Cloud Computing Unit-IV

The document covers resource management and security in cloud computing, detailing concepts such as inter-cloud resource management, resource provisioning methods, and various security challenges. It discusses the importance of efficient resource allocation, the types of resources, and the different models of resource management, including static and dynamic provisioning. Additionally, it highlights security issues like data loss and the need for effective monitoring and compliance in cloud environments.


BCAM051

CLOUD COMPUTING

UNIT 4 Resource Management And Security In Cloud

SYLLABUS

Resource Management And Security In Cloud: Inter Cloud Resource Management – Resource Provisioning and Resource Provisioning Methods – Global Exchange of Cloud Resources – Security Overview – Cloud Security Challenges – Software‐as‐a‐Service Security – Security Governance – Virtual Machine Security – IAM – Security Standards
Resource Management And Security In Cloud
The term resource management refers to the operations used to control how capabilities
provided by Cloud resources and services are made available to other entities, whether users,
applications, or services.

Types of Resources
Physical Resource: Computers, disks, databases, networks, etc.
Logical Resource: Execution environments, monitoring facilities, and the mechanisms through which applications communicate.
Resource Management in Cloud Computing Environment
On the Cloud Vendor’s View
•Provision resources on an on-demand basis.
•Energy conservation and proper utilization are maintained in Cloud Data Centers
On the Cloud Service Provider’s View
•To make available the best performance resources at the cheapest cost.
•QoS (Quality of Service) to their cloud users
On the Cloud User’s View
•Renting resources at a low price without compromising performance
•Cloud provider guarantees to provide a minimum level of service to the user
Resource Management Models
Compute Model
Resources in the cloud are shared by all users at the same time. A user can reserve a VM's memory so that the memory size requested by the VM is always available, which lets the VM operate on the cloud with an adequate level of QoS (Quality of Service) delivered to the end user.

In a Grid, the compute model is a strictly managed batch workload: a local resource manager such as Portable Batch System, Condor, or Sun Grid Engine manages the compute resources of each Grid site and identifies the user under whose identity a job runs.

Data Model
It covers mapping, partitioning, querying, transferring, caching, and replicating data.

•Data is Stored at an Un-Trusted Host:- Storing data with a host the owner does not control, and letting others use it, may not seem the best policy; moving data off-premises increases the number of potential security risks.
•Data Replication over Large Areas:- Making sure data is available and durable whenever demanded is of utmost importance for cloud storage providers. Availability and durability are typically achieved through under-the-covers replication, i.e., data is replicated automatically without customer involvement or requests.
•Problems with Data Management:- Transactional data management is one of the biggest data management problems. It is hard to ensure that Atomicity, Consistency, Isolation, and Durability (ACID) are maintained when data is replicated over large distances, and it is risky to store such sensitive data in untrusted storage.
Virtualization
It is the method by which an emulation of software or hardware is created on a computer. It has two components:-
•Abstraction:- Provides virtual versions of raw compute, storage, and network that can be unified into a pool of resources, plus a resource overlay that includes data storage services and a web hosting environment.
•Encapsulation:- A virtual machine can be represented as a single file, so each application's VM can be configured, deployed, started, migrated, suspended, resumed, and stopped as a unit. This provides better security, manageability, and isolation.
Monitoring
Monitoring is the method of reviewing, observing, and managing the operation of a cloud-based IT infrastructure. The challenge that virtualization brings is that users have little control over what is monitored.

•In Cloud: Different levels of service can be offered to end users. The user is exposed only to a limited Application Programming Interface, and lower-level resources are not revealed (at the PaaS and SaaS levels some providers may choose to expose monitoring information). The user cannot deploy a monitoring infrastructure of their own, and the limited information returned restricts their knowledge of the current status of the resource. The provider, for its part, must track business usage, update, inspect, and troubleshoot its servers, monitor virtual machines, and keep the hardware functioning.
•In Grid: The trust model is different: users, via identity delegation, can access and browse resources at different Grid sites, and Grid resources are not as highly abstracted and virtualized as in Clouds.
Programming Model
User-level programming languages are used for accessing and operating the cloud.

•In Cloud: Makes use of Web Services, which give users more control over the cloud services. Translating data for the receiving system, and exchanging data in real time between services and applications without middleware, remain big challenges.
•In Grid: Makes use of a parallel and distributed computing environment.
Challenges:
1.Multiple service providers allow clients to access data with little authorization or authentication.
2.Diversity in resources affects performance and stability.
3.Error handling in a continuously changing business environment.
Security Model
Allows users to control the security of their own data by maintaining passwords and receiving notice of any suspicious activity involving their data via email.

Risks in the Security Model (the seven cloud risks identified by Gartner):-

1.Privileged user access
2.Regulatory compliance
3.Data location
4.Data segregation
5.Recovery
6.Investigative support
7.Long-term viability

Inter Cloud Resource Management

The "inter-cloud" or "cloud of clouds" is a model of cloud computing in which numerous separate clouds are combined into a single pool for on-demand operations. Simply put, the inter-cloud lets a cloud use resources outside its own range through existing agreements with other cloud service providers, since any one cloud is limited in physical resources and geographic reach.

Need of Inter-Cloud
Because of their physical resource limits, clouds have certain drawbacks:
•When a cloud's computational and storage capacity is completely depleted, it is unable to serve its customers.
•The Inter-Cloud addresses this situation by letting one cloud access the computing, storage, or other resources of other clouds' infrastructures.
Benefits of the Inter-Cloud Environment include:
•Avoiding vendor lock-in to the cloud client
•Having access to a variety of geographical locations, as well as enhanced application
resiliency.
•Better service level agreements (SLAs) to the cloud client
•Expand-on-demand is an advantage for the cloud provider.
Inter-Cloud Resource Management
A single cloud infrastructure's processing and storage capacity can be exhausted. By combining numerous separate clouds into a single pool for on-demand operations, the inter-cloud lets a cloud use resources outside its own range, so that service allocation requests from its clients can still be met.

Types of Inter-Cloud Resource Management
1.Federation Clouds: A federation cloud is a kind of inter-cloud in which several cloud service providers voluntarily link their infrastructures together to exchange resources. Providers in the federation trade resources in an open manner. With this kind of inter-cloud, private cloud portfolios as well as government clouds (those owned and used by non-profits or the government) can cooperate.

2.Multi-Cloud: In a multi-cloud, a client or service makes use of numerous independent clouds. A multi-cloud lacks voluntarily shared infrastructure across cloud service providers; it is the client's (or their agents') obligation to manage resource provisioning and scheduling. This approach is used to consume assets from both public and private cloud portfolios. Multi-clouds come in two kinds: services and libraries.
Topologies used In InterCloud Architecture
1. Peer-to-Peer Inter-Cloud Federation: Clouds work together directly, though they may also use distributed entities as directories or brokers. Clouds communicate and negotiate directly without intermediaries. RESERVOIR (Resources and Services Virtualization without Barriers) is a peer-to-peer federation inter-cloud project.

2. Centralized Inter-Cloud Federation: Resource sharing is carried out or facilitated by a central body, which serves as a registry of the available cloud resources. The inter-cloud initiatives Dynamic Cloud Collaboration (DCC) and Federated Cloud Management use centralized inter-cloud federation.

3. Multi-Cloud Service: Clients use a service to access various clouds. The cloud client hosts the service either internally or externally, and the service includes broker components. The inter-cloud initiatives OPTIMIS, Contrail, mOSAIC, STRATOS, and commercial cloud management solutions use multi-cloud services.

4. Multi-Cloud Libraries: Clients use a uniform cloud API, packaged as a library, to build their own brokers. Inter-clouds built on libraries make it easier to use clouds consistently. The Java library Apache jclouds, the Python library Apache Libcloud, and the Ruby library Apache Deltacloud are examples of multi-cloud libraries.

Difficulties with Inter-Cloud Research

The needs of cloud users frequently call for varied resources, and those needs are often variable and unpredictable. This creates challenging issues for resource provisioning and application service delivery. The difficulties in federating cloud infrastructures include the following:
•Prediction of Application Service Behaviour: The system must be able to predict customer demand and service behaviour; until it can predict, it cannot make rational decisions to scale up and down dynamically. Prediction and forecasting models have to be constructed, and building models that accurately learn and fit statistical functions to the various behaviours is difficult. Correlating a service's several behaviours can be more difficult still.
•Flexible Service-Resource Mapping: Because of high operational expenses and energy demands, it is crucial to improve efficiency, cost-effectiveness, and utilization. Matching services to cloud resources is a difficult process, since the system must work out the appropriate combinations of software and hardware, and the QoS targets must be met at the same time as the highest possible system utilization and efficiency.
•Techniques for Optimization Driven by Economic Models: Market-driven decision making searches for the best combination of services and deployment strategies, which is a combinatorial optimization problem. Optimization models that address both resource-centric and user-centric QoS objectives are needed.
•Integration and Interoperability: Small and medium enterprises (SMEs) may not be able to migrate to the cloud, since they have a substantial number of on-site IT assets such as business applications, and sensitive data may not be allowed to move to the cloud because of security and privacy concerns. For on-site assets and cloud services to work together, integration and interoperability are required, and solutions are needed for identity management, data management, and business process orchestration.
•Monitoring System Components at Scale: Despite the distributed nature of the system's components, centralized procedures are commonly used for system management and monitoring. Managing multiple service queues and a high volume of service requests raises scalability, performance, and reliability issues that make centralized approaches ineffective; architectures based on decentralized messaging and indexing models are required instead, which can be used for service monitoring and management.

Resource Provisioning
The allocation of resources and services from a cloud provider to a customer is known as resource provisioning in cloud computing, sometimes called cloud provisioning. Resource provisioning is the process of choosing, deploying, and managing software (such as load balancers and database management systems) and hardware resources (including CPU, storage, and networks) to assure application performance.

To use resources effectively without violating the SLA while meeting the QoS requirements, static or dynamic provisioning and static or dynamic allocation of resources must be chosen according to the application's needs. Over- and under-provisioning of resources must be prevented. Power usage is another significant constraint: VM placement should be chosen to reduce power consumption and heat dissipation, and there should be techniques to avoid excess power consumption.
The ultimate objective of a cloud user is to rent resources at the lowest possible cost, while the objective of a cloud service provider is to maximize profit by distributing resources effectively.
Importance of Cloud Provisioning:
•Scalability: Being able to actively scale up and down with flux in demand for resources is one
of the major points of cloud computing
•Speed: Users can quickly spin up multiple machines as per their usage without the need for
an IT Administrator
•Savings: Pay as you go model allows for enormous cost savings for users, it is facilitated by
provisioning or removing resources according to the demand.
Challenges of Cloud Provisioning:
•Complex management: Cloud providers have to use various different tools and techniques
to actively monitor the usage of resources
•Policy enforcement: Organisations have to ensure that users are not able to access the
resources they shouldn’t.
•Cost: Due to automated provisioning costs may go very high if attention isn’t paid to placing
proper checks in place. Alerts about reaching the cost threshold are required.
Tools for Cloud Provisioning:
•Google Cloud Deployment Manager
•IBM Cloud Orchestrator
•AWS CloudFormation
•Microsoft Azure Resource Manager
Types of Cloud Provisioning:
•Static Provisioning or Advance Provisioning: Static provisioning suits applications with known and typically constant demands or workloads. The cloud provider provides the customer with a set number of resources, which the client can then use as required; the client is in charge of making sure the resources are not over-utilized. This is an excellent choice for applications with stable and predictable needs or workloads. For instance, a customer might want a database server with a set quantity of CPU, RAM, and storage.
When a consumer contracts with a service provider for services, the provider makes the necessary preparations before the service can begin. Either a one-time cost or a monthly fee is charged to the client.
Resources are pre-allocated to customers by cloud service providers. This means that, before consuming resources, a cloud user must decide statically how much capacity they need. Static provisioning may therefore result in over- or under-provisioning.
•Dynamic Provisioning or On-demand Provisioning: With dynamic provisioning, the provider adds resources as they are needed and removes them when they are no longer required. It follows a pay-per-use model, i.e. clients are billed only for the exact resources they use: consumers pay for each use of the resources the cloud service provider allots to them, as needed and when necessary. The pay-as-you-go model is another name for this.
Dynamic provisioning techniques also allow VMs to be moved on the fly to new computing nodes within the cloud when application demand changes. This is a suitable choice for applications with erratic and shifting demands or workloads. For instance, a customer might want a web server with a configurable quantity of CPU, memory, and storage; the client uses the resources as required and pays only for what is actually used. The client is in charge of ensuring that the resources are not oversubscribed; otherwise, fees can skyrocket.
•Self-service Provisioning or User Self-provisioning: In user self-provisioning, sometimes referred to as cloud self-service, the customer acquires resources from the cloud provider through a web form, sets up a customer account, and pays with a credit card. Shortly after, the resources are made available for the consumer's use.
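The trade-off between static and dynamic provisioning described above (idle capacity versus SLA shortfall, and the cost-threshold alert the Challenges list asks for) can be seen by simulating both against one demand trace. The program below is an added example for these notes, not code from the original document: the hourly demand, the unit price and the autoscaler thresholds are constructed, and the autoscaler is a simple reactive rule that sets the next hour's capacity from the current hour's utilisation, so it lags a fast ramp exactly as real autoscalers do.

```python
"""Static vs. dynamic provisioning simulated against one demand trace.

Added example for these notes, not code from the original document. The hourly
demand, the unit price and the autoscaler rule are constructed: the autoscaler
scales out above one utilisation threshold, scales in below another, and
decides the next hour's capacity from the current hour's load.
"""
from dataclasses import dataclass

# Constructed 24-hour demand in capacity units (say vCPUs): a daytime peak.
DEMAND = [4, 3, 3, 3, 4, 6, 9, 14, 18, 20, 22, 24,
          24, 23, 21, 19, 17, 15, 12, 10, 8, 6, 5, 4]
PRICE_PER_UNIT_HOUR = 0.05  # constructed on-demand price


@dataclass
class Outcome:
    cost: float            # what the customer pays for the capacity it held
    idle_unit_hours: int   # over-provisioning: paid for but unused
    short_unit_hours: int  # under-provisioning: demand not served (SLA risk)
    max_capacity: int      # largest footprint reached during the run
    alerts: list           # cost-threshold alerts raised during the run


def simulate(capacity_plan, demand=DEMAND, price=PRICE_PER_UNIT_HOUR,
             cost_threshold=None):
    """Charge each hour's capacity and tally idle and shortfall unit-hours.
    cost_threshold models the budget alert the notes call for: the first
    hour in which cumulative spend crosses it is recorded."""
    cost = 0.0
    idle = short = 0
    alerts = []
    for hour, (cap, need) in enumerate(zip(capacity_plan, demand)):
        cost += cap * price
        if cap >= need:
            idle += cap - need
        else:
            short += need - cap
        if cost_threshold is not None and cost > cost_threshold and not alerts:
            alerts.append(f"hour {hour}: cumulative spend {cost:.2f} "
                          f"exceeded {cost_threshold:.2f}")
    return Outcome(cost, idle, short, max(capacity_plan), alerts)


def static_plan(fixed_capacity, hours=len(DEMAND)):
    """Advance provisioning: the same capacity every hour, chosen up front."""
    return [fixed_capacity] * hours


def dynamic_plan(demand=DEMAND, start=4, step=4,
                 scale_out_above=0.8, scale_in_below=0.4, hard_cap=None):
    """On-demand provisioning with a one-hour reaction lag. hard_cap is the
    customer's own ceiling, so a runaway scale-out cannot blow the budget."""
    plan, cap = [], start
    for need in demand:
        plan.append(cap)               # capacity actually in place this hour
        util = need / cap
        if util > scale_out_above:
            cap += step
        elif util < scale_in_below and cap > step:
            cap -= step
        if hard_cap is not None:
            cap = min(cap, hard_cap)
    return plan


def compare():
    """Run the plans the notes contrast and return their outcomes by name."""
    return {
        "static_peak": simulate(static_plan(max(DEMAND))),     # sized for the peak
        "static_average": simulate(static_plan(12)),          # sized near the mean
        "dynamic": simulate(dynamic_plan()),
        "dynamic_capped": simulate(dynamic_plan(hard_cap=max(DEMAND))),
        "static_peak_budget": simulate(static_plan(max(DEMAND)),
                                       cost_threshold=20.0),
    }


if __name__ == "__main__":
    for name, o in compare().items():
        print(f"{name:20} cost={o.cost:6.2f} idle={o.idle_unit_hours:4d} "
              f"short={o.short_unit_hours:3d} max={o.max_capacity:3d} {o.alerts}")
```

Sizing statically for the peak never falls short but pays for 282 idle unit-hours; sizing near the mean halves the bill but leaves 85 unit-hours of demand unserved. The reactive autoscaler is cheaper than the peak plan and short only during the morning ramp, but without a ceiling it overshoots to 32 units against a peak of 24, which is the oversubscription risk the notes warn about; the capped run keeps the same shortfall at lower cost.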

Resource Provisioning Methods
https://ops.systemsapproach.org/provision.html

Global Exchange of Cloud Resources

An open compute exchange may provide a centralized point where cloud consumers and providers can decide which cloud resources to use, as well as a clearing house for providers with excess capacity. Another example may be based on geographical cloud computing.

It provides network services for enterprises, new media providers and telecoms carriers. Their services cover cloud-centric connectivity, from managed SD-WAN and hybrid networks to direct cloud connections and 100 Gbps+ waves.

Components of a global cloud exchange:
• Market directory
• Banking system
• Brokers
• Price setting mechanism
• Admission control mechanism
• Resource management system
• Consumer's utility function
• Resource management proxy
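The broker, price-setting and admission-control components listed here, and the multi-cloud versus federation distinction and service-to-resource mapping discussed under inter-cloud resource management, fit together in a small placement loop. The program below is an added example for these notes, not code from the original document or from any of the projects it names: the clouds, prices, latencies, capacities, requests and the 10 % federation surcharge are all constructed. A client holds contracts with some clouds (multi-cloud); a contracted cloud whose capacity is exhausted can source a request from a federation partner at the partner's price plus the surcharge (federation); the broker takes the cheapest placement that meets the request's region, latency and price constraints, and admission control rejects anything no cloud can serve rather than over-committing.

```python
"""A minimal multi-cloud broker with admission control and federation fallback.

Added example for these notes, not code from the original document. Clouds,
prices, latencies, capacities, requests and the federation surcharge are
constructed. Contracted clouds are used directly; an exhausted contracted
cloud may borrow from a federation partner; requests nothing can serve are
rejected by admission control instead of being over-committed.
"""
from dataclasses import dataclass, field

FEDERATION_SURCHARGE = 0.10  # constructed: 10 % on top of the partner's price


@dataclass
class Cloud:
    name: str
    region: str
    price_per_unit: float
    latency_ms: int        # constructed latency from the client's location
    capacity: int          # free units right now
    partners: list = field(default_factory=list)  # federation peers


@dataclass
class Request:
    rid: str
    units: int
    max_latency_ms: int
    allowed_regions: set   # data-sovereignty constraint
    max_price_per_unit: float


def place(clouds, contracted, req):
    """Map one request to a cloud. Returns (target, via, unit_price) or None
    when admission control rejects it. `via` is the contracted cloud that
    serves the request; it differs from `target` when federation is used."""
    by_name = {c.name: c for c in clouds}
    options = []
    for home in (by_name[n] for n in sorted(contracted)):
        if home.capacity >= req.units:
            options.append((home, home, home.price_per_unit))
        else:
            # home cloud is exhausted: borrow from its federation partners
            for p in home.partners:
                partner = by_name[p]
                options.append((partner, home,
                                partner.price_per_unit * (1 + FEDERATION_SURCHARGE)))
    feasible = [o for o in options
                if o[0].region in req.allowed_regions
                and o[0].latency_ms <= req.max_latency_ms
                and o[2] <= req.max_price_per_unit
                and o[0].capacity >= req.units]
    if not feasible:
        return None                     # admission control: reject, do not over-commit
    target, via, price = min(feasible, key=lambda o: (o[2], o[0].latency_ms))
    target.capacity -= req.units        # commit the allocation
    return target.name, via.name, round(price, 4)


def run_demo():
    """Constructed clouds and a burst of requests; returns placements and free capacity."""
    clouds = [
        Cloud("alpha", "eu", 0.10, 20, 10, partners=["gamma"]),
        Cloud("beta", "us", 0.06, 90, 50),
        Cloud("gamma", "eu", 0.08, 35, 30, partners=["alpha"]),
    ]
    contracted = {"alpha", "beta"}  # the client has no direct contract with gamma
    requests = [
        Request("r1", 8, 50, {"eu"}, 0.20),          # fits the home cloud
        Request("r2", 5, 50, {"eu"}, 0.20),          # alpha exhausted: federation
        Request("r3", 20, 200, {"eu", "us"}, 0.07),  # price-driven: cheapest wins
        Request("r4", 5, 30, {"eu"}, 0.20),          # partner too slow: rejected
        Request("r5", 2, 50, {"eu"}, 0.05),          # nobody this cheap: rejected
    ]
    placements = {r.rid: place(clouds, contracted, r) for r in requests}
    remaining = {c.name: c.capacity for c in clouds}
    return placements, remaining


if __name__ == "__main__":
    placements, remaining = run_demo()
    for rid, p in placements.items():
        print(rid, "->", p if p else "REJECTED (admission control)")
    print("free capacity:", remaining)
```

Federation is only tried when the home cloud is out of capacity, matching the notes' description of the inter-cloud as a remedy for exhausted resources; r2 therefore lands on gamma through alpha's agreement even though the client never contracted with gamma, while r4 is refused because the only partner that could take it violates the latency bound.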

Challenges:
• Unwillingness to shift from the traditional controlled environment.
• Regulatory pressure.
• How to obtain restitution in case of SLA violation.

Security Overview

Cloud computing security or, more simply, cloud security refers to a broad set of policies, technologies, applications, and controls used to protect virtualized IP, data, applications, services, and the associated infrastructure of cloud computing. It is a sub-domain of computer security.
Security Issues in Cloud Computing :
There is no doubt that Cloud Computing provides various advantages, but there are also security issues. Some of the main security issues in Cloud Computing are as follows.

1.Data Loss –
Data loss, and the related problem of data leakage, is one of the issues faced in cloud computing. Our sensitive data is in the hands of somebody else, and we do not have full control over the database. If the security of the cloud service is broken by attackers, they may gain access to our sensitive data or personal files.

2.Insecure Interfaces and APIs –
Cloud services are reached over the Internet, and the easiest way to communicate with the cloud is through its APIs, so the interfaces and APIs used by external users must be protected. Some cloud services are exposed publicly; these are a vulnerable part of cloud computing because third parties can reach them, and a weak or mis-configured interface can let attackers access or damage our data.

3.User Account Hijacking –
Account hijacking is one of the most serious security issues in cloud computing. If the account of a user or an organization is hijacked, the attacker can perform any unauthorized activity the account is permitted to perform.

4.Changing Service Provider –
Vendor lock-in is also an important issue in cloud computing. Organizations face various problems when shifting from one vendor to another. For example, an organization that wants to move from AWS to Google Cloud must migrate all of its data, and since the two cloud services have different techniques and functions it faces problems with those as well; the charges of AWS also differ from those of Google Cloud.

5.Lack of Skill –
Day-to-day work, shifting to another service provider, needing an extra feature, or learning how to use a feature are the main problems in IT companies that lack skilled employees. Working with cloud computing requires skilled people.
6.Denial of Service (DoS) attack –
This type of attack occurs when the system receives more traffic than it can handle, so legitimate users can no longer be served. DoS attacks mostly target large organizations such as the banking and government sectors. Recovering from an attack and restoring service requires a great amount of money as well as time.

7.Shared Resources: Cloud computing relies on a shared infrastructure. If one customer's data or applications are compromised, other customers sharing the same resources may be affected, leading to a breach of confidentiality or integrity.

8.Compliance and Legal Issues: Different industries and regions have specific regulatory requirements for data handling and storage. Ensuring compliance with these regulations can be challenging when data is stored in a cloud environment that may span multiple jurisdictions.

9.Data Encryption: While data in transit is usually encrypted, data at rest is more often left exposed. It is crucial to ensure that data stored in the cloud is properly encrypted, and that the encryption keys are managed separately from the stored data, to prevent unauthorized access.

10.Insider Threats: Employees or service providers with access to cloud systems may misuse their privileges, intentionally or unintentionally causing data breaches. Proper access controls and monitoring are essential to mitigate these threats.

11.Data Location and Sovereignty: Knowing where your data physically resides is important for compliance and security. Some cloud providers store data in multiple locations globally, and this may raise concerns about data sovereignty and who has access to it.

12.Loss of Control: When using a cloud service, you are entrusting a third party with your data and applications. This loss of direct control can lead to concerns about data ownership, access, and availability.

13.Incident Response and Forensics: Investigating security incidents in a cloud environment can be complex. Understanding what happened and who is responsible can be challenging because of the distributed and shared nature of cloud services.

14.Data Backup and Recovery: Relying solely on cloud providers for data backup and recovery can be risky. It is essential to have a robust backup and recovery strategy in place to ensure data availability in case of outages or data loss.

15.Vendor Security Practices: The security practices of cloud service providers vary. It is essential to thoroughly assess the security measures and certifications of a chosen provider to ensure they meet your organization's requirements.

16.IoT Devices and Edge Computing: The proliferation of IoT devices and edge computing increases the attack surface. These devices often have limited security controls and can be targeted to gain access to cloud resources.

17.Social Engineering and Phishing: Attackers may use social engineering tactics to trick users or cloud service providers into revealing sensitive information or granting unauthorized access.
18.Inadequate Security Monitoring: Without proper monitoring and alerting systems in place, it is difficult to detect and respond to security incidents in a timely manner.
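Account hijacking (item 3), insider misuse (item 10) and inadequate monitoring (item 18) are the points at which the provider's audit log is the defender's main instrument. The program below is an added example for these notes, not code from the original document: it runs a few correlation rules over constructed audit events in a CloudTrail-like shape. The field names (eventTime, eventName, userName, sourceIPAddress, mfaAuthenticated), the per-user baseline of familiar addresses, the 30-minute takeover window and the lists of privileged and anti-forensic API calls are this example's own assumptions, not any provider's documented format, and the addresses come from the RFC 5737 documentation ranges.

```python
"""Detection of account-hijacking indicators in cloud audit events.

Added example for these notes, not code from the original document. Events are
constructed in a simplified CloudTrail-like shape; the field names, the
baseline, the time window and the API-call lists are this example's
assumptions. Rule: a console login from an address the user has never used,
followed within the window by persistence (new keys, users, policies) or by
tampering with audit logging, is treated as a probable account takeover.
"""
from datetime import datetime, timedelta

PRIVILEGED = {"CreateAccessKey", "CreateUser", "AttachUserPolicy",
              "PutUserPolicy", "UpdateLoginProfile", "CreateLoginProfile"}
ANTI_FORENSIC = {"StopLogging", "DeleteTrail", "UpdateTrail"}
TAKEOVER_WINDOW = timedelta(minutes=30)

# Constructed events; IPs are from RFC 5737 documentation ranges.
EVENTS = [
    {"eventTime": "2024-03-01T08:00:00Z", "eventName": "ConsoleLogin",
     "userName": "alice", "sourceIPAddress": "203.0.113.10", "mfaAuthenticated": True},
    {"eventTime": "2024-03-01T08:05:00Z", "eventName": "ListBuckets",
     "userName": "alice", "sourceIPAddress": "203.0.113.10", "mfaAuthenticated": True},
    {"eventTime": "2024-03-01T09:00:00Z", "eventName": "ConsoleLogin",
     "userName": "bob", "sourceIPAddress": "203.0.113.20", "mfaAuthenticated": True},
    {"eventTime": "2024-03-01T09:10:00Z", "eventName": "AttachUserPolicy",
     "userName": "bob", "sourceIPAddress": "203.0.113.20", "mfaAuthenticated": True},
    {"eventTime": "2024-03-01T23:40:00Z", "eventName": "ConsoleLogin",
     "userName": "alice", "sourceIPAddress": "198.51.100.77", "mfaAuthenticated": False},
    {"eventTime": "2024-03-01T23:43:00Z", "eventName": "CreateAccessKey",
     "userName": "alice", "sourceIPAddress": "198.51.100.77", "mfaAuthenticated": False},
    {"eventTime": "2024-03-01T23:50:00Z", "eventName": "StopLogging",
     "userName": "alice", "sourceIPAddress": "198.51.100.77", "mfaAuthenticated": False},
]

# Addresses each user has logged in from during an assumed learning period
# (constructed). Deliberately NOT updated by detect(): an attacker's address
# must never become "familiar" just because it was seen.
BASELINE_IPS = {"alice": {"203.0.113.10"}, "bob": {"203.0.113.20"}}


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect(events, baseline):
    """Return findings as (severity, userName, eventTime, reason) tuples."""
    findings = []
    suspicious_login_at = {}   # user -> time of latest login from an unfamiliar address
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        user, ip, name = ev["userName"], ev["sourceIPAddress"], ev["eventName"]
        t = parse_time(ev["eventTime"])
        if name == "ConsoleLogin":
            if ip not in baseline.get(user, set()):
                findings.append(("medium", user, ev["eventTime"],
                                 f"console login from unfamiliar address {ip}"))
                suspicious_login_at[user] = t
            if not ev.get("mfaAuthenticated"):
                findings.append(("medium", user, ev["eventTime"],
                                 "console login without MFA"))
            continue
        recent = suspicious_login_at.get(user)
        correlated = recent is not None and t - recent <= TAKEOVER_WINDOW
        if name in PRIVILEGED and correlated:
            findings.append(("high", user, ev["eventTime"],
                             f"{name} within {TAKEOVER_WINDOW} of login from unfamiliar address"))
        if name in ANTI_FORENSIC:
            # Disabling the trail is bad on its own; after a suspicious login it is worse.
            findings.append(("critical" if correlated else "high", user,
                             ev["eventTime"], f"audit logging changed: {name}"))
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS, BASELINE_IPS):
        print(*f, sep=" | ")
```

Bob's AttachUserPolicy produces nothing because it follows a login from a familiar address with MFA: the privileged call alone is not the signal, the sequence is. Alice's night-time session, by contrast, yields two medium findings at login and escalates as the session mints a long-lived access key and then switches logging off.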

SaaS
Owning software is very expensive. For example, a ₹50 lakh software package running on a ₹1 lakh computer is commonplace. As with hardware, owning software is the current tradition among individuals and businesses, yet often a specific software package is used for no more than a couple of hours per week.
In this situation it would be economically worthwhile to pay per hour of usage. This would also free the user from the bother of maintenance, upgrades, backups, and so on.
This is exactly what SaaS advocates.
Software As A Service (SaaS) is a software delivery model in which customers pay for software per unit time of usage, with the price reflecting marketplace supply and demand.

In this context, SaaS makes a case for paying per usage of software rather than owning software for use.
SaaS shifts "ownership" of the software from the customer to a service provider. The software owner provides maintenance, daily technical operation, and support for the software, and services are provided to the client on a usage basis.
The service provider is a vendor who hosts the software and lets users execute it on demand, charging per usage unit. It also shifts the responsibility for hardware and software management from the customer to the provider. The cost of providing software services falls as more and more customers subscribe to the service.
It makes the software accessible to a large number of customers who cannot afford to purchase the software outright.
If we compare SaaS to SOA, we observe that SaaS is a software delivery model, whereas SOA is a software construction model. Despite significant differences, SOA and SaaS espouse closely related architecture models and complement each other: SaaS offers components for SOA to use, and SOA helps to realize SaaS quickly. The main enablers of both SaaS and SOA are the Internet and web services technologies.
Cloud Governance :

•It is the set of policies or principles that guide the adoption, use, and management of cloud technology services.
•It is an ongoing process that must sit on top of existing governance models.
•It is a set of rules you create, monitor, and amend as necessary in order to control costs, improve efficiency, and eliminate security risks.
Need for Cloud Governance :
By implementing cloud governance, organizations can avoid the following issues.

1. Security and privacy risks :
•These may arise from unauthorized downloads or installation of software, storage of illegal data, and access to restricted sites by users.
•Cloud governance solutions cover multiple cloud security components, for example encryption, security groups, audit trails, application access rules, and access controls.
2. Vendor lock-in :
•Many vendors favour contract terms that make the organization dependent on the cloud service provider (or vendor) for products and services.
•This can be avoided by negotiating the SLA suitably and reducing dependence on a single vendor, thus preserving the organization's freedom.
3. Cloud Sprawl :
•This happens when employees of different departments use different programs and cloud infrastructure from third-party providers without involving the IT department and obtaining the necessary approvals.
•If not detected and restricted, cloud sprawl leads to fragmented, redundant, inefficient, and unmanaged cloud programs sitting on the enterprise cloud and creating unnecessary trouble.
4. Shadow IT and unwarranted usage of cloud resources :
•This happens when employees in various departments do not follow the rules and regulations imposed by the IT department on cloud usage, resulting in security breaches and fragmented control throughout the organization.
•In the long run the organization does not get sufficient results from the cloud.
5. Lack of data portability and interoperability :
•This happens when the cloud service provider or the built-in cloud infrastructure cannot connect well with other software and products outside the organization.
•It may also result in modules that are incompatible with each other and hence chaos in the cloud because of an inefficient system.

Virtual Machine Security

The term "virtualized security", sometimes known as "security virtualization", describes security solutions that are software-based and designed to operate in a virtualized IT environment. This is distinct from conventional hardware-based network security, which is static and is provided by equipment such as conventional switches, routers, and firewalls.

Virtualized security is flexible and adaptive, in contrast to hardware-based security. It can be deployed anywhere on the network and is frequently cloud-based, so it is not bound to a specific device.
In cloud computing, where operators construct workloads and applications on demand, virtualized security enables security services and functions to move with those on-demand workloads. This is crucial for virtual machine security, and for tasks such as isolating tenants from each other in public cloud settings. Because data and workloads move around a complex ecosystem including several providers, the flexibility of virtualized security is useful for securing hybrid and multi-cloud settings.
Types of Hypervisors
Type-1 Hypervisors
A Type 1 hypervisor runs directly on the bare hardware and therefore has no host operating system. Type 1 hypervisors include LynxSecure, RTS Hypervisor, Oracle VM, Sun xVM Server, and VirtualLogix VLX.

Type-2 Hypervisor
A Type 2 hypervisor is an application running on a host operating system that presents simulated hardware to its guests. Examples include VMware Workstation, VMware Fusion, Windows Virtual PC, and Virtual Server 2005 R2. (KVM and Microsoft Hyper-V are usually classed as Type 1, since they run inside or as the kernel rather than as an ordinary application; containers are operating-system-level virtualization and are not hypervisors at all.)
Type I Virtualization
In this design, the Virtual Machine Monitor (VMM) sits directly above the hardware and mediates all interactions between the VMs and the hardware. On top of the VMM is a management VM that handles the other guest VMs and most of the hardware access. The Xen system is a common illustration of this design.
Type II Virtualization
In these architectures, such as VMware Player, the VMM runs as an application within the host operating system (OS). I/O drivers and guest VM management are the responsibility of the host OS.
Service Provider Security
The system’s virtualization hardware should not be physically accessible to anyone who is not
authorized. Each VM can be given an access control that can only be established through the
hypervisor, in order to safeguard it against unwanted access by cloud administrators. The three
fundamental tenets of access control (identity, authentication, and authorization) prevent
administrators from accessing data and system components they are not authorized for.
Hypervisor Security
The hypervisor’s code integrity is protected via a technology called HyperSafe. It keeps the
hypervisor’s code in write-protected memory pages, extends the hypervisor implementation, and
prohibits code changes. By restricting access to its code, it defends the hypervisor from
control-flow hijacking attacks. The only way to carry out a VM Escape attack is through a local
physical setting. Therefore, insider attacks must be prevented in the physical cloud environment.
Additionally, the host OS and the interaction between the guest machines need to be configured
properly.
Virtual Machine Security
The administrator must set up a program or application that prevents virtual machines from
consuming additional resources without permission. Additionally, a lightweight process that
gathers logs from the VMs and monitors them in real time to detect and repair any VM tampering
must run on a virtual machine. Security best practices must be used to harden the guest
OS and any running applications. These practices include setting up firewalls, host intrusion
prevention systems (HIPS), anti-virus and anti-spyware programs, web application
protection, and log monitoring in guest operating systems.
Guest Image Security
A policy to control the creation, use, storage, and deletion of images must be in place for
organizations that use virtualization. To find viruses, worms, spyware, and rootkits that hide
from security software running in a guest OS, image files must be analyzed.
Benefits of Virtualized Security
Virtualized security is now practically required to meet the intricate security requirements of a
virtualized network, and it is also more adaptable and effective than traditional physical
security.
•Cost-Effectiveness: Cloud computing’s virtual machine security enables businesses to keep
their networks secure without having to significantly raise their expenditures on pricey
proprietary hardware. Usage-based pricing for cloud-based virtualized security services can
result in significant savings for businesses that manage their resources effectively.
•Flexibility: It is essential in a virtualized environment that security operations can follow
workloads wherever they go. A company is able to profit fully from virtualization while
simultaneously maintaining data security thanks to the protection it offers across various data
centers, in multi-cloud, and hybrid-cloud environments.
•Operational Efficiency: Virtualized security can be deployed more quickly and easily than
hardware-based security because it doesn’t require IT teams to set up and configure several
hardware appliances. Instead, they can quickly scale security systems by setting them up
using centralized software. Security-related duties can be automated when security technology
is used, which frees up more time for IT employees.
•Regulatory Compliance: Virtual machine security in cloud computing is a requirement for
enterprises that need to maintain regulatory compliance because traditional hardware-based
security is static and unable to keep up with the demands of a virtualized network.
Virtualization Machine Security Challenges
•As previously covered, buffer overflows are a common component of classical network
attacks. Trojan horses, worms, spyware, rootkits, and DoS attacks are examples of
malware.
•In a cloud context, newer attacks may be carried out via VM rootkits, hypervisor malware,
or guest hopping and hijacking. Man-in-the-middle attacks against VM migrations are another
form of attack. Typically, passwords or sensitive information are stolen during passive attacks.
Active attacks could alter the kernel’s data structures, seriously harming cloud servers.
•IDSs come in two types, HIDS and NIDS. Program shepherding can be used to supervise and
check the execution of code. The RIO dynamic optimization infrastructure, the vSafe and
vShield tools from VMware, security compliance for hypervisors, and Intel vPro technology are
some further protective solutions.
Four Steps to ensure VM Security in Cloud Computing
Protect Hosted Elements by Segregation
To secure virtual machines in cloud computing, the first step is to segregate the newly hosted
components. Let’s take an example where three features that are now running on an edge
device may be placed in the cloud either as part of a private subnetwork that is invisible or as
part of the service data plane, with addresses that are accessible to network users.
All Components are Tested and Reviewed
Before allowing virtual features and functions to be implemented, you must confirm that they
comply with security standards as step two of cloud-virtual security. Virtual networking is
subject to outside attacks, which can be dangerous, but insider attacks can be disastrous.
When a feature with a backdoor security flaw is added to a service, it becomes a part of the
infrastructure of the service and is far more likely to have unprotected attack paths to other
infrastructure pieces.
Separate Management APIs to Protect the Network
The third step is to isolate service from infrastructure management and orchestration. Because
they are created to regulate features, functions, and service behaviors, management APIs will
always pose a significant risk. All such APIs should be protected, but the ones that keep an eye
on infrastructure components that service users should never access must also be protected.
Keep Connections Secure and Separate
The fourth and last aspect of cloud virtual network security is to make sure that connections
between tenants or services do not cross over into virtual networks. Virtual Networking is a
fantastic approach to building quick connections to scaled or redeployed
features, but each time a modification is made to the virtual network, it’s possible that an
accidental connection will be made between two distinct services, tenants, or feature/function
deployments. A data plane leak, a link between the actual user networks, or a management or
control leak could result from this, allowing one user to affect the service provided to another.

Identity and Access Management

In a recent study by Verizon, 63% of confirmed data breaches are due to weak, stolen, or default passwords.
There is a saying in the cybersecurity world: “No matter how good your chain is, it’s only as strong as your
weakest link,” and hackers use exactly the weakest links in the organization to infiltrate it. They usually
use phishing attacks to infiltrate an organization, and if they get at least one person to fall for it, it’s a serious turn of
events from there on. They use the stolen credentials to plant backdoors, install malware, or exfiltrate confidential data,
all of which cause serious losses for an organization.

How Identity and Access Management Works

AWS (Amazon Web Services) allows you to maintain fine-grained permissions to the AWS account
and the services provided by the Amazon cloud. You can manage the permissions of individual
users, or you can manage the permissions of sets of users as groups, and roles help you to
manage the permissions to the resources.

What Is Identity and Access Management (IAM)?

Identity and Access Management (IAM) is a combination of policies and technologies that allows organizations
to identify users and provide the right form of access as and when required. There has been a burst in the market of
new applications, and the requirement for an organization to use these applications has increased drastically. The
services and resources you want to access can be specified in IAM. IAM doesn’t provide any replica or backup. IAM
can be used for many purposes, such as controlling individual and group access to your AWS
resources. With IAM policies, managing permissions for your workforce and systems to ensure least-privilege
permissions becomes easier. AWS IAM is a global service.

Components of Identity and Access Management (IAM)

1.Users

2.Roles

3.Groups

4.Policies

The new applications being created in the cloud, on mobile and on-premise can hold sensitive and regulated
information. It’s no longer acceptable or feasible to just create an identity server and provide access based on
requests. In current times an organization should be able to track the flow of information and provide least-privileged
access as and when required; obviously, with a large workforce and new applications being added every day, it becomes
quite difficult to do so. So organizations specifically concentrate on managing identity and its access with the
help of a few IAM tools. It’s quite obvious that it is very difficult for a single tool to manage everything, but there are
multiple IAM tools in the market that help organizations with any of the few services given below.

IAM Identities Classified As


1.IAM Users

2.IAM Groups

3.IAM Roles

Root User: The root user will automatically be created and granted unrestricted rights. We can create an admin user
with fewer powers to control the entire Amazon account.

IAM Users: We can utilize IAM users to access the AWS Console; their administrative permissions differ from
those of the root user, and we can keep track of their login information.

Example
With the aid of IAM users, we can accomplish our goal of giving a specific person access to every service available in
the Amazon dashboard with only a limited set of permissions, such as read-only access. Let’s say user-1 is a user that I
want to have read-only access to the EC2 instance and no additional permissions, such as create, delete, or update. By
creating an IAM user and attaching user-1 to that IAM user, we may allow the user access to the EC2 instance with the
required permissions.

IAM Groups: A group is a collection of users, and a single person can be a member of several groups. With the aid of
groups, we can manage permissions for many users quickly and efficiently.

Example
Consider two users named user-1 and user-2. If we want to grant user-1 specific permissions, such as the ability to
delete, create, and update the auto-scaling group only, and if we want to grant user-2 all the necessary permissions to
maintain the auto-scaling group as well as the ability to maintain EC2 and S3, we can create groups and add these users to
them. If a new user is added, we can add that user to the required group with the necessary permissions.

IAM Roles
While policies cannot be directly attached to any of the services accessible through the Amazon dashboard, IAM roles are
similar to IAM users in that they may be assumed by anybody who requires them. By using roles, we can
grant AWS services access rights to other AWS services.

Example
Consider Amazon EKS. In order to maintain an autoscaling group, EKS needs access to EC2 instances. Since we
can’t attach policies directly to EKS in this situation, we must build a role, attach the necessary policies to
that specific role, and attach that particular role to EKS.

IAM Policies
IAM policies manage access to AWS by being attached to IAM identities or resources. IAM policies define the
permissions of AWS identities and AWS resources; when a user or any resource makes a request, AWS validates
these policies and confirms whether the request is to be allowed or denied. AWS policies are stored in
JSON format. The number of policies attached to a particular IAM identity depends on the number of permissions required
for that identity; an IAM identity can have multiple policies attached to it.
Access Management For AWS Resources
•Identity management

•Access management

•Federation

•RBAC/EM
•Multi-Factor authentication

•Access governance

•Customer IAM

•API Security

•IDaaS – Identity as a service

•Granular permissions

•Privileged Identity management – PIM (PAM or PIM is the same)

More About the Services: Looking at the services in brief, identity management is purely responsible for managing
the identity lifecycle. Access management is responsible for access to the resources, and access governance is
responsible for access request grants and audits. PIM or PAM is responsible for managing all the privileged access to the
resources. The remaining services either support these services or help in increasing their productivity.

Market for IAM: In the current market there are three market leaders (Okta, SailPoint and CyberArk) who each
master one of the three domains (Identity Management, Identity Governance and Privileged Access Management),
according to Gartner and Forrester reports. These companies have developed solutions and are still developing new
solutions that allow an organization to manage identity and its access securely without any hindrances in the workflow.
There are other IAM tools: BeyondTrust, Ping, OneLogin, Centrify, Azure Active Directory, Oracle Identity Cloud
Services and many more.

Benefits of IAM Systems


•Enhanced Security: IAM prevents unauthorized access to sensitive data and systems, thus minimizing access by
unauthorized personnel.

•Improved Compliance: It also guarantees that the organization complies with the legal requirements concerning
access control as well as the tracking of activities performed by users.

•Increased Productivity: Automates the processes of user and access management, thus minimizing the number
of manual operations and providing faster access to the required resources.

•Reduced Risk: Strict access protocols reduce internal risks and data losses.
•Centralized Management: Capable of consolidating identity and company access control and enforcing the same
across different systems.

Importance of IAM for Organizations


•Security: IAM makes certain that only the right people are given access to core systems and information, and thus
safeguards organizations from threats within and outside.

•Regulatory Compliance: IAM aids organizations in complying with legal and industry requirements
based on the accessibility and the log records of user activities.

•Operational Efficiency: IAM minimizes the workload of IT teams by automating tasks such as
onboarding, offboarding, and shifts in user roles.
•Risk Mitigation: IAM also helps in combating data breaches and cyber attacks since it has strict measures for
granting access to users.

•User Experience: It provides easier access for the firm’s partners, employees, and customers when interacting with its
systems, with increased security, thus enhancing productivity and customer satisfaction.

IAM and Compliance Regulations


•Access Control: IAM helps in authorizing only the right people to access information; this complies with data
protection laws such as GDPR and HIPAA.

•Audit Trails: Saves a rich history of users’ activities to assist in audits and other reporting requirements.
•Segregation of Duties: Implements strict access control with respect to the roles that users undertake, to
avoid breaching conflict-of-interest rules as provided by SOX and its equivalents.

•Data Protection: Enhances data protection; it is useful in supporting compliance with data security
policies in line with PCI-DSS and other standards.

•User Authentication: Provides multi-factor authentication, thus satisfying the security standards of many compliance
programs.

IAM Technologies and Tools


•Single Sign-On (SSO): Lets a user log in once and use multiple applications, while also giving more
security to the services. Example: Okta and Microsoft Azure AD.

•Multi-Factor Authentication (MFA): Requires you to verify your account in two or more ways to
boost its security. Example: Duo Security and Google Authenticator.

•Role-Based Access Control (RBAC): Secures the system based on employees’ roles, where the user has the
least privilege needed to access the system. Example: IBM Security Identity Manager.

•Privileged Access Management (PAM): Manages the granting and maintenance of access to highly
privileged computing resources. Example: CyberArk, BeyondTrust.

Resource Access Control


Identity and Access Management (IAM) allows you to manage the permissions to the resources in the AWS cloud,
such as which users can access a particular service and to what extent; and instead of maintaining the permissions individually,
you can manage the permissions of a group of users at a time.

1.Managing permissions: For example, if you want to assign a permission so that a user can only perform the
restart-instance task on an AWS EC2 instance, you can do so using AWS IAM.

2.Implementing role-based access control (RBAC): Identity and Access Management (IAM) helps you to
manage permissions based on roles. Roles help to assign permissions to resources in AWS, such as
which resource can access another resource, according to the requirement.

3.Enabling single sign-on (SSO): Identity and Access Management helps you to maintain the same password and
user name across services, which reduces the effort of remembering different passwords.
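The policy evaluation described under IAM Policies above, together with the read-only EC2 user from the IAM Users example and the restart-only permission from item 1 here, as an added example that is not part of the original notes. It is a simplified teaching model, not the real AWS engine: only Effect, Action and Resource are honoured, `*` is the only wildcard, there are no Condition blocks, and the policies and the account id 111122223333 are constructed sample values.

```python
"""Simplified model of IAM policy evaluation (added example, not AWS code).

Teaching model only: Effect / Action / Resource are honoured, '*' is the only
wildcard (applied to actions and resource ARNs alike), and there are no
Condition blocks. The order IAM documents is kept: start from an implicit
deny, any matching Allow grants access, and an explicit Deny always wins.
"""
import fnmatch
import json

# Constructed sample policies in the JSON format IAM uses; the account id
# 111122223333 is a placeholder, not a real account.
READ_ONLY_EC2 = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"}
  ]
}
""")

REBOOT_ONLY_EC2 = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "ec2:RebootInstances",
     "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/*"}
  ]
}
""")

FULL_EC2 = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]
}
""")

# A group-level guard rail: an explicit Deny that no Allow can override.
DENY_TERMINATE = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"}
  ]
}
""")

# Constructed instance ARN used in the demonstrations below.
INSTANCE = "arn:aws:ec2:us-east-1:111122223333:instance/i-0abc123"


def _as_list(value):
    """IAM accepts either a single string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)


def _matches(pattern, value):
    """Case-insensitive wildcard match (IAM action names are case-insensitive)."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def evaluate(policies, action, resource):
    """Return 'Allow' or 'Deny' for one request against all attached policies."""
    decision = "Deny"                      # implicit default deny
    for policy in policies:
        for stmt in policy["Statement"]:
            action_hit = any(_matches(a, action) for a in _as_list(stmt["Action"]))
            resource_hit = any(_matches(r, resource) for r in _as_list(stmt["Resource"]))
            if not (action_hit and resource_hit):
                continue                   # statement does not apply to this request
            if stmt["Effect"] == "Deny":
                return "Deny"              # explicit deny short-circuits everything
            decision = "Allow"             # remember the allow, keep looking for denies
    return decision


if __name__ == "__main__":
    # user-1 from the IAM Users example: read-only on EC2
    print("describe:", evaluate([READ_ONLY_EC2], "ec2:DescribeInstances", INSTANCE))
    print("terminate:", evaluate([READ_ONLY_EC2], "ec2:TerminateInstances", INSTANCE))
    # the restart-only user from Resource Access Control, scoped to one region
    print("reboot us-east-1:", evaluate([REBOOT_ONLY_EC2], "ec2:RebootInstances", INSTANCE))
    # the explicit deny in the group policy beats the broad allow, in either order
    print("terminate (full + deny):",
          evaluate([FULL_EC2, DENY_TERMINATE], "ec2:TerminateInstances", INSTANCE))
```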

IAM Features
1.Shared Access to your Account: A team working on a project can easily share resources with the help of the shared
access feature.

2.Free of cost: IAM feature of the AWS account is free to use & charges are added only when you access other
Amazon web services using IAM users.
3.Have Centralized control over your AWS account: Any new creation of users, groups, or any form of cancellation
that takes place in the AWS account is controlled by you, and you have control over what & how data can be
accessed by the user.

4.Grant permission to the user: As the root account holds administrative rights, the user will be granted permission to
access certain services by IAM.

5.Multifactor Authentication: Additional layer of security is implemented on your account by a third party, a six-digit
number that you have to put along with your password when you log into your accounts.

Accessing IAM
1.AWS Console: Access AWS IAM through the GUI. It is a web application provided by AWS (Amazon Web
Services); it is a console where users can access AWS services.

2.AWS Command Line Tools: Instead of accessing the console, you can use the command line interface (CLI) to
access the AWS web application. You can automate the process by using scripts.

3.IAM Query API: Programmatic access to IAM and AWS by allowing you to send HTTPS requests directly to the
service.

What are Cloud Security Standards?


It was essential to establish guidelines for how work is done in the cloud due to the different
security dangers facing the cloud. They offer a thorough framework for how cloud security is
upheld with regard to both the user and the service provider.

•Cloud security standards provide a roadmap for businesses transitioning from a traditional
approach to a cloud-based approach by providing the right tools, configurations, and
policies required for security in cloud usage.
•It helps to devise an effective security strategy for the organization.
•It also supports organizational goals like privacy, portability, security, and interoperability.
•Certification with cloud security standards increases trust and gives businesses a
competitive edge.
Need for Cloud Security Standards
•Ensure cloud computing is an appropriate environment: Organizations need to make sure that
cloud computing is the appropriate environment for the applications as security and mitigating
risk are the major concerns.
•To ensure that sensitive data is safe in the cloud: Organizations need a way to make sure that
the sensitive data is safe in the cloud while remaining compliant with standards and
regulations.
•No existing clear standard: Cloud security standards are essential as earlier there were no
existing clear standards that can define what constitutes a secure cloud environment. Thus,
making it difficult for cloud providers and cloud users to define what needs to be done to
ensure a secure environment.
•Need for a framework that addresses all aspects of cloud security: There is a need for
businesses to adopt a
Lack of Cloud Security Standards
•Enterprises and CSPs have been forced to fumble while relying on an endless variety of
auditing needs, regulatory requirements, industry mandates, and data center standards to
offer direction on protecting their cloud environments, due to the lack of adequate cloud
security standards.
•Because of this, the Cloud Security Alliance is more difficult to understand than it first
appears, and its fragmented strategy does not meet the criteria for “excellent security”.
Best Practices For Cloud Security
1. Secure Access to the Cloud
Although the majority of cloud service providers have their own ways of safeguarding the
infrastructure of their clients, you are still in charge of protecting the cloud user accounts and
access to sensitive data for your company. Consider improving password management in your
organization to lower the risk of account compromise and credential theft.

Adding password policies to your cybersecurity program is a good place to start. Describe the
cybersecurity practices you demand from your staff, such as using unique, complex passwords
for each account and routine password rotation.

2. Control User Access Rights

Some businesses give employees immediate access to a wide range of systems and data in
order to make sure they can carry out their tasks effectively. For cybercriminals, these
individuals’ accounts are a veritable gold mine because compromising them can make it
simpler to gain access to crucial cloud infrastructure and elevate privileges. Your company can
periodically review and revoke user rights to prevent this.

3. Transparency and Employee Monitoring

You can use specialized solutions to keep an eye on the behavior of your staff in order to
promote transparency in your cloud infrastructure. You can spot the earliest indications of a
cloud account compromise or an insider threat by keeping an eye on what your employees are
doing while they are at work. Imagine your cybersecurity experts discover a user accessing
your cloud infrastructure from a strange IP address or outside of normal business hours. In that
situation, they’ll be able to respond to such odd activity promptly because it suggests that a
breach may be imminent.
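The kind of review described in step 3, as an added example that is not from the original notes: a pass over constructed login records in a simplified CloudTrail-like shape, flagging an account used from an untrusted IP address or outside business hours. The trusted networks, the 08:00-18:00 UTC working window and the log records are all assumptions.

```python
"""Review of cloud account activity for the two warning signs named in step 3:
use from an unfamiliar IP address or outside normal business hours.
Added example, not from the original notes. Records are constructed in a
simplified CloudTrail-like shape (eventTime in UTC, userIdentity,
sourceIPAddress, eventName); the trusted ranges and the working hours are
assumptions a real deployment would take from its own inventory.
"""
from datetime import datetime, timezone
import ipaddress
import json

# Assumed corporate egress ranges (RFC 5737 documentation prefixes, constructed).
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),
                    ipaddress.ip_network("198.51.100.0/24")]
# Assumed working window: 08:00-18:00 UTC, Monday to Friday.
BUSINESS_START, BUSINESS_END = 8, 18

# Constructed sample log, one JSON record per line (2024-03-04 is a Monday,
# 2024-03-09 a Saturday).
SAMPLE_LOG = """\
{"eventTime":"2024-03-04T09:15:00Z","userIdentity":{"userName":"alice"},"sourceIPAddress":"203.0.113.17","eventName":"ConsoleLogin"}
{"eventTime":"2024-03-04T23:40:00Z","userIdentity":{"userName":"alice"},"sourceIPAddress":"203.0.113.17","eventName":"ConsoleLogin"}
{"eventTime":"2024-03-05T10:02:00Z","userIdentity":{"userName":"bob"},"sourceIPAddress":"192.0.2.44","eventName":"GetSessionToken"}
{"eventTime":"2024-03-09T14:00:00Z","userIdentity":{"userName":"carol"},"sourceIPAddress":"198.51.100.9","eventName":"CreateAccessKey"}
"""


def is_trusted_ip(ip_text):
    """True when the address lies inside one of the known corporate ranges."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:           # e.g. the literal 'AWS Internal' or a malformed field
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def is_business_hours(event_time):
    """True for a weekday timestamp inside the assumed working window (UTC)."""
    ts = datetime.fromisoformat(event_time.replace("Z", "+00:00")).astimezone(timezone.utc)
    return ts.weekday() < 5 and BUSINESS_START <= ts.hour < BUSINESS_END


def review_events(log_text):
    """Parse one record per line; return (user, event, reasons) for each suspicious one."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        src = event.get("sourceIPAddress", "")
        reasons = []
        if not is_trusted_ip(src):
            reasons.append("untrusted source IP " + src)
        if not is_business_hours(event["eventTime"]):
            reasons.append("outside business hours at " + event["eventTime"])
        if reasons:
            findings.append((event["userIdentity"]["userName"], event["eventName"], reasons))
    return findings


if __name__ == "__main__":
    for user, name, reasons in review_events(SAMPLE_LOG):
        print(f"{user:6} {name:16} {'; '.join(reasons)}")
```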

4. Data Protection

This involves data protection against unauthorized access, prevention of accidental data
disclosure, and ensuring ceaseless access to crucial data in the case of failures and errors.

5. Access Management

Three capabilities that are a must in access management are the ability to identify and
authenticate users, the ability to assign access rights to users, and the ability to develop and
enact access control policies for all the resources.
Common Cloud Security Standards

1. NIST (National Institute of Standards and Technology)

NIST is a federal organization in the US that creates metrics and standards to boost competition
in the scientific and technology industries. The National Institute of Standards and Technology
(NIST) developed the Cybersecurity Framework to comply with US regulations such as the
Federal Information Security Management Act (FISMA) and the Health Insurance Portability and
Accountability Act (HIPAA). NIST places a strong emphasis on classifying assets
according to their commercial value and adequately protecting them.

2. ISO-27017

A development of ISO-27001 that includes provisions unique to cloud-based information
security. Along with ISO-27001 compliance, ISO-27017 compliance should be taken into
account. This standard has not yet been introduced to the marketplace. It attempts to offer
further direction in the cloud computing information security field. Its purpose is to supplement
the advice provided in ISO/IEC 27002 and various other ISO27k standards, such as ISO/IEC
27018 on the privacy implications of cloud computing, and ISO/IEC 27031 on business
continuity.

3. ISO-27018

The protection of personally identifiable information (PII) in public clouds that serve as PII
processors is covered by this standard. Despite the fact that this standard is especially aimed
at public-cloud service providers like AWS or Azure, PII controllers (such as a SaaS provider
processing client PII in AWS) nevertheless bear some accountability. If you are a SaaS provider
handling PII, you should think about complying with this standard.

4. CIS controls

Organizations can secure their systems with the help of Center for Internet Security (CIS) Controls,
which are open-source policies based on consensus. Each control is rigorously reviewed by a
number of professionals before a conclusion is reached.
To easily access a list of evaluations for cloud security, consult the CIS Benchmarks customized
for particular cloud service providers. For instance, you can use the CIS-AWS controls, a set of
controls created especially for workloads using Amazon Web Services (AWS).

5. FISMA

In accordance with the Federal Information Security Management Act (FISMA), all federal
agencies and their contractors are required to safeguard information systems and assets. NIST,
using NIST SP 800-53, was given authority under FISMA to define the framework security
standards (see definition below).
6. Cloud Architecture Framework

These frameworks, which frequently cover operational effectiveness, security, and cost-value
factors, can be viewed as best-practice standards for cloud architects. This framework,
developed by Amazon Web Services, aids architects in designing workloads and applications on
the Amazon cloud. Thanks to this framework, which is based on a collection of questions for the
analysis of cloud environments, customers have access to a reliable resource for architecture
evaluation.

7. General Data Protection Regulation (GDPR)

For the European Union, there are laws governing data protection and privacy. Even though this
law only applies to the European Union, it is something you should keep in mind if you store or
otherwise handle any personal information of residents of the EU.

8. SOC Reporting

A form of audit of the operational processes used by IT businesses offering any service is
known as a “Service and Organization Audits 2” (SOC 2). A worldwide standard for
cybersecurity risk management systems is SOC 2 reporting. The SOC 2 Audit Report shows that
your company’s policies, practices, and controls are in place to meet the five trust principles.
The SOC 2 audit report lists security, availability, processing integrity, confidentiality, and
privacy as the trust principles. If you offer software as a service, potential clients might
request proof that you adhere to SOC 2 standards.

9. PCI DSS

For all merchants who use credit or debit cards, the PCI DSS (Payment Card Industry Data
Security Standard) provides a set of security criteria. For businesses that handle cardholder
data, there is PCI DSS. The PCI DSS specifies fundamental technological and operational criteria
for safeguarding cardholder data. Cardholders are intended to be protected from identity theft
and credit card fraud by the PCI DSS standard.

10. HIPAA

The Health Insurance Portability and Accountability Act (HIPAA), passed by the US Congress to
safeguard individual health information, also has parts specifically dealing with information
security. Businesses that handle medical data must abide by HIPAA law. The HIPAA Security
Rule (HSR) is the best choice in terms of information security. The HIPAA HSR specifies rules for
protecting people’s electronic personal health information that a covered entity generates,
acquires, makes use of or maintains.
Organizations subject to HIPAA regulations need risk evaluations and risk management plans to
reduce threats to the availability, confidentiality, and integrity of the crucial health data they
manage. Assume your company sends and receives health data via cloud-based services
(SaaS, IaaS, PaaS). If so, it is your responsibility to make sure the service provider complies
with HIPAA regulations and that you have implemented best practices for managing your cloud
setups.
11. CIS AWS Foundations v1.2

Any business that uses Amazon Web Service cloud resources can help safeguard sensitive IT
systems and data by adhering to the CIS AWS Foundations Benchmark. Intelligence analysts
developed a set of objective, consensus-driven configuration standards known as the CIS
(Center for Internet Security) Benchmarks to help businesses improve their information
security. Additionally, CIS procedures are for fortifying AWS accounts to build a solid foundation
for running jobs on AWS.

12. ACSC Essential Eight

ACSC Essential 8 (also known as the ASD Top 4) is a list of eight cybersecurity mitigation
strategies for small and large firms. In order to improve security controls, protect businesses’
computer resources and systems, and protect data from cybersecurity attacks, the Australian
Signals Directorate (ASD) and the Australian Cyber Security Centre (ACSC) developed the
“Essential Eight Tactics.”
