CC UNIT – 4

Inter Cloud Resource Management


The “inter-cloud” or “cloud of clouds” is a theoretical model for cloud
computing services that combines numerous separate clouds into a single fluid
mass for on-demand operations. Simply put, the inter-cloud would ensure that a
cloud could utilize resources outside of its own range using existing agreements
with other cloud service providers. Any one cloud has limits to its physical
resources and its geographic reach.
Need for Inter-Cloud
Due to their physical resource limits, clouds have certain drawbacks:
 When a cloud’s computational and storage capacity is completely depleted,
it is unable to serve its customers.
 The inter-cloud addresses these circumstances by letting one cloud access
the computing, storage, or any other resource of the infrastructures of
other clouds.
Benefits of the inter-cloud environment include:
 Avoiding vendor lock-in for the cloud client
 Having access to a variety of geographical locations, as well as enhanced
application resiliency
 Better service level agreements (SLAs) for the cloud client
 Expand-on-demand as an advantage for the cloud provider
Inter-Cloud Resource Management
The processing and storage capacity of a cloud’s infrastructure could be
exhausted. By combining numerous separate clouds into a single fluid mass for
on-demand operations, the inter-cloud ensures that such a cloud could utilize
resources outside of its own range, so that requests for service allocations
received from its clients would still be met.

Types of Inter-Cloud Resource Management

1. Federation Clouds: A federation cloud is a kind of inter-cloud where
several cloud service providers willingly link their cloud infrastructures
together to exchange resources. Cloud service providers in the federation
trade resources in an open manner. With the aid of this inter-cloud
technology, private cloud portfolios, as well as government clouds (those
utilized and owned by non-profits or the government), can cooperate.
2. Multi-Cloud: In a multi-cloud, a client or service makes use of numerous
independent clouds. A multi-cloud ecosystem lacks voluntarily shared
infrastructure across cloud service providers; it is the client’s or their
agents’ obligation to manage resource supply and scheduling. This strategy is
used to draw on assets from both public and private cloud portfolios. The
kinds of multi-cloud are multi-cloud services and multi-cloud libraries.

Topologies used in Inter-Cloud Architecture

1. Peer-to-Peer Inter-Cloud Federation: Clouds work together directly, but
they may also utilize distributed entities as directories or brokers. Clouds
communicate and engage in direct negotiation without the use of
intermediaries. RESERVOIR (Resources and Services Virtualization without
Barriers Project) is a peer-to-peer federation inter-cloud project.

2. Centralized Inter-Cloud Federation: Resource sharing is carried out or
facilitated by a central body. The central entity serves as a registry for the
available cloud resources. The inter-cloud initiatives Dynamic Cloud
Collaboration (DCC) and Federated Cloud Management leverage centralized
inter-cloud federation.

3. Multi-Cloud Service: Clients use a service to access various clouds. The
cloud client hosts the service either internally or externally. The services
include broker components. The inter-cloud initiatives OPTIMIS, Contrail,
mOSAIC, STRATOS, and commercial cloud management solutions leverage
multi-cloud services.

4. Multi-Cloud Libraries: Clients use a uniform cloud API as a library to
create their own brokers. Inter-clouds that employ libraries make it easier to
use clouds consistently. The Java library jclouds, the Python library Apache
Libcloud, and the Ruby library Apache Deltacloud are a few examples of
multi-cloud libraries.

Difficulties with Inter-Cloud Research

The needs of cloud users frequently call for various resources, and those
needs are often variable and unpredictable. This creates challenging issues
with resource provisioning and application service delivery. The difficulties
in federating cloud infrastructures include the following:
 Prediction of Application Service Behaviour: It is essential that the
system be able to predict customer demands and service behaviour. It cannot
make rational decisions to dynamically scale up and down until it has the
ability to predict. Prediction and forecasting models must therefore be
constructed. Building models that accurately learn and fit statistical
functions suited to various behaviours is a difficult task, and correlating a
service’s various behaviours can be more difficult still.
 Flexible Service-Resource Mapping: Due to high operational expenses
and energy demands, it is crucial to enhance efficiency, cost-
effectiveness, and usage. A difficult process of matching services to cloud
resources results from the system’s need to calculate the appropriate
software and hardware combinations. The QoS targets must be met
simultaneously with the highest possible system utilization and efficiency
throughout the mapping of services.
 Techniques for Optimization Driven by Economic Models: An
approach to decision-making that is driven by the market and looks for the
best possible combinations of services and deployment strategies is
known as combinatorial optimization. It is necessary to create
optimization models that address both resource- and user-centered QoS
objectives.
 Integration and Interoperability: SMEs may not be able to migrate to
the cloud since they have a substantial number of on-site IT assets, such
as business applications. Due to security and privacy concerns, sensitive
data in an organization may not be moved to the cloud. In order for on-
site assets and cloud services to work together, integration and
interoperability are required. It is necessary to find solutions for the
problems of identity management, data management, and business
process orchestration.
 Monitoring System Components at Scale: In spite of the distributed
nature of the system’s components, centralized procedures are commonly used
for system management and monitoring. Managing multiple service queues and
a high volume of service requests raises issues with scalability,
performance, and reliability, making centralized approaches ineffective.
Instead, architectures based on decentralized messaging and indexing models
are required, which can be used for service monitoring and management.

Resource Allocation Methods in Cloud Computing

The allocation of resources and services from a cloud provider to a customer
is known as resource provisioning in cloud computing, sometimes called
cloud provisioning. Resource provisioning is the process of choosing,
deploying, and managing software (like load balancers and database server
management systems) and hardware resources (including CPU, storage,
and networks) to assure application performance.
To effectively utilize the resources without going against SLA and achieving
the QoS requirements, Static Provisioning/Dynamic Provisioning and
Static/Dynamic Allocation of resources must be established based on the
application needs. Resource over and under-provisioning must be prevented.
Power usage is another significant constraint. Care should be taken to
reduce power consumption and dissipation, including through VM placement,
and there should be techniques to avoid excess power consumption.
Therefore, the ultimate objective of a cloud user is to rent resources at the
lowest possible cost, while the objective of a cloud service provider is to
maximize profit by effectively distributing resources.

Importance of Cloud Provisioning:

 Scalability: Being able to actively scale up and down with fluctuations in
demand for resources is one of the major points of cloud computing.
 Speed: Users can quickly spin up multiple machines as per their usage
without the need for an IT administrator.
 Savings: The pay-as-you-go model allows for enormous cost savings for users;
it is facilitated by provisioning or removing resources according to demand.

Challenges of Cloud Provisioning:

 Complex management: Cloud providers have to use various different tools
and techniques to actively monitor the usage of resources.
 Policy enforcement: Organisations have to ensure that users are not able
to access the resources they shouldn’t.
 Cost: Due to automated provisioning, costs may go very high if attention
isn’t paid to putting proper checks in place. Alerts about reaching the cost
threshold are required.

Tools for Cloud Provisioning:

 Google Cloud Deployment Manager
 IBM Cloud Orchestrator
 AWS CloudFormation
 Microsoft Azure Resource Manager

Types of Cloud Provisioning:

 Static Provisioning or Advance Provisioning: Static provisioning can be used
successfully for applications with known and typically constant demands or
workloads. In this case, the cloud provider allots the customer a set number
of resources, which the client can thereafter utilize as required. The client
is in charge of making sure the resources aren’t overutilized. This is an
excellent choice for applications with stable and predictable needs or
workloads. For instance, a customer might want to use a database server with
a set quantity of CPU, RAM, and storage.
When a consumer contracts with a service provider for services, the supplier
makes the necessary preparations before the service can begin. Either a
one-time cost or a monthly fee is applied to the client. Resources are
pre-allocated to customers by cloud service providers. This means that before
consuming resources, a cloud user must select how much capacity they need in
a static sense. Static provisioning may result in issues with over- or
under-provisioning.
 Dynamic Provisioning or On-demand Provisioning: With dynamic provisioning,
the provider adds resources as needed and removes them when they are no
longer required. It follows a pay-per-use model, i.e. clients are billed only
for the exact resources they use: consumers pay for each use of the resources
that the cloud service provider allots to them as and when necessary. This is
also known as the pay-as-you-go model. Dynamic provisioning techniques allow
VMs to be moved on the fly to new computing nodes within the cloud in
situations where the demand from applications may change or vary. This is a
suitable choice for programs with erratic and shifting demands or workloads.
For instance, a customer might want to use a web server with a configurable
quantity of CPU, memory, and storage. In this scenario, the client can
utilize the resources as required and only pay for what is really used. The
client is in charge of ensuring that the resources are not oversubscribed;
otherwise, fees can skyrocket.
 Self-service Provisioning or User Self-provisioning: In user
self-provisioning, sometimes referred to as cloud self-service, the customer
uses a web form to acquire resources from the cloud provider, sets up a
customer account, and pays with a credit card. Shortly after, the resources
are made accessible for the consumer’s use.
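As an added illustration (not part of the course notes), the following Python simulation runs a constructed 12-hour demand trace through static (advance) provisioning and a simple reactive dynamic provisioning rule, counting over-provisioned (idle) and under-provisioned (unmet) instance-hours and raising the cost-threshold alert called for under the provisioning challenges. The demand values, per-instance price, threshold and the one-interval scaling lag are all assumptions of the example.

```python
"""Static vs. dynamic provisioning on a constructed hourly demand trace.

Added example, not from the course notes.  Demand is "instances needed"
per hour; the price and the alert threshold are constructed values.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed demand trace: instances needed in each of 12 hours.
DEMAND = [2, 2, 3, 5, 9, 12, 14, 11, 7, 4, 3, 2]
PRICE_PER_INSTANCE_HOUR = 0.10   # constructed price per instance-hour
COST_ALERT_THRESHOLD = 8.0       # constructed cost threshold that should raise an alert


@dataclass
class Outcome:
    capacity: List[int]         # instances provisioned in each hour
    cost: float                 # total cost over the trace
    over: int                   # idle instance-hours (over-provisioned, wasted spend)
    under: int                  # unmet instance-hours (under-provisioned, SLA risk)
    alert_hour: Optional[int]   # first hour at which cumulative cost crossed the threshold


def evaluate(capacity: List[int]) -> Outcome:
    """Score a capacity schedule against DEMAND and watch the cost threshold."""
    cost = 0.0
    over = under = 0
    alert_hour = None
    for hour, (cap, need) in enumerate(zip(capacity, DEMAND)):
        over += max(cap - need, 0)
        under += max(need - cap, 0)
        cost += cap * PRICE_PER_INSTANCE_HOUR
        if alert_hour is None and cost >= COST_ALERT_THRESHOLD:
            alert_hour = hour   # the alert the provisioning challenges call for
    return Outcome(capacity, round(cost, 2), over, under, alert_hour)


def static_provisioning(fixed: int) -> Outcome:
    """Advance provisioning: one capacity is chosen before any demand is seen.
    Sizing for the peak avoids SLA misses but pays for idle capacity; sizing
    near the average is cheaper but leaves demand unmet."""
    return evaluate([fixed] * len(DEMAND))


def dynamic_provisioning(min_cap: int, max_cap: int, headroom: int = 1) -> Outcome:
    """On-demand provisioning: capacity for the next hour follows the demand
    observed in the current hour plus some headroom, clamped to [min_cap, max_cap].
    The one-hour reaction lag is an assumption that models the time it takes
    to start new instances."""
    capacity = []
    current = min_cap
    for hour in range(len(DEMAND)):
        capacity.append(current)
        current = min(max(DEMAND[hour] + headroom, min_cap), max_cap)
    return evaluate(capacity)


if __name__ == "__main__":
    for label, outcome in (
        ("static, sized for peak", static_provisioning(max(DEMAND))),
        ("static, sized near average", static_provisioning(6)),
        ("dynamic, 1-hour lag", dynamic_provisioning(min_cap=2, max_cap=20)),
    ):
        print(f"{label:28} cost={outcome.cost:5.2f} idle={outcome.over:3d} "
              f"unmet={outcome.under:3d} alert_hour={outcome.alert_hour}")
```

Sizing statically for the peak never misses demand but pays for 94 idle instance-hours, while the lagging dynamic rule is cheapest yet still leaves 7 instance-hours unmet during the ramp-up, which is the over-/under-provisioning trade-off the text describes.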

Global exchange of cloud resources

Introduction

Cloud Exchange (CEx) serves as a market maker, bringing service providers and
users together. The University of Melbourne proposed it under Intercloud
architecture (Cloudbus). It supports brokering and exchanging cloud resources for
scaling applications across multiple clouds. It aggregates the infrastructure demands
from application brokers and evaluates them against the available supply. It supports
the trading of cloud services based on competitive economic models such as
commodity markets and auctions.
Entities of the Global exchange of cloud resources

Now we will talk about the various entities of the global exchange of cloud resources.

Market directory
A market directory is an extensive database of resources, providers, and participants
using the resources. Participants can use the market directory to find providers or
customers with suitable offers.

Auctioneers
Auctioneers periodically clear the bids and asks submitted by market
participants. Auctioneers sit between providers and customers and grant the
resources available in the global exchange of cloud resources to the
highest-bidding customer.

Brokers
Brokers mediate between consumers and providers by buying capacity from the
provider and sub-leasing these to the consumers. They must select consumers
whose apps will provide the most utility. Brokers may also communicate with
resource providers and other brokers to acquire or trade resource shares. To make
decisions, these brokers are equipped with a negotiating module informed by the
present conditions of the resources and the current demand.

Service-level Agreements (SLAs)

The service level agreement (SLA) sets out the details of the service to be
provided in terms of metrics that have been agreed upon by all parties, as well
as penalties for failing to meet the expectations.

The consumer participates in the utility market via a resource management proxy
that chooses a set of brokers based on their offerings. SLAs are formed between
the consumer and the brokers, which bind the latter to offer the guaranteed
resources. After that, the customer either runs their environment on the leased
resources or uses the provider's interfaces to scale their applications.

Providers
A provider has a price-setting mechanism that determines the current price for
their resources based on market conditions, user demand, and the current degree
of utilization of the resource.

Based on an initial estimate of utility, an admission-control mechanism at the
provider's end selects the auctions to participate in or the brokers to
negotiate with.

Resource management system


The resource management system provides functionalities such as advance
reservations that enable guaranteed provisioning of resource capacity.
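As an added worked example (not from the notes or the Cloudbus project), the following Python code models three of the entities above: providers with a utilization-driven price-setting rule, brokers' bids on behalf of consumers, and an auctioneer that clears bids against asks, giving available capacity to the highest bidders first. The linear pricing rule, the capacities and the bid values are constructed assumptions.

```python
"""Cloud Exchange sketch: providers price by utilization, brokers bid,
an auctioneer clears.  Added example; the pricing rule and all numbers
are constructed assumptions, not the Cloudbus design."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Provider:
    name: str
    base_price: float   # price per unit when idle (constructed)
    capacity: int       # total units the provider can lease
    in_use: int = 0     # units already allocated

    def utilization(self) -> float:
        return self.in_use / self.capacity

    def ask_price(self) -> float:
        """Price-setting mechanism.  Assumed rule: the ask rises linearly with
        utilization, so a busy provider asks more than an idle one."""
        return round(self.base_price * (1 + self.utilization()), 4)

    def free_units(self) -> int:
        return self.capacity - self.in_use


@dataclass
class Bid:
    broker: str
    units: int
    max_price: float    # most the broker will pay per unit for its consumers


@dataclass
class Allocation:
    broker: str
    provider: str
    units: int
    price: float


def clear_auction(providers: List[Provider], bids: List[Bid]
                  ) -> Tuple[List[Allocation], Dict[str, int]]:
    """Auctioneer: serve the highest bids first, each from the cheapest provider
    whose current ask is within the bid.  A fill raises that provider's
    utilization (and therefore its ask), so later bids see the new price.
    Returns the allocations and, per broker, the units that could not be filled."""
    allocations: List[Allocation] = []
    unfilled: Dict[str, int] = {}
    for bid in sorted(bids, key=lambda b: b.max_price, reverse=True):
        remaining = bid.units
        while remaining > 0:
            candidates = [p for p in providers
                          if p.free_units() > 0 and p.ask_price() <= bid.max_price]
            if not candidates:
                break
            cheapest = min(candidates, key=lambda p: p.ask_price())
            units = min(remaining, cheapest.free_units())
            allocations.append(Allocation(bid.broker, cheapest.name, units,
                                          cheapest.ask_price()))
            cheapest.in_use += units
            remaining -= units
        if remaining:
            unfilled[bid.broker] = remaining
    return allocations, unfilled


def run_example() -> Tuple[List[Allocation], Dict[str, int]]:
    """Constructed market: three providers (C is already full) and three brokers."""
    providers = [
        Provider("A", base_price=0.10, capacity=10, in_use=5),
        Provider("B", base_price=0.12, capacity=20, in_use=2),
        Provider("C", base_price=0.08, capacity=4, in_use=4),
    ]
    bids = [
        Bid("X", units=6, max_price=0.16),
        Bid("Y", units=10, max_price=0.20),
        Bid("Z", units=3, max_price=0.10),
    ]
    return clear_auction(providers, bids)


if __name__ == "__main__":
    allocations, unfilled = run_example()
    for a in allocations:
        print(f"broker {a.broker} gets {a.units} units from {a.provider} at {a.price}")
    print("unfilled:", unfilled)
```

Broker Y's higher bid is filled first from the cheapest provider B, which pushes B's ask above what broker X will pay, so X is partly served by A and broker Z, bidding below every ask, gets nothing.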
Definition of cloud security
Cloud security, also known as cloud computing security, is a collection of security
measures designed to protect cloud-based infrastructure, applications, and data.
These measures ensure user and device authentication, data and resource access
control, and data privacy protection. They also support regulatory data compliance.
Cloud security is employed in cloud environments to protect a company's data from
distributed denial of service (DDoS) attacks, malware, hackers, and unauthorized
user access or use.

Security Issues in Cloud Computing

Need for Cloud Computing:

Before cloud computing, most IT companies, large and small, used traditional
methods: they stored data on servers and needed a separate server room for
them. That server room would hold database servers, mail servers, firewalls,
routers, modems, high-speed networking devices, and so on, and IT companies had
to spend a great deal of money on it. Cloud computing came into existence to
reduce all of these cost problems, and most companies have shifted to this
technology.

Security Issues in Cloud Computing:

There is no doubt that cloud computing provides various advantages, but there
are also some security issues in cloud computing. Some of the security issues
in cloud computing are as follows.

Data Loss –
Data loss is one of the issues faced in cloud computing. It is also known as
data leakage. Our sensitive data is in the hands of somebody else, and we do
not have full control over our database. So, if the security of the cloud
service is broken by hackers, it may be possible that hackers will get access
to our sensitive data or personal files.

Interference of Hackers and Insecure APIs –

When we talk about the cloud and its services, we are talking about the
Internet, and the easiest way to communicate with the cloud is through APIs.
It is therefore important to protect the interfaces and APIs used by external
users. In cloud computing, a few services are also available in the public
domain; these are a vulnerable part of cloud computing because it may be
possible for third parties to access them, and with the help of these services
hackers may be able to harm our data.

User Account Hijacking –
Account hijacking is the most serious security issue in cloud computing. If
the account of a user or an organization is somehow hijacked by a hacker, the
hacker has full authority to perform unauthorized activities.

Changing Service Provider –

Vendor lock-in is also an important security issue in cloud computing. Many
organizations face different problems while shifting from one vendor to
another. For example, if an organization wants to shift from AWS to Google
Cloud, it faces problems such as migrating all of its data; the two cloud
services also have different techniques and functions, which cause further
problems; and the charges of AWS may differ from those of Google Cloud.

Lack of Skill –
Day-to-day work, shifting to another service provider, needing an extra
feature, learning how to use a feature, and so on are the main problems faced
by an IT company that does not have skilled employees. Working with cloud
computing therefore requires skilled staff.

Denial of Service (DoS) attack –

This type of attack occurs when the system receives too much traffic. DoS
attacks mostly occur in large organizations such as the banking sector, the
government sector, etc. When a DoS attack occurs, data is lost, and recovering
it requires a great amount of money as well as time.

What is SaaS Security?

SaaS security is the managing, monitoring, and safeguarding of sensitive data
from cyber-attacks. With the increase in efficiency and scalability of
cloud-based IT infrastructures, organizations are also more vulnerable.

SaaS maintenance measures such as SaaS security posture management ensure the
privacy and safety of user data. From customer payment information to
inter-departmental exchange of information, strengthening the security of SaaS
applications is vital to your success.

To help this cause, regulatory bodies worldwide have issued security
guidelines such as the GDPR (General Data Protection Regulation of the EU) and
the EU-US and Swiss-US Privacy Shield Frameworks. Every SaaS business must
adopt these guidelines to offer safe and secure services. Whether you are
starting anew or adding an aspect to your IT arsenal, SaaS security is
essential for successful ventures.

Who needs SaaS Security?

Do you cater to a sizeable market?

Do you deal with hundreds of concurrent sessions?

Are these sessions run by thousands of users every day?

If your answer to the above questions is yes, SaaS security is a must for
you. Moreover, if you relate to the following statements, you need to have a
SaaS security system in place on the double!

 I wish to eliminate the legacy IT infrastructure. It gets outdated faster
than we can adapt to it. However, I am worried about data privacy.
 I am sure that SaaS and cloud-based technologies are the future, but how
does one ensure that there are no data breaches?
 It is high time that we employ cloud-based products and services. The
competition is killing us in the market. But how will we secure user data
without physical servers?

Whether you’re an established business or an upcoming start-up, safeguarding
user data proves to be very helpful in attracting, engaging, and retaining
customers. Hyper-competitive markets of today leave no space for error. A
single data breach can be the cause of your SaaS business being blacklisted in
the minds of consumers forever.

The Anatomy of SaaS Security

Every organization offering a cloud-based service can leverage preventive
measures such as SaaS security posture management to continuously monitor and
protect sensitive information.

Let us understand the anatomy of SaaS security in cloud computing
environments. If we look at an ideal SaaS product technology stack from a
bird’s eye view, it forms a three-layer cake where each part represents a
different environment.
Three layers of SaaS security:

 Infrastructure (server-side)
 Network (the internet)
 Application and Software (client-side)

Infrastructure

The server-side of your technology stack refers to the internal exchange of
information. For instance, if your SaaS business is using AWS, you must secure
every point of information exchange between the cloud storage provider and
your software platform.

Every IoP initiated from the client-side starts at this level. Moreover,
depending upon the kind of storage you purchase (shared, dedicated, or
individual server), you must enhance your SaaS security measures accordingly.

Network

The exchange of information between the server-side and client-side is done
over the internet. This is by far the most vulnerable layer of every SaaS
business. Hackers are well versed in finding back-doors through weak
encryption of data packets exchanged over the internet.
The effectiveness of SaaS security is directly proportional to the integrity
of data encryption methods and the ability to monitor information exchange
over the internet in real time. With the advent of digital payments and online
KYC, businesses are constantly sending and receiving sensitive information.
Hence it becomes even more important to install network security measures.

Application and Software

Application and software form the final layer of SaaS security. As mentioned
above, a single data breach could very well be the cause of unparalleled user
attrition. Therefore, to ensure the safety of user data, we must deploy
impenetrable SaaS security measures.

We must ensure that all the third-party applications and software that you use
are continuously monitored. Further, the unpredictability of the client-side
environment demands higher standards of security measures than conventional
methods.

SaaS Security Best Practices for Secure Products

The competition in every market is such that companies must necessarily
evolve and introduce new features/tools in existing SaaS products. Whether you
are removing bugs or adding new features, it is crucial to have security
processes for such events. Let’s take a look at SaaS security best practices
that you can follow for your organization:

Encryption is a must

Data encryption ensures that every piece of information is protected from
cyberattacks at all times. From internal communication to customer service
conversations, your data must be encrypted at all times. Here are a few
encryption types that you can employ in your SaaS product:

 Data Encryption Standard (DES)
 Triple DES
 RSA
 Advanced Encryption Standard (AES)
 Twofish
All of these encryption types enhance the security of your SaaS products
through their innate mathematically secure algorithms made by the brightest
minds in data encryption.

Back-up User Data in Multiple Locations

Effective customer data management is essential for offering satisfactory
services. Backing up user data in multiple locations, i.e., disaster recovery,
ensures that one system’s failure does not compromise the ability of the
entire infrastructure. Many cloud platforms offer backup functionality.
However, you must be diligent with timely backups.

Customer Education

A Gartner report suggests that over 95% of all cloud security failures will
happen from the consumer end. When onboarding a new user, it is essential to
educate them about the best practices for data safety. Ensure that your
customers know the standard operating procedures of your SaaS platforms.
Vigilant subscribers will serve as additional security layers for your
organization.

Compulsory Strong Passwords

The virtual world is all about passwords; from email to banking, passwords
primarily protect everything. Hackers these days are becoming intelligent at
cracking passwords based on the public information available on the internet.
Therefore, you must have strong password policies that ensure users set strong
passwords that cannot be cracked easily.
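One way to enforce such a policy, as an added example rather than anything from the original text: a Python check that rejects short passwords, passwords built from a constructed common-password list (including leetspeak and trailing-digit variants), and passwords containing the user's own publicly known details (name, email local part, employer, birth year). The user profile and the common-password list are constructed for the example.

```python
"""Password policy check: length, character mix, common-password variants,
and the user's own public information.  Added example; the profile and
the common-password list are constructed."""
import re
from dataclasses import dataclass
from typing import List, Set

# Constructed stand-in for a breached/common password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}

# Leetspeak substitutions that cracking wordlist rules routinely undo.
LEET = str.maketrans("@$013!", "asoiei")


@dataclass
class UserProfile:
    """Details an attacker can usually find in public (constructed fields)."""
    name: str
    email: str
    company: str
    birth_year: str


def public_tokens(profile: UserProfile) -> Set[str]:
    """Words a guess list would be seeded with: name parts, the email
    local part, the employer's name and the birth year."""
    text = f"{profile.name} {profile.email.split('@')[0]} {profile.company}"
    tokens = {part.lower() for part in re.split(r"[\s._-]+", text) if len(part) >= 3}
    tokens.add(profile.birth_year)
    return tokens


def variants(password: str) -> Set[str]:
    """Forms a cracking rule set would try: lowercase, trailing digits dropped,
    leetspeak undone, and both together."""
    low = password.lower()
    base = re.sub(r"\d+$", "", low)          # "password2024" -> "password"
    return {low, base, low.translate(LEET), base.translate(LEET)}


def check_password(password: str, profile: UserProfile, min_len: int = 12) -> List[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems: List[str] = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    if classes < 3:
        problems.append("uses fewer than 3 character classes")
    forms = variants(password)
    if forms & COMMON_PASSWORDS:
        problems.append("is a common password or a trivial variant of one")
    for token in sorted(public_tokens(profile)):
        if any(token in form for form in forms):
            problems.append(f"contains public information: {token!r}")
    return problems


if __name__ == "__main__":
    user = UserProfile("Priya Sharma", "priya.sharma@acmecloud.example",
                       "AcmeCloud", "1995")
    for candidate in ("Sharma@1995", "P@ssw0rd2024", "correct-horse-Battery-7"):
        print(candidate, "->", check_password(candidate, user) or "accepted")
```

Note that "P@ssw0rd2024" passes the length and character-class rules yet is still rejected, because the variant check reduces it to "password"; character-class rules alone do not catch what the text calls cracking from public information.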

Consult a SaaS Security Firm

When in doubt, consult an expert. SaaS security firms such as Cloudlytics
employ the brightest minds in data encryption, software monitoring, and
AI-based vigilance. You can leverage our testing protocols and monitoring
systems to build a safe and secure SaaS platform.
How can Cloudlytics help?

Cloudlytics is a cloud-driven security provider for modern enterprises that
offers compliance solutions, security analytics, and asset monitoring. Over
the years, we have had the good fortune of working with enterprises from
various industries such as OTT platforms. We offer an extensive range of
future-proof SaaS security solutions such as:

Compliance Manager

An all-inclusive compliance manager maintains an unwavering security posture
by identifying, prioritizing, and remediating compliance issues. The platform
offers actionable insights on the well-being of your SaaS platform and user
information.

Event Analytics

Driven by machine learning and big-data analysis, event analytics solutions
from Cloudlytics present a secure environment for developing resolute
applications of the future.

AWS Architecture Review

AWS architecture review offers a detailed analysis of your AWS environment. It
employs a structured framework for testing the operational excellence,
security, cost optimization, and performance of your hosting environment.

Cloud Intelligence Engine

Record resource configurations and capture changes with cloud intelligence
engines. The SMART engine helps organizations retain configurations long after
the resources have been deleted.

These are a few of the many ways that Cloudlytics can help you build SaaS
security measures for successful future platforms. We are passionate about
security because we believe that the world would be a better place if our
data is secure against the malicious forces of the internet.
Let’s build impenetrable SaaS platforms that offer safety and security to
their users. Get in touch to know more about Cloudlytics SaaS security
products and services.

Cloud Governance and Its Need

Cloud Governance:
 It is the set of policies or principles that act as guidance for the
adoption, use, and management of cloud technology services.
 It is an ongoing process that must sit on top of existing governance
models.
 It is a set of rules you create, monitor, and amend as necessary in order
to control costs, improve efficiency, and eliminate security risks.
Need for Cloud Governance:
By implementing cloud governance, organizations can avoid the following
issues.
1. Security and privacy risks:
 This issue may arise due to unauthorized downloads/installation of
software, storage of illegal data, and access to restricted sites by users.
 Cloud governance solutions cover multiple cloud security components, for
example encryption, security groups, audit trails, application access rules,
and access controls.

2. Vendor lock-in:
 Many vendors opt for this, as this clause causes organizations to depend
on the cloud service provider (or vendor) for products and services.
 This can be avoided by making suitable changes to the SLA and reducing
dependencies on a single vendor, thus ensuring freedom for the organization.

3. Cloud Sprawl:
 This happens when employees of different departments use different
programs and cloud infrastructure from third-party providers without
involving the IT department and getting the necessary approvals.
 If not detected and restricted, cloud sprawl may lead to fragmented,
redundant, inefficient, and unmanaged cloud programs sitting on the
enterprise cloud and unnecessarily creating trouble.

4. Shadow IT and unwarranted usage of cloud resources:
 This happens when employees in various departments do not follow the
rules and regulations imposed by the IT department on cloud usage, resulting
in security breaches and fragmented control throughout the organization.
 This leads to not getting sufficient results from the cloud in the long run.

5. Lack of data portability and interoperability:
 This happens when the cloud service provider or the in-built cloud
infrastructure is incapable of connecting well with other software and
products outside the organization.
 This may also lead to modules that are not compatible with each other and
hence chaos in the cloud due to an inefficient system.

Virtual Machine Security in Cloud


The term “Virtualized Security,” sometimes known as “security
virtualization,” describes security solutions that are software-based and
created to operate in a virtualized IT environment. This is distinct from
conventional hardware-based network security, which is static and is
supported by equipment like conventional switches, routers, and firewalls.
Virtualized security is flexible and adaptive, in contrast to hardware-based
security. It can be deployed anywhere on the network and is frequently
cloud-based so it is not bound to a specific device.
In Cloud Computing, where operators construct workloads and applications
on-demand, virtualized security enables security services and functions to
move around with those on-demand-created workloads. This is crucial for
virtual machine security. It’s crucial to protect virtualized security in cloud
computing technologies such as isolating multitenant setups in public cloud
settings. Because data and workloads move around a complex ecosystem
including several providers, virtualized security’s flexibility is useful for
securing hybrid and multi-cloud settings.

Types of Hypervisors

Type-1 Hypervisors

A type-1 hypervisor runs on bare-metal systems. Examples of type-1 hypervisors
include LynxSecure, RTS Hypervisor, Oracle VM, Sun xVM Server, and VirtualLogix
VLX. Since they are installed directly on bare systems, type-1 hypervisors do
not have any host operating system.

Type-2 Hypervisor

A type-2 hypervisor is a software interface that simulates the hardware that a
system typically communicates with. Examples of type-2 hypervisors include
containers, KVM, Microsoft Hyper-V, VMware Fusion, Virtual Server 2005 R2,
Windows Virtual PC, and VMware Workstation 6.0.

Type I Virtualization

In this design, the Virtual Machine Monitor (VMM) sits directly above the
hardware and mediates all interactions between the VMs and the hardware. On
top of the VMM is a management VM that handles the other guest VMs and the
majority of the hardware connections. The Xen system is a common illustration
of this kind of virtualization design.

Type II Virtualization

Architectures of this kind, such as VMware Player, allow the VMM to run as an
application within the host operating system (OS). I/O drivers and guest VM
management are the responsibilities of the host OS.
Service Provider Security
The system’s virtualization hardware shouldn’t be physically accessible to
anyone not authorized. Each VM can be given an access control that can
only be established through the Hypervisor in order to safeguard it against
unwanted access by Cloud administrators. The three fundamental tenets of
access control, identity, authentication, and authorization, will prevent
unauthorized data and system components from being accessed by
administrators.
Hypervisor Security
The hypervisor's code integrity is protected by a technology called HyperSafe.
It extends the hypervisor implementation to lock down write-protected memory
pages and so prohibits changes to the hypervisor code. By restricting access
to its code, it defends the hypervisor from control-flow hijacking attacks. A
VM escape attack can only be carried out from a local physical setting;
therefore, insider attacks must be prevented in the physical cloud
environment. Additionally, the host OS and the interaction between the guest
machines need to be configured properly.
Virtual Machine Security
The administrator must set up a program or application that prevents virtual
machines from consuming additional resources without permission.
Additionally, a lightweight process that gathers logs from the VMs and
monitors them in real time to detect and repair any VM tampering must run on
a virtual machine. Security best practices must be used to harden the guest
OS and any running applications. These practices include setting up
firewalls, host intrusion prevention systems (HIPS), anti-virus and
anti-spyware programs, web application protection, and log monitoring in
guest operating systems.
Guest Image Security
Organizations that use virtualization must have a policy in place to control
the creation, use, storage, and deletion of images. Image files must be
analyzed to find viruses, worms, spyware, and rootkits that hide from
security software running inside a guest OS.
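The log-gathering monitor described under Virtual Machine Security and the image analysis required here share one idea: check the guest from outside it, where a rootkit inside the guest cannot hide. As an added example (not from the original notes), this Python script records a sealed manifest of SHA-256 digests for approved image files and later reports images that were modified, deleted or added; the key, file names and image bytes are constructed for the demo.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

MANIFEST_KEY = b"constructed-demo-key-not-for-production"  # hypothetical key


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _seal(digests):
    body = json.dumps(digests, sort_keys=True).encode()
    return hmac.new(MANIFEST_KEY, body, "sha256").hexdigest()


def build_manifest(image_dir):
    """Digest per approved image, sealed with an HMAC so an attacker who alters
    an image cannot simply rewrite the manifest to match."""
    digests = {p.name: sha256_file(p) for p in sorted(Path(image_dir).iterdir())}
    return {"images": digests, "mac": _seal(digests)}


def verify_images(image_dir, manifest):
    """Map each image to ok / modified / missing / unexpected; raise ValueError
    when the manifest itself fails its MAC (a tampered manifest)."""
    if not hmac.compare_digest(_seal(manifest["images"]), manifest["mac"]):
        raise ValueError("manifest MAC mismatch: manifest was tampered with")
    present = {p.name for p in Path(image_dir).iterdir()}
    status = {}
    for name, digest in manifest["images"].items():
        if name not in present:
            status[name] = "missing"
        else:
            actual = sha256_file(Path(image_dir, name))
            status[name] = "ok" if actual == digest else "modified"
    for name in present - set(manifest["images"]):
        status[name] = "unexpected"  # image not covered by the image policy
    return status


def demo():
    """Constructed scenario: two approved images; then one is altered, one is
    deleted, an unapproved image appears, and finally the manifest is edited."""
    with tempfile.TemporaryDirectory() as d:
        web, db, rogue = (Path(d, n) for n in ("web.qcow2", "db.qcow2", "rogue.qcow2"))
        web.write_bytes(b"constructed image bytes for web")
        db.write_bytes(b"constructed image bytes for db")
        manifest = build_manifest(d)
        before = verify_images(d, manifest)
        web.write_bytes(web.read_bytes() + b"bytes standing in for a tampered image")
        db.unlink()
        rogue.write_bytes(b"unapproved image")
        after = verify_images(d, manifest)
        # Attacker edits the manifest to match the altered image: the MAC no longer fits.
        manifest["images"]["web.qcow2"] = sha256_file(web)
        try:
            verify_images(d, manifest)
            manifest_tamper_caught = False
        except ValueError:
            manifest_tamper_caught = True
    return before, after, manifest_tamper_caught
```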
Benefits of Virtualized Security
Virtualized security is now practically required to meet the intricate security
requirements of a virtualized network, and it is also more adaptable and
effective than traditional physical security.
 Cost-Effectiveness: Cloud computing’s virtual machine security enables
businesses to keep their networks secure without having to significantly
raise their expenditures on pricey proprietary hardware. Usage-based
pricing for cloud-based virtualized security services can result in
significant savings for businesses that manage their resources effectively.
 Flexibility: It is essential in a virtualized environment that security
operations can follow workloads wherever they go. A company is able to
profit fully from virtualization while simultaneously maintaining data
security thanks to the protection it offers across various data centers, in
multi-cloud, and hybrid-cloud environments.
 Operational Efficiency: Virtualized security can be deployed more
quickly and easily than hardware-based security because it does not
require IT teams to set up and configure several hardware appliances.
Instead, they can quickly scale security systems by setting them up through
centralized software. Security-related duties can be automated when
security technology is used, which frees up more time for IT employees.
 Regulatory Compliance: Virtual machine security in cloud computing is
a requirement for enterprises that need to maintain regulatory compliance
because traditional hardware-based security is static and unable to keep
up with the demands of a virtualized network.
Virtualization Machine Security Challenges
 As we previously covered, buffer overflows are a common component of
classical network attacks. Trojan horses, worms, spyware, rootkits,
and DoS attacks are examples of malware.
 In a cloud context, more recent assaults might be caused via VM rootkits,
hypervisor malware, or guest hopping and hijacking. Man-in-the-middle
attacks against VM migrations are another form of attack. Typically,
passwords or sensitive information are stolen during passive attacks.
Active attacks could alter the kernel’s data structures, seriously harming
cloud servers.
 IDSs come in two types, HIDS and NIDS. Program shepherding can be used to
supervise and check the execution of code. The RIO dynamic optimization
infrastructure, the vSafe and vShield tools from VMware, security compliance
for hypervisors, and Intel vPro technology are some further protective
solutions.
Four Steps to ensure VM Security in Cloud Computing

Protect Hosted Elements by Segregation

To secure virtual machines in cloud computing, the first step is to segregate
the newly hosted components. Take an example where three features that are
now running on an edge device may be placed in the cloud either as part of a
private subnetwork that is invisible or as part of the service data plane,
with addresses that are accessible to network users.

All Components are Tested and Reviewed

Before allowing virtual features and functions to be implemented, you must
confirm that they comply with security standards as step two of cloud-virtual
security. Virtual networking is subject to outside attacks, which can be
dangerous, but insider attacks can be disastrous. When a feature with a
backdoor security flaw is added to a service, it becomes a part of the
infrastructure of the service and is far more likely to have unprotected
attack paths to other infrastructure pieces.

Separate Management APIs to Protect the Network

The third step is to isolate service from infrastructure management and
orchestration. Because they are created to regulate features, functions, and
service behaviors, management APIs will always pose a significant risk. All
such APIs should be protected, but the ones that control infrastructure
components that service users should never access must be protected above
all.

Keep Connections Secure and Separate

The fourth and last aspect of cloud virtual network security is to make sure
that connections between tenants or services do not cross over into virtual
networks. Virtual Networking is a fantastic approach to building quick
connections to scaled or redeployed features, but each time a
modification is made to the virtual network, it’s possible that an accidental
connection will be made between two distinct services, tenants, or
feature/function deployments. A data plane leak, a link between the actual
user networks, or a management or control leak could result from this,
allowing one user to affect the service provided to another.
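The four steps above can be checked mechanically against a virtual network inventory. As an added example (not from the original notes), this Python audit runs three such checks over a constructed inventory with hypothetical tenants, CIDRs and links: overlapping address ranges between tenants and direct links between different tenants (step four), and tenant networks linked to the infrastructure management network (step three).

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class VirtualNetwork:
    name: str
    tenant: str                 # owning tenant, or "infra" for management/orchestration
    cidr: str
    peers: set = field(default_factory=set)   # names of networks this one is linked to


# Constructed inventory (hypothetical names and addresses): two tenants plus the
# infrastructure management network. The last two entries deliberately break the rules.
INVENTORY = [
    VirtualNetwork("tenant-a-app", "tenant-a", "10.1.0.0/24", {"tenant-a-db"}),
    VirtualNetwork("tenant-a-db", "tenant-a", "10.1.1.0/24", {"tenant-a-app"}),
    VirtualNetwork("tenant-b-app", "tenant-b", "10.1.1.0/25", {"tenant-a-db"}),
    VirtualNetwork("mgmt-api", "infra", "192.168.100.0/24", {"tenant-b-app"}),
]


def audit_isolation(nets):
    """Return a sorted list of (rule, network, other) findings.

    overlap     - step 4: CIDRs shared by different tenants; an address clash can
                  silently route one tenant's traffic into another's network.
    cross_peer  - step 4: a link between networks of different tenants is exactly
                  the accidental tenant-to-tenant connection the notes warn about.
    mgmt_reach  - step 3: a tenant network linked to the infrastructure management
                  network exposes management APIs that service users must not reach.
    """
    by_name = {n.name: n for n in nets}
    findings = set()
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.tenant != b.tenant and ipaddress.ip_network(a.cidr).overlaps(
                    ipaddress.ip_network(b.cidr)):
                findings.add(("overlap", a.name, b.name))
    for n in nets:
        for peer_name in n.peers:
            peer = by_name.get(peer_name)
            if peer is None or peer.tenant == n.tenant:
                continue
            pair = tuple(sorted((n.name, peer_name)))   # dedupe links listed on both ends
            if "infra" in (n.tenant, peer.tenant):
                findings.add(("mgmt_reach",) + pair)
            else:
                findings.add(("cross_peer",) + pair)
    return sorted(findings)


if __name__ == "__main__":
    for rule, left, right in audit_isolation(INVENTORY):
        print(f"{rule:10s} {left} <-> {right}")
```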

Identity and Access Management (IAM)
In a recent study by Verizon, 63% of confirmed data breaches were due to
weak, stolen, or default passwords. There is a saying in the cybersecurity
world: "No matter how good your chain is, it's only as strong as its weakest
link," and that is exactly how attackers operate: they use the weakest links
in an organization to infiltrate it. They usually use phishing attacks, and
if they get at least one person to fall for one, events take a serious turn
from there on. They use the stolen credentials to plant back doors, install
malware, or exfiltrate confidential data, all of which cause serious losses
for an organization. Identity and Access Management (IAM) is therefore a
combination of policies and technologies that allows organizations to
identify users and grant the right form of access as and when required.
There has been a burst of new applications on the market, and the need for
organizations to use these applications has increased drastically. The
services and resources a user may access can be specified in IAM. IAM does
not provide any replica or backup. IAM can be used for many purposes, such
as controlling individual and group access to your AWS resources. With IAM
policies, managing permissions for your workforce and systems to ensure
least-privilege permissions becomes easier. AWS IAM is a global service.
Components of IAM
 Users
 Roles
 Groups
 Policies
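The components listed above combine when a request is evaluated: policies attached to the user, to the user's groups (or to an assumed role) are merged, everything is denied by default, a matching Allow grants, and an explicit Deny overrides any Allow. As an added example (not AWS's own code or documentation), this Python evaluator applies those core rules to constructed policy documents for a hypothetical user and group; it deliberately omits conditions, resource policies and permission boundaries.

```python
from fnmatch import fnmatchcase

# Constructed policy documents in the shape of an AWS IAM policy (hypothetical ARNs).
DEVELOPERS_GROUP_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:ListBucket"],
     "Resource": "arn:aws:s3:::example-app-bucket/*"},
]}
CONTRACTOR_USER_POLICY = {"Statement": [
    {"Effect": "Deny", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-app-bucket/secrets/*"},
]}
GROUP_POLICIES = {"developers": [DEVELOPERS_GROUP_POLICY]}

# Constructed principal: a user who is a member of one group and carries one
# directly attached policy. A role is evaluated the same way, with the policies
# attached to the role standing in for "attached".
CONTRACTOR = {"user": "contractor-1", "groups": ["developers"],
              "attached": [CONTRACTOR_USER_POLICY]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action, resource):
    """IAM wildcards (* and ?) apply to both the Action and the Resource strings."""
    return (any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])))


def is_allowed(principal, action, resource):
    """Core evaluation rules: everything is implicitly denied; a matching Allow
    in any attached or group policy grants; an explicit Deny anywhere wins."""
    policies = list(principal["attached"])
    for group in principal["groups"]:
        policies.extend(GROUP_POLICIES.get(group, []))
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_matches(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return False          # explicit deny overrides every allow
            allowed = True
    return allowed


def effective_actions(principal, candidate_actions, resource):
    """Least-privilege review aid: which of the candidate actions can this
    principal actually perform on the resource?"""
    return sorted(a for a in candidate_actions if is_allowed(principal, a, resource))


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-app-bucket/public/readme.txt"
    print(effective_actions(CONTRACTOR, ["s3:GetObject", "s3:PutObject",
                                         "s3:ListBucket", "s3:DeleteObject"], obj))
```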
The new applications being created in the cloud, on mobile, and on-premises
can hold sensitive and regulated information. It is no longer acceptable or
feasible to just create an identity server and grant access based on
requests. Today an organization should be able to track the flow of
information and provide least-privileged access as and when required; with a
large workforce and new applications being added every day, this becomes
quite difficult to do. So organizations specifically concentrate on managing
identity and its access with the help of a few IAM tools. It is very
difficult for a single tool to manage everything, but there are multiple IAM
tools on the market that help organizations with some of the services listed
below.
Services By IAM

 Identity management
 Access management
 Federation
 RBAC/EM
 Multi-Factor authentication
 Access governance
 Customer IAM
 API Security
 IDaaS – Identity as a service
 Granular permissions
 Privileged Identity management – PIM (PAM or PIM is the same)

Figure – Services under IAM


More About the Services: Looking briefly at the services, identity
management is purely responsible for managing the identity lifecycle. Access
management is responsible for access to resources; access governance is
responsible for access request grants and audits. PIM or PAM is responsible
for managing all privileged access to resources. The remaining services
either support these services or increase their productivity.
Market for IAM: In the current market there are three market leaders (Okta,
SailPoint and CyberArk), each of which leads one of the three domains
(identity management, identity governance and privileged access management),
according to Gartner and Forrester reports. These companies have developed
solutions, and are still developing new ones, that allow an organization to
manage identity and its access securely without hindering the workflow.
Other IAM tools include BeyondTrust, Ping, OneLogin, Centrify, Azure Active
Directory, Oracle Identity Cloud Services and many more.
Cloud Security Standards
Cloud-based services are now a crucial component of many businesses, with
technology providers adhering to strict privacy and data security guidelines
to protect the privacy of user information. Cloud security standards assist
and guide organizations in ensuring secure cloud operations.
What are Cloud Security Standards?
It was essential to establish guidelines for how work is done in the cloud due
to the different security dangers facing the cloud. They offer a thorough
framework for how cloud security is upheld with regard to both the user and
the service provider.
 Cloud security standards provide a roadmap for businesses transitioning
from a traditional approach to a cloud-based approach by providing the
right tools, configurations, and policies required for security in cloud
usage.
 It helps to devise an effective security strategy for the organization.
 It also supports organizational goals like privacy, portability, security, and
interoperability.
 Certification with cloud security standards increases trust and gives
businesses a competitive edge.
Need for Cloud Security Standards
 Ensure cloud computing is an appropriate environment: Organizations need
to make sure that cloud computing is the appropriate environment for their
applications, as security and mitigating risk are the major concerns.
 To ensure that sensitive data is safe in the cloud: Organizations need
a way to make sure that the sensitive data is safe in the cloud while
remaining compliant with standards and regulations.
 No existing clear standard: Cloud security standards are essential because
earlier there were no clear standards defining what constitutes a secure
cloud environment, which made it difficult for cloud providers and cloud
users to define what needs to be done to ensure a secure environment.
 Need for a framework that addresses all aspects of cloud
security: There is a need for businesses to adopt a
Lack of Cloud Security Standards
 Because of the lack of adequate cloud security standards, enterprises and
CSPs have had to fumble, relying on an endless variety of auditing needs,
regulatory requirements, industry mandates, and data center standards for
direction on protecting their cloud environments.
 Because of this, the Cloud Security Alliance is more difficult to understand
than it first appears, and its fragmented strategy does not meet the criteria
for “excellent security”.
Best Practices For Cloud Security

1. Secure Access to the Cloud


Although the majority of cloud service providers have their own ways of
safeguarding the infrastructure of their clients, you are still in charge of
protecting the cloud user accounts and access to sensitive data for your
company. Consider improving password management in your organization to
lower the risk of account compromise and credential theft.
Adding password policies to your cybersecurity program is a good place to
start. Describe the cybersecurity practices you demand from your staff, such
as using unique, complex passwords for each account and routine password
rotation.

2. Control User Access Rights

Some businesses give employees immediate access to a wide range of systems
and data in order to make sure they can carry out their tasks effectively.
For cybercriminals, these individuals' accounts are a veritable gold mine
because compromising them can make it simpler to gain access to crucial
cloud infrastructure and elevate privileges. Your company can periodically
review and revoke user rights to prevent this.

3. Transparency and Employee Monitoring

You can use specialized solutions to keep an eye on the behavior of your
staff in order to promote transparency in your cloud infrastructure. You can
spot the earliest indications of a cloud account compromise or an insider
threat by keeping an eye on what your employees are doing while they are at
work. Imagine your cybersecurity experts discover a user accessing your
cloud infrastructure from a strange IP address or outside of normal business
hours. In that situation, they’ll be able to respond to such odd activity
promptly because it suggests that a breach may be imminent.
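The two signals named in this step, an unfamiliar IP address and activity outside normal business hours, can be checked directly against sign-in records. As an added example (not from the original notes), this Python script flags and ranks such events over constructed sign-in records; the trusted address ranges, time zone, business hours, users and timestamps are all assumptions made for the demo.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Hypothetical trusted egress ranges (office and VPN) for this organisation.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),
                    ipaddress.ip_network("198.51.100.0/25")]
LOCAL_TZ = timezone(timedelta(hours=-5))   # the organisation's local time zone
BUSINESS_HOURS = range(8, 19)              # 08:00-18:59 local time counts as normal

# Constructed console sign-in events in a CloudTrail-like shape (timestamps are UTC).
EVENTS = [
    {"time": "2024-03-04T14:05:00Z", "user": "alice", "ip": "203.0.113.7"},
    {"time": "2024-03-04T07:30:00Z", "user": "bob",   "ip": "198.51.100.9"},
    {"time": "2024-03-04T15:10:00Z", "user": "carol", "ip": "192.0.2.55"},
    {"time": "2024-03-05T03:45:00Z", "user": "alice", "ip": "192.0.2.56"},
]


def flag_event(event):
    """Return the list of reasons this sign-in looks odd (empty when it is normal)."""
    reasons = []
    addr = ipaddress.ip_address(event["ip"])
    if not any(addr in net for net in TRUSTED_NETWORKS):
        reasons.append("untrusted_ip")
    ts = datetime.strptime(event["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if ts.astimezone(LOCAL_TZ).hour not in BUSINESS_HOURS:
        reasons.append("off_hours")
    return reasons


def triage(events):
    """Flagged events, most suspicious first: an event that trips both signals
    (unknown address and off hours) outranks one that trips only one."""
    flagged = [dict(ev, reasons=flag_event(ev)) for ev in events]
    flagged = [ev for ev in flagged if ev["reasons"]]
    return sorted(flagged, key=lambda ev: (-len(ev["reasons"]), ev["time"]))


if __name__ == "__main__":
    for ev in triage(EVENTS):
        print(ev["time"], ev["user"], ev["ip"], ", ".join(ev["reasons"]))
```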

4. Data Protection

This involves protecting data against unauthorized access, preventing
accidental data disclosure, and ensuring uninterrupted access to crucial
data in the case of failures and errors.
5. Access Management
Three capabilities that are a must in access management are the ability to
identify and authenticate users, the ability to assign access rights to users,
and the ability to develop and enact access control policies for all the
resources.

Common Cloud Security Standards

1. NIST (National Institute of Standards and Technology)

NIST is a federal organization in the US that creates metrics and standards
to boost competition in the scientific and technology industries. The
National Institute of Standards and Technology (NIST) developed the
Cybersecurity Framework to comply with US regulations such as the Federal
Information Security Management Act (FISMA) and the Health Insurance
Portability and Accountability Act (HIPAA). NIST places a strong emphasis on
classifying assets according to their commercial value and adequately
protecting them.

2. ISO-27017

A development of ISO-27001 that includes provisions unique to cloud-based
information security. Along with ISO-27001 compliance, ISO-27017 compliance
should be taken into account. This standard has not yet been introduced to
the marketplace. It attempts to offer further direction in the cloud
computing information security field. Its purpose is to supplement the
advice provided in ISO/IEC 27002 and various other ISO27k standards, such as
ISO/IEC 27018 on the privacy implications of cloud computing, and ISO/IEC
27031 on business continuity.

3. ISO-27018

The protection of personally identifiable information (PII) in public clouds
that serve as PII processors is covered by this standard. Although this
standard is especially aimed at public-cloud service providers like AWS or
Azure, PII controllers (such as a SaaS provider processing client PII in AWS)
nevertheless bear some accountability. If you are a SaaS provider handling
PII, you should think about complying with this standard.

4. CIS controls

Organizations can secure their systems with the help of the Center for
Internet Security (CIS) Controls, which are open, consensus-based policies.
Each control is rigorously reviewed by a number of professionals before a
conclusion is reached.
To easily access a list of evaluations for cloud security, consult the CIS
Benchmarks customized for particular cloud service providers. For instance,
you can use the CIS-AWS controls, a set of controls created especially for
workloads using Amazon Web Services (AWS).

5. FISMA

In accordance with the Federal Information Security Management Act (FISMA),
all federal agencies and their contractors are required to safeguard
information systems and assets. NIST was given authority under FISMA to
define the framework security standards, using NIST SP 800-53 (see the
definition below).

6. Cloud Architecture Framework

These frameworks, which frequently cover operational effectiveness,
security, and cost-value factors, can be viewed as best-practice standards
for cloud architects. This framework, developed by Amazon Web Services, aids
architects in designing workloads and applications on the Amazon cloud.
Customers have access to a reliable resource for architecture evaluation
thanks to this framework, which is based on a collection of questions for
the analysis of cloud environments.

7. General Data Protection Regulation (GDPR)

For the European Union, there are laws governing data protection and
privacy. Even though this law only applies to the European Union, it is
something you should keep in mind if you store or otherwise handle any
personal information of residents of the EU.

8. SOC Reporting

A form of audit of the operational processes used by IT businesses offering
any service is known as a "Service Organization Control 2" (SOC 2) audit. A
worldwide standard for cybersecurity risk management systems is SOC 2
reporting. The SOC 2 audit report shows that your company's policies,
practices, and controls are in place to meet the five trust principles. The
SOC 2 audit report lists security, availability, processing integrity,
confidentiality, and privacy as those principles. If you offer software as a
service, potential clients might request proof that you adhere to SOC 2
standards.
9. PCI DSS

For all merchants who use credit or debit cards, the PCI DSS (Payment Card
Industry Data Security Standard) provides a set of security criteria. For
businesses that handle cardholder data, there is PCI DSS. The PCI DSS
specifies fundamental technological and operational criteria for safeguarding
cardholder data. Cardholders are intended to be protected from identity theft
and credit card fraud by the PCI DSS standard.

10. HIPAA

The Health Insurance Portability and Accountability Act (HIPAA), passed by
the US Congress to safeguard individual health information, also has parts
specifically dealing with information security. Businesses that handle
medical data must abide by HIPAA law. The HIPAA Security Rule (HSR) is the
best choice in terms of information security. The HIPAA HSR specifies rules
for protecting people's electronic personal health information that a
covered entity generates, acquires, makes use of or maintains. Organizations
subject to HIPAA regulations need risk evaluations and risk management plans
to reduce threats to the availability, confidentiality, and integrity of the
crucial health data they manage. Assume your company sends and receives
health data via cloud-based services (SaaS, IaaS, PaaS). If so, it is your
responsibility to make sure the service provider complies with HIPAA
regulations and that you have implemented best practices for managing your
cloud setups.

11. CIS AWS Foundations v1.2

Any business that uses Amazon Web Service cloud resources can help
safeguard sensitive IT systems and data by adhering to the CIS AWS
Foundations Benchmark. Intelligence analysts developed a set of objective,
consensus-driven configuration standards known as the CIS (Center for
Internet Security) Benchmarks to help businesses improve their information
security. Additionally, CIS procedures are for fortifying AWS accounts to
build a solid foundation for running jobs on AWS.

12. ACSC Essential Eight

ACSC Essential 8 (also known as the ASD Top 4) is a list of eight
cybersecurity mitigation strategies for small and large firms. In order to
improve security controls, protect businesses' computer resources and
systems, and protect data from cybersecurity attacks, the Australian Signals
Directorate (ASD) and the Australian Cyber Security Centre (ACSC) developed
the "Essential Eight Tactics."
