Module 7_Cloud and Virtualization Security


Last updated 7:47 AM on 5/18/26

84 Terms

1

Cloud Computing

It is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

2

Amazon Web Services (AWS),

Google Cloud,

Oracle,

VMware,

Microsoft Azure

Cloud Providers (5)

3

Cost efficiency,

Scalability,

Enhanced Collaboration and Accessibility,

Security and Reliability,

Automatic Software Updates,

Environmental Sustainability

Benefits of Cloud Computing (6)

4

Cost efficiency

Reduces capital expenditure by avoiding heavy investment in hardware and data centers.

5

Pay-as-you-go,

Reduced Maintenance,

Lower Entry Barrier

Cost efficiency (3)

6

Scalability

Resources can be scaled up or down dynamically based on demand.

7

Vertical Scaling,

Horizontal Scaling,

Elasticity

Scalability (3)

8

Enhanced Collaboration and Accessibility

Data and applications can be accessed globally with an internet connection.

9

Remote work,

Device Independence,

Version Control

Enhanced Collaboration and Accessibility (3)

10

Security and Reliability

Cloud providers typically invest more in security infrastructure than most individual companies can afford.

11

Data Encryption,

Redundancy,

Disaster Recovery

Security and Reliability (3)

12

Automatic Software Updates

Cloud-based applications automatically refresh and update themselves.

13

Security Patches,

Feature Access

Automatic Software Updates (2)

14

Environmental Sustainability

Cloud computing is generally more “green” than traditional on-site data centers.

15

Resource Efficiency,

Reduced Carbon Footprint

Environmental Sustainability (2)

16

On-demand self-service,

Broad network access,

Resource pooling,

Rapid elasticity,

Measured service

Core Characteristics of Cloud Services (5)

17

On-demand self-service

  • User control and automation.

  • Users provision resources automatically without human intervention.

18

Autonomy,

Speed

On-demand self-service (2)

19

Broad network access

  • Connectivity from any device/location.

  • Resources are accessible via various devices such as mobile phones, tablets, and laptops.

20

Ubiquity,

Multi-device support

Broad network access (2)

21

Resource pooling

  • Efficiency through shared hardware.

  • Multi-tenant model where resources are shared but isolated among users.

22

Shared Infra,

Location Independence

Resource pooling (2)

23

Rapid elasticity

  • Flexibility to handle workload changes.

  • Automatic scaling of resources to meet workload changes.

24

Dynamic Adjustment,

Infinite Scalability

Rapid elasticity (2)

25

Measured service

  • Transparency and pay-per-use billing.

  • Monitoring and reporting of resource usage for transparency and cost management.

26

Transparency,

Utility Pricing

Measured service (2)

27

Public Cloud,

Private Cloud,

Hybrid Cloud,

Community Cloud

Types of Clouds (4)

28

Public Cloud

  • Shared infrastructure accessible over the Internet to many customers.

  • Examples

    • AWS,

    • Google Cloud,

    • Azure.

  • Ownership:

    • Third-party provider

  • Tenancy:

    • Multi-tenant (Resources are shared with other organizations)

  • Cost:

    • Low; Pay-as-you-go model with no hardware investment

  • Best for:

    • Startups, web applications, and non-sensitive data processing.

29

Private Cloud

  • Dedicated to a single organization, either on-premises or hosted externally.

  • Can be hosted on-premises or externally managed by third parties.

  • Ownership:

    • The organization itself or a specialized provider.

  • Tenancy:

    • Single-tenant (Dedicated Resources)

  • Cost:

    • High; requires significant investment in hardware and specialized staff.

  • Best for:

    • Government agencies, financial institutions, or large enterprises with strict security and regulatory requirements.

30

Hybrid Cloud

  • Combination of public and private clouds allowing data and app sharing between them.

  • Often employed in custom enterprise solutions.

  • Structure:

    • Uses a private cloud for sensitive, core workloads and a public cloud for “cloud bursting” (handling of sudden spikes in traffic).

  • Flexibility:

    • Provides the most control, allowing organizations to keep critical assets in a secure environment while utilizing the cost-effectiveness of the public cloud when needed.

  • Best for:

    • Organizations with fluctuating workloads or those transitioning from on-premise systems to the cloud.

31

Community Cloud

  • Shared by several organizations with similar requirements such as security or compliance.

  • Used by groups such as government agencies to meet specific regulatory demands while reducing costs.

  • Ownership:

    • Managed and operated by the member organizations or a third party.

  • Tenancy:

    • Multi-tenant, but restricted to a specific group.

  • Cost:

    • Shared among the community members, making it cheaper than a full private cloud.

  • Best for:

    • Healthcare organizations sharing patient data, or educational institutions collaborating on research projects.

32

On-premises,

Off-premises,

Fog Computing,

Edge Computing

Cloud Locations (4)

33

On-premises

  • Cloud infrastructure within an organization’s physical data center;

  • maximum control but high capital and operational costs.

34

Off-premises

  • Hosted by third-party providers;

  • offers scalability and cost savings but less physical control.

35

Fog Computing

Processing data closer to IoT devices at the network edge to reduce latency (e.g., smart traffic lights).

36

Edge Computing

Distributed computation near data source to optimize real-time applications such as manufacturing or autonomous vehicles.

37

Thin clients,

Transit gateways,

Serverless infrastructure

Cloud Architecture Components (3)

38

Thin clients

Low-performance computing devices that rely on a server to perform most of their processing tasks.

39

Transit gateways

A network transit hub that interconnects virtual private clouds (VPC) and on-premises networks.

40

Serverless infrastructure

An architecture where the cloud provider manages the setup, capacity planning, and server management, allowing developers to focus solely on the individual functions of their applications.

41

Software as a Service (SaaS),

Platform as a Service (PaaS),

Infrastructure as a Service (IaaS),

Everything-as-a-Service (XaaS)

Cloud Service Models (4)

42

Software as a Service (SaaS)

Software distribution model where applications are hosted by a third-party provider and made available to customers over the internet.

43

Platform as a Service (PaaS)

Offers hardware and software tools over the internet, typically those needed for application development.

44

Infrastructure as a Service (IaaS)

Provides virtualized computing resources over the internet, offering complete control over the computing infrastructure.

45

Everything-as-a-Service (XaaS)

A collective term that refers to the delivery of anything as a service through cloud computing.

46

Efficient resource use,

Cost management,

Automation,

Performance monitoring,

Optimal service management

How to Properly Handle Cloud:

Cloud Management & Optimization Techniques (5)

47

Efficient resource use

Resource allocation, autoscaling (e.g., AWS autoscaling), and right-sizing to avoid overprovisioning and reduce cost.

48

Cost management

Tracking spending and optimizing service usage to identify savings.

49

Automation

Automating backups, scaling, and updates to reduce errors and operational load.

50

Performance monitoring

Continuous monitoring to detect and resolve issues proactively.

51

Optimal service management

Managing Service Level Agreements (SLAs), security, budgets, and compliance through portals (e.g., Microsoft Azure).

52

Cloud Security

  • It is the practice of protecting cloud-based data, applications, and infrastructure from threats through policies, controls, and technologies such as access management, encryption, and monitoring.

  • It ensures confidentiality, integrity, and availability across deployment models like public, private, and hybrid clouds.

53

Secure Web Gateways (SWG),

Cloud Access Security Brokers (CASB),

Secure Access Service Edge (SASE)

Cloud Security Mechanisms (3)

54

Secure Web Gateways (SWG)

Filter unwanted software, malware, and unauthorized web access.

55

Cloud Access Security Brokers (CASB)

Enforce security policies between users and cloud providers, including authentication, encryption, and threat protection.

56

Secure Access Service Edge (SASE)

Combines network security functions (like SD-WAN, firewall-as-a-service) into cloud-delivered services for secure, dynamic access.

57

Unauthorized Access,

Insecure APIs,

System Vulnerabilities,

Exposed Secrets

Cloud Security Challenges (4)

58

Unauthorized Access

  • Description

    • Gaining access without permission

  • Implications

    • Data breach, resource misuse

  • Preventive Measures

    • Multi-factor authentication, strict access control

59

Insecure APIs

  • Description

    • Vulnerable APIs exposed to attacks

  • Implications

    • Data exposure, DoS attacks

  • Preventive Measures

    • Secure coding, encryption, rate limiting, audits

60

System Vulnerabilities

  • Description

    • Flaws allowing malware, data corruption

  • Implications

    • System compromise

  • Preventive Measures

    • Regular patching, vulnerability scanning, ethical hacking

61

Exposed Secrets

  • Description

    • Exposure of credentials and keys

  • Implications

    • Security breaches

  • Preventive Measures

    • Secret management tools (HashiCorp Vault, AWS Secrets Manager)

62

Virtualization

The creation of software-based versions of computing resources, such as servers, storage, or networks, allowing multiple virtual instances to run on a single physical machine.

63

Virtual Machines (VMs),

Hypervisors,

Containers,

Virtual Desktop Infrastructure (VDI)

Virtualization Types (4)

64

Virtual Machines (VMs)

Software emulations of physical computers, isolated and secure.

65

Type 1 (bare-metal),

Type 2 (hosted)

Hypervisors (2)

66

Type 1 (bare-metal)

  • Runs directly on hardware

  • (e.g., VMware ESXi, Microsoft Hyper-V).

67

Type 2 (hosted)

  • Runs on top of an OS

  • (e.g., VMware Workstation, Oracle VirtualBox).

68

Containers

  • Lightweight OS-level virtualization for running multiple workloads on a single OS (e.g., Docker).

  • Faster and more resource-efficient than VMs.

69

Virtual Desktop Infrastructure (VDI)

Centralized desktop hosting delivered to users remotely (e.g., Citrix XenDesktop).

70

Resource Optimization,

Flexibility and Agility,

Cost Reduction

Advantages of Virtualization (3)

71

Resource Optimization

Dynamic allocation maximizes hardware usage and lowers costs.

72

Flexibility and Agility

Quick deployment, testing, and scaling without affecting physical infrastructure.

73

Cost Reduction

Fewer physical servers, lower power, cooling, and space requirements.

74

Infrastructure as Code (IaC) and Software-Defined Networking

  • Managing infrastructure through code for automation, consistency, and reduced human error.

  • Tools

    • Terraform,

    • Ansible,

    • AWS CloudFormation

75

Software-Defined Networking (SDN),

Software-Defined WAN (SD-WAN),

Software-Defined Visibility (SDV)

Infrastructure as Code (IaC) and Software-Defined Networking (3)

76

Software-Defined Networking (SDN)

Programmatic network management to improve performance and flexibility (e.g., Cisco ACI).

77

Software-Defined WAN (SD-WAN)

Optimizes wide-area network connectivity, improving bandwidth and resilience (e.g., VMware SD-WAN).

78

Software-Defined Visibility (SDV)

Enhanced network monitoring and analytics for security and performance (e.g., Gigamon).

79

VM Escape,

Insecure APIs,

Snapshot/Image Flaws,

Hyperjacking

Virtualization Specific Vulnerabilities (4)

80

VM Escape

  • Description

    • Attacker breaks out of VM to host or other VMs

  • Impact

    • Full host compromise

81

Insecure APIs

  • Description

    • APIs allowing unauthorized control

  • Impact

    • Manipulation of virtual environment

82

Snapshot/Image Flaws

  • Description

    • Sensitive data exposed in VM snapshots

  • Impact

    • Data leakage

83

Hyperjacking

  • Description

    • Rogue hypervisor installed to control host

  • Impact

    • Complete system takeover

84

Segmentation, isolation,

IDS/IPS,

access controls,

patch management,

VM sprawl,

Encryption,

regular security audits, compliance

Virtualization Security Strategies (7)

  1. _____ and _____ (micro-segmentation).

  2. Deploy intrusion detection and prevention systems (_____).

  3. Strong _____ with multi-factor authentication.

  4. Regular _____ (hypervisor, OS, apps).

  5. Monitoring and managing _____; decommission unused VMs.

  6. _____ of data at rest and in transit.

  7. Conduct _____ and _____ assessments.