Cloud Native Security Cookbook: Recipes for a Secure Cloud

With the rise of the cloud, every aspect of IT has been shaken to its core. The fundamentals for building systems are changing, and although many of the principles that underpin security still ring true, their implementation has become unrecognizable. This practical book provides recipes for AWS, Azure, and GCP to help you enhance the security of your own cloud native systems. Based on his hard-earned experience working with some of the world's biggest enterprises and rapidly iterating startups, consultant Josh Armitage covers the trade-offs that security professionals, developers, and infrastructure gurus need to make when working with different cloud providers. Each recipe discusses these inherent compromises, as well as where clouds have similarities and where they're fundamentally different.

• Learn how the cloud provides security superior to what was achievable in an on-premises world
• Understand the principles and mental models that enable you to make optimal trade-offs as part of your solution
• Learn how to implement existing solutions that are robust and secure, and devise design solutions to new and interesting problems
• Deal with security challenges and solutions both horizontally and vertically within your business

Author(s): Josh Armitage
Edition: 1
Publisher: O'Reilly Media
Year: 2022

Language: English
Commentary: Vector PDF
Pages: 515
City: Sebastopol, CA
Tags: Cookbook; Google Cloud Platform; Amazon Web Services; Microsoft Azure; Cloud Computing; Security; Logging; Network Security; Terraform; Infrastructure as Code; User Management; Data Protection; DevSecOps

Copyright
Table of Contents
Preface
Conventions Used in This Book
Using Code Examples
O’Reilly Online Learning
How to Contact Us
Acknowledgments
Chapter 1. Security in the Modern Organization
1.1 Why Security Is Critical
1.2 What Is Meant by Cloud Native Security?
The Beginnings of the Cloud
Old Practices in the New Reality
1.3 Where Security Fits in the Modern Organization
1.4 The Purpose of Modern Security
1.5 DevSecOps
What Is DevOps?
What Is DevSecOps?
Version Control
1.6 How to Measure the Impact of Security
Time to Notify for Known Vulnerabilities
Time to Fix a Known Vulnerability
Service Impacts Incurred Through Security Vulnerabilities
Attempted Breaches Prevented
Compliance Statistics
Percentage of Changes Rejected
1.7 The Principles of Security
Least Privilege
Only as Strong as Your Weakest Link
Defense in Depth
Security Is Job Zero
Quality Is Built In
Chapter Summary
Chapter 2. Setting Up Accounts and Users
2.1 Scalable Project Structures on GCP
Problem
Solution
Discussion
Summarizing the Recipe
2.2 Scalable Account Structures on AWS
Problem
Solution
Discussion
Summarizing the Recipe
2.3 Scalable Subscription Structures on Azure
Problem
Solution
Discussion
Summarizing the Recipe
2.4 Region Locking on GCP
Problem
Solution
Discussion
2.5 Region Locking on AWS
Problem
Solution
Discussion
2.6 Region Locking on Azure
Problem
Solution
Discussion
2.7 Centralizing Users on GCP
Problem
Solution
Discussion
2.8 Centralizing Users on AWS
Problem
Solution
Discussion
2.9 Centralizing Users on Azure
Problem
Solution
Discussion
Chapter 3. Getting Security Visibility at Scale
3.1 Building a Cloud Native Security Operations Center on GCP
Problem
Solution
Discussion
Summarizing the Recipe
3.2 Building a Cloud Native Security Operations Center on AWS
Problem
Solution
Discussion
Summarizing the Recipe
3.3 Building a Cloud Native Security Operations Center on Azure
Problem
Solution
Discussion
Summarizing the Recipe
3.4 Centralizing Logs on GCP
Problem
Solution
Discussion
Summarizing the Recipe
3.5 Centralizing Logs on AWS
Problem
Solution
Discussion
Summarizing the Recipe
3.6 Centralizing Logs on Azure
Problem
Solution
Discussion
Summarizing the Recipe
3.7 Log Anomaly Alerting on GCP
Problem
Solution
Discussion
Summarizing the Recipe
3.8 Log Anomaly Alerting on AWS
Problem
Solution
Discussion
Summarizing the Recipe
3.9 Log Anomaly Alerting on Azure
Problem
Solution
Discussion
Summarizing the Recipe
3.10 Building an Infrastructure Registry on GCP
Problem
Solution
Discussion
Summarizing the Recipe
3.11 Building an Infrastructure Registry on AWS
Problem
Solution
Discussion
Summarizing the Recipe
3.12 Building an Infrastructure Registry on Azure
Problem
Solution
Discussion
Summarizing the Recipe
Chapter 4. Protecting Your Data
4.1 Encrypting Data at Rest on GCP
Problem
Solution
Discussion
Summary
4.2 Encrypting Data at Rest on AWS
Problem
Solution
Discussion
Summary
4.3 Encrypting Data at Rest on Azure
Problem
Solution
Discussion
Summary
4.4 Encrypting Data on GCP with Your Own Keys
Problem
Solution
Discussion
Summary
4.5 Encrypting Data on AWS with Your Own Keys
Problem
Solution
Discussion
Summary
4.6 Encrypting Data on Azure with Your Own Keys
Problem
Solution
Discussion
Summary
4.7 Enforcing In-Transit Data Encryption on GCP
Problem
Solution
Discussion
Summary
4.8 Enforcing In-Transit Data Encryption on AWS
Problem
Solution
Discussion
Summary
4.9 Enforcing In-Transit Data Encryption on Azure
Problem
Solution
Discussion
Summary
4.10 Preventing Data Loss on GCP
Problem
Solution
Discussion
Summary
4.11 Preventing Data Loss on AWS
Problem
Solution
Discussion
Summary
4.12 Preventing Data Loss on Azure
Problem
Solution
Discussion
Summary
Chapter 5. Secure Networking
5.1 Networking Foundations on GCP
Problem
Solution
Discussion
Summary
5.2 Networking Foundations on AWS
Problem
Solution
Discussion
Summary
5.3 Networking Foundations on Azure
Problem
Solution
Discussion
Summary
5.4 Enabling External Access on GCP
Problem
Solution
Discussion
Summary
5.5 Enabling External Access on AWS
Problem
Solution
Discussion
Summary
5.6 Enabling External Access on Azure
Problem
Solution
Discussion
Summary
5.7 Allowing Access to Internal Resources on GCP
Problem
Solution
Discussion
Summary
5.8 Allowing Access to Internal Resources on AWS
Problem
Solution
Discussion
Summary
5.9 Allowing Access to Internal Resources on Azure
Problem
Solution
Discussion
Summary
5.10 Controlling External Network Connectivity on GCP
Problem
Solution
Discussion
Summary
5.11 Controlling External Network Connectivity on AWS
Problem
Solution
Discussion
Summary
5.12 Controlling External Network Connectivity on Azure
Problem
Solution
Discussion
Summary
5.13 Private Application Access on GCP
Problem
Solution
Discussion
Summary
5.14 Private Application Access on AWS
Problem
Solution
Discussion
Summary
5.15 Private Application Access on Azure
Problem
Solution
Discussion
Summary
Chapter 6. Infrastructure as Code
6.1 Building Secure Infrastructure Defaults on GCP
Problem
Solution
Discussion
Summary
6.2 Building Secure Infrastructure Defaults on AWS
Problem
Solution
Discussion
Summary
6.3 Building Secure Infrastructure Defaults on Azure
Problem
Solution
Discussion
Summary
6.4 Functions as a Service on GCP
Problem
Solution
Discussion
Summary
6.5 Functions as a Service on AWS
Problem
Solution
Discussion
Summary
6.6 Functions as a Service on Azure
Problem
Solution
Discussion
Summary
6.7 Robust Deployment on GCP
Problem
Solution
Discussion
Summary
6.8 Robust Deployment on AWS
Problem
Solution
Discussion
Summary
6.9 Robust Deployment on Azure
Problem
Solution
Discussion
Summary
6.10 Deployment at Scale on GCP
Problem
Solution
Discussion
Summary
6.11 Deployment at Scale on AWS
Problem
Solution
Discussion
Summary
6.12 Deployment at Scale on Azure
Problem
Solution
Discussion
Summary
Chapter 7. Compliance as Code
7.1 Labeling Resources on GCP
Problem
Solution
Discussion
Summary
7.2 Tagging Resources on AWS
Problem
Solution
Discussion
Summary
7.3 Tagging Resources on Azure
Problem
Solution
Discussion
Summary
7.4 Detecting Noncompliant Infrastructure on GCP
Problem
Solution
Discussion
Summary
7.5 Detecting Noncompliant Infrastructure on AWS
Problem
Solution
Discussion
Summary
7.6 Detecting Noncompliant Infrastructure on Azure
Problem
Solution
Discussion
Summary
7.7 Preventing Noncompliant Infrastructure on GCP
Problem
Solution
Discussion
Summary
7.8 Preventing Noncompliant Infrastructure on AWS
Problem
Solution
Discussion
Summary
7.9 Preventing Noncompliant Infrastructure on Azure
Problem
Solution
Discussion
Summary
7.10 Remediating Noncompliant Infrastructure on GCP
Problem
Solution
Discussion
Summary
7.11 Remediating Noncompliant Infrastructure on AWS
Problem
Solution
Discussion
Summary
7.12 Remediating Noncompliant Infrastructure on Azure
Solution
Discussion
Summary
Chapter 8. Providing Internal Security Services
8.1 Protecting Security Assets and Controls on GCP
Problem
Solution
Discussion
Summary
8.2 Protecting Security Assets and Controls on AWS
Problem
Solution
Discussion
Summary
8.3 Protecting Security Assets and Controls on Azure
Problem
Solution
Discussion
Summary
8.4 Understanding Machine Status at Scale on GCP
Problem
Solution
Discussion
Summary
8.5 Understanding Machine Status at Scale on AWS
Problem
Solution
Discussion
Summary
8.6 Understanding Machine Status at Scale on Azure
Problem
Solution
Discussion
Summary
8.7 Patching at Scale on GCP
Problem
Solution
Discussion
Summary
8.8 Patching at Scale on AWS
Problem
Solution
Discussion
Summary
8.9 Patching at Scale on Azure
Problem
Solution
Discussion
Summary
8.10 Data Backup on GCP
Problem
Solution
Discussion
Summary
8.11 Data Backup on AWS
Problem
Solution
Discussion
Summary
8.12 Data Backup on Azure
Problem
Solution
Discussion
Summary
Chapter 9. Enabling Teams
9.1 Enabling Project Sharing on GCP
Problem
Solution
Discussion
Summary
9.2 Enabling Account Sharing on AWS
Problem
Solution
Discussion
Summary
9.3 Enabling Resource Group Sharing on Azure
Problem
Solution
Discussion
Summary
9.4 Application Security Scanning on GCP
Problem
Solution
Discussion
Summary
9.5 Application Security Scanning on AWS
Problem
Solution
Discussion
Summary
9.6 Application Security Scanning on Azure
Problem
Solution
Discussion
Summary
Chapter 10. Security in the Future
10.1 The Infinite Game
Zero Trust
Supply Chain Security
10.2 Building Capability
10.3 Building Situational Awareness
10.4 Conclusion
Chapter 11. Terraform Primer
11.1 Authenticating with GCP
11.2 Authenticating with AWS
11.3 Authenticating with Azure
Index
About the Author