Security Concerns in Cloud Computing

 Handling data by third party

 Cyber Attacks
 Insider Threats
 Government Intrusions
 Legal Liability
 Lack of Standardization
 Lack of Support
 Constant Risk

Cloud Supplier should build upon following rules for providing

better safety

 Where is Data
 Who has Access
 What are rigid needs
 Right to inspect
 Data Categorization
 Service Level Agreement (SLA)
 Training
 Long – term feasibility
 Effects of Safety Break
 Catastrophe Recovery / Corporation Permanence Strategy

Threats to Infrastructure, Data and Access Control

 Denial of Service
 Man in the Middle Attack
 Network Sniffing
 Port Scanning
 SQL Injection
 Cross Site Scripting

Cloud Information Security Objectives

 Reliability
 Secrecy, Veracity and Accessibility
 Intellectual Property Rights
 Encryption
 Accessibility

The following sections discuss how cloud computing corporations

should maintain safety, secrecy, integrity and accessibility of data

 Confidentiality
 Cloud Computing Environment and Accessibility
 Organizational Security and Privacy Requirements
 Client – side Computing Environment Requirement
 Cloud Security Services
 Integrity
Cloud Security Design Principles and Tools

 Qualys
 White Hat Security
 Okta
 Proofpoint
 Zscaler
 DocTrackr
 Vaultive
 Major Security Design Principles
 Least Privilege
 Separation of Duties
 Defence in Depth
 Defence in Multiple Places
 Layered Defences
 Security Robustness
 Deploy KMI / PKI
 Deploy Intrusion Detection Systems
 Fail – Safe
 Economy of Mechanism
 Complete Mediation
 Leveraging Existing Components

Cloud Security Services

 Authentication
 Authorization
 Auditing
o An IT evaluator audits following functions –
 System and Transaction Controls
 System’s Development Standards
 Backup Controls
 Data Library Procedures
 Data Centre Security
 Contingency Plans
 Accounting

Need for Cloud Testing

 To guarantee the importance of cloud based applications installed in

a cloud, with their operational services, business procedures and
system working with scalability based on array of application –
based system necessities in a cloud
 To legalize SaaS in a cloud system, with software scalability,
functioning, measurement and safety based on some financial
scales and pre – defined SLAs
 To verify the offered mechanical cloud – based operational services,
for instance, auto – provisioned operations
  To examine inter – operation ability and cloud compatibility among
SaaS applications in a cloud infrastructure

Secure Cloud Software Testing

 Stress Testing
 Load and Performance Testing
 Functional Testing
 Latency Testing
 Browser Performance Testing
 Compatibility Testing

Importance of Cloud Testing

 It reduces cost by controlling the computing resources that clouds

require. Virtualized resources are efficiently employed and cloud
infrastructure shared to eliminate the need of specific computer
resources and certified software in a test laboratory
 It takes the benefit of on – command test services (by a third party)
to accomplish large – scale and effectual synchronized online
collaboration for Internet – based software on clouds
 It easily influences scalable cloud system infrastructure for testing
and evaluating system scalability and functioning

Forms of Cloud Based Software Testing

 Testing SaaS on Clouds

 Testing of Clouds
 Testing inside Clouds
 Testing over Clouds
 TaaS process management
 QoS necessities management
 Test environment service
 Test solution services
 Test simulation services
 On – order test service
 Trailing and Scrutiny service
 TaaS pricing and billing

Internet – Based Software Testing V/S Cloud Testing

Internet – Based S/W Cloud – Based Software

Testing Testing
Testing Guarantees the importance Guarantees the importance
Objectives of system operations and of operations and
functioning based on functioning of applications,
certain stipulations clouds and SaaS by
controlling a Cloud System
Testing as a Internal interior software Concurrent on – order
Service testing as a engineering testing service proposed by
assignments a third – party
Testing and Offline test implementation On – order test
 Execution in a test lab; it also test implementation by third
Time goods prior to distribution parties. Online test
implementation in a public
cloud and offline test
implementation in a personal
cloud
Test Replicated online user Online or virtual user access
Simulation access and online traffic replication and traffic data
data replication
Function Validating element Cloud service or SaaS
Validation operations and service operations across application
characteristics operations
Security  Operation – based  Cloud / SaaS safety
Testing security aspects aspects, comprising
 User secrecy scrutiny and
 Server / Consumer measurement
Access Safety  User secrecy in
 Procedure Access different web
Safety consumers
 Message or Data  Laterally application
Reliability safety over clouds
 SaaS / Cloud API and
connectivity
 Security Testing with
virtual / real – time
tests in a vendor’s
cloud

Cloud Testing Environments

 Cloud / SaaS – oriented Testing

 Online – based Application Testing on Clouds
 Cloud – based Application Testing over Clouds

Secure Cloud Requirements

Internal – It is important to ensure that the software are absolute,

accurate and steady with the associated design necessities. The study must
tackle following:

 Security Constraints
 The Software’s non – functional properties
 The Software’s positive functional requirements

External – It is important to decide the following:

 The software guarantee necessities tackle the authorized rigid and

necessary strategy matters
 The non – operational safety necessities symbolize an appropriate
putrefaction of system’s safety targets
  Software guarantee necessities never clash with system’s safety
targets
 The software is flexible

Basic properties are:

 Specific
 Attainable
 Realizable
 Traceable
 Appropriate
 Reasonable

Non – Operational Necessities

Reliability Software must be consistent in case it works according

to the needs of user and restrains work appropriately
where required
Performance Software functioning must be accurate and spontaneous
Security Software must be secure, keeping in mind that the
user’s secure data must not be disclosed to unauthorized
users
Accuracy The software should give the correct outcome under
different circumstances
Cost The software should be realistic so that all users may
utilize it regularly
Maintainability Alterations in software are also simply diverted by the
software according to needs of user

Secure Development Practices

Public Data

Sensitive Data

Private Data

Confidential Data

Handling Data

Code Practices

Language Options

Physical Security of Systems

(1). To ensure server accessibility, following items should be

offered:-

 An uninterruptible power supply (UPS)

 Fire security to lessen the tools and personal loss
  Sufficient airing and cooling
 Sufficient workplace and lightning for supporting and advancement
of system
 Confined physical access to server

(2). To sustain individuality of active users, outer links should

integrate the following controls to defend IT resources:-

 At least, every outer link should integrate a firewall and employ a

safe gateway to permit in – house users to unite to outer networks.
In case the user accesses is derived from an external confined
network, the user should be recognized and authenticated at the
entry way. The in – house Domain Name Systems (DNSs) must be
concealed
 Utilize outer substantiation databases
 Dial – up modems must not be connected to computers which are
associated with the in – house network
 Endorse outer links before use. Outer links must be sporadically
evaluated by an autonomous association

(3). Any software shares three safety requirements which are as

follows:-

 It should be reliable under predictable working circumstances and

remain reliable even under unapproachable working circumstances
 It should be reliable in its personal deeds and in its incapability to
be negotiated by an attacker via utilization of susceptibility or
insertion of malicious policy
 Cloud software planning associated to operational safety and
protected assets are discovered in the perspective of clod software
requirements. Protected necessities for safety – related cloud
software functions normally classify what the software has to
achieve to work on a job steadily

Cloud Architectural Considerations

 Micro Architecture
 Pipelining
 Superscalar Processor
 Very – Long Instruction Word (VLIW) Processor
 Multiprogramming
 Multitasking
 Multiprocessing
 Multithreading
 Simultaneous Multithreading (SMT)
VM Security Recommendations

(1). Deploy antivirus software – As virus security software process

safety different from spyware. It is advised to utilize Windows Defender
on Windows Virtual Machines for extra protection. Defender is used along
with Windows.

(2). Select strong passwords – Weak passwords may be deduced,

hence providing somebody else access to system and files. Generate
passwords which are not less than 8 characters in length, including
numbers, lowercase and uppercase letters and symbols.

(3). Maintain Operating Systems efficiently – It is vital to maintain

host and virtual operating systems.

(4). Sustain replicas for every machine for security concerns – If

any guest is more vulnerable than other guests or host, it might get
access to a reunion of the rest of system.

(5). Regulate host access – Access to host should be regulated.

VM Security Techniques

 Employ strong passwords like extended, difficult – to – deduce

password with symbols, numbers and letters. Modify these
frequently.

 Stop unnecessary programs or services, particularly networked

services.

 Complete substantiation for access control is a must.

 The host must be personally firewalled.

 Repeatedly patch and renewal the host.

Some of the safety measures –

 Restraining physical access to the host

 Employing encrypted communications

 Immobilizing background tasks

 Updating and patching

 Retaining backup
Challenges to Cloud Security

 Internal Clouds Intrinsically Insecure

 Lack of Risk Awareness and Security Visibility

 Confidential Information Requiring Safer Storage

 Insecure Applications

 More Vigorous Authorization and Authentication

Physical Security of Systems

Cloud customers have no control over their personal data. Cloud customers
essentially lose control over physical security when they move to the cloud,
since genuine servers can be placed wherever the providers choose to
place them. As physical cloud infrastructure supports various cloud
customers collectively, its safety is essential to both its customers and
CSPs. CSP seeks to provide better services to clients but procedures,
policies and processes are significant elements for successful physical
security which can protect the device and information assembled in hosting
centre. Server security issues consist of identifying details of server
applications such as following:-

 Determining whether the server will be used for general purposes or

a specific application

 Analysing the network services offered on the server

 Analysing users and groups of users to whom access rights are given
on server

Risk Issues

 Identifying sensitive and critical assets

 Identification of potential risks

 Classification of risks into severity levels

 Association of potential risks with critical assets

Input Validation and Content Injection

User input that cannot be trusted must be verified and validated at all the
ends. User inputs are checked at various levels to prevent loss of data and
to maintain integrity. Content injection occurs when the cloud server takes
input from the user and applies the content of that input into commands or
SQL statements. Essentially, the user’s input is injected into a command
that is executed by server. Content injection can occur when the server
does not maintain clear distinction and separation between data input and
commands executed.

Database Integrity Issues

 Prevention of alteration of data by unofficial users

 Prevention of unintended or unofficial alteration of data by authorized

users

 Preservation of both internal and external consistency –

o Internal Consistency – Ensure that internal data is

consistent
o External Consistency – Ensure that data stored in database
is reliable. External reliability means that the item number
recorded in database for every section is equivalent to the item
number which actually subsists in that section

Regularity Issues

 Servers and Application Access

 Virtual Machine Security

 Transmission of Data

 Network Safety

 Data Safety

 Data Confidentiality

 Data Reliability

 Data Setting

 Data Accessibility
  Data Segregation
 Patch Management

 Security Policy and Conformity

Common Threats and Vulnerabilities

 Eavesdropping
o Passive Eavesdropping
o Active Eavesdropping

 Fraud

 Theft

 Sabotage

 External Attack

LOGON ABUSE

Logon mistreatment refers to users accessing services of a superior

security level that is actually not permitted to them. In distinct network
imposition, this sort of abuse principally focuses on those users who might
be genuine users of a diverse system or users having a lower security
categorization. It is also possible for intruders to pretend to be another
user. E.g. an attacker socially engineering passwords from an Internet
Service Provider (ISP).
Network Intrusion

It is a substantial challenge to secure the virtual network as virtual

switches may hardly be noticeable to system administrators, who mostly
implement safety at the network level. Since the virtual network traffic
might by no means leave the server, it is not possible for security
administrator to observe VM – to – VM traffic or intercept it, and therefore,
be able to understand what that traffic is being routed towards. Therefore,
logging of VM – to – VM network movement in a single server and
confirmation of virtual machines access for rigid reasons is a little difficult.
It is also difficult to rectify or watch the misuse of virtual network
resources and bandwidth consumption in VM – to – VM.

Therefore, for managing and observing VM – to – VM traffic, a firewall

service is needed. Virtual firewall (VF) offers a firewall service that
completely works on hypervisor. The regular packet of supervising and
filtering of VM – to – VM traffic is supplied by VF. The procedure of
discovering actions that can negotiate reliability, accessibility, secrecy of a
resource is known as Intrusion Detection (ID). The following are three key
types of technologies which are currently in use for ID:-

 Server – Based IDS – The activity log encompassing system calls,

application logs, file systems modifications etc. is studied. It works
well for supervised systems and might analyse applications running
on computer.

 Network – Based IDS – The network traffic and communicating

nodes are studied. It might manage the network traffic for identifying
DoS attacks, vulnerabilities, port scans etc. This type of IDS inhabits
the network and therefore, is relatively inaccessible from malicious
applications. Therefore, it is moderately less vulnerable to attacks.
However, it poorly studies managed systems and looks at malevolent
application activities running on these systems. Lest the network
traffic is encrypted, there is no effective means for the network –
based IDS to decrypt the traffic for analysis.

 Integrated IDS – It uses a server – based network and techniques

amalgamation. It studies network traffic along with system activity
logs. Firewalls manage the access between networks for preventing
problems, contrary to which IDS finds many opportunities to get into
a network. The only applicable means to make sure that these
possibilities must be clogged after an assault is to restore the
working system from the initial medium, smear the scraps and
restore every information and application. Piggybacking in the
network area means that hackers gain illicit access to a system via
authentic connection of the consumer in a condition such as when a
user logs off improperly or leaves a session open, allowing an illicit
user to resume the session.

Fragmentation Attack

IP fragmentation attacks generally use different IP datagram divisions as

TCP filtering devices are excessively proficient to conceal TCP packets. The
following are two examples of this type of attack:-

 A little portion is passed on by the hacker that crashes several TCP

header fields into a second portion. If the filtering devices of the
target do not execute the least section size, this illegal packet might
be conveyed via the target network.

 Subsequent packets overwrite the target address information of the

real packet and later the target filtering device approves the second
packet. This might happen if the target filtering device does not
 execute the smallest portion to counteract along with non – zero
counteracts.

Cloud Access Control Issues

 XML Signature Element Wrapping – For web services, XML

signature element wrapping is the most popular assail. It is used for
guarding the element name, feature and value from illegal parties
but is unable to protect the place in recognition. The intruder directly
trails to damage the system. The invader aims at the constituent by
working the SOAP messages and place something. This assail,
sometimes, uses a 3rd party certified digital certificate. We can use
certificate agencies and a combination of XML signature with Web
Services Security (WSS) to a specific constituent.

 Browser Security – Browser Security is the second matter. When a

consumer sends a request to the server through a web browser, the
web browser requires utilization of the SSL (Secure Socket Layer) to
encrypt the credentials to legalize the consumer. SSL’s point – to –
point support indicates if a 3rd party is present. Later, the host might
decrypt the data. Hackers conceal themselves and use a new
individuality. In case intruders mount packages on an intermediary
host, the intruders may get the consumer’s documents and use them
for authorization in cloud system. Therefore, dealers must use WSS
perception on web browsers as WSS performs all the message –
level, using XML encryption for constant encryption of SOAP
messages that do not have to be decrypted at negotiator hosts.

 Cloud Malware Injection Attack – Another issue is that of cloud

malware injection attacks which attempt to harm virtual machine,
malevolent service or applications. Malevolent software or codes are
used to access cloud setting. Once the malevolent software is
introduced into the cloud environment, the intruder considers the
malevolent software to be an authentic request. It is not easy to
determine what the authentic data is. If an affluent consumer
enquires about a malevolent service, only then are malicious users
detected. Hackers upload the virus program into cloud arrangement.
Once the cloud arrangements are activated from an authentic
service, the entry of virus is accomplished and the cloud setting is
affected. The consumer requests the malevolent program to check on
the cloud. In case of a virus infected cloud, it is disseminated to all
consumers. A virus infects the consumer’s device. Therefore,
authenticity of received messages must constantly be checked. The
original image or request file should be stored by using jumble
functions and it must be equated with the jumble value of all
impending service requests. Authentic jumble values are produced by
hacker for dealing with cloud systems.
 Flooding Attacks – The 4th issue is Flooding Attack. Since cloud
systems constantly expand in size whenever the requests from
customers increase, new service requests are initialized by the cloud
systems to retain the requirements of a customer. Flooding attack
refers to disbanding a huge sum of trash requests for certain
services. As soon as the intruder chucks an enormous amount of
requests by proposing more resources, the cloud system will try to
execute, flanking to the requests and ultimately the system
consumes all the resources and becomes incompetent to distribute
services to customary requests from consumers.

 Data Protection – The most essential factor in cloud computing is

data protection. It must be hard for the cloud’s consumers to
competently guarantee the behaviour of the cloud supplier and be
sure that information is administered in a certified way.

 Incomplete Data Deletion – In cloud computing, incomplete data

deletion is a hazard, since imitations are produced at numerous
places in a server. Deletion of correct data is unfeasible as copies of
data are saved as an imitation but are unavailable. Thus, virtualized
private networks must be used to make the data safe and use
inquiries which will eliminate the whole data from the main servers
together with its imitations.

 Lock – In – In case a consumer wishes to move from one cloud

supplier to another, or back to a home IT setting, the charge of
access control in the cloud should be equivalent with the value of the
confined information. Appropriate access controls facilitate complete
accessibility. Accessibility guarantees that certified consumers of the
system have continuous and timely access to the information in the
system. Consistency and utility are the aims of additional access
control. Access control must offer security from unanticipated,
unintentional or illicit change of data. With this security, the external
and internal consistency of data might be conserved. Data privacy
must be evenly maintained and data accessibility given on a timely
basis. These features cover the consistency, accessibility,
components and privacy of safety of data system. Accountability
features enable the activities of a system to be customized to suit
individuals.