Cloud Computing (Unit 4)
Cloud Management
Cloud computing management is the maintenance and control of cloud services and resources, whether public,
private or hybrid. Its aspects include load balancing, performance, storage, backups,
capacity, deployment and so on. To carry it out, cloud management personnel need access to the full
functionality of the resources in the cloud, which is why that access itself has to be tightly controlled
and audited. Different software products and technologies are combined to
provide a cohesive cloud management strategy and process.
Need of Cloud Management
The cloud is now preferred by large organizations as their primary data store, so even a short downtime
or a single error can cause a great deal of loss and inconvenience. Designing, operating
and maintaining a cloud computing service is therefore assigned to specific staff, who make sure
things work as intended and that any issues that arise are addressed.
Cloud Management Platform :
A cloud management platform is a software solution that has a robust and extensive set of APIs that
allow it to pull data from every corner of the IT infrastructure. A CMP allows an IT organization to
establish a structured approach to security and IT governance that can be implemented across the
organization’s entire cloud environment.
Cloud Management Tasks :
The figure below represents the different cloud management tasks:
Auditing System Backups – Backups must be audited from time to time by restoring randomly
selected files belonging to different users and verifying that they come back intact. This may be
done by the organization or by the cloud provider.
Dr. Yusuf Perwej Page 1
Flow of data in the system – The managers are responsible for designing a data flow
diagram that shows how the data is supposed to flow throughout the organization.
Vendor Lock-In – The managers should know how to move their data from a server to
another in case the organization decides to switch providers.
Knowing provider’s security procedures – The managers should know the security plans of
the provider, especially Multitenant use, E-commerce processing, Employee screening and
Encryption policy.
Monitoring the Capacity, Planning and Scaling abilities – The manager should know if
their current cloud provider is going to meet their organization’s demand in the future and
also their scaling capabilities.
Monitoring audit log – Logs are audited by the managers on a regular basis in order to identify
errors in the system and unauthorized activity.
Solution Testing and Validation – The cloud services must be tested and their results verified so
that the delivered solution is free of errors.
InterCloud Resource Management
In cloud computing it is the cloud provider's duty to manage resources and their performance.
Examples of resource management in cloud computing are load balancing, performance, storage,
backups, capacity and deployment, and management is required in order to access the full
capabilities of cloud resources. Intercloud, or 'cloud of clouds', refers to a theoretical model for
cloud computing services in which many different individual clouds are combined into one seamless
whole for on-demand operations.
The intercloud would make sure that a cloud could use resources beyond its own reach by taking
advantage of pre-existing contracts with other cloud providers. No single cloud has infinite physical
resources or a ubiquitous geographic footprint. A cloud whose computational and storage resources
are saturated would still be able to satisfy the service allocation requests sent by its clients by
drawing on other clouds.
A single cloud cannot always fulfil the requests or provide the required services. In that case two
or more clouds have to communicate with each other, or an intermediary comes into play and
federates the resources of two or more clouds. In inter-cloud, the intermediary is known as a
"cloud broker" or simply "broker". A broker is the entity that introduces the cloud service
customer (CSC) to the cloud service provider (CSP).
• Inter-Cloud Resource Management Consists of
Extended Cloud Computing Services
Resource Provisioning and Platform Management
Virtual Machine Creation and Management
Global Exchange of Cloud Resources
Six layers of cloud services
1. Software as a Service (SaaS)
2. Platform as a Service (PaaS)
3. Infrastructure as a Service (IaaS)
4. Hardware / Virtualization Cloud Services (HaaS)
5. Network Cloud Services (NaaS)
6. Collocation Cloud Services (LaaS)
The top layer offers SaaS, which provides the cloud application.
PaaS sits on top of the IaaS infrastructure.
The bottom three layers are more related to physical requirements.
The bottommost layer provides Hardware as a Service (HaaS).
NaaS is used for interconnecting all the hardware components.
Location as a Service (LaaS) provides the collocation service that houses and secures all the
physical hardware and network resources. This service is also called Security as a Service.
The cloud infrastructure layer can be further subdivided as:
Data as a Service (DaaS)
Communication as a Service (CaaS)
Infrastructure as a Service (IaaS)
Cloud players are divided into three classes:
Cloud service providers and IT administrators
Software developers or vendors
End users or business users.
InterCloud
The term "cloud computing management" refers to the process of maintaining and regulating
cloud services and resources, whether they are public, private, or hybrid. To do so, cloud
management professionals must have complete access to all cloud resource functionality. To
create a unified cloud management strategy and process, many software products and
technologies are merged.
In 2008, Cisco announced the notion of Intercloud as a research project; the concept was later
refined by the Institute of Electrical and Electronics Engineers (IEEE). Most Intercloud
solutions offer "pay-per-use" pricing, allowing clients to manage their expenses effectively.
Advantages: Portability and Migration. Moving data from one supplier to the next might
become as simple as "dragging and dropping", saving money, time and human resources.
Private cloud infrastructure is administered by the company or by a third party for a single
enterprise.
Public cloud services are supplied through an open network that is accessible to the whole
public. In this model, a private corporation owns the IT Infrastructure, and members of the
public can buy or rent data storage or computer resources as needed.
Hybrid cloud setups are made up of a mix of public and private cloud services from various
vendors.
For privacy reasons, most businesses keep sensitive data on private cloud servers, while using
public cloud applications for less sensitive data at a reduced cost.
Types of Inter-Cloud
Federation Clouds: A federation cloud is an inter-cloud in which a set of cloud providers
willingly interconnect their cloud infrastructures in order to share resources among each
other. The cloud providers in the federation voluntarily collaborate to exchange resources.
This type of inter-cloud is suitable for collaboration between governmental clouds (clouds owned
and used by non-profit institutions or governments) or private cloud portfolios (where each cloud
is part of a portfolio of clouds belonging to the same organization). The types of
federation cloud are peer-to-peer and centralized.
Multi-Cloud: In a multi-cloud, a client or service uses multiple independent clouds. A multi-
cloud environment has no voluntary interconnection or sharing of the cloud service
providers' infrastructures; managing resource provisioning and scheduling is the
responsibility of the client or their representatives. This approach is used to utilize resources
from both governmental clouds and private cloud portfolios. The types of multi-cloud are
services and libraries.
Cloud Provisioning Benefits
Scalability: The traditional information technology (IT) provisioning model requires
organizations to make large investments in their on-premises infrastructure. That needs
extensive preparation and forecasting of infrastructure needs since on-premises infrastructures
are often set up to last for many years. The cloud provisioning model, meanwhile, lets
companies simply scale up and down their cloud resources depending on their short-term
usage requirements.
Speed: An organization's developers can quickly spin up workloads on demand, so
the company no longer needs IT administrators to provision and manage computing
resources for them.
Cost savings: While traditional on-premises technology requires large upfront investments,
many cloud service providers let their customers pay for only what they consume. But the
attractive economics of cloud services presents challenges, too, which may require
organizations to develop a cloud management strategy.
Challenges of cloud provisioning
Policy enforcement: A self-service provisioning model helps streamline how cloud
services are requested and managed by users, but it needs strict guidelines to ensure that
users do not provision resources they should not. Recognize that different user groups
need different levels of access and frequency: a development team may deploy several
updates a day, whereas line-of-business users use self-service provisioning only occasionally.
Set up rules that regulate who can provision, what types of services, for how long and with
what budgetary controls, including a chargeback mechanism.
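The provisioning rules just described can be enforced in code rather than left as guidance. The following is an added example, not part of the original notes: a gate that evaluates a self-service provisioning request against the requester's role, a bounded lease duration and a per-cost-centre budget, and emits the chargeback tags that would travel with the resource. The role table, budgets, service names, cost-centre identifiers and request fields are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Constructed role policy and budgets (assumptions). A real deployment would
# load these from a policy store instead of hard-coding them.
ROLE_POLICY = {
    "developer":        {"services": {"vm", "container", "function"}, "max_hours": 72},
    "line_of_business": {"services": {"saas_app"}, "max_hours": 24 * 30},
    "platform_admin":   {"services": {"vm", "container", "function", "database", "network"},
                         "max_hours": 24 * 90},
}
MONTHLY_BUDGET = {"cc-eng": 500.0, "cc-sales": 2000.0}

@dataclass
class ProvisionRequest:
    requester: str
    role: str
    service: str
    hours: int          # requested lease lifetime
    hourly_cost: float  # provider list price for the requested service
    cost_center: str

@dataclass
class Decision:
    allowed: bool
    reason: str
    chargeback: dict = field(default_factory=dict)

def evaluate(req, spent_this_month):
    """Gate a self-service request: the role may provision the service, the
    lease has a bounded lifetime, and the cost centre stays within budget.
    spent_this_month maps cost_center -> amount already charged."""
    policy = ROLE_POLICY.get(req.role)
    if policy is None:
        return Decision(False, f"unknown role {req.role!r}")
    if req.service not in policy["services"]:
        return Decision(False, f"role {req.role!r} may not provision {req.service!r}")
    if not 0 < req.hours <= policy["max_hours"]:
        return Decision(False, f"duration {req.hours}h outside limit of {policy['max_hours']}h")
    if req.cost_center not in MONTHLY_BUDGET:
        return Decision(False, f"unknown cost center {req.cost_center!r}; chargeback impossible")
    estimated = round(req.hours * req.hourly_cost, 2)
    projected = spent_this_month.get(req.cost_center, 0.0) + estimated
    if projected > MONTHLY_BUDGET[req.cost_center]:
        return Decision(False, f"projected spend {projected:.2f} exceeds budget "
                               f"{MONTHLY_BUDGET[req.cost_center]:.2f}")
    # Tags travel with the resource so the bill can be charged back and an
    # expired lease can be reclaimed automatically.
    tags = {"cost_center": req.cost_center, "owner": req.requester,
            "ttl_hours": req.hours, "estimated_cost": estimated}
    return Decision(True, "approved", tags)
```

Every denial carries a reason, which matters for the self-service experience: a user who is told "duration outside limit" resubmits a shorter lease instead of filing a ticket.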
Cost controls: Beyond provisioning policies, automated monitoring of consumption against
pricing thresholds is important. Be aware that these may not be real-time
warnings; in practice, an alert about an approaching budget overrun for a cloud service
may arrive hours or days after the fact.
Resource and service dependencies: Cloud applications and workloads tap into
the capabilities of basic cloud infrastructure, such as processing, networking and
storage. Beyond these, a major selling point of public cloud providers is their
higher-level ancillary services, such as serverless functions, machine learning
and big data capabilities. These services, however, can carry dependencies that may not
be apparent, which can lead to unintended overuse and cost surprises.
Complex management and monitoring: To optimize how they use cloud services,
companies may need to rely on multiple provisioning tools. Many companies deploy
workloads on more than one cloud platform, which makes it much more difficult to
provide a single console that displays everything.
Cloud Management Requirements
Large enterprises are increasingly turning to the cloud for their primary data storage. A minor
outage or error can result in significant financial loss and inconvenience for businesses.
Specific members are responsible for designing, managing, and maintaining a cloud
computing service, ensuring that everything runs well and that any difficulties that arise are
resolved.
Resource Management
Resource management is the process of allocating resources to a group of applications in order to
match the performance goals and needs of both the infrastructure providers and the cloud users.
The resources managed are:
1. Computing
2. Storage
3. Networking
4. Energy resources
Cloud Management Platform
A cloud management platform is a software solution with a powerful and wide set of APIs
that enables it to pull data from any part of the IT infrastructure. A CMP enables an IT
company to build a standardized approach to security and IT governance that can be applied
throughout the full cloud environment of the organization.
Cloud Management Tasks
Auditing System Backups - Backups must be checked on a regular basis by restoring randomly
selected files from various users and verifying that they are intact. This could be done by the
company or by the cloud service provider.
Data Flow of the System- The managers are in charge of creating a diagram that depicts a
thorough process flow. The transportation of data belonging to an organization throughout the
cloud solution is described in this process flow.
Vendor Lock-In - Managers should be able to transfer data from one server to another if the
company decides to change providers.
Knowing Provider’s Security Procedures - Managers should be aware of the provider's
security plans for the following services:
• Multitenant use
• E-commerce processing
• Employee screening
• Encryption policy
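Both "Auditing System Backups" entries above describe a restore drill. As an added example, not from the original notes, the following code samples files across users from a backup manifest, restores each one and compares its SHA-256 digest with the digest recorded at backup time, so that silent corruption or a missing object is reported rather than assumed away. The manifest, the file contents, the deliberately corrupted object and the restore_file() stand-in are constructed for the example; in practice the manifest comes from the backup job and the restore call goes to the provider's API.

```python
import hashlib
import random
from typing import Optional

# Constructed sample data: the files as they were when the backup was taken.
ORIGINAL_FILES = {
    "alice/report.docx": b"quarterly report, v3",
    "alice/notes.txt": b"meeting notes",
    "bob/ledger.csv": b"date,amount\n2024-01-01,100\n",
    "bob/photo.jpg": b"\xff\xd8\xff\xe0 fake jpeg bytes",
    "carol/design.pdf": b"%PDF-1.4 fake design doc",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Manifest written by the backup job: path -> digest at backup time.
BACKUP_MANIFEST = {path: sha256_hex(data) for path, data in ORIGINAL_FILES.items()}

# Simulated backup store. One object was silently altered after the backup ran,
# which is exactly the kind of fault a restore drill exists to catch.
_RESTORE_STORE = dict(ORIGINAL_FILES)
_RESTORE_STORE["bob/ledger.csv"] = b"date,amount\n2024-01-01,999\n"

def restore_file(path: str) -> Optional[bytes]:
    """Stand-in for the provider's restore call; None means the object is gone."""
    return _RESTORE_STORE.get(path)

def sample_across_users(manifest, per_user=1, rng=None):
    """Pick up to per_user files for every user (top-level directory), so the
    drill covers different users rather than one lucky directory."""
    rng = rng or random.Random()
    by_user = {}
    for path in manifest:
        by_user.setdefault(path.split("/", 1)[0], []).append(path)
    chosen = []
    for _user, paths in sorted(by_user.items()):
        chosen.extend(rng.sample(paths, min(per_user, len(paths))))
    return chosen

def audit_backup(manifest, restore, sample_paths):
    """Restore each sampled file and compare its digest with the manifest.
    Returns {path: "OK" | "CORRUPT" | "MISSING"}."""
    report = {}
    for path in sample_paths:
        data = restore(path)
        if data is None:
            report[path] = "MISSING"
        elif sha256_hex(data) != manifest[path]:
            report[path] = "CORRUPT"
        else:
            report[path] = "OK"
    return report

def run_audit(per_user=1, seed=42):
    """Run one drill; returns (all_ok, per-file report)."""
    sample = sample_across_users(BACKUP_MANIFEST, per_user, random.Random(seed))
    report = audit_backup(BACKUP_MANIFEST, restore_file, sample)
    return all(v == "OK" for v in report.values()), report
```

The digest has to be recorded at backup time, by the backup job, not computed from the backup store later: a digest taken from the store would happily "verify" a file that was already corrupted.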
Resource provisioning
Resource provisioning means the
• selection,
• deployment, and
• run-time management of software and hardware resources to ensure guaranteed performance for
applications.
Resource provisioning phases
• Reservation phase – reserve resources
• Expending phase – utilize the reserved resources
• On-demand phase – provision more resources as needed
Resource provisioning techniques are used to improve the following QoS parameters:
• Response time
• Minimizing cost
• Maximizing revenue
• Fault tolerance
• Reduced SLA violation
• Reduced power consumption
Resource Provisioning and Resource Provisioning Methods
In general, provisioning means making something available, or "providing". In information
technology jargon it means setting up an IT infrastructure, or more generally the
procedures for making data and resources available to systems and users. Provisioning can
refer to a variety of processes, which we look at below. The term
"provisioning" is often confused with "configuration", although both are steps in the
deployment process: provisioning comes first, and configuration follows once something has been
provisioned. Provisioning covers a variety of processes, which include:
Server Provisioning
User Provisioning
Network Provisioning
Device Provisioning
Internet Access Provisioning
1. Server provisioning: This is the process of giving a server in a network the resources
it needs to operate, which depends entirely on the job that particular server is doing, so
it is important to gather information about a server's intended use before provisioning.
Servers are categorized according to their uses; each category has unique
provisioning requirements, and the choice of the server itself is driven by the intended
use.
2. User Provisioning: User provisioning is the identity management function that controls the
authentication of users and the authorization of their privileges and rights in a business or
information technology infrastructure. It covers creating, modifying, disabling and deleting user
accounts and profiles. In a business this is important because it automates administrative
workforce activities such as on-boarding and off-boarding; off-boarding in particular must be
prompt, since accounts left active after an employee departs are a common source of unauthorized access.
3. Network Provisioning: Network provisioning is mainly concerned with setting up a
network in an information technology environment so that devices, servers, and authorized
users can gain access to it. Network provisioning is becoming more widespread in
corporations, and it focuses on limiting access to a system to only specified users. The
procedure begins when the network is first set up and users are granted access to specific
devices and servers. It is paramount that security and connectivity are given priority in this
provisioning so as to safeguard identity and device management.
4. Device Provisioning: This technology is mostly used when you’re deploying your IoT
network. In this, a device is configured, secured, customized, and certified, after which a user
is allocated these devices. This enables improved device management, flexibility, and device
sharing.
5. Internet-access Provisioning: This simply means granting internet access to individuals
and devices on a network. Although it may appear straightforward, there is more to it: it
requires the installation of firewalls, virus protection, cyber security tools and editing
software, among other things, and everything then needs to be configured correctly,
which can take some time. This is especially true for larger networks, which require
a higher level of protection.
Resource Provisioning Types
Depending on the requirements of the application, resource provisioning techniques can be
categorized into two types:
1. Static Resource Provisioning
If an application has expected and fixed demands, static provisioning can be used
effectively. The user states fixed requirements so that the service provider can
allocate them when the application starts.
2. Dynamic Resource Provisioning
If an application has unexpected and varying demands, dynamic provisioning is used,
whereby VMs may be added, removed or migrated on the fly. In this case the service provider
assigns extra VMs to users when needed and removes them when demand falls.
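To make the trade-off between the two types concrete, here is an added example (not part of the original notes) that runs a constructed hourly demand trace through a fixed pool and through a simple reactive autoscaler, and reports VM-hours, cost and the number of hours in which demand exceeded capacity, which is counted as an SLA violation. The demand values, per-VM capacity, hourly price and the scaling rule are assumptions made for the illustration.

```python
import math

# Constructed hourly demand trace (requests per hour) with a mid-day spike.
DEMAND = [40, 45, 50, 60, 120, 180, 200, 150, 90, 60, 50, 40]
CAPACITY_PER_VM = 50      # requests per hour one VM can serve (assumption)
VM_HOUR_COST = 0.10       # price per VM-hour (assumption)

def summarize(vm_hours, violations):
    return {"vm_hours": vm_hours,
            "cost": round(vm_hours * VM_HOUR_COST, 2),
            "sla_violations": violations}

def static_provisioning(demand, vms):
    """Fixed pool sized up front: the bill is flat, and every hour in which
    demand exceeds the fixed capacity counts as an SLA violation."""
    capacity = vms * CAPACITY_PER_VM
    violations = sum(1 for d in demand if d > capacity)
    return summarize(vms * len(demand), violations)

def dynamic_provisioning(demand, min_vms=1, max_vms=10, target_util=0.8):
    """Reactive autoscaler: at the start of each hour, size the pool so that
    the previous hour's demand would run at target_util. The one-hour lag is
    where the violations come from when demand ramps faster than scaling."""
    vms = min_vms
    vm_hours = violations = 0
    for i, d in enumerate(demand):
        if i > 0:
            needed = math.ceil(demand[i - 1] / (CAPACITY_PER_VM * target_util))
            vms = max(min_vms, min(max_vms, needed))
        vm_hours += vms
        if d > vms * CAPACITY_PER_VM:
            violations += 1
    return summarize(vm_hours, violations)

def compare(demand=DEMAND):
    """Peak-sized static pool vs. average-sized static pool vs. autoscaling."""
    peak_vms = math.ceil(max(demand) / CAPACITY_PER_VM)
    avg_vms = math.ceil(sum(demand) / len(demand) / CAPACITY_PER_VM)
    return {"static_peak": static_provisioning(demand, peak_vms),
            "static_avg": static_provisioning(demand, avg_vms),
            "dynamic": dynamic_provisioning(demand)}
```

On this trace the peak-sized static pool never violates the SLA but pays for 48 VM-hours; the average-sized pool is cheapest and fails for four hours; the autoscaler lands in between, and its two violations both occur on the rising edge of the spike, which is the argument for predictive or pre-warmed scaling when the ramp is known in advance.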
Parameters of Resource Provisioning
1) Response time: The resource provisioning algorithm is designed to respond in
minimum time after completing any task.
2) Minimize cost: The cost of cloud services should be as low as possible for the cloud consumer.
3) Revenue maximization: The cloud service provider should earn maximum revenue.
4) Fault tolerance: The algorithm should provide services continuously in spite of node failures.
5) Reduced SLA violation: The algorithm should be designed to decrease SLA
violations.
6) Reduced power consumption: The placement and migration methods for virtual machines
should consume low power.
Global Exchange of Cloud Resources
Global Cloud Xchange (GCX) is a network carrier that provides network services for enterprises,
new media providers and telecoms carriers. Its services cover cloud-centric connectivity from
managed SD-WAN and hybrid networks to direct cloud connections and 100 Gbps+ waves.
GCX provides connectivity throughout the Emerging Markets Corridor into Asia via its global
network (described by GCX as the world's largest private submarine cable network), with extensions
available into more than 200 countries worldwide.
As a cloud computing concept, the global exchange of cloud resources is a market that supports
brokering and exchanging cloud resources for scaling applications across multiple clouds. It
aggregates the infrastructure demands from application brokers and evaluates them against the
available supply. It supports the trading of cloud services based on competitive economic models
such as commodity markets and auctions. Its participants are:
• Market directory
A market directory is an extensive database of resources, providers, and participants using the
resources. Participants can use the market directory to find providers or customers with
suitable offers.
• Auctioneers
Auctioneers periodically clear the bids and asks submitted by market participants. They sit between
providers and customers and allocate the resources available in the global exchange of cloud
resources to the highest-bidding customers.
• Brokers
Brokers mediate between consumers and providers by buying capacity from the provider and
sub-leasing these to the consumers. They must select consumers whose apps will provide the
most utility. Brokers may also communicate with resource providers and other brokers to
acquire or trade resource shares. To make decisions, these brokers are equipped with a
negotiating module informed by the present conditions of the resources and the current
demand.
• Service-level agreements(SLAs)
The service level agreement (SLA) spells out the details of the service to be provided in
terms of metrics agreed upon by all parties, as well as penalties for failing to meet
them. The consumer participates in the utility market via a
resource management proxy that chooses a set of brokers based on their offerings. SLAs are
formed between the consumer and the brokers, binding the latter to deliver the guaranteed
resources. After that, the customer either runs their environment on the leased resources or
uses the provider's interfaces to scale their applications.
• Providers
A provider has a price-setting mechanism that determines the current price for its resource
based on market conditions, user demand and the current degree of utilization of the
resource. Based on an initial estimate of utility, an admission-control mechanism at the
provider's end selects the auctions to participate in or the brokers to negotiate with.
• Resource management system
The resource management system provides functionalities such as advance reservations that
enable guaranteed provisioning of resource capacity.
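As an added illustration of the auctioneer's role, and not code from the original notes, the following implements one round of a simple call market: bids from brokers and asks from providers are sorted, matched while a bid price meets an ask price, and cleared at a single price. The participant names, prices and quantities are constructed, and the midpoint pricing rule is one common choice among several.

```python
from dataclasses import dataclass

@dataclass
class Order:
    party: str
    price: float   # price per unit of capacity per hour
    units: int

# Constructed order book (assumption): brokers bid for capacity on behalf of
# consumers, providers ask a price for the capacity they can spare.
BIDS = [Order("broker-A", 0.12, 30), Order("broker-B", 0.10, 20), Order("broker-C", 0.06, 50)]
ASKS = [Order("provider-1", 0.05, 25), Order("provider-2", 0.08, 40), Order("provider-3", 0.15, 100)]

def clear_market(bids, asks):
    """Periodic call auction: highest bids meet lowest asks while bid >= ask.
    Returns the allocations (buyer, seller, units) and a uniform clearing
    price, taken here as the midpoint of the last matched bid and ask."""
    bids = sorted(bids, key=lambda o: -o.price)
    asks = sorted(asks, key=lambda o: o.price)
    bid_left = [b.units for b in bids]
    ask_left = [a.units for a in asks]
    matches = []
    last_pair = None
    i = j = 0
    while i < len(bids) and j < len(asks) and bids[i].price >= asks[j].price:
        qty = min(bid_left[i], ask_left[j])
        matches.append((bids[i].party, asks[j].party, qty))
        bid_left[i] -= qty
        ask_left[j] -= qty
        last_pair = (bids[i].price, asks[j].price)
        if bid_left[i] == 0:   # buyer fully served, move to next bid
            i += 1
        if ask_left[j] == 0:   # seller sold out, move to next ask
            j += 1
    price = None if last_pair is None else round(sum(last_pair) / 2, 4)
    return matches, price

def unmatched(bids, asks):
    """Demand and supply left over after clearing; these orders either wait
    for the next round or are taken to a broker for negotiation."""
    matches, _ = clear_market(bids, asks)
    bought = {b.party: 0 for b in bids}
    sold = {a.party: 0 for a in asks}
    for buyer, seller, qty in matches:
        bought[buyer] += qty
        sold[seller] += qty
    return ({b.party: b.units - bought[b.party] for b in bids if b.units > bought[b.party]},
            {a.party: a.units - sold[a.party] for a in asks if a.units > sold[a.party]})
```

With the constructed book, broker-C's bid of 0.06 is below every remaining ask once provider-1 sells out, so it clears nothing and would be a candidate for the broker-to-broker trading described above.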
Security overview in cloud computing
Cloud security refers to the technologies, policies, controls, and services that protect cloud data,
applications, and infrastructure from threats. Cloud security, also known as cloud computing
security, is a collection of security measures designed to protect cloud-based infrastructure,
applications, and data. These measures ensure user and device authentication, data and resource
access control, and data privacy protection. They also support regulatory data compliance. Cloud
security is employed in cloud environments to protect a company's data from distributed denial
of service (DDoS) attacks, malware, hackers, and unauthorized user access or use.
What Is Cloud Security?
• Secure cloud computing encompasses three core capabilities: confidentiality, integrity, and
availability. Confidentiality is the ability to keep information secret from people who
shouldn’t have access. Integrity means that systems operate as they are intended to function
and produce outputs that are not unexpected or misleading. Availability speaks to maintaining
service uptime for cloud infrastructure and cloud-based services, which includes preventing
denial-of-service (DoS) attacks.
• Security is only as strong as the layer below it. Businesses that are crafting their cloud
security policies need to consider a “defense in depth” strategy. This means building from the
ground up with a trusted foundation in the hardware layer. Applications and software in the
cloud will run more securely when they are deployed on a secure foundation.
• There are numerous Intel® hardware-enabled tools that address these core capabilities in
cloud platforms, and with security features built into every piece of Intel® silicon, all you have
to do is enable them. Tools such as encryption, firmware and platform protections serve as a
good starting point to help address the IT security concerns of businesses and government
agencies. With improved data security features available in the cloud, organizations can realize
the cost and agility benefits that come with public, private or hybrid cloud
deployments through technologies that help enable confidential computing.
Why is cloud security important?
Cloud security is critical since most organizations are already using cloud computing in one form or
another. This high rate of adoption of public cloud services is reflected in Gartner’s recent
prediction that the worldwide market for public cloud services will grow 23.1% in 2021.
• IT professionals remain concerned about moving more data and applications to the cloud due
to security, governance, and compliance issues when their content is stored in the cloud. They
worry that highly sensitive business information and intellectual property may be exposed
through accidental leaks or due to increasingly sophisticated cyber threats.
• A crucial component of cloud security is focused on protecting data and business content,
such as customer orders, secret design documents, and financial records. Preventing leaks and
data theft is critical for maintaining your customers’ trust and protecting the assets that
contribute to your competitive advantage. Cloud security's ability to guard your data and
assets makes it crucial to any company switching to the cloud.
How does cloud security work?
Every cloud security measure works to accomplish one or more of the following:
• Enable data recovery in case of data loss
• Protect storage and networks against malicious data theft
• Deter human error or negligence that causes data leaks
• Reduce the impact of any data or system compromise
• Data security is an aspect of cloud security that involves the technical end of threat
prevention. Tools and technologies allow providers and clients to insert barriers between the
access and visibility of sensitive data. Among these, encryption is one of the most powerful
tools available. Encryption scrambles your data so that it's only readable by someone who has
the encryption key. If your data is lost or stolen, it will be effectively unreadable and
meaningless. Data transit protections like virtual private networks (VPNs) are also
emphasized in cloud networks.
• Identity and access management (IAM) pertains to the accessibility privileges offered to
user accounts. Managing authentication and authorization of user accounts also apply here.
Access controls are pivotal to restrict users both legitimate and malicious from entering and
compromising sensitive data and systems. Password management, multi-factor authentication,
and other methods fall in the scope of IAM.
• Governance focuses on policies for threat prevention, detection, and mitigation. With SMB
and enterprises, aspects like threat intel can help with tracking and prioritizing threats to keep
essential systems guarded carefully. However, even individual cloud clients could benefit
from valuing safe user behavior policies and training. These apply mostly in organizational
environments, but rules for safe use and response to threats can be helpful to any user.
• Disaster recovery (DR) and business continuity (BC) planning involve technical recovery
measures in case of data loss. Central to any DR and BC plan are methods for data
redundancy such as backups, together with technical systems for ensuring
uninterrupted operations. Frameworks for testing the validity of backups and detailed
employee recovery instructions are just as valuable for a thorough BC plan.
• Legal compliance revolves around protecting user privacy as set by legislative bodies.
Governments have taken up the importance of protecting private user information from being
exploited for profit. As such, organizations must follow regulations to abide by these policies.
One approach is the use of data masking, which obscures identity within data via encryption
methods.
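The data masking mentioned in the last bullet is only as good as the primitive behind it. As an added example, not from the original notes, the following pseudonymizes an identifier (an e-mail address) two ways: with a plain hash, and with a keyed hash (HMAC-SHA-256) whose key stays outside the masked data set. A short dictionary attack then shows why the unkeyed version does not actually hide identity: the attacker hashes likely inputs and matches them. The records, e-mail addresses and guess list are constructed for the example; using a keyed hash as the masking primitive is my choice here, not the page's.

```python
import hashlib
import hmac
import secrets

# Constructed sample records with a direct identifier that must be masked
# before the data leaves the production environment. Not real people.
RECORDS = [
    {"email": "alice@example.com", "order_total": 120.50},
    {"email": "bob@example.com", "order_total": 35.00},
    {"email": "alice@example.com", "order_total": 80.25},
]

def mask_unkeyed(value: str) -> str:
    """Plain SHA-256: consistent, but anyone can hash a guess and compare."""
    return hashlib.sha256(value.encode()).hexdigest()[:16]

def mask_keyed(value: str, key: bytes) -> str:
    """HMAC-SHA-256 pseudonym: consistent under one key, and without the key
    an attacker cannot confirm guesses against the masked values."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]

def pseudonymize(records, key: bytes):
    """Replace the identifier with a keyed pseudonym. Analytics that only
    group by customer still work, because equal inputs give equal tokens."""
    return [{"customer": mask_keyed(r["email"], key), "order_total": r["order_total"]}
            for r in records]

def dictionary_attack(masked_values, mask_fn, guesses):
    """Re-identify masked values by masking each guess and matching.
    Models an attacker who has the masked data set but not the key."""
    table = {mask_fn(g): g for g in guesses}
    return {m: table[m] for m in masked_values if m in table}

# Constructed guess list: low-entropy identifiers are easy to enumerate.
GUESSES = ["alice@example.com", "bob@example.com", "carol@example.com"]

def demo():
    """Returns (hits against unkeyed masking, hits against keyed masking,
    whether the two alice records still link to the same customer token)."""
    key = secrets.token_bytes(32)            # kept in a secret store, never shipped with the data
    masked = pseudonymize(RECORDS, key)
    unkeyed = [mask_unkeyed(r["email"]) for r in RECORDS]
    keyed = [r["customer"] for r in masked]
    hits_unkeyed = dictionary_attack(unkeyed, mask_unkeyed, GUESSES)
    hits_keyed = dictionary_attack(keyed, lambda v: mask_keyed(v, b"attacker-guess-key"), GUESSES)
    return len(hits_unkeyed), len(hits_keyed), keyed[0] == keyed[2]
```

The keyed token is still a pseudonym rather than anonymization: whoever holds the key can re-identify, so the key needs the same access control as the raw identifiers, and rotating it breaks linkage across data sets, which may or may not be what the compliance requirement wants.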
What are the biggest cloud security threats?
Some of the biggest threats to cloud-based operations include:
External data breaches. The risk of losing data, whether financial, customer-related or intellectual
property, through a breach is a perennial issue that is exacerbated by expanding cloud computing
environments. These attacks may be due to the provider's failure to properly secure its network or
the customer's failure to properly patch its operating systems and applications, which opens the
organization up to external attacks such as DDoS attacks and malware.
Misconfiguration. Cloud security is naturally complex, and the risk of configuring something
incorrectly is high, particularly when an organization engages with a new service provider or
expands its cloud user base.
Poor authentication controls. Controlling access to cloud resources is more complex than on an
internal network, creating more opportunities for misconfiguration.
Account hijacking via phishing. The risk of data theft from a phishing attack aimed at
stealing usernames and passwords intensifies in cloud applications.
API insecurities. Insecure APIs used to access cloud resources are an increasingly common
avenue for attackers attempting to gain access.
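Misconfiguration and poor access control are the two items above that a practitioner can check mechanically. As an added example, not from the original notes, the following audits a storage bucket resource policy written in the JSON policy language that AWS uses (several other providers follow a similar model): it flags an Allow statement that grants access to an anonymous principal with no condition, wildcard actions, and wildcard resources. Both policies, the bucket name and the account and role identifiers are constructed for the example.

```python
import json

# Constructed policies in the AWS-style JSON policy language. The weak one is
# the classic misconfiguration: anonymous read of an entire bucket.
WEAK_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
   {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::corp-data/*"}
 ]}
""")

HARDENED_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
   {"Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
    "Action": ["s3:GetObject"],
    "Resource": "arn:aws:s3:::corp-data/*",
    "Condition": {"Bool": {"aws:SecureTransport": "true"}}},
   {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": ["arn:aws:s3:::corp-data", "arn:aws:s3:::corp-data/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
 ]}
""")

def as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def is_anonymous(principal):
    """True for Principal "*" or any {"AWS": "*"}-style map entry."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in as_list(v) for v in principal.values())
    return False

def audit_policy(policy):
    """Return (severity, message) findings for the Allow statements of a policy.
    Deny statements are skipped: a Deny to "*" is a guard, not an exposure."""
    findings = []
    for n, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = as_list(st.get("Action", []))
        resources = as_list(st.get("Resource", []))
        if is_anonymous(st.get("Principal")) and not st.get("Condition"):
            findings.append(("HIGH", f"statement {n}: Allow for anonymous principal with no Condition"))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(("HIGH", f"statement {n}: wildcard action {actions}"))
        if "*" in resources:
            findings.append(("MEDIUM", f"statement {n}: applies to every resource"))
    return findings

def severities(policy):
    return [sev for sev, _ in audit_policy(policy)]
```

A check like this belongs in the pipeline that applies the policy, not in a quarterly review: the cost of a public bucket is incurred from the moment the policy is attached.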
Cloud Security Challenges
1. Data Breaches
There is no concern more palpable than a data breach. It’s something every organization is
focused on. However, few have the resources and strategies in place to truly tackle it in a
worthy manner. This makes it a critical concern (and something that has to be dealt with in a
proactive and preventative way). Failure to deal with data properly (through deliberate
encryption) opens your business up to huge compliance risks – not to mention data breach
penalties, fines, and serious violations of customer trust. The onus is on you to protect your
customer and employee data, regardless of what any Service-Level Agreement (SLA) says.
2. Compliance With Regulatory Mandates
It’s commonplace for organizations – particularly smaller and mid-size companies – to
assume that they’re getting maximum protection simply by working with a cloud solutions
provider. But there’s more to it than meets the eye. Compliance goes beyond international and
federal regulations. There are also additional industry mandates that must be addressed.
Examples include EU data protection, PCI DSS, FISMA, GLBA, HIPAA, and FERPA – to
name a few. The right cloud security solutions provide the technical capacity to abide by
regulatory mandates, but there has to be regular oversight and granular attention to
detail. Under the responsibility model, the cloud provider offers security of the cloud, while
the end user provides security in the cloud.
3. Lack of IT Expertise
According to the Cloud Security Alliance “Cloud Adoption Practices & Priorities Survey
Report,” 34 percent of companies are currently avoiding the cloud because they don’t believe
their IT and business managers have the knowledge and experience to handle the demands of
cloud computing. This makes it one of the top-four concerns businesses have in regards to
cloud security. The average enterprise now has between three and four clouds. This creates
added layers of complexity that require technical competence and relevant experience.
This speaks to a larger trend that we’ll expect to see emerge in the coming months and years.
Rather than just having managerial experience and financial literacy, IT and business
managers will be required to bring technical cloud competency to the table. This doesn’t
mean they’ll have to be cloud experts, but basic understanding and the ability to lead targeted
initiatives becomes integral.
4. Cloud Migration Issues
Cloud migration is happening in droves, but it has to be handled properly (otherwise, it
exposes the business to unnecessary risk). According to one report, the four biggest
challenges facing businesses are visibility into infrastructure security (43 percent),
compliance (38 percent), setting security policies (35 percent), and security failing to keep up
with the pace of change in applications (35 percent). As a result, security professionals and IT
pros are feeling overwhelmed by everything that’s asked of them. Simpler and more straight
forward migration strategies will help businesses manage this transition flawlessly. Trying to
accomplish everything at once is a major mistake. The migration process should be broken
down into stages to reduce the risk of critical errors that could corrupt data and/or lead to
vulnerabilities.
5. Unsecured APIs
The difficult thing about the cloud is that there are so many possible entry points for
attacks. So while the attack surface may be smaller in total, it is much more
fragmented. This is seen most clearly in microservice architectures
and the increasing trend towards serverless functions. APIs are useful, but you have to consider
how they affect the larger system. Even if the cloud platform itself is technically sound, intruders
can steal data by exploiting less-secure APIs. The proper cloud
security solutions can help you carefully vet each application to protect against weak points
like these.
6. Insider Threats
It’s a good business practice to trust your employees. Unfortunately, many businesses take
this trust too far or fail to vet the driving factors behind their trust on the front end. According
to research from Intel, insider threats are responsible for an incredible 43 percent of all
breaches. Half are intentional and half are accidental. More specifically, businesses need to
think about access management and limiting who can access what and when. Access to cloud
applications and data sources should be given on an as-required basis. Nobody should have
more access than is needed to complete their job-related responsibilities.
7. Open Source
Applications are built largely from open source packages, and those packages can carry
vulnerabilities of their own or be deliberately compromised. In a software supply-chain attack
the attacker poisons the well: a malicious version is pushed to the package’s repository or
registry, and the attacker waits for developers to pull it into their builds before compromising
the application through the planted code. Pin dependencies to reviewed versions and verify
their hashes before installing.
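One concrete defence against a poisoned package is to install only artifacts whose hash matches a reviewed lockfile. The script below is an added example, not code from the notes; it mirrors the idea behind pip's `--require-hashes` mode, and the lockfile format, package names and artifact bytes are constructed for illustration.

```python
"""Verify pinned dependencies against a hash lockfile before installing.

Added example (not from the notes): mirrors the idea behind pip's
--require-hashes mode. The lockfile format, the package names and the
artifact bytes below are constructed for illustration.
"""
import hashlib
import re
from typing import Dict, Tuple

# One requirement per line: name==version --hash=sha256:<hex digest>
PIN_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>\S+)\s+--hash=sha256:(?P<digest>[0-9a-f]{64})$"
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_lockfile(text: str) -> Dict[Tuple[str, str], str]:
    """Map (name, version) -> expected SHA-256. Any line that is not pinned
    AND hashed is an error: an unpinned requirement can silently resolve
    to a newer, possibly poisoned, release."""
    pinned = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PIN_RE.match(line)
        if not m:
            raise ValueError(f"unpinned or unhashed requirement: {line!r}")
        pinned[(m["name"].lower(), m["version"])] = m["digest"]
    return pinned


def lockfile_is_complete(text: str) -> bool:
    try:
        parse_lockfile(text)
        return True
    except ValueError:
        return False


def verify_artifact(pinned, name: str, version: str, data: bytes) -> bool:
    """True only if this exact (name, version) is in the lockfile and the
    downloaded bytes hash to the reviewed digest."""
    expected = pinned.get((name.lower(), version))
    if expected is None:
        return False          # not reviewed at all: refuse to install
    return sha256_hex(data) == expected


# Constructed artifacts standing in for the wheels/tarballs that were
# reviewed when the lockfile was generated (hypothetical package names).
REVIEWED = {
    ("leftpad-clone", "1.2.0"): b"def leftpad(s, n):\n    return s.rjust(n)\n",
    ("request-helper", "0.4.1"): b"def get(url):\n    return fetch(url)\n",
}
LOCKFILE = "\n".join(
    f"{name}=={ver} --hash=sha256:{sha256_hex(data)}" for (name, ver), data in REVIEWED.items()
)

# The same package after an attacker pushed a poisoned release under the
# same version string: the digest no longer matches, so install is refused.
TAMPERED = b"def leftpad(s, n):\n    exfiltrate_environment()\n    return s.rjust(n)\n"


def install_plan(lockfile: str, downloads):
    """Return [(name, version, ok), ...]; anything with ok=False must not be installed."""
    pinned = parse_lockfile(lockfile)
    return [(n, v, verify_artifact(pinned, n, v, data)) for (n, v), data in downloads.items()]


if __name__ == "__main__":
    for entry in install_plan(LOCKFILE, {**REVIEWED, ("leftpad-clone", "1.2.0"): TAMPERED}):
        print(entry)
```

The important design choice is that an unpinned or unhashed line is treated as an error rather than a warning: the whole point of the lockfile is lost if one dependency is allowed to float to whatever the registry serves next.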
8. Cyber attacks
The security provided by cloud service providers is a significant concern for organizations.
Companies worry that attackers can penetrate the cloud more easily than legacy systems. One
severe cyber attack can cause huge data loss and damage the reputation and integrity of an
organization. Some of the cybersecurity threats that can affect a company’s cloud computing
services are:
Cloud malware injection attack: often placed at the top of the cloud security risk list. The
attacker injects a malicious service instance or virtual machine into the cloud infrastructure so
that user requests are redirected to it, giving the attacker access to the users’ information.
Distributed Denial of Service (DDoS): floods your system with more traffic than your servers
can cope with. Such attacks can bring the system down and make it unavailable to your staff,
users, and customers.
Man-in-the-middle: an unauthorized user positions himself between two or more
communicating parties. If the attacker succeeds, he can read and alter the data in transit.
9. Human Error
According to Gartner, through 2025, 99% of all cloud security failures will be due to some
level of human error. Human error is a constant risk when building business applications.
However, hosting resources on the public cloud magnifies the risk. The cloud’s ease of use
means that users could be using APIs you’re not aware of without proper controls and
opening up holes in your perimeter. Manage human error by building strong controls that help
people make the right decisions. One final rule: don’t blame people for errors, blame the
process. Build processes and guardrails to help people do the right thing. Pointing fingers
doesn’t help your business become more secure.
10. Misconfiguration
Cloud settings keep growing as providers add more services over time. Many companies are
using more than one provider. Providers have different default configurations, with each
service having its distinct implementations and nuances. Until organizations become
proficient at securing their various cloud services, adversaries will continue to exploit
misconfigurations.
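Misconfiguration is the one risk on this list that can be caught mechanically, because the configuration is data that can be read back and checked against rules. The script below is an added example, not code from the notes: it audits two classic mistakes, management ports open to the whole internet in a security group and a bucket policy that grants everyone access with no condition. The input dictionaries are simplified stand-ins for what a provider API returns, and the sample resources are constructed.

```python
"""Audit security-group rules and bucket policies for common misconfigurations.

Added example (not from the notes). The input dictionaries are simplified
stand-ins for what a provider API returns; the rules and the sample
resources are constructed for illustration.
"""
import ipaddress
from typing import Dict, List

# Services that should never be reachable from the whole internet.
MANAGEMENT_PORTS = {
    22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres", 6379: "redis", 27017: "mongodb",
}


def check_security_group(group: Dict) -> List[str]:
    findings = []
    for rule in group.get("ingress", []):
        net = ipaddress.ip_network(rule["cidr"], strict=False)
        lo = rule.get("from_port", 0)
        hi = rule.get("to_port", 65535)
        world_open = net.prefixlen == 0          # 0.0.0.0/0 or ::/0
        if not world_open:
            continue
        for port, name in MANAGEMENT_PORTS.items():
            if lo <= port <= hi:
                findings.append(f"{group['id']}: {name}/{port} open to {rule['cidr']}")
        if hi - lo > 1000:
            findings.append(f"{group['id']}: wide port range {lo}-{hi} open to {rule['cidr']}")
    return findings


def check_bucket_policy(bucket: Dict) -> List[str]:
    """Flag Allow statements granted to everyone ('*') with no Condition."""
    findings = []
    for stmt in bucket.get("policy", {}).get("Statement", []):
        principal = stmt.get("Principal")
        anyone = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if stmt.get("Effect") == "Allow" and anyone and not stmt.get("Condition"):
            actions = stmt.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            findings.append(f"{bucket['name']}: {', '.join(actions)} allowed for everyone")
    return findings


def audit(groups: List[Dict], buckets: List[Dict]) -> List[str]:
    return [f for g in groups for f in check_security_group(g)] + \
           [f for b in buckets for f in check_bucket_policy(b)]


# Constructed sample resources (hypothetical IDs, names and account number).
SAMPLE_GROUPS = [
    {"id": "sg-web", "ingress": [{"cidr": "0.0.0.0/0", "from_port": 443, "to_port": 443}]},
    {"id": "sg-bastion", "ingress": [{"cidr": "0.0.0.0/0", "from_port": 22, "to_port": 22}]},
    {"id": "sg-db", "ingress": [{"cidr": "10.0.0.0/16", "from_port": 5432, "to_port": 5432}]},
    {"id": "sg-lab", "ingress": [{"cidr": "::/0", "from_port": 0, "to_port": 65535}]},
]
SAMPLE_BUCKETS = [
    {"name": "customer-exports", "policy": {"Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::customer-exports/*"}]}},
    {"name": "backups", "policy": {"Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/backup"},
         "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::backups/*"}]}},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_GROUPS, SAMPLE_BUCKETS):
        print(finding)
```

Note that `sg-web` (HTTPS to the world) and `sg-db` (Postgres from an internal /16) produce no findings: the rules encode intent, not just "anything open", which is what keeps such a checker from being ignored for noise.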
Software‐as‐a‐Service Security
SaaS Security refers to securing user privacy and corporate data in subscription-based cloud
applications. SaaS applications carry a large amount of sensitive data and can be accessed
from almost any device by a mass of users, thus posing a risk to privacy and sensitive
information. SaaS security is the managing, monitoring, and safeguarding of sensitive data
from cyber-attacks. With the increase in efficiency and scalability of cloud-based IT
infrastructures, organizations are also more vulnerable.
SaaS maintenance measures such as SaaS security posture management (SSPM) help ensure the
privacy and safety of user data. From customer payment information to inter-departmental
exchange of information, strengthening the security of SaaS applications is vital to your
success. To help this cause, regulatory bodies worldwide have issued security and privacy rules
such as the GDPR (General Data Protection Regulation of the EU) and the EU-US and Swiss-US
Privacy Shield Frameworks (the latter two have since been invalidated and replaced by the Data
Privacy Framework). Every SaaS business must comply with the rules that apply to the data it
handles in order to offer safe and secure services. Whether you are starting anew or adding an
aspect to your IT arsenal, SaaS security is essential for successful ventures. Below are SaaS
security practices that organizations can adopt to protect data in their SaaS applications.
Detect rogue services and compromised accounts: Organizations can use tools, such as
cloud access security brokers (CASB) to audit their networks for unauthorized cloud services
and compromised accounts.
Apply identity and access management (IAM): A role-based identity and access
management solution can ensure that end users do not gain access to more resources than they
require for their jobs. IAM solutions use processes and user access policies to determine what
files and applications a particular user can access. An organization can apply role-based
permissions to data so that end users will see only the data they're authorized to view.
Encrypt cloud data: Data encryption protects both data at rest (in storage) and data in transit
between the end user and the cloud or between cloud applications. Government regulations
usually require encryption of sensitive data. Sensitive data includes financial information,
healthcare data, and personally identifiable information (PII). While a SaaS vendor may
provide some type of encryption, an organization can enhance data security by applying its
own encryption, such as by implementing a cloud access security broker (CASB).
Enforce data loss prevention (DLP): DLP software monitors for sensitive data stored within SaaS
applications or included in outgoing transmissions and blocks the transmission. It also detects
and prevents sensitive data from being downloaded to personal devices, and flags attempts by
malware or intruders to access and bulk-download data.
Monitor collaborative sharing of data: Collaboration controls can detect granular
permissions on files that are shared with other users, including users outside the organization
who access the file through a web link. Employees may inadvertently or intentionally share
confidential documents through email, team spaces, and cloud storage sites such as Dropbox.
Check provider's security: An audit of a SaaS provider can include checks on its
compliance with data security and privacy regulations, data encryption policies, employee
security practices, cybersecurity protection, and data segregation policies.
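The DLP practice above is the one in this list that comes down to a concrete detection engine, so here is a small one as an added example (not code from the notes or from any DLP product). It scans outbound messages with three illustrative detectors: payment card numbers validated with the Luhn checksum so that random digit runs are not flagged, AWS-style access key IDs, and PEM private keys. The sample messages are constructed; the card number is the well-known Visa test number and the key ID is the example from AWS documentation.

```python
"""Scan outbound messages for sensitive data before they leave the organization.

Added example (not from the notes). Three illustrative detectors: payment
card numbers (validated with the Luhn checksum to cut false positives),
AWS-style access key IDs and PEM private keys. A production DLP engine has
far more detectors; the sample messages are constructed.
"""
import re
from typing import List, Tuple

# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# AWS access key IDs start with AKIA followed by 16 upper-case alphanumerics.
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812): every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN and last four; never log the full number."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan(text: str) -> List[Tuple[str, str]]:
    """Return (detector, masked evidence) pairs for every hit in `text`."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):                      # random digit runs fail Luhn
            findings.append(("pan", mask_pan(digits)))
    for m in AWS_KEY_RE.finditer(text):
        findings.append(("aws_access_key", m.group()[:4] + "..." + m.group()[-4:]))
    if PRIVATE_KEY_RE.search(text):
        findings.append(("private_key", "PEM block"))
    return findings


def should_block(text: str) -> bool:
    return bool(scan(text))


# Constructed messages; the card number is the well-known Visa test number
# and the key ID is the example from AWS documentation.
SAMPLE_MESSAGES = [
    "Order 20231104-7 confirmed, total 149.00 USD",
    "Card for refund: 4111 1111 1111 1111 exp 12/26",
    "prod creds: AKIAIOSFODNN7EXAMPLE please rotate",
    "ticket 1234567890123456 is a tracking number",
    "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA...\n-----END RSA PRIVATE KEY-----",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(should_block(msg), scan(msg))
```

The fourth message shows why the checksum matters: a 16-digit tracking number matches the card regex but fails Luhn, so it passes through. Evidence is masked before it is returned, because a DLP alert that quotes the full card number is itself a leak.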
Security Governance
Security governance is a process for overseeing the cybersecurity teams who are responsible
for mitigating business risks. Security governance leaders make the decisions that allow risks
to be prioritized so that security efforts are focused on business priorities rather than their
own. They also govern the interplay of mitigating identified business risks, addressing
internal and external threats, and dealing with compliance.
Security governance is the set of responsibilities and practices exercised by executive
management with the goal of providing strategic direction, ensuring that objectives are
achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise’s
resources are used responsibly. Research shows that, through their emerging capabilities in
security governance and risk management, many organizations are taking proactive steps to
ensure that their investments in security controls directly support their objectives for the
business. A consistent, organization-wide view of security risks, integrating both physical
security and IT security, is an essential element of this strategy. By combining strong security
governance and risk management with an integrated approach to logical and physical security,
organizations gain an optimized IT infrastructure and better protection for their digital,
physical, and human assets.
Cloud Security Governance and Its Need
By implementing cloud governance, organizations can avoid the following issues as follows.
1. Security and privacy risks :
This issue may arise due to unauthorized downloads/ installation of software, storage of
illegal data, and access to restricted sites by users. Cloud Governance solutions cover multiple
cloud security components. For example, Encryption, Security groups, Audit trails,
Application access rules, Access controls.
2. Vendor lock-in :
Many vendors favour contract terms that make the organization dependent on that cloud
service provider for products and services. This can be avoided by negotiating the SLA
suitably and reducing dependence on a single vendor, preserving the organization’s freedom
to move.
3. Cloud Sprawl :
This happens when employees of different departments use different programs and cloud
infrastructure from third-party providers without involving the IT department and getting the
necessary approvals. If not detected and restricted, cloud sprawl leads to fragmented,
redundant, inefficient, and unmanaged cloud programs sitting on the enterprise cloud and
creating unnecessary trouble.
4. Shadow IT and unwarranted usage of cloud resources :
This happens when employees in various departments do not follow the rules and regulations
as imposed by the IT department on cloud usage resulting in security breaches and
fragmented control throughout the organization. This leads to not getting sufficient results
from the cloud in the long run.
5. Lack of data portability and interoperability :
This happens when the cloud service provider or the inbuilt cloud infrastructure is incapable
of connecting well with other software and products outside the organization. This may also
lead to modules not compatible with each other and hence chaos in the cloud due to an
inefficient system.
How to develop a cloud governance strategy
Building a governance strategy can feel overwhelming, but breaking down the process into
key steps can help.
• Before starting out, understand what’s in your organization’s cloud. Take the time to
inventory the assets that have already been deployed in the cloud, learn about how they inter-
operate, and note potential security concerns.
• Optimize for cost and performance. Ensure that the cloud strategy aligns with the broader
business and IT strategies. On this account, you may choose to swap out one cloud provider’s
services for those of a vendor whose structure better fits in with your operational needs. You
may also opt for another vendor to take advantage of discounted pricing offers.
• Develop processes and practices. Clarify how different departments intend to use cloud-
based resources and understand their access requirements. Collaborate with the appropriate
stakeholders across your enterprise to create optimal rules for cloud governance. Keep the
need for flexibility and the prospect of possible revisions to policies in mind as you move
forward.
• Security policy management. Security policies are undoubtedly the most important element
of cloud governance. The absence of effective policies almost guarantees that your
organization will experience a security breach. Deploy security policies to assets in the cloud,
in relation to access control, encryption key management and more. Many organizations rely
on a standard set of policies and compliance standards that pertain to their specific industry.
• Consider cloud governance automation software. This technology can execute
predetermined procedures in the event of a rule violation. Cloud governance automation
software can also request approval for an event beyond the parameters of set governance
rules, or automatically remove an asset. In short, cloud governance automation software can
remove a large portion of the manual work involved in cloud governance.
Virtual Machine
• A Virtual Machine (VM) is a compute resource that uses software instead of a physical
computer to run programs and deploy apps. One or more virtual “guest” machines run on a
physical “host” machine. Each virtual machine runs its own operating system and functions
separately from the other VMs, even when they are all running on the same host. This means
that, for example, a macOS virtual machine can run on a physical PC.
• Virtual machine technology is used for many use cases across on-premises and cloud
environments. More recently, public cloud services are using virtual machines
to provide virtual application resources to multiple users at once, for even more cost efficient
and flexible compute.
Advantages of Virtual Machine
Virtual machines are easy to manage and maintain, and they offer several advantages over
physical machines:
VMs can run multiple operating system environments on a single physical computer, saving
physical space, time and management costs.
Virtual machines support legacy applications, reducing the cost of migrating to a new
operating system. For example, a Linux virtual machine running a distribution of Linux as the
guest operating system can exist on a host server that is running a non-Linux operating
system, such as Windows.
VMs can also provide integrated disaster recovery and application provisioning options.
Disadvantages of Virtual Machine
While virtual machines have several advantages over physical machines, there are also
some potential disadvantages.
Running multiple virtual machines on one physical machine can result in unstable
performance if infrastructure requirements are not met.
Virtual machines are less efficient and run slower than a full physical computer. Most
enterprises use a combination of physical and virtual infrastructure to balance
the corresponding advantages and disadvantages.
Types of Virtual Machine
Users can choose from two different types of virtual machines: process VMs and system VMs.
A process virtual machine allows a single process to run as an application on a host
machine, providing a platform-independent programming environment by masking the
information of the underlying hardware or operating system. An example of a process VM is
the Java Virtual Machine, which enables any operating system to run Java applications as if
they were native to that system.
A system virtual machine is fully virtualized to substitute for a physical machine. A system
VM platform supports the sharing of a host computer’s physical resources between multiple
virtual machines, each running its own copy of the operating system. This virtualization
relies on a hypervisor, which can run on bare hardware (such as VMware ESXi) or on top of an
operating system.
Characteristics of a Virtual Machine
Having defined the virtual machine concept and some of its functions, it is essential to know its
principal characteristics:
Almost every operating system can be installed in the majority of virtual machines (Windows,
Linux, Android or Mac OS X), although some virtualization products support only a single
guest operating system.
Each virtualized operating system is completely independent of the others. If one virtual
machine has a problem or stops working, the others are not affected and continue to run.
An operating system is used from inside a virtual machine exactly as it would be on a physical
computer.
The elements composing a virtual machine are the same as those in a physical computer: RAM,
hard disk, CD-ROM drive, video card and network card are all present, the only difference
being that they are virtualized.
All of the elements of a virtual machine are contained in a set of files. This makes it possible
to copy a virtual machine from one computer to another and to take backup copies; both are
quick and easy, and avoid many technical problems.
Virtual Machine Security
Virtualized security, or security virtualization, refers to security solutions that are software-
based and designed to work within a virtualized IT environment. This differs from traditional,
hardware-based network security, which is static and runs on devices such as traditional
firewalls, routers, and switches. In contrast to hardware-based security, virtualized security is
flexible and dynamic. Instead of being tied to a device, it can be deployed anywhere in the
network and is often cloud-based. This is key for virtual machine security in cloud
computing, where operators spin up workloads and applications dynamically: virtualized
security lets security services and functions move with those dynamically created workloads.
Mechanisms such as isolating tenants from one another in public cloud environments are also
part of virtual machine security in the cloud. The flexibility of virtualized security helps in
securing hybrid and multi-cloud environments, where data and workloads migrate around a
complicated ecosystem involving multiple vendors.
What are the benefits of virtualized security?
Virtualized security is now effectively necessary to keep up with the complex security
demands of a virtualized network, plus it’s more flexible and efficient than traditional
physical security. Here are some of its specific benefits:
Cost-effectiveness: Virtualized security allows an enterprise to maintain a secure network
without a large increase in spending on expensive proprietary hardware. Pricing for cloud-
based virtualized security services is often determined by usage, which can mean additional
savings for organizations that use resources efficiently.
Flexibility: Virtualized security functions can follow workloads anywhere, which is crucial
in a virtualized environment. It provides protection across multiple data centres and in multi-
cloud and hybrid cloud environments, allowing an organization to take advantage of the full
benefits of virtualization while also keeping data secure.
Operational efficiency: Quicker and easier to deploy than hardware-based security,
virtualized security doesn’t require IT teams to set up and configure multiple hardware
appliances. Instead, they can set up security systems through centralized software, enabling
rapid scaling. Using software to run security technology also allows security tasks to be
automated, freeing up additional time for IT teams.
Regulatory compliance: Traditional hardware-based security is static and unable to keep
up with the demands of a virtualized network, making virtualized security a necessity for
organizations that need to maintain regulatory compliance.
How does virtualized security work?
• Virtualized security can take the functions of traditional security hardware appliances (such as
firewalls and antivirus protection) and deploy them via software. In addition, virtualized
security can also perform additional security functions. These functions are only possible due
to the advantages of virtualization, and are designed to address the specific security needs of a
virtualized environment.
• For example, an enterprise can insert security controls (such as encryption) between the
application layer and the underlying infrastructure, or use strategies such as micro-
segmentation to reduce the potential attack surface.
• Virtualized security can be implemented as an application directly on a bare metal
hypervisor (a position it can leverage to provide effective application monitoring) or as a
hosted service on a virtual machine. In either case, it can be quickly deployed where it is most
effective, unlike physical security, which is tied to a specific device.
System virtual machine
A system virtual machine provides a complete system platform on which an entire guest
operating system runs; VirtualBox is an example of a tool that provides such an environment
for installing a full OS. The figure below shows the hardware of the real machine being shared
between two simulated operating systems by the virtual machine monitor, with separate
programs and processes running on each simulated machine.
Process Virtual Machine
A process virtual machine, unlike a system virtual machine, does not let us install a complete
guest operating system. Instead it creates a virtual environment for a single application while
it runs, and that environment is destroyed as soon as the application exits. In the figure below,
some applications run directly on the host OS while process VMs are created to run others;
programs that require a different OS are given one only for as long as they are running.
Example – Wine on Linux runs Windows applications (strictly, Wine is a compatibility layer
that reimplements the Windows API rather than a full VM, but it plays the same role of giving
a program the environment it expects).
Identity and Access Management (IAM)
Identity and access management provides control over user validation and resource access.
Commonly known as IAM, this technology ensures that the right people access the right
digital resources at the right time and for the right reasons. Identity and access management
(IAM) is the practice of making sure that people and entities with digital identities have the
right level of access to enterprise resources like networks and databases. User roles and access
privileges are defined and managed through an IAM system.
Identity and access management, or IAM, is a foundational component of virtually any
modern application environment. By providing a systematic way to assign roles and
permissions to users and groups, IAM plays a central role in securing resources, mitigating
security vulnerabilities, and (when properly implemented) enforcing the principle of least
privilege.
Identity and access management (IAM) is a software service or framework that allows
organizations to define user or group identities within software environments, then associate
permissions with them. The identities and permissions are usually spelled out in a structured
text document (JSON on the major cloud platforms), which is referred to as an IAM policy. As
an example of an IAM policy, a team could create a
rule that grants a specific user the right to list files within an object storage bucket in the
cloud. Or, an IAM policy could grant a group of users in a branch office the ability to both
read and upload files to a local database. These are just basic examples. In a large-scale
environment, a team might maintain dozens or even hundreds of different IAM policies. The
policies can be used to manage access rights for any of the dozens of services that the
organization may use, either on-premises or in the cloud.
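The two example policies in the paragraph above (a user who may list files in one bucket, a branch office that may read and write its own database) can be made concrete with a small evaluator. The code below is an added example, not the notes' own code nor any provider's engine: its policy grammar is a simplified version of the JSON documents cloud providers use, with the rule that an explicit Deny always wins over an Allow and anything not allowed is implicitly denied. The principals, actions, resource names and the access log are constructed.

```python
"""Evaluate requests against IAM-style policies and report unused grants.

Added example (not from the notes). The policy grammar is a simplified
version of the JSON documents cloud providers use: each statement has an
Effect, Action and Resource, '*' is a wildcard, an explicit Deny always
wins over an Allow, and anything not allowed is implicitly denied. The
principals, actions, resource names and access log are constructed.
"""
from fnmatch import fnmatchcase
from typing import Dict, Iterable, List, Tuple


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _matches(patterns, value: str) -> bool:
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def decide(policies: List[Dict], action: str, resource: str) -> str:
    """Return 'allow', 'explicit-deny' or 'implicit-deny'."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit-deny"     # a matching Deny overrides any Allow
            allowed = True
    return "allow" if allowed else "implicit-deny"


def is_allowed(policies: List[Dict], action: str, resource: str) -> bool:
    return decide(policies, action, resource) == "allow"


def unused_grants(policies: List[Dict], used: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Allow (action, resource) patterns that no observed request exercised:
    candidates for removal under the principle of least privilege."""
    used = list(used)
    unused = []
    for policy in policies:
        for stmt in policy["Statement"]:
            if stmt["Effect"] != "Allow":
                continue
            for act in _as_list(stmt["Action"]):
                for res in _as_list(stmt["Resource"]):
                    if not any(fnmatchcase(a, act) and fnmatchcase(r, res) for a, r in used):
                        unused.append((act, res))
    return unused


# Constructed policies for the two cases described in the text: a user who
# may list and read one bucket, and a branch office that may read and
# write its own database but never touch the audit log.
POLICIES = {
    "analyst": [{"Statement": [
        {"Effect": "Allow", "Action": ["storage:ListBucket", "storage:GetObject"],
         "Resource": "bucket:reports/*"},
    ]}],
    "branch-office": [{"Statement": [
        {"Effect": "Allow", "Action": ["db:Read", "db:Write"], "Resource": "db:branch-42/*"},
        {"Effect": "Deny", "Action": "db:*", "Resource": "db:branch-42/audit-log"},
    ]}],
}

# Constructed access log: (principal, action, resource) actually observed.
ACCESS_LOG = [
    ("analyst", "storage:GetObject", "bucket:reports/q3.csv"),
    ("analyst", "storage:ListBucket", "bucket:reports/"),
    ("branch-office", "db:Read", "db:branch-42/customers"),
]


def least_privilege_report() -> Dict[str, List[Tuple[str, str]]]:
    """Per principal, the Allow grants never seen in the access log."""
    return {
        principal: unused_grants(policies, [(a, r) for p, a, r in ACCESS_LOG if p == principal])
        for principal, policies in POLICIES.items()
    }


if __name__ == "__main__":
    print(decide(POLICIES["branch-office"], "db:Read", "db:branch-42/audit-log"))
    print(least_privilege_report())
```

`least_privilege_report` is the part that turns the principle into a routine: the branch office was granted `db:Write` but only ever read, so that grant is the first candidate to revoke at the next access review.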
Why Is IAM Important?
Identity and access management is important because it allows organizations to share IT
resources among multiple users and groups. It helps organizations establish trust for who can
be signed in to an account (authentication) while at the same time ensuring that each user or
group has only the specific access rights that he or she requires (authorization). Without IAM,
teams would struggle to manage access rights in an efficient way. They would have to rely on
alternatives such as creating an entirely separate cloud computing account for each user. That
would be inefficient to manage, and would make it difficult to share cloud resources between
users.
They could also simply allow every user within their team to have the same level of access to
every resource in their environment. But that would be insecure because each individual
typically needs to access only certain resources. For example, developers who work for the
HR department may need to access databases and virtual machines associated only with their
applications, while other developers who build software for the finance department require
different permissions. If you were to give all developers access to all resources, you would
increase the risk of security oversights and exposures. With IAM, it’s easy to ensure that each
user and group has exactly the level of access they need, no more and no less. Doing so
adheres to the principle of least privilege, which states that access rights should be restricted
to the minimum necessary for a user to complete their work.
Advantages of Identity and Access Management (IAM)
• IAM enhances security. This is perhaps the most important benefit organizations can get from
IAM. By controlling user access, companies can greatly reduce data breaches, identity theft,
and illegal access to confidential information. IAM can limit the spread of compromised login
credentials, prevent unauthorized entry to the organization’s network, and provide protection
against ransomware, hacking, phishing, and other kinds of cyber attacks.
• IAM streamlines IT workload. Whenever a security policy gets updated, all access
privileges across the organization can be changed in one sweep. IAM can also reduce the
number of tickets sent to the IT helpdesk regarding password resets. Some systems even have
automation set for tedious IT tasks.
• IAM helps in compliance. With IAM, companies can quickly meet the requirements of
industry regulations (like HIPAA and GDPR) or implement IAM best practices.
• IAM allows collaboration and enhances productivity. Companies can provide outsiders
(like customers, suppliers, and visitors) access to their networks without jeopardizing
security.
• IAM improves user experience. There's no need to enter multiple passwords to access
multiple systems under SSO. If biometrics or smart cards are used, users may have no more
need to remember complex passwords.
• Eliminating weak passwords—research shows over 80% of data breaches are caused by
stolen, default, or weak passwords. IAM systems enforce best practices in credential
management, and can practically eliminate the risk that users will use weak or default
passwords. Many also force periodic password changes, although current guidance (NIST SP
800-63B) discourages mandatory rotation without evidence of compromise and favours
screening new passwords against breached-password lists instead.
• Mitigating insider threats—a growing number of breaches is caused by insiders. IAM can
limit the damage caused by malicious insiders, by ensuring users only have access to the
systems they work with, and cannot escalate privileges without supervision.
• Advanced tracking of anomalies—modern IAM solutions go beyond simple credential
management, and include technologies such as machine learning, artificial intelligence, and
risk-based authentication, to identify and block anomalous activity.
• Multi-factor security—IAM solutions help enterprises progress from two-factor to three-
factor authentication, using capabilities like iris scanning, fingerprint sensors, and face
recognition.
Disadvantages of Identity and Access Management (IAM)
• Cloud security breaches
If a business is committed to the cloud, access management and user identities must be secure
to ensure minimal risk to the company’s and clients’ data. If a company’s IAM is unsecure, it
has the potential to result in serious damage, which could be detrimental to the business.
Those responsible for dealing with the cloud and IAM within the business must make certain
that they cover their bases to ensure a seamless, secure IAM.
• Infrequent audits
While IAM makes business policy implementation a simple, streamlined process, we must not
forget to update audit practices so that they match the access policies currently in place.
It’s advised that businesses continue to schedule regular audits to allow for the potential
discovery of vulnerabilities as well as for defining what can and should be automated.
Not only that, audits also help businesses gain insights as to where they could tighten up
security by removing unnecessary access.
• Business scaling issues
With the possibility of new technologies, staff, policies, or other elements businesses may add
as they grow, the IAM framework must scale to keep up with any of these changes. IAM, in
some scenarios, can limit how these implementations scale.
This is not always the case, but for many businesses that wish to scale as fast as possible, this
is certainly something to consider.
• Incorrect definition of roles or attributes
With somewhat of a vague idea of what access is required for certain user groups, many
businesses often include too many users in a single group. Based on how permissions are
defined, whether it’s by roles or attributes, business leaders must take into account why a
person needs access to a particular resource.
Doing so ensures that access permissions are neither vague nor overly broad, and that no more
access is granted than is necessary.
• Offboarding of staff
Offboarding employees can pose a serious long-term threat to a business. Although it rarely
amounts to anything serious, the possibility always exists that a former employee uses old
permissions with malicious intent if accounts and access are not removed promptly when they
leave.
• Password problems
The growth of cloud-based applications means that employees must remember an increasing
number of passwords for applications that may cross domains and use numerous different
authentication and attribute-sharing standards and protocols. User frustration can mount when
an employee spends more and more time managing the resulting lists of passwords which, for
some applications, may require changing every 30 days. Plus, when employees have trouble
with their passwords, they most often contact IT staff for help, which can quickly and
repeatedly drain important resources.
• Distributed applications
With the growth of cloud-based and Software as a Service (SaaS) applications, users now
have the power to log in to critical business apps like Salesforce, Office365, Concur, and
more anytime, from any place, using any device. However, with the increase of distributed
applications comes an increase in the complexity of managing user identities for those
applications. Without a seamless way to access these applications, users struggle with
password management while IT is faced with rising support costs from frustrated users.
Functions of Identity and Access Management (IAM)
IAM solutions provide role-based access control, enabling administrators to regulate access to
systems or networks for individual users. Its core purpose involves capturing user
information, managing user identities, and orchestrating access privileges with an eye on
managing the lifecycle of the identity.
Identity governance: Manages the user account lifecycle including entitlements and
provisioning.
Access management: Controls unified access policies often with single sign-on (SSO) and
Multifactor authentication (MFA) enablement.
Directory services: Centralized and consolidated credential management and
synchronization.
User provisioning: Automates creation and assignment of new user accounts.
Identity analytics: Detects and prevents suspicious identity activities through machine
learning.
Single sign-on (SSO): Consolidates a user’s credentials behind a single account with strong
authentication, so that one login grants access to multiple services.
Multifactor authentication (MFA): Steps up authentication in the form of secondary
authentication controls to ensure the authenticity of users and reduce exposure from stolen
credentials.
Risk-based authentication: Uses algorithms to calculate risks of user actions. Blocks and
reports actions with high risk scores.
Identity governance and administration (IGA): Reduces the risk that is associated with
excessive access and privileges by controlling entitlements.
Cloud Security Standards
• Cloud security standards and frameworks are key to securing systems and maintaining
privacy.
• Cloud security standards refer to the security standards and organizational norms used for
identifying and responding to threats. A cloud security framework lays out the policies, tools,
configurations, and procedures that must be followed to keep a cloud platform secure.
Need for Cloud Security Standards
• As organizations continue to migrate workloads to the cloud, they must ensure that cloud
computing is the correct delivery environment for their applications. The main concern is
security and mitigating risk. Businesses are evaluating whether sensitive data is safe in the
cloud and how to adopt cloud services while remaining compliant with standards and
regulations.
• The cloud is, by nature, an attractive target for cyber-attacks, because it is exposed to public networks by default and is a well-documented environment that attackers are learning to exploit. Cloud configurations are complex, and the large number of moving parts such as VMs, serverless functions, containers and storage buckets each represent a threat surface.
• Both cloud providers and cloud users are finding it difficult to define what they need to do to
ensure a secure environment. There are many research bodies, security best practices, and
regulatory requirements, but no clear standard or consensus on what constitutes a truly secure
cloud environment.
• This makes it more important than ever for businesses to adopt a framework that will help
them address all aspects of cloud security including identity and access management (IAM),
network security, virtualization security, Zero Trust Network Access (ZTNA), endpoint
security, data privacy and content security.
Cloud Security Standards
• 1. ISO-27001 / ISO-27002
Anyone working on information security requirements will have encountered ISO-27001, since ISO-27001 is the certification standard for an Information Security Management System (ISMS). It is useful when a project is in its starting phase or if you cannot commit to a full implementation. Furthermore, ISO-27002 defines the controls that are applied in conjunction with ISO-27001. Adhering to ISO-27002 demonstrates that the organization takes information security seriously and is capable of following best practices to secure data.
• 2. ISO-27017
ISO/IEC-27017 provides guidelines for Cloud Security that can help organizations approach
Cloud Security more systematically and dependably. Further, ISO-27017 is a security
standard established for cloud service providers and consumers with the goal of reducing the
risk of a security incident in the cloud. In addition, it is also a standard for cloud-based
organizations that helps with control recommendations and implementation. This is true for
organizations that store data in the cloud and companies that provide cloud-based services to
other companies that may have sensitive data.
• 3. ISO-27018
ISO-27018 is used to protect personally identifiable information (PII) in the public cloud by organizations acting as PII processors. It follows the principles of ISO/IEC-29100 for public cloud computing environments. Moreover, ISO-27018 can be applied to any type and size of organization: public or private, government, or not-for-profit. The guidance in ISO-27018 is also applicable to organizations acting as PII controllers. Nevertheless, PII controllers may be bound by data protection legislation, regulations, and obligations that do not apply to PII processors.
• 4. General Data Protection Regulation (GDPR)
The GDPR applies to every member of the European Union (EU). Its objective is to build uniform protection of consumer data across all EU member states. The conditions of GDPR on data protection and privacy include:
Whenever a data breach occurs in the system, it must be notified within a specified period.
Data must be handled cautiously whenever it is transferred across borders.
It is essential to note that any market or company dealing with the EU is subject to its rules. This is why the EU has an impact all over the world in terms of data protection.
• 5. System and Organisation Controls (SOC) Reporting
SOC (System and Organization Controls) reporting provides comprehensive assurance (SOC 1, SOC 2, SOC 2+ and SOC 3) to users about transparency and trust in risk management. Producing SOC reports ensures that organizations apply the proper rules and controls and share only the necessary information with stakeholders. Furthermore, SOC reports provide suggestions for improvement in specific areas and identify gaps where controls fall short of their potential.
• 6. Payment Card Industry Data Security Standard (PCI DSS)
The Payment Card Industry Data Security Standard is an information security standard that applies only to organizations that handle the major card schemes. It is a set of requirements to certify that all companies that collect, process or transmit credit card information maintain a secure environment.
• 7. Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act (HIPAA) is United States legislation that provides security requirements to safeguard medical information and maintain data privacy. This law came into the picture when large amounts of health-related data were being hacked and providers were experiencing ransomware attacks.
• 8. CIS AWS Foundations v1.2
By following the CIS AWS Foundations Benchmark, any firm that uses Amazon Web Services cloud resources can help protect sensitive IT systems and data. The CIS (Center for Internet Security) Benchmarks are a set of objective, consensus-driven configuration criteria created by intelligence analysts to assist enterprises in optimizing their information security. In addition, the CIS recommendations harden AWS accounts to create a stable base for running workloads on AWS.
• 9. CIS Controls Top 20
The Top 20 Controls (formerly known as the SANS Top 20 Critical Security Controls) is a prioritized list of actions organized by the Center for Internet Security (CIS) to combat today's most ubiquitous and severe threats. It was created by top security professionals from across the world and is updated and validated annually. Using the CIS Top 20 security controls is an excellent method to shield your company against the most common threats.
• 10. ACSC Essential Eight
The ACSC Essential Eight (an expansion of the earlier ASD Top 4) lists eight cybersecurity mitigation strategies for businesses and large companies. The Essential Eight strategies were established by the Australian Signals Directorate (ASD) in collaboration with the Australian Cyber Security Centre (ACSC) to tighten security controls, safeguard organizations' computer resources and systems, and keep data safe from cybersecurity threats.
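The CIS AWS Foundations Benchmark item above says the benchmark hardens AWS accounts; a practitioner usually checks such controls automatically. The following is an added example, not code from these notes, from CIS or from AWS: it evaluates four identity controls of the v1.2 benchmark over a constructed CSV whose column names copy those of the IAM credential report, with a fixed clock so results are stable offline.

```python
"""Offline checker for a few CIS AWS Foundations Benchmark v1.2 identity
controls (added example). Input mimics the IAM credential report columns."""
import csv
import io
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed clock for the example
MAX_KEY_AGE = timedelta(days=90)                   # control 1.4 rotation window

# Constructed sample report: the root account and two IAM users.
# 111122223333 is a placeholder account id, not a real account.
SAMPLE_REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated
<root_account>,arn:aws:iam::111122223333:root,true,false,true,2023-01-15T10:00:00+00:00
alice,arn:aws:iam::111122223333:user/alice,true,true,true,2024-05-01T09:30:00+00:00
bob,arn:aws:iam::111122223333:user/bob,true,false,true,2023-11-20T08:00:00+00:00
"""


def evaluate(report_csv: str) -> list:
    """Return (control_id, principal, finding) tuples for every failed control."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        key_active = row["access_key_1_active"] == "true"
        mfa = row["mfa_active"] == "true"
        if user == "<root_account>":
            if key_active:                       # 1.12: no root access keys
                findings.append(("1.12", user, "root account has an active access key"))
            if not mfa:                          # 1.13: MFA on the root account
                findings.append(("1.13", user, "MFA not enabled for root account"))
            continue
        if row["password_enabled"] == "true" and not mfa:   # 1.2: console users need MFA
            findings.append(("1.2", user, "console user without MFA"))
        rotated = datetime.fromisoformat(row["access_key_1_last_rotated"])
        if key_active and NOW - rotated > MAX_KEY_AGE:      # 1.4: rotate keys <= 90 days
            findings.append(("1.4", user, "access key older than 90 days"))
    return findings


if __name__ == "__main__":
    for control, principal, text in evaluate(SAMPLE_REPORT):
        print(f"FAIL CIS {control}: {principal}: {text}")
```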