Case Study On Data Security Improvement In
SAAS In Azure And AWS Platforms
Dr. Keshao D. Kalaskar, Shipra Yadav, Pankaj Dhumane
Abstract: The cloud is rapidly becoming a common software delivery system for SaaS. As the cloud has various benefits above conventional traditional personal infrastructure, like enhanced mobility, no servicing, fewer strain of leadership, simple connectivity, and simple data sharing. There are, however, many worries about problems such as device safety, safety of communication, safety of information, privacy, latency and accessibility. Furthermore, these safety problems need to be resolved while designing and developing the Cloud SaaS implementation to guarantee legislative adherence, safety and safe atmosphere for Cloud SaaS consumers. We are exploring the security patterns for Cloud SaaS in this document. We are working on models that cover various safety elements from scheme and data security to privacy. Our objective is to create the finest safety procedures & information records that SaaS provider could make use of the floor up as a reference to the development of cloud SaaS apps. We are also providing a case study of AWS and Azure security patterns and alternatives.
Keywords: Software as a service, AWS, Cloud Security, cloud SaaS, Azure security patterns. ————————————————————
1. Introduction
Christopher Alexander first formalized the notion of models as a manner to capture and express tried and tested alternatives to persistent issues in his novel on metropolitan design and construction[1], where Christopher Alexander tried to clarify and describe prevalent repeated issues in the design and construction of actual buildings using a particular, patterned language. A century and a quarter ago, in their famous "Design Patterns: Elements of Reusable Object-Oriented Software"[2], the idea was a bit effectively introduced. Together with the initial idea of the Alexandrian model idea, these seminal computer design patterns set the seeds for semantic patterns and design. The model society has risen and extended to the areas of software security and security engineering based on their achievement. Due to its success and acceptance levels, Cloud SaaS safety model is considered to be one of the greatest significant fields to be thoroughly researched in software security. The cloud security model has been involved in reaction to growing numbers in safety assaults, unfair uses in latest centuries. Due to these, the notion of safety is rapidly changing from an that is often overlooked to a compulsory necessity for architecture. To fulfill this demand, the Cloud SaaS group needs organized data on finest safety procedures and understanding of safety to assist them in the development and development of safe procedures Cloud SaaS. There has been some research on safety patterns[ 4–14] so far, and they be likely to quote a specific security area (e.g., OWASP[11,14] concentrate only to create a safe software & how to deter internet assaults) and they will not cover many significant elements, such as isolation and management.
In addition, there will be an absence of organized & unified states best practices and understanding of safety that SaaS designer can use from the floor up as a reference for creating cloud SaaS implementation. We strive to provide a full roster of security patterns applicable to the Cloud SaaS implementation in this article. The models encompass four key fields of cloud security including device safety, safety of communication, safety of information, and privacy. In addition, we are producing a safety finest methods and safety expertise guideline [15] for Cloud SaaS developers depending on the security forms we have described. In fact, we glance and Azure's safety strategies and trace our specified trends to the alternatives provided by both suppliers of cloud services. This document is an expanded variant of the article released in the 2018 IEEE CloudTech[16]. The expansion relies on safety model alternatives and thorough debate of AWS and Azure alternatives that are missing from the released paper[16]. The document will be organized as follows. Section 2 deals with our suggested methodology for defining security patterns in the cloud. Section 3 introduces the security patterns in CloudSaaS. In each class / category, we provide a high-level safety model ranking and a full range of models. Section 4 shows the meaning and composition of the model. Also provided in this chapter are the alternatives to each safety model found in Section 3. Section 5 deals with an AWS and Azure case study. Section 6 provides associated research and in Section 7 we complete this document.
2.
Cloud
Security
Pattern
Definition
Methodology
Inside this chapter, we will describe our suggested blueprint for explaining and categorize Cloud SaaS security patterns. As shown in below Figure 1, we split the entire method into five phases: from identifying safety criteria to classifying security patterns in phase 5. Existing instructions can be used in each phase. Security and risk assessment, for instance, is performed on the basis of OWASP guidelines [11, 14].
____________________________
Dr. Keshao D. Kalaskar, Shipra Yadav, Pankaj Dhumane
Associate Professor, Dr. Ambedkar College, Chandrapur, (MH), India, [email protected]
Research Scholar, IICC, RTM Nagpur University Nagpur, (MH), India, [email protected]
2328 Figure 1. Cloud security process
2.1. Securityi Requirementsi in Cloudi SaaSi
The first phase of the method is to define the safety criteria in CloudSaaS. We are studying all feasible safety criteria spanning various elements from data security and scheme safety to communication security and privacy. Our supreme objective has always been to record all the safety criteria required to build the Cloud SaaS implementation that is safe, confident and legally compliant. With regard to legal requirements, under the scope of the GDPR, we analyze various data organizing (e.g. the role and authority of the data organizer control of personal data use)[17]. The result of this phase is a overall SaaS application security checklist for the cloud (see Table 1). These high-level safety specifications are then used in Cloud SaaS to assess safety and hazard
2.2. Security and Risk Assessment
Assessment is a process used for finding the process of security applying on cloud SAAS. The main objective of cloud security analysis the system requirement. The result of this assignment is a correctly finished record of the safety evaluation outlining any potential safety risks. This study on safety and risk assessment is then used to analyze and extract Cloud SaaS safety characteristics.
2.3. Security Features Identification
Security characteristic relates to an assault particular to safety. Various types of assaults are intended to attack scheme, assets, or customer. In attempt to deal with these assaults, distinct safety characteristics are needed. Cloud computing poses multiple types of internal safety hazards, such as denial-of-service (DoS) and virtual (DDoS) assaults, as cloud applications and facilities are provided via the Internet. Furthermore, confidence, confidentiality and protection are also significant problems, especially information is maintained. We bring the safety and risk assessment identified as the outputs to define the safety characteristics. full catalog of the safety characteristics needed.
2.4. Securityi Patterni Definitioni
The safety model description in Cloud SaaS is focused on the safety characteristics needed as described in phase 3. In traditional schemes, we also examine the current security patterns. The concept is to figure out if models can be used in the Cloud SaaS setting in another scheme. We glance at three significant model defining safety fields: communication, data and system security. To represent the structure of define pattern as a following. Security problem. Represent the prospective issue and its consequences if it is not addressed by safety execution. Cases of context and use. Identity in which background this safety problem may occur and use instances. Security option. This offers a alternative to the safety problem. Our suggested concepts of safety tactics are.
Resisting attack. the method of avoidance where the system intended should withstand any attack that may occur during the process of implementation. For instance, having a powerful entry command model and scheme is a answer for an implementation to withstand unauthorized entry.
Detecting attack. This method enables the scheme to identify attacks and respond soon as a result of the attack to minimize the danger and severe impact.
Recovery. If the device is unable to avoid attack, the quick retrieval option should be in location to minimize customer disturbance.
2.5. Securityi Patterni Classificationi
We organize and rank them into distinct classifications according to their problem domain after identifying the security patterns. For instance, safety model of communication, model of data security, or model of device safety. In particular, if they are connected in issue and background, the models are clustered together. We also identify the connection between models of switched classifications.
3. Security Patterns in Cloud SaaS
We use the methodology for model analysis described in Section 2 to identify the safety model for Cloud SaaS. We begin with the safety demands of the highest level described in Table 1. The brief overview of each necessity is provided below.
R1: protect the system component. Secure the hardware and software of the component.
The resources of the system here refer How to safeguard the assets of Cloud from excessive and costly use to guarantee financial durability and long-lasting accessibility of Cloud platform applications. Describe this pattern into five classifications based on cloud saas safety research with above-mentioned safety criteria (see Figure 2). Below is a comprehensive description of the five classifications of security patterns we recognized.
Figure 2. Cloud SaaS security pattern
1.iCompliance and Regulatoryi. Different nations have varying legislation regulating data processing and utilization; therefore, adequate information monitoring and handling is essential to guarantee regulatory compliance in information consumption if we are to create information available to distinct geographic areas (e.g., nations).
Data Citizenship. The storage of information collected from customers in Cloud SaaS is subject to legal challenges and inappropriate information processing can have severe legal consequences. A cloud-based alternative must be found by the Cloud SaaS implementation provider to achieve
Cryptographic Erasure. One of many demands in GPDR[17 ] is right to be ignored, it is essential to find a manner to reliably
Shared Responsibility Model. .Who is liable for information wasted, altered or other information mismanagement? How can a customer of handle their legal and regulatory compliance with their cloud application efficiently?
Compliant Data Transfer. Cloud data can be transmitted on the same system or on distinct systems across apps. The handling of information can therefore be subject to distinct areas. It is essential to ensure adherence with the safety and regulation of transmitted information stored at other sides.
Data Retention. Personal data processing is usually subject to more stringent command than ordinary information and the preservation of such information is governed by law. The data retention strategy differs from country to country and the implementation of such strategy must be adjusted appropriately in the Cloud SaaS application.
Data Lifecycle .Refers to a full information utilization process. It begins with the production or creation of information until it is demolished or deleted. It is essential to efficiently manage the information lifecycle in the cloud setting, particularly private data.
Intentionali Datai Remanencei. .Accidental or unlawful data deletion is one of the key problems related to data security. It is essential to address how to retrieve information when it is mistakenly deleted and how to stop unauthorized users from erasing information.
2. Identification, iAuthentication and iAuthorisation. This classification relies on customer and resource leadership safety habits. It includes all models for system resource management and customer access control in authentication and authorization.
Multi-Factor Authentication. The conventional technique of using only username and password is no longer safe with the advancement of cryptography algorithm and computing capacity. Multi-factor authentication should be used in the cloud framework to safely authenticate Cloud-based apps ' physical consumers.
Access Token. Applications can swap information in the cloud framework on the same cloud platform or on various devices. It is essential to make sure that information is from a reliable implementation. Access token is usually used to monitor access to cloud APIs by person or computer users.
Mutual Authentication Used in the cloud communication channel to create the identities of the sides.
Per-request Authentication It concerns the ongoing evidence of the user's identification when performing delicate operations.
Access Control Clearance Concerns implementation of entry and use command strategies for various authentication kinds.
3. Applying the proses for security monitoring. This classification relies on overall safety for safe Cloud SaaS implementation growth, implementation and administration.
4. Bastion Server. .
It is essential to protect information and implementation assets, and bastion server is intended to tackle these problems. It enables access to information without immediately revealing it to the Internet.
Finding the thread. .Automatic threat (or attack) identification in Cloud SaaS is essential in order to guarantee adequate operating and stronger system user experience.
denial-2330
of-service assaults to guarantee adequate business for customers.
Economic Durability.Running a cloud application is not safe, individuals running a cloud SaaS implementation are billed depending on the implementation source features including memory room and computing energy. If the intruder can render the scheme pointless to run, the funds in the cloud can be drained.
Vulnerability Management. In attempt to minimize the danger that could lead serious harm to the scheme, early identification and reaction of discovered vulnerabilities are essential.
5. Privacy and Confidentiality.
This classification is about security, security and integrity of information.
6. End-to-End Security.
Secure the communication process both end in the communication network. Computation on Encrypted Data It concerns enabling information to be handled without disclosure. Data Anonymisation. This model is about how to manage private information securely and securely while preserving adherence with regulations. How to extract personal identifiers from datasets to safeguard privacy while maintaining precious data sets for retrieval? Controlling the private information This model worries how to ensure processing of private information in accordance with the planned intent and approval of the information owner.
7 Secure Architecture this proposed system define for the security.
Virtual Network. This model is about defending end device-to-cloud SaaS communication from unnecessary Internet exposure.
Application Firewall. This pattern concentrates on how to prevent unauthorized entry and exploitation of Web API endpoints.
Management used for managing the security key. This pattern refers to the use of keys and the handling of certificates to secure information during remnants and transport.
Cloud handling. .This model is about protecting Cloud residents ' cryptographic identities while still allowing Cloud handling facilities to calculate landlord information.
Secure Auditing. This model is about offering a safe atmosphere in an working cloud scheme to audit and report security-related conduct.
4. Define the pattern structure
Usually articulated according to a certain framework as templates. We composition models with parts like "Problem," "Context," "Solution," "Related Patterns," "Consequences," "Known Use," and "References," as in GoF[2]. However, to be brief, we only current "Problem,"
"Context," and "Solution" in this document. You can find the comprehensive characteristics of all models at[ 15].
Problem is define the term of security in cloud computing environment.
Context is define as an issue is occur in which context Solution is define as proposed solution for applying the security.
4.1. Compliance and Regulatory
In this category, there are seven patterns.
1. Data Citizenship
Problem. is define the term of security in cloud computing environment.
Context. Different legal and legislative conditions and norms may require particular kinds of information to be collected physically in a specified country / legal entity in varying regional areas. EU GDPR, for instance, distinguishes between data storage and exchange within EU limits and information export and processing outside the EU.
Solution. Cloud suppliers give place marks for their facilities. The Cloud user can select the spatial place indicated by a national classification (e.g., EU-West) when installing a product. While cloud suppliers do not generally advertise their data center's precise physical position, they do provide assurances that a description of a spatial place lies within a specific legal jurisdiction. However, geographic classifications do not encompass all cloud services; large cloud settings stay at least partly location-agnostic, particularly for facilities requiring distributed infrastructure to guarantee features, such as DNS or Web Application Firewalls.
2. Cryptographic Erasurei.
Problem. How to reliably and securely erase a dataset after it has been placed in the cloud? Context. Data is often replicated and distributed across a big amount of physical systems in cloud settings, including those with large-scale distributed endpoint systems, sometimes geographically distributed. This leaves it hard, if not inevitable, to safe deletion of information in the traditional context.
3. Shared Responsibility Model.
Problem. How can a customer of cloud services handle their legal and regulatory compliance with their cloud application efficiently?
Context. One of the advantages of cloud products is to reduce the complete cost of property as well as the accountability and accountability for the operation of the cloud infrastructure.
Solution. Cloud providers provided only infrastructure-as - a-service services in the early days of the initial Cloud offering, which includes computer systems where Cloud tenants were able to install and run virtual machines. The Cloud provider took natural responsibility for infrastructure uptime, reliability, availability, and security while the locators were in charge of choosing, installing, maintaining and running the VMs and the applications installed thereon. The cloud suppliers presumed accountability for the functions of the cloud, which became a more advanced platform as a service domain.
4. Compliant Data Transfer.
Problem. How can information be transmitted in possibly distinct countries to other sides for handling while remaining in accordance with legal and legislative demands?
Contexti. Moderni SaaSi apps often consist of various APIs. For instance, an online store may concentrate its own implementation logic on the particular item catalog but may outsource normal features such as customer sign-on, sign-in, email notifications, accounting, etc
Solution. The notion of compatible information transition has been integrated into their organs by various legislation and regulations. For instance, EU GDPR allows information to be transferred to third-country information processors in accordance with the voluntary "template provisions."
Data Retention.
Problem. How lengthy is the retention of private data? Which preservation legislation regulates the information? Who is enforcing the cloud maintenance strategy?
Context. Privacy laws in different nations restrict organizations ' capacity to maintain certain kinds of private data and each nation has its own. In addition, information processing (information nationality) management in cloud situations may differ from information user management; e.g., Asian clients using European data storage place.
Solution. An instant device (or instrument) should be used to monitor the data retention period in order to prevent a possible legal breach. The information should be continuously deleted from memory when the legally permitted retention period expires. Automating this method facilitates information and application management.
5. Data Lifecycle
Problem secure the life cycle of the cloud computing process ?
Context. Data history assists in managing the information lifecycle by including metadata such as the source of the information and where it goes over moment, how it is accessed / modified and by whom. Data lineage improves exposure in the queue for information analysis and simplifies tracking mistakes home to their origins. Sharing information across apps in the cloud sense is what happens in today's linked globe. However, with false information everywhere, the data reliability is decreased
without adequate tracking and tracking the information origin and how the information was handled over moment.
Solution. All data transferred between distinct organizations across apps (devices) must be connected to (1) access and utilization support policies used to monitor access and use of data and (2) access and utilization background that records all access and utilization information at any stage in the data lifecycle.
6. iIntentional Datai Remanencei.
Problem. Howi cani information from random or malicious deletion be shielded in the cloud? Context. For inquiry or study purposes, certain kinds of information, as needed by law, must be maintained and deposited for a particular length of moment. For instance, sometime for inquiry purposes, information produced by government video camera must be collected. Data is logically segregated in the cloud framework, but not physically. If evil users are willing to get hold of information and deliberately ruin it, then the implementation or supplier of the cloud platform is safe. To tackle this data loss problem, the data recovery scheme intended for such an case should be in location.
Solution. The alternative is to develop a scheme in such a manner that, even after efforts to extract or erase it, the depiction of digital data stays. This allows information replication / redundancy to be used in the physically organized cloud scheme.
4.2. Identification, Authentication and Authorisation
To define the category as a following
1. Multi-Factor Authentication
Problem. How to authenticate physical consumers of cloud-based apps in a simple yet secure manner?
Context. Machine-based human authentication is a issue of maintaining usability and safety. The mixture of the traditional three variables that the customer understands (hidden key), something that the customer has (physical property) and something that is a distinctive feature of the customer (biometrics) provides a strong amount of safety, each of which imposes a distinct strain on the customer. Passwords have been the primary authentication factor throughout the computing history and there is a wide range of expertise leading to customers ' deficiencies in the handling of passwords. As a second authentication factor, physical tokens are often used.
2. Federation (Single Sign-On)
Problem. .What is the way to authenticate customers without having to configure the customer database safely?
Context. User identity management is often an onerous job and often takes a ton of moment when performed correctly for SaaS apps.
2332
confidentiality, particularly when federated organizations are cultural network
3. Access Token
Problem. How to monitor entry to Cloud APIs by person or device users?
Context. To attain certain safety concentrations, access to cloud API endpoints often requires to be provided on a per-use or basis. Using customer signatures immediately whenever such command concentrations are not allowed.
Solution. Access tokens are cryptographic details that are given to customers of the API, enabling them to user endpoints of the API programmatically. Access tokens allow fine-grained temporal and behavioral monitoring at the designated moment, allowing user to particular tasks only. The lifespan of tokens is readily regulated, so it is easy to automate their issuance and revocation.
4. Mutual Authentication
Problem. How to create party identification in a communication channel on the Cloud?
Context. Several physical and logical elements communicate and swap data in a cloud setting. Man-in - the-middle assaults are feasible without adequate authentication between exchanging sides.
Solution. Using bidirectional authentication to allow both parties to authenticate each other in a communication connection.
5. Secure User Onboarding
Problem.. How to safely original Cloud application user registration?
Context. When fresh unit or customer first gets entry to the scheme, the scheme must be safely embedded. We put customers, machines, information and the network at danger if it is not treated correctly.
Solution. Defines a safe onboard method for fresh computer or customer who first wishes to enter the scheme. At least the identification institution and validation must be the method.
6. Identity and Access Manager
Problem. How to handle a customer database safely and efficiently and provide features for authentication and authorization in a cloud application?
Context. In the cloud framework, in attempt to safeguard scheme and assets from unauthorized or unlawful customers, it is essential to create customer identification and also regulate entry to device assets.
Solution. The functions and access privileges of personal application users and the situations in which customers are awarded (or rejected) these rights should be defined and managed using a correct instrument.
7. Per-request Authentication
Problem. How to demonstrate the user's identities continually when performing delicate activities?
Context. the current cloud environment once the user and system resources can do whatever they want. Controlling customer activity during utilization meeting is essential in some instances of use (e.g., intelligent house, insurance) to avoid or minimize the harm that may occur as a consequence of account fraud. With ongoing command, scheme can respond to unusual user-driven or user-driven operations on moment.
Solution. The alternative is to create the smart utilization management instruments that monitor the user's utilization operations from the beginning to the finish of the application meeting. The instruments must operate in the context and be smart enough to identify any unusual activity and deter further harm to the customer if unusual activity is discovered.
8. Access Control Clearance
Problem. How can entry and use command strategies be enforced for distinct authentication kinds?
Context. Generally speaking, data access and utilization monitoring is regulated by measures that define who can do what under what circumstances. However, it is a task to ensure that the customer accepts what is described in strategy.
Solution. The main strategy implementation option is to create the that acts as the implementation of clients. PEP sends customer requests to the PDP scheme and retrieves PDP choice on entry and utilization monitoring. PEP is also accountable for implementing policies through the execution of obligations where necessary.
4.3. Secure Developmenti, Operation andi Administrationi
To define the five pattern as a following
1. Bastion Server.
Problem.. How to obtain Cloud assets without direct Internet exposure?
Context. It needs privileged entry to that network to manage a safe digital cloud network. Such protected entry creates vulnerabilities without adequate confinement.
Solution. intended and installed specifically to resist assaults. The machine usually houses a single request and to decrease the danger to the laptop, all other facilities are withdrawn or restricted. Because of its place and intent, generally includes entry from untrusted networks or pcs, it is strengthened in this way mainly.
2. Automated Threat Detection.
Problem. How to identify Cloud Internet endpoints network assaults?
system management and safety tracking and evaluation create it hard if not completely feasible.
Solution. Use the specialized manufacturing instrument or software package to detect distinct types of threats or assaults automatically. For instance, AWS DIS. In research literature such as this in[ 18,19], we can also glance at other alternatives.
3. Economic Durability.
Problem : How can cloud facilities be established and maintained in the presence of distributed denial-of-service attacks?
Context. A Denial of Service (DoS) assault is one to other surrounded by congestion and its clients are either disabled or inaccessible. And consumption of transport. This sort of assault is characterized as a sustainable financial rejection (EDoS).
Solution. The parameter Time to Live (TTL) is used to calculate the packet's ultimate lifetime within the network. Every time the packet was allowed through any router, the TTL value was decremented. The packet was dismissed when the TTL valuation became null.
4. Vulnerability Management.
Problem. How can vulnerabilities be detected and responded to?
Context. When an organization passes apps and information to the cloud, some but not all safety responsibilities will be shifted to the cloud supplier. Most cloud suppliers are accountable for ensuring their (such as physical data center safety), while cloud users are accountable for their cloud platform apps and information. Thus, a main task for a safety specialist when designing and deploying implementation in Cloud is to maintain that atmosphere safe from vulnerabilities that could be used by attackers to access organizational apps and information.
Solution. A instrument (e.g. Nessus) can be used in Cloud to search for software faults to search for vulnerabilities. In event a fault is identified, software overhaul bundle is essential.
4.4. Privacyi and Confidentialityi
There are four typye in this
1. End-to-End Securityi
Problem. How to transmit a signal between two sides so that all elements of the cloud communication channel are secured by its confidentiality?
Context. Data moves through various communication lines in a cloud setting and is deposited in various levels that could be physically distributed and regulated by distinct organizations. In addition, which is a issue in circumstances where there is a need for high safety promises for transit and remainder information.
Solution. The cryptographic encryption used for securing the data on the server. Information encryption in the client and server site.
2. Computation on Encrypted Data
Problem.how to improve the security on the cloud server without located the server information ?
Context. however, in order to use Cloud beyond simply storing encrypted information, the buttons must be created accessible to the cloud provider to decrypt information before computing on it. This presents a safety problem in risk designs where cloud is all but fully supported.
Solution. Using a completely homomorphic that enables complex handling even though the information has been encrypted and could not be seen by customers.
3 Processing Purpose Control
Problem. How can information be used or handled in accordance with its planned initial intent?
Context. Construction of a cloud-based implementation for collecting and handling delicate personal and private data (e.g., health care scheme) presents many difficulties. The issues vary from safety to legal elements; one of the problems to be addressed is to guarantee that information exchanged within the network between distinct stakeholders is used in accordance with their specified intent, Or is used in accordance with the law, stated intention and customer permission in any other scheme with which they communicate.
Solution. To monitor the use of information, accurate information utilization management instruments are needed. Usage monitoring instrument enables users not only to monitor and implement information use, but also to track and monitor its use.
3.1 Secure Architecture
Pattern define as a seven category.
1. Virtual Network
Problem How to attach Cloudi applicationi architecturei elements without revealing them to the Internet unnecessarily?
Context. Cloud applications are often made up of government endpoints (APIs or internet frontidoors) iand iback-endi infrastructurei. To decrease the top of the assault, the back-end infrastructure must be rendered accessible from the outside world.
Solution. Cloud applications are often made up of government endpoints It is also possible to consider the alternatives suggested in the literature such as that in[ 21].
2. Web Application Firewall
2334
Context. Applications in the cloud reveal endpoints of API. These endpoints are frequently subjected to the Internet and are susceptible to various assaults as such.
Solution. To regulate incoming and outgoings data to and from endpoints, the web address firewall should be used.
3. Securei Elementi
Problem. How to safely provide IoT device identification and heavily safeguard it?
Context. It is hard to protect cryptographic mysteries to identify computers to the cloud core using integrated setups that hold mysteries on flash drives using conventional file systems. Multiple sub routes are available that can be used to obtain hidden codes and other delicate data.
Solution. Using a distinctive identification, any IoT safety approach should be based on PKI. Things can be authenticated when they arrive internet with a distinctive powerful computer identification, ensuring safe it can be immediately introduced into today's IoT ecosystem and readily integrated with other IoT safety systems parts. It is also possible to consider other alternatives suggested in the literature such as the one in[ 22].
4. Secure Cold Storage
Problem. How can you safely and cost-effectively safeguard the accessibility of big quantities of information?
Context. Consumers of cloud computing services often have a legal or statutory duty to maintain certain information for a predefined quantity of moment before deletion is permitted, otherwise it is no longer or rarely used. Such information, when placed in the internet database processing facility, not only imposes excessive strain on the expenditure, but also raises the footprint of weakness.
Solution. Most cloud service systems offer a cold storage choice where information can be momentarily or continuously saved. However, to guarantee data confidentiality and honesty, information placed.
5. Certificate and Key Manager
Problem. How can records and keys be safely and efficiently created, supplied and revoked to secure information at remainder and in service?
Context. Cryptographic content, such as private / public important combinations and hidden binary numbers, has a well-defined lifespan in correctly run cloud devices. However, dozens of records and buttons could already exist in easy schemes that involve continuous leadership.
Solution. It is important to renew the certificate and cryptographic key to minimize the risk that may arise from repeated use of the old key. The diploma and main update strategy should be either digitally or automatically. They provide both a key management device and license on most cloud service devices, allowing users to embrace
either handbook or instant main replacement. Users can also use / configure their own license and important.
6. Hardwarei Securityi Modulei
Problem. How best to safeguard Cloud residents ' cryptographic identities it is allowing this infrastructure to calculate tenant information Context. Public and personal cryptography is used by cloud suppliers to safeguard their tenant information in service and remainder. However, the cloud infrastructure requires entry to plaintext information in order to be prepared to easily calculate the data.
Solution. Use physical computation tool for powerful encryption that protects and handles electronic signatures and offers cryptoprocessing.
7. Secure Auditing
Problem. How can security related behavior be recorded and reported in an working cloud scheme?
Context. Given a pay-per-use company system, audits are essential for cloud-based organizations. A thorough audit program can ensure an organization's economic .
Solution. Security Audit Guidelines described the significant measures or assignments to be performed in order to systematically review and monitor the safety best practices of cloud assets. AWS Security Audit Guideline, for instance, offers measures to check application security setup varying from customer credential to identity management and leadership.
In Section 5, we address the alternatives for our specified safety trends in depth in AWS and Microsoft Azure. The concept is to link every specified model to AWS .
Special note:
We generated an formal safety model manual and guidance for CloudSaaS. Each model is depicted by an icon (see Figure 3) and accompanied by documents that provide a comprehensive overview of the model and its associated answer. All papers are stored on a web page and can be found at[ 23].
Figure 3. Represent the pattern icon define category [15].
6. Relatedi Worki
and authorization, and overlook some other safety problems that they do not believe are important, such as resource management. We concentrate on all safety elements in Cloud SaaS in our job. We address information and scheme safety and privacy, which is usually ignored due to its difficulty.
Yoder iand iBarcalow[76] provided a set of seven application security patterns, dealing with safety elements of authentication and authorisation. In the initial stages of computer design, the writers are driven by the normal absence of safety view and try to fix this issue by offering layout rules that facilitate the subsequent implementation of safety information. Some models are more defined on the structural stage, suggested by the writers, The writers also provide a language of model identifying relationships between the security patterns submitted. The researchers suggested in this article the overall models applicable to software applications and not specifically to CloudSaaS.
Braga et al.[70] created a model vocabulary "Tropyc," composed of nine design patterns "for cryptographic software," focusing on confidentiality, honesty and non-repudiation safety elements A "Generic Object-Oriented Cryptographic Architecture" was first implemented by the writers, a straightforward scheme of two model groups depicting two parties They developed four fundamental models based on this basis and addressed four "well-established cryptographic goals" including secure digital signature leadership and confidential. Except for our work where we tackle all elements of information and scheme safety to privacy, this article discusses only a tiny part of safety problems and most significantly .
Romanosky[71] defines eighti securityi patternsi for companies, seeking to address issues such as information validity and information property.
Communication with third parties, safe information distribution and knowledge of their own vulnerabilities and risks. Using a short type that provides encouragement and issue reports, accompanied by a characterization of the powers controlling the issue and a suggested approach with implications, the author uses a sequence of issues and responses to provide instruction in the creation and implementation of prudent security policies in a company.
A catalog of 30 models was released by Kienzle et al.[77]. They created one of the first efforts at ranking of security patterns, separating 16 "organizational" models from 14 "functional" models. The organizational models define architecture and layout aspects of safe scheme components, offering ingredients for safety mechanism execution. They address safety elements such as identification and authorisation, internet database meeting governance, travel and remainder information encoding, sandboxing and implementation of the need-to-know concept, the rule and safe operation. near to ours, but the distinction is that writers are working on overall securityi
patterns for software and not for cloud. Although there are similarities and prevalent safety problems, there are more
and particular safety problems in cloud application relative to non-cloud applications, such as financial durability.
Schumacher et al.[78]'s novel on security patterns reflects a culmination of the job that has been accomplished to present and a isynthesis ofi thei personal attempts only its big of writers, but the overall society of security patterns[72,73]. This big range displays around 70 motifs, categorized using well-developed taxonomic model components: In relation to being a model database, this paper involves four descriptive sections that explain the model method in particular, an outline of safety principles accompanied by an analysis of the background ,the overall information system with a comprehensive documentation on security patterns, but not for CloudSaaS.
Eduardo iFernandez-Buglionii show his self catalog of
isecurity ipatterns[79], integrating and systematizing his own earlier publications. The research allows comprehensive use of UML part, category and cooperation diagrams, similar in organization and quantity but definitely distinct in ranking, model designations and their introduction Patterns are categorized according to their utilization fields: identification leadership, authentication, access control, process leadership (working scheme),safe OS design and iadministration,
inetworking, internet facilities and cryptography of web services. In the job of Eduardo, there are many lacking security patterns, like, similar to prior job. In addition, these models are not specifically described for CloudSaaS.
Oracle's technicali reporti[80] on "Securing SaaS at Scale" shows some of iCloud SaaSi ' safety issues, safety andi enforcement, customer governance and tracking, and information iresidency end regulation. Conversely, study provides make highest level debate and overall debate on the issues. In addition, there are no alternatives to the problems mentioned in the study. Additionally, the study does not discuss other safety problems, such as safe growth, implementation and administration, and Cloud SaaS safe architecture. In this journal, they distinguish their work from our work.
Remark: So far. We have made an attempt to study, define and document security patterns for CloudSaaS. Only 6 of the 8 most appropriate articles described in this chapter [70,71,76–79] Work on overall hardware (non-cloud implementation) safety models and only 2 articles[ 12,80] discuss cloud-based implementation safety models. The writers in the 2 articles, however, do not contain all of Cloud's needed security patterns relative to our work. We provide wealthier models in our work and address more safety elements.
5. Case study: Solutions in AWS and Azure
2336 5.1. AWS
As shown in Figure 4, most of the alternatives needed to tackle our specified security patterns can be found in AWS. We provide a brief overview of these alternatives in this work.
1. Compliance and Regulatory. AWS offers various instruments to promote data processing and governance of regulatory compliance.
Data Citizenship. AWS provides place labels method to manage customer entry geographically, recognized as geo limitation or geoblocking., which is capable of limiting web entry depending on nations from which entry applications originate. CloudFront enables data entry if the application comes from a whitelist of authorized nations and prevents entry if the application comes from a blacklist of prohibited nations.
Cryptographic Erasure. AWS offers a tool to manage the cryptographic keys used in AWS, recognized as KMS[26 ]. KMS enables users to generate and handle buttons and regulate encryption utilization across a broad spectrum of AWS facilities and in apps.
Shared Responsibility Model. .AWS offers various facilities and instruments for information and scheme security. Some facilities or instruments are free of charge and others are not. Using it is up to the customer or not. The AWS primary obligation is to guarantee the Cloud platform's accessibility and fundamental safety.
Compliant Data Transfer. As with information citizenship, the geo-restriction instrument can be used to monitor information flow across geographic limits.
Data Retention.AWS also offers various types of data storage and backup tools that can be used to safeguard information against random deletion and intentional information assaults. DynamoDB[27], for instance, is an AWS database system that offers configurable storage (for instance, users can specify their own backup strategy).
Data Lifecycle. Define user specified policy Instrument can be used to monitor information flow across geographic limits.
Intentional Data Remanence. AWS offers recovery facilities to all their database systems and storages to guarantee that information stays even after efforts to delete or extract it. For example, in case of intentional or unintentional deletion of data, DynamoDB backup service provides user tools to define their own backup policy to protect data.
2. Identificationi, Authenticationi andi Authorisationi. AWS offers a full range of instruments to promote safe device and user recognition, encryption and permission using AWS platform.
Multi-factori Authenticationi. .AWS offers customers with various authentication instruments and implementation
APIs. AWS for instance, instrument that can be check for showing purpose customer and implementation APIi. Cognitoi promotes both normal usernamei authentication and code
Access Token. used to authenticate users or API applications. SSO allows connections to various AWS records and company apps simple to handle internally.
Mutual Authentication AWS customer VPN[32 ] provides mutual authentication to execute authentication between client and server using records produced from AWS record manager.
Secure Useri on-boardingi. .AWS boarding service customer[33 ] offers security of material from unauthorized use by merging Secure Packager and Digital Rights Management (DRM) Encoder Key Exchange (SPEKE)[33 ].
Identify and Access Manager. AWS IAM[34 ] is a tool used to handle AWS facilities and assets in a secure manner. With IAM, AWS customers and organizations can be created and managed. We can also grant permissions to permit or reject entry to AWS funds by the user.
Per-request Authentication. .AWS offers a system called ' Signing and Authenticating REST Requests'[35 ] to permit or reject entry or procedure depending on the requester's identification. For instance, the right to create buckets is assigned to a group of users while another group has the right to create objects in a bucket.
Access Control Clearance. AWS offers various instruments and facilities to handle access to information and scheme assets in a secure manner. Some of them are IAM and Cognito for authentication and customer governance and AWS CloudWatch[36 ] for customer and resource tracking.
3. ecure Developmenti, Operationi and
Administrationi.
Bastion server. The bastion of AWS[37 ] is intended specifically to resist assaults. Its aim is to provide connections from an internal network, such as the Internet, to a private network and to minimize the possibility of future attacks invasion.
Automated threat detection. AWS GuardDuty [ 38 ] is a risk tracking company that tracks malice and unlicensed behavior in order to safeguard AWS records, workloads and resources continually.
Durable Availability. Some instruments and facilities such as CloudWatch and WAF are in location to guarantee excellent operation and the accessibility of AWS applications [ 39 ]. WAF works as a firewall to protect the request against enemy assaults. CloudWatch offers safe client and assets control.
avoid attackers from losing funds (e.g. computer services).
Vulnerability Management. Certain third-party software instruments can be used to identify an application software vulnerability implemented on the AWS system. AlienVault USM [40] is one of them
Figure 4. represent the azure security .
4. Privacy and Confidentiality. WAS offers some privacy and confidentiality security facilities and instruments. However, AWS has not yet resolved some of the demands. SaaS developers need to create their own alternatives to tackle them, such as information anonymization, encrypted information computation and application intent monitoring.
End-to-end Security. AWS offers facilities to ensure the exchange of information between various organizations The manager of the AWS certificate[41 ] is a company that enables easy provision, administration, and implementation, inner linked assets, of government and private SSL / TLS certificates.
Computation on Encrypted Data. AWS platform is not yet accessible for computing encrypted information.
Data Anonymisation. .The automatic anonymization option on the AWS platform is not yet available.
Processing purpose control. There is not yet a solution for processing information control distributed on the AWS platform.
5. iSecure Architecturei. A set of safe instruments andi servicesi for architecture are provided in AWSi.
Virtual Network. .AWS Private Virtual Cloud[ 42] is a service which allows users to provide logically remote AWS cloud areas where users can use their specified virtual network for AWS resources. Users can monitor their virtual network environment fully, including IP address range, sub-network building and network gateway and routing tables setup.
Web Application Firewall. AWS WAF[39 ] is the firewall of a web application that prevents web applications from common web exploitations that can influence server accessibility.
Secure Element. An easy way to safely integrate, track and handle IoT devils on a scale is provided by AWS IoT Device Management[43 ]. With these instruments, users can separately and in community log their linked equipment and
handle permissions readily, so that after loading systems can stay safe.
Secure Cold Storage. It can be shorter than a narrower one to retrieve information from the big database. It is essential to save rare access information in a distinct memory in order to preserve a rapid information recovery period. AWS provides Glacier [ 44 ] processing services for processing of information that are rarely used or accessed.
Certificate and Key Manager. AWS offers two cryptographic key management facilities and a TLS / SSL card. AWS Key Manager enables the customer to generate, deliver, and handle the cryptographic keys, whilst TLS / SSL records can be provided and managed by a record manager[41 ].
Hardware Security Module. AWS CloudHSM[45 ] is a cloud-based security module for hardware that enables users to create encryption keys or configure their own encryption key for AWS apps and facilities.
Secure Auditing. In order to promote and help the client (or AWS client) in the assessment of AWS service's capacity to satisfy the data security goals and safety control required by its particular manufacturing and governing body, AWS released its Security Checklist
5.2. Azure
Azure offers the majority of alternatives to tackle Section 4 security patterns similar to AWS.mappings of specified safety models and accessible alternatives in Azure. In this chapter, we provide a brief overview of Azure alternatives for the specified safety models.
1. Compliance and regulatory. Various Azure instruments and facilities may be used to assist the handling and governance of legislative adherence. Each method is described below.
Data Citizenship. The service can be used in geographical terms to restrict data access and use to the Azure Front Door (AFD) [ 47 ]. The front door web firews implementation (WAF) software enables users to set a strategy using personal entry laws to allow or reject access to a particular endpoint route from certain nations.
Cryptographic Erasure User can handle their cryptographic key safely, such as deleting or deleting the key by using Azure Key [ 48 ]. Other facilities are included, such as the handling of records, certificates and the storage of documents backed up with ihardware.
Shared Responsibilityi Model. Like iAWS, Azurei provides various facilities and instruments for information and scheme security. All facilities and instruments are not safe, however. The customer is responsible for using them. Azure's legal obligation is to make the cloud platform accessible and secure.
2338
Data Retention. Azure has various types of information processing and retrieval instruments (e.g. blob memory, file processing and panel processing) that may safeguard information, such as Azure Cosmos DB[48 ], a shared multi-model application system, from random deletion and intentional assaults.
Data Lifecycle. Azure Blob Storage Management [50] can be used to monitor the lifecycle of Azure information. This company provides a comprehensive, regulatory strategy which allows users to monitor information after its formation, use until the finish of their life cycle.
2. iIdentification, Authenticationi and Authorisationi. A variety of instruments in Azure are accessible for safe detection, encryption and authorisation of Azure desktop customers, apps and hardware.
Multi-factor Authentication. Azure's effective folder offers a client and information entry command facilities set, including multi-factor authentication[52]. Azure utilizes two-step checking composed in the username and password procedure as well as an extra technique of authentication (e.g. evidence of ownership).
Federation (single sign-on)i. enables users to automatically log in when they are attached to the network on their commercial computers[ 53]. Users need no password to sign up to Azure AD when AD Single Signups are available, particularly when consumers have various Cloud profiles. This function facilitates connection to cloud-based apps.
Access Token. Access tokens [ 54 ] from Azure Active directory enables users to create an Azure-protected access toen that can be used for the secure call-up of APIs.
Mutual Authentication. The Azure application service[55 ] offers the reciprocal authentication of Azure apps and assets to be used to limit entry.
Secure User on-boarding. Azure Security Center[56 ] comprises a series of safety facilities designed to protect network embedded apps, assets and hardware. Safe on-boarding is used to safely access non-Azure on-board network equipment.
Identity and Access Manager. In Azure, Azure IAM can protect the identities of users and applications[ 57]. This system protects customers, apps, and information from fraudulent login efforts and protects certificates with risk-based access controls and the strong authentication technique (such as authentication of two variables). This company also supports user security.
Per-request Authentication. The REST API Authentication [ 58 ] and azure API Management allows the user to generate the access token needed to call the Azure APIs
7. Conclusions
Security patterns have passed through their full "hype cycle"[81] and are now deemed advanced studied standpoint of model identification and implementation. New fields and specializations, such as security patterns
resulting, are constantly coming into the concentrate of scientists. We provide a full roster of models and their alternatives for the cloud computing setting, and there is no effort to fully explore and record them to the finest of our understanding so far. concentrating on security patterns; it is changes for cover chosen subjects such as verification, authorization or danger and overlook different safety problems and it has do not believe are important, such as assets and management of operations and governance Furthermore, and what distinguishes our job in this document from prior job is that we generate an formal safety best practices and information provider can use from the floor up as a guideline for creating cloud SaaS implementation. The research of AWS and Azure safety alternatives is another input that also separates our job from prior job. The primary objective is to match each model to the this technique alternatives.
It is supreme safety alternatives are accessible in AWS and Azure, some surviving problems still need to be resolved, such as handling intent monitoring and efficient information lifecycle governance in a dispersed setting These problems will be our potential job. We also intend to include Google Cloud alternatives in the paperwork of our security patterns.
References
[1] Alexander, C.; Ishikawa, S.; Silverstein, M. A Pattern Language: Towns, Buildings, Construction; Oxford University Press: Oxford, UK, 1977.
[2] Gamma, E.; Helm, R.; Johnson, R.; Vlissides, J. Design Patterns: Elements of Object-Oriented Software; Addison-Wesley: Boston, MA, USA, 1994.
[3] Buschmann, F.; Meunier, R.; Rohnert, H.; Sommerlad, P.; Stal, M. Pattern-Oriented Software Architecture: A System of Patterns; Wiley & Sons: Hoboken, NJ, USA, 1996.
[4] Schumacher, M. 2003. Security Engineering with Patterns: Origins, Theoretical Models, and New Applications; Springer: Berlin/Heidelberg, Germany, 2003.
[5] Bunke, M.; Koschke, R.; Sohr, K. Organizing security patterns related to security and pattern recognition requirements. Int. J. Adv. Secur. 2012, 5, 46–67. [6] Bunke, M. Software-security patterns: degree of
maturity. In Proceedings of the 20th European Conference on Pattern Languages of Programs, Bavarian Kloster Irsee, Germany, 8–12 July 2015. [7] Blakley, B.; Heath, C. The Open Group Security Forum.
Security Design Patterns; 2004. Available online: https://publications.opengroup.org/g044 (accessed on 29 March 2019).
[8] Fernandez, E.B.; Monge, R. A security reference architecture for Cloud systems. In Proceedings of the WICSA 2014 Companion Volume, Sydney, Australia, 7–11 April 2014; p. 3.
[9] Fernandez, E.B.; Monge, R.; Hashizume, K. Two patterns for Cloud computing: Secure virtual machine image repository and Cloud policy management point. In Proceedings of the 20th Conference on Pattern Languages of Programs, Monticello, IL, 23–26 October 2013; p. 15.
Science, University of Illinois at Urbana-Champaign: 2006. Available online: https://munawarhafiz.com/ research/patterns/secpatclassify.pdf (accessed on 29 March 2019).
[11]Web Application Security Guidance. Available online: https://www.owasp.org/index.php/Web_
Application_Security_Guidance (accessed on 29 March 2019).
[12]Langer, T.; Pohls, H.C.; Ghernaouti, S. Selected Cloud Security Patterns to Improve End User Security and Privacy in Public Clouds. Privacy Technologies and Policy. APF 2016. Lecture Notes in Computer Science; Springer: Cham, Switzerland, 2016; Volume 9857. [13]Eduardo B. Fernandez, Nobukazu Yoshioka, and
Hironori Washizaki. Patterns for security and privacy in Cloud ecosystems. In Proceedings of the IEEE 2nd Workshop on Evolving Security and Privacy Requirements Engineering (ESPRE), Ottawa, ON, Canada, 25 August 2015.
[14]OWASP Cloud Security Project. Available online: https://www.owasp.org/index.php/OWASP_Cloud_ Security_Project (accessed on 29 March 2019).
[15]Detailed Pattern Structure. Available online:
http://www.sirris.be.s3-website-eu-west-1.amazonaws.com/ (accessed on 29 March 2019). [16]Spasic, B.; Rath, A.; Thiran, P.; Boucart, N. Security
Pattern for Cloud SaaS: from system and data security to privacy. In Proceedings of the 4th IEEE International Conference on Cloud Computing Technologies and Applications, Brussels, Belgium, 26–28 November 2018.
[17]General Data Protection Regulation (GDPR). Available online: https://ec.europa.eu/info/law/law-topic/ data-protection_en (accessed on 29 March 2019).
[18]Achbarou, O.; Kiram, M.A.E.; Bouanani, S.E. Securing Cloud Computing from Different Attacks Using Intrusion Detection Systems. Int. J. Interact. Multimed. Artif. Intell. 2017, 4, 61–64.
[19]Subramaniam, T.K.; Deepa, B. Security attack issues and mitigation techniques in Cloud computing environments. Int. J. UbiComp (IJU) 2016, 7, doi:10.5121/iju.2016.7101.
[20]SGX. Available online: https://software.intel.com/en- us/blogs/2018/11/08/microsoft-azure-confidential-computing-with-intel-sgx (accessed on 29 March 2019). [21]Taherizadeh, S.; Stankovski, V.; Grobelnik, M. A Capillary Computing Architecture for Dynamic Internet of Things: Orchestration of Microservices from Edge Devices to Fog and Cloud Providers. Sensors 2018, 18, 2938.
[22]Ondiege, B.; Clarke, M.; Mapp, G. Exploring a new security framework for remote patient monitoring devices. Computers 2017, 6, 11.
[23]AWS CloudFront Geo Restriction. Available online: https://docs.aws.amazon.com/AmazonCloudFront/ latest/DeveloperGuide/georestrictions.html#georestricti ons-Cloudfront (accessed on 29 March 2019).
[24]Google Cloud. Available online: https://Cloud.google.com(accessed on 29 March 2019). [25]Third Party Geo Restriction. Available online: https://docs.aws.amazon.com/AmazonCloudFront/lates t/ DeveloperGuide/georestrictions.html#georestrictions-geolocation-service (accessed on 29 March 2019).
[26]AWS KMS. Available online: https://aws.amazon.com/kms/ (accessed on 29 March 2019).
[27]AWS DynamoDB. Available online: https://aws.amazon.com/dynamodb/ (accessed on 29 March 2019).
[28]AWS Data Lifecycle Manager. Available online: https://docs.aws.amazon.com/dlm/latest/APIReference/ Welcome.html (accessed on 29 March 2019).
[29]AWS Cognito. Available online: https://aws.amazon.com/cognito/ (accessed on 29 March 2019).
[30]AWS SSO. Available online: https://aws.amazon.com/single-sign-on/ (accessed on 29 March 2019).
[31]AWS SSO. Available online: https://docs.aws.amazon.com/STS/latest/APIReference /Welcome.html (accessed on 29 March 2019).
[32]AWS Client VPN. Available online: https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/ authentication-authrization.html (accessed on 29 March 2019).
[33]AWS Customer on Boarding Service. Available online: https://docs.aws.amazon.com/speke/latest/
documentation/customer-onboarding.html (accessed on 29 March 2019).
[34]AWS IAM. Available online: https://aws.amazon.com/iam/ (accessed on 29 March 2019).
[35]AWS Signing and Authenticating REST Requests. Available online: https://docs.aws.amazon.com/ AmazonS3/latest/dev/RESTAuthentication.html
(accessed on 29 March 2019).
[36]AWS CloudWatch. Available online: https://aws.amazon.com/Cloudwatch/ (accessed on 29 March 2019).
[37]AWS Bastion Host. Available online: https://aws.amazon.com/blogs/security/controlling- network-access-to-ec2-instances-using-a-bastion-server/ (accessed on 29 March 2019).
[38]AWS GuardDuty. Available online: https://aws.amazon.com/guardduty/ (accessed on 29 March 2019).
[39]AWS WAF. Available online: https://aws.amazon.com/waf/ (accessed on 29 March 2019).
[40]AlienVault USM. Available online: https://www.alienvault.com (accessed on 29 March 2019).
[41]AWS Certificate Manager. Available online: https://aws.amazon.com/certificate-manager/
(accessed on 29 March 2019).
[42]AWS Virtual Private Cloud. Available online: https://aws.amazon.com/vpc/ (accessed on 29 March 2019).
[43]AWS IoT Device Management. Available online: https://aws.amazon.com/iot-device-management/ (accessed on 29 March 2019).
![Figure 3. Represent the pattern icon define category [15].](https://thumb-us.123doks.com/thumbv2/123dok_us/8625251.1414959/8.612.366.538.537.656/figure-represent-pattern-icon-define-category.webp){kind=icon}
