Unit 5:

Cloud Security
• “Security in the Cloud is much like security
in your on-premises data centers - only
without the costs of maintaining facilities
and hardware. In the Cloud, you don’t
have to manage physical servers or
storage devices. Instead, you use
software-based security tools to monitor
and protect the flow of information into
and of out of your Cloud resources.”

• (The Beginner’s Guide to Cloud Security,

Amazon Web Services 2019)

BCA TU Complied By: Er. Nabin Adhikari 2

• The objective of Cloud security is keeping
your data secure in the Cloud.
• Although Cloud projects are becoming widely
popular, an increasing number of executives and
business owners is concerned with how to secure
their Cloud environment against cyberattacks,
data breaches and intrusions – and that,
rightfully so.
• According to Gartner, organizations should never
assume that using a Cloud service automatically
means that whatever they do within this Cloud
environment will be secure.
• As opposed to traditional IT security, Cloud
security solutions typically use third-party data
centers, require less upfront investments and are
extremely scalable and efficient
BCA TU Complied By: Er. Nabin Adhikari 3
 5.1 Introduction to Security

• Cloud security, also known as cloud computing

security, consists of a set of policies, controls,
procedures and technologies that work together to
protect cloud-based systems, data, and infrastructure.
• These security measures are configured to protect
cloud data, support regulatory compliance and protect
customers' privacy as well as setting authentication
rules for individual users and devices.
• From authenticating access to filtering traffic, cloud
security can be configured to the exact needs of the
business.
• And because these rules can be configured and
managed in one place, administration overheads are
reduced and IT teams empowered to focus on other
areas of the business.

BCA TU Complied By: Er. Nabin Adhikari 4

• The way cloud security is delivered will depend
on the individual cloud provider or the cloud
security solutions in place.
• However, implementation of cloud security
processes should be a joint responsibility
between the business owner and solution
provider.

BCA TU Complied By: Er. Nabin Adhikari 5

In fact, business owners and IT executives need to make Cloud security
a priority during the three main stages of a Cloud adoption project.
• Before Cloud Migration: Before going to the Cloud, organizations
must assess their readiness to the Cloud aligned with their business
risks, legal and technical considerations. During this phase,
organizations must understand their objectives of moving to the
Cloud, possible risks and expected outcomes.
• During Cloud Migration: As the Cloud environment is ever-evolving,
it is important to prioritize security all while moving your data to the
Cloud. During the Cloud migration phase, it is important to adopt a
risk-based approach to secure Cloud adoption to avoid potential
pitfalls.
• After Cloud Migration: Just because a Cloud migration project has
been completed doesn’t mean that your Cloud environment is secure.
Instead, organizations must continue to evaluate their Cloud security
posture on a regular basis, monitor their Cloud environment and be
vigilant about documenting any changes or potential Cloud risks.

BCA TU Complied By: Er. Nabin Adhikari 6

Cloud security offers many benefits, including:
• Centralized security: Just as cloud computing
centralizes applications and data, cloud security
centralizes protection.
• Cloud-based business networks consist of
numerous devices and endpoints that can be
difficult to manage.
• Disaster recovery plans can also be implemented
and actioned easily when they are managed in
one place.

BCA TU Complied By: Er. Nabin Adhikari 7

• Reduced costs: One of the benefits of utilizing cloud
storage and security is that it eliminates the need to
invest in dedicated hardware. Not only does this
reduce capital expenditure, but it also reduces
administrative overheads. Where once IT teams were
firefighting security issues reactively, cloud security
delivers proactive security features that offer
protection 24/7 with little or no human intervention.
• Reduced Administration: When you choose a
reputable cloud services provider or cloud security
platform, you can kiss goodbye to manual security
configurations and almost constant security updates.
These tasks can have a massive drain on resources,
but when you move them to the cloud, all security
administration happens in one place and is fully
managed on your behalf.

BCA TU Complied By: Er. Nabin Adhikari 8

• Reliability: Cloud computing services offer the
ultimate in dependability.
• With the right cloud security measures in place,
users can safely access data and applications
within the cloud no matter where they are or
what device they are using.
• More and more organizations are realizing the
many business benefits of moving their systems
to the cloud.
• Cloud computing allows organizations to operate
at scale, reduce technology costs and use agile
systems that give them the competitive edge.

BCA TU Complied By: Er. Nabin Adhikari 9

 Secure Data in the Cloud
• Cloud data security becomes increasingly important as
we move our devices, data centers, business
processes, and more to the cloud.
• Ensuring quality cloud data security is achieved
through comprehensive security policies, an
organizational culture of security, and cloud security
solutions.
• Selecting the right cloud security solution for your
business is imperative if you want to get the best from
the cloud and ensure your organization is protected
from unauthorized access, data breaches and other
threats.
• Forcepoint Cloud Access Security Broker
(CASB) is a complete cloud security solution that
protects cloud apps and cloud data, prevents
compromised accounts and allows you to set security
policies on a per-device basis.

BCA TU Complied By: Er. Nabin Adhikari 10

5.2 Cloud Security challenges and
Risks
• Many organizations are moderately to extremely
concerned about cloud security.
• When asked about what are the biggest security
threats facing public clouds, organizations
ranked:
 misconfiguration
 unauthorized access
 insecure interfaces and
 hijacking of accounts

BCA TU Complied By: Er. Nabin Adhikari 11

 The Top Security Issues in Cloud
Computing
Misconfiguration
• Misconfiguration of cloud infrastructure is a leading
contributor to data breaches. If an organization’s
cloud environment is not configured properly, critical
business data and applications may become
susceptible to an attack.
• misconfiguration poses serious cloud security
issues to businesses and the fallout can detrimentally
impact day-to-day operations.
• To prevent misconfigurations, those responsible for
overseeing their organization’s cloud solution should
be familiar with the security controls provided by their
cloud service provider.

BCA TU Complied By: Er. Nabin Adhikari 12

• Cyberattacks
• Cybercriminals and threat actors are constantly
practicing and perfecting their hacking
capabilities, and cloud environments are quickly
becoming one of their primary targets.
• It’s important for organizations to understand
their cyber risk so they can make the necessary
adjustments to proactively protect their business
from cyberattacks.

BCA TU Complied By: Er. Nabin Adhikari 13

Malicious Insiders
• Cyberattacks don’t just occur from external
threats – insider threats are a major concern for
businesses, too.
• In fact, according to the 2020 Verizon Data
Breach Investigations Report, 30% of data
breaches involved internal actors.
• Organizations must have the proper security
controls in place to identify malicious insider
activity and mitigate risks before there are any
significant impacts to business operations.

BCA TU Complied By: Er. Nabin Adhikari 14

Lack of Visibility
• A report by Forcepoint states that only 7% of
cybersecurity professionals have extremely good
visibility as to how employees use critical business data
across company-owned and employee-owned devices,
company-approved services (e.g., Microsoft Exchange),
and employee services, while 58% say they have only
moderate or slight visibility.
• In a cloud environment, this lack of visibility can lead
to cloud computing security issues that put organizations
at risk, including malicious insider threats and
cyberattacks that we discussed above.
• It is imperative organizations have comprehensive
visibility into their cloud environment on a continuous
basis.

BCA TU Complied By: Er. Nabin Adhikari 15

Insecure Application & Configurations
• According to a recent report from
McAfee, 99% of IaaS misconfigurations go
unnoticed, one of the most common entry
points for cloud-native breaches.
• As these misconfigurations are client-side,
this underscores the need for shared
responsibility and to consider cloud-native
tools such as data loss prevention (DLP)
that can help audit configurations to
ensure data is being stored and protected
against breach and non-compliance.

BCA TU Complied By: Er. Nabin Adhikari 16

• Data Leakage
• By sharing public links – or changing the settings
of a cloud-based file to “public” – anyone with
knowledge of the link can access the information
stored within them.
• Additionally, hackers leverage tools to actively
search the internet for instances of unsecured
cloud deployments just like these.
• If these resources contain proprietary company
data or sensitive information and wind up in the
wrong hands, there is an immediate threat of a
potentially serious data breach, which can impact
an organization.

BCA TU Complied By: Er. Nabin Adhikari 17

 How to Mitigate Cloud Security
Concerns and Issues
• Although the cloud is full of benefits, there are cloud
computing challenges and related security issues, and
through 2025, 99% of cloud security failures will be
the customer’s fault according to Gartner.
• To help mitigate risks, it is best to work with a
managed cloud service provider that you trust and
have full confidence in protecting your data. The trust
you build with your partner will go a long way to help
expand and secure your business in the cloud.
• When searching for a provider, you should investigate
what cybersecurity framework they use or
recommend. It’s an easy question to ask, but it’s
surprising how many managed service companies
won’t have an answer for you.

BCA TU Complied By: Er. Nabin Adhikari 18

BCA TU Complied By: Er. Nabin Adhikari 19
5.3 Software-as-a-Service Security

• SaaS Security refers to securing user

privacy and corporate data in
subscription-based cloud applications.
• SaaS applications carry a large amount of
sensitive data and can be accessed from
almost any device by a mass of users,
thus posing a risk to privacy and sensitive
information.

BCA TU Complied By: Er. Nabin Adhikari 20

• SaaS is the dominant cloud service model for the
foreseeable future and the area where the most
critical need for security practices and oversight will
reside.
• Just as with a managed service provider, corporations
or end users will need to research vendors’ policies on
data security before using vendor services to avoid
losing or not being able to access their data.
• The technology analyst and consulting firm Gartner
lists [6] seven security risks which one should discuss
with a cloud-computing vendor:
 Privileged user access
 Regulatory compliance
 Data location
 Data segregation
 Recovery
 Investigative support
 Long-term viability

BCA TU Complied By: Er. Nabin Adhikari 21

 • To address the security issues listed above, SaaS providers
will need to incorporate and enhance security practices
used by the managed service providers and develop new
ones as the cloud computing environment evolves.

Security management Vulnerability assessment

Security governance Security image testing
Data governance
Risk management Data security
Risk assessment Application security
Security awareness Virtual machine security
Education and training Identity Access Management (IAM)
Policies and standards Change management
Physical security
Third party Disaster recovery
risk management Data privacy

BCA TU Complied By: Er. Nabin Adhikari 22

• SaaS is exposed by attacks on API’s(Application
Programming Interface), publishers, web portals
and interfaces.
• The attacks on the SaaS are categorized into two
broad groups: attacks on development tools and
attacks on management tools.
• Most popular services on SaaS are web services, web
portals and APIs.
• Intruders’ attempt un-authorized access and gain of
services by attacking web portals and APIs.
• These attacks affect data privacy.
• Intruders try to extract the sensitive information of
API Keys, private keys, and credentials of publishers
via different kinds of attacks and automated tools.
• Another possibility of attack on this layer is exposure
of secure shell for extracting key credentials.

BCA TU Complied By: Er. Nabin Adhikari 23

BCA TU Complied By: Er. Nabin Adhikari 24
• Data protection
• In cloud computing applications are deployed in
shared resource environments; therefore, data
privacy is an important aspect.
• Data privacy has three major challenges:
integrity, authorized access and availability
(backup/ replication).
• Data integrity ensures that the data are not
corrupted or tampered during communication.
• Authorized access prevents data from intrusion
attacks while backups and replicas allow data
access efficiently even in case of a technical fault
or disaster at some cloud location.

BCA TU Complied By: Er. Nabin Adhikari 25

• Attacks on interfaces
• A successful attack on the cloud interfaces
can result in a root level access of a
machine without initiating a direct attack
on the cloud infrastructure.
• Two different kinds of attacks are
launched on authentication mechanism of
clouds.
• The control interfaces are vulnerable to
signature wrapping and advanced cross
site scripting (XSS) techniques.

BCA TU Complied By: Er. Nabin Adhikari 26

• Attacks on SSH (Secure Shell)
• Attacks on Secure Shell (SSH), the basic
mechanism used to establish trust and
connection with cloud services, are the most
alarming threat that compromises control trust.
• According to Ponemon 2014 SSH security
Vulnerability Report , 74 percent organizations
have no control to provision, rotate, track and
remove SSH keys.
• Cybercriminals take full advantage of these
vulnerabilities and use cloud computing to launch
different attacks.

BCA TU Complied By: Er. Nabin Adhikari 27

 5.4 Security Monitoring

• Monitoring is a critical component of cloud

security and management.
• Typically relying on automated solutions, cloud
security monitoring supervises virtual and
physical servers to continuously assess and
measure data, application, or infrastructure
behaviors for potential security threats.
• This assures that the cloud infrastructure and
platform function optimally while minimizing the
risk of costly data breaches.

BCA TU Complied By: Er. Nabin Adhikari 28

 BENEFITS OF CLOUD SECURITY
MONITORING
• Cloud monitoring provides an easier way to identify patterns
and pinpoint potential security vulnerabilities in cloud
infrastructure.
• As there’s a general perception of a loss of control when
valuable data is stored in the cloud, effective cloud monitoring
can put companies more at ease with making use of the cloud
for transferring and storing data.
• When customer data is stored in the cloud, cloud monitoring
can prevent loss of business and frustrations for customers by
ensuring that their personal data is safe.
• The use of web services can increase security risks, yet cloud
computing offers many benefits for businesses, from
accessibility to a better customer experience.
• Cloud monitoring is one initiative that enables companies to
find the balance between the ability to mitigate risks and
taking advantage of the benefits of the cloud – and it should
do so without hindering business processes.
BCA TU Complied By: Er. Nabin Adhikari 29
CHALLENGES OF CLOUD SECURITY
MONITORING
• Virtualization poses challenges for monitoring in the cloud,
and traditional configurations involving log management,
log correlation, and event management (SIEM) tools aren’t
routinely configured to adapt to dynamic environments
where virtual machines may come and go in response to
sharp increases or decreases in demand.
• Visibility can also be a concern when it comes to cloud
monitoring. Many companies rely on third-party cloud
services providers and may not have access to every layer
in the cloud computing stack, and therefore can’t gain full
visibility to monitor for potential security flaws and
vulnerabilities.
• Finally, shifts in scope are another common challenge when
dealing with cloud environments, as assets and applications
may move between systems which may not necessarily
have the same level of security monitoring.

BCA TU Complied By: Er. Nabin Adhikari 30

 HOW CLOUD SECURITY
MONITORING WORKS
• There are several approaches to cloud security
monitoring. Cloud monitoring can be done in the cloud
platform itself, on premises using an enterprise’s
existing security management tools, or via a third
party service provider. Some of the key capabilities of
cloud security monitoring software include:
• Scalability: tools must be able to monitor large
volumes of data across many distributed locations
• Visibility: the more visibility into application, user,
and file behavior that a cloud monitoring solution
provides, the better it can identify potential attacks or
compromises

BCA TU Complied By: Er. Nabin Adhikari 31

• Timeliness: the best cloud security monitoring
solutions will provide constant monitoring,
ensuring that new or modified files are scanned
in real time
• Integration: monitoring tools must integrate
with a wide range of cloud storage providers to
ensure full monitoring of an organization’s cloud
usage
• Auditing and Reporting: cloud monitoring
software should provide auditing and reporting
capabilities to manage compliance requirements
for cloud security

BCA TU Complied By: Er. Nabin Adhikari 32

 5.5 Security Architecture Design
• Cloud security architecture (also sometimes called a “cloud computing
security architecture”) is defined by the security layers, design, and
structure of the platform, tools, software, infrastructure, and best
practices that exist within a cloud security solution.
• A cloud security architecture provides the written and visual model to
define how to configure and secure activities and operations within the
cloud, including such things as:
 identity and access management;
 methods and controls to protect applications and data;
 approaches to gain and maintain visibility into compliance, threat posture,
and overall security;
 processes for instilling security principles into cloud services development
and operations;
 policies and governance to meet compliance standards; and
 physical infrastructure security components.

BCA TU Complied By: Er. Nabin Adhikari 33

 Key Elements of a Cloud Security
Architecture
• When developing a cloud security
architecture several critical elements should be
included:
 Security at Each Layer
 Centralized Management of Components
 Redundant & Resilient Design
 Elasticity & Scalability
 Appropriate Storage for Deployments
 Alerts & Notifications
 Centralization, Standardization, & Automation

BCA TU Complied By: Er. Nabin Adhikari 34

 Shared Responsibility within Cloud
Security Architectures
• The types of service models in use by a business define the types of
cloud security architectures that are most applicable.
• The service models are: Infrastructure as a Service (IaaS), Software
as a Service (SaaS), and Platform as a Service (PaaS).
• Organizations that offer cloud services typically adhere to a shared
responsibility model—that is, the cloud service provider is
responsible for the security of the components necessary to operate
the cloud service (software, computing, storage, database,
networking, hardware, infrastructure, etc.).
• The customer is responsible for protecting the data and information
that is stored in the cloud, as well as how they may access that data
(identity and access management).
• Responsibilities vary slightly depending on the type of service (IaaS,
SaaS, or PaaS)

BCA TU Complied By: Er. Nabin Adhikari 35

Infrastructure as a Service (IaaS) Shared
Responsibility
• With an IaaS, a business purchases the infrastructure from
a cloud provider and the business typically installs their
own operating systems, applications, and middleware.
• An example of an IaaS is Azure (Microsoft).
• In an IaaS, the customer is usually responsible for the
security associated with anything they own or install on the
infrastructure.
Software as a Service (SaaS) Shared Responsibility
• With a SaaS, an organization purchases the use of a cloud-
based application from a provider. Examples of SaaS
include Office 365 or Salesforce.
• In a SaaS, the customer is typically only responsible for the
security components associated with accessing the
software, such identity management, customer network
security, etc.
• The software provider manages the security backend.

BCA TU Complied By: Er. Nabin Adhikari 36

Platform as a Service (PaaS) Shared
Responsibility
• With a PaaS, a business purchases a platform
from a cloud provider to develop, run, and
manage applications without developing or
managing the underlying platform infrastructure
required for the applications.
• An example of a PaaS would be Amazon Web
Services (AWS).
• In a PaaS, the customer is responsible for the
security associated with application
implementation, configurations, and permissions.

BCA TU Complied By: Er. Nabin Adhikari 37

 Types of Cloud Security
Architectures
• A cloud security architecture typically includes
components and best practices relevant to the
types of cloud security services the business
wishes to secure.
• Examples include an AWS cloud
security architecture, Google infrastructure
security, or an Azure security architecture.
• Additional key components of a cloud security
architecture include the cloud “shared
responsibility model” and the principles of “zero
trust architecture.”

BCA TU Complied By: Er. Nabin Adhikari 38

 Principles of Cloud Security
Architecture
• A well-designed cloud security architecture should be
based on the following key principles:
• Identification—Knowledge of the users, assets,
business environment, policies, vulnerabilities and
threats, and risk management strategies (business
and supply chain) that exist within your cloud
environment.
• Security Controls—Defines parameters and policies
implemented across users, data, and infrastructure to
help manage the overall security posture.
• Security by Design—Defines the control
responsibilities, security configurations, and security
baseline automations. Usually standardized and
repeatable for deployment across common use cases,
with security standards, and in audit requirements.

BCA TU Complied By: Er. Nabin Adhikari 39

• Compliance—Integrates industry standards and
regulatory components into the architecture and
ensures standards and regulatory responsibilities are
met.
• Perimeter Security—Protects and secures traffic in
and out of organization’s cloud-based resources,
including connection points between corporate
network and public internet.
• Segmentation—Partitions the architecture into
isolated component sections to prevent lateral
movement in the case of a breach. Often includes
principles of ‘least privilege’.
• User Identity and Access Management—Ensures
understanding, visibility, and control into all users
(people, devices, and systems) that access corporate
assets. Enables enforcement of access, permissions,
and protocols.

BCA TU Complied By: Er. Nabin Adhikari 40

• Data encryption—Ensures data at rest and traveling
between internal and external cloud connection points
is encrypted to minimize breach impact.
• Automation—Facilitates rapid security and
configuration provisioning and updates as well as
quick threat detection.
• Logging and Monitoring—Captures activities and
constant observation (often automated) of all activity
on connected systems and cloud-based services to
ensure compliance, visibility into operations, and
awareness of threats.
• Visibility—Incorporates tools and processes to
maintain visibility across an organization’s multiple
cloud deployments.
• Flexible Design—Ensuring architecture design is
sufficiently agile to develop and incorporate new
components and solutions without sacrificing inherent
security.
BCA TU Complied By: Er. Nabin Adhikari 41
 Cloud Security Architecture
Threats
Cloud services are affected by the most common types
of concerns and threats:
• including data breaches,
• malware injections,
• regulatory non-compliance,
• insider threats,
• insecure application programming interfaces (APIs),
• account hijacking through stolen or compromised
credentials,
• phishing, and
• service disruptions due to denial-of-service attacks or
misconfigurations.
If a breach occurs, liability for the breach is based on
the shared responsibility model.
BCA TU Complied By: Er. Nabin Adhikari 42
IaaS Cloud Security Threats
• Availability disruption through denial-of-service
attacks
• Broken authentication
• Sensitive data exposure
• XML external entities
• Broken access control
• Security misconfigurations
• Using components with known vulnerabilities
• Insufficient logging and monitoring
• Data leakage (through inadequate ACL)
• Privilege escalation through misconfiguration
• DoS attack via API
• Weak privileged key protection
• Virtual machine (VM) weaknesses
• Insider data theft

BCA TU Complied By: Er. Nabin Adhikari 43

PaaS Cloud Security Threats
• Authorization weaknesses in platform services
• Run-time engine vulnerabilities
• Availability disruption through denial-of-service attacks
• Broken authentication
• Sensitive data exposure
• XML external entities
• Broken access control
• Security misconfigurations
• Using components with known vulnerabilities
• Insufficient logging and monitoring
• Data leakage (through inadequate ACL)
• Privilege escalation through misconfiguration
• DoS attack via API
• Privilege escalation via API
• Weak privileged key protection
• Virtual machine (VM) weaknesses
• Insider data theft

BCA TU Complied By: Er. Nabin Adhikari 44

• SaaS Cloud Security Threats
– Weak or immature identity and access management
– Weak cloud security standards
– Shadow IT/unsanctioned cloud applications/software
– Service disruption through denial-of-service attacks
– Phishing
– Weak compliance and auditing oversight
– Stolen or compromised credentials
– Weak vulnerability monitoring

BCA TU Complied By: Er. Nabin Adhikari 45

 5.6 Data Security

• Data security is the practice of protecting digital

information from unauthorized access,
corruption, or theft throughout its entire lifecycle.
• When properly implemented, robust data security
strategies will protect an organization’s
information assets against cybercriminal
activities, but they also guard against insider
threats and human error, which remains among
the leading causes of data breaches today.

BCA TU Complied By: Er. Nabin Adhikari 46

 Types of data security

Encryption
Using an algorithm to transform normal text characters
into an unreadable format, encryption keys scramble data
so that only authorized users can read it. File and
database encryption solutions serve as a final line of
defense for sensitive volumes by obscuring their contents
through encryption or tokenization. Most solutions also
include security key management capabilities.

Data Erasure
More secure than standard data wiping, data erasure uses
software to completely overwrite data on any storage
device. It verifies that the data is unrecoverable.

BCA TU Complied By: Er. Nabin Adhikari 47

• Data Masking
By masking data, organizations can allow teams to
develop applications or train people using real
data. It masks personally identifiable information
(PII) where necessary so that development can
occur in environments that are compliant.

Data Resiliency
Resiliency is determined by how well a data center
is able to endure or recover any type of failure –
from hardware problems to power shortages and
other disruptive events.
BCA TU Complied By: Er. Nabin Adhikari 48
 Data security strategies

• Physical security of servers and user devices

Regardless of whether your data is stored on-
premises, in a corporate data center, or in the public
cloud, you need to ensure that facilities are secured
against intruders and have adequate fire suppression
measures and climate controls in place. A cloud
provider will assume responsibility for these protective
measures on your behalf.
• Access management and controls
The principle of “least-privilege access” should be
followed throughout your entire IT environment. This
means granting database, network, and
administrative account access to as few people as
possible, and only those who absolutely need it to get
their jobs done.

BCA TU Complied By: Er. Nabin Adhikari 49

Application security and patching
All software should be updated to the latest version as
soon as possible after patches or new versions are
released.

Backups
Maintaining usable, thoroughly tested backup copies of
all critical data is a core component of any robust data
security strategy. In addition, all backups should be
subject to the same physical and logical security controls
that govern access to the primary databases and core
systems.
Network and endpoint security monitoring and
controls
Implementing a comprehensive suite of threat
management, detection, and response tools and
platforms across your on-premises environment and
cloud platforms can mitigate risks and reduce the
probability of a breach.

BCA TU Complied By: Er. Nabin Adhikari 50

 5.7 Application Security

• Application security describes security

measures at the application level that aim to
prevent data or code within the app from being
stolen or hijacked.
• Application security may include hardware,
software, and procedures that identify or
minimize security vulnerabilities.
• Cloud application security is a series of
defined policies, processes, controls, and
technology governing all information exchanges
that happen in collaborative cloud environments
like Microsoft Office 365, Google G Suite, etc.

BCA TU Complied By: Er. Nabin Adhikari 51

CLOUD APPLICATION SECURITY THREATS
• Misconfiguration of application setup is the single
biggest threat to cloud security because data
breaches tend to happen when services are
accidentally exposed to the public internet.
• Unauthorized access to a website, server, service,
or other system is also an area for great concern
because once they’re in, there’s no telling what
unauthorized users will do to create chaos.
• Insecure APIs and interfaces present easy
opportunities for attackers to breach systems because
they are the only asset(s) outside of the
organizational boundary with a public IP address.
• Account hijacking is feared because so much
sensitive data and resources is stored and accessed
on devices shared by many different users—and
because keeping tabs on rogue employees is difficult.

BCA TU Complied By: Er. Nabin Adhikari 52

 Types of application security

• Authentication: When software developers build

procedures into an application to ensure that only
authorized users gain access to it. Authentication
procedures ensure that a user is who they say they
are. This can be accomplished by requiring the user to
provide a user name and password when logging in to
an application.
• Authorization: After a user has been authenticated,
the user may be authorized to access and use the
application. The system can validate that a user has
permission to access the application by comparing the
user’s identity with a list of authorized users.
Authentication must happen before authorization so
that the application matches only validated user
credentials to the authorized user list.

BCA TU Complied By: Er. Nabin Adhikari 53

• Encryption: After a user has been authenticated
and is using the application, other security
measures can protect sensitive data from being
seen or even used by a cybercriminal. In cloud-
based applications, where traffic containing
sensitive data travels between the end user and
the cloud, that traffic can be encrypted to keep
the data safe.
• Logging: If there is a security breach in an
application, logging can help identify who got
access to the data and how. Application log files
provide a time-stamped record of which aspects
of the application were accessed and by whom.
• Application security testing: A necessary
process to ensure that all of these security
controls work properly.

BCA TU Complied By: Er. Nabin Adhikari 54

 5.8 Virtual Machine Security

• Virtualized security, or security virtualization,

refers to security solutions that are software-based
and designed to work within a virtualized IT
environment.
• This differs from traditional, hardware-based network
security, which is static and runs on devices such as
traditional firewalls, routers, and switches.
• In contrast to hardware-based security, virtualized
security is flexible and dynamic.
• Instead of being tied to a device, it can be deployed
anywhere in the network and is often cloud-based.

BCA TU Complied By: Er. Nabin Adhikari 55

• In the cloud environment, physical servers are
consolidated to multiple virtual machine instances
on virtualized servers.
• Not only can data center security teams replicate
typical security controls for the data center at
large to secure the virtual machines, they can
also advise their customers on how to prepare
these machines for migration to a cloud
environment when appropriate.
• Firewalls, intrusion detection and prevention,
integrity monitoring, and log inspection can all be
deployed as software on virtual machines to
increase protection and maintain compliance
integrity of servers and applications as virtual
resources move from on- premises to public
cloud environments.

BCA TU Complied By: Er. Nabin Adhikari 56

 Benefits of virtualized security

• Cost-effectiveness: Virtualized security allows an

enterprise to maintain a secure network without a
large increase in spending on expensive proprietary
hardware. Pricing for cloud-based virtualized security
services is often determined by usage, which can
mean additional savings for organizations that use
resources efficiently.
• Flexibility: Virtualized security functions can follow
workloads anywhere, which is crucial in a virtualized
environment. It provides protection across multiple
data centers and in multi-cloud and hybrid cloud
environments, allowing an organization to take
advantage of the full benefits of virtualization while
also keeping data secure.

BCA TU Complied By: Er. Nabin Adhikari 57

• Operational efficiency: Quicker and easier to
deploy than hardware-based security, virtualized
security doesn’t require IT teams to set up and
configure multiple hardware appliances. Instead,
they can set up security systems through
centralized software, enabling rapid scaling.
Using software to run security technology also
allows security tasks to be automated, freeing up
additional time for IT teams.
• Regulatory compliance: Traditional hardware-
based security is static and unable to keep up
with the demands of a virtualized network,
making virtualized security a necessity for
organizations that need to maintain regulatory
compliance.
BCA TU Complied By: Er. Nabin Adhikari 58
 Risks of virtualized security

• The increased complexity of virtualized security

can be a challenge for IT, which in turn leads to
increased risk.
• It’s harder to keep track of workloads and
applications in a virtualized environment as they
migrate across servers, which makes it more
difficult to monitor security policies and
configurations.
• And the ease of spinning up virtual machines can
also contribute to security holes.

BCA TU Complied By: Er. Nabin Adhikari 59

 How is physical security different
from virtualized security?
• Traditional physical security is hardware-based,
and as a result, it’s inflexible and static.
• The traditional approach depends on devices
deployed at strategic points across a network and
is often focused on protecting the network
perimeter (as with a traditional firewall).
• However, the perimeter of a virtualized, cloud-
based network is necessarily porous and
workloads and applications are dynamically
created, increasing the potential attack surface.

BCA TU Complied By: Er. Nabin Adhikari 60

• Traditional security also relies heavily
upon port and protocol filtering, an
approach that’s ineffective in a virtualized
environment where addresses and ports
are assigned dynamically.
• In such an environment, traditional
hardware-based security is not enough; a
cloud-based network requires virtualized
security that can move around the
network along with workloads and
applications.

BCA TU Complied By: Er. Nabin Adhikari 61

 Different types of virtualized security
• Segmentation, or making specific resources
available only to specific applications and users. This
typically takes the form of controlling traffic between
different network segments or tiers.
• Micro-segmentation, or applying specific security
policies at the workload level to create granular
secure zones and limit an attacker’s ability to move
through the network. Micro-segmentation divides a
data center into segments and allows IT teams to
define security controls for each segment individually,
bolstering the data center’s resistance to attack.
• Isolation, or separating independent workloads and
applications on the same network. This is particularly
important in a multitenant public cloud environment,
and can also be used to isolate virtual networks from
the underlying physical infrastructure, protecting the
infrastructure from attack.

BCA TU Complied By: Er. Nabin Adhikari 62

 5.9 Identity Management and
Access Control
• Identity management and access control is the
discipline of managing access to enterprise
resources to keep systems and data secure.
• As a key component of security architecture, it
can help verify the user’s identities before
granting them the right level of access to
workplace systems and information.
• While people might use the terms identity
management, authentication, and access control
interchangeably, each of these individually serve
as distinct layers for enterprise security
processes.

BCA TU Complied By: Er. Nabin Adhikari 63

• Identity management—also referred to as identity
and access management (IAM)—is the
overarching discipline for verifying a user’s
identity and their level of access to a particular
system.
• Within that scope, both authentication and access
control—which regulates each user’s level of
access to a given system—play vital roles in
securing user data.
• We interact with authentication mechanisms
every day.
• When you enter a username and password, use a
PIN, scan your fingerprint, or tap your bank card,
your identity is being verified for authentication
purposes.
BCA TU Complied By: Er. Nabin Adhikari 64
• Once your identity is verified, access
control is implemented to determine your
level of access.
• This is important for applications and
services that have different levels
of authorization for different users.
• Access control, for instance, will allow
software administrators to add users or
edit profiles while also barring lower-tier
users from accessing certain features and
information.

BCA TU Complied By: Er. Nabin Adhikari 65

 Types of Access Controls
1. Mandatory Access Control: This is a system-enforced
access control that is based on a subject’s clearance and an
object’s labels. It is usually associated with multilevel security
labels such as Top Secret, Confidential, and Secret.
2. Discretionary Access Control: This is a type of access
control that restricts access to objects based on the identity
of subjects and groups to which they belong. The controls are
discretionary in the sense that a subject with a certain access
permission is capable of passing that permission.
3. Rule Based Access Control: In this model, access rules
are pre-defined (for example, via an ACL) and are evaluated
to determine access permissions. Rule-based access defines
specific and detailed situations in which a subject can or
cannot access an object, and what that subject can do once
access is granted.
BCA TU Complied By: Er. Nabin Adhikari 66
4. Physical Access Control: Physical access controls
restrict access to a physical space within an
organization. This type of access control limits access to
rooms, buildings and physical IT assets. One benefit of
implementing these controls, is that you have a record
of everyone who is entering and leaving restricted areas.
5. Role Based Access Control: This is a type of control
that uses a user’s role as a basis to restrict access.
Custom roles are usually created such that the least
privilege policy is maintained, and the access is revoked
when no longer needed.
6. Attribute Based Access Control: This is a form of
access control that governs the access based on the
attributes. These can be user attributes, resource of
object attributes, and environmental attributes.
7. Policy Based Access Control: This is a strategy
used to manage access based on the policies which
determine what access role each person must have.
BCA TU Complied By: Er. Nabin Adhikari 67
 Identity Management best practices:
Listed below are the best practices to maintain the integrity of
user and device identities based on the security controls:
• Perform a SWOT (Strengths, Weaknesses, Opportunities,
Threats) analysis based on the risk appetite of your
company
• Least Privilege – be aware of any ‘allow all’ type or roles
and where/when those are being used
• Protect root level of access and restrict privilege abuse
• Detail and assess the out of the box roles before assigning
these
• Control groups for permission assignments and monitor the
access
• Be sure to have good password policies configured into
applications and processes
• Remove unused credentials

BCA TU Complied By: Er. Nabin Adhikari 68