3. CLOUD SECURITY, ALSO KNOWN AS CLOUD COMPUTING SECURITY, IS A
COLLECTION OF SECURITY MEASURES DESIGNED TO PROTECT CLOUD-BASED
INFRASTRUCTURE, APPLICATIONS, AND DATA. THESE MEASURES ENSURE
USER AND DEVICE AUTHENTICATION, DATA AND RESOURCE ACCESS
CONTROL, AND DATA PRIVACY PROTECTION.
CLOUD SECURITY SERVICES
6. AUTHENTICATION CAN BE DEFINED AS DETERMINING
AN IDENTITY TO THE REQUIRED LEVEL OF
ASSURANCE.
AUTHENTICATION IS THE FIRST STEP IN ANY
CRYPTOGRAPHIC SOLUTION
- BECAUSE UNLESS WE KNOW WHO IS
COMMUNICATING, THERE IS NO POINT IN ENCRYPTING
WHAT IS BEING COMMUNICATED.
AUTHENTICATION
7. AUTHENTICATION IS ANY PROCESS BY WHICH A
SYSTEM VERIFIES THE IDENTITY OF A USER WHO
WISHES TO ACCESS IT.
AUTHENTICATION MAY BE IMPLEMENTED USING
CREDENTIALS, EACH OF WHICH IS COMPOSED OF A
USER ID AND A PASSWORD. ALTERNATIVELY,
AUTHENTICATION MAY BE IMPLEMENTED WITH A
SMART CARD, AN AUTHENTICATION SERVER OR
EVEN A PUBLIC KEY INFRASTRUCTURE.
AUTHENTICATION
8. MANY WAYS TO PROVE WHO YOU ARE:
WHAT YOU KNOW
-- PASSWORD / SECRET KEY
WHERE YOU ARE
-- IP ADDRESS (INTERNET PROTOCOL)
WHAT YOU ARE
-- BIOMETRICS, AN AUTHENTICATION METHOD THAT IDENTIFIES
AND RECOGNIZES PEOPLE.
AUTHENTICATION
10. PASSWORD
A PASSWORD IS A STRING OF LETTERS, NUMBERS
AND SPECIAL CHARACTERS WHICH IS SUPPOSED TO BE
KNOWN ONLY TO THE ENTITY THAT IS BEING
AUTHENTICATED.
AUTHENTICATION
11. GIVEN WHO YOU ARE, WHAT CAN YOU DO?
HOW DO WE CONTROL PRIVILEGE?
AUTHORIZATION
12. THE PROCESS OF GIVING THE USER PERMISSION TO
ACCESS A SPECIFIC RESOURCE OR FUNCTION.
AUTHORIZATION
13. ACCESS CONTROL TYPES
ROLE BASED ACCESS CONTROL (RBAC)
CONTEXT BASED ACCESS CONTROL (CBAC)
CONTEXT AWARE ACCESS CONTROL (CAAC)
AUTHORIZATION
14. ROLE BASED ACCESS CONTROL (RBAC)
SANDHU ET AL. FORMALIZED RBAC IN 1996.
USER U ACTING IN ROLE R IS GRANTED PERMISSION P.
ADVANTAGES: GREATLY IMPROVED EFFICIENCY
DISADVANTAGES: CANNOT SPECIFY FINE-GRAINED RULES
AUTHORIZATION
15. CONTEXT BASED ACCESS CONTROL (CBAC)
WHAT IS CONTEXT?
THE CIRCUMSTANCES IN WHICH AN EVENT OCCURS.
EXAMPLES OF CONTEXT ATTRIBUTES:
SUBJECT: NAME, AGE, ID, LOCATION
OBJECT: TYPE, OWNER
SYSTEM: TIME, DATE, CPU SPEED
AUTHORIZATION
16. CONTEXT BASED ACCESS CONTROL (CBAC)
ADVANTAGE:
ACCESS CONTROL IS CONTEXT-AWARE.
DISADVANTAGE:
THIS IS STILL A STATIC MODEL.
AUTHORIZATION
17. CONTEXT AWARE ACCESS CONTROL (CAAC)
DYNAMIC SPECIFICATION AND ENFORCEMENT OF
ARBITRARY ACCESS RULES.
SEPARATION OF THE OBJECT FROM THE MAIN BUSINESS
LOGIC OF THE TARGET APPLICATION.
AUTHORIZATION
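The three authorization slides above can be put together in one small policy decision point: a static RBAC table in the Sandhu et al. style (user U in role R is granted permission P), context rules over the subject, object and system attributes the CBAC slide lists, and an audit record written for every decision. This is an added example, not code from the slides; the users, roles, resources and rules are hypothetical.

```python
from dataclasses import dataclass, asdict

# Static RBAC model (hypothetical): user -> roles, role -> set of (resource, action).
USER_ROLES = {"alice": {"analyst"}, "bob": {"admin"}}
ROLE_PERMS = {
    "analyst": {("report", "read")},
    "admin": {("report", "read"), ("report", "write")},
}


@dataclass(frozen=True)
class Request:
    user: str        # subject attribute
    location: str    # subject attribute: "corp" or "remote"
    hour: int        # system attribute: hour of day, 0-23
    resource: str    # object name
    owner: str       # object attribute: who owns the resource
    action: str      # "read" or "write"


AUDIT_LOG = []       # every decision is appended here: the audit trail


def rbac_allows(req):
    """Pure RBAC: is (resource, action) granted to any of the user's roles?"""
    roles = USER_ROLES.get(req.user, set())
    return any((req.resource, req.action) in ROLE_PERMS.get(r, set()) for r in roles)


def context_allows(req):
    """Context rules evaluated at request time (the dynamic part of CAAC)."""
    if req.action == "write" and req.location != "corp":
        return False                 # writes only from the corporate network
    if not 8 <= req.hour < 18 and req.user != req.owner:
        return False                 # outside office hours only the owner may access
    return True


def authorize(req):
    """Policy decision point: RBAC and context must both allow; log the outcome."""
    role_ok = rbac_allows(req)
    ctx_ok = context_allows(req)
    decision = role_ok and ctx_ok
    AUDIT_LOG.append({**asdict(req), "role_ok": role_ok,
                      "context_ok": ctx_ok, "allowed": decision})
    return decision


def denied_events():
    """Monitoring view: the audit records of requests that were refused."""
    return [e for e in AUDIT_LOG if not e["allowed"]]
```

A role grant alone is never enough: the admin's write from a remote location is refused by the context rule, and the refusal, with which check failed, is what the audit trail keeps.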
18. Auditing is essentially the action of making sure someone
complies with a rule or follows safety procedures...
AUDITING
19. WHY DO WE NEED A CLOUD COMPUTING AUDIT?
The primary goal of a Cloud Audit Checklist is to assure
that all data requests, access, processing and storage are
properly documented for regulatory compliance.
A secondary goal of this Cloud Audit Checklist is to
establish a process which will allow an auditor to
document compliance with the security standards
required by law or regulation.
AUDITING
20. TYPES OF AUDIT
SYSTEM AUDIT
A SYSTEM AUDIT IS A ONE-TIME OR
PERIODIC EVENT TO EVALUATE SECURITY.
MONITORING
MONITORING IS AN ONGOING
ACTIVITY THAT EXAMINES EITHER THE
SYSTEM OR THE USERS.
AUDITING
21. CLOUD AUDITOR
∆ A cloud auditor is a third party who examines
controls of cloud computing service providers.
∆ A cloud auditor performs an audit to verify compliance
with the standards and expresses an opinion through
a report.
AUDITING
22. INFORMATION TECHNOLOGY AUDITORS TYPICALLY
AUDIT THE FOLLOWING FUNCTIONS:
SYSTEM CONTROLS
SYSTEM DEVELOPMENT STANDARDS
BACKUP CONTROL
DATA DISPLAY PROCEDURES
DATA CENTER SECURITY
CONTINGENCY PLANS
AUDITING
23. ACCOUNTABILITY IS ALL ABOUT DEVELOPING A
HOLISTIC APPROACH TO ACHIEVING TRUST AND
SECURITY IN THE CLOUD, ENCOMPASSING
LEGAL
REGULATORY
TECHNICAL MECHANISMS
ACCOUNTABILITY
25. RESPONSIBILITY
YOU ARE RESPONSIBLE FOR PROTECTING THE SECURITY OF YOUR
DATA AND IDENTITIES, ON-PREMISES RESOURCES, AND THE
CLOUD COMPONENTS YOU CONTROL (WHICH VARIES BY SERVICE
TYPE).
ACCOUNTABILITY
26. REMEDIATION
The ability to detail the origin of policy violations in order to
provide appropriate responses.
The ability to suggest response actions to ease the process for
customers responding to the event.
ACCOUNTABILITY
27. ASSURANCE
THE CONTROLS WITHIN CLOUD ASSURANCE ARE
BUILT TO HELP BUILD STRONGER VALUE IN YOUR
BUSINESS SYSTEMS.
ACCOUNTABILITY
28. WITH THE HELP OF CLOUD SECURITY, YOU CAN CENTRALIZE THE
COMPANY'S SECURITY INFRASTRUCTURE FOR ENHANCED
PROTECTION.
TIME TO SAY GOODBYE TO HARDWARE.
MINIMIZED CAPITAL EXPENDITURE, HELPING YOU MANAGE
FINANCES.
LIMITS THE STAFF LOAD AND ADMINISTRATIVE OVERHEADS.
NO NEED FOR MANUAL SECURITY CONFIGURATIONS.
IT IS SCALABLE: YOU CAN ADD FEATURES AND OFFER ACCESS
TO AS MANY USERS AS YOU WANT WITHOUT COMPROMISING
YOUR SECURITY.
WHY DO WE NEED CLOUD SECURITY?
29. CLOUD SERVICES ARE ACCESSIBLE FROM TEAMS AND DEVICES OUTSIDE
THE CORPORATE NETWORK THAT ARE NOT SUPERVISED BY IT, WHICH
UNDERMINES CONTINUOUS AND EXTENSIVE MONITORING. THIS
LOOPHOLE CAN LEAD TO CYBER-ATTACKS OR INFORMATION LEAKS.
AN EMPLOYEE WITH ACCESS TO THE CLOUD CAN GO ROGUE,
EXPOSING OR EXPLOITING THE ORGANIZATION WHILE ITS DATA SITS
WITH A THIRD-PARTY CLOUD SERVICE PROVIDER.
HUMAN ERRORS CAN CAUSE MISCONFIGURATION OF USER ACCESS
CONTROLS.
THE CHIEF RISK OF USING THE CLOUD IS THAT THERE IS NO
PERIMETER: CLOUD ENVIRONMENTS ARE HIGHLY CONNECTED, AND
AN ACCOUNT HIJACK CAN GET YOU INTO SERIOUS
TROUBLE.
CLOUD SECURITY CHALLENGES