Lecture4_Mechanisms_and_Security.pptx

Transcript

CS 5610
Introduction to Cloud
Computing

1
 Lecture 4
Cloud Mechanisms
Cloud Security
[email protected]

2
 Learning Objectives
 Understand the building blocks for cloud
environment.
 Explain how cloud services and features are
supported through the implementation of the
cloud mechanisms
 Understand the fundamental terms and concepts
of cloud security
 Explain the common threats and attacks in cloud
environments
 Understand the shared security responsibility
between cloud consumers and cloud providers

3
Section I – Cloud
Mechanisms

4
 Cloud Mechanisms
 The technology-centric nature of cloud computing
requires the establishment of a set of
mechanisms that act as building blocks for
supporting cloud services:
- Cloud Virtual Server and - Automated Scaling
Hypervisor - Load Balancer
- Logical Network Perimeter - Failover Systems
- Cloud Storage - Resource Cluster
- Cloud Usage Monitor - Multi-device Broker
- Cloud Resource Replication
- Ready-Made Environment

5
 Cloud Virtual Server
Mechanism
 A virtual server is a virtualized (emulated) server from a
physical server.
 Virtual servers are used by cloud providers to share the
same physical server with multiple cloud consumers by
providing cloud consumers with individual virtual server
instances
 Each virtual server can host numerous IT resources and
cloud-based solutions.
 The number of instances a given physical server can share
is limited by the capacity.
 The terms virtual server and virtual machine (VM) are used
synonymously.

 The virtual server mechanism represents the most
foundational building block of cloud environments. 6
Cloud Virtual Server

Figure - The first physical
server hosts two virtual
servers, while the second
physical server hosts one
virtual server.

7
 Cloud Hypervisor
 A Cloud Hypervisor is software that enables the
sharing of cloud provider’s physical compute and
memory resources across multiple virtual
machines (VMs).
 Type-1 Hypervisor software can be installed
directly in bare-metal servers and provides
features for controlling, sharing and scheduling
the usage of hardware resources, such as
processor power, memory, and I/O.
 Cloud providers most commonly deploy a Type 1
Hypervisor.

8
 Cloud Hypervisor
 Cloud providers most commonly deploy a Type 1
(bare-metal, native) hypervisor, where
virtualization software is installed directly on the
hardware.
They generally perform better and more
efficiently than hosted hypervisors.
As well, because bare-metal hypervisors are
isolated from the attack-prone operating system,
they are more secure.

9
 Pre-made VM Images
 In order to enable the on-demand quick creation
of virtual servers, cloud providers can provide
cloud consumers with a set of template virtual
servers that are made available through pre-
made VM images.
E.g., Amazon Machine Images (AMIs), Google Cloud
images

o https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html
o https://cloud.google.com/compute/docs/images

10
 Cloud Virtual Infrastructure
Manager
 The Virtual Infrastructure Manager (VIM) is
often used in the cloud data center to
coordinate the physical servers in relation to the
creation of virtual server instances.
This approach is used to apply a uniform
implementation of the virtualization platform
layer.
The VIM provides a range of features for
administering multiple hypervisors across
physical servers.
(see the next slide)

11
Hypervisor and VIM

Virtual servers are created via the physical servers’
hypervisors and a central VIM.
All three hypervisors are jointly controlled by the
same VIM. 12
Hypervisor and VIM
VIM can help do
live migration of
virtual servers
among physical
servers inside the
same data center

A virtual server capable of
auto-scaling experiences an
increase in its workload (1).

The VIM decides that the
virtual server cannot scale
up because its underlying
physical server host is being
used by other virtual
servers (2).

13
Hypervisor and VIM
The VIM commands the
hypervisor on the busy
physical server to suspend
execution of the virtual server
(3).

The VIM then commands the
instantiation of the virtual
server on the idle physical
server. State information (such
as dirty memory pages and
processor registers) is
synchronized via a shared
cloud storage device (4).

The VIM commands the
hypervisor at the new physical
server
Virtual to resume
servers are ablethe
to virtual
live
server
migrate processing (5).
from one physical server to
another

14
 Logical Network Perimeter
Mechanism
 The Logical Network Perimeter is a virtual
network boundary that separates an
environment from the rest of a communication
network, creating a secure, isolated network
space within a cloud infrastructure.
This mechanism is established using a combination of
software-defined networking (SDN) technologies, virtual
networks, and security mechanisms
o to ensure secure communication between internal resources
and external systems.
o to isolate the cloud-based IT resources from other cloud
consumers and non-authorized users

15
 Logical Network Perimeter
 Key Features:
Isolation of Resources
o VMs, databases, etc.
Virtual Firewalls and Security Groups
o filter network traffic
Virtual Networks (VPNs and VLANs)
o Segment, connections
IP Address Management for secure communication
 In cloud environments,
Virtual Private Cloud (VPC) in AWS or Virtual
Network (VNet) in Azure represent implementations
of logical network perimeters.
16
 Cloud Storage Mechanism
 The cloud storage mechanism refers to the
technologies and processes that allow data to be
stored, managed, and accessed over the internet
using remote servers hosted by cloud service
provider.
 Instances of these storage devices can be
virtualized, similar to how physical servers can
spawn virtual servers.
 Cloud storage mechanism is one of the
foundational building blocks of cloud
environments.

17
 Types of Cloud Storage
 Cloud storage mechanisms provide common
types of data storage, such as:
File storage – Organizes data in a hierarchical structure
(files and directories).
Block storage – Treats data as blocks, similar to a
traditional hard drive.
Object storage – Stores data as objects, where each
object contains data, metadata, and a unique identifier.
Data are organized as Web-based resources.
 Each is associated with a certain type of technical
interface and a particular type of cloud storage
device.

18
Cloud Storage Types

Figure - Different cloud service
consumers utilize different
technologies to interface with
virtualized cloud storage
devices.

POSIX: Portable Operating System Interface is
a family of standards specified by the IEEE
Computer Society for maintaining compatibility
between operating systems

CRUD: Create, read, update and delete

19
Cloud Usage Monitor Mechanism

 The Cloud Usage Monitor mechanism refers to the
tools and processes that track, collect, and
analyze data about the usage of cloud resources
and services.
 Three types of monitors are commonly
implemented in cloud environments
Pay-per-use monitor
SLA monitor
Audit monitor
 There are also some specialized monitors.

20
 Pay-per-use Monitor
 The pay-per-use monitor tracks the usage of
cloud resources to calculate billing based on the
"pay-as-you-go" pricing model.
 Some typical monitoring variables are:
- request/response message quantity
- service uptime
- transmitted data volume
- bandwidth consumption
 The data collected by the pay-per-use monitor is
processed by a billing management system that
calculates the fees.

21
 Pay-per-use Monitor
Figure - A cloud service
consumer sends a request
message to the cloud service
(1).
The pay-per-use monitor
intercepts the message (2),
forwards it to the cloud
service (3a), and stores the
usage information in
accordance with its
monitoring metrics (3b). The
cloud service forwards the
response messages back to
the cloud service consumer
to provide the requested
service
The figure illustrates a pay-per-use monitor that (4).
transparently
intercepts and analyzes runtime communication with a cloud
service.
22
 SLA Monitor
 The SLA (Service Level Agreement) monitor
is used to specifically observe the runtime
performance/quality of cloud services to ensure
that they are fulfilling the contractual QoS
requirements, as defined in SLAs.
 The data collected by the SLA monitor is
processed by an SLA management system to
be aggregated into SLA reporting metrics.

23
SLA Monitor
Figure - The SLA monitor polls the cloud
service by sending over polling request
messages (MREQ1 to MREQN). The monitor
receives polling response messages (MREP1 to
MREPN) that report that the service was “up” at
each polling cycle (1a). The SLA monitor stores
the “up” time—time period of all polling cycles
1 to N—in the log database (1b).

The SLA monitor polls the cloud service that
sends polling request messages (MREQN+1 to
MREQN+M). Polling response messages are not
received (2a). The response messages
continue to time out, so the SLA monitor
stores the “down” time—time period of all
polling cycles N+1 to N+M—in the log
database (2b).

The SLA monitor sends a polling request
message (MREQN+M+1) and receives the polling
response message (MREPN+M+1) (3a). The SLA24
 Audit Monitor
 The audit monitor is used to track and log cloud
activities for compliance, auditing, and security
purpose.
To check whether using the cloud IT resources is in
compliance with legal or policy requirements.

Figure in the next slide depicts an audit monitor that intercepts
“login” requests and stores the requestor’s security
credentials, as well as both failed and successful login
attempts, in a log database for future audit reporting purposes.

25
Audit Monitor

Figure - A cloud service consumer
requests access to a cloud service by
sending a login request message
with security credentials (1). The
audit monitor intercepts the
message and forwards it to the
authentication service (2). The
authentication service processes the
security credentials. A response
message is generated for the cloud
service consumer, in addition to the
results from the login attempt (3).
The audit monitor intercepts the
response message and stores the
entire collected login event details in
the log database, as per the
organization’s audit policy
requirements (4). Access has been
granted (5), and a response is sent26
 Cloud Usage Monitor
 Examples:
AWS Billing and Cost Management, Azure Cost
Management and Billing, Google Cloud Billing
AWS CloudWatch, Azure Monitor, Google Cloud
Operations Suite
AWS CloudTrail, Azure Activity Log, Google Cloud
Audit Logs

27
Resource Replication Mechanism

 Resource replication, defined as the creation of
multiple instances of the same IT resource, is
typically performed to enhance availability,
performance and fault tolerance.
 To implement resource replication, various
technologies such as virtualization and
containerization, are often used to replicate
cloud-based IT resources.

28
Resource Replication

Figure - The
hypervisor
accesses a stored
virtual server
image and
replicates several
instances.

29
Ready-Made Environment Mechanism

 The ready-made environment mechanism is a
defining component of the PaaS cloud delivery
model.
PaaS represents a pre-defined, cloud-based platform comprised
of a set of already installed IT resources, ready to be used and
customized by a cloud consumer.
 These environments are utilized by cloud
consumers to remotely develop and deploy their
applications within a cloud.
 Typical ready-made environments include pre-
installed IT resources, such as databases,
libraries, and development tools.
30
Ready-Made Environment

Figure - A cloud
consumer accesses a
ready-made
environment.

31
Automated Scaling Mechanism
 The automated scaling mechanism triggers
the dynamic allocation of cloud IT resources
based on predefined scaling conditions
automatically.
 The core component in this mechanism is the
scaling listeners
are deployed within the cloud to track workload status
information.

32
 Automated Scaling
Figure 1, 2, 3 illustrate the process of automated scaling

Figure 1 -Cloud service consumers are sending requests to a
cloud service (1). The automated scaling listener monitors the
cloud service to determine if predefined capacity thresholds
are being exceeded (2).
33
 Automated Scaling

Figure 2 - The number of requests coming from cloud service consumers
increases (3). The workload exceeds the performance thresholds. The
automated scaling listener determines the next action based on a
predefined scaling policy (4). If the cloud service implementation is
deemed eligible for additional scaling, the automated scaling listener
initiates the scaling process (5).
34
 Automated Scaling

Figure 3 - The automated scaling listener sends a signal to the resource
replication mechanism (6), which creates more instances of the cloud
service (7). Now that the increased workload has been accommodated,
the automated scaling listener resumes monitoring and detracting and
adding IT resources, as required (8).
35
 Automated Scaling
 The scaling listeners can provide different types
of responses to workload fluctuation conditions,
such as:
Automatically scaling IT resources out or in based on
parameters previously defined by the cloud consumer.
Automatic notification of the cloud consumer when
workloads exceed current thresholds or fall below
allocated resources.
o This way, the cloud consumer can choose to adjust its
current IT resource allocation.

36
 Load Balancer Mechanism
 The load balancer mechanism is used to
balance a workload across two or more IT
resources to increase performance and capacity.
 The load balancer mechanisms can be:
Hardware based or
Software based
 The load balancer is typically located on the
communication path between the IT resources
generating the workload and the IT resources
performing the workload processing.
 A load balancer is programmed or configured with
a set of performance and QoS rules.
37
Load Balancer

Figure - A load balancer
implemented as a
service agent
transparently
distributes incoming
workload request
messages across two
redundant cloud
service
implementations, which
in turn maximizes
performance for the
cloud service
consumers.

38
 Failover System Mechanism
 The failover system mechanism is used to
increase the reliability and availability of IT
resources.
 A failover system is configured to
automatically switch over to a redundant or
standby IT resource instance whenever the
currently active IT resource becomes
unavailable.
 Failover systems are commonly used for mission-
critical programs and reusable services that can
introduce a single point of failure for multiple
applications.
39
 Failover System
 A failover system can span more than one
geographical region so that each location hosts
one or more redundant implementations of the
same IT resource.
 The resource replication mechanism is sometimes
utilized by the failover system to provide
redundant IT resource instances, which are
actively monitored for the detection of errors and
unavailability conditions.
 Failover systems come in two basic
configurations:
 Active - Active
 Active - Passive 40
Failover System: Active-Active
In an active – active configuration,
redundant implementations of the IT resources
actively serve the workload synchronously.

Figure - The
failover system
monitors the
operational status
of Cloud Service
A.

41
Failover System: Active-Active
Load balancing among active instances is required.
When a failure is detected, the failed instance is
removed from the load balancing scheduler. Whichever
IT resource remains operational when a failure is
detected takes over the processing.

Figure -When a failure
is detected in one
Cloud Service A
implementation, the
failover system
commands the load
balancer to switch over
the workload to the
redundant Cloud
Service A
42
implementation.
Failover System: Active-Active

Figure - The failed
Cloud Service A
implementation is
recovered or
replicated into an
operational cloud
service. The failover
system now
commands the load
balancer to
distribute the
workload again.

43
Failover System: Active-Passive
 In an active-passive configuration, a standby
or inactive implementation is activated to take
over the processing from the IT resource that
becomes unavailable, and the corresponding
workload is redirected to the instance taking over
the operation (Figures in the next slide)

44
Failover System: Active-Passive

Figure - The
failover system
monitors the
operational
status of Cloud
Service A. The
Cloud Service A
implementation
acting as the
active instance is
receiving cloud
service consumer
requests.
45
Failover System: Active-Passive

Figure - The Cloud
Service A
implementation acting
as the active instance
encounters a failure
that is detected by the
failover system, which
subsequently activates
the standby Cloud
Service A
implementation and
redirects the workload
toward it. The newly
invoked Cloud Service
A implementation now
assumes the role of
active instance.
46
Failover System: Active-Passive

Figure - The failed Cloud
Service A implementation
is recovered or replicated
an operational cloud
service, and is now
positioned as the standby
instance, while the
previously invoked Cloud
Service A continues to
serve as the active
instance.

47
 Resource Cluster Mechanism
 Cloud-based IT resources can be logically
combined into groups to improve their allocation
and use.
 The resource cluster mechanism is used to
group multiple IT resource instances so that
they can be operated as single IT resource
instance.
 This increases the combined capacity and
availability of the clustered IT resources.

48
 Resource Cluster Mechanism
 A cluster management platform is usually
responsible for these activities.
running as distributed middleware
implements a coordination function that allows
clustered IT resources to appear as one IT resource.
 Resource cluster mechanism relies on high-speed
dedicated network connections between IT
resource instances to communicate about
workload distribution, task scheduling, data
sharing, and system synchronization.

49
 Resource Cluster
 Common resource cluster
types include:
Server Cluster –
o Physical or virtual servers are
clustered to increase
performance and
availability.
o Hypervisors running on
different physical servers can
be configured to share virtual
server execution state in order
to establish clustered virtual
servers.

50
 Resource Cluster
Storage Cluster –
o Designed to improve data availability, this high-
availability resource cluster has a synchronization
feature that maintains the consistency of data being
stored at different storage devices used in the cluster.

51
Connect the clustered storage
and the clustered servers.

52
Multi-Device Broker Mechanism
 An individual cloud service may need to be accessed
by a range of cloud service consumers
differentiated by their hosting hardware devices
and/or communication requirements.
 The multi-device broker mechanism is used to
facilitate runtime data transformation so as to make a
cloud service accessible to a wider range of cloud
service consumer programs and devices.
To overcome incompatibilities between a cloud service and a
disparate cloud service consumer.

53
Multi-Device Broker

Figure - A multi-device broker
contains the mapping logic
necessary to transform data
exchanges between a cloud
service and different types of
cloud service consumer
devices.

54
Section II – Cloud
Security

55
 Cloud Security Incidents

A more recent report
Sources: says that more than
https://www.immuniweb.com/blog/top-10-cloud-security-incidents-in-2022 80% of organizations.html have experienced a
cloud-related security
https://www.helpnetsecurity.com/2020/07/09/public-cloud-security-inciden
t/ incident over the past
12 month.
https://www.helpnetsecurity.com/2020/06/03/cloud-data-breach/
56
 Cloud Security
 Cloud computing security or, more simply, cloud
security, refers to the policies, technologies, best
practices, and controls utilized to secure data,
applications, services, and infrastructure in cloud
environments.
It is a sub-domain of computer security, and, more
broadly, information security or cybersecurity.

The next a few slides define fundamental security
terms and concepts relevant to cloud computing.

57
Cloud Security

4 basic concepts
related to cloud
security

58
 Confidentiality
 Confidentiality is the characteristic of
something being made accessible only to
authorized parties.

59
 Integrity
 Integrity is the characteristic of not having been
altered by an unauthorized party.
An important issue that concerns data integrity in the
cloud is whether a cloud consumer can be guaranteed
that the data it transmits to a cloud service matches the
data received by that cloud service.

61
 Integrity

Figure - The message sent by the cloud
consumer to the cloud service is
considered to have integrity if it has not
been altered.

62
 Availability
 Availability is the characteristic of being
accessible and usable during a specified time
period.
 In typical cloud environments, the availability of
cloud services can be a responsibility that is
shared by the cloud provider and the cloud
carrier.

63
 Availability
 Availability (A) can be calculated using the
equation:

64
 Availability

Availability Total downtime per
year
99% (two nines) 3.6 days
99.9% (three nines) 8 hours 46 minutes
99.99% (four nines) 52 minutes 36 seconds
99.999% (five nines) 5 minutes 15 seconds
99.9999% (six 32 seconds
nines)

65
 Authenticity
 Authenticity is the characteristic of something
being genuine and being able to be verified
and trusted.

 Authentication is the process or action of
verifying a user or process before allowing access
to a system or resources.

66
 Challenge/Discussion
 Calculate availability
1. What is the availability value of a
system/service if its total downtime
in one year (365 days) is 10 hours?

2. To reach 5-9s (99.999%) availability,
what is the total allowable downtime
(in seconds) of the service in one
year?

67
 Challenge/Discussion
 The following figure explains the
cloud security concept of
_____________
A. Integrity
B. Confidentiality
C. Authenticity
D. Availability

68
 Threat Agents
 A threat agent is an entity that exploits a
vulnerability and poses a threat.
It is capable of carrying out an attack.
 Cloud security threats can originate either
internally or externally, from humans or software
programs.
 Types of threat agents in cloud environment:
Anonymous attacker
Malicious tenant
Malicious insider

69
 Threat Agents: Anonymous
Attacker
 An anonymous attacker is a non-trusted
attacker without permission in the cloud.
 It typically launches network-level attacks
through public networks.
 Anonymous attackers often resort to committing
acts like intercepting messages, bypassing user
accounts or stealing user credentials.
When anonymous attackers have limited information on
security policies and mechanisms, it can inhibit their
ability to formulate effective attacks.

70
 Threat Agents: Malicious
Tenant
 A malicious tenant is a cloud consumer who
attempts to exploit legitimate credentials to targe
cloud providers and other cloud consumers.
 Malicious tenants can use cloud-based IT
resources for a wide range of exploitations,
including:
the hacking of weak authentication processes
the breaking of encryption
the spamming of email accounts
the launching of DoS campaigns.

71
 Threat Agents: Malicious
Tenant
 Because they are actually the cloud consumers,
Also known as Trusted attackers
 Unlike anonymous attackers, malicious tenants
usually launch their attacks from within a cloud
by abusing legitimate credentials.

72
 Threat Agents: Malicious
Insider
 Malicious insiders are human threat agents
acting on behalf of or in relation to the cloud
provider.
 They are typically current or former employees
or third parties with access to the cloud
provider’s premises.
 This type of threat agent carries tremendous
damage potential
As the malicious insider may have administrative
privileges for accessing cloud IT resources.

73
 Common Cloud Threats and
Attacks
 The common threats and attacks in cloud
environments are:
Misconfiguration of Cloud Services
Insufficient Authorization and Unauthorized
Access
Insecure Interfaces and APIs
Cloud Malware Injection Attacks
Traffic Eavesdropping
Denial of Services

74
 Common Cloud Threats and
Attacks
 A survey conducted in 2022 to 775 cyber-security
professionals had to say about the current state
of cloud security and the biggest cloud security
threat:

Source:
https://pages.checkpoint.com/2022-cloud-security-report.ht
ml 75
Misconfiguration of Cloud Services

 Although the cloud has been around for over a
decade, it’s still a fairly new technology that IT
professionals are still learning how to implement
properly.
 Security misconfiguration refers to the failure to
properly configure cloud computing resources and
infrastructure to protect against cyber threats.

76
Misconfiguration of Cloud Services

 Cloud misconfiguration is one of the biggest cloud
security threats.
 Examples:
One real-life example is the Alteryx breach in 2017,
during which the online marketing firm exposed data
from millions of households by misconfiguring an AWS
S3 Bucket.
In 2022, McGraw Hill was informed that 22 TB of data,
including student grades and personal information, had
been exposed since 2015 because of a misconfigured
AWS S3 bucket. This misconfiguration meant that around
117 million files could have been accessed by any threat
actor with a simple web browser.
Source:
https://www.wiz.io/academy/common-cloud-vulnerabilities
77
Misconfiguration of Cloud Services

 Misconfiguration is mostly due to human
negligence:
 For example:
Using Default Account and Password (publicly known)
Excessive/Unnecessary Access
Unencrypted Storage / Unsecured backup
Missing Updates and Patches
Unrestricted ports, both inbound and outbound.

78
Misconfiguration of Cloud Services

 Misconfiguration is due to human negligence, so
it is also preventable:
Deploy MFA (multi-factor authentication) to reduce
the security risk of unauthorized access due to
credential compromise
Apply the Principle of Least Privilege (PoLP) for both
machines and humans for access to all systems
Automate security and configuration checks (tools
help)
Follow the correct configuration procedures and
best practices

79
 Insufficient Authorization
 Insufficient authorization is a security
vulnerability that can allow unauthorized access,
data breaches, and other security incidents,
leading to potential harm, data loss, or legal
liability.
This is due to a lack of proper authentication or
authorization mechanisms.
 The insufficient authorization attack occurs when
access is granted to an attacker erroneously or
too broadly, resulting in the attacker getting
access to cloud IT resources that are normally
protected.
80
 Insufficient Authorization
 A variation of this attack known as weak
authentication, can result when weak passwords
or shared accounts are used to protect the IT
resources.
 Within the cloud environments, these types of
attacks can lead to significant impacts
depending on the range of IT resources and the
range of access to those IT resources the attacker
gains.

81
Insufficient Authorization

Figure - An attacker has
cracked a weak
password used by Cloud
Service Consumer A. As
a result, a malicious
cloud service consumer
is designed to pose as
Consumer A in order to
gain access to the cloud-
based virtual server.

82
 Insufficient Authorization
 Example:
The Broward Health public health system has disclosed a large-scale
data breach incident impacting 1,357,879 individuals. An investigation
revealed that the threat actors gained access to patient's personal
medical information.
Source: https://www.wiz.io/academy/common-cloud-vulnerabilities

 To mitigate insufficient authorization
/unauthorized access:
Use biometric or other multi-factor authentication (MFA)
methods
Implement a strong password policy
Conduct regular access audits
Deploy a detection and response tool
Implement least privilege access and other best practices to
cloud resources
83
 Insecure APIs
 Organizations/businesses typically depend on
Application Programming Interfaces (APIs) for
mission-critical applications and processes.
 APIs can contain security flaws that must be
addressed by each organization according to its
security needs. APIs are just as susceptible to a
breach as other weaknesses on company servers
and networks.

84
 Insecure APIs
 Due to the growing popularity of API usage,
securing APIs has become paramount. Insecure
APIs is a leading cause of incidents and data
breaches:
Example: The attack vector for the Optus data breach
in 2022 was an unsecured and publicly available API that
didn't require any authentication protocols to access.
The breach compromised the sensitive records of around
10 million customers.
Source:
https://www.wiz.io/academy/common-
cloud-vulnerabilities

85
 Insecure APIs
 Key Principles for Proper API Usage:
The attack surface provided by APIs should be tracked,
configured, and secured.
Traditional controls, change management policies, and
approaches need to be updated to keep pace with cloud-
based API growth.
Companies should embrace automation and employ
technologies that monitor continuously for anomalous
API traffic and remediate problems in near real-time.

https://cloudsecurityalliance.org/blog/2022/07/30
/top-threat-2-to-cloud-computing-insecure-interfa
ces-and-apis/

86
 Cloud Malware Injection
Attacks
 Cloud malware injection attacks are a type of
cyber attack that involves injecting malicious
software, such as viruses or ransomware, into
cloud computing resources.
As a result, it creates malicious service implementation
modules or virtual machine instances related to either
SaaS, PaaS, or IaaS.

87
 Cloud Malware Injection
Attacks
 Examples:
A cloud malware, Cloud Snooper, infected cloud infrastructure
servers hosted in the AWS cloud (EC2) - reported by Sophos in
2020.
o https://www.darkreading.com/cloud/-cloud-snooper-attack-circumvents-
aws-firewall-controls
Microsoft Azure VMs Hijacked in Cloud Cyberattack in 2023
o https://www.darkreading.com/cloud/microsoft-azure-vms-highjacked-in-
cloud-cyberattack
 To prevent cloud malware injection attack:
Abide by a zero-trust model
o “never trust, always verify”
Implement a malware threat detection solution
Segment your network when suffering from a malware attack

88
 Traffic Eavesdropping
 Traffic eavesdropping occurs when data being
transferred to or within a cloud (usually from the
consumer to the cloud provider) is intercepted by
a malicious service agent for illegitimate
information gathering purposes.
 The aim of this attack is to directly compromise
the confidentiality of the data and, possibly, the
confidentiality of the relationship between the
cloud consumer and cloud provider.

89
 Traffic Eavesdropping
 Because of the passive nature of this attack, it
can more easily go undetected for an extended
period of time.
 Detecting eavesdropping attacks is challenging. A
proactive approach is therefore critical for
eavesdropping attack prevention:
Ensure that your cloud resources leverage some means
of authentication for inbound network traffic
Segment networks
Inspect malicious links
Monitor networks and use firewalls

90
Traffic Eavesdropping

Figure - An externally
positioned malicious
service agent carries
out a traffic
eavesdropping attack
by intercepting a
message sent by the
cloud service consumer
to the cloud service.
The service agent
makes an unauthorized
copy of the message
before it is sent along
its original path to the
cloud service.

91
 Denial of Service
 The objective of the denial of service (DoS) attack is to
overload IT resources to the point where they cannot
function properly.
Distributed Denial-of-Service (DDoS)
 This form of attack is commonly launched in one of the
following ways:
The workload on cloud services is artificially increased with
repeated requests, each of which is designed to consume
excessive memory and processing resources
Application-layer attacks

The network is overloaded with traffic to reduce its responsiveness
and cripple its performance.

92
Denial of Service

Figure - Cloud Service
Consumer A sends
multiple messages to
a cloud service (not
shown) hosted on Virtual
Server A. This overloads
the capacity of the
underlying physical
server, which causes
outages with Virtual
Servers A and B. As a
result, legitimate cloud
service consumers, such
as Cloud Service
Consumer B, become
unable to communicate
with any cloud services
93
hosted on Virtual Servers
 Denial of Service
 Example
AWS was hit by a gigantic DDoS attack in February 2020.
The attack lasted for three days.
o https://www.a10networks.com/blog/5-most-famous-dd
os-attacks/
 To prevent DoS attacks on cloud services:
Implement sound network monitoring practices
Explore cloud-based DDoS protection solutions
Be ready with a DDoS response battle plan
Ensure sufficient server capacity

94
Shared Security Responsibility
 The cloud security responsibility is shared
between the Cloud Provider and the
Customer.

95
Shared Security Responsibility

Cloud Service Provider Service Customer
Global infrastructure Data encryption
(Regions, Availability zones, Operating systems
Edge locations) configuration
Hardware Network configuration
Networking Firewall configuration
Database Platform management
Storage Identity and access
Compute management
Software Customer data

96
 Cloud Security Alliance
 The Cloud Security Alliance (CSA) is the world’s
leading organization dedicated to defining and
raising awareness of best practices to help create
a secure cloud computing environment.
 https://cloudsecurityalliance.org/

97
 Cloud Security Alliance
 Categories of SECaaS defined by CSA
Category 1 - Identity and Access Management
Category 2 - Data Loss Prevention
Category 3 - Web Security
Category 4 - Email Security
Category 5 - Security Assessments
Category 6 - Intrusion Management
Category 7 - Security Information and Event
Management
Category 8 - Encryption

https://cloudsecurityalliance.org/press-releases/2012/08/07/input-
on-secaas-implementation-guidance/

98
 Challenge/Discussion
 Search for and list a few examples of
SECaaS.

99
 Summary of Key Points
Cloud mechanisms are building blocks of cloud
environments
A virtual server is a form of virtualization software that
emulates a server.
Logical network perimeter mechanism can be
implemented to Isolate IT resources in a cloud from others.
Cloud storage mechanism represents storage devices
that are designed specifically for cloud-based provisioning.
Cloud usage monitor mechanism is a lightweight and
autonomous software program collecting IT resource usage
data
Resource replication mechanism is typically performed
when an IT resource’s availability and performance need to
be enhanced.
The ready-made environment mechanism is a defining 100
 Summary of Key Points (cont.)
 The automated scaling mechanism is to do quick
resource scaling in an automated way.
 The load balancer mechanism is used to balance a
workload across two or more IT resources.
 A failover system can switch over to a redundant or
standby IT resource instance whenever the active IT
resource becomes unavailable. There are active-active and
active-passive failover systems.
 The resource cluster mechanism groups multiple IT
resource instances so that they can be operated as single IT
resource instance.
 The multi-device broker facilitates runtime data
transformation so as to make a cloud service accessible to a
wide range of devices.
101
 Summary of Key Points (cont.)
 Confidentiality, integrity, authenticity, and availability are
characteristics that can be associated with measuring
security.
 An anonymous attacker is a non-trusted threat agent that
usually attempts attacks from outside of a cloud’s boundary
 A malicious tenant (trusted attacker) exists as an
authorized cloud service consumer with legitimate
credentials that uses to exploit access to cloud-based IT
resources.
 A malicious insider is a human that attempts to abuse
access privileges to cloud premises.

102
 Summary of Key Points (cont.)
 Cloud misconfigurations and insecure APIs can place threats
on cloud resources.
 The insufficient authorization attack occurs when access is
granted to an attacker erroneously or too broadly, or when
weak passwords are used.
 Malware can be used and injected into cloud resources.
 Traffic eavesdropping attacks are usually carried out by
malicious service agents that intercept network traffic
 A denial of service attack occurs when a targeted IT
resource is overloaded with requests in an attempt to
cripple or render it unavailable.
 The cloud security responsibility is shared between the
Cloud Service Provide and the Customer.
 The Cloud Security Alliance (CSA) leads the industry in 103