A form of distributed computing. Promotes availability via high-speed broadband and distributed servers. Introduces new security threats. Security responsibility is split between provider and client.
Characteristics
- On-demand self-service
Resources added or removed as needed.
- Broad network access
Accessible from mobile, desktop, and mainframe.
- Resource pooling
Multiple tenants share dynamically reassigned resources, invisibly.
- Rapid elasticity
Services scale up or down automatically.
- Measured service
Usage monitored and billed like a utility.
Deployment Models
Private cloud
Infrastructure operated exclusively for one organization. Full control over security setup.
Community cloud
Shared by organizations with common goals or interests. Management may be outsourced, responsibility remains with the community.
Public cloud
Operated by a provider for general public use. Client has no control over security setup.
Hybrid cloud
Two or more cloud types connected to balance loads. Most security responsibility falls on the client.
Security Responsibility
Control exists on a continuum from public to private cloud. The less control the user has, the more dependent they are on provider-enforced separation controls.
- Public cloud
User fully dependent on provider’s controls. Must review terms of use. Must add own protections (e.g., encryption).
- Private cloud
Organization controls all security settings.
Cloud security breaches commonly arise from:
- Misconfiguration of security settings.
- Lack of visibility into access settings and activity.
- Problems with identity and access management (IAM).
Cloud Security Threats
Objectives remain: confidentiality, integrity, availability. Attack surface is dramatically larger than on-premises.
Data breaches
Unauthorized access to cloud-stored data. Difficult to manage due to shared resources and many ingress points. Large data volumes increase exposure.
Misconfiguration
Users often retain excess privileges. Default settings are opaque. Hackers exploit over-privileged accounts.
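The breach causes listed above (misconfiguration, lack of visibility into access settings, IAM problems) and the over-privileged accounts described under Misconfiguration are the kind of thing a policy audit catches before an attacker does. The following is an added example, not from the original notes: a constructed access policy in the common JSON layout (Effect / Principal / Action / Resource, with placeholder `arn:cloud:` resource names) and an audit that flags every Allow statement that is wildcard-privileged or open to any principal.

```python
import json

# Constructed sample policy (added example, not from the original notes).
# The "arn:cloud:..." resource names are placeholders, not a real provider's.
SAMPLE_POLICY = json.loads("""
{
  "Statement": [
    {"Sid": "AppRead", "Effect": "Allow",
     "Action": ["storage:GetObject"], "Resource": "arn:cloud:storage:::app-data/*"},
    {"Sid": "LegacyAdmin", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "PublicList", "Effect": "Allow", "Principal": "*",
     "Action": "storage:ListBucket", "Resource": "arn:cloud:storage:::app-data"},
    {"Sid": "NoDelete", "Effect": "Deny", "Action": "storage:*", "Resource": "*"}
  ]
}
""")

def _as_list(value) -> list:
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _has_wildcard(values: list) -> bool:
    # "*" grants everything; "service:*" grants every action in one service
    return any(isinstance(v, str) and (v == "*" or v.endswith(":*")) for v in values)

def audit_policy(policy: dict) -> list[dict]:
    """One finding per Allow statement that is over-privileged or public."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements narrow access; only Allow can widen it
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if _has_wildcard(actions) and _has_wildcard(resources):
            findings.append({"sid": sid, "issue": "wildcard action on every resource"})
        elif _has_wildcard(actions):
            findings.append({"sid": sid, "issue": "wildcard action"})
        if "*" in _as_list(stmt.get("Principal")):
            findings.append({"sid": sid, "issue": "public principal"})
    return findings
```

Running `audit_policy(SAMPLE_POLICY)` reports the forgotten `LegacyAdmin` statement and the publicly listable bucket while leaving the scoped `AppRead` grant and the explicit Deny alone.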
Account hijacking
Strong authentication not mandated by default. Decommissioning of unused accounts is often poorly controlled.
Limited visibility
No regulation requires cloud usage visibility, especially in SaaS. Unauthorized access is hard to detect.
Insecure interfaces and APIs
No standard security specification for cloud APIs. ~⅓ of cloud security incidents (5-year study) caused by insecure interfaces/APIs.
Security and Deployment Model Interaction
| Model | Provider Responsibility | Client Responsibility |
|---|---|---|
| Private | Varies (may be outsourced) | Full ownership and control |
| Public | Full setup and management | Awareness, encryption, cleanup |
| Hybrid | Partial | Majority |
Cloud Security Management Responses
- Data protection in transit and at rest.
- Identity and access management (IAM) for cloud users.
- Security management of cloud services.
- Data management and business continuity under attack.
- Legal compliance.
Cloud Migration Risk Analysis
Steps:
- Identify assets.
- Determine vulnerabilities.
- Estimate likelihood of exploitation.
- Compute expected loss.
- Survey and select new controls.
- Project savings.
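The six steps above chain together as a small quantitative model: asset value and exposure give the single loss, likelihood turns it into an annual loss, and each candidate control is judged by the loss it avoids minus what it costs. The following is an added example, not from the original notes; the asset figures, control names and reduction factors are constructed for illustration.

```python
from dataclasses import dataclass

# Added example (not from the original notes): the migration risk analysis
# steps carried through for one asset. All figures below are constructed.

@dataclass
class Exposure:
    asset: str
    asset_value: float      # impact value of the asset, in currency units
    exposure_factor: float  # fraction of that value lost per incident (0..1)
    annual_rate: float      # expected incidents per year (likelihood)

    def single_loss(self) -> float:
        return self.asset_value * self.exposure_factor

    def annual_loss(self) -> float:
        """Expected annual loss: single loss x annual rate of occurrence."""
        return self.single_loss() * self.annual_rate

@dataclass
class Control:
    name: str
    annual_cost: float
    rate_reduction: float = 0.0    # fraction by which it cuts likelihood
    impact_reduction: float = 0.0  # fraction by which it cuts loss per incident

def apply_control(e: Exposure, c: Control) -> Exposure:
    """The same asset after the control is in place."""
    return Exposure(e.asset, e.asset_value,
                    e.exposure_factor * (1 - c.impact_reduction),
                    e.annual_rate * (1 - c.rate_reduction))

def project_savings(e: Exposure, c: Control) -> float:
    """Net annual benefit: loss avoided minus the control's own cost."""
    return e.annual_loss() - apply_control(e, c).annual_loss() - c.annual_cost

def rank_controls(e: Exposure, controls: list[Control]) -> list[Control]:
    """Best net savings first; a negative value means the control costs more than it saves."""
    return sorted(controls, key=lambda c: project_savings(e, c), reverse=True)

# Constructed scenario: a customer database being moved to a public cloud.
CUSTOMER_DB = Exposure("customer database", asset_value=2_000_000,
                       exposure_factor=0.25, annual_rate=0.5)
CANDIDATE_CONTROLS = [
    Control("client-side encryption of stored data", 40_000, impact_reduction=0.8),
    Control("MFA plus quarterly account cleanup", 15_000, rate_reduction=0.5),
    Control("premium provider support tier", 120_000, rate_reduction=0.1),
]
```

With these figures the baseline annual loss is 250,000; encryption nets 160,000 a year, the MFA/cleanup control 110,000, and the support tier loses money.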
Cloud Provider Assessment
Security criteria to evaluate:
- Authentication, authorization, and access control options.
- Encryption options.
- Audit logging capabilities.
- Incident response capabilities.
- Reliability and uptime.
Assessment frameworks:
- FedRAMP
US federal cloud security program.
- PCI DSS
Payment card industry data security standard.
- CSA STAR
Cloud Security Alliance Security, Trust, Assurance, and Risk registry.
Security Benefits
- Geographic diversity
Data mirrored across dispersed data centers. Protection from local or natural disasters.
- Platform and infrastructure diversity
Different platforms have different bugs. Single attack less likely to compromise entire system. Useful for diversifying a technology stack.
Cloud-Based Security Functions
- Email filtering
Cloud-based filter inserted as an SMTP hop. Low overhead.
- DDoS protection
Cloud provider proxies traffic via DNS record update. Absorbs flood traffic with high-bandwidth infrastructure.
- Network monitoring
Cloud solutions reduce hardware requirements. Provides monitoring and incident response expertise.
Cloud Storage Security
Default behavior: data stored unencrypted or encrypted with a single shared key. Weak confidentiality.
Encryption approaches:
- Per-user key generation based on password or secret.
- TNO model
Trust No One: provider does not hold decryption keys. Maximum confidentiality.
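Both encryption approaches above amount to the same client-side pattern: each user derives their own key from a password and a random salt, and the provider only ever stores salt, nonce, ciphertext and authentication tag. The following is an added example, not from the original notes. It assumes a standard-library-only Python client, so the keystream is HMAC-SHA256 in counter mode with an encrypt-then-MAC tag standing in for an AEAD such as AES-GCM; the key derivation (PBKDF2) and the key-custody argument are the point.

```python
import hashlib
import hmac
import os

# Added example (not from the original notes): client-side, per-user encryption
# in the Trust No One model. The client derives its key from a password and a
# random per-user salt; the provider stores only salt, nonce, ciphertext and tag,
# never the password or the derived key. Python's standard library has no AES,
# so the keystream is HMAC-SHA256 in counter mode with an encrypt-then-MAC tag;
# a production client would use an AEAD such as AES-GCM from a crypto library.

PBKDF2_ROUNDS = 100_000  # slows offline guessing if the provider is breached

def derive_user_key(password: bytes, salt: bytes) -> bytes:
    """64 bytes: first half encrypts, second half authenticates."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS, dklen=64)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt_for_upload(password: bytes, plaintext: bytes) -> dict:
    """Everything in the returned dict is safe to hand to the provider."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = derive_user_key(password, salt)
    enc_key, mac_key = key[:32], key[32:]
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}

def decrypt_after_download(password: bytes, blob: dict) -> bytes:
    """Client-side decryption; fails closed on a wrong password or tampering."""
    key = derive_user_key(password, blob["salt"])
    enc_key, mac_key = key[:32], key[32:]
    expected = hmac.new(mac_key, blob["nonce"] + blob["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("integrity check failed: wrong password or modified object")
    stream = _keystream(enc_key, blob["nonce"], len(blob["ciphertext"]))
    return bytes(c ^ k for c, k in zip(blob["ciphertext"], stream))
```

Because the salt differs per user, two tenants with the same password still get different keys, and a provider-side compromise yields only data that must be brute-forced through the password derivation.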
Data Loss Prevention
A solution that identifies and prevents unsafe sharing, transfer, or use of sensitive data. Harder in cloud than on-premises: less control over data ingress/egress points.
Strategies:
- Route all access through a corporate VPN.
- Install DLP agents on corporate end-user systems.
- In IaaS: insert a DLP server as a proxy between user systems and cloud servers.
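Whichever of the three placements is used (VPN, endpoint agent, or a DLP proxy in front of IaaS), the agent or proxy has to make a per-request decision about the content it sees. The following is an added example, not from the original notes, of that content check: it finds payment card numbers with a Luhn checksum so that order numbers do not trigger it, looks for a classification label, and returns an allow/block decision. The request payloads are constructed, and the card number is the well-known test value 4111 1111 1111 1111.

```python
import re

# Added example (not from the original notes): the content inspection a DLP
# agent or proxy applies before letting data leave for a cloud service.
# Digit runs of 13 to 19 digits, optionally separated by spaces or hyphens.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
LABEL_RE = re.compile(r"\b(CONFIDENTIAL|INTERNAL ONLY)\b", re.IGNORECASE)

def luhn_valid(digits: str) -> bool:
    """Luhn checksum: rejects order numbers and other random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(text: str) -> list[str]:
    """Return masked card numbers found in text (last four digits kept)."""
    hits = []
    for match in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append("*" * (len(digits) - 4) + digits[-4:])
    return hits

def inspect_transfer(text: str) -> dict:
    """Decision for one outbound request: allow, or block with reasons."""
    reasons = []
    cards = find_card_numbers(text)
    if cards:
        reasons.append("payment card number(s): " + ", ".join(cards))
    label = LABEL_RE.search(text)
    if label:
        reasons.append("classification label: " + label.group().upper())
    return {"action": "block" if reasons else "allow", "reasons": reasons}

# Constructed outbound requests as a DLP proxy would see them.
SAMPLE_REQUESTS = [
    "support ticket: customer paid with 4111 1111 1111 1111, please refund",
    "order 1234 5678 9012 3456 shipped on Tuesday",
    "Q3 forecast attached. INTERNAL ONLY.",
    "lunch menu for Friday",
]

def triage(requests: list[str]) -> list[str]:
    return [inspect_transfer(r)["action"] for r in requests]
```

The second request carries a 16-digit order number that fails the Luhn check and is allowed through, which is the difference between a usable DLP rule and one that users learn to route around.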
Cloud Application Security
Shared cloud infrastructure introduces attack vectors not present in dedicated deployments.
- Attacks against shared resources
Shared computing environments allow one vulnerable application to compromise others. Includes cryptographic side-channel attacks targeting shared-resource environments.
- Attacks against insecure APIs
Known broken APIs have been widely used by cloud vendors. ~⅓ of cloud incidents traced to insecure interfaces/APIs. Major vulnerabilities found in SSL libraries of providers including Amazon and PayPal.