Cloud Security Fundamentals
• There are a lot of myths about cloud security that need to be clarified.
• Myth: as soon as you hand something to the cloud, you no longer have to worry
about security compliance.
That is absolutely not correct. If you are a business, your clients look to you
for security. Whether you go to the cloud or run it internally on your private
infrastructure, that does not change your responsibility in terms of who owns
compliance. There needs to be a very clear demarcation line between what the
provider secures and what you still secure yourself.
• Myth: it is black and white; either cloud is insecure by default or cloud is
secure by default.
None of that is correct. It really depends on the controls. You are not
reinventing or eliminating any controls; you are moving where the controls
reside and changing who owns them. Cloud by default is neither insecure nor
secure. At the end of the day it is how everything is implemented and how the
data flows.
By Prof. Raj Sarode 2
• Myth: data is encrypted all the time.
It really depends, and that is a big myth. Some cloud service providers encrypt
your data; some do not. You need to find out and understand how your data is
handled, and in particular whether the service provider holds the encryption
key or you do. It all depends on the cloud model. Whether you are at box.com,
Dropbox or Salesforce, it depends on the various processes they run on your
data and whether your data is really encrypted or not.
• Myth: "It's my data, I'll get it back when I need it."
Not necessarily; it depends on where the data has been residing. There are
country-specific laws that you need to know and understand in order to get your
data back.
Cloud security considerations, whether compliance, identity and access
management, service integrity, endpoint integrity, information protection or
IP-specific protection, all need to be taken into account no matter how you
use the cloud and for what reasons.
Cloud Security: the security and risk management mechanisms and operational
processes supporting the cloud computing IT model.
As a consumer of a cloud platform, application or service, it is the customer's
responsibility to understand the inner workings of the cloud model and its
inherent risks, together with the controls available to address them.
This includes understanding not only the services being provided but the
back-end processes, including governance, physical security, network security
and other critical controls.
The Cloud Security Alliance (CSA) maintains an active body of work titled the
Cloud Controls Matrix, or CCM, at version 3.0.1 at the time of writing (here: https://
cloudsecurityalliance.org/research/ccm/), which provides an excellent way to
understand the security controls commonly available for cloud services.
Vulnerability Assessment Tools For Cloud
• Clouds provide a powerful computing platform that enables individuals
and organizations to perform a variety of tasks, such as using online
storage space, adopting business applications, developing customized
software, and creating a "realistic" network environment.
• Vulnerability management tools help information security teams stay
ahead of the rising tide of security issues in their organizations.
• They combine state-of-the-art vulnerability detection with
prioritization algorithms that help organizations identify the issues
requiring immediate attention, so they can focus effort on the
vulnerabilities most likely to result in a breach.
Vulnerability Management Product Features
• Quality and speed of updates.
• Compatibility with your environment.
• Support for cloud services.
• Compliance.
• Prioritization.
• Active and passive detection.
• Authenticated and unauthenticated scanning.
• Remediation guidance.
• Vendor support.
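As an added illustration of two of the points above, prioritization and authenticated versus unauthenticated scanning (example code written for this page, not from these slides or from any vendor's product): the scanner export, the asset inventory and the exploit-intelligence set are constructed sample data, the vulnerability IDs (V-1 and so on) are placeholders rather than real identifiers, and the multipliers are assumptions a team would tune to its own environment.

```python
import json
from dataclasses import dataclass

# Constructed sample scanner export, one JSON object per line. Vulnerability IDs
# are placeholders (V-1 ...), not real CVE identifiers. "scan" records whether the
# finding came from an authenticated (credentialed) or unauthenticated run.
SAMPLE_FINDINGS = """
{"asset": "web-01",  "id": "V-1", "cvss": 9.8, "scan": "unauthenticated"}
{"asset": "web-01",  "id": "V-1", "cvss": 9.8, "scan": "authenticated"}
{"asset": "web-01",  "id": "V-2", "cvss": 5.4, "scan": "authenticated"}
{"asset": "db-01",   "id": "V-3", "cvss": 7.5, "scan": "authenticated"}
{"asset": "bastion", "id": "V-4", "cvss": 6.5, "scan": "unauthenticated"}
"""

# Constructed asset inventory and exploit-intelligence feed (assumptions, not real data).
ASSETS = {
    "web-01":  {"internet_facing": True,  "criticality": "high"},
    "db-01":   {"internet_facing": False, "criticality": "high"},
    "bastion": {"internet_facing": True,  "criticality": "medium"},
}
KNOWN_EXPLOITED = {"V-3"}          # IDs with a public exploit or observed exploitation
CRITICALITY_WEIGHT = {"low": 0.5, "medium": 1.0, "high": 1.5}


@dataclass
class Finding:
    asset: str
    vuln_id: str
    cvss: float
    authenticated: bool     # True if any credentialed scan confirmed it


def parse_findings(text: str) -> list:
    """Merge duplicate (asset, id) rows; credentialed evidence wins over unauthenticated."""
    merged = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        key = (rec["asset"], rec["id"])
        confirmed = rec["scan"] == "authenticated"
        if key not in merged:
            merged[key] = Finding(rec["asset"], rec["id"], float(rec["cvss"]), confirmed)
        else:
            merged[key].authenticated = merged[key].authenticated or confirmed
            merged[key].cvss = max(merged[key].cvss, float(rec["cvss"]))
    return list(merged.values())


def score(f: Finding) -> float:
    """CVSS base score adjusted by exposure, exploit availability, asset value and evidence quality."""
    asset = ASSETS[f.asset]
    s = f.cvss
    if asset["internet_facing"]:
        s *= 1.5                        # reachable by anyone on the internet
    if f.vuln_id in KNOWN_EXPLOITED:
        s *= 2.0                        # an exploit exists: likelihood, not just severity
    s *= CRITICALITY_WEIGHT[asset["criticality"]]
    if not f.authenticated:
        s *= 0.8                        # banner-only evidence: higher false-positive chance
    return round(s, 2)


def prioritize(text: str) -> list:
    """Return (score, asset, vuln_id) tuples, highest priority first."""
    ranked = [(score(f), f.asset, f.vuln_id) for f in parse_findings(text)]
    return sorted(ranked, reverse=True)


if __name__ == "__main__":
    for s, asset, vid in prioritize(SAMPLE_FINDINGS):
        print(f"{s:6.2f}  {asset:8s} {vid}")
```

With this sample the internal database host's 7.5 finding with a known exploit ranks above the internet-facing 9.8, which is the kind of reordering a CVSS-only list never produces; the duplicate web-01 row from the unauthenticated run is folded into the credentialed one rather than counted twice.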
List Of Vulnerability Tools
Name | Owner | Licence | Platforms
Acunetix WVS | Acunetix | Commercial / Free (Limited Capability) | Windows
AppScan | IBM | Commercial | Windows
App Scanner | Trustwave | Commercial | Windows
AppSpider | Rapid7 | Commercial | Windows
AVDS | Beyond Security | Commercial / Free (Limited Capability) | N/A
BlueClosure BC Detect | BlueClosure | Commercial, 2 weeks trial | Most platforms supported
Burp Suite | PortSwigger | Commercial / Free (Limited Capability) | Most platforms supported
Contrast | Contrast Security | Commercial / Free (Limited Capability) | SaaS or On-Premises
GamaScan | GamaSec | Commercial | Windows
Grabber | Romain Gaucher | Open Source | Python 2.4, BeautifulSoup and PyXML
Grendel-Scan | David Byrne | Open Source | Windows, Linux and Macintosh
GoLismero | GoLismero Team | GPLv2.0 | Windows, Linux and Macintosh
IKare | ITrust | Commercial | N/A
Indusface Web Application Scanning | Indusface | Commercial | SaaS
N-Stealth | N-Stalker | Commercial | Windows
Netsparker | Mavituna Security | Commercial | Windows
Nexpose | Rapid7 | Commercial / Free (Limited Capability) | Windows/Linux
Nikto | CIRT | Open Source | Unix/Linux
ParosPro | MileSCAN | Commercial | Windows
Proxy.app | Websecurify | Commercial | Macintosh
QualysGuard | Qualys | Commercial | N/A
Retina | BeyondTrust | Commercial | Windows
Securus | Orvant, Inc | Commercial | N/A
Sentinel | WhiteHat Security | Commercial | N/A
SOATest | Parasoft | Commercial | Windows / Linux / Solaris
Tinfoil Security | Tinfoil Security, Inc. | Commercial / Free (Limited Capability) | SaaS or On-Premises
Trustkeeper Scanner | Trustwave SpiderLabs | Commercial | SaaS
Vega | Subgraph | Open Source | Windows, Linux and Macintosh
Wapiti | Informática Gesfor | Open Source | Windows, Unix/Linux and Macintosh
WebApp360 | Tripwire | Commercial | Windows
WebInspect | HP | Commercial | Windows
WebReaver | Websecurify | Commercial | Macintosh
WebScanService | German Web Security | Commercial | N/A
Websecurify Suite | Websecurify | Commercial / Free (Limited Capability) | Windows, Linux, Macintosh
Wikto | SensePost | Open Source | Windows
w3af | w3af.org | GPLv2.0 | Linux and Mac
Xenotix XSS Exploit Framework | OWASP | Open Source | Windows
Zed Attack Proxy | OWASP | Open Source | Windows, Unix/Linux and Macintosh
Privacy and Security in Cloud
• Cloud computing security or, more simply, cloud security refers to a broad
set of policies, technologies, and controls deployed to protect data,
applications, and the associated infrastructure of cloud computing. It is a
sub-domain of computer security, network security, and, more broadly,
information security.
• Well-known security issues such as data loss, phishing and botnets (malware
controlled remotely across a collection of compromised machines) pose serious
threats to an organization's data and software.
• Moreover, the multi-tenancy model and the pooled computing resources of
cloud computing have introduced new security challenges that require novel
techniques to tackle.
• For example, attackers can use the cloud to build a botnet, since the cloud
often provides more reliable infrastructure at a relatively lower price from
which to launch an attack.
Identity Management & Access Control
• Business demands on Identity Management & Access Control are changing
rapidly, resulting in the requirement to adopt emerging technologies.
• Identity Management: your online identity is established when you register.
During registration, some attributes are collected and stored in the database.
• The registration process can be quite different depending on what kind of
digital identity you will be issued.
• An identity and access management (IAM) system is a framework of business
processes that facilitates the management of electronic identities.
• Access Control: so once the user's identity is established, can they access
the service? Wrong. Authentication != Authorization (!= is programmer notation
for "not equal"). After authentication there needs to be a separate access
control decision.
• The decision is based on the information available about the user. This is
where the attributes come into play.
• If the authentication process can deliver the required set of attributes to the
access control decision point, the decision point can evaluate the attributes
against policy and make the Yes/No decision.
• The difference between identity management and access management is
thus:
• Identity Management is about managing the attributes related to the user
• Access Management is about evaluating the attributes based on policies
and making Yes/No decisions
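The two steps described above, as an added example written for this page (not code from these slides): authentication checks a password against a salted PBKDF2 verifier and returns the attributes stored at registration; a separate decision point evaluates those attributes against policy rules and defaults to deny. The user directory, passwords, attributes and policy are constructed sample data, and the `access()` helper is a hypothetical wrapper that runs both steps so that "not authenticated" and "authenticated but not authorized" remain distinguishable.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed sample "registration database": attributes captured at registration
# plus a salted PBKDF2 password verifier. Not data from any real system.
_SALT = b"constructed-fixed-salt"      # fixed only so the example is reproducible


def _verifier(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


DIRECTORY = {
    "alice": {"verifier": _verifier("alice-pw"),
              "attributes": {"department": "finance", "role": "analyst", "mfa": True}},
    "bob":   {"verifier": _verifier("bob-pw"),
              "attributes": {"department": "engineering", "role": "developer", "mfa": False}},
}


@dataclass(frozen=True)
class Identity:
    subject: str
    attributes: dict


def authenticate(username: str, password: str) -> Optional[Identity]:
    """Identity management side: prove who the user is and hand back their attributes."""
    record = DIRECTORY.get(username)
    if record is None:
        return None
    if not hmac.compare_digest(record["verifier"], _verifier(password)):
        return None
    return Identity(username, dict(record["attributes"]))


# Access management side: each rule names an (action, resource) pair and the
# attribute values it requires. First matching rule allows; anything else is denied.
POLICY = [
    {"action": "read",  "resource": "payroll",
     "require": {"department": {"finance"}, "mfa": {True}}},
    {"action": "write", "resource": "payroll",
     "require": {"department": {"finance"}, "role": {"manager"}, "mfa": {True}}},
    {"action": "read",  "resource": "source-repo",
     "require": {"department": {"engineering"}}},
]


def decide(identity: Optional[Identity], action: str, resource: str, policy=POLICY) -> bool:
    """Access control decision point: evaluate attributes against policy, default deny."""
    if identity is None:
        return False                                   # no authenticated attributes to evaluate
    for rule in policy:
        if (rule["action"], rule["resource"]) != (action, resource):
            continue
        if all(identity.attributes.get(attr) in allowed
               for attr, allowed in rule["require"].items()):
            return True
    return False


def access(username: str, password: str, action: str, resource: str) -> str:
    """Hypothetical helper running both steps so the two refusals stay distinguishable."""
    identity = authenticate(username, password)
    if identity is None:
        return "denied: authentication failed"
    if not decide(identity, action, resource):
        return "denied: authenticated but not authorized"
    return "allowed"


if __name__ == "__main__":
    for args in [("alice", "alice-pw", "read", "payroll"),
                 ("alice", "alice-pw", "write", "payroll"),
                 ("bob", "bob-pw", "read", "payroll"),
                 ("bob", "bad-pw", "read", "source-repo")]:
        print(args, "->", access(*args))
```

Alice authenticates successfully in every case, yet her write to payroll is refused because her attributes (role analyst) do not satisfy the policy; that refusal comes from the decision point, not from the login, which is exactly the Authentication != Authorization distinction.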
Cloud computing security challenges
• Cloud computing security challenges fall into these broad categories:
• Data Protection: securing your data both at rest and in transit.
• User Authentication: limiting access to data and monitoring who accesses
the data.
• Disaster and Data Breach: contingency planning.
• Advanced Attacks & Cyber Conflicts.
• Service Provider Visibility.
• Translating Enterprise Requirements into the Cloud.