Unit-4

CLOUD SECURITY AND DISASTER RECOVERY: Cloud Security:

Data, Network and host security, Cloud security services and
cloud security possible solutions. Cloud Disaster Recovery:
Disaster recovery planning, Disasters in the cloud, Disaster
management, Capacity planning and cloud scale.
Cloud Security: Data
• When it comes to cloud data protection methods, no particularly new technique is
required. Protecting data in the cloud can be similar to protecting data within a
traditional data center.
Cloud Security: Data
• What is Cloud security?
Cloud Security: Data
• What is Cloud security?
Cloud Security: Data
Cloud Security: Data
• What is Cloud security?
Public, Private or Hybrid?
Is Cloud Security really a concern?
How Secure should you make your application ?
How Secure should you make your application ?
How Secure should you make your application ?
Use Case
Use Case
Use Case
Cloud Security
Cloud Security
Cloud Security
Cloud Security
Cloud Security:Data
Cloud Security:AWS-Monitoring Data
Cloud Security:AWS-Monitoring Data
Cloud Security:AWS-Monitoring Data
Cloud Security:AWS
Cloud Security:AWS-Gaining Visibility
Cloud Security:AWS-Gaining Visibility
Cloud Security:AWS-Manging Access
Cloud Security:AWS-Managing Access
Cloud Security:AWS
Cloud Security:AWS
Cloud Data Security: Sensitive Data Categorization

• Authentication and identity, access control, encryption, secure deletion,

integrity checking, and data masking are all data protection methods that have
applicability in cloud computing.
• This section will briefly review these methods and will note anything that is
particularly unique to when these are deployed in a cloud.
Authentication and Identity:
• Maintaining confidentiality, integrity, and availability for data security is a
function of the correct application and configuration of familiar network, system,
and application security mechanisms at various levels in the cloud infrastructure.
• Authentication of users and even of communicating systems is performed by
various means, but underlying each of these is cryptography.
Cloud Data Security: Sensitive Data Categorization

• Authentication of users takes several forms, but all are based on a combination
of authentication factors : something an individual knows (such as a password),
something they possess (such as a security token), or some measurable quality
that is intrinsic to them (such as a fingerprint).
• Single factor authentication is based on only one authentication factor. Stronger
authentication requires additional factors; for instance, two factor authentication
is based on two authentication factors (such as a pin and a fingerprint).
• Cloud Data Security: Sensitive Data Categorization 137 of users is kept in flat files
that are used to verify identity and passwords, but this scheme does not scale to
more than a very few systems.
• Access control mechanisms are a key means by which we maintain a complex IT
environment that reliably supports separation and integrity of different levels or
categories of information belonging to multiple parties.
Cloud Data Security: Sensitive Data Categorization
we discuss access controls, we refer to:
• Subjects which are people or processes acting on their behalf
• Objects such as files or other resources (a directory, device, or service of some
sort)
Access controls are generally described as either discretionary or non-discretionary,
and the most common access control models are:
• Discretionary Access Control (DAC) In a system, every object has an owner. With
DAC, access control is determined by the owner of the object who decides who
will have access and what privileges they will have. Permission management in
DAC can be very difficult to maintain; furthermore, DAC does not scale well
beyond small sets of users.
Cloud Data Security: Sensitive Data Categorization
• Role Based Access Control (RBAC) Access policy is determined by the system.
Where with MAC access is based on subject trust or clearance , with RBAC access
is based on the role of the subject. A subject can access an object or execute a
function only if their set of permissions—or role—allows it.
• Mandatory Access Control (MAC) Access policy is determined by the system and
is implemented by sensitivity labels, which are assigned to each subject and
object. A subject's label specifies its level of trust, and an object's label specifies
the level of trust that is required to access it. If a subject is to gain access to an
object, the subject label must dominate—be at least as high as—the object label.
• Finally, although these three access models vary in fundamental ways DAC
generally includes a set of ownership representations (in UNIX: User, Group and
Other), a set of permissions (again, in UNIX: Read, Write, Execute), and an access
control list (ACL),
Cloud Data Security: Sensitive Data Categorization

Figure 1.Depicts this point by contrasting MAC with discretionary access controls (DAC) and
role-based access controls (RBAC).
Cloud Data Security: Sensitive Data Categorization
• Encryption is a key component to protect data at rest in the cloud. Employing appropriate
strength encryption is important.
There are multiple ways of encrypting data at rest.
• Full Disk Encryption of data at the disk level—the operating system, the applications in it,
and the data the applications use are all encrypted simply by existing on a disk that is
encrypted. This is a brute-force approach to encrypt data since everything is encrypted, but
this also entails performance and reliability concerns.
• If encryption is not done at the drive hardware level, then it can be very taxing on a system
in terms of performance. Another consideration is that even minor disk corruption can be
fatal as the OS, applications, and data.
• Directory Level (or Filesystem) In this use of encryption, entire data directories are
encrypted or decrypted as a container . Access to files requires use of encryption keys. This
approach can also be used to segregate data of identical sensitivity or categorization into
directories that are individually encrypted with different keys.
Cloud Data Security: Sensitive Data Categorization
• File Level Rather than encrypting an entire hard drive or even a directory, it can
be more efficient to encrypt individual files.
• Application Level The application manages encryption and decryption of
application-managed data.
Network and host security
• Host and network security is important in IT operations, including when migrating mission-
critical applications to the cloud.
• Customers are logically separated with Virtual Routing and Forwarding (VRF) and Virtual
LANs (VLANs).
• To access the cloud, it offers public networking, private networking, or a combination of
both.
• Customers can utilize as many dedicated VLANs and IP address ranges as desired. Firewall
rules can be defined on a VM-by-VM basis that Virtu stream applies at the hypervisor
level.
• There is a great deal of granular control over how traffic gets routed within a virtual private
cloud.
• These options include perimeter firewall, host and network intrusion detection
systems (IDS), host-level anti-virus/anti-malware, vulnerability scanning, file integrity
monitoring, and first-response remediation services
Network and host security
• Cloud security services:
• Identity and Access Management: should provide controls for assured identities and
access management. Identity and access management includes people, processes and
systems that are used to manage access to enterprise resources by assuring the identity of an
entity is verified and is granted the correct level of access based on this assured identity.
• Audit logs of activity such as successful and failed authentication and access attempts
should be kept by the application/solution.
• Data Loss Prevention: is the monitoring, protecting and verifying the security of data at
rest, in motion and in use in the cloud and on-premises. Data loss prevention services offer
protection of data usually by running as some sort of client on desktops/servers and running
rules around what can be done.
• Within the cloud, data loss prevention services could be offered as something that is
provided as part of the build, such that all servers built for that client get the data loss
prevention software installed with an agreed set of rules deployed.
Cloud security services:

• Web Security: is real-time protection offered either on-premise through software/appliance

installation or via the cloud by proxying or redirecting web traffic to the cloud provider.
This provides an added layer of protection on top of things like AV to prevent malware from
entering the enterprise via activities such as web browsing.
• Policy rules around the types of web access and the times this is acceptable also can be
enforced via these web security technologies.
• E-mail Security: should provide control over inbound and outbound e-mail, thereby
protecting the organization from phishing and malicious attachments, enforcing corporate
policies such as acceptable use and spam and providing business continuity options.
• The solution should allow for policy-based encryption of e-mails as well as integrating with
various e-mail server offerings.
• Digital signatures enabling identification and non-repudiation are features of many cloud e-
mail security solutions.
Cloud security services:
• Security Assessments: are third-party audits of cloud services or assessments of on-
premises systems based on industry standards. Traditional security assessments for
infrastructure and applications and compliance audits are well defined and supported by
multiple standards such as NIST, ISO and CIS. A relatively mature toolset exists, and a
number of tools have been implemented using the SaaS delivery model.
• In the SaaS delivery model, subscribers get the typical benefits of this cloud computing
variant elasticity, negligible setup time, low administration overhead and pay-per-use with
low initial investments.
• Intrusion Management: is the process of using pattern recognition to detect and react to
statistically unusual events. This may include reconfiguring system components in real time
to stop/prevent an intrusion.
• The methods of intrusion detection, prevention and response in physical environments are
mature; however, the growth of virtualization and massive multi-tenancy is creating new
targets for intrusion and raises many questions about the implementation of the same
protection in cloud environments
Cloud security services:
• Security Information and Event Management systems accept log and event information.
This information is then correlated and analyzed to provide real-time reporting and alerting
on incidents/events that may require intervention.
• The logs are likely to be kept in a manner that prevents tampering to enable their use as
evidence in any investigations.
• Encryption systems typically consist of algorithms that are computationally difficult or
infeasible to break, along with the processes and procedures to manage encryption and
decryption, hashing, digital signatures, certificate generation and renewal and key exchange.
• Business Continuity and Disaster Recovery are the measures designed and implemented
to ensure operational resiliency in the event of any service interruptions.
• Business continuity and disaster recovery provides flexible and reliable failover for
required services in the event of any service interruptions, including those caused by natural
or man-made disasters or disruptions.
• Cloud-centric business continuity and disaster recovery makes use of the cloud's flexibility
to minimize cost and maximize benefits.
Cloud security services:
• Network Security consists of security services that allocate access, distribute, monitor and protect the
underlying resource services. Architecturally, network security provides services that address security
controls at the network in aggregate or specifically addressed at the individual network of each
underlying resource.
• In a cloud/virtual environment, network security is likely to be provided by virtual devices alongside
traditional physical devices.
DR patterns:
• DR patterns are considered to be cold, warm, or hot. These patterns indicate how readily the system can
recover when something goes wrong. An analogy might be what you would do if you were driving and
punctured a car tire.
• How you deal with a flat tire depends on how prepared you are:
• Cold: You have no spare tire, so you must call someone to come to you with a new tire and replace it.
Your trip stops until help arrives to make the repair.
• Warm: You have a spare tire and a replacement kit, so you can get back on the road using what you
have in your car. However, you must stop your journey to repair the problem.
• Hot: You have run-flat tires. You might need to slow down a little, but there is no immediate impact on
your journey. Your tires run well enough that you can continue (although you must eventually address
the issue).
Cloud Security Possible Solutions:

• It doesn’t matter whether you’re a startup or an established company, if you’re connected to

the internet then you’re prone to cyber attacks. Hence, it is important to be vigilant and
protect your network from hackers.
• One way is to employ Cloud-based security solutions as they are always accessible. These
solutions offer to help secure your website in the following ways:
1. Cloud-based security has better tracking and monitoring of attacks than non-cloud based
security solutions. They provide real-time firewall and signature updates blocking harmful
traffic.
2.Provides 24*7 security and live monitoring of the website by encryption and tech support.
3.Apart from the application and network scanning Cloud-based security solutions also boost
the performance of your website speed by enabling CDN.
Now, that we’ve seen the benefits of cloud based security, let’s see the top 5 cloud security
solutions.
Cloud Security Possible Solutions:
1.Sophos:
• Established in the year 1985, Sophos is a Security Company that provides cloud solutions
like encryption, firewall, mobile and web security, etc. Its cloud based console is known as
Sophos Central.
Features that Sophos offers:
• Sophos Central provides runtime protection against attacks like ransomware,
preventing external DLLs to load, mitigating exploits in the web, java applications, plugins etc.
• • Provides security solutions like web, email, wireless, mobiles, encryption, web
servers etc.
2.SiteLock:
• Established in the year 2008, SiteLock secures over 12+ million websites all across the
globe. It is a cloud based security solution that protects websites from malware and other
cyber threats.
Cloud Security Possible Solutions:
Features that SiteLock offers:
• SiteLock offers website protection by scanning vulnerabilities, detecting and eliminating
malware, backdoors, and against attacks like DDoS, SQLi & XSS.
• It also offers static & dynamic caching, global CDN (Content Delivery Network) and load
balancing thereby, accelerating and improving website performance.
3.Proofpoint
• Established in the year 2002, Proofpoint is another leading cloud based security solution
providing protection against various cybersecurity threats. It is a security and compliance
company offering cloud based encryption support and solution.
• Features that Proofpoint offers:
• Proofpoint offers SaaS, email, social, attacks from email attachments and mobile solution
from targeted cyber threats.
• It protects sensitive business data through cloud email security, providing solutions to small
business and digital brands.
Cloud Security Possible Solutions:
4.Qualys:
• Established in the year 1999, Qualys is another secure cloud solutions provider that offers
security to your web and device apps, compliance and related services. It enables data
protection by identifying compromised assets and securing them.
• Features that Qualys offers:
• Qualys offers end-to-end solutions like Cloud Infrastructure Security, Web App security,
compliance, Endpoint security, DevSecOps etc keeping your teams in sync with each other.
• Offers security and reliability across public and private clouds, Vulnerability Management,
Threat Protection, File Integrity Monitoring, etc.
5.CipherCloud:
• Established in the year 2010, CipherCloud is another popular cloud based security company
across the three cloud models – IaaS, PaaS and SaaS. It helps in protecting your data by
monitoring and analyzing it.
Cloud Security Possible Solutions:
Features that CipherCloud offers:
• CipherCloud offers services across various sectors like government, telecommunication,
pharmaceutical firms etc. It protects popular cloud applications like Google Drive,
OneDrive, Dropbox, Office 365 etc.
• Some of the services CipherCloud offers are preventing data loss, cloud encryption
gateway, cloud computing and related security, tokenization etc.
Conclusion:
• The following 5 were my picks for the top cloud based security solutions. Different Cloud
security solutions have different features and pricing. When choosing a security solution,
figure out your needs and then choose the one that is best for you. Take care that the
solution you choose provides you adequate support and monitoring.
• Also, if you’re a new startup who is yet to figure out which cloud security solution to invest
in, one basic protection can be choosing the right cloud hosting. As right hosting can go a
long way in providing you additional security from hackers
Cloud Disaster Recovery:
Basics of Disaster Recovery planning
• DR is a subset of business continuity planning. DR planning begins with a business impact
analysis that defines two key metrics:
• A recovery time objective (RTO), which is the maximum acceptable length of time that
your application can be offline. This value is usually defined as part of a larger service level
agreement (SLA).
• A recovery point objective (RPO), which is the maximum acceptable length of time
during which data might be lost from your application due to a major incident. This metric
varies based on the ways that the data is used. For example, user data that's frequently
modified could have an RPO of just a few minutes. In contrast, less critical, infrequently
modified data could have an RPO of several hours. (This metric describes only the length of
time; it doesn't address the amount or quality of the data that's lost.)
• Typically, the smaller your RTO and RPO values are (that is, the faster your application
must recover from an interruption), the more your application will cost to run. The
following graph shows the ratio of cost to RTO/RPO.
Cloud Disaster Recovery:
Recovery Point and Recovery Time Objective
Cloud Disaster Recovery:
Recovery Point and Recovery Time Objective
Cloud Disaster Recovery:
Disaster
Cloud Disaster Recovery:
Disaster Recovery Time
 Cloud Disaster Recovery:
Why Google Cloud?
• Google Cloud can greatly reduce the costs that are associated with both RTO and RPO when
compared to fulfilling RTO and RPO requirements on premises. For example, traditional DR
planning requires you to account for a number of requirements, including the following:

1. Capacity: Securing enough resources to scale as needed.

2. Security: Providing physical security to protect assets.

3. Network infrastructure: Including software components such as firewalls and load balancers.

4. Support: making available skilled technicians to perform maintenance and to address issues.

5. Bandwidth: planning suitable bandwidth for peak load.

6. Facilities: ensuring physical infrastructure, including equipment and power.

Backup & Recovery Plan of AWS
Cloud Disaster Recovery:
Disaster Recovery Time
 Cloud Disaster Recovery:
• Backup and restore. This simple and low cost DR approach backs up your data and
applications from anywhere to the AWS cloud for use during recovery from a disaster.
Unlike conventional backup methods, data is not backed up to tape.
• Amazon Elastic Compute Cloud (Amazon EC2) computing instances are only used as
needed for testing. With Amazon Simple Storage Service (Amazon S3), storage costs are
as low as $0.015/GB stored for infrequent access.
• Pilot light. The idea of the pilot light is an analogy that comes from gas heating. In that
scenario, a small flame that’s always on can quickly ignite the entire furnace to heat up a
house.
• In this DR approach, you simply replicate part of your IT structure for a limited set of core
services so that the AWS cloud environment seamlessly takes over in the event of a
disaster.
• A small part of your infrastructure is always running simultaneously syncing mutable data
(as databases or documents), while other parts of your infrastructure are switched off and
used only during testing.
 Cloud Disaster Recovery:
• Unlike a backup and recovery approach, you must ensure that your most critical core
elements are already configured and running in AWS (the pilot light). When the time
comes for recovery, you can rapidly provision a full-scale production environment around
the critical core.
• Warm standby. The term warm standby is used to describe a DR scenario in which a
scaled-down version of a fully functional environment is always running in the cloud. A
warm standby solution extends the pilot light elements and preparation. It further decreases
the recovery time because some services are always running. By identifying your business-
critical systems, you can fully duplicate these systems on AWS and have them always on.
• Multi-site. A multi-site solution runs on AWS as well as on your existing on-site
infrastructure in an active- active configuration. The data replication method that you
employ will be determined by the recovery point that you choose, either Recovery Time
Objective (the maximum allowable downtime before degraded operations are restored) or
Recovery Point Objective (the maximum allowable time window whereby you will accept
the loss of transactions during the DR process).
PilotLight
Disaster fired for a webpage
Failover Recovery from Disaster
Failover Recovery from Disaster
 Disaster Recovery Plan of Google Cloud
• Google Cloud's focus on administrative simplicity means that the costs of managing a
complex application are reduced as well.
Google Cloud offers several features that are relevant to DR planning, including the
following:
• A global network. Google has one of the largest and most advanced computer networks
in the world. The Google backbone network uses advanced software-defined networking
and edge-caching services to deliver fast, consistent, and scalable performance.
• Redundancy. Multiple points of presence (PoPs) across the globe mean strong
redundancy. Your data is mirrored automatically across storage devices in multiple
locations.
• Scalability. Google Cloud is designed to scale like other Google products (for example,
search and Gmail), even when you experience a huge traffic spike. Managed services
such as App Engine, Compute Engine autoscalers, and Datastore give you automatic
scaling that enables your application to grow and shrink as needed.
Disaster Recovery Plan of Google Cloud
• Compliance. Google undergoes regular independent third-party audits to verify that
Google Cloud is in alignment with security, privacy, and compliance regulations and best
practices. Google Cloud complies with certifications such as ISO 27001, SOC 2/3, and PCI
DSS 3.0.
• Disasters in the cloud:
Assuming unlimited budget and capabilities, Cloud focus on three key things in disaster
recovery planning:
•Backups and data retention
•Geographic redundancy
•Organizational redundancy.
Disaster management:When companies fail at cloud disaster management, it’s often
because they fail at imagination. Either they assume disasters are too unpredictable to
prepare for, or else they assume everything will go as planned — no matter what befalls
them
 Capacity planning in Cloud
Capacity planning:
• For available resources, capacity planning seeks a heavy demand. It determines whether
the systems are working properly, used to measure their performance, determine the
usage of patterns and predict future demand of cloud-capacity.
• Capacity planning & system optimization are two both different concepts, and you mustn't
mix them as one.
'performance' deals with the rate at which a task get performed.
• Determine the distinctiveness of the present system.
• Determine the working load for different resources in the system such as CPU, RAM,
network, etc.
• Load the system until it gets overloaded; & state what's requiring to uphold acceptable
performance.
• Predict the future based on older statistical reports & other factors.
• Deploy resources to meet the predictions & calculations.
 Scale in the Cloud
• When you move scaling into the cloud, you experience an enormous amount of
flexibility that saves both money and time for a business. When your demand
booms, it’s easy to scale up to accommodate the new load.
• As things level out again, you can scale down accordingly. This is so significant
because cloud computing uses a pay-as-you-go model.
• The benefits of the scalable cloud are clear. You can support business growth
without making expensive or timely changes to your current setup.
• With a managed cloud provider, it’s quick and easy to get the resources you need
as you need them, and you’re not bound by the size of your server closet.
• The cloud provider will ensure that overloading is never a concern, as their team
will manage the servers within the data center. When you grow, the cloud will
grow.
 Scale in the Cloud
Diagonal Scaling:
• So what happens if you combine the two scaling methods? Well, you get diagonal
scaling, which allows you to experience the most efficient infrastructure scaling.
• When you combine vertical and horizontal, you simply grow within your existing
server until you hit the capacity.
• Then, you can clone that server as necessary and continue the process, allowing
you to deal with a lot of requests and traffic concurrently.