enforcement: Easily enforce consistent
corporate and security policies across on premises, hybrid and
multi-cloud environments. A cloud security solution integrated
with existing on-premises solutions enables more consistent
security controls and threat monitoring.
 Centralized security orchestration and
automation: Allows security teams to quickly identify and
respond to potential threats to on premises and cloud-based
infrastructure, critically important when security is a shared
responsibility with vendors.
 Clear security visibility: On premises and cloud security
monitoring and management is delivered from a unified
management interface. This simplifies threat prevention,
security monitoring, reporting, forensics, and remediation for
cloud environments while reducing risk and SecOps costs.
 Reduced risk from attacks and ransomware: Strong,
robust security measures and deep packet inspection coupled
with AI-powered threat analysis can ensure your data stays
protected, and you won’t be paying ransom to get it back.
 Enhanced compliance and data privacy: Proactively
 Improved business continuity: Protected networks are
more resilient against potential disruptions and experience
minimal downtime, leading to optimal revenue generation and
customer satisfaction levels.
 Better network and application performance: Network
security prevents bad actors from disabling the network
ensuring resources are running optimally and safe from
cyberattacks.
Challenges of cloud network security
 Accuracy – Reduction of False Positives
 Human Error
 Increasing outsider and Insider threats
 Affordability
What is private cloud vs. public cloud network security?
 Because the resources within a private cloud are typically
visible to and under the control of an organization and its IT
teams, private clouds inherently offer a greater degree of
network security.
 Public cloud providers offer their customers more limited
visibility into their cloud environments, and the multi-tenanted
What are best practices for cloud network security?


 Implement identity and access management (IAM)
systems. Identity and access control solutions block
unauthorized access and ensure that each user has permission
to access only the resources they need at any given time.
 Deploy continuous monitoring. Tools that continuously
scan virtual and physical systems for potential security threats
can help identify and remediate issues quickly.
 Train end users in security awareness. Many successful
cyberattacks and data breaches are the result of human error.
Training employees to understand and recognize threats can
help to significantly improve security posture.
 Rely on Zero Trust networks. Under the Zero Trust security
model, every user and application must be authenticated
before being granted access to data and cloud assets.
 Segment networks and assets. Fine-grained security
policies enable segmentation and microsegmentation solutions
to neutralize attackers that have successfully breached an
organization’s defenses, preventing threat actors from moving
laterally within an environment to access high-value targets.

Instance and Image Security


An Instance in Cloud
 Define Instance: A cloud instance is a virtual server in a cloud
computing environment. It is built and delivered by cloud
platforms such as Amazon Web Services. A cloud platform
offers computing resources & services.
 A workload can be hosted on one instance or on a group of
instances in a cluster.
 You can spread out the instances in different geographical
regions. In AWS, these are called Regions and Availability
Zones.
 The cloud provider also categorizes the instances based
on use cases.
 In AWS, the instance comes with different purchasing options.
It depends on your specific requirements.
Different Instance Types
 The cloud instance type offers different compute, memory,
and storage capabilities.

Instance Group: An instance group is a collection of virtual
machine instances managed as a single entity. It has the same
machine type, image, and the same configuration.

Instance Life Cycle

1. Provisioning: In this stage, the instances are prepared to
enter the running state. The computing resources are
allocated & configured at this stage.
2. Running: In this stage, the instances are running and ready
for use. You can start hosting the workloads on the instances.
3. Shutting Down: In some cases, the instance may fail a
status check or not run as expected. In this stage, the instance
is prepared to shut down.
4. Terminated: You can delete an instance when you no longer
require it. This is called the termination state of the instance.
1. Security services for instances
 We consider entropy to refer to the quality and source of
random data that is available to an instance. Cryptographic
technologies typically rely heavily on randomness, requiring a
high quality pool of entropy to draw from. It is typically hard
for a virtual machine to get enough entropy to support these
operations, which is referred to as entropy starvation. Entropy
starvation can manifest in instances as something seemingly
unrelated. For example, slow boot time may be caused by the
instance waiting for ssh key generation. Entropy starvation
may also motivate users to employ poor quality entropy
sources from within the instance, making applications running
in the cloud less secure overall.
 Fortunately, a cloud architect may address these issues by
providing a high quality source of entropy to the cloud
instances. This can be done by having enough hardware
random number generators (HRNG) in the cloud to support the
instances. In this case, “enough” is somewhat domain specific.
For everyday operations, a modern HRNG is likely to produce
enough entropy to support 50-100 compute nodes. High
bandwidth HRNGs, such as the RdRand instruction available
with Intel Ivy Bridge and newer processors, could potentially
2. Scheduling instances to nodes
 Before an instance is created, a host for the image
instantiation must be selected. This selection is performed by
the nova-scheduler which determines how to dispatch
compute and volume requests.
 The FilterScheduler is the default scheduler for OpenStack
Compute, although other schedulers exist. This works in
collaboration with ‘filter hints’ to decide where an instance
should be started.
Filter schedulers fall under four main categories:
A. Resource based filters: These filters will create an instance
based on the utilizations of the hypervisor host sets and can
trigger on free or used properties such as RAM, IO, or CPU
utilization.
B. Image based filters: This delegates instance creation based
on the image used, such as the operating system of the VM or
type of image used.
C. Environment based filters: This filter will create an
instance based on external details such as being in a specific
IP range, across availability zones, or on the same host as
another instance.
3. Trusted images
 In a cloud environment, users work with either pre-installed
images or images they upload themselves. In both cases,
users should be able to ensure the image they are utilizing has
not been tampered with. The ability to verify images is a
fundamental imperative for security.
 A chain of trust is needed from the source of the image to the
destination where it’s used. This can be accomplished by
signing images obtained from trusted sources and by verifying
the signature prior to use. Various ways to obtain and create
4. Image creation process
5. Image signature verification
6. Firewalls and other host-based security controls
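As an added illustration of the chain of trust described above (example code, not OpenStack's or AWS's own), the following Python models verify-before-use: a trusted source publishes a digest manifest for its images and authenticates it, and the consumer refuses to launch any image whose manifest or bytes fail verification. HMAC-SHA256 with a shared key is assumed here as a stand-in for the public-key signature (RSA, ECDSA or Ed25519, with the key held in a KMS/HSM) a production pipeline would use; the image bytes and key are constructed samples.

```python
"""Verify-before-use for cloud images (added example, not OpenStack/AWS code).

A trusted source digests each image, puts the digests in a manifest and
authenticates the manifest. Consumers verify the manifest first, then the
image bytes, and refuse to launch anything that fails. HMAC-SHA256 with a
shared key is used only so the example runs on the standard library; a
real chain of trust uses a public-key signature (RSA/ECDSA/Ed25519) so
that verifiers never hold the signing key.
"""
import hashlib
import hmac
import json
from typing import Any, Dict, Tuple

# Constructed samples: never hard-code a key outside a demo.
SIGNING_KEY = b"demo-signing-key-not-for-production"
TRUSTED_IMAGES: Dict[str, bytes] = {
    "ubuntu-22.04-base": b"\x7fELF" + b"\x00" * 64 + b"constructed-image-payload",
    "hardened-web": b"\x7fELF" + b"\x01" * 64 + b"another-constructed-payload",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(body: Dict[str, Any]) -> bytes:
    """Canonical JSON so signer and verifier hash byte-identical input."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def publish_manifest(images: Dict[str, bytes], key: bytes) -> Dict[str, Any]:
    """Trusted-source side: digest every image, then authenticate the manifest."""
    body = {"version": 1,
            "images": {name: sha256_hex(b) for name, b in images.items()}}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": tag}


def verify_manifest(manifest: Dict[str, Any], key: bytes) -> bool:
    """Consumer side: recompute the tag; constant-time compare avoids timing leaks."""
    expected = hmac.new(key, _canonical(manifest["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest.get("sig", ""))


def verify_image(manifest: Dict[str, Any], key: bytes,
                 name: str, data: bytes) -> Tuple[bool, str]:
    """Gate a launcher calls before booting an image. Manifest first: an
    unverified manifest could list an attacker's digest as trusted."""
    if not verify_manifest(manifest, key):
        return False, "manifest signature invalid"
    expected = manifest["body"]["images"].get(name)
    if expected is None:
        return False, "image not listed in trusted manifest"
    if not hmac.compare_digest(expected, sha256_hex(data)):
        return False, "image digest mismatch (tampered or corrupted)"
    return True, "verified"


MANIFEST = publish_manifest(TRUSTED_IMAGES, SIGNING_KEY)


def tampered(data: bytes) -> bytes:
    """Flip one bit of the last byte, as an in-transit modification might."""
    return data[:-1] + bytes([data[-1] ^ 0x01])


def forged_manifest(manifest: Dict[str, Any], name: str, data: bytes) -> Dict[str, Any]:
    """Attacker edits the manifest to bless their own image without the key."""
    body = json.loads(json.dumps(manifest["body"]))  # deep copy
    body["images"][name] = sha256_hex(data)
    return {"body": body, "sig": manifest["sig"]}  # old tag no longer matches


if __name__ == "__main__":
    good = TRUSTED_IMAGES["ubuntu-22.04-base"]
    print(verify_image(MANIFEST, SIGNING_KEY, "ubuntu-22.04-base", good))
    print(verify_image(MANIFEST, SIGNING_KEY, "ubuntu-22.04-base", tampered(good)))
    print(verify_image(forged_manifest(MANIFEST, "evil", b"x"), SIGNING_KEY, "evil", b"x"))
    print(verify_image(MANIFEST, SIGNING_KEY, "unknown-image", good))
```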
An Image in Cloud
 An Amazon Machine Image (AMI) is an image that provides the
software that is required to set up and boot an Amazon EC2
instance. Each AMI also contains a block device mapping that
specifies the block devices to attach to the instances that you
launch. You must specify an AMI when you launch an instance.
The AMI must be compatible with the instance type that you
chose for your instance. You can use an AMI provided by AWS,
a public AMI, an AMI that someone else shared with you, or an
AMI that you purchased from the AWS Marketplace.
An AMI is specific to the following:
 Region
 Operating system
 Processor architecture
 Root device type
 Virtualization type
 You can launch multiple instances from a single AMI when you
require multiple instances with the same configuration. You
can use different AMIs to launch instances when you require
instances with different configurations, as shown in the
following diagram.

 You can create an AMI from your Amazon EC2 instances and
then use it to launch instances with the same configuration.
You can copy an AMI to another AWS Region, and then use it to
launch instances in that Region. You can also share an AMI
that you created with other accounts so that they can launch
instances with the same configuration. You can sell your AMI
using the AWS Marketplace.

Identity and Access Management

 AWS (Amazon Web Services) allows you to maintain
fine-grained permissions for the AWS account and the services
provided by Amazon Cloud. You can manage permissions for
individual users, or you can manage permissions for sets of
users as groups; roles help you manage permissions to
resources.
 Identity and Access Management (IAM) is a combination
of policies and technologies that allows organizations to
identify users and provide the right form of access as and
when required. There has been a burst of new applications
in the market, and the requirement for organizations to use
these applications has increased drastically.
 The services and resources you want to access can be
specified in IAM. IAM doesn’t provide any replica or backup.
IAM can be used for many purposes, such as controlling
individual and group access to your AWS resources. With IAM
policies, managing permissions for your workforce and systems
to ensure least-privilege permissions
Components of Identity and Access Management (IAM)
IAM Identities Classified As
1. IAM Users
2. IAM Groups
3. IAM Roles
 Root User: The root user is created automatically and
granted unrestricted rights. We can create an admin user with
fewer powers to control the entire Amazon account.
 IAM Users: We can use IAM users to access the AWS
Console; their administrative permissions differ from those
of the root user, and we can keep track of their login
information.
Example
With the aid of IAM users, we can accomplish our goal of
giving a specific person access to every service available in
the Amazon dashboard with only a limited set of permissions,
such as read-only access. Let’s say user-1 is a user that I want
to have read-only access to the EC2 instance and no
additional permissions, such as create, delete, or update. By
creating an IAM user and attaching user-1 to that IAM user, we
 IAM Groups: A group is a collection of users, and a single
person can be a member of several groups. With the aid of
groups, we can manage permissions for many users quickly
and efficiently.
Example
Consider two users named user-1 and user-2. If we want to
grant user-1 specific permissions, such as the ability to delete,
create, and update the auto-scaling group only, and if we want
to grant user-2 all the permissions necessary to maintain the
auto-scaling group as well as the ability to maintain EC2 and
S3, we can create groups and add these users to them. If a new
user is added, we can add that user to the required group with
the necessary permissions.
 IAM Roles
While policies cannot be attached directly to any of the
services accessible through the Amazon dashboard, IAM roles
are similar to IAM users in that they may be assumed by
anybody who requires them. By using roles, we can grant AWS
services access rights to other AWS services.
 Example
 Consider Amazon EKS. In order to maintain an autoscaling
 IAM Policies
IAM policies manage access to AWS by being attached to IAM
identities or resources. An IAM policy defines the permissions
of AWS identities and AWS resources; when a user or any
resource makes a request, AWS validates these policies and
confirms whether the request is to be allowed or denied. AWS
policies are stored in JSON format. The number of policies
attached to a particular IAM identity depends on the number
of permissions required for that identity; an IAM identity can
have multiple policies attached to it.
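To make the allow/deny evaluation concrete, here is an added example (not AWS code) that models how identity-based IAM policies are evaluated: a request is denied by default, a matching Allow statement grants it, and any matching explicit Deny overrides. The sample policies are constructed around the page's user-1 scenario (read-only EC2); Condition, NotAction/NotResource, resource-based policies, permission boundaries and SCPs are assumed out of scope.

```python
"""Simplified model of IAM policy evaluation (added example, not AWS code).

Decision order implemented: an explicit Deny that matches the request
wins; otherwise at least one matching Allow is required; otherwise the
request is implicitly denied. Only Effect/Action/Resource with IAM-style
wildcards ('*' and '?') are modelled; Condition, NotAction, NotResource,
resource-based policies, permission boundaries and SCPs are out of scope.
"""
import json
import re
from typing import Any, Dict, List, Tuple

# Constructed sample: the "user-1" scenario from the text (read-only EC2),
# plus a narrow S3 read and an explicit Deny guarding a sensitive prefix.
USER1_POLICIES: List[Dict[str, Any]] = [
    json.loads("""{
      "Version": "2012-10-17",
      "Statement": [
        {"Sid": "Ec2ReadOnly", "Effect": "Allow",
         "Action": "ec2:Describe*", "Resource": "*"},
        {"Sid": "BucketRead", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket",
                      "arn:aws:s3:::example-bucket/*"]}
      ]
    }"""),
    json.loads("""{
      "Version": "2012-10-17",
      "Statement": [
        {"Sid": "NoSecrets", "Effect": "Deny",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/secret/*"}
      ]
    }"""),
]


def _as_list(value: Any) -> List[Any]:
    """IAM accepts a single string or a list for Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def glob_match(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """IAM wildcard matching: '*' matches any run of characters (including
    ':' and '/'), '?' matches exactly one character; everything else is literal."""
    regex = ".*".join(
        "".join("." if ch == "?" else re.escape(ch) for ch in chunk)
        for chunk in pattern.split("*"))
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def statement_matches(stmt: Dict[str, Any], action: str, resource: str) -> bool:
    """A statement applies when both its Action and Resource match the request.
    Action names are case-insensitive in IAM; ARNs are case-sensitive."""
    action_ok = any(glob_match(a, action, ignore_case=True)
                    for a in _as_list(stmt.get("Action", [])))
    resource_ok = any(glob_match(r, resource)
                      for r in _as_list(stmt.get("Resource", [])))
    return action_ok and resource_ok


def evaluate(policies: List[Dict[str, Any]], action: str, resource: str) -> Tuple[str, str]:
    """Return (decision, reason) for one request against identity-based policies."""
    allow_sid = None
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not statement_matches(stmt, action, resource):
                continue
            sid = stmt.get("Sid", "<no Sid>")
            if stmt["Effect"] == "Deny":
                # An explicit Deny overrides any Allow, wherever it appears.
                return "Deny", "explicit deny by statement " + sid
            allow_sid = allow_sid or sid
    if allow_sid:
        return "Allow", "explicit allow by statement " + allow_sid
    return "Deny", "implicit deny: no statement allows this request"


if __name__ == "__main__":
    # Requests a read-only user should and should not be able to make.
    for act, res in [("ec2:DescribeInstances", "*"),
                     ("ec2:TerminateInstances", "*"),
                     ("s3:GetObject", "arn:aws:s3:::example-bucket/public/readme.txt"),
                     ("s3:GetObject", "arn:aws:s3:::example-bucket/secret/db.key"),
                     ("iam:CreateUser", "*")]:
        print(f"{act:24} {res:50} -> {evaluate(USER1_POLICIES, act, res)}")
```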
Benefits of IAM Systems
 Enhanced Security: IAM prevents unauthorized access to
sensitive data and systems, thus minimizing the access of the
unauthorized personnel.
 Improved Compliance: It also guarantees that the
organization complies with the legal requirements concerning
the access control as well as the tracking of activities
performed by the users.
 Increased Productivity: Automates processes of the
management of users and access, thus minimizing the
IAM Features
I. Shared Access to your Account: A team working on a
project can easily share resources with the help of the shared
access feature.
II. Free of cost: The IAM feature of the AWS account is free to
use; charges are added only when you access other Amazon
web services using IAM users.
III. Centralized control over your AWS account: Any creation
of users or groups, or any form of cancellation, that takes
place in the AWS account is controlled by you, and you
control what data can be accessed by the user and how.
IV. Grant permission to the user: As the root account holds
administrative rights, the user is granted permission to
access certain services by IAM.
V. Multifactor Authentication: An additional layer of security
is implemented on your account by a third party: a six-digit
number that you have to enter along with your password when
you log into your account.
Data Security for the Cloud
"Data security for the cloud" refers to the practices and
technologies used to protect sensitive data stored and
processed in cloud computing environments. It ensures the
data's confidentiality, integrity, and availability by
implementing measures such as encryption, access controls,
data classification, and monitoring to prevent unauthorized
access, data breaches, and data loss, while maintaining
compliance with relevant regulations.
Key aspects of cloud data security:
Encryption:
 Encrypting data both at rest (stored on cloud servers) and in
transit (during data transfer) using strong algorithms like AES-
256 to scramble data and make it unreadable without the
decryption key.
Identity and Access Management (IAM):
 Implementing robust user authentication and authorization
controls to limit access to sensitive data only to authorized
users based on their roles and permissions.
Data Classification:
Access Controls:
 Implementing granular access controls to restrict who can
access, modify, or delete data depending on their role and
need-to-know basis.
Data Loss Prevention (DLP):
 Utilizing tools to detect and prevent sensitive data leaks by
monitoring data usage and implementing policies to restrict
unauthorized data transfers.
Monitoring and Logging:
 Continuously monitoring cloud environments for suspicious
activities, unusual access patterns, and potential security
threats to detect and respond to incidents promptly.
Data Backup and Recovery:
 Regularly backing up cloud data to ensure the ability to
restore critical information in case of a system failure or
cyberattack.
Compliance with Regulations:
 Adhering to relevant data privacy regulations like GDPR,
HIPAA, and CCPA depending on the type of data being stored
and processed.
Application Security for the Cloud
"Application Security for the Cloud" refers to the practice of
protecting cloud-based applications by implementing security
measures that safeguard data, user access, and the application
itself from potential threats, including unauthorized access,
data breaches, and vulnerabilities. It leverages security
controls designed for cloud environments, such as identity and
access management (IAM), encryption, vulnerability scanning,
and robust logging mechanisms.
Key aspects of Cloud Application Security:
 Identity and Access Management (IAM): Securely
managing user identities and access levels to cloud
applications through strong authentication methods like multi-
factor authentication (MFA) and granular permission controls.
 Data Encryption: Encrypting sensitive data both at rest and
in transit to protect against unauthorized access even if a
breach occurs.
 Vulnerability Management: Regularly scanning applications
for potential vulnerabilities and promptly patching them to
mitigate risks.
 Secure Development Practices: Implementing secure
 Network Security: Securing network connections between
cloud services and on-premises systems with firewalls,
intrusion detection/prevention systems (IDS/IPS), and network
segmentation.
 Logging and Monitoring: Implementing robust logging
systems to track user activity and detect suspicious behavior,
enabling timely threat detection and incident response.
 Compliance Management: Adhering to relevant industry
regulations and compliance standards related to data privacy
and security.
Challenges in Cloud Application Security:
 Shared Responsibility Model: Understanding the division of
security responsibilities between the cloud provider and the
application owner.
 Complexity of Cloud Environments: Managing security across
diverse cloud services and infrastructure components.
 Rapid Innovation: Keeping up with the latest cloud
technologies and security best practices.
Benefits of Cloud Application Security:
 Improved Data Protection: Enhanced security measures to
safeguard sensitive data from unauthorized access.
 Reduced Risk of Breaches: Proactive identification and
mitigation of vulnerabilities to prevent data breaches.
 Enhanced Compliance: Meeting industry regulations and
compliance requirements.
 Operational Efficiency: Streamlined security management
across cloud environments.
Provider Security: Cloud Risk Assessment
A "Provider Security: Cloud Risk Assessment" is a process in
which an organization evaluates the security posture of its
cloud service provider by examining the provider's
infrastructure, configurations, and practices to identify
potential vulnerabilities and risks, so that it can understand
and mitigate potential threats to the data it stores in the
cloud.
Key aspects of a cloud risk assessment:
 Identifying cloud assets: Cataloging all data, applications,
and systems residing in the cloud to understand the scope of
 Analyzing cloud configurations: Reviewing settings and
configurations within the cloud environment to identify any
misconfigurations that could expose sensitive information.
 Evaluating access controls: Assessing the effectiveness of
user authentication, authorization, and privilege management
mechanisms to prevent unauthorized access.
 Data encryption practices: Examining how data is
encrypted at rest and in transit to protect against
unauthorized access even if breached.
 Compliance with standards: Checking whether the cloud
provider adheres to relevant industry security standards and
regulations like HIPAA, GDPR, or SOC 2.
 Incident response capabilities: Evaluating the provider's
plan for responding to security incidents and data breaches.
 Data sovereignty concerns: Assessing where data is stored
geographically and whether it complies with data residency
requirements.
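The configuration-review part of the assessment checklist above, as an added example that is not from the original slides: a check over a constructed asset inventory that flags public exposure, missing encryption at rest or in transit, a privileged user without MFA, disabled access logging, and data held outside an allowed region. The inventory field names, asset IDs and allowed regions are assumptions, not any provider's API.

```python
"""Configuration review step of a cloud risk assessment over a constructed
inventory of cloud assets. Added example with an assumed inventory schema;
it reports the misconfigurations the assessment checklist names, not every
check a real assessment would run."""

ALLOWED_REGIONS = {"eu-west-1", "eu-central-1"}  # constructed data-residency rule

# Constructed inventory, as the asset-cataloguing step would produce it.
INVENTORY = [
    {"id": "bucket/customer-exports", "type": "storage", "region": "eu-west-1",
     "public": True, "encrypted_at_rest": False, "tls_only": False,
     "access_logging": True},
    {"id": "db/orders", "type": "database", "region": "us-east-1",
     "public": False, "encrypted_at_rest": True, "tls_only": True,
     "access_logging": False},
    {"id": "user/admin-bob", "type": "user", "region": None,
     "admin": True, "mfa_enabled": False},
    {"id": "bucket/static-site-assets", "type": "storage", "region": "eu-central-1",
     "public": True, "encrypted_at_rest": True, "tls_only": True,
     "access_logging": True, "public_by_design": True},
]


def assess(inventory, allowed_regions=ALLOWED_REGIONS):
    """Return a list of (asset_id, severity, finding) tuples."""
    findings = []
    for asset in inventory:
        aid = asset["id"]
        if asset["type"] == "user":  # access-control checks for identities
            if asset.get("admin") and not asset.get("mfa_enabled"):
                findings.append((aid, "high", "privileged user without MFA"))
            continue
        if asset.get("public") and not asset.get("public_by_design"):
            findings.append((aid, "high", "publicly accessible data store"))
        if not asset.get("encrypted_at_rest"):
            findings.append((aid, "high", "no encryption at rest"))
        if not asset.get("tls_only"):
            findings.append((aid, "medium", "unencrypted transport permitted"))
        if not asset.get("access_logging"):
            findings.append((aid, "medium", "access logging disabled"))
        if asset["region"] not in allowed_regions:  # data sovereignty check
            findings.append((aid, "high", f"stored in {asset['region']}, outside allowed regions"))
    return findings
```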
Thank you