class: title-slide .row[ .col-7[ .title[ # Cloud Computing ] .subtitle[ ## Cloud Computing ] .author[ ### Laxmikant Soni <br> [Web-Site](https://laxmikants.github.io) <br> [<i class="fab fa-github"></i>](https://github.com/laxmiaknts) [<i class="fab fa-twitter"></i>](https://twitter.com/laxmikantsoni09) ] .affiliation[ ] ] .col-5[ ] ] --- class: very-large-body # SECURITY CONCEPTS .pull-top[ * **Incident:** An event that compromises the confidentiality, integrity, or availability of an information system. * Example: Data breach, malware infection, system outage. * **Vulnerability:** A weakness in a system or application that can be exploited by a threat. * Example: Unpatched software, weak password, misconfiguration. * **Threat:** A potential danger that could exploit a vulnerability. * Example: Malicious actor, natural disaster, software bug. * **Exploit:** A technique used to take advantage of a vulnerability. * Example: SQL injection, buffer overflow. * **Malware:** Malicious software designed to harm or disrupt systems. * Example: Viruses, worms, ransomware, trojans. * **Security Policy:** A set of rules and guidelines that define an organization's security posture. * Example: Password policy, access control policy, incident response policy. ] --- class: very-large-body # SECURITY CONCEPTS .pull-top[ * **Confidentiality:** Ensuring that information is accessible only to authorized individuals. * Preventing unauthorized disclosure. * Example: Encryption, access controls. * **Integrity:** Maintaining the accuracy and completeness of data. * Preventing unauthorized modification or corruption. * Example: Hashing, digital signatures. * **Availability:** Ensuring that authorized users have reliable and timely access to resources. * Preventing disruptions to services. * Example: Redundancy, backups, DDoS protection. ] --- class: very-large-body # SECURITY CONCEPTS .pull-top[ * **Authentication:** Verifying the identity of a user or system. * "Who are you?" * Example: Passwords, biometrics, multi-factor authentication. * **Authorization:** Determining what actions a user or system is allowed to perform. * "What are you allowed to do?" * Example: Access control lists (ACLs), role-based access control (RBAC). * **Non-repudiation:** Ensuring that a party cannot deny their actions. * Providing proof of origin and integrity. * Example: Digital signatures, audit logs. ] --- class: very-large-body # Security in Cloud Cloud security refers to the set of policies, technologies, and controls used to protect data, applications, and infrastructure in cloud environments. It ensures data confidentiality, integrity, and availability while preventing unauthorized access and cyber threats. Security in the cloud is a shared responsibility between cloud providers and users. Cloud providers implement infrastructure security, while users are responsible for securing their data, configurations, and access controls. Cloud security is crucial as cloud environments are accessed over the internet, making them vulnerable to cyber threats like data breaches, denial-of-service (DoS) attacks, and unauthorized access. .pull-top[ ## Example: Think of cloud security like securing a rented apartment. The building owner (cloud provider) ensures the structure, locks, and security systems are in place, but it's up to the tenant (cloud user) to lock their doors, set up alarms, and control who enters. Similarly, cloud providers secure the infrastructure, while users must manage their access permissions, encrypt sensitive data, and configure security settings properly to ensure maximum protection. ] --- class: very-large-body # Security in Cloud .pull-top[ **Cloud Security** refers to a set of policies, controls, and technologies designed to protect data, applications, and infrastructure in cloud environments. ### Key Aspects: - **Data Protection:** Encryption, access controls, and backup strategies to secure stored and transmitted data. - **Identity & Access Management (IAM):** Ensures only authorized users can access cloud resources. - **Network Security:** Firewalls, intrusion detection, and VPNs to protect cloud networks. - **Compliance & Regulations:** Adherence to standards like GDPR, HIPAA, and ISO 27001 for data privacy. - **Threat Management:** Continuous monitoring, AI-driven threat detection, and incident response mechanisms. ] --- class: very-large-body # Security Model in Cloud .pull-top[ **Security models in cloud** computing refer to frameworks or approaches used to ensure the confidentiality, integrity, and availability (CIA) of data, applications, and services hosted in the cloud. These models guide how security controls are applied and how responsibilities are shared between cloud providers and users. | **Model** | **Description** | |-----------------------------------------------|--------------------------------------------------------------------------------------------------------------------| | Shared Responsibility Model | Outlines who is responsible for what in terms of security. | | Zero Trust Security Model | Never trust, always verify — every request must be authenticated, authorized, and encrypted. | | Identity and Access Management (IAM) Model | Ensures the right people (or machines) have the right access at the right time. | | Encryption-Based Security Model | Data is encrypted at rest, in transit, and sometimes during processing. | | Multitenancy Security Model | Ensures isolation between different users/tenants sharing the same cloud resources. | | Compliance and Governance Model | Ensures cloud setups meet regulatory and industry standards (e.g., GDPR, HIPAA, ISO 27001). | | Cloud Security Alliance Model | The Cloud Security Alliance is a non-profit organization that promotes best practices for securing cloud computing environments. | ] --- class: very-large-body # Cloud Security Responsibilities by Component .pull-top[ <div class="figure"> <img src="https://clouds.geant.org/wp-content/uploads/2018/11/sharedresp-fig1.png" alt="image." width="60%" /> <p class="caption">image.</p> </div> ] --- class: very-large-body # Shared Responsibility Model .pull-top[ **Definition:** Outlines who is responsible for what in terms of security. **Example:** - **In IaaS** (e.g., AWS EC2): Provider secures the infrastructure, while the customer secures the OS, applications, and data. - **In PaaS**: Provider secures the platform; customer handles the apps and data. - **In SaaS**: Provider secures everything except customer data and access control. **Why it's important:** Prevents confusion and helps both parties secure their layers properly. ] --- class: very-large-body # Zero Trust Security Model .pull-top[ ### 🔐 Zero Trust Security Model **Definition:** "Never trust, always verify" — assumes every access request could be a threat and requires continuous verification. **Example:** A user accessing internal apps must authenticate even within the company network using MFA (Multi-Factor Authentication) and device verification. **Why it's important:** Reduces the attack surface by minimizing implicit trust, which is critical in cloud environments with distributed access. ] --- class: very-large-body # Identity and Access Management (IAM) Model .pull-top[ ### 🔐 Identity and Access Management (IAM) Model **Definition:** Ensures the right individuals and machines have access to the right resources at the right time for the right reasons. **Example:** An admin configures IAM roles on AWS to restrict access to sensitive storage buckets based on user roles. **Why it's important:** Improper access controls are a major cause of cloud breaches — IAM strengthens access governance and accountability. ] --- class: very-large-body # Encryption-Based Security Model .pull-top[ ### 🔐 Encryption-Based Security Model **Definition:** Data is encrypted during its lifecycle — at rest, in transit, and sometimes during processing. **Example:** Using TLS for data in transit and AES-256 encryption for data stored in cloud databases like AWS RDS or Azure SQL. **Why it's important:** Protects sensitive data from unauthorized access and is often required for compliance with regulations like GDPR or HIPAA. ] --- class: very-large-body # Multitenancy Security Model .pull-top[ ### 🔐 Multitenancy Security Model **Definition:** Ensures that multiple customers (tenants) sharing cloud infrastructure remain logically and physically isolated. **Example:** Each tenant’s data and virtual machines are isolated from others in a SaaS CRM platform like Salesforce. **Why it's important:** Prevents data leakage or breaches across tenants, ensuring privacy and integrity in shared cloud environments. ] --- class: very-large-body # Cloud Security Alliance (CSA) Model .pull-top[ **Definition:** The Cloud Security Alliance provides frameworks and best practices (e.g., CSA CCM, CAIQ) for secure cloud adoption. **Example:** An organization uses the **CSA Cloud Controls Matrix (CCM)** to assess and improve its cloud security posture. **Why it's important:** Standardizes cloud security evaluation and promotes transparent communication between cloud providers and customers. ] --- class: very-large-body # Cloud Security Alliance Model .pull-top[ <div class="figure"> <img src="https://www.tutorialride.com/images/cloud-computing/csa-stack.jpeg" alt="image." width="60%" /> <p class="caption">image.</p> </div> ] --- class: very-large-body # CSA Stack Model .pull-top[ **Definition:** The CSA Stack Model outlines the security responsibilities of cloud service providers and customers across different cloud service models (IaaS, PaaS, SaaS). **Example:** - **IaaS**: Provider secures infrastructure; customer secures OS, apps, and data. - **PaaS**: Provider secures the platform; customer secures applications and data. - **SaaS**: Provider secures the full stack; customer is responsible for user access and data security. **Why it's important:** Clarifies security responsibilities, prevents gaps in protection, and helps organizations choose appropriate cloud security strategies. ] --- class: very-large-body # Cloud Security Challenges (CSC) .pull-top[ **Definition:** Cloud security challenges refer to the potential threats, vulnerabilities, and risks organizations face while using cloud services. Cloud security consists of set of policies, controls, procedures, technologies **Examples of Key Challenges:** - **Data Breaches:** Unauthorized access to sensitive data stored in the cloud. - **Misconfiguration:** Incorrect setup of cloud services leading to exposure. - **Insecure APIs:** Poorly designed or unsecured APIs can be exploited by attackers. - **Lack of Visibility:** Limited insight into cloud infrastructure, user activity, or data movement. - **Insider Threats:** Malicious or negligent insiders posing security risks. - **Shared Technology Vulnerabilities:** Risks from multi-tenancy and shared resources. - **Compliance Issues:** Difficulty in meeting regulatory standards like GDPR, HIPAA, etc. **Why it's important:** Understanding these challenges helps in implementing proactive security measures, selecting secure providers, and maintaining compliance. ] --- class: very-large-body # Data Breaches (CSC) .pull-top[ **Definition:** A data breach is an incident where unauthorized individuals gain access to sensitive, confidential, or protected data stored in the cloud. **Causes:** - Weak or stolen credentials - Misconfigured cloud storage (e.g., open S3 buckets) - Vulnerable applications or APIs - Lack of encryption and access control **Example:** An attacker exploits a misconfigured database hosted on a cloud platform and downloads customer personal and financial information. ] --- class: very-large-body # Data Breaches (CSC) .pull-top[ **Definition:** A data breach is an incident where unauthorized individuals gain access to sensitive, confidential, or protected data stored in the cloud. **Impact:** - Identity theft and financial fraud - Loss of customer trust and brand reputation - Legal consequences and non-compliance penalties (e.g., under GDPR, HIPAA) **Prevention:** - Implement strong authentication and authorization controls - Regularly audit and monitor cloud configurations - Use data encryption (in transit and at rest) - Apply least privilege access principles ] --- class: very-large-body # Misconfiguration (CSC) .pull-top[ **Definition:** Misconfiguration refers to incorrect, incomplete, or insecure setup of cloud services or resources that can unintentionally expose systems or data to external threats. **Causes:** - Default security settings left unchanged - Publicly accessible storage (e.g., open S3 buckets) - Overly permissive IAM roles or access policies - Absence of configuration reviews or monitoring **Example:** A company deploys a cloud-based storage service without restricting public access, making confidential documents accessible to anyone with the link. ] --- class: very-large-body # Misconfiguration (CSC) .pull-top[ **Definition:** Misconfiguration refers to incorrect, incomplete, or insecure setup of cloud services or resources that can unintentionally expose systems or data to external threats. **Impact:** - Accidental data exposure or leakage - Increased vulnerability to attacks and unauthorized access - Regulatory non-compliance and financial penalties - Damage to organizational reputation **Prevention:** - Follow cloud provider security best practices - Conduct regular configuration audits and vulnerability assessments - Use automated security tools to detect misconfigurations - Enforce the principle of least privilege in access management ] --- class: very-large-body # Insecure APIs (CSC) .pull-top[ **Definition:** Insecure APIs (Application Programming Interfaces) are poorly designed or improperly secured interfaces that allow unauthorized access, data leakage, or manipulation of cloud services. **Causes:** - Lack of authentication or weak authentication mechanisms - Inadequate input validation - Exposure of sensitive data in API responses - Improper error handling and logging **Example:** An API endpoint that exposes user account information without requiring authentication, allowing attackers to retrieve data by simply sending HTTP requests. ] --- class: very-large-body # Insecure APIs (CSC) .pull-top[ **Definition:** Insecure APIs (Application Programming Interfaces) are poorly designed or improperly secured interfaces that allow unauthorized access, data leakage, or manipulation of cloud services. **Impact:** - Unauthorized access to data and services - Data breaches and service disruptions - Exploitation of business logic flaws - Damage to trust and brand reputation **Prevention:** - Enforce strong authentication and authorization for all APIs - Use input validation and output encoding - Limit data exposure in API responses - Perform regular API security testing (e.g., penetration testing, fuzzing) ] --- class: very-large-body # Lack of Visibility (CSC) .pull-top[ **Definition:** Lack of visibility in cloud environments refers to the limited ability to monitor, track, and understand user activity, data movement, and system behavior within cloud infrastructure. **Causes:** - Decentralized and dynamic cloud resources - Limited logging or monitoring by default - Use of multiple cloud providers (multi-cloud) - Insufficient access to cloud service provider logs **Example:** An organization fails to detect unauthorized data transfers because activity logs are not enabled or integrated with a centralized monitoring system. ] --- class: very-large-body # Lack of Visibility (CSC) .pull-top[ **Definition:** Lack of visibility in cloud environments refers to the limited ability to monitor, track, and understand user activity, data movement, and system behavior within cloud infrastructure. **Impact:** - Delayed detection of threats and incidents - Inability to enforce security policies or perform audits - Compliance challenges and reporting issues - Increased risk of data loss or misuse **Prevention:** - Enable and centralize logging and monitoring across cloud services - Use Security Information and Event Management (SIEM) tools - Implement continuous compliance monitoring - Establish clear visibility and accountability for all users and assets ] --- class: very-large-body # Insider Threats (CSC) .pull-top[ **Definition:** Insider threats refer to security risks posed by individuals within the organization—such as employees, contractors, or business partners—who have authorized access to cloud systems and misuse it, either intentionally or unintentionally. **Causes:** - Disgruntled or malicious employees - Human error or negligence - Excessive access permissions - Lack of user activity monitoring **Example:** A former employee who still has access to the company’s cloud storage downloads confidential documents and shares them with competitors. ] --- class: very-large-body # Insider Threats (CSC) .pull-top[ **Definition:** Insider threats refer to security risks posed by individuals within the organization—such as employees, contractors, or business partners—who have authorized access to cloud systems and misuse it, either intentionally or unintentionally. **Impact:** - Data theft or sabotage - Loss of sensitive information - Legal issues and regulatory violations - Reputational and financial damage **Prevention:** - Enforce role-based access control (RBAC) and least privilege - Monitor user activity with behavior analytics tools - Conduct regular audits and revoke access for former employees - Provide security awareness training to all staff ] --- class: very-large-body # Shared Technology Vulnerabilities (CSC) .pull-top[ **Definition:** Shared technology vulnerabilities refer to security risks that arise from the underlying infrastructure, platforms, or services shared among multiple tenants in a cloud environment. **Causes:** - Insecure hypervisors or container platforms - Flaws in virtualization or isolation mechanisms - Inadequate separation between tenants in multi-tenant architecture - Exploitable bugs in shared services or libraries **Example:** An attacker exploits a vulnerability in the hypervisor to escape their virtual machine and access data or services of other customers hosted on the same physical server. ] --- class: very-large-body # Shared Technology Vulnerabilities (CSC) .pull-top[ **Definition:** Shared technology vulnerabilities refer to security risks that arise from the underlying infrastructure, platforms, or services shared among multiple tenants in a cloud environment. **Impact:** - Cross-tenant attacks and data breaches - Compromise of shared resources and workloads - Erosion of trust in cloud isolation and security - Challenges in detecting and mitigating threats at the infrastructure level **Prevention:** - Use trusted cloud providers with robust isolation mechanisms - Apply patches and updates to hypervisors and container platforms regularly - Conduct regular security assessments of shared components - Isolate sensitive workloads in dedicated environments when possible ] --- class: very-large-body # SaaS Security .pull-top[ **Definition:** SaaS (Software as a Service) security involves protecting cloud-hosted applications and the data they process, typically provided by third-party vendors over the internet. **Example:** A company using Google Workspace or Microsoft 365 must ensure user access is secure and sensitive data is protected — even though the application itself is managed by the provider. **Key Security Considerations:** - **Data Security:** Encrypt sensitive data at rest and in transit. - **Access Control:** Implement strong Identity and Access Management (IAM) policies (e.g., SSO, MFA). - **Compliance:** Ensure the provider meets standards like ISO 27001, SOC 2, or GDPR. - **Vendor Risk Management:** Evaluate the provider’s security practices and certifications. - **User Behavior Monitoring:** Detect anomalies or misuse via logs and threat detection tools. **Why it's important:** Even though the provider manages the application, customers are still responsible for protecting data, managing access, and ensuring regulatory compliance. ] ---