Unit 3 covers access control and identity management in cloud infrastructure, emphasizing the importance of authentication, authorization, and role-based access control (RBAC). Key components include multi-factor authentication (MFA), user identification methods, and compliance with security standards. The unit also discusses best practices for implementing these security measures to protect sensitive data and resources.

UNIT-3

ACCESS CONTROL AND IDENTITY MANAGEMENT

UNIT 3 1
Access control requirements for Cloud infrastructure - User Identification - Authentication
and Authorization - Roles-based Access Control - Multi-factor authentication - Single Sign-on,
Identity Federation - Identity providers and service consumers - Storage and network access
control options - OS Hardening and minimization - Verified and measured boot - Intruder
Detection and prevention
3.1 ACCESS CONTROL REQUIREMENTS FOR CLOUD INFRASTRUCTURE
Access control requirements for cloud infrastructure refer to the measures and policies that
are implemented to ensure secure and authorized access to resources and data within a cloud
computing environment.
Access control is a critical security measure for cloud infrastructure. It helps to ensure that only
authorized users have access to sensitive data and resources.
* Role-based access control (RBAC): RBAC assigns permissions to users based on their roles
within the organization.
* Identity and access management (IAM): IAM provides a central repository for user identities
and permissions.
* Multi-factor authentication (MFA): MFA adds an additional layer of security by requiring users
to present more than one independent proof of identity, such as a password plus a code from a
mobile device, before they can access a system. (A username identifies the user; it is not a factor.)
Here are some key access control requirements for cloud infrastructure:
1. Authentication : Users and entities should be required to authenticate themselves before
accessing cloud resources.
2. Authorization: Once authenticated, users should only be granted access to the specific
resources and actions they are authorized to use.
3. Least privilege: Users should be granted the minimum level of privileges necessary to perform
their tasks.
4. Segregation of duties: Sensitive operations or actions should require multiple individuals or
roles to authorize and execute them.
5. Audit trails and logging: Comprehensive logging should be in place to record user activities,
access attempts and system events.
6. Encryption: Data should be encrypted both in transit and at rest to protect it from unauthorized
access

7. Network security: Cloud infrastructure should have robust network security controls in place,
including firewalls, intrusion detection and prevention systems(IDS/IPS), and virtual private
networks (VPNs) to protect against unauthorized network access and attacks.
8. Continuous monitoring: Ongoing monitoring of access control mechanisms, user activities
and system logs is essential to detect and respond to any security incidents or anomalies promptly.
9. Compliance and regulations: Cloud infrastructure should adhere to relevant industry
standards, regulations and compliance requirements to ensure data privacy, security and integrity.
10. Incident response: A well-defined incident response plan should be in place to address
security breaches, including procedures for containment, investigation and recovery.

3.2 USER IDENTIFICATION


User identification is a fundamental aspect of access control requirements in cloud infrastructure.
It involves verifying and establishing the identity of individuals or entities seeking access to cloud
resources.
To achieve user identification, various authentication methods and mechanisms are employed.
These methods may include:
1. Username and password: Users provide a unique username or email address and a
corresponding password to authenticate themselves.
2. Biometrics: Biometric authentication involves using unique biological characteristics of
individuals, such as fingerprints, iris scans, or facial recognition, to verify their identity.
3. Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA): In addition to a
username and password, users are required to provide an additional piece of information, such as a
One-Time Password (OTP) sent to their registered mobile device, a smart card, or a biometric
scan, to authenticate their identity.
4. Public Key Infrastructure (PKI): PKI involves the use of digital certificates and
cryptographic keys to verify the authenticity and integrity of user identities.
5. Single Sign-On (SSO): SSO allows users to authenticate themselves once and then access
multiple cloud resources without having to enter their username and password for each resource.

3.3 AUTHENTICATION AND AUTHORIZATION


Authentication and authorization are two essential components of access control
requirements for cloud infrastructure. They work together to ensure that users are properly

identified, verified and granted appropriate access privileges to the cloud resources.

Authentication: Authentication is the process of verifying the identity of individuals or entities


attempting to access the cloud infrastructure. It confirms that the user is who they claim to be
before granting access.
1. Username and password: Users provide a unique username or email address along with a
corresponding password.
2. Biometrics: Biometric authentication uses unique biological characteristics, like fingerprints,
iris scans, or facial recognition, to verify the user's identity.
3. Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA): This involves
combining multiple authentication factors from different categories, such as something the user
knows (password), something they have (OTP generated on a mobile device or a hardware token), or
something they are (biometric scan), to strengthen the authentication process.
4. Public Key Infrastructure (PKI): PKI utilizes digital certificates and cryptographic keys to
verify the authenticity and integrity of user identities.

Authorization: Authorization is the process of granting or denying access privileges to


authenticated users based on their roles, permissions and privileges within the cloud infrastructure.
Some key aspects of authorization include :
1. Role assignment: Users are assigned specific roles based on their job responsibilities and
access requirements.
2. Permission assignment: Roles are associated with specific permissions or access rights that
define what actions or resources the user can access.
3. Least privilege principle: Users are granted the minimum necessary privileges required to
perform their tasks, reducing the risk of unauthorized access or misuse of resources.
4. Access policies: Access control policies are defined to determine which users or roles can
access particular resources or perform specific operations.
By implementing authentication and authorization effectively, cloud infrastructure ensures that
only authenticated and authorized users can access the resources they need, reducing the risk of
unauthorized access, data breaches, or malicious activities within the cloud environment.
How are authentication and authorization used together for access control? Authentication and
authorization work together to provide effective access control in cloud infrastructure. Here's how
they are used in conjunction:

1. User authentication: Authentication is the first step in access control. When a user attempts to
access the cloud infrastructure, they provide their credentials (username and password, for
example) or undergo a biometric scan. The authentication process verifies the user's identity and
ensures that they are who they claim to be.
2. Authorization check: Once the user's identity is authenticated, the system performs an
authorization check. This involves determining what actions or resources the user is allowed to
access based on their authenticated identity, roles and permissions.
3. Role-Based Access Control (RBAC): RBAC is a commonly used authorization framework. It
assigns specific roles to users based on their job responsibilities or organizational hierarchy. Each
role is associated with a set of permissions that define what actions and resources the user can
access. During the authorization check, the system references the user's assigned role to determine
their access privileges.
4. Access policies: Access policies define the rules and conditions that govern access control.
These policies specify which users or roles are allowed or denied access to specific resources or
perform certain operations. The authorization check enforces these policies to determine if the
user's requested access is permitted or denied.
5. Least privilege principle: The principle of least privilege is a security best practice where
users are granted the minimum necessary privileges required to perform their tasks. The
authorization process ensures that users only have access to the resources and actions that align
with their assigned roles and permissions. This helps mitigate the risk of unauthorized access or
misuse of resources.
By combining authentication and authorization, access control ensures that only
authenticated users are granted access and that their access privileges are appropriate and aligned
with their roles and permissions. This layered approach significantly enhances the security and
integrity of cloud infrastructure by preventing unauthorized users from accessing sensitive
resources and protecting against potential data breaches or malicious activities.

3.4 ROLE-BASED ACCESS CONTROL (RBAC)


Role-Based Access Control (RBAC) is a widely used access control model in cloud
infrastructure that provides a structured approach to managing user access privileges. RBAC
assigns roles to users based on their job responsibilities and these roles define their permissions
and access rights within the cloud environment.
• Roles represent various job functions, such as administrator, developer, or analyst.
• Permissions are associated with each role and define the actions or operations users can perform.
• RBAC follows the principle of least privilege, granting users the minimum necessary
permissions required for their tasks.
• Role assignments can be done manually or automatically based on user attributes.
• RBAC supports hierarchical relationships between roles, allowing for inheritance of
permissions.
• RBAC simplifies access control administration and maintenance by centralizing role
management.
• RBAC enhances auditing and compliance monitoring by providing a clear structure for
tracking user activities.
• By implementing RBAC, organizations can improve security, streamline user management
and maintain compliance within their cloud infrastructure.

What are the four types of role-based access control in cloud infrastructure?
In cloud infrastructure, there are four commonly recognized types or levels of Role-Based Access
Control (RBAC) that can be implemented:
1. Basic RBAC: Basic (or flat) RBAC is the foundational level of RBAC implementation. It involves
assigning roles to users based on their job responsibilities or functional roles within the
organization. Each role is associated with a predefined set of permissions that determine the
actions and resources the user can access.
2. Hierarchical RBAC: Hierarchical RBAC builds upon the basic RBAC model by introducing a
hierarchical structure to roles. Roles are organized in a hierarchy in which senior roles inherit the
permissions of the junior roles beneath them (a release manager role, for example, inherits everything
a developer role may do). This inheritance simplifies the management of access control by reducing
the need to assign permissions to each individual role separately.
3. Constrained RBAC: Constrained RBAC adds separation-of-duties constraints to the model. With
Static Separation of Duties (SSD), a user may never be assigned two conflicting roles (such as
developer and auditor); with Dynamic Separation of Duties (DSD), a user may hold both roles but
cannot activate them in the same session. The aim is to prevent conflicts of interest and minimize
the risk of fraudulent or malicious activities by imposing restrictions on role assignment and role
activation.
4. Parameterized RBAC: Parameterized RBAC extends RBAC with the concept of constraints
based on additional parameters or attributes. In addition to role assignments, parameterized RBAC
considers factors such as time, location, or environmental conditions when granting access. It
allows for dynamic access control decisions based on contextual information.
These four types of RBAC models offer varying levels of complexity and flexibility in
managing access control in cloud infrastructure. The choice of the RBAC model depends on the
specific requirements, organizational structure and level of granularity needed for access control
management within the cloud environment.
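The following Python example is added here to make sections 3.3 and 3.4 concrete; it is not part of the original notes. It implements the authorization check that runs after authentication has succeeded, using a hypothetical role hierarchy and hypothetical "service:action" permission names: hierarchical RBAC (senior roles inherit junior permissions), constrained RBAC (static separation of duties enforced at role assignment, including roles reached through inheritance) and parameterized RBAC (a deployment action allowed only inside an assumed 08:00-18:00 UTC change window).

```python
from datetime import datetime, time
from typing import Dict, List, Optional, Set, Tuple

# Constructed role hierarchy for a hypothetical cloud tenant.
# Each role lists the junior roles it inherits permissions from (hierarchical RBAC).
ROLE_PARENTS: Dict[str, List[str]] = {
    "viewer": [],
    "developer": ["viewer"],
    "release_manager": ["developer"],
    "auditor": ["viewer"],
    "security_admin": ["viewer"],
}

# Permissions granted directly to each role ("service:action" names are hypothetical).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "viewer": {"storage:read", "logs:read"},
    "developer": {"storage:write", "compute:deploy"},
    "release_manager": {"compute:approve_release"},
    "auditor": {"audit:read"},
    "security_admin": {"iam:assign_role"},
}

# Constrained RBAC: static separation of duties. No user may be authorized
# (directly or through inheritance) for both roles of any pair.
SSD_PAIRS = {
    frozenset({"developer", "auditor"}),
    frozenset({"release_manager", "security_admin"}),
}

# Parameterized RBAC: deployments only inside an assumed change window (UTC).
CHANGE_WINDOW = (time(8, 0), time(18, 0))
TIME_BOUND_ACTIONS = {"compute:deploy", "compute:approve_release"}


def effective_roles(role: str, seen: Optional[Set[str]] = None) -> Set[str]:
    """Return the role plus every role it inherits from, transitively."""
    if seen is None:
        seen = set()
    if role in seen:                      # guards against cycles in the hierarchy
        return seen
    seen.add(role)
    for parent in ROLE_PARENTS.get(role, []):
        effective_roles(parent, seen)
    return seen


def effective_permissions(roles: Set[str]) -> Set[str]:
    """Union of the direct permissions of every effective role."""
    perms: Set[str] = set()
    for role in roles:
        for eff in effective_roles(role):
            perms |= ROLE_PERMISSIONS.get(eff, set())
    return perms


def assign_role(user_roles: Set[str], new_role: str) -> Set[str]:
    """Role assignment step; refuses any assignment that would violate SSD."""
    if new_role not in ROLE_PARENTS:
        raise ValueError("unknown role: " + new_role)
    current = set().union(*(effective_roles(r) for r in user_roles))
    for have in current:
        for gain in effective_roles(new_role):
            if frozenset({have, gain}) in SSD_PAIRS:
                raise PermissionError("SSD violation: %s conflicts with %s" % (have, gain))
    return user_roles | {new_role}


def authorize(user_roles: Set[str], action: str, now: datetime) -> Tuple[bool, str]:
    """Authorization check performed after authentication has already succeeded."""
    if action not in effective_permissions(user_roles):
        return False, "denied: no assigned role grants " + action
    if action in TIME_BOUND_ACTIONS:
        start, end = CHANGE_WINDOW
        if not start <= now.time() <= end:
            return False, "denied: outside change window"
    return True, "allowed"


if __name__ == "__main__":
    alice = assign_role(set(), "developer")
    print(authorize(alice, "compute:deploy", datetime(2024, 5, 1, 10, 0)))   # allowed
    print(authorize(alice, "compute:deploy", datetime(2024, 5, 1, 22, 0)))   # outside window
    try:
        assign_role(alice, "auditor")
    except PermissionError as exc:
        print(exc)                                                          # SSD violation
```

Note that the SSD check compares the user's effective roles, not just the directly assigned ones: a user holding security_admin cannot be given release_manager even though the conflict is declared only on the senior roles, and the check would still fire if the conflict had been declared on a role reached through inheritance.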

3.5 MULTI-FACTOR AUTHENTICATION (MFA)


Multi-factor authentication (MFA), of which two-factor authentication (2FA) is the most common
form, is a security mechanism that requires users to provide two or more independent forms of
authentication to verify their identity. It is sometimes called multi-step verification, although a
second step drawn from the same category (for example two things the user knows) is not a second factor.
It adds an extra layer of protection to the authentication process by combining two or more
independent factors, typically from the following categories:
1. Knowledge factor: This factor involves something the user knows, such as a password, PIN, or
answers to security questions.
2. Possession factor: This factor involves something the user possesses, such as a physical token,
smart card, or mobile device.
3. Inherence factor: This factor involves something inherent to the user, such as biometric traits
like a fingerprint, facial recognition, or voice recognition
The purpose of using multi-factor authentication is to strengthen the security of user
accounts or systems by mitigating the risks associated with single-factor authentication (e.g.,
passwords alone).
Why is multi-factor authentication in access control necessary?
Multi-factor authentication (MFA) in access control is necessary because it significantly
strengthens security by adding an extra layer of authentication, protecting against password
compromises, meeting compliance requirements and reducing the risk of unauthorized access to
sensitive systems and data.
Multi-Factor Authentication (MFA) in access control is necessary for several important reasons:
1. Enhanced security: MFA significantly strengthens security by adding an extra layer of
authentication beyond just a password. It mitigates the risk of unauthorized access in case
passwords are compromised through data breaches, phishing attacks, or weak password practices.
With MFA, even if an attacker manages to obtain the password, they would still need the

additional factor(s) to gain access.
2. Protection against credential theft: Passwords are susceptible to being stolen, guessed, or
cracked. MFA provides an additional layer of defense against credential theft. Even if an attacker
obtains a user's password, they would still need access to the second factor (such as a physical
token or a unique code) to successfully authenticate.
3. Compliance requirements: Many industries and regulatory frameworks require or recommend
the use of MFA to meet security and compliance standards. Organizations that handle sensitive
data, such as Personally Identifiable Information (PII), financial records, or healthcare data, are
often mandated to implement MFA as part of their security controls.
4. Protecting high-value targets: MFA is particularly crucial for protecting high-value targets,
such as privileged user accounts or accounts with administrative access. These accounts have
elevated privileges and control over critical systems and data. MFA ensures that unauthorized
individuals cannot gain access to these accounts, reducing the risk of unauthorized changes, data
breaches, or malicious activities.
5. User awareness and accountability: MFA promotes user awareness and accountability for
protecting their accounts. By requiring additional factors, users become more conscious of the
security of their credentials and are less likely to reuse weak passwords or fall victim to phishing
attacks. MFA also establishes a clear audit trail, making it easier to track and attribute actions to
specific individuals, enhancing accountability and deterrence.
6. Increasing sophistication of attacks: Cybersecurity threats continue to evolve, with attackers
constantly finding new ways to breach security measures. Passwords alone are increasingly
inadequate to protect against these sophisticated attacks. MFA provides a more robust defense by
combining multiple factors, making it significantly more difficult for attackers to bypass.
What are the best practices for setting up multi-factor authentication?
When setting up multi-factor authentication (MFA), it is important to follow these best practices
to ensure its effectiveness and usability:
1. Enable MFA for all users: Implement MFA for all users, including employees, administrators
and customers accessing sensitive systems or data. This helps protect against unauthorized access
across the board.
2. Choose strong factors: Select strong and diverse authentication factors, such as hardware
security keys, authenticator apps that generate one-time passwords (OTPs), or biometrics
(fingerprint, face recognition). Prefer phishing-resistant factors: FIDO2/WebAuthn security keys
and platform authenticators bind the login to the legitimate site's origin, whereas SMS and
app-generated OTPs can be relayed by a phishing site in real time, and SMS is additionally exposed
to SIM-swapping. Each factor should be hard to replicate and should not depend on the same device
or secret as another factor in the same login.
3. Use multiple factors: Utilize multiple factors for authentication to enhance security.
Implementing two or more factors (e.g., password + OTP) provides a higher level of assurance

and reduces the risk of a single factor being compromised.
4. Educate users: Educate users about the importance of MFA and how to set it up correctly.
Provide clear instructions and guidance on enabling MFA, including choosing strong factors,
securing devices and handling authentication prompts or codes.
5. Simplify user experience: Optimize the user experience by using user-friendly MFA methods.
Consider options like push notifications, biometric authentication on mobile devices, or
authentication apps that generate OTPs. Balancing security and usability is crucial to ensure users
adopt and properly use MFA.
6. Monitor and detect anomalies: Implement monitoring systems to identify and alert on any
suspicious activities related to MFA. Look for failed authentication attempts, repeated OTP
requests or push prompts (a sign of "MFA fatigue" attacks), or unusual patterns that could indicate
potential attacks or unauthorized access attempts, and lock or step up the account after repeated failures.
7. Regularly review and update MFA: Periodically review and update the MFA settings and factors
available to users. Stay current with the latest MFA technologies and industry best practices to
ensure the strongest security measures are in place.
8. Consider adaptive MFA: Explore adaptive MFA solutions that can dynamically adjust the
authentication requirements based on risk factors such as user behavior, device characteristics, or
network conditions. This allows for a more seamless user experience while still maintaining robust
security.
9. Implement MFA for remote access: Ensure MFA is enforced for remote access to sensitive
systems or data. Remote access is often targeted by attackers and MFA provides an additional
layer of protection against unauthorized entry.
10. Test and validate MFA setup: Perform regular testing and validation of the MFA setup to
ensure it functions correctly. Test different scenarios and factors to verify that users can
successfully authenticate and access the necessary resources, and that the bypass paths (recovery
codes, help-desk resets, legacy protocols that skip MFA) are as well protected as the main login.
By following these best practices, organizations can establish a strong and effective multi-factor
authentication setup that enhances security while maintaining a user-friendly experience.

3.6 SINGLE SIGN-ON


• SSO is a security feature that allows users to log in to multiple applications using a single
set of credentials. This can help to improve security by reducing the number of passwords
that users need to remember and manage, and by concentrating authentication policy (MFA,
lockout, logging) at one place.
• SSO can be implemented in a variety of ways, but most SSO solutions use a central
identity provider (IdP) to authenticate users. When a user logs in to an application that
supports SSO, the IdP authenticates the user and then issues a token that the application
can use to verify the user's identity.
• SSO can be a valuable security feature for organizations of all sizes. It can help to improve
security, reduce password fatigue and make it easier for users to access the applications they
need. The trade-off is that the IdP account becomes a single high-value target, so it must be
protected with MFA (see 3.5).

The login process typically follows these steps:


1. The user visits the application or website they want to access, which is referred to as the service
provider.
2. The service provider sends an authentication request to the SSO system, also known as the identity
provider. The request may carry a hint about the user, such as their email address, but it does not by
itself prove who the user is.
3. The identity provider first checks whether the user already has an authenticated session. If so,
step 4 is skipped and the flow continues at step 5.
4. If the user has not yet logged in, they are prompted to provide the credentials required by the
identity provider. This could be a username and password, or it could include another form of
authentication such as a One-Time Password (OTP).
5. Once the identity provider has validated the credentials provided, it issues a signed token for the
service provider confirming a successful authentication.
6. This token is passed through the user's browser to the service provider.
7. The service provider validates the token (signature, issuer, intended audience and expiry)
according to the trust relationship that was established between the service provider and the
identity provider during initial configuration.
8. The user is granted access to the service provider.
When the user tries to access a different website, the new website must have a similar trust
relationship configured with the SSO solution, and the authentication flow follows the same steps;
because the identity provider session already exists, the user is not prompted for credentials again.

3.7 IDENTITY FEDERATION


Identity federation is an integral part of identity management that allows organizations to securely
share and validate user identity information across different systems, domains, or organizations. It
enables users to access resources and services seamlessly without the need for separate user
accounts in each domain.
In the context of identity management, here is how identity federation fits in:
1. Central Identity Provider (IdP): In identity management, there is typically a central IdP that
serves as the authoritative source of user identities and authentication. The IdP manages user
accounts, authentication policies and access controls.
2. Trust relationships: The IdP establishes trust relationships with other organizations or
domains, known as Service Providers (SPs). This trust is established through the exchange of
metadata, certificates (the IdP's signing key), or federation agreements. The SPs trust the IdP to
authenticate users and provide identity information.
3. User authentication: When a user attempts to access a resource or service in an SP, they are
redirected to the IdP for authentication. The IdP authenticates the user using its own authentication
mechanisms or by federating with other trusted identity providers.
4. Security assertion issuance: Upon successful user authentication, the IdP generates a security
assertion, typically a SAML assertion or an OpenID Connect ID token (a signed JWT; an OAuth 2.0
access token by itself carries authorization, not identity). The assertion contains information about
the user's identity and authentication status, names the SP it is intended for, and has a short
validity period.
5. Security assertion delivery to SP: The user is redirected back to the SP and the security
assertion is securely delivered to the SP.
6. SP validation: The SP validates the security assertion to ensure its authenticity and integrity. It
verifies the digital signature or uses other mechanisms to ensure that the security assertion was
issued by a trusted IdP and has not been tampered with.
7. User access granted: If the security assertion is valid, the SP grants the user access to the
requested resource or service. The user is considered authenticated and authorized based on the
information provided in the security assertion.
By leveraging identity federation in identity management, organizations can achieve several
benefits, including:
• Single Sign-On (SSO): Users can access multiple systems and applications with a single
set of credentials, enhancing user convenience and productivity.
• Centralized user management: Organizations can centrally manage user accounts, access
controls and authentication policies, simplifying administration and reducing duplication.
• Enhanced security: Identity federation allows for the enforcement of consistent security
policies, strong authentication methods and centralized monitoring and auditing.
• Collaboration and interoperability: Organizations can securely share resources and
collaborate with external partners or service providers while maintaining control over access and
data.
Overall, identity federation plays a vital role in identity management by enabling seamless
and secure user access across diverse systems and organizations, improving user experiences, and
streamlining administrative processes.
Identity federation is a valuable tool for organizations of all sizes. It can help to improve
security, reduce costs and increase user productivity.
Here are some examples of how identity federation is used in practice:
• A university might use identity federation to allow students to access library resources,
online courses and other services using their student ID credentials.
• A company might use identity federation to allow employees to access internal
applications, such as the HR system and the payroll system, using their corporate
credentials.
• A government agency might use identity federation to allow citizens to access online
services, such as tax filing and benefits enrollment, using their government ID credentials.
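The following Python example is added to show steps 4 to 7 of the federation flow above and step 7 of the SSO flow in section 3.6 as running code; it is not part of the original notes. An IdP class issues a compact signed assertion (issuer, subject, audience, issue and expiry times, unique ID) and an SP class performs the validation an SP must do before trusting a single claim. One assumption is made so the example runs offline with the standard library: the signature is HMAC-SHA256 with a key shared between the IdP and its SPs, standing in for the IdP's private-key signature (a real IdP signs with a private key and SPs verify with the published public key, so no SP can mint assertions); the claim checks are the same either way. The issuer, audience and key values are constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Tuple


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Issues signed assertions (step 4). Assumption: HMAC with a shared key stands in
    for the IdP's private-key signature used by real SAML / OpenID Connect deployments."""

    def __init__(self, issuer: str, signing_key: bytes):
        self.issuer = issuer
        self.signing_key = signing_key

    def issue(self, subject: str, audience: str, now: int, ttl: int = 300) -> str:
        claims = {
            "iss": self.issuer,              # who vouches for the user
            "sub": subject,                  # the authenticated identity
            "aud": audience,                 # the one SP allowed to accept this assertion
            "iat": now,
            "exp": now + ttl,                # short lifetime bounds the replay window
            "jti": secrets.token_hex(8),     # unique id so the SP can detect replay
        }
        body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
        sig = hmac.new(self.signing_key, body.encode("ascii"), hashlib.sha256).digest()
        return body + "." + _b64url(sig)


class ServiceProvider:
    """Validates assertions (step 6) before trusting anything inside them."""

    def __init__(self, audience: str, trusted_issuer: str, verification_key: bytes):
        self.audience = audience
        self.trusted_issuer = trusted_issuer
        self.verification_key = verification_key
        self.seen_jti = set()                # replay cache; entries can be dropped once expired

    def validate(self, token: str, now: int) -> Tuple[bool, str]:
        try:
            body, sig = token.split(".")
            expected = hmac.new(self.verification_key, body.encode("ascii"), hashlib.sha256).digest()
            # Signature first: the body is not parsed until it is known to be authentic.
            if not hmac.compare_digest(expected, _b64url_decode(sig)):
                return False, "bad signature"
            claims = json.loads(_b64url_decode(body))
            if not isinstance(claims, dict):
                return False, "malformed assertion"
            if claims.get("iss") != self.trusted_issuer:
                return False, "untrusted issuer"
            if claims.get("aud") != self.audience:
                return False, "audience mismatch"     # minted for a different SP
            if not claims.get("iat", 0) <= now < claims.get("exp", 0):
                return False, "expired or not yet valid"
            if claims.get("jti") in self.seen_jti:
                return False, "replayed assertion"
            self.seen_jti.add(claims["jti"])
            return True, "authenticated " + str(claims.get("sub"))
        except (ValueError, TypeError, UnicodeError):
            return False, "malformed assertion"


if __name__ == "__main__":
    key = b"constructed-demo-key"
    idp = IdentityProvider("https://idp.example", key)
    hr = ServiceProvider("https://hr.example", "https://idp.example", key)
    payroll = ServiceProvider("https://payroll.example", "https://idp.example", key)
    token = idp.issue("alice", "https://hr.example", now=1700000000)
    print(hr.validate(token, 1700000010))        # (True, 'authenticated alice')
    print(hr.validate(token, 1700000010))        # replayed assertion
    print(payroll.validate(token, 1700000010))   # audience mismatch
```

The audience check is the one most often missed in practice: every SP in a federation verifies with the same IdP key, so without it an assertion captured from one SP would log the same user into every other SP that trusts the IdP.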

3.8 IDENTITY PROVIDERS AND SERVICE CONSUMERS


Identity federation standards establish two operational roles within identity and access
management (IAM) and federated networks: the Identity Provider (IdP) and the Service Provider
(SP). The IdP is responsible for authenticating the user and supplying the SP with the necessary
identity information to authorize access to the services and resources required for the user's tasks.
Through identity federation, both providers establish a trusted relationship, enabling the SP
to grant access to resources by utilizing the identity information supplied by the IdP. This
collaboration ensures that users can access the resources they need while maintaining security and
efficient management of identities across federated networks.
Advantages of Identity Providers (IdPs):
1. Central identity management: IdPs allow for centralized management of user identities,
authentication policies and access control. This simplifies administration and removes the need
to manage separate user accounts in each service consumer.
2. Single Sign-On (SSO): IdPs enable users to authenticate once and gain access to multiple service
consumers without the need for repeated authentication.
3. Consistent security policies: IdPs enforce consistent security policies across multiple service
consumers. This ensures that authentication mechanisms, password policies and other security
measures are uniformly applied, reducing vulnerabilities.
4. Enhanced security: IdPs can support robust authentication methods, such as Multi-Factor
Authentication (MFA), to strengthen security. They can also implement security measures like
account lockouts, session management and identity federation protocols to mitigate risks.
5. Federated identity and collaboration: IdPs facilitate secure collaboration between
organizations by establishing trust relationships and enabling the exchange of identity
information. This allows for seamless access to resources and services across different domains or
organizations.

Disadvantages of Identity Providers (IdPs):
Single point of failure: If the IdP experiences an outage, it can result in a complete loss of access
to all associated service consumers; if it is breached, the attacker can reach all of them at once.
Organizations must ensure robust redundancy and security measures to mitigate this risk.
Dependency on external IdPs: When relying on external IdPs, organizations are dependent on
their availability, reliability and security practices. Any issues with the IdP can impact user access
to services.
How do identity providers and service consumers work together?
Identity providers (IdPs) and service consumers work together to enable secure and seamless
access to resources and services. Here is an overview of how they interact:

1. User initiates access: A user attempts to access a resource or service provided by a service
consumer. This could be a web application, a cloud service, or any other system that requires user
authentication.
2. Service consumer request: The service consumer recognizes that the user needs to be
authenticated and sends a request to the identity provider associated with the user's identity.
3. Redirect to identity provider: The service consumer redirects the user to the identity
provider, indicating the requested service and providing any necessary information for
authentication.
4. User authentication: The user arrives at the identity provider and is prompted to authenticate.
The identity provider verifies the user's credentials, such as username and password, or may
require additional authentication factors like multi-factor authentication.

3.9 STORAGE AND NETWORK ACCESS CONTROL OPTIONS


Storage and network access control options are essential components of securing
infrastructure in cloud environments. They help organizations protect their data, control access to
resources and maintain a secure network environment. Here are some common storage and
network access control options:
Storage Access Control:
1. Access Control Lists (ACLs): ACLs are a basic form of access control that define permissions
on storage resources, such as files and directories. They specify which users or groups have read,
write, or execute permissions, allowing organizations to control access at a granular level.
2. Role-Based Access Control (RBAC): RBAC assigns specific roles to users or groups, granting
them predefined permissions based on their role. This approach simplifies access management by
associating permissions with job functions or responsibilities rather than individual users.

3. Encryption: Encrypting data at rest ensures that even if unauthorized access occurs, the data
remains unreadable. Organizations can use encryption techniques such as disk encryption, file-
level encryption, or database encryption to protect sensitive information stored in cloud storage.
4. Data Loss Prevention (DLP): DLP solutions help prevent unauthorized access or leakage of
sensitive data by monitoring and blocking data transfers that violate predefined policies. These
solutions can scan stored data for sensitive information and apply policies to prevent data
breaches.
Storage options
Direct-Attached Storage (DAS) is a traditional storage option where storage devices are
connected directly to servers. DAS is easy to set up and manage, but it can be expensive and
inflexible.
Network-Attached Storage (NAS) is a file-based storage option where storage devices are
connected to a network. NAS is scalable and easy to use, but it can be less secure than other
storage options.
Storage Area Network (SAN) is a block-based storage option where storage devices are
connected to a dedicated network. SAN is highly scalable and secure, but it can be expensive and
complex to set up and manage.
Network Access Control:
1. Firewalls: Firewalls are a fundamental security measure that filters network traffic based on
predefined rules. They control access to and from networks, allowing organizations to define and
enforce policies that permit or block specific types of traffic based on IP addresses, port numbers,
or protocols.
2. Virtual Private Networks (VPNs): VPNs establish secure connections over public networks,
enabling remote users to access private networks securely. VPNs encrypt data traffic, protecting it
from unauthorized interception and providing secure remote access to resources.
3. Network segmentation: Network segmentation involves dividing a network into smaller,
isolated segments to limit the potential impact of security breaches. By separating network
resources and applying access controls between segments, organizations can reduce the risk of
lateral movement and contain potential threats.
4. Intrusion Detection and Prevention Systems (IDPS): IDPS solutions monitor network traffic,
detect potential security threats and respond to them in real-time. They can identify and block
malicious activities, including unauthorized access attempts, network-based attacks and suspicious
behavior patterns.
5. Network Access Control (NAC): NAC solutions ensure that only authorized devices and users
can access the network. They enforce policies that require devices to meet specific security
standards, such as having up-to-date antivirus software or being compliant with configuration
requirements before granting network access.
Network access control options
 Firewalls are devices that filter network traffic and prevent unauthorized access to a
network. Firewalls can be hardware-based or software-based and they can be implemented
at the network perimeter or at individual devices.
 Virtual Private Networks (VPNs) create a secure tunnel between two or more devices over
a public network. VPNs can be used to allow remote users to access a corporate network
securely, or to connect two or more networks together securely.
 Intrusion Detection Systems (IDSs) monitor network traffic for suspicious activity. IDSs
can be used to detect unauthorized access attempts, malware infections and other security
threats.
 Intrusion Prevention Systems (IPSs) can detect and prevent suspicious activity on a
network. IPSs can be used to block unauthorized access attempts, malware infections, and
other security threats.

It is important for organizations to implement a combination of storage and network access
control options to create a layered security approach. These measures work together to enforce
access restrictions, protect data integrity and safeguard network resources from unauthorized
access or malicious activities.
Here are some additional things to consider when choosing storage and network access control options:
 Cost: Storage and network access control options can range in price from a few hundred
dollars to tens of thousands of dollars. You need to choose options that fit your budget.
 Performance: Storage and network access control options can have a significant impact
on the performance of your network. You need to choose options that can handle the
amount of traffic and data that your network will be handling.
 Scalability: Your storage and network access control options need to be scalable so that
you can easily add more storage or network capacity as your needs grow.
 Security: Your storage and network access control options need to be secure to protect
your data from unauthorized access. You need to choose options that have strong security
features and that are regularly updated with security patches.

3.10 OS HARDENING AND MINIMIZATION


OS hardening and minimization are security practices that focus on reducing the attack
surface and strengthening the security posture of an Operating System (OS). They involve
implementing various security measures to protect the OS from vulnerabilities and unauthorized
access.

OS hardening is the process of making your operating system more secure by removing
unnecessary services and applications, disabling unnecessary ports and protocols and configuring
security settings correctly. OS minimization is the process of reducing the attack surface of your
operating system by removing unnecessary software and features.
1. Hardening the OS:
 Patch management: Regularly apply security patches and updates to fix known
vulnerabilities in the OS.
 Disable unnecessary services: Disable or remove unnecessary services and daemons that
are not required for the system's operation to minimize potential attack vectors.
 User account management: Enforce strong password policies, limit administrative
privileges and disable or remove default or unused user accounts.
 File and directory permissions: Configure file and directory permissions to restrict
unauthorized access to sensitive system files and directories.
 Disable or secure remote access: Disable or secure remote access services such as Remote
Desktop Protocol (RDP) or SSH to prevent unauthorized remote connections.
 Firewall configuration: Configure and enable a firewall to filter incoming and outgoing
network traffic and block unauthorized access attempts.
 Logging and monitoring: Enable and configure logging mechanisms to track system events
and detect potential security incidents.
 System auditing: Implement auditing mechanisms to monitor system activities, including
file access, user logins and privilege escalations.
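As an added example (not part of the unit text), this Python audit script implements two of the checks listed above: flagging extra UID-0 accounts and empty password fields in passwd/shadow-style data, and reporting files whose permission mode exceeds an allowed maximum. The passwd and shadow contents are constructed sample data, and the file check runs on a temporary file rather than a real system file.

```python
# Added example: a small hardening audit for account hygiene and file
# permissions. SAMPLE_PASSWD and SAMPLE_SHADOW are constructed data, not
# real system files; the permission check uses a temporary file.
import os
import stat
import tempfile

SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:0:34:backup:/var/backups:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""
SAMPLE_SHADOW = """root:$6$salt$hash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
backup::19000:0:99999:7:::
alice:!:19000:0:99999:7:::
"""

def audit_accounts(passwd_text, shadow_text):
    """Flag extra UID-0 accounts and accounts whose password field is empty."""
    findings = []
    for line in passwd_text.splitlines():
        name, _pw, uid, *_ = line.split(":")
        if uid == "0" and name != "root":
            findings.append(f"{name}: UID 0 account other than root")
    for line in shadow_text.splitlines():
        name, pw, *_ = line.split(":")
        if pw == "":
            findings.append(f"{name}: empty password (login with no password)")
    return findings

def audit_mode(path, max_mode):
    """Return a finding if `path` grants any permission bit beyond `max_mode`."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & ~max_mode:
        return f"{path}: mode {mode:04o} exceeds {max_mode:04o}"
    return None

def demo_file_check():
    """Create a temporary 'shadow-like' file, first too open, then corrected."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        path = f.name
    os.chmod(path, 0o644)
    before = audit_mode(path, 0o640)  # world-readable: produces a finding
    os.chmod(path, 0o640)
    after = audit_mode(path, 0o640)   # within the allowed mode: None
    os.unlink(path)
    return before, after

if __name__ == "__main__":
    print(audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW))
    print(demo_file_check())
```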

2. OS Minimization:
 Remove unnecessary software and packages: Uninstall or disable unnecessary software,
packages, or components to reduce the attack surface and minimize potential
vulnerabilities.
 Disable unused protocols and services: Disable or deactivate unused network protocols and
services to reduce the exposure to potential exploits.
 Secure configuration settings: Configure OS settings to enforce secure configurations,
such as disabling auto-run functionality, enabling strong encryption algorithms, or enabling
Data Execution Prevention (DEP) where applicable.
 Least privilege principle: Follow the principle of least privilege, granting users and
processes only the minimum privileges required to perform their tasks.
 Application whitelisting: Implement application whitelisting to allow only authorized and trusted
applications to run on the system, reducing the risk of malware execution.

OS hardening and minimization practices help mitigate the risk of attacks, unauthorized
access and the exploitation of vulnerabilities in the operating system. They enhance the
security of the system, protect sensitive data and contribute to overall defense-in-depth
strategies. It is important to regularly review and update the hardening measures to address
new threats and vulnerabilities.

Here are some of the benefits of OS hardening and minimization:


 Reduced attack surface: By removing unnecessary services, applications and features,
you can reduce the number of potential vulnerabilities that attackers can exploit.
 Improved security: By configuring security settings correctly and disabling unnecessary
ports and protocols you can make it more difficult for attackers to gain access to your
systems.
 Increased performance: By removing unnecessary software and features, you can free up
resources on your systems, which can improve performance.

3.11 VERIFIED AND MEASURED BOOT


Verified boot and measured boot are two security features that help to protect cloud-based
systems from malware and other attacks.
Measured boot goes a step further by creating a cryptographic hash of all the software that
is loaded during the boot process. This hash is then stored in a secure area of the system, such as a
Trusted Platform Module (TPM). If the hash changes at any point during the boot process, it is a
sign that the system has been compromised.
Both verified boot and measured boot are important security mechanisms that can help
protect the system from attack. However, they are not perfect. Verified boot can be bypassed if the
attacker has physical access to the system. Measured boot can be bypassed if the attacker is able to
compromise the TPM. Verified boot and measured boot are security features implemented in
modern operating systems to enhance the integrity and security of the boot process. Here is a brief
explanation of each:
1. Verified Boot:
 Verified boot ensures that only trusted and authorized software components are executed
during the boot process.
 The boot process starts with a root of trust, typically a secure boot firmware or hardware
component, which verifies the digital signatures of the bootloader and subsequent
components.
 Each component in the boot chain is cryptographically signed and their signatures are
verified against trusted keys stored securely in the system.
 If a component fails the verification process, the boot process is halted and the system is
not allowed to proceed, preventing the execution of potentially malicious or tampered
software.
 Verified boot helps protect against bootloader attacks, rootkits, and other malware that
might attempt to modify the boot process to gain unauthorized access or compromise
system integrity.

2. Measured Boot:
 Measured boot provides a mechanism to measure and store integrity measurements of the
boot process at different stages.
 As each component in the boot chain is loaded and executed, its integrity is measured and
recorded in a secure location known as a Trusted Platform Module (TPM) or a similar
hardware-based security module.
 The integrity measurements, known as boot measurements or PCRs (Platform
Configuration Registers), create a secure log of the boot process.
 The recorded measurements can later be used for integrity attestation, where they are
compared against a trusted baseline to ensure the system has not been compromised.
 Measured Boot helps detect and identify any unauthorized modifications to the boot
process, providing a mechanism for verifying the system's integrity and identifying
potential security breaches.
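As an added example (not part of the unit text), this Python simulation shows the PCR extend operation used by measured boot and the attestation comparison against a known-good baseline; it also shows that a single altered byte in one stage changes the final PCR and that the event log localizes the changed stage. The boot images are constructed byte strings standing in for firmware, bootloader and kernel.

```python
# Added example: simulating how measured boot extends a Platform Configuration
# Register (PCR) and how attestation compares the result with a trusted
# baseline. Boot components are constructed byte strings; a real TPM hashes
# the actual firmware, bootloader and kernel images.
import hashlib

PCR_INIT = b"\x00" * 32  # PCRs start zeroed at power-on

def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: new_pcr = SHA-256(old_pcr || SHA-256(component))."""
    digest = hashlib.sha256(component).digest()
    return hashlib.sha256(pcr + digest).digest()

def measure_boot(chain):
    """Extend one PCR with every component in boot order; return PCR and log."""
    pcr, event_log = PCR_INIT, []
    for name, image in chain:
        pcr = extend(pcr, image)
        event_log.append((name, hashlib.sha256(image).hexdigest()))
    return pcr, event_log

def attest(pcr: bytes, baseline: bytes) -> bool:
    """Attestation check: the reported PCR must equal the golden value."""
    return pcr == baseline

# Constructed known-good boot chain, measured once to produce the baseline.
GOOD_CHAIN = [
    ("firmware",   b"UEFI firmware image v1"),
    ("bootloader", b"bootloader image v1"),
    ("kernel",     b"kernel image v1"),
]
BASELINE_PCR, _ = measure_boot(GOOD_CHAIN)

# The same chain with one byte appended to the bootloader (a tampered image).
TAMPERED_CHAIN = [
    ("firmware",   b"UEFI firmware image v1"),
    ("bootloader", b"bootloader image v1!"),
    ("kernel",     b"kernel image v1"),
]

def check(chain):
    """Measure a boot chain and report whether it attests against the baseline."""
    pcr, log = measure_boot(chain)
    return attest(pcr, BASELINE_PCR), log

if __name__ == "__main__":
    ok, _ = check(GOOD_CHAIN)
    bad, log = check(TAMPERED_CHAIN)
    print("good chain attests:", ok)       # True
    print("tampered chain attests:", bad)  # False
    # Comparing the event log with the good one shows only the bootloader digest changed.
```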

3.12 INTRUDER DETECTION AND PREVENTION SYSTEMS


Intruder detection and prevention systems (IDPS) play a crucial role in cloud security by
monitoring network traffic, identifying potential security threats and taking preventive measures to
mitigate them.
Intruder detection and prevention (IDP) is a security measure that helps to protect cloud-
based systems from unauthorized access and malicious activity. IDP systems can be used to detect
and block a variety of threats, including:
 Malware: IDP systems can detect malware by looking for known signatures of malware
files or by analyzing network traffic for suspicious patterns.
 Denial of Service (DoS) attacks: IDP systems can help to prevent DoS attacks by
monitoring network traffic for patterns that indicate an attack is underway.
 Data breaches: IDP systems can help to detect data breaches by monitoring network
traffic for suspicious patterns, such as large amounts of data being transferred to an
unauthorized location.

IDP systems can be implemented in a variety of ways, including:
 Network-based IDP: Network-based IDP systems are deployed on the network and
monitor all traffic that passes through the network.
 Host-based IDP: Host-based IDP systems are installed on individual hosts and monitor
traffic that passes to and from the host.
 Cloud-based IDP: Cloud-based IDP systems are hosted in the cloud and protect multiple
cloud-based systems.

Here is an overview of how IDPS works in cloud security:


1. Intrusion Detection System (IDS):
 IDS monitors network traffic and analyzes it for suspicious activities, anomalies, or known
attack patterns.
 It uses various techniques such as signature-based detection, anomaly detection and
behavioral analysis to identify potential intrusions.
 IDS generates alerts or notifications when it detects suspicious activity, enabling security
teams to investigate and respond to potential threats.

2. Intrusion Prevention System (IPS):


 IPS builds upon the functionality of IDS by not only detecting intrusions but also
actively taking preventive actions to block or mitigate them.
 When an intrusion is detected, IPS can automatically block network traffic from the
suspicious source, drop or modify packets, or implement other proactive measures to
prevent the attack from succeeding.
 IPS can work in inline mode, actively inspecting and filtering network traffic, or in passive
mode, where it detects and alerts, but does not actively block traffic.

3. Cloud-specific Considerations:
 Cloud-based IDPS solutions are designed to secure cloud environments and address the
unique challenges associated with cloud security.
 They provide scalability and flexibility to handle the dynamic nature of cloud
environments, supporting elastic scaling and the ability to monitor multiple virtual
machines or instances.
 Cloud IDPS can integrate with cloud service provider's APIs, enabling the collection of
security logs, network flow data and other relevant information for analysis.
 They can leverage cloud-specific threat intelligence and security feeds to stay updated with
the latest threats targeting cloud environments.
 Cloud IDPS may also offer centralized management and reporting capabilities, allowing
security teams to monitor and manage multiple cloud instances or regions from a single
interface.

4. Response and Mitigation:


 When an intrusion is detected, IDPS can trigger various response mechanisms such
as blocking the source IP, terminating the connection, or generating an alert for
further investigation.
 IDPS can also log relevant information about the incident, which can aid in
forensic analysis and incident response efforts.
 Advanced IDPS solutions may incorporate machine learning and AI techniques to
improve detection accuracy and reduce false positives.
Intrusion detection and prevention in cloud security help organizations proactively
identify and respond to potential threats, reducing the risk of unauthorized access,
data breaches and service disruptions. By monitoring network traffic, detecting
intrusions and taking preventive actions, IDPS plays a vital role in maintaining the
security and integrity of cloud environments.
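As an added example (not part of the unit text), this Python snippet runs the two detection techniques named above, signature matching and threshold-based anomaly detection, over constructed log lines, and applies the IPS step of adding an offending source to a block list. The log format, signatures and thresholds are assumptions made for the example.

```python
# Added example: signature-based and threshold-based (anomaly) detection over
# constructed log lines, with an IPS-style block list. Format is assumed.
import re
from collections import defaultdict

# Constructed sample events: "<epoch> <source_ip> <message>"
SAMPLE_LOG = """\
1700000000 198.51.100.4 sshd: Failed password for admin
1700000005 198.51.100.4 sshd: Failed password for admin
1700000009 198.51.100.4 sshd: Failed password for root
1700000012 198.51.100.4 sshd: Failed password for root
1700000014 198.51.100.4 sshd: Failed password for oracle
1700000020 203.0.113.9 sshd: Accepted publickey for alice
1700000031 203.0.113.9 httpd: GET /index.html 200
1700000040 192.0.2.77 httpd: GET /cgi-bin/../../etc/passwd 404
"""

# Signature-based detection: known patterns matched directly in each message.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "ssh-auth-failure": re.compile(r"sshd: Failed password"),
}
FAIL_THRESHOLD, WINDOW = 5, 60  # anomaly rule: >=5 auth failures within 60 s

def parse(line):
    ts, ip, msg = line.split(" ", 2)
    return int(ts), ip, msg

def detect(log_text):
    """Return (alerts, blocklist): alerts are (ip, rule) tuples in log order."""
    alerts, blocklist = [], set()
    failures = defaultdict(list)  # ip -> timestamps of recent auth failures
    for line in log_text.splitlines():
        ts, ip, msg = parse(line)
        for name, pattern in SIGNATURES.items():
            if pattern.search(msg):
                alerts.append((ip, name))
                if name == "path-traversal":
                    blocklist.add(ip)  # IPS action on a definite signature
        if SIGNATURES["ssh-auth-failure"].search(msg):
            recent = [t for t in failures[ip] if ts - t <= WINDOW] + [ts]
            failures[ip] = recent
            if len(recent) >= FAIL_THRESHOLD and ip not in blocklist:
                alerts.append((ip, "brute-force-threshold"))
                blocklist.add(ip)  # IPS action once the anomaly threshold is hit
    return alerts, blocklist

if __name__ == "__main__":
    alerts, blocked = detect(SAMPLE_LOG)
    for ip, rule in alerts:
        print(f"ALERT {rule} from {ip}")
    print("blocked:", sorted(blocked))  # ['192.0.2.77', '198.51.100.4']
```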

2 Mark Questions
1. Define secure cloud interfaces.
2. How does SSO work?
3. List the types of IDS.
4. Differentiate OS Hardening and OS Minimization.
Big Questions
1. Give a brief explanation of Role-Based Access Control.
2. Explain Single Sign-On.
3. Briefly explain Identity Providers and Service Consumers.
4. Explain multi factor authentication with an example.
