Cloud Security in Middleware Architecture

1.1 Cloud computing categories

Basically four main categories of cloud computing in practice and they are as follows:

1.1.1 Public cloud services, by public cloud provider

Public cloud services are the services provided by the public cloud providers, are SaaS, IaaS, and PaaS.

In public cloud type all the computing resources are available for the public use via internet [2]. All the resources may be varied depending upon the services providers but all include storage, applications or virtual machines. It provides the resource sharing and processing power distribution that is difficult to achieve by an organisation on its individual capacity.

Some public cloud services are free to use for all the users and some services are restricted to selected individuals or organisations. The use of resources are available to rest of users by paying the charges or subscriptions that vary one to another. That will save the huge amount of money of an organisation that want higher processing speed without setting its own setup (Figure 1).

While cloud services are used by public, security becomes the major concern and that need to be addressed properly. To address the security concern we needed the experienced staff and set of methods and protocols those can deal with security. Strict policies and procedures have to deployed to protect data from other different intended users.

1.1.3 Private cloud services, managed by a public cloud provider

The for the individual customers that can be operated by third party.

• Operated by internal staff — The cloud services are managed and maintained by data centre internal staff as per the individual customer requirement in a virtual environment they control.

• The computing will be dedicated to the individual business of individual entity. This can be setup by cloud providers on the customer premises.

• By deploying cloud services it enhanced the control given to the individual business organisation.

• It is a type of virtual private cloud that can be set as at the customer unit or by virtual environment (Figure 2).

1.2 Comparison between public, private and hybrid cloud

A private cloud, also known as a corporate cloud, is either provided by a service provider or built on-site at a company’s data centre. In either case, since the services are earmarked for particular users only, the private cloud appears to provide more protection.

As resource demand increases, a hybrid cloud environment extends a stable private cloud to a public cloud. This model enables businesses to remain compliant while still taking advantage of public resources. Organisations that use hybrid cloud will get the most out of their internal resources without causing a resource overload if demand spikes unexpectedly [6].

To access the applications and services from online computer is a key benefit of public cloud services. We can use the critical or complex applications virtually because the computer performs little to no computation.

To ensure smooth and fast disaster recovery, a service provider can store replicated files across multiple data centres. Public cloud platform also ensure the data safely from outside world that considered secure from the majority of threats. Public clouds can be configured differently:

1.2.3 Infrastructure as a service (IaaS)

Infrastructure as a service (IaaS) is a business model under which a company outsources the entire data centre to a cloud provider. The provider manages the virtualization of the environment and hosts. Cloud adoption is made easier with IaaS. Purchasing and repairing hardware on-site is also more expensive than using the device (Figure 3).

2.1 On-premise SaaS vs. PaaS vs. IaaS

Clouds were once all white fluffy stuff in the sky, and the IT services are restored at on-premise. Almost all of the applications and processes can now be run on the Cloud platform.

• IaaS: Cloud services as per use and pay option for various services like storage and virtualization.

• PaaS: Various tools in place of hardware and software that are available with cloud providers.

• SaaS: software’s that we can use with the help of third party using cloud platform.

• On-premise: The software and services are going to be installed within the organisation (Figure 4).

Most of the companies are using the combination of all three computing models, and few of the organisations are hiring the developers for PaaS-based applications.

Google Apps, Salesforce, Dropbox, MailChamp, ZenDesk, DocuSign, Slack, Hubspot are the examples of IaaS.

AWS Elastic, Windows Azure, Force.com, OpenShift, Apache Stratos, are the examples of PaaS Cloud Services.

AWS EC2, Google Compute Engine, Digital Ocean, are the examples of SaaS cloud services.

Customers are responsible for protecting their data and monitoring who has access to it in all forms of public cloud services. Cloud storage data protection is critical to effectively implementing and reaping the advantages of cloud computing. Organisations considering common SaaS services such as Microsoft Office 365 or Salesforce should think about how they’ll handle their shared responsibility for cloud data security. IaaS providers such as Amazon Web Services (AWS) and Microsoft Azure need a more systematic strategy that begins with data [8].

2.2 Cloud security architecture- Consumer’s perspective

Cloud services come in a variety of flavours, including SaaS, PaaS, and IaaS (SPI), using the public, private, and hybrid operating models. The issue and solutions pertaining to Cloud security depends on the patterns. The defined architecture should be aligned with all the issues, and security controls built into the cloud architecture.

So, when designing applications for computing models, what architectural requirement and resources needed for cloud application development and their disposal. In this post, I’ll go over how to build “adequate” protection into your IaaS and PaaS applications [9].

2.3 Cloud security model

Let us start with the operational model for cloud protection. In public cloud protection obligations are shared between the cloud service providers and cloud users, while the customer manages all the activities in a private cloud. The shared infrastructure, like routers, is the responsibility of cloud service providers.

Within a cloud service, the figure below depicts the layers that are protected by the provider versus the client (Figure 5).

It’s important to do a difference review on cloud service capabilities before signing up with a provider. This exercise should assess the cloud platform’s maturity, accountability, and compliance with enterprise security requirements (such as ISO 27001) as well as regulatory standards like PCI DSS, HIPAA, and SOX. Application migration can be sped up with the use of cloud security maturity models.

The following the security measures are used to ensure the proper safety of the cloud services.

• Security policies, compliance and practices: Industry standard frameworks such as ISO 27001, SS 16, and the CSA Cloud controls matrix should be demonstrated by the cloud service provider. Controls approved by the vendor should meet the enterprise data protection standard’s control requirements. The scope of controls should be reported when cloud services are approved for ISO 27001 or SSAE 16 [10].

• Cloud Security architecture: As per the enterprise norm, the cloud service provider should report security architectural information that either support or impede security management. For example, the virtualization architecture that ensures tenant isolation should be made public.

• Automation – Providers can adopt the security automation by publishing API’s that used to allow the users to access the logs, privileges and other security threats.

• Governance and Security Management: The customer’s governance and security management obligations should be specifically defined in comparison to those of the cloud provider.

2.4 Cloud mitigation and security threats

Is cloud computing making the application more vulnerable to security threats? What are the most pressing emerging threats? What are the traditional risks that have been exacerbated or muted? Answers are contingent on the implementation and operating models used by cloud services. The threats will be like data leakage, misconfiguration of services, weakness of VM, attacks via API and failure of VM. The problems can be resolved by making Hardening of VM, incorporating encryption, authentication with security automation, etc. [11].

Threats to service availability, information confidentiality and honesty, must be factored into the design.

2.5 Threat to cloud service availability

DDoS attacks or misconfiguration errors by cloud service providers or customers can interrupt cloud services (SaaS, PaaS, IaaS). These errors have the ability to spread across the cloud, disrupting the network, processes, and storage that are used to host cloud applications. Cloud systems should be designed to survive disturbances to shared resources in order to achieve continuous availability. Applications that were designed to withstand faults within an area, on the other hand, were largely unaffected by the outage and remained accessible to users. As a design philosophy, assume that something will go wrong in the cloud and plan accordingly. Physical hardware failure as well as service interruption within a geographic area should not be a problem for applications.

2.6 Cloud architecture- security services

As a first step, architects should learn about the security features that cloud platforms have (PaaS, IaaS). The framework for integrating protection into cloud services is depicted in the diagram (Figure 6).

Offerings and capabilities in terms of security continue to change and differ between cloud providers. As a result, you’ll sometimes find that security features like key management and data encryption aren’t available. For example, encrypting security objects and keys escrowed to a key management service requires an AES 128 bit encryption service. For such applications that rely on internal resources, a “hybrid cloud” deployment architecture pattern may be the only viable choice. Single Sign-On is another common use case (SSO). If it is a federation architecture using SAML 1.1 or 2.0 provided by the cloud service provider, SSO deployed within an organisation may not be extensible to cloud applications.

The following are best practices used in cloud security to mitigate risks to cloud services:

2.7 Cloud security principles

The product development culture, emerging technology implementation, IT service delivery models, technology policy, and investments made in the field of security tools and capabilities all show that each company has a different level of risk tolerance. When a company’s business unit chooses to use SaaS for business purposes, the technology architecture changes. The security architecture should also be consistent with the technology architecture and principles. An enterprise technology architect should understand and configure the following cloud security concepts [12]:

• Cloud-based services should adhere to the concept of least privilege.

• Using firewalls and container – isolation between different protection zones should be ensured. Cloud firewall policies should adhere to data sensitivity-based trust zone isolation requirements.

• End-to-end transport level encryption (SSL, TLS, IPSEC) can be used by applications to protect data in transit between cloud and business applications.

• Authentication and authorization should be delegated to trusted security providers by applications. SAML 2.0 can be used to support single sign-on.

• Enterprise standard VM images can be used to deploy applications in a trusted zone.

• When implementing a virtual private cloud, industry standard VPN protocols including SSL, SSH, etc.

• Using an API, cloud security monitoring can be combined with existing security tools and services.

2.8 Cloud security architecture patterns

Cloud security risks can be mitigated by designing effective security controls that secure the CIA of information in the cloud. The vendor, the enterprise, or a third-party provider can provide security controls as a service (Security-as-a-Service). The point of security controls (safeguards) – technologies and processes – is usually where security architectural trends are expressed [13].

Security architecture trends act as a compass, allowing developers to move applications to the cloud faster while minimising security risks. Furthermore, cloud security architecture trends should emphasise the trust boundary between different cloud services and components. Normal interfaces and protection protocols (SSL, TLS, IPSEC, LDAPS, and so on) should also be highlighted in these patterns.

Finally, the patterns can be used to build security checklists that can be automated using configuration management software such as puppet.

For each of the security resources consumed by the cloud application, trends should highlight the following attributes (but not limited to):

• Logical place – in-house, third-party cloud, native to cloud service The service’s efficiency, availability, firewall policy, and governance can all be affected by its venue.

• Protocol(s) – Which protocol(s) is/are used to call the service? For e.g., for service requests, REST with X.509 certificates.

• Service feature – What is the service’s purpose?

• Input/output – What are the security service’s inputs, including monitoring methods and outputs? Input = XML doc and Output = XML doc with encrypted attributes, for example.

• Overview of the security control – What security controls does the security service provide? For instance, information confidentiality at rest, user authentication, and device authentication.

2.8.2 Application based security services

Identification, authentication, access enforcement, system identification, cryptographic services, and key management can all be handled by the cloud service provider, the corporate data centre, or a combination of the two (Figure 7).

User registration, authentication, account provisioning, policy compliance, logging, auditing, and metering are all examples of typical cloud access control use cases illustrated in this pattern. It focuses on the actors who communicate with cloud, in-house (enterprise), and third-party hosted services:

2.9 Identifications of security services

• An authentication service that allows users to log in via an enterprise portal (Local AuthN UI) and is usually provided via the SAML protocol. A cloud session store stores the authenticated session state.

• The account and profile provisioning service facilitates the development of new accounts and user profiles, usually through the use of SPML (Service Provisioning Markup Language).

• The cloud policy admin service is used to manage policies that control which cloud services end users have access to. Cloud service owners (enterprises) can use this service to perform administrative tasks, while end users can request access to cloud services. The cloud policy store is where cloud policies are held.

• The logging and auditing service can be used for two purposes. The first is cloud-based event reporting, which includes security events, and the second is auditing. This service can be accessed using Cloud Audit protocols and APIs.

• The metering programme keeps track of how much cloud resources are being used. This service can be used for chargebacks as well as billing reconciliation by finance departments.

2.10 Identity security services in the Enterprise

• Domain registration UI is a user interface for registering, managing, and provisioning new cloud services. The cloud providers implement authentication and authorization.

• End users produce usage reports using the cloud usage reporting UI.

• A cloud provisioning service is used to make cloud resources accessible (compute, storage, network, application services).

2.11 Third party identification of security services

Identity services provided by a third party and hosted at their location are used by cloud applications. Third-party users who need access to cloud infrastructure to conduct business functions on behalf of the company may get help from services. Backup and device control, for example. The third-party provider is in charge of user authentication, provisioning and access enforcement.

3.1 Data breaches

The effects of data breaches will include the following:

• Impact on customer or partner credibility and confidence

• Loss of intellectual property (IP) to rivals, which could have an effect on the release of goods.

• Regulatory ramifications that could lead to financial loss.

• Brand effect, which may result in a decrease in market value due to the factors mentioned above.

• Legislative and contractual obligations.

• Expenses incurred as a result of incident response and forensics

3.2 Improper change management

This is one of the most popular cloud challenges. In 2017, a misconfigured AWS Simple Storage Service (S3) cloud storage bucket exposed 123 million American households’ detailed and private data. Experian, a credit bureau, owned the data collection, which it sold to Alteryx, an online marketing and data analytics firm. Such occurrences have the potential to be catastrophic.

3.3 Poor architecture and mechanism

Organisations all over the world are moving parts of their IT infrastructure to public clouds. The introduction of sufficient security infrastructure to withstand cyberattacks is one of the most difficult challenges during this transition. Unfortunately, many businesses are still baffled by this operation. Another contributing factor is a lack of awareness of the shared security obligation model.

3.4 Improper identification and key management

Multiple improvements to standard internal system management procedures related to identity and access management are introduced by cloud computing (IAM). These aren’t even brand-new problems. Rather, when dealing with the cloud, they are more serious concerns because cloud computing has a significant effect on identity, certificate, and access management.

3.5 Threats within the organisation

The employee within the organisation can be a threat by using the sensitive data in their personal use or sharing the confidential data with others.

3.6 Wrong interfaces and API

Customers can manage and communicate with cloud services through a series of software user interfaces (UIs) and APIs exposed by cloud computing providers. The security and availability of general cloud services are also reliant on these APIs’ security. APIs that aren’t well-designed can lead to misuse or, worse, a data breach. APIs that have been broken, leaked, or compromised have resulted in significant data breaches.

4.1 Access to the cloud service

Direct access to the cloud service is needed for a full view of cloud data. An application programming interface (API) access to the cloud service is used by cloud security solutions to achieve this. It is possible to access data using an API link:

• Where does your data go in the cloud?

• Who is making use of cloud data?

• The positions of consumers of cloud service access.

• With whom do cloud users share data?

• The location of cloud data.

• The location from which cloud data is accessed and downloaded, as well as the user.

4.2 Cloud data control

Need to apply the controls that best suit the organisations demands. These safeguards include:

• Classification — As data is generated in the cloud, classify it on multiple levels, such as confidential, controlled, or public. Data may be prohibited from entering or exiting the cloud service after it has been classified.

• Implement a cloud data loss prevention (DLP) solution to protect data from unauthorised access and automatically disable access and data transport when suspicious behaviour is detected.

• Manage collaboration controls in the cloud service, such as reducing file and folder permissions for specific users to editor or viewer, deleting permissions, and revoking shared links. Ensure the cloud data should be encrypted from unauthorised users.

4.3 Compliance standards and policies

The policies and standards should be updated and expanded as per the current and forthcoming threats.

• Risk assessment — Re-evaluate and upgrade risk assessments to incorporate cloud services. Identify and mitigate the risks posed by cloud environments and providers. To speed up the evaluation process, risk databases for cloud providers are available.

• Application regulatory requirements like PCI, HIPAA, Sarbanes-Oxley, etc. and its assessment.

4.4 Cloud security importance

According to news reports, one out of every four businesses that use public cloud services has had data stolen by a malicious actor. An additional one out of every five people has had an advanced assault on their public cloud infrastructure. According to the same survey, 83 percent of businesses said they store confidential data in the cloud. With 97 percent of businesses using cloud services today, it’s critical that everyone assesses their cloud security and establishes a data-protection strategy.

McAfee’s cloud protection helps businesses grow faster by allowing them complete visibility and control over their data in the cloud. Find out more about McAfee’s cloud protection technologies.

Cloud MVISION

The enterprise’s multi-cloud protection platform. Create a single protection policy that can be used through SaaS, PaaS, IaaS, Containers, and the Web. Accelerate cloud adoption by simplifying security for a distributed workforce.

Unified Cloud Edge (UCE) is a component of MVISION Cloud that integrates data security from devices, the network, and the cloud to make SASE architecture adoption easier.

Platform for Cloud-Native Application Security (CNAPP).

CNAPP, which is part of MVISION Cloud, audits and secures the entire IaaS/PaaS stack, including containers and private clouds.