Unit IV Cloud Computing

1. Data Privacy & Security in Cloud Computing

Cloud technology has given opportunities to many businesses to showcase their
potential in the business world. SMEs are not only getting an opportunity to grow,
they are also taking their business operations to the next level. Cloud technology has
opened a door for small & medium scale companies to acquire market share by
entering the yard of bigger players. As the business requirements have become on-
demand and need-based, it gave many companies a significant edge and allow them
to complete in a much larger business space.
Cloud technology provides various advantages. Starting from data management,
data storage, 0% downtime, CRM management, resource optimization to entire
business automation. It also reduces a high amount of investment and saves a lot of
time.
At the same time, cloud computing has raised multiple eyebrows with IT
management, especially when it comes to data security in the cloud
computing. Data security and privacy protection are two major factors. These two
factors are becoming more important for the future development of cloud
computing technology in business, industry, and government. While addressing this
fear, Google claimed that data stored in the cloud are much safer.
What are the Challenges?

Data Replication

Every business faces this challenge. Snapshots and data backups are taken on a daily
basis. They automatically stored in the cloud. Are you aware where they have been
stored and who can see and access them? Can you identify and control unauthorised
copying of your data?
Data Loss

Data loss can be a disaster for any business. Virtual data can be easily lost or exposed
as it moves between VMs or in the cloud. Are you sure that authorised users are
accessing your data within predefined policies? Do you have the authority to block
any user who is violating data use policies?
New Class of Users

Cloud computing need cooperation between security, storage, application, and

security admins. They all manage your sensitive business data. With more number of
users, the risk also increases. If one admin went wrong, entire data in the system will
be at risk.
Insecure APIs
Application Programming Interfaces (API) allow users to customize their cloud
computing practices. APIs can be a threat to cloud security because of their nature.
APIs give developers the tools to build solutions to integrate their applications with
other software. The vulnerability of an API depends on the communication that takes
place between applications. While this can help developers and businesses, they also
issue serious security concerns.
Internal Threat

Never keep this point out of your mind. You may be thinking data is safe inside. But
this is one of the biggest challenge company’s face. Employees can use their access
to an organisation’s cloud-based services to misuse or access information related to
finance, customer details etc.
How to Protect your Data?

You can protect your business data in the cloud from unauthorised access. All you
need is a sharp eye and an extra effort. Here are few practical tips to keep your cloud
data safe and secure.
Always keep backup locally

When it comes to business data, you have to be extra conscious. Always have a
backup for your data. It is always good to create hard copies of your business data
and keep it with yourself so that you can have access them even if you lost the
original one. You can use any cloud storage solutions to store your data. You can set
up a cloud account & can keep the backup copies. You have another option of
keeping the backup data in an external storage device also like a hard disk or a
thumb drive. This will allow you to access the information even if without the
internet.
Don’t store sensitive data
Technology is changing. Businesses are also changing as per the technology. Data is
playing an important role in businesses today. So, data privacy is one of the primary
aspects of any business. But if something is there on the internet, it is hard to trust it
is safe. So, one should avoid storing the most sensitive files or information in the
cloud. Identity theft is on rising and you can’t take any risk. You should keep those
files in cloud platform which you access frequently and should avoid putting
information related to financial details, competitor details, client details, contact
details like phone number/address etc. If you are keeping these files, make sure you
encrypt them before uploading.
Data encryption
One of the best ways to protect your data while using cloud storage is to do data
encryption. This is the best form of security because you need decryption before
accessing the data. This will protect data against service providers and users also. To
make it more protected, you can also ensure cloud encryption during uploading and
downloading phases. But, this will make data sharing and sync in the cloud platform
little slow.
Encrypted cloud service
There are few cloud services which provide local encryption and decryption of your
files and information inside that other than storage and backup. This means the
service takes care of both encrypting your files and storing them safely in the cloud.
This will ensure that no one including the service provider or the administrators can
have the access to your data files. There are many free versions and also trial
versions available in the market. You can use them to learn how it works and later
can upgrade to enjoy more space.
Using password

The first thing which can be done is to put strong password which can stand a
hacking. You can take the help of internet to learn how to create a strong password.
It is very important to change your password frequently and never use the same
password for all the accounts or folders. You can opt for 2-step verification for login
if your cloud service offers that option. Google drive use 2 phase log in option,
consist of password & code sent to the registered number. This added security will
make your data much safer.
Keep an eye on what you do online

The security of your cloud data largely depends on your online behaviour. While
using a public computer, never save your password, and always ensure that you
logged out properly. Another biggest concern is accessing cloud data in unsecured or
open Wi-Fi hotspots. Such connections are unencrypted, hackers can target your
data easily. Never save your password in any of the public forum or social media.
Change Wi-Fi passwords frequently.
Anti-virus is a must

Sometimes the weakest link happens to be the computer or device you use for cloud
data access. You need to put proper protection in your system/device. It will help in
securing your business data. If you expose yourself to bugs and viruses, hackers can
access your system easily. You need to choose a very effective and robust anti-virus
system for your system, which will protect all the files and information inside that. If
your system isn’t well protected, and if the system is not encrypted and secured
from bugs, hackers can get hold of your information.
Read your user agreement

If you are new to the world of cloud computing and not sure what cloud storage to
choose or how it really work, you have to read the user agreement of the service you
are going to sign up for. Initially, it will be difficult to understand and at times it will
test your patience, but you need to face this. User agreements always carry essential
information which can help you understand things in detail.
Access limitation
Give access to those users who really need. Internal users and third party vendors
should only get access to those files which will help them to do their jobs. Use
encryption keys if required. Make sure to evaluate the users and vendors regularly
and add/remove users as per the requirement.

Platform, control & service monitoring

Platform, control & services monitoring is usually performed as a dashboard

interface and makes it possible to identify the operational status of the platform
being monitored at any time. Each operational element which is monitored provides
an operational status indicator. This helps in determining which elements are
performing as per the established standards. By identifying such problems, you can
take defensive actions to prevent loss of data or service.
Continuous system updating
Cloud data security is enhanced with regular patching and upgrading of systems and
application software in the cloud platform. New patches, updates, and service packs
for the operating system are required to maintain high-end security levels and
support new versions of installed products. You have to be committed enough to
identify the market trends and new software versions and communicate gaps in
security that can appear in installed systems and applications.
Legal & regulatory challenges
Cloud services can give you the best solutions for your business related problems
when you are assured that your & your customers data are private and secure. This
should be the primary focus for cloud service providers. There are many legal &
regulatory challenges which needs to be addressed when data moves from one
country to another.
Multinational Framework on privacy and security :

Uncertainty about the legal and regulatory obligations related to data will increase
with the increase of the data in the cloud platform. To ensure every business and
country get full advantage of cloud computing, different countries have to cooperate
to develop a multinational framework on data privacy and security in the cloud. As
cloud computing evolves, and data flows from one country to another. For example,
data has been created in India using a software hosted in UK & stored in US with
users based in Australia. Cloud provider needs to coordinate this entire process to
make sure the data flow is going smooth & safe.
Rules on Cross-border data transfers :
To enhance the efficiency and security of cloud solutions and deliver quick results,
cloud service providers must be able to operate datacentres in multiple locations and
transfer data freely between them. Smooth data flow allows cloud providers to
optimize their service and deliver the best business solutions. However, restrictions
on cross-border data transfers can create uncertainty if the rules or the legal
framework are not followed.
Conflicting legal obligations :
Different governments have different policies when it comes to data flow in their
country. Cloud providers will be in legal trouble if they won’t follow the predefined
cyber laws. Divergent rules on privacy, data retention, law enforcement access and
other issues can lead to ambiguity. For example, one country might have certain
rules when it comes to cloud data storage, which might be in direct conflict with
another country or a particular service provider.

In order to protect data in the cloud platform, you need to keep all these above
things in mind.

2. Identity and access management (IAM)

Identity and access management (IAM) is a framework of business processes, policies

and technologies that facilitates the management of electronic or digital identities.
With an IAM framework in place, information technology (IT) managers can control
user access to critical information within their organizations. Identity and access
management products offer role-based access control, which lets system
administrators regulate access to systems or networks based on the roles of individual
users within the enterprise.

In this context, access is the ability of an individual user to perform a specific task,
such as view, create or modify a file. Roles are defined according to job competency,
authority and responsibility within the enterprise.

Systems used for identity and access management include single sign-

on systems, multi-factor authentication and privileged access management (PAM).
These technologies also provide the ability to securely store identity and profile data
as well as data governance functions to ensure that only data that is necessary and
relevant is shared. IAM systems can be deployed on premises, provided by a third-
party vendor through a cloud-based subscription model or deployed in a hybrid cloud.

Basic components of IAM

On a fundamental level, IAM encompasses the following components:

 How individuals are identified in a system.

 How roles are identified in a system and how they are assigned to individuals.

 Adding, removing and updating individuals and their roles in a system.

 Assigning levels of access to individuals or groups of individuals.

 Protecting the sensitive data within the system and securing the system itself.
What IAM systems should include

Identity access management systems should consist of all the necessary controls and
tools to capture and record user login information, manage the enterprise database of
user identities and orchestrate the assignment and removal of access privileges. That
means that systems used for IAM should provide a centralized directory service with
oversight as well as visibility into all aspects of the company user base.

Technologies for identity access and management should simplify the user

provisioning and account setup process. These systems should reduce the time it takes
to complete these processes with a controlled workflow that decreases errors as well
as the potential for abuse while allowing automated account fulfillment. An identity
and access management system should also allow administrators to instantly view and
change access rights.

These systems also need to balance the speed and automation of their processes with
the control that administrators need to monitor and modify access rights.
Consequently, to manage access requests, the central directory needs an access rights
system that automatically matches employee job titles, business unit identifiers and
locations to their relevant privilege levels.

Multiple review levels can be included as workflows to enable the proper checking of
individual requests. This simplifies setting up appropriate review processes for higher-
level access as well as easing reviews of existing rights to prevent privilege creep, the
gradual accumulation of access rights beyond what users need to do their jobs.

IAM systems should be used to provide flexibility to establish groups with specific
privileges for specific roles so that access rights based on employee job functions can
be uniformly assigned. The system should also provide request and approval
processes for modifying privileges because employees with the same title and job
location may need customized, or slightly different, access.

Benefits of identity and access management

IAM technologies can be used to initiate, capture, record and manage user identities
and their related access permissions in an automated manner. This brings an
organization the following benefits:

 Access privileges are granted according to one interpretation of policy and all
individuals and services are properly authenticated, authorized and audited.

 Companies that properly manage identities have greater control of user access,
reducing the risk of internal and external data breaches.

 Automating IAM systems allows businesses to operate more efficiently by

decreasing the effort, time and money that would be required to manage access to
their networks manually.

 In terms of security, the use of an IAM framework can make it easier to enforce
policies around user authentication, validation and privileges and address issues
regarding privilege creep.

 IAM systems help companies better comply with government regulations by

allowing them to show that corporate information is not being misused.
Companies can also demonstrate that any data needed for auditing can be made
available on-demand.

Additionally, by implementing identity access management tools and following

related best practices, a company can gain a competitive edge. For example, IAM
technologies allow the business to give users outside the organization, like customers,
partners, contractors and suppliers, access to its network across mobile applications,
on-premises apps and software-as-a-service apps without compromising security. This
enables better collaboration, enhanced productivity, increased efficiency and reduced
operating costs.

3. Risks associated with IAM

Implementing proper identity and access management tools or platforms means

storing all authorizations and credentials in one, unified place. When not secured
correctly, this can be a huge risk because if an attacker gains access to the system, all
digital identities can be compromised. Similarly, if a specific employee that is
authorized to the system does not follow security or password best practices, all of the
information could be easily leaked.

Another concern for adopting IAM are challenges in implementation. Legacy

systems will typically already have an identity management functionality in place,
therefore, converting resources to a new system could be challenging, expensive and
time-consuming. However, solutions for minimizing the need of technical support,
such as cloud services, are becoming more viable.

4. Trust in cloud computing

Trust issues become particularly important when data processing is decentralized
across geographically dispersed data centres and resources are distributed beyond a
definable and controllable perimeter, which is especially true in the Cloud computing
scenario. In the next section, we illustrate an example to show the importance of
trust establishment in Cloud computing, in particular establishing trust on Cloud
providers.

Current trends for trust establishment

There are ad-hoc approaches to support the consumers in selecting trustworthy (or
dependable) CPs. We classify and briefly analyse these approaches as follows.
  SLAs: In practice, one way to establish trust on CPs is the fulfilment of SLAs.
SLA validation and monitoring schemes are used to quantify what exactly a
CP is offering and which assurances are actually met. In Cloud computing
environments, customers are responsible for monitoring SLA violations and
informing the providers for compensation. The compensation clauses in SLAs
are written by the CPs in such a way so that the customers merely get the
advantage of applying for compensation (e.g., service credits) due to SLA
violation. This problem arise for not having standardized SLAs for the
stakeholders in Cloud computing marketplace. Although, the problem is
addressed by industry driven initiative for establishing standardized SLAs, this
initiative is far from implementation in practice.

  Audits: CPs use different audit standards (e.g., SAS 70 II, FISMA, ISO 27001) to
assure users about their offered services and platforms. For example, Google
lists SAS 70 II and FISMA certification to ensure users about the security and
privacy measures taken for Google Apps. The audit SAS 70 II covers only the
operational performance (e.g., policies and procedures inside datacenters)
and relies on a highly specific set of goals and standards. They are not
sufficient to alleviate the users’ security concerns and most of the CPs are not
willing to share the audit reports, which also leads to a lack of transparency.

  Measuring & Ratings: Recently, a Cloud marketplace has been launched to

support consumers in identifying dependable CPs. They are rated based on a
questionnaire that needs to be filled in by current CCs. In the future, Cloud
Commons aims to combine consumer feedback with technical measurements
for assessing and comparing the trustworthiness of CPs. Furthermore, there is
a new commercial Cloud marketplace named SpotCloud that provides a
platform where CCs can choose among potential providers in terms of cost,
quality, and location. Here, the CPs’ ratings are given in an Amazon-like “star”
interface with no documentation on how the ratings are computed.

  Self-assessment Questionnaires: The CSA proposed a detailed questionnaire

for ensuring security control transparency of CPs – called the CAIQ (Consensus
Assessment Initiative Questionnaire). This questionnaire provides means for
assessing the capabilities and competencies of CPs in terms of different
 attributes (e.g., compliance, information security, governance). However, the
CSA metrics working group does not provide any proposals for a metric to
evaluate CAIQ yet. This is necessary for comparing the potential CPs based on
the answered assessment questionnaire stored in the STAR. Furthermore, the
information stored in the STAR repository can be checked against the CCM
(Cloud Control Matrix) . This will provide the assurance whether services
offered by the CPs comply with the industry-accepted security standards,
audits, regulations, control frameworks or not.

5. Parameters of Cloud Infrastructure Security

 Network Security Control: The network has always been the backbone of

enterprise infrastructure, be it on-premise or the cloud. At the outset, it is
critical to map requirements (in-line with legal and regulatory norms)
assessing the current state of network security and the proposed
integrations. In virtual environments, orchestrating the set-up, segregating
data, proactively protecting assets, and fortifying cloud infrastructure
against external attacks are recommended. The cloud provider will deploy a
set of default configurations, which must then be aligned to specific
security requirements of the enterprise, either by an internal IT team or by
an expert and a trusted partner organization.

 Persona and Access Management: Cloud infrastructure combined with IoT

can help enterprises reach new levels of productivity and innovation.
However, this means that data will be accessed from different devices,
requiring different encryption mechanisms within and outside the
enterprise. Hence, IAM (identity access management) plays a big part in
limiting access as per individual persona, virtual machine roles, and need-
to-know basis. Analyzing existing cyber security controls, as well as other
app security controls for data privacy and protection, is crucial when
deciding on the IAM approach. Also, IAM features are unique to each public
cloud infrastructure, and require an expert partner with a  mastery of
 various public cloud infrastructure to customize these for the specific
access needs of an enterprise.

 Endpoint Security: The weakest link for any enterprise is often the
endpoint. Cloud infrastructure allows a virtually infinite number of devices
and interfaces to connect to a network. Every device will have to be
configured according to organizational security policies, with specific
guidelines for IoT and BYOD. Therefore, the targets of security architecture
need to be astutely planned, covering IAM integration with different
endpoints, followed by security testing to reduce the number of threats.
Other measures include regular VAPTs (vulnerability assessment and
penetration tests) and threat intelligence tools such as IllusionBLACK, which
activates a decoy whenever an attacker is detected.

 Governance and Risk Assessment (GRC): After the completion of the cloud

security planning and design stage, the environment should be stabilized.
Here, implementations must be reviewed even as security controls are
continually monitored. Continuous observation of cloud infrastructure
should be embedded into an organization’s operational policies. This can be
achieved through detailed logs and regular audits, once again unique to the
cloud infrastructure of an enterprise.                .

Approach for Implementation: Considering the admittedly difficult shift

from on-premise to cloud, enterprises need to develop a prescriptive
approach for cloud infrastructure security. Migration plan should include
security compliance checks and gap analysis to ensure transition and
mitigate risks. Cloud security solutions should not be limited to a specific or
predefined approach – instead, cloud security solutions can be
synchronized with enterprise requirements by:

• Individually defining the security architecture and migration approach to

–

o     Define the actual scope of the work during setup

o     Ensure every aspect of cloud security is mapped perfectly

 o     Offer a specific reference point to operations and governance teams

• Hosting and managing enterprise actions in close conjunction with the

cloud service provider

• Adopting a define, discover, diagnose, detail, deliver methodology for

regular assessments based on industry-recognized CSA, NIST   standards

• Conducting periodic reviews using a robust security management toolkit

• Incorporating best practices as per NIST and CIS-compliance through a

four-stage identify, analyze, define and implement, and stabilize process

This approach, considered holistically with SaaS, PaaS, and IaaS-based

security solutions, will assist IT decision-makers ensure security for their
cloud environment. Enterprises can boldly face risk, embrace innovation,
and maintain business continuity with zero disruptions during data
migration to the cloud.

6. Level of security

The fundamental basis for developing secure cloud environment is based on

various security principles:
 Confidentiality: The prevention of unauthorized disclosure of information
that may be intentionally or unintentionally refers to the confidentiality.
 Integrity: The concept of cloud information integrity is based on two
principles Prevention of modification of data from unauthorized users and
preventing the unauthorized modification of data by authorised user.
 Availability: This Principle ensures the availability of cloud data and
computing resources when needed.
 Authentication: It refers to the process of testing the user’s identity and
ensures that users are who they claim to be.
 Authorization: It refers to the privileges that are granted to individual or
process for enabling them to access any authorized data and computing
resources.
 Accountability: This is related to the concept of non-repudiation where the
person cannot deny from the performance of an action. It determines the
action and behaviour of single individual within cloud system.
Top security threats in cloud computing is classified as network level, host
level and application level.

6.1 Network level security issues

In public cloud architecture the data moves to or from the
organization, ensure confidentiality and integrity. The network level security risk is
classified as three types such as ensuring the data confidentiality,
availability and integrity. The data and recourses previously confined to a private
network are now exposed to the internet, share public network belonging to a
third-party cloud provider. The user is not using HTTPS (but using HTTP) so it
increase the risk. The types of network level security issues are
 Eavesdropping
The unauthorized user access the data due to interception of network traffic, it
result in failure of confidentiality. The Eavesdropper secretly listen the private
conversation of others. This attack may done over email, instant messaging, etc,
 Replay attack
Its a network attack in which a valid data transmission is maliciously or
fraudulently repeated or delayed. The attacker intercepts and save the old messages
and later it send to one of participants to gain access to unauthorized resources.
 In Sybil attack
The malicious user pretends to be distinct users after acquiring
multiple identities and tries to create relationship with honest user if malicious user
is successful to compromise one of the honest user then attack gain unauthorized
privileges that helps in attacking process.
 Reused IP address
If user moves out of the network then same IP address is reassigned and reused
by other customer, so it will create security risk to new user. A customer can’t
assume that network access to its resources is terminated upon release of its IP
address. The old IP address is assigned to new user still the chance of accessing the
data by some other user. The address still exists in the DNS cache, it violating the
privacy of the original user. IP addresses are finite quantity and billable assert.
There is a similar lag time between when physical (i.e., MAC) addresses are
changed in ARP tables and when old ARP addresses are cleared from cache, an old
address persists in ARP caches until they are cleared .
 DNS Attacks
It translate the domain name to an IP address, Since domain name is easier to
remember rather than IP address. The user using IP address in not feasible because
has been routed to some other cloud instead of the one he asked. The sender and a
receiver get rerouted through some evil connection. DNS security measures are
taken, still the route selected between the sender and receiver cause security
problems .
  BGP Prefix Hijacking
It’s a type of network attack in which wrong announcement on IP
address associated with a autonomous system (AS), so malicious parties get access
to the untraceable IP address.AS communicate using Border gateway protocol
model. Faulty AS broadcast wrongly about the IP associated with it. In this case
the actual traffic get routed to some other IP than the intended one.
 Sniffer Attack
Data is flowing in network, and chance to read the vital information, it can be
traced and captured. Sniffer program get recorded through the NIC (network
Interface Card) that the data/traffic linked to other systems. Its easily detect a
sniffing system running on a network is using ARP (Address resolution Protocol)
and RTT (round Trip time).
 Port Scanning
If the customer configures the security group to allow traffic
from any source to a specific port, then that specific port will be vulnerable to a port
scan. When Port scanning is detected it should be stopped and blocked.
 Dos Attack
Dos attack is an attack it force the system component to limit, or even halt,
normal services. The network is unavailable by flooding it , disrupting it, jamming
it, or crashing it. The problem in Denial of service on the internet is impossible to
prevent. DoS attacks can be prevented with a firewall but they have configured
properly.

 Distributed Denial of Service Attack

Distributed Denial of Service attack is a DoS attack that occurs from more than
one source, and from more than one location at the same time. DDoS attacks that
comes from many "dummy" computers at the same time to flood the server. This is
harder to trace or so that they can use more bandwidth.

6.2 Host Level Security issues:-

Cloud service provider do not publicly share information related to their host
platforms, host operating systems, and processes that are in place to secure the
hosts, since hackers can trying to intrude into the cloud service. The host level
security issues are
 Security concerns with the hypervisor
Hypervisor is defined as controller called as Virtual machine manager (VMM) that
allows multiple OS runs on single machine at a time. If number of Operating
system running on hardware platform, security issues get increased, because single
hardware unit is difficult to monitor multiple operating systems. eg.:- guest system
tries to run malicious code on the host system and get control of the system and
block other guest OS, even it can make changes to any guest OS. Advanced cloud
protection system can be developed, in order to monitor the guest VMs and inter
communication among the various infrastructure components
Virtualization platform is software. Major virtualization platform vendors are
VMware, Xen and microsoft. Its important to secure the layer of software that sits
between hardware and virtual servers. The isolation of customer VMs from each
other in a multitenant environment, it is very important to protect the hypervisors
from unauthorized users. To protect the hypervisor the Iaas customer should
understand the technology and security process controls instituted by the CSP.
 Virtual server Security
Customers of Iaas have full access to the virtualized guest VMs
that are hosted and isolated from each other by hypervisor technology. Virtual
server may be accessible on the internet, so sufficient network access preventive
steps should be taken to restrict access to virtual instances. The IaaS platform
creates a risk due to self provisioning of new virtual server, that leads to create
insecure virtual servers. Securing the virtual server in the cloud requires strong
operational security procedures.

Protect the integrity of the image from

unauthorized users.
• Secure the private keys in the
public cloud.
• Keep the decryption keys away
from the cloud
• Do not allow password-based
authentication for shell access.
• Require role-based access
password
• Run a host firewall and open only
the minimum ports necessary to
support the services on an instance.
• Run only the required services
and turn off the unused services
• Enable system auditing and event
logging,
• Secure the log events to a
dedicated log server.
• Keep the log server separate with
higher security protection, including
accessing controls.
Protect the integrity of the image from
unauthorized users.
• Secure the private keys in the
public cloud.
• Keep the decryption keys away
from the cloud
• Do not allow password-based
authentication for shell access.
• Require role-based access
password
• Run a host firewall and open only
the minimum ports necessary to
support the services on an instance.
• Run only the required services
and turn off the unused services
• Enable system auditing and event
logging,
• Secure the log events to a
dedicated log server.
• Keep the log server separate with
higher security protection, including
accessing controls.
Protect the integrity of the image from
unauthorized users.
• Secure the private keys in the
public cloud.
• Keep the decryption keys away
from the cloud
• Do not allow password-based
authentication for shell access.
• Require role-based access
password
• Run a host firewall and open only
the minimum ports necessary to
support the services on an instance.
• Run only the required services
and turn off the unused services
• Enable system auditing and event
logging,
• Secure the log events to a
dedicated log server.
• Keep the log server separate with
higher security protection, including
accessing co
• Protect the integrity of the image from unauthorized users.
• Secure the private keys in the public cloud.
• Keep the decryption keys away from the cloud
• Do not allow password-based authentication for shell access.
• Require role-based access password
• Run a host firewall and open only the minimum ports necessary to support
the services on an instance.
• Run only the required services and turn off the unused services
• Enable system auditing and event logging,
• Secure the log events to a dedicated log server.
• Keep the log server separate with higher security protection, including
accessing controls.
6.3 Application level security threats:-
Some company hosts an applications in internet that many user use without
considering about Where, how, by whom the services are provided, so proper
security mechanism should adapt. The types of Application level security threats
are :
 SQL Injection attack
Attackers inserted a malicious code into a standard SQL code and it allow
unauthorized person to download the entire database or interact it in other illicit
ways. The unauthorized user can access the sensitive data. This will be avoided the
usage of dynamically generated SQL in the code.
 Cross-site scripting [XSS]
It embedding script tags in URLs and when user clicks on them, the JavaScript
get executed on machine. In dynamic websites, some pop ups windows get
opened and request the user to click on that link, once user clicked the link the
hacker get control and access all our private information .

 EDoS
An attack against the billing model that underlies the cost of providing a service
with the goal of bankrupting the service itself. DoS attacks on pay-as-you-go cloud
applications will result dramatic increase in your cloud utility bill, increased use of
network bandwidth, CPU, and storage consumption. This type of attack is also
being characterized as economic denial of sustainability (EDoS).

 Cookie Poisoning
Cookies used to store User IDs. The two types of cookies are: persistent and non-
persistent. Persistent cookie is stored on the client hard-drive, hacker who can
access the client machine and easily access the cookies. Non-Persistent cookie is
stored in memory and more difficult to access. Another attack is unauthorized
person can change or modify the content of cookies to access the application or
web page. Cookies contain user identity credential information, one unauthorized
person access these details then they can able to forge as an authorized user. This
will be overcome by regular cookie cleanup.
 Backdoor and debug options
N ormally developers will enable the
debugging option while publishing the web site. So hacker can easily enter into the
web-site and make some changes . To prevent this attack developer should disable
the debugging option.
 Hidden field manipulation
While user accessing the web page some fields are hidden and its used by
developer. The hidden fields in HTML forms convey important information such
as price, user ID etc. The attacker can save the catalogue page and change the value
of hidden field and posted on web page. This will be severe security violation.
 Google Hacking
G oogle search engine is the best option for the
hacker to access the sensitive information. Even the hacker hack the user's account.
Generally they try to find out the security loopholes on Google they wish to hack
and then after having gathered the necessary information of the concerned system.
A group of hackers in china hacks the login details of various g-mail users. The
security threats can be launched at the application level and cause system
downtime disabling the application access even to the authorized users.
 Man in the middle attack
This attack is also a category of eavesdropping. The attacker set up the
connection between two user and tries to hear the conversation or it provide false
information between them. Tools like Dsniff, Cain, Ettercap, Wsniff, Airjack etc
have developed to protect from this attack
 Dos Attack
Dos attack the services assigned to the authorized users unable
to use by them. The attack, large number of services request handled by the server
exceeds become unavailable to the authorized user. DoS attack increases
bandwidth consumption besides causing congestion, Due to overloading of the
server with the requests. Making certain parts of the clouds inaccessible to the
users.Intrusion detection system (IDS) is the most popular method of defense
against this type of attacks.
 Distributed Denial of services
DDos is advanced version of DoS in terms of denying the
services running on a server is not able to handle it. Three functional units of DDos
attacks: A Master, A Sleve and A Victim. Mater being the attack launcher is behind
all these attacks causing DDoS, Slave is the network which acts like a launch pad
for the Master. It provides the platform to the Master to launch the attack on the
Victim. Hence it is also called as coordinated attack. The DDoS attack is
operational in two stages: the first one being Intrusion phase and second one DDos
tools. In intrusion phase the master tries to compromise the less important
machines to support in flooding the more important one. The installing DDos tools
and attacking the victim server or machine. DDos attack the services is unavailable
to authorized user Its similar to Dos Attack but the way of launching is different.
DDos attack was experienced with CNN news channel website is unable to access
the site for a period of three hours.
Other Security Threats:
 Failures in Providers Security
Security is necessary when designing cloud because cloud service provider controls
the hardware and hypervisor on which data is stored and application also runs on
the cloud infrastructure.
 Attacks by other Customer
The cloud service provider resources shared with untrusted parties. The one
customer can access the other customer sensitive information. This is highly
possible in cloud. To overcome this problem strong cryptography, application-layer
operation should be applied.
 Availability and reliability issues
Cloud service is accessible through internet, so internet
availability and reliability is essential. Service accessible through internet so
complexity increase due to change of failure. The countermeasures are monitoring
the availability carefully.
 Legal and Regulatory Issues
The cloud computing have many legal and regulatory issues
regarding the data exposed outside the jurisdiction.
 Perimeter security model broken
Many organizations use a perimeter security model with strong security at the
perimeter of the enterprise network. Now all critical data and applications are
stored in cloud but its outside the perimeter of enterprise control.
 Integrated Provider and customer Security
The problem is disconnected provider and customer security systems. If there is
any misbehaviour in cloud, not reported to the customer. The cloud service provider
should adapt Proper integrity identity management

INFRASTRUCTURE SECURITY: THE NETWORK LEVEL

As network level of infrastructure security is concerned , it is important to

distinguish between public clouds and private clouds. With private clouds, there
are no new attacks, vulnerabilities, or changes in risk specific to this topology that
information security personnel need to consider. If public cloud services are
chosen, changing security requirements will require changes to the network
topology and the manner in which the existing network topology interacts with the
cloud provider's network topology should be taken into account

There are four significant risk factors in this use case:

1. Ensuring the confidentiality and integrity of organization's data-in-transit to and

from a public cloud provider.

2. Ensuring proper access control

3. Ensuring the availability of the Internet-facing resources 4. Replacing the

established model of network zones and tiers with domains.

INFRASTRUCTURE SECURITY - THE HOST LEVEL

When reviewing host security and assessing risks, the context of cloud services
delivery models (SaaS, PaaS, and IaaS) and deployment models public, private,
and hybrid) should be considered . The host security responsibilities in SaaS and
PaaS services are transferred to the provider of cloud services. IaaS customers are
primarily responsible for securing the hosts provisioned in the cloud (virtualization
software security, customer guest OS or virtual server security).

INFRASTRUCTURE SECURITY THE APPLICATION LEVEL

Software security or applications should be a crucial element of a security

program. Most enterprises with information security programs have yet to
introduce an application security program to address this domain. Designing and
implementing applications aims at deployment on a cloud platform will require
existing application security programs to reexamine current practices and
standards. The application security spectrum ranges from single-user applications
to multiuser e-commerce applications used by many users. The level is responsible
for managing : _

 Application-level security threats;

 End user security;

 SaaS application security;

 PaaS application security;

 Customer-deployed application security

 IaaS application security

 Public cloud security limitation

7. Data security and storage:

A DEFINITION OF CLOUD STORAGE SECURITY

While cloud storage is convenient and gives employees access to their data
anywhere, at any time, on nearly any device, cloud storage security is a top
concern for organizations’ IT and security departments. The benefits brought by
cloud storage – from scalability and accessibility to decreased IT overhead – are
driving rapid adoption at enterprises around the world, and there are steps that
companies should take to improve cloud storage security and keep sensitive data
safe and secure in the cloud.

THE NEED FOR CLOUD STORAGE SECURITY

Businesses and enterprises use cloud services because they provide cost-effective
and flexible alternatives to expensive, locally-implemented hardware. But
conducting business in the cloud means that confidential files and sensitive data
are exposed to new risks, as cloud-stored data resides outside of the limits of many
safeguards used to protect sensitive data held on-premise. As such, enterprises
must take additional measures to secure cloud storage beyond the sometimes basic
protections offered by providers.
The rise of Internet of Things (IoT) technology and the connected office has also
made enterprises more reliant on cloud technology, albeit while driving security
risks. Even smart printers have been found vulnerable to data leakage, and as
more corporate devices become internet-connected, the potential for compromise
or unintended leakage increases.
CLOUD STORAGE SECURITY BASICS
As enterprises move further along the cloud adoption curve, cloud storage security
is becoming a top priority – both in enterprises’ IT architecture and information
security strategies. Companies now recognize that it’s critical to protect sensitive
data while enabling employees to enjoy the performance and flexibility of the
cloud.Cloud storage providers and enterprises share responsibility for cloud
storage security. Cloud storage providers implement baseline protections for their
platforms and the data they process, such authentication, access control, and
encryption. From there, most enterprises supplement these protections with added
security measures of their own to bolster cloud data protection and tighten access
to sensitive information in the cloud.

CLOUD STORAGE SECURITY CHALLENGES

One of the biggest challenges with cloud storage security is that employees use
free file sharing and cloud storage services that are not approved by the
organization and may not meet minimum security standards. Knowingly or not,
employees can put company data at risk by using these services, particularly
without the IT department’s knowledge or approval.
In addition to implementing security solutions to protect sensitive data against
unauthorized access or egress and enforce cloud security policies, it is critical that
organizations educate their employees on the risks posed by sharing and storing
information in the cloud. Additionally, organizations must take the appropriate
security measures to mitigate cloud storage security risks introduced by employees
who may inadvertently use services and applications that don’t meet the
company’s security standards.
There are complex data security challenges in the cloud:
 The need to protect confidential business, government, or regulatory data
 Cloud service models with multiple tenants sharing the same infrastructure
 Data mobility and legal issues relative to such government rules as the EU
Data Privacy Directive
 Lack of standards about how cloud service providers securely recycle disk
space and erase existing data
 Auditing, reporting, and compliance concerns
 Loss of visibility to key security and operational intelligence that no longer
is available to feed enterprise IT security intelligence and risk management
  A new type of insider who does not even work for your company, but may
have control and visible into your data.

CLOUD STORAGE SECURITY SOLUTIONS

Data protection solutions for cloud storage security provide complete visibility and
policy-based control over how data can be moved to and from the cloud, ensuring
that only authorized data leaves the company’s environment and that data access is
limited to authorized parties. In doing so, companies can enforce stricter
protections around sensitive data than what many cloud storage providers offer and
provide a second line of defense in the event that a provider has a security
compromise.

When choosing a cloud storage security solution, enterprises should be sure that it
provides continuous monitoring and visibility for all data interactions with cloud
storage applications, provides granular control over file movement based on
browser and OS events involving file sharing and cloud storage sites, integrates
with leading cloud storage providers to be able to extend data protection measures
to data stored in the cloud, automatically encrypts sensitive data prior to egress,
accurately classifies any data downloaded from web applications, and delivers
forensic event logs for effective alerting, reporting, and policy creation.

8. Five key legal considerations when negotiating cloud contracts

Cloud contracts 1: Understand provider’s terms

Cloud computing services are generally implemented on the provider’s terms -

although it can often be a struggle to figure out exactly what those terms are.

Watch out for some cloud providers’ complex, multi-document contract structures
that may be poorly updated and oddly worded. In particular, don’t assume that you
know what’s in a provision based on its heading. For example, in some terms,
 ‘force majeure’ seems to be elastic-sided enough to capture “changes in the
taxation basis of services delivered via the Internet” as a force majeure event!

Understandably, contracts for private cloud solutions and with system

integrators/resellers allow more scope for negotiation than contracts with public
cloud providers. However, even in public cloud deals, terms are increasingly
negotiable - although the degree of negotiability certainly pales in comparison with
traditional outsourcing contracts.

Some of the key issues that tend to recur in cloud contract negotiations include:

• customer control and visibility over subcontracting, with a general reluctance

from providers to allow approval over, or even to identify, subcontractors;
• limitations on the provider’s ability to change the nature of the services. (Here it’s
generally advisable for customers to focus on the commercial implications of such
changes, rather than the right itself);
• privacy and data security commitments;
• rights of the provider to suspend services, e.g., for non-payment or violation of an
acceptable use policy;
• limitations of liability; and

• exit provisions allowing the customer to extend service for a period after
termination or expiry to allow migration to the replacement solution.
Technical areas don’t tend to lend themselves to negotiation given the
commoditised nature of cloud solutions - and you can show your naivety by asking
for changes that directly contradict the services model.

Cloud contracts: 2. Due diligence

Because of the constraints on your ability to negotiate the provider’s cloud terms,
it’s essential to carry out appropriate due diligence on the provider. Areas of focus
should include:

 Location of services
 Service performance and usability
 Existing customers (references)
 Data location, processing, portability and recovery
 Security
 Interoperability
 Business continuity
 Exit
Cloud contracts: 3 - Data privacy remains centre stage

It’s also vital to understand how responsibility for data privacy obligations will be
allocated between you and the provider, including who is responsible for data
security.

Typically, providers have been more willing to take on responsibility for network
integrity, while trying to steer clear of obligations in relation to security of the data
itself.

However, over recent years, cloud service providers have been improving their
privacy offerings. For example, there has been an increased willingness of
providers to adopt the EU model clauses for data transfer.

In addition, many providers now offer European-based data centres, reacting to

commercial pressures from Europe-based clients.

When evaluating cloud solutions:

• classify the data concerned (including its sensitivity), and consider what would
happen if data was disclosed, lost or corrupted;
• consider what the business impact would be if you were unable to use the data;
• check whether the provider is compliant with ISO/IEC 27001/2 and, if a public
cloud provider, ISO/IEC 27018; and
• ensure that your deployment of cloud will comply with applicable data protection
law, taking into account all relevant regulatory guidance, e.g., the EU Data
Protection Working Party 29’s opinion on cloud, the EU Cloud Standardisation
Guidelines and the ICO’s guidance on cloud computing.

Cloud contracts: 4 - Performance commitments are hard to find

Ensure that you are comfortable with the level of service performance commitment
offered by the cloud provider.

Most cloud contracts remain pretty light in terms of service levels, with availability
being the typical measurement metric. Check the wording of the SLAs carefully –
watch out for references to ‘service levels designed to be available’, ‘target service
levels’, etc.

Also, identify the remedies available for service failure – it’s common for
providers to offer credit for additional services, despite the fact that it’s hard to see
‘more of the same’ as a valuable remedy.

Cloud contracts: 5 - Regulators are taking notice

If you are a regulated entity, you will need to take account of relevant regulatory
guidance. For example, the FCA published draft guidance on cloud computing in
November 2015 (due to be published in final form this year). This high level
guidance is aimed at ensuring regulated firms appropriately identify and manage
risks relating to the deployment of cloud-based solutions. Issues identified in the
guidance include:

• legal and regulatory considerations

• risk management
• oversight and audit
• data privacy and security
• change management
• business continuity
• exit

Cloud contracts: Conclusion

Ultimately, you need to approach cloud transactions with a heavy dose of

pragmatism, accepting that it may be very difficult to negotiate material changes to
a cloud provider’s terms.

You need to carry out a thorough risk/benefit analysis exercise in order to evaluate
whether the particular cloud solution is right for your business. If you perceive the
risks to be so great that significant contract negotiation seems essential before
putting services in the cloud, it may be that cloud isn’t the right solution for you
after all.

9. Commercial and Business consideration in cloud computing

Cloud computing technology has improved significantly in the past year, making it
an appealing tool for businesses of all sizes. Cloud computing can benefit
businesses in many ways, from cutting costs, to increasing business efficiency, to
guaranteeing data recovery in case of an accident. In fact, 47 percent of medium
and large enterprises say increased efficiency is the main benefit of cloud
computing, according to a new survey data on enterprise cloud computing.

What common mistakes should companies be aware of as they begin the migration
process? What steps should they take when implementing cloud infrastructure?
Moving to the Cloud can be complicated. Not all data, applications, and files are
suited for cloud storage and security issues may arise if proper safeguards are not
implemented properly.
Some common cloud implementation mistakes include,

 Solely relying on in-house resources

 Selecting a cloud service provider that does not meet you company’s
needs
 Starting off with a complex cloud solution before acquiring the
necessary knowledge and resources to maintain and secure the system
properly
Three crucial considerations will help businesses navigate these mistakes as they
prepare to adopt cloud infrastructure.

1. DETERMINE BUSINESS’ CLOUD COMPUTING NEEDS AND GOALS

Before adopting a new technology, the crucial question to ask is, “How can it meet
the company’s needs?”
These considerations require evaluating the following:

 Type and breadth of data a company needs to store

 Tasks they need to accomplish
 Level of security and privacy they need to maintain
 Standards and regulations to which they need to be compliant
 Features they need to ensure quality performance and enhanced
business function.
For example, if a company is choosing between the big four cloud providers –
Amazon Web Services (AWS), Microsoft Azure, Google Cloud, and IBM Cloud –
AWS may stand out because of its reputation as the cloud computing service that
dominates the market. However, if the company already uses Microsoft
applications, Azure may be the better choice.

“The most popular cloud vendor is Amazon. They are ahead of the game because
they offer services that are easy to implement and use. Then, Microsoft Azure and
Google follow Amazon. … But, if a company or enterprise is attached to Microsoft
products, then Microsoft Azure may be a better fit for them. It depends on the
company’s requirements.” – Jose Alvarez, director of IT infrastructure, Auxis
2. CHOOSE A CLOUD SOLUTION THAT MEETS YOUR COMPANY’S
NEEDS
The three cloud systems, public, private, and hybrid, have advantages and
disadvantages. Before adopting cloud infrastructure, it is important for businesses
to understand the similarities and differences of each cloud solution in order to
select the type that is most appropriate for their business goals.
First, the public cloud provides resources publicly over the Internet. While data
scalability and price flexibility are key advantages of this cloud solution, a business
that does not know how to monitor data security risks security breaches.
Second, private cloud solutions service a single company and are managed in-
house by the IT department. The main advantage of the private cloud is the high
level of security it offers. Businesses are responsible for the infrastructure.
However, maintaining a private cloud solution is more expensive and less flexible
than the public cloud.

Third, hybrid cloud solutions combine characteristics from both public and private
clouds. However, a business needs a knowledgeable IT staff on-hand to combat the
complexities inherent in this solution.

3. EVALUATE KNOWLEDGE AND RESOURCE GAPS IN IT

DEPARTMENT
Especially in the SMB market, cloud infrastructure adoption often slows due to a
fear of the Cloud. One explanation for this fear is the lack of knowledge and
resources available in-house to implement and maintain cloud solutions, according
to David Amaya, a consultant at Cardinal Solutions.

“Many [businesses] know just enough about the Cloud to be afraid of it and say,
‘I’m not touching that.’” – David Amaya
Another explanation highlights ever-present security and compliance concerns.

“I see the challenge of cloud security as an educational issue. People have to

understand and learn more about the Cloud to use it effectively.” – Randy Bias,
vice president of technology at EMC
To ensure your IT department can confront this fear of the cloud head on, it is
necessary to consider the following questions:

 Does the company have a dedicated IT team in-house?

 What roles will the IT team play after cloud infrastructure
implementation?
 What additional resources and training are needed to prepare the IT
team for the transition?
TAKEAWAYS
Cloud computing opens up numerous opportunities for businesses, and the
complexities inherent in adopting cloud infrastructure should not dissuade
businesses from embracing this technology. Outlining business needs and goals,
comparing these needs to the cloud solutions and services available, and
determining the resources required to facilitate the transition are key to a
successful and effective cloud implementation process.

10.Authentication in cloud computing:

Authentication
Authentication is the process that allows the user to provide proof of his
identity. It is often done through the login method, based on the using of a
username and a password. This static mechanism leaves the system vulnerable to
attacks, since hackers can use many techniques, such as sniffing and guessing, to
steal user passwords . So, to alleviate the problems associated with identity theft, it
is essential to adopt a strong form of authentication techniques.

The user authentication is generally based on three factors, something he

knows, who is he and what he possess. Something he know may be a password, a
pass phrase, a pin number or a secret question. Face recognition, iris scan or the
other authentication methods based on body parts allow to identify who is the user.
Finally, something that the user possesses may be a smart card, a software token or
even a mobile phone. When authentication is performed by combining two or more
of the factors presented above, it is named a two or a multiple factor
authentication.

3.2.1. General mechanisms used in Authentication:

3.2.1.1. Authentication by password

The login and the password are confidential information that the user employs
in order to access a specific service (mailbox, shopping sites, etc.). This is the
weakest authentication and identification mechanism, because it is possible to
intercept the password in transit or when it is typed on the keyboard.

 Typology of passwords
• Simple and easy to remember password: The choice of the password is often
left free to the user. Most users simply use an easy-to-remember password.
However, it is easy to be guessed.

• Complex passwords: A complex password is hard to be guessed. It combines

numbers and letters, with uppercase and special characters.
 • Identifiers and passwords with a lifetime: Although complex passwords are
more secure than simple ones, several mechanisms can be used to break them. To
reinforce the security policy, a password expiration period must be imposed.
Thanks to the lifetime technique, a hacked password cannot be used indefinitely.

• One time password (OTP): By adopting the OTP mechanism, the password
will be unique, automatically generated, random and can only be used once. For
each access request, a new password will be sent to the user, via SMS or email.

• Encrypted password: During communication between user and server, the

password is encrypted so as not to be revealed to a third party during transit or
recording.

 Uses of passwords
• Unique password: Single sign-on allows to use the same password to access
all services and applications, For example, one password can be used to access
both mailbox and social network.

• Multiple passwords: Adopting the technique of multiple passwords allows to

specify, one password per service depending on the confidentiality of the secret to
protect .

3.2.1.2. Authentication by Captcha or image scan

• Captcha: This is a sequence of characters that the user must type to prove
that he is not a robot.

• Image scan: When a user is connected to a service from the laptop and want
to be connected from the smartphone, the system provides to him an image that
must be scanned by this smartphone to access the service without having to remake
the whole authentication procedure.

3.2.1.3. Authentication by address, MAC or IP

• Authentication by MAC address: The authentication by MAC address

allows to authenticate the machine, not the person. It is a particularly effective
method of authenticating users who usually have access to their accounts from a
regular set of machines.

• Authentication by IP address: The authentication is successful or not

depending on the network from which the access requestor is connected.

3.2.1.4. Biometrics

Biometrics illustrated in Fig. 2 can be used to identify a user through his

physiological characteristics such as face, iris and fingerprint, or behavioral
characteristics such as gestures and signature. Everyone has his own unique
biometric feature. However, it can change over time (age, accident, injury, etc.).

Fig. 2. Biometrics

 Methods based on physical characteristics

• Face recognition: Authentication by face recognition is a widespread
technique. The significant features for face recognition are: eyes, mouth and face
shape. During the identification, the low frequency components contribute to the
overall description and allow to determine the sex of the user. On the other hand,
the high frequency components are more important for the authentication task.

• Iris scan: The detailed texture of the iris is specific to each individual.
Moreover, this texture is stable and cannot be modified without significant loss of
visual capacities.

• Finger scan: This is one of the first biometrics used in context of

authentication, and the most mature technology. The fingerprints are unique to
each person, and even to each finger. The fingerprint image is taken using a
specific image acquisition device.
  Methods based on behavioral characteristics
• Gestures scan: The authentication is done by hand gestures. Specifically, the
position of the fingers may be in the form of V, W, etc.

• Digital signature: A signature consists of a fixed and variable parts.

Authentication using signature allows to identify a user from the fixed part of his
signature, from the pressure exerted with the pen and also from the writing speed.
This solution requires the use of a touch screen equipment and a stylus.

3.2.1.5. Data encryption

This is a good authentication, avoiding the identity theft and the replay of an
authentication. It implements a proof of possession of a secret element
(cryptographic key), by means of an authentication protocol guaranteeing the
confidentiality of the secret element . Encryption is also an indispensable tool for
protecting information in computer systems.

3.2.1.6. Two factor and multi-factor authentication

Two-factor or multi-factor authentication provides strong authentication by the

combination of two or more of the solutions presented above.

3.2.1.7. Multilevel authentication

The multi-level authentication reinforces security by authenticating user at

several levels. The authentication process is made, for example, at the organization
level, then at the team level, and finally at the user level.

3.2.1.8. Authentication duration

Regardless of the used authentication method, when the user fails to

authenticate himself in the defined authentication duration, the action is recorded
as fraudulent and therefore access will be refused for him thereafter.
 3.2.2. Models specific to Cloud

3.2.2.1. Trust

Trust is currently used in Cloud Computing as a means of authentication.

Depending on the adopted security policy and the trust level of the user, which
judges his behavior, the authentication is accepted or refused.

3.2.2.2. Trusted third party (TTP)

A trusted third party (TTP) is an entity used in the context of the Cloud to
facilitate and secure interactions between two parties (consumer and provider) that
both trust this third party. It can manage authentication, control access to resources,
and more.

Table 3. Advantages and disadvantages of authentication models and mechanisms.

Authentication Advantages Disadvantages
models and
mechanisms
General models and mechanisms

Password

Simple - Cost-effective. - Easy to be found by a

passwor pirate.
d -Easy to use and
retain.

Comple -Guessed with - Forgetfulness.

x difficulty.
passwor -Not very robust, reusable
d by an attacker.

Passwor -The password -Possibility to find it after

d with discovered by a each renewal.
lifetime malicious user, will
not be usable
indefinitely in time.
 OTP -No forgetting and - Little comfort of use.
reuse, dynamism, and
randomization. -The use of the password
by a hacker before the
concerned person.

Encrypt -Difficult to be -Possibility to be seen

ed intercepted. when typing and
passwor authentication reply.
d

Unique -Easy authentication - The hacking of one

passwor and password account involves hacking
d memorization. of all other accounts at
once.

Multiple - The hacking of an - Difficult to remember.

passwor account does not
ds impact other accounts.
Captcha/scan

Captcha - Countermeasure - Unsecured method.

against DOS attacks.

Image - Flexibility and - Possibility to scan the

scan simplicity. image from the computer
by a nearby pirate.

MAC - Simple filtering. - Access to the

address authenticated machine by
- Authentication is a hacker.
authorized to a limited
@ MAC/IP

number of machines. -Tedious in a large

network.

IP -Simple to use. -Problem in the case of

address need to be connected from
another network.
Biometrics

Face -No forgetfulness. - Variations caused by

recognit makeup, aging and
ion expression of emotions.

- Easily counterfeited.

-The need for a camera.

Iris scan -Solution less binding. -Possibility to photograph

 the iris pattern for later
usurpation.

- Necessity to purchase
the device.

Finger -Mature technology, -The need for a specific

scan less intrusive, image acquisition device.
processing relatively
fast. -Problem in case of
injured or dirty fingers.

Gesture -Easy to use. -The need for a camera.

s scan

Digital -Easy to remember. - Necessity of a touch

signatur screen.
e
-The writing changes
during the life of the
individual.

Encrypted - High-level - Calculation time.

data authentication.
-Unable to manage and
inspect the client process.

Multi-factor -A strong - Complex.

authenticati authentication.
on

Multilevel -Authentication - Authentication problem

authenticati verified on several at the high-level
on levels. (organization), impacts
the authentication of all
users.

Authenticati -Securing user - Even if the user is

on duration accounts. authentic, when he has
difficulties to be
connected, he will be
impacted.

Trust -Dynamic - Not enough, the

Models

management of behavior of the user may

authentication change over time.
 specific to Cloud
corresponding to the
user behavior.

TTP -Management of -Difficulty of trusted

authentication by a third-party choice.
neutral third party.

11.Client access in cloud:

A Cloud Client consists of computer hardware and/or software that relies on

cloud computing for application delivery. A Cloud Client could also be
specifically designed for delivery of cloud services. In either case, the Cloud
Client is essentially useless without Cloud Services. Examples of Cloud
Clients include some computers, phones and other devices, operating systems
and browsers.
Users access cloud services by using networked cloud client devices, such
as desktop computers, laptops, tablets and smartphones. Some cloud
clients rely on cloud computing for all or a majority of their applications so
as to be essentially useless without it. Examples are thin clients and the
browser-based Chromebook. Many cloud applications do not require specific
software on the client and instead use a web browser to interact with the
cloud application. With Ajax and HTML5 these Web user interfaces can
achieve a similar or even better look and feel as native applications. Some
cloud applications, however, support specific client software dedicated to
these applications (e.g., virtual desktop clients and most email clients). Some
legacy applications (line of business applications that until now have been
prevalent in thin client Windows computing) are delivered via a screen-
sharing technology.
 12.Jurisdictional issues raised by data location :

The legal issues that frequently arise in the cloud are wide-ranging. However,
attempting a broad generalisation, mainly four types of issues arise therein:

1. Privacy of data and data security

2. Issues relating to contractual relation between the cloud service provider and
the customer
3. Complex jurisdictional issues, or issues relating to the location of the data
and the set of laws applicable
4. Commercial as well as business considerations

At the outset, it may very well be clarified that though cloud computing enables the
customer access to computing, networking, storage resources just like traditional
outsourcing services and Application Service Providers (ASPs), it has a legal
nature quite different from these two owing to its distinctive features like ‘on-
demand access’, and ‘unit-based pricing’ (pay-per-use).

Privacy and data security issues:

Seemingly, the main privacy/data security issue relating to the cloud is ‘data
breach’. Data breach may be in the generic sense defined as the loss of
unencrypted electronically stored personal information (Buyya, Broberg, &
Goscinski, 2015). A data breach can cause loss to both the provider as well as the
customer in numerous ways; with identity theft and chances of debit/credit card
fraud to the customer, and financial harm, loss of customer, loss of reputation,
potential lawsuits et cetera for the provider.
The American law requires data breach notification to be issued of affected
persons in such case of a data breach. Almost all the states in the United States
now require notification of affected persons upon the occurrence of a data breach.

Talking about the Indian scenario, most of the providers are seen to attempt at
lessening their risk liability in case of a data breach scenario. However, as more
sensitive information is entering the cloud every passing day, businesses and
corporations have started negotiating the contracts so as to insert terms that expand
the contractual obligations of the providers.

Problem arises when the data is subject to more than one jurisdictions, and the
jurisdictions have different laws regarding data privacy. For example, the
European Union Data Privacy Directive clearly states that ‘Data cannot leave the
EU unless it goes to a country that ensures an “adequate level of protection”.’
Now, although such statement makes the EU provisions easily enforceable, but it
restricts the data movement thereby reducing the data efficiency.

Contracting Issues:

Clearly, licensing agreements are fundamentally different from Service

agreements. Cloud essentially, in all its permutations (IaaS, PaaS, SaaS), is a
service, and therefore is governed by a Service agreement instead of a Licensing
agreement.

However, the main issue regarding the Cloud Service agreements is ‘contract of
adhesion’. Owing to the limited expansion of Cloud Services in India, most of the
time the ‘Click-wrap agreement’ model is used, causing the contract to be one of
the contract of adhesion. It leaves no or little scope for negotiation on the part of
the user/customer.

With the expansion of the Cloud computing, gradually the negotiation power of the
large corporation will cause the Cloud Contracts to be standard and negotiated
ones. However, at an individual level, this is still a far destination.

Legal provisions clearly cannot force the cloud providers to have a negotiating
session with each and every customer. However, legal provisions may be made to
ensure that the liability and risk responsibility clauses follow a standard pattern
which compensates the user for the lack of negotiation during the formation of the
contract.

Jurisdictional Issues:

Jurisdiction is the authority of a court to judge acts committed in a certain territory.

Jurisdiction in case of legal issues relating to the Cloud services becomes difficult
and critical because of the features of Cloud like ‘Virtualization’, and ‘Multi-
tenancy’.

While virtualization ensures the requirement of less hardware and consumption of

less power thereby ensuring computing efficiency, it also on the other hand makes
it difficult for the cloud user or the cloud provider to know what information is
housed on various machines at any given time.

Multi-tenancy refers to the ability of a cloud provider to deliver services to many

individuals or organisations from a single shared software. The risk with this is that
it makes it highly possible that the data of one user may be accessed in an
unauthorised manner by another user since the data of various users are only
virtually separated and not physically. Also, it makes it difficult to back up and
restore data.

The cloud enables a great deal of flexibility in data location, which ensures
maximum efficiency in data usage and accessibility. However, it creates a number
of legal issues as well. It makes it quite possible a scenario that the same data may
be stored in multiple locations at a given time. Now, if the multiple locations are
subject to different jurisdiction and different legal system, there arises a possibility
that there may be conflicting legal provisions regarding data in the two
aforementioned different locations. This gives rise to most of the jurisdictional
issues in Cloud computing.

Also, laws relating to confidentiality and Government access to data are different
across different nations. While the Indian laws manage to strike a balance between
national security and individual privacy, most of the nations do not prefer a
balance and have adopted a biased view on this. Problem of conflict of laws arises
herein, in such cases.

Commercial and Business Considerations:

Other commercial and business considerations like the urge to minimize risk,
maintain data integrity, accessibility and availability of data as well as Service
level Agreements have also significantly shaped the present as well as future of
Cloud Computing in India. It also creates a number of foreseeable as well as
unforeseeable issues that needs to be addressed by dedicated legislations therefor.

It is an accepted truth that Law always lags behind technical innovations, and the
complexities of the Cloud innovations and related Cloud Services like Software as
a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service
(IaaS) will force the law and legislations to catch up in order for an effective legal
system that provides legal remedies to prevent and redress the resultant harms.

Raising awareness, ensuring universal access to information, and resource

mobilizing are complimentary solutions that’ll never go wrong for the Indian
scenario in order to add to the effectiveness of an effective legal system.