| Security Reference Model | NIST’s (National Institute of Standards and Technology) Security Reference Architecture |
| NIST’s | First Security Reference Model used by the United States. |
| NIST’s service models | SaaS, PaaS, or IaaS |
| NIST’s deployment models | Public, Private, Hybrid, or Community |
| Focus on | Specific standards for each service level. |
The cloud computing reference model groups the cloud computing functions and activities into five logical layers and three cross-layer functions.
Cloud Computing Layers
| Physical Layer | Executes requests generated at its layer. Its entities are compute, network devices and storage devices. |
| Virtual Layer | It contains virtual resources (software, hardware). |
| Control Layer | It is used to control, modify and maintain the configurations (resource configuration, pools and resource). |
| Service Orchestration Layer | It executes automated tasks provided by workflows. |
| Service Layer | It lets users interact with cloud resources. |
Cross-layer function
| Business continuity | It covers service availability and downtime. |
| Security | It provides administrative mechanisms (security policies, personnel policies and standard procedures) and technical mechanisms (firewall, IDPS, antivirus). |
| Service Management | It provides portfolio management and service management. |
NIST (National Institute of Standards and Technology) Security framework
It provides 5 tasks. They are:
| Identify | Business, asset management, risks (assessment and strategy) |
| Protect | Control, train, security, maintenance and technology. |
| Detect | Anomalies, security, detect and communicate |
| Respond | Planning response, analysis, mitigation and improve. |
| Recover | Planning, improve and communicate. |
Security Issues
| S.No | Security Issues | Details |
| 1 | Data Breaches | It is the release of confidential data to an unsecured environment, so the organization’s security measures are required to protect data on the cloud. Normally it is low. |
| 2 | Hijacking of Accounts | Attackers log in to employees’ accounts remotely to access/manipulate data stored on the cloud. Hijacking methods include scripting bugs and reused. |
| 3 | Insider Threat | An insider is a person authorized to access the organization’s services who can misuse that access. Insider threats are difficult to detect. |
| 4 | Malware Injection | These are scripts that are injected into cloud services to eavesdrop, compromise information and steal data. |
| 5 | Cloud Services Abuse | Unlimited hosting space can easily be used by hackers and users to host malware scripts. |
| 6 | Insecure APIs | Application Programming Interfaces (APIs) are used by users; if they are insecure, they pose security risks. |
| 7 | Denial of Service Attacks | It is an attack in which hackers attempt to make a website or servers unavailable to legitimate users. |
| 8 | Insufficient Due Diligence | It is an organizational security risk that arises during cloud migration, when the anticipated services don’t match the customer’s expectations. |
| 9 | Shared Vulnerabilities | In the shared environment, only the client, not the provider, is responsible for the client’s data. |
| 10 | Data Loss | Provider is responsible for the backup and recovery related procedures in case of data loss. |
| 11 | Privacy identity management | Provider is responsible for access control to information and computing resources using identity management system. Identity management system uses the concept of biometric / federation / login authentication. |
| 12 | Physical security | Provider is responsible for securing the physical hardware (servers, routers, cables etc.) against unauthorized access, theft, fires, floods etc. |
| 13 | Personnel security | Cloud services provider provides options to users in setting the security programs and training. |
| 14 | Privacy | Provider is responsible for ensuring that only authorized users have access to data. |