Security Architecture In Cloud || Data Security || Application Security || Virtual Machine Security

In cloud security architecture, responsibility is shared between the cloud provider and customer. The more organizations shift and share their data in the cloud, the more important it becomes to have a security architecture in place to secure that data.
The cloud can be delivered in multiple formats. As such, cloud security architectures are designed to work in a combination of software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS) environments -- in addition to areas such as the public or private cloud.
The goal of a cloud security architecture is met through a series of functional elements. These elements are often considered separately rather than as part of a coordinated architectural plan. They include access security or access control, network security, application security and contractual security, as well as monitoring, sometimes called service security. Finally, there's data protection: the measures that are applied at the protected-asset level.
A complete cloud security architecture addresses the goals by uniting the functional elements.
  • A security architecture framework should be established with consideration of processes (enterprise authentication and authorization, access control, confidentiality, integrity, nonrepudiation, security management, etc.), operational procedures, technology specifications, people and organizational management, and security program compliance and reporting. 
  • A security architecture document should be developed that defines security and privacy principles to meet business objectives. 
  • Documentation is required for management controls and metrics specific to asset classification and control, physical security, system access controls, network and computer management, application development and maintenance, business continuity, and compliance. 
  • A design and implementation program should also be integrated with the formal system development life cycle to include a business case, requirements definition, design, and implementation plans. 
  • Technology and design methods should be included, as well as the security processes necessary to provide the following services across all technology layers: 
1. Authentication 
2. Authorization 
3. Availability 
4. Confidentiality 
5. Integrity 
6. Accountability 
7. Privacy 
  • The creation of a secure architecture provides the engineers, data center operations personnel, and network operations personnel a common blueprint to design, build, and test the security of the applications and systems. 
  • Design reviews of new changes can be better assessed against this architecture to assure that they conform to the principles described in the architecture, allowing for more consistent and effective design reviews.
6.3.22 Data Security 
  • The ultimate challenge in cloud computing is data-level security, and sensitive data is the domain of the enterprise, not the cloud computing provider. 
  • Security will need to move to the data level so that enterprises can be sure their data is protected wherever it goes. 
  • For example, with data-level security, the enterprise can specify that this data is not allowed to go outside of the United States. It can also force encryption of certain types of data, and permit only specified users to access the data. It can provide compliance with the Payment Card Industry Data Security Standard (PCI DSS). True unified end-to-end security in the cloud will likely require an ecosystem of partners.
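
The three controls named above (residency, forced encryption, and a user allow-list) can be expressed as a policy bound to the data's classification rather than to the network it sits on. The following is an added example, not code from the original page; the labels, region names, and principals are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed mapping of cloud regions to countries (assumption for this example).
REGION_COUNTRY = {"us-east": "US", "us-west": "US", "eu-central": "DE"}


@dataclass(frozen=True)
class DataPolicy:
    allowed_countries: frozenset  # residency: where the data may be stored or sent
    require_encryption: bool      # data must be encrypted when stored or moved
    allowed_users: frozenset      # only these principals may access the data


@dataclass(frozen=True)
class Transfer:
    user: str          # principal requesting the data
    dest_region: str   # region the data would be written or sent to
    encrypted: bool    # whether the copy or channel is encrypted


# Hypothetical classification labels. The policy follows the data class,
# so it applies the same way on-premises and in any cloud.
POLICIES = {
    "cardholder": DataPolicy(frozenset({"US"}), True, frozenset({"billing-svc"})),
    "marketing": DataPolicy(frozenset({"US", "DE"}), False,
                            frozenset({"billing-svc", "web-svc"})),
}


def evaluate(label, transfer):
    """Return (allowed, reasons). Unknown labels and regions fail closed."""
    policy = POLICIES.get(label)
    if policy is None:
        return False, ["no policy for label %r: unclassified data is denied" % label]

    reasons = []
    country = REGION_COUNTRY.get(transfer.dest_region)
    if country is None:
        reasons.append("unknown region %r: residency cannot be verified"
                       % transfer.dest_region)
    elif country not in policy.allowed_countries:
        reasons.append("residency: %s is outside the allowed countries" % country)
    if policy.require_encryption and not transfer.encrypted:
        reasons.append("encryption is required for this data class")
    if transfer.user not in policy.allowed_users:
        reasons.append("user %r is not on the allow-list" % transfer.user)
    return not reasons, reasons


if __name__ == "__main__":
    for t in (Transfer("billing-svc", "us-east", True),
              Transfer("web-svc", "eu-central", False)):
        print(t, evaluate("cardholder", t))
```

Every violated rule is reported rather than only the first, which gives an auditor the full picture of why a transfer was refused.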

6.3.23 Application Security 
  • Application security is one of the critical success factors for a world-class SaaS company. This is where the security features and requirements are defined and application security test results are reviewed. Application security processes, secure coding guidelines, training, and testing scripts and tools are typically a collaborative effort between the security and the development teams. Although product engineering will likely focus on the application layer, the security design of the application itself, and the infrastructure layers interacting with the application, the security team should provide the security requirements for the product development engineers to implement. This should be a collaborative effort between the security and product development team. External penetration testers are used for application source code reviews, and attack and penetration tests provide an objective review of the security of the application as well as assurance to customers that attack and penetration tests are performed regularly. Fragmented and undefined collaboration on application security can result in lower-quality design, coding efforts, and testing results. 

Since many connections between companies and their SaaS providers are through the web, providers should secure their web applications by following Open Web Application Security Project (OWASP) guidelines for secure application development (mirroring Requirement 6.5 of the PCI DSS, which mandates compliance with OWASP coding practices) and locking down ports and unnecessary commands on Linux, Apache, MySQL, and PHP (LAMP) stacks in the cloud, just as you would on-premises. LAMP is an open-source web development platform, also called a web stack, that uses Linux as the operating system, Apache as the web server, MySQL as the relational database management system (RDBMS), and PHP as the object-oriented scripting language. Perl or Python is often substituted for PHP.

6.3.24 Virtual Machine Security 
In the cloud environment, physical servers are consolidated to multiple virtual machine instances on virtualized servers. Not only can data center security teams replicate typical security controls for the data center at large to secure the virtual machines, they can also advise their customers on how to prepare these machines for migration to a cloud environment when appropriate. 

Firewalls, intrusion detection and prevention, integrity monitoring, and log inspection can all be deployed as software on virtual machines to increase protection and maintain compliance integrity of servers and applications as virtual resources move from on-premises to public cloud environments. By deploying this traditional line of defense to the virtual machine itself, you can enable critical applications and data to be moved to the cloud securely. To facilitate the centralized management of a server firewall policy, the security software loaded onto a virtual machine should include a bidirectional stateful firewall that enables virtual machine isolation and location awareness, thereby enabling a tightened policy and the flexibility to move the virtual machine from on-premises to cloud resources. Integrity monitoring and log inspection software must be applied at the virtual machine level. 

This approach to virtual machine security, which connects the machine back to the mother ship, has some advantages in that the security software can be put into a single software agent that provides for consistent control and management throughout the cloud while integrating seamlessly back into existing security infrastructure investments, providing economies of scale, deployment, and cost savings for both the service provider and the enterprise. 


In the cloud environment, where services are offered on demand and can continuously evolve, aspects of current models such as trust assumptions, privacy implications, and operational aspects of authentication and authorization will be challenged. Meeting these challenges will require a balancing act for SaaS providers as they evaluate new models and management processes for IAM to provide end-to-end trust and identity throughout the cloud and the enterprise. Another issue will be finding the right balance between usability and security. If a good balance is not achieved, both business and IT groups may be affected by barriers to completing their support and maintenance activities efficiently.

Software-as-a-Service Security

  • Cloud computing models of the future will likely combine the use of SaaS (and other XaaS’s as appropriate), utility computing, and Web 2.0 collaboration technologies to leverage the Internet to satisfy their customers’ needs. 
  • New business models being developed as a result of the move to cloud computing are creating not only new technologies and business operational processes but also new security requirements and challenges.
  • As the most recent evolutionary step in the cloud service model, SaaS will likely remain the dominant cloud service model for the foreseeable future and the area where the most critical need for security practices and oversight will reside.
SaaS providers handle much of the security for a cloud application. The SaaS provider is responsible for securing the platform, network, applications, operating system, and physical infrastructure. However, providers are not responsible for securing customer data or user access to it. Some providers offer a bare minimum of security, while others offer a wide range of SaaS security options.

Just as with a managed service provider, corporations or end users will need to research vendors’ policies on data security before using vendor services to avoid losing or not being able to access their data. The technology analyst and consulting firm Gartner lists seven security issues which one should discuss with a cloud-computing vendor:

1. Privileged user access—Inquire about who has specialized access to data, and about the hiring and management of such administrators.

2. Regulatory compliance—Make sure that the vendor is willing to undergo external audits and/or security certifications.

3. Data location—Does the provider allow for any control over the location of data?

4. Data segregation—Make sure that encryption is available at all stages, and that these encryption schemes were designed and tested by experienced professionals.

5. Recovery—Find out what will happen to data in the case of a disaster. Do they offer complete restoration? If so, how long would that take?

6. Investigative support—Does the vendor have the ability to investigate any inappropriate or illegal activity?

7. Long-term viability—What will happen to data if the company goes out of business? How will data be returned, and in what format?


Below are SaaS security practices that organizations can adopt to protect data in their SaaS applications.

  • Detect rogue services and compromised accounts 
The average organization uses 1,935 unique cloud services. Unfortunately, IT departments believe they use only 30 cloud services, according to the 2019 McAfee Cloud Adoption and Risk Report. Moreover, nearly 9% of those cloud services were rated as high-risk services. Organizations can use tools such as cloud access security brokers (CASBs) to audit their networks for unauthorized cloud services and compromised accounts.
  • Apply identity and access management (IAM) 
A role-based identity and access management solution can ensure that end users do not gain access to more resources than they require for their jobs. IAM solutions use processes and user access policies to determine what files and applications a particular user can access. An organization can apply role-based permissions to data so that end users will see only the data they're authorized to view.
  • Encrypt cloud data 
Data encryption protects both data at rest (in storage) and data in transit between the end user and the cloud or between cloud applications. Government regulations usually require encryption of sensitive data. Sensitive data includes financial information, healthcare data, and personally identifiable information (PII). While a SaaS vendor may provide some type of encryption, an organization can enhance data security by applying its own encryption, such as by implementing a cloud access security broker (CASB).
  • Enforce data loss prevention (DLP) 
DLP software monitors for sensitive data within SaaS applications or outgoing transmissions of sensitive data and blocks the transmission. DLP software detects and prevents sensitive data from being downloaded to personal devices and blocks malware or hackers from attempting to access and download data.
  • Monitor collaborative sharing of data 
Collaboration controls can detect granular permissions on files that are shared with other users, including users outside the organization who access the file through a web link. Employees may inadvertently or intentionally share confidential documents through email, team spaces, and cloud storage sites such as Dropbox.
  • Check provider's security 
The Cloud Adoption and Risk Report surveyed respondents on their trust of cloud providers' security. It found that nearly 70% of them trust their providers to secure their data. However, only 8% of cloud services actually meet the data security requirements defined in the CloudTrust Program. Only 1 in 10 providers encrypt data at rest, and just 18% support multifactor authentication. Clearly, not all of that customer trust is deserved. An audit of a SaaS provider can include checks on its compliance with data security and privacy regulations, data encryption policies, employee security practices, cybersecurity protection, and data segregation policies.

SaaS security solutions: Several types of security solutions can help organizations improve SaaS security. The solutions can be implemented separately or together as part of a CASB.
  • Data loss prevention (DLP) safeguards intellectual property and protects sensitive data in cloud applications, as well as at endpoints such as laptops. Organizations can define data access policies that DLP enforces.
  • Compliance solutions provide controls and reporting capabilities to ensure compliance with government and industry regulations.
  • Advanced malware prevention includes technologies such as behavioral analytics and real-time threat intelligence that can help detect and block zero-day attacks and malicious files that may be spread through cloud email and file sharing applications.
  • Cloud access security brokers (CASBs) protect enterprise data and users across all cloud services, including SaaS, PaaS, and IaaS. According to Gartner's Magic Quadrant for Cloud Access Security Brokers, CASBs detect threats and provide IT departments with greater visibility into data usage and user behavior for cloud services, end users, and devices. CASBs also act immediately to remediate security threats by eliminating security misconfigurations and correcting high-risk user activities in applications. CASBs provide a variety of security services, including:
    • Monitoring for unauthorized cloud services
    • Enforcing data security policies including encryption
    • Collecting details about users who access data in cloud services from any device or location
    • Restricting access to cloud services based on the user, device, and application
    • Providing compliance reporting

CASB solutions, which are typically SaaS applications, may provide additional capabilities. These may include:

  • File encryption
  • Pre-built policy templates to guide IT staff through the process of policy creation
  • User entity behavior analytics (UEBA) backed by machine learning
  • In-application coaching to help end users learn improved security practices
  • Security configuration audits to suggest changes to security settings based on best practices

IT departments can learn to protect their cloud applications and data by following cloud security best practices and implementing effective SaaS security solutions.

6.3.2 Security Governance

A security steering committee should be developed whose objective is to focus on providing guidance about security initiatives and alignment with business and IT strategies. A charter for the security team is typically one of the first deliverables from the steering committee. This charter must clearly define the roles and responsibilities of the security team and other groups involved in performing information security functions. Lack of a formalized strategy can lead to an unsustainable operating model and security level as it evolves. In addition, lack of attention to security governance can result in key needs of the business not being met, including but not limited to, risk management, security monitoring, application security, and sales support. Lack of proper governance and management of duties can also result in potential security risks being left unaddressed and opportunities to improve the business being missed because the security team is not focused on the key security functions and activities that are critical to the business.

6.3.3 Risk Management

Effective risk management entails identification of technology assets; identification of data and its links to business processes, applications, and data stores; and assignment of ownership and custodial responsibilities. Actions should also include maintaining a repository of information assets. Owners have authority and accountability for information assets including protection requirements, and custodians implement confidentiality, integrity, availability, and privacy controls. A formal risk assessment process should be created that allocates security resources linked to business continuity.

6.3.10 Security Monitoring and Incident Response 
Centralized security information management systems should be used to provide notification of security vulnerabilities and to monitor systems continuously through automated technologies to identify potential issues. They should be integrated with network and other systems monitoring processes (e.g., security information management, security event management, security information and event management, and security operations centers that use these systems for dedicated 24/7/365 monitoring). Management of periodic, independent third-party security testing should also be included. Many of the security threats and issues in SaaS center around application and data layers, so the types and sophistication of threats and attacks for a SaaS organization require a different approach to security monitoring than traditional infrastructure and perimeter monitoring. The organization may thus need to expand its security monitoring capabilities to include application- and data-level activities. This may also require subject-matter experts in applications security and the unique aspects of maintaining privacy in the cloud. Without this capability and expertise, a company may be unable to detect and prevent security threats and attacks to its customer data and service stability. 

Security in Cloud : Cloud Security Challenges

Security in cloud computing is a major concern. Data in the cloud should be stored in encrypted form. To restrict clients from accessing the shared data directly, proxy and brokerage services should be employed.

Cloud security refers to a broad set of policies, technologies, applications, and controls utilized to protect virtualized IP, data, applications, services, and the associated infrastructure of cloud computing.

Cloud Security Challenges

With the cloud model, you lose control over physical security. In a public cloud, you are sharing computing resources with other companies. In a shared pool outside the enterprise, you don’t have any knowledge or control of where the resources run. Exposing your data in an environment shared with other companies could give the government “reasonable cause” to seize your assets because another company has violated the law. Simply sharing the environment in the cloud may put your data at risk of seizure.

1. Data breaches

  • A data breach is a security violation, in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so. Other terms are unintentional information disclosure, data leak, information leakage, and data spill.
  • Traditionally, IT professionals have had great control over the network infrastructure and physical hardware (firewalls, etc.) securing proprietary data. 
  • In the cloud (in all scenarios, including private cloud, public cloud, and hybrid cloud situations), some of those security controls are relinquished (that is, voluntarily given up) to a trusted partner, meaning cloud infrastructure can increase security risks. 
  • Choosing the right vendor, with a strong record of implementing strong security measures, is vital to overcoming this challenge.

Consequences of a data breach may include:

  • Impact to reputation and trust of customers or partners
  • Loss of intellectual property (IP) to competitors, which may impact product releases
  • Regulatory implications that may result in monetary loss
  • Brand impact which may cause a market value decrease due to previously listed reasons
  • Legal and contractual liabilities
  • Financial expenses incurred due to incident response and forensics

2. DDoS and Denial-of-Service Attacks

  • As more and more businesses and operations move to the cloud, cloud providers are becoming a bigger target for malicious attacks. 
  • Distributed denial of service (DDoS) attacks are more common than ever before.
  • Verisign reported that IT services, cloud platforms (PaaS) and SaaS was the most frequently targeted industry during the first quarter of 2015.
  • A DDoS attack is designed to overwhelm website servers so they can no longer respond to legitimate user requests. 
  • If a DDoS attack is successful, it renders a website useless for hours, or even days. This can result in a loss of revenue, customer trust and brand authority.
  • Complementing cloud services with DDoS protection is no longer just a good idea for the enterprise; it’s a necessity. 
  • Websites and web-based applications are core components of 21st century business and require state-of-the-art cybersecurity.

3. Lack of Cloud Security Architecture and Strategy

  • Worldwide, organizations are migrating portions of their IT infrastructure to public clouds. 
  • One of the biggest challenges during this transition is the implementation of appropriate security architecture to withstand cyber attacks. 
  • Unfortunately, this process is still a mystery for many organizations.
  • Data are exposed to different threats when organizations assume that cloud migration is a “lift-and-shift” endeavor of simply porting their existing IT stack and security controls to a cloud environment.
  • A lack of understanding of the shared security responsibility model is another contributing factor.

4. Insecure access control points

  • One of the great benefits of the cloud is it can be accessed from anywhere and from any device. But, what if the interfaces and particularly the application programming interfaces (APIs) users interact with aren’t secure? 
  • Cloud computing providers expose a set of software user interfaces (UIs) and APIs to allow customers to manage and interact with cloud services. 
  • The security and availability of general cloud services are dependent on the security of these APIs. 
  • From authentication and access control to encryption and activity monitoring, these interfaces must be designed to protect against both accidental and malicious attempts to circumvent the security policy.
  • Poorly designed APIs could lead to misuse or—even worse—a data breach. Broken, exposed, or hacked APIs have caused some major data breaches. 
  • Organizations must understand the security requirements around designing and presenting these interfaces on the internet.
  • Hackers can find and gain access to these types of vulnerabilities and exploit authentication via APIs if given enough time.

Insecure Access Points

A behavioral web application firewall examines HTTP requests to a website to ensure they are legitimate traffic. This always-on device helps protect web applications and APIs from security breaches within cloud environments and data centers that are not on-premises.

5. Notifications and alerts

  • Awareness and proper communication of security threats is a cornerstone of network security and the same goes for cloud computing security. 
  • Alerting the appropriate website or application managers as soon as a threat is identified should be part of a thorough data security and access management plan. 
  • Speedy mitigation of a threat relies on clear and prompt communication so steps can be taken by the proper entities and impact of the threat minimized.

6. Insufficient Identity, Credential, Access and Key Management

Cloud computing introduces multiple changes to traditional internal system management practices related to identity and access management (IAM). It isn’t that these are necessarily new issues. Rather, they are more significant issues when dealing with the cloud because cloud computing profoundly impacts identity, credential and access management. In both public and private cloud settings, CSPs and cloud consumers are required to manage IAM without compromising security.

7. Account Hijacking

  • Account hijacking is a threat in which malicious attackers gain access to and abuse accounts that are highly privileged or sensitive. 
  • In cloud environments, the accounts with the highest risks are cloud service accounts or subscriptions. 
  • Phishing attacks, exploitation of cloud-based systems, or stolen credentials can compromise these accounts.

8. Limited Cloud Usage Visibility

Limited cloud usage visibility occurs when an organization does not possess the ability to visualize and analyze whether cloud service use within the organization is safe or malicious. 

This concept is broken down into two key challenges.

Un-sanctioned app use: This occurs when employees are using cloud applications and resources without the specific permission and support of corporate IT and security. This scenario results in a self-support model called Shadow IT. When insecure cloud services activity does not meet corporate guidelines, this behavior is risky— especially when paired with sensitive corporate data. Gartner predicts that by 2020, one-third of all successful security attacks on companies will come through shadow IT systems and resources.

Sanctioned app misuse: Organizations are often unable to analyze how their approved applications are being leveraged by insiders who use a sanctioned app. Frequently, this use occurs without the explicit permission of the company, or by external threat actors who target the service using methods such as credential theft, Structured Query Language (SQL) injection, Domain Name System (DNS) attacks and more.
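
The audit that both the "Detect rogue services and compromised accounts" practice and the un-sanctioned app use challenge above call for can be sketched as a scan of web-proxy logs against the list of approved services. This is an added example, not code from the original page or from any CASB product; the log format, service domains, and risk ratings are constructed for illustration.

```python
from collections import defaultdict

# Constructed inventory of services approved by IT (assumption).
SANCTIONED = {"mail.corp.example", "crm-suite.example"}
# Constructed risk rating: unsanctioned services already rated high-risk.
HIGH_RISK = {"free-fileshare.example"}

# Constructed proxy log lines: timestamp user destination_host bytes_uploaded
SAMPLE_LOG = """\
2024-05-01T09:00:01Z alice app.crm-suite.example 1200
2024-05-01T09:02:10Z bob up.free-fileshare.example 52428800
2024-05-01T09:05:44Z carol notes-app.example 2048
2024-05-01T09:06:00Z bob up.free-fileshare.example 1048576
2024-05-01T09:07:30Z dave notcrm-suite.example 900
malformed line without enough fields
2024-05-01T09:09:00Z alice mail.corp.example 300
"""


def match_service(host, services):
    """Return the service whose domain equals host or is a parent of it.

    Matching on a label boundary keeps look-alike hosts such as
    'notcrm-suite.example' from passing as 'crm-suite.example'.
    """
    host = host.lower().rstrip(".")
    for svc in services:
        if host == svc or host.endswith("." + svc):
            return svc
    return None


def audit(log_text):
    """Summarise traffic to services that are not on the sanctioned list.

    Returns (findings, skipped): findings maps each unsanctioned service to
    its users, total bytes uploaded and high-risk flag; skipped counts the
    lines that could not be parsed, so gaps in coverage stay visible.
    """
    findings = defaultdict(
        lambda: {"users": set(), "bytes_up": 0, "high_risk": False})
    skipped = 0
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            skipped += 1
            continue
        _, user, host, size = parts
        if match_service(host, SANCTIONED):
            continue  # approved service, nothing to report
        svc = match_service(host, HIGH_RISK) or host.lower().rstrip(".")
        entry = findings[svc]
        entry["users"].add(user)
        entry["bytes_up"] += int(size)
        entry["high_risk"] = svc in HIGH_RISK
    return dict(findings), skipped


def ranked(findings):
    """Order services for review: high-risk first, then by upload volume."""
    return sorted(findings,
                  key=lambda s: (not findings[s]["high_risk"],
                                 -findings[s]["bytes_up"]))


if __name__ == "__main__":
    found, bad_lines = audit(SAMPLE_LOG)
    for name in ranked(found):
        print(name, found[name])
    print("unparsed lines:", bad_lines)
```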

