Virtualization Security in Cloud Computing Part-I

Recent years have seen great advancements in both cloud computing and virtualization. On one hand there is the ability to pool various resources to provide software-as-a-service, infrastructure-as-a-service and platform-as-a-service. At its most basic, this is what describes cloud computing. On the other hand, we have virtual machines that provide agility, flexibility, and scalability to the cloud resources by allowing the vendors to copy, move, and manipulate their VMs at will. The term virtual machine essentially describes sharing the resources of one single physical computer into various computers within itself. VMware and virtual box are very commonly used virtual systems on desktops. Cloud computing effectively stands for many computers pretending to be one computing environment. Obviously, cloud computing would have many virtualized systems to maximize resources.

Cloud Computing – Download Free EBooks and Whitepapers
Java – Download Free EBooks and Whitepapers
Windows – Download Free EBooks and Whitepapers

Keeping this information in mind, we can now look into the security issues that arise within a cloud-computing scenario. As more and more organizations follow the “Into the Cloud” concept, malicious hackers keep finding ways to get their hands on valuable information by manipulating safeguards and breaching the security layers (if any) of cloud environments. One issue is that the cloud-computing scenario is not as transparent as it claims to be. The service user has no clue about how his information is processed and stored. In addition, the service user cannot directly control the flow of data/information storage and processing. The service provider usually is not aware of the details of the service running on his or her environment. Thus, possible attacks on the cloud-computing environment can be classified in to:

  1. Resource attacks: These kinds of attacks include manipulating the available resources into mounting a large-scale botnet attack. These kinds of attacks target either cloud providers or service providers.
  2. Data attacks: These kinds of attacks include unauthorized modification of sensitive data at nodes, or performing configuration changes to enable a sniffing attack via a specific device etc. These attacks are focused on cloud providers, service providers, and also on service users.
  3. Denial of Service attacks: The creation of a new virtual machine is not a difficult task, and thus, creating rogue VMs and allocating huge spaces for them can lead to a Denial of Service attack for service providers when they opt to create a new VM on the cloud. This kind of attack is generally called virtual machine sprawling.
  4. Backdoor: Another threat on a virtual environment empowered by cloud computing is the use of backdoor VMs that leak sensitive information and can destroy data privacy.
  5. Having virtual machines would indirectly allow anyone with access to the host disk files of the VM to take a snapshot or illegal copy of the whole System. This can lead to corporate espionage and piracy of legitimate products.

Virtualization Security in Cloud Computing Part-II

Virtualization Security in Cloud Computing Part-III

[Guest Blog]

Shathabheesha is a security researcher for InfoSec Institute. InfoSec Institute is an IT security certification company that offers popular VMware boot camp training.


Lombardi F, Di Pietro R – Secure virtualization for cloud computing, 2010

LDAP and Cloud:

Extending LDAP to cloud:

SAS 70 and Cloud Computing

The Statement on Auditing Standards No. 70 (SAS 70) has become the ubiquitous auditing report by which all cloud computing service providers are judged.  So how did this financial auditing report become the standard by which we examine cloud service providers?  How much can we trust this report as a true representation of the security controls in place?

Cloud Computing – Download Free EBooks and Whitepapers
Java – Download Free EBooks and Whitepapers
Windows – Download Free EBooks and Whitepapers

SAS 70 was originally titled “Reports on the Processing of Transactions by Service Organizations” but was changed by Statement on Auditing Standards No. 88 to “Service Organizations”. The guidance contained in SAS 70 is effective for all service auditors’ reports dated after March 31, 1993.

There are two types of service auditor reports.

Type I Type II
v      Reports on controls placed in operation (as of a point in time)v      Looks at the design of controls- not operating effectivenessv      Considered for information purposes onlyv      Not considered a significant use for purposes of reliance by user auditors/organizationsv      Most often performed only in the first year a client has a SAS 70 v      Reports on controls placed in operation and tests of operating effectiveness(for a period of time, generally not less than 6 months)v      Differentiating factor: Includes Tests of Operating Effectivenessv      More comprehensivev      Requires more internal and external effortv      Identifies instances of non-compliancev      More emphasis on evidential matter

The rise of cloud computing pushed companies to search for a method to validate these new types of services.  Publicly traded companies that had to be compliant with SOX were already familiar with the SAS 70.  It was a natural evolution to adapt the report to auditing cloud computing service providers even though it was not originally intended for this purpose. Amazon Web Services & SAS70 Type II audit procedures

Amazon Web Services’ controls are evaluated every six months by an independent auditor in accordance with Statement on Auditing Standards No. 70 (SAS70) Type II audit procedures. The report includes the firm’s opinion and results of their evaluation of the design and operational effectiveness of our most important internal control areas, which are operational performance and security to safeguard customer data. The SAS70 Type II report as well as the processes explained in this document, applies to all geographic regions within the AWS infrastructure.

AWS’ SAS70 Type II Control Objectives

Security Organization Controls provide reasonable assurance that there is a clear information security policy that is communicated throughout the organization to users.
Amazon Employee Lifecycle Controls provide reasonable assurance that procedures have been established so that Amazon employee user accounts are added, modified and deleted in a timely manner and reviewed on a periodic basis to reduce the risk of unauthorized / inappropriate access.
Logical Security Controls provide reasonable assurance that unauthorized internal and external access to data is appropriately restricted and access to customer data is appropriately segregated from other customers.
Secure Data Handling Controls provide reasonable assurance that data handling between the customer’s point of initiation to an AWS storage location is secured and mapped accurately
Physical Security Controls provide reasonable assurance that physical access to Amazon’s operations building and the data centers is restricted to authorized personnel.
Environmental Safeguards Controls provide reasonable assurance that procedures exist to minimize the effect of a malfunction or physical disaster to the computer and data center facilities.
Change Management Controls provide reasonable assurance that changes (including emergency / non-routine and configuration) to existing IT resources are logged, authorized, tested, approved and documented.
Data Integrity, Availability and Redundancy Controls provide reasonable assurance that data integrity is maintained through all phases including transmission, storage and processing.
Incident Handling Controls provide reasonable assurance that system incidents are recorded, analyzed, and resolved in a timely manner.

Limitations of SAS 70 Ø      It is not as robust as other security frameworks, such as ISO 27000 or the NIST 800 series. Ø      ISO 27000 or the NIST 800 series take a broader approach to information security by reviewing the entire program from a risk management perspective.  In contrast, the SAS 70 is focused primarily on security controls and procedures surrounding the data center and financial implications. Ø      The SAS 70 report can be misleading to the casual observer as it only focuses on controls and procedures that are agreed upon before the audit by the auditor and the company being audited. Cloud & SAS 70 The Type I report only requires the auditor to make an opinion on the effectiveness of the controls in place at the time of the audit.  The Type II report takes this a step further by requiring the auditor to test the controls as well as document his opinion on their effectiveness. The SAS 70 report is focused on accurate financial reporting so the auditors involved are typically from CPA firms.  A CPA firm possesses the education, training and experience to audit financial controls and may even have insight into other types of controls.  However, the question becomes should a CPA be validating information security controls?  If the auditor does not possess expertise in information security, it will be very difficult to provide much insight into the effectiveness of the controls.  There will be technical areas that will get overlooked just as a CISSP would not recognize inaccuracies in a financial audit. Of the many regulations touching upon information technology with which organizations must comply, few were written with Cloud Computing in mind. Auditors and assessors may not be familiar with Cloud Computing generally or with a given cloud service in particular. That being the case, it falls upon the cloud customer to recognize:

Ø      Regulatory applicability for the use of a given cloud service Ø      Division of compliance responsibilities between cloud provider and cloud customer Ø      Cloud provider’s ability to produce evidence needed for compliance Ø      Cloud customer’s role in bridging the gap between cloud provider and auditor/assessor

Should an organization interested in purchasing cloud related services even bother requesting this report from a prospective provider?  The SAS 70 can still be useful if the provider has tested more than the minimum number of controls; however, a vendor that provides a SAS 70 will most likely only be focused on areas of strength.  A vendor that does not provide a SAS 70 may or may not be serious about information security and protecting your data. Recommendations are Right to Audit clause, involvement of Legal Personnel and Cloud Aware Auditors, Compliance to ISO/IEC 27001/27002,SAS 70 Type II, Evidence of Compliance, Identification of impact of Regulations on Infrastructure, Policy & Procedures, Information Security Reference: Related articles

Cloud Governance

Cloud Governance
Cloud Computing – Download Free EBooks and Whitepapers
Java – Download Free EBooks and Whitepapers
Windows – Download Free EBooks and Whitepapers

Governance • Governance is about deciding and prioritizing what things to do, while Management is about how to do them in an optimal manner. • Corporate governance: set of processes, customs, policies, laws, and institutions affecting the way a corporation is directed, administered or controlled. • IT Governance: Subset discipline of Corporate Governance focused on information technology • Cloud governance: Subset discipline of IT Governance which involves applying policies to the use of cloud services.

IT Governance of Cloud Computing• For Cloud Computing to be effectively used by enterprises, Convergence, Governance and Standardization are required in the following areas and for the reasons described below: – Security – Interoperability: DMTF – Interoperable Clouds – Portability – Metering and Billing – Provisioning , Performance and Scalability

Use Cases & Cloud Governance Hosted HR module in ERP capability to Support Expanded Sales and Marketing Efforts PaaS to Build Custom Business Application / Service Utilization of Datacenter Resources and Server Consolidation Basic IT Infrastructure to drive Business ModelScaling a Custom-built Application for universal use by the Industry To Integrate Internal Private Cloud With Public CSPs / Private Data Cloud Supported by a Public Cloud Resources Distributed Data Model for a Real-time, Event-driven Architecture Business Model Integrate Business Offices to Enable Sharing and Collaboration

Tutorial- Application Development on from 30 day Free Trial

Application Development on is a cloud computing platform as a service offering from Salesforce, the first of its kind allowing developers to build multi-tenant applications that are hosted on their servers as a service.

Cloud Computing – Download Free EBooks and Whitepapers
Java – Download Free EBooks and Whitepapers
Windows – Download Free EBooks and Whitepapers

Features of

The multitenant architecture of consists of the following features:

•Shared infrastructure. Every customer (or tenant) of shares the same infrastructure. You are assigned a logical environment within the infrastructure.

•Single version There is only one version of the platform in production. The same platform is used to deliver applications of all sizes and shapes, used by 1 to 100,000 users.

•Continuous, zero-cost improvements When is upgraded to include new features or bug fixes, the upgrade is enabled in every customer’s logical environment with zero to minimal effort required.

•Infrastructure Explosure is targeted toward corporate application developers and independent software vendors. Unlike the other PaaS offerings, it does not expose developers directly to its own infrastructure

•Integration with other Technologies: integrates with other technologies using open standards such as SOAP and REST, the programming languages and metadata representations used to build applications are proprietary to

•Relational Database
–To store and manage the business data. Data is stores in the objects.
•Application Services
–logging, transaction processing, validation
•Declarative Meta-Data
–Customized configured simple XML and documented schema’s
•Programming Languages
–Apex - Infrastructure, Application and Operational Services
The layers of technologies and services make up the platform. - Application Architecture - How it works? – How it works?

30 day free trial doesn’t provide Workflow support else we can create full featured application. In Trial, we can create a Visualforce page but cannot enable Sites for our organization nor register our domain name and expose the Visualforce page we created as a public product catalog on the Web.

Workflow Support is available in One App: Start with one custom app- for your organization only. - 30 day Free Trial – 30 day Free Trial

Related articles

Project and Portfolio Management on Private Cloud

PPM deployment on cloud (PPM as a Service) results into faster deployments, Subscription based Pricing, Access to important information on the go and availability. With different use cases deployment model may differ but most of the cloud benefits remain same with the model specific benefits as per need.

Cloud Computing – Download Free EBooks and Whitepapers
Java – Download Free EBooks and Whitepapers
Windows – Download Free EBooks and Whitepapers

Public clouds come with the challenges in terms of Security & Compliance, Data Loss – No High Availability Fail Over and Fraud & Spammers. Storing highly sensitive project data on Public clouds not only creates security threat to data but single point failure also. Thus the basic requirements of the PPM deployment on Private Cloud use case are Governance, Security, Interoperability and SLAs since data and processes are managed within the organization without the restrictions of network bandwidth, security exposures and legal requirements that using public cloud services might entail.


Benefits of Cloud enablement for Manufacturing Industry

Benefits of Cloud enablement for Manufacturing

  • On demand version of ERP
  • High availability – To keep running all operations without failure
  • Functionality and flexibility at much lower cost due to pay per use model
  • Lower operational costs
  • Faster time to market, Quicker deployment and Easy to Use
  • Scope of innovation due to increased focus on business rather than resource management and affordability due to lower cost and flexible payment model
  • Better collaboration and information sharing which provides visibility into every aspect of supply chain
  • Analytics-Access to the necessary information to inform decision making
  • Easy upgrades
  • Visibility to the vendors operations (purchase orders) in its own IT landscape – Hybrid Cloud to connect vendors and suppliers.
  • Cloud computing, Mobilizing of IT applications, will help to collect real-time data from potentially any asset along the value chain.

Disadvantages of Cloud enablement for Manufacturing

  • Security, reliability and customization
  • Compliance to industry standards for security and provide adequate service-level agreements in manufacturing industry
  • Customization challenges: Same instance of cloud computing software is shared among customers


Cloud Computing – Download Free EBooks and Whitepapers
Java – Download Free EBooks and Whitepapers
Windows – Download Free EBooks and Whitepapers

Application Security on Cloud

Application Security on Cloud-The cloud model has motivated industry and academia to adopt cloud computing to host a wide spectrum of applications ranging from high computationally intensive applications down to light weight services.

Developers and IT departments are being told they need to move applications to the cloud and are often left on their own to navigate the challenges related to developing and managing the security of applications in those environments.

What’s more important and elemental is to examine if the web application being used is more vulnerable because of the way it was built, and then deployed in the cloud – versus focusing on cloud security risks from an environmental or infrastructure perspective.

Lack of visibility with respect to resources in cloud computing can create a number of security and compliance issues. Security questions can span from whether information transferred between systems in the cloud is safe, to what type of data is best stored in the cloud, to how do I control who accesses my data?

In addition to the usual challenges of developing secure IT systems, cloud computing presents an added level of risk because essential services are often outsourced to a third party. Cloud computing shifts control over data and operations from premise to their cloud providers. The security problem becomes more complicated under the cloud model as new dimensions have entered into the problem scope related to the model architecture, multi-tenancy, elasticity, and layers dependency stack. Cloud computing is available in SPI model stack which is SaaS, PaaS, IaaS and each presents different levels of responsibility for security management.

Cloud Computing security is fundamentally about three goals/objectives:

CIA - Confidentiality Integrity and Availability

CIA – Confidentiality Integrity and Availability

  • Confidentiality (C): Confidentiality refers to keeping data private.
  • Integrity (I): Integrity is a degree confidence that the data in the cloud is what is supposed to be there, and is protected against accidental or intentional alteration without authorization.
  • Availability (A): It refers to availability of Information.

How different is this from application security in the traditional enterprise/non-cloud environment? Of course, with the cloud you have the additional aspect of shared or outsourced environment.

Traditional security or transport layer security is performed at the physical, link, Network and transport layer, commonly known as layers 1-4. There are a number of technologies used to secure these layers such as FWs, intrusion detection/prevention, encryption, anti-virus etc.. This security is ok, when an application is inward facing, typically used on an organizations intranet that can only be access by internal employees and possibly business partners, depending on how that security is set up, such as a federation.

When an application is outward facing or being put in a cloud solution, message layer security performed at the session, presentation and application layers (layers 5-7) in addition to traditional security should be required. End to end solution meaning that access control and payload are secured from the requester to requestee.

While it is true that traditional application security issues still apply in the cloud, and that you still need to take advantage of established processes associated with requirements, design, and implementation and testing, organizations can’t simply repackage what they know about application security. Applications in the cloud require special care. IT teams can’t be content to use mitigation techniques only at the network or operating system level anymore.

It’s imperative to understand the inherent (and non-storied) threats facing applications in virtualized environments. Common vulnerabilities associated with multi-tenancy and cloud provider services, like identity and access management, must be examined from both a security and compliance perspective.

Organizations lose control over physical network or computing systems, even local storage for debugging and logging is remote. Additionally, auditors may be concerned about the fact that the cloud provider has access to sensitive data at rest and in transit.

Inherent threats are not only present in the virtualized deployment environment, but also in the way applications for the cloud are developed in the first place. Consider the choices many architects and designers are forced to make when it comes to developing and deploying applications in the cloud. Because they are now in a position where they are relying on external controls put in place by the provider, they may feel comfortable taking short cuts when it comes to building in application security features.

“Cloud security is not bad, it is just different”. It seems that what we hear a lot is the word “uncertainty“which can be translated into actual meaning “I don’t know how?”.

As opposed to traditional internal application infrastructures, in the cloud the trust boundary shrinks down to encompassing only the application itself, with all the users and related storage, database and identity management systems becoming “external” to that application. In this situation, “trust no one” takes on great significance to the IT organization. With all these external sources wanting access to the application, how do you know what request is legitimate? How can we make up the lack of trust? It boils down to establishing an additional layer of security controls. Organizations must encrypt all sensitive data stored or transmitted and treat all environmental inputs as untrusted in order to protect assets from attackers and the cloud provider itself.

Best practices aimed at building protection must be incorporated into the development process to minimize risks. How can you help applications become more secure? It starts with a seatbelt – in the form of application level security controls that can be built into application code or implemented by the cloud services provider itself.

Examples of these controls can include encryption at rest, encryption in transit, point-to-point and message contents, auditing and logging, or authentication and authorization.

In an IaaS environment, it may not be an option to have the provider manages these controls.

Using PaaS APIs to establish these controls, for example, is that in most cases the service provider has tested and debugged the API to speed time to market for the application.

In SaaS environments offer no choice to the developer, as the SaaS provider will be totally in control of how data is secured and identity managed.

Each environment, IaaS, PaaS or SaaS, requires its own checklist to ensure the applications are ready for prime time.

Security testing must be done at the application level, not the environmental level. Threat modeling and design phases need to take additional cloud environmental risks into account. And, implementation needs to use cloud security aware coding patterns in order to effectively eliminate vulnerability classes such as Cross-Site Scripting (XSS) and SQL Injections. Standards such as OWASP Top 10 and CWE/SANS Top 25 are still applicable for testing IaaS and PaaS applications, and many SaaS extensions.

The following security measures represent cloud security areas to be concerned about.

Security Areas in Cloud Computing

Security Areas in Cloud Computing

  • Build and maintain a secure cloud infrastructure.

Ø Implement N/W security

Ø Implement virtualization security

Ø Ensure physical security

  • Ensure confidential data protection.
  • Implement strong access and identity management.

We need to understand over here:

“The service model may adjust the defined roles & responsibilities in collaborative information security governance and risk management (based on the respective scope of control for user and provider).”

“The deployment model may define accountability and expectations (based on risk assessment).”


CSA Guidelines

Cloud Computing – Download Free EBooks and Whitepapers
Java – Download Free EBooks and Whitepapers
Windows – Download Free EBooks and Whitepapers