Chapter 1: Cloud Security Basics 23

Uploaded by

boussaa amani
Cloud Computing Security

5 ArcTIC

Ms. Manel Medhioub

manel.madhioub@esprit.tn

Esprit 2022-2023
Progress

• Duration: 30 Hours
  – 10 weeks; 3 hours/lesson
  – Blended learning
    • Online digital media (GC)
      – Activities, test, on-line courses…
      – Coursework
    • Traditional classroom (physical presence)
  – 100% Final Exam
    • One mark filed

Chapters

1. Introduction to Cloud Computing security
2. Cloud Computing Security requirements
3. Cloud Computing security threats/vulnerabilities
4. Cloud Computing security attacks
5. Cloud Computing security mechanisms
6. Identity and access management
7. Governance, Compliance and Risk Management
8. Trust
9. Security in software development

Cloud Security
Chapter 1: Introduction to Cloud Computing Security

Lesson plan

1. Cloud Computing Overview
2. Security Concerns of Cloud Computing
3. Terminology and Principles
4. Cloud Security Reference Model

Cloud Computing Overview
Definition

Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

- NIST Special Publication 500-322, February 2018

The Concept

Security Concerns of Cloud Computing

• In the information security space, in general, the maturity of a particular technology can relate, at least in part, to how secure it actually is.
• The cloud computing model is no exception among new computing models, which always face problems such as security.
• Significant security concerns need to be addressed when considering moving critical applications and sensitive data to public and shared cloud environments.
• Moving business data to the cloud means that the responsibility for data security becomes shared with the cloud provider.
• In fact, securing the cloud and its resources is all the more critical for the cloud providers, for the survival of their own business.
• A cloud is a target-rich environment for malicious individuals and criminal organizations.
• The overlapping of trust boundaries can provide malicious cloud consumers (human and automated) opportunities to attack IT resources and steal or damage business data.
• Along with its benefits, cloud computing also presents a number of security issues that have restricted its deployment to date.

Figure: Reasons customers migrate to the cloud computing environment (Ponemon Institute, April 2011)
Figure: Obstacles to your adoption of cloud computing (Source: TechTarget Cloud Infrastructure Research Survey, 2Q 2014)
Figure: "The 2016 Global Cloud Data Security Study," conducted by the Ponemon Institute
Figures: https://www.infoworld.com/article/3561269/the-2020-idg-cloud-computing-survey.html

Terminology and Principles

• Cloud security is an evolving sub-domain of computer security, network security, and, more broadly, information security.
• It refers to a broad set of policies, technologies, and controls deployed to protect data, applications, and the associated infrastructure of cloud computing.
• Information Security: This term refers to a broad field that has to do with the protection of information and information systems.
• The objective of information security is to protect information as well as information systems from:
  – unauthorized access,
  – use,
  – disclosure,
  – disruption,
  – modification,
  – destruction
• Confidentiality: “Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.”
  – Within cloud environments, confidentiality primarily pertains to restricting access to data in transit and storage.
  – The message issued by the cloud consumer to the cloud service is considered confidential only if it is not accessed or read by an unauthorized party.
• Integrity is the characteristic of not having been altered by an unauthorized party.
• Integrity can extend to how data is stored, processed, and retrieved by cloud services and cloud-based IT resources.
• A cloud consumer should be guaranteed that the data it transmits to a cloud service matches the data received by that cloud service.
  – The message issued by the cloud consumer to the cloud service is considered to have integrity if it has not been altered.
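Added example (not part of the original slides): one way a cloud service can check that a consumer's message arrived unaltered. The slides name no specific mechanism; HMAC-SHA256 with a pre-shared key, the key value, the message fields and the function names are all assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Constructed shared secret; a real deployment would provision a random key
# per consumer and keep it in a secrets manager.
SHARED_KEY = b"constructed-demo-key-not-for-production"

def canonical(message: dict) -> bytes:
    """Serialize deterministically so both sides hash identical bytes."""
    return json.dumps(message, sort_keys=True, separators=(",", ":")).encode()

def consumer_send(message: dict, key: bytes = SHARED_KEY) -> dict:
    """Cloud consumer side: attach an HMAC-SHA256 tag to the message."""
    tag = hmac.new(key, canonical(message), hashlib.sha256).hexdigest()
    return {"message": message, "tag": tag}

def service_receive(envelope: dict, key: bytes = SHARED_KEY) -> bool:
    """Cloud service side: recompute the tag and compare in constant time."""
    expected = hmac.new(key, canonical(envelope["message"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope.get("tag", ""))

def tamper_in_transit(envelope: dict) -> dict:
    """Simulate an unauthorized party altering the data between the two ends."""
    altered = json.loads(json.dumps(envelope))  # deep copy of the envelope
    altered["message"]["amount"] = 9000
    return altered

if __name__ == "__main__":
    sent = consumer_send({"account": "A-100", "amount": 90})  # constructed data
    print("unaltered accepted:", service_receive(sent))
    print("altered accepted:  ", service_receive(tamper_in_transit(sent)))
    print("wrong key accepted:", service_receive(sent, key=b"other-key"))
```

The tag gives integrity only: the message body is still readable by anyone on the path, so confidentiality needs encryption in transit and at rest in addition.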
• Availability: “Ensuring timely and reliable access to and use of information.”
• In typical cloud environments, the availability of cloud services can be a responsibility that is shared by the cloud provider and the cloud carrier.
• Authentication: The means to establish a user’s identity, typically by presenting credentials such as a user name and password. Other means include biometric or certificate-based schemes.
• Auditing: This encompasses various activities that span the generation, collection and review of network, system, and application events to maintain a current view of security.
• A threat is a potential security violation that can challenge defenses in an attempt to breach privacy and/or cause harm.
• Both manual and automated threats are designed to exploit known weaknesses, also referred to as vulnerabilities.
• A threat that is carried out results in an attack.
• Threat agent: someone or something with some capacity, a clear intention to manifest a threat, and a record of past activities in this regard.
• Weakness: a type of mistake in software, in operations and in the infrastructure that, in the right conditions, could contribute to introducing vulnerabilities.
• This term applies to mistakes in software, regardless of whether they occur in implementation, design or other phases of the software development life cycle.
• Vulnerability: an occurrence of a weakness (or multiple weaknesses) within software, operations or infrastructure, in which the weakness can be used by a party to perform actions that were not specifically granted to the party who takes advantage of the weakness.
• Impact: the effect of an event, incident or occurrence. In cybersecurity, this means the effect of a loss of the confidentiality, integrity or availability of information on an organization’s operations, an organization’s assets, individuals, other organizations or national interests.
• Risk is the possibility of loss or harm arising from performing an activity.
• Risk is typically measured according to its threat level and the number of possible or known vulnerabilities.
• Two metrics that can be used to determine risk for an IT resource are:
  – the probability of a threat occurring to exploit vulnerabilities in the IT resource
  – the expectation of loss upon the IT resource being compromised
• Security Mechanisms: Countermeasures are typically described in terms of security mechanisms, which are components comprising a defensive framework that protects IT resources, information, and services.
• Security Policies: A security policy establishes a set of security rules and regulations. Often, security policies will further define how these rules and regulations are implemented and enforced.

Security as a Service

• An emerging trend is the offering of security as a service (SecaaS) to address a number of cloud security needs.
• The outsourcing of security according to SaaS principles is referred to as Security as a Service (SecaaS).
• It attempts to respond to the numerous security gaps that exist in diverse cloud implementations.
• Several security tools available in non-cloud environments could be offered, such as: IDS as a Service, Virus Protection as a Service, Logging as a Service, Identity Management as a Service, Cryptography as a Service…
• Cloud customers who choose to use SecaaS options may have access to a diverse set of services which can address their security issues:
  – Multiple Services – In the cloud, an organization could select from multiple SecaaS solutions that meet the same objectives.
  – On-Demand Costs – Security offerings might be better suited for on-demand needs, as it offers the advantage of no permanent investments.
  – Focus – SecaaS providers might be more focused, as they would offer a more specialized profile of services.
  – Readiness – Automated failover capabilities and high SLA (service level agreement) assurance might be offered by SecaaS.

Cloud Security Reference Model

• A Reference Architecture (RA) “should” provide a blueprint or template architecture that can be reused by others wishing to adopt a similar solution.
• A Reference Model (RM) should explain the concepts and relationships that underlie the RA.

Cloud Computing Conceptual Reference Model

Figure (NIST Special Publication 500-292): the conceptual reference model annotated with security components for each actor.
• Cloud Consumer: Secure Functional Layers; Secure Service Layers (SaaS, PaaS, IaaS)
• Cloud Provider: Secure Service Orchestration (Secure Deployment & Service Layers: SaaS, PaaS, IaaS; Secure Resource Abstraction and Control Layer; Secure Physical Resource Layer: Hardware, Facility); Secure Cloud Service Management (Secure Business Support; Secure Provisioning/Configuration; Secure Portability/Interoperability)
• Cloud Broker: Secure Service Layers; Secure Service Intermediation; Secure Service Aggregation; Secure Service Arbitrage
• Cloud Auditor: Secure Auditing Environment (Security Audit; Privacy Impact Audit; Performance Audit)
• Cloud Carrier: Secure Transport Support
• Also labelled: Secure Cloud Ecosystem Orchestration

• Cloud Consumer
  – Secure Cloud Consumption Management
  – Secure Configuration
  – Secure Portability and Interoperability
  – Secure Business Support
  – Secure Organizational Support

Conclusion

• Several efforts are underway to standardize cloud security, including:
  – the Cloud Security Alliance (CSA),
  – European Network and Information Security Agency (ENISA),
  – Cloud Audit (A6),
  – Open Cloud Computing Interface (OCCI).
• These efforts provide requirements against which entities can evaluate security and privacy.
