With the fast, competitive evolution of new cloud services, particularly those related to security, cloud deployment is now definitively as secure as on-premises servers, and probably even more secure. This practical book surveys current security challenges and shows security professionals, IT architects, and developers how to meet them while deploying systems to popular cloud services. You’ll find up-to-date, cloud-specific security guidance for popular cloud platforms in the areas of cloud and data asset management, identity and access management, vulnerability management, network security, and incident response. Author Chris Dotson offers practical cloud security best practices for multivendor cloud environments, whether you’re just starting to design your cloud environment or have legacy projects to secure.
Author(s): Chris Dotson
Edition: 2
Publisher: O'Reilly Media, Inc.
Year: 2023
Language: English
Pages: 188
1. Principles and Concepts
Least Privilege
Defense in Depth
Zero Trust
Threat Actors, Diagrams, and Trust Boundaries
Cloud Service Delivery Models
The Cloud Shared Responsibility Model
Risk Management
Conclusion
Exercises
2. Data Asset Management and Protection
Data Identification and Classification
Example Data Classification Levels
Relevant Industry or Regulatory Requirements
Data Asset Management in the Cloud
Tagging Cloud Resources
Protecting Data in the Cloud
Tokenization
Encryption
Confidential computing
Encryption of data at rest
Key management
Server-side and client-side encryption
Cryptographic erasure
How encryption foils different types of attacks
Disk level encryption
Platform level encryption
Application level encryption
Conclusion
Exercises
3. Cloud Asset Management and Protection
Differences from Traditional IT
Types of Cloud Assets
Compute Assets
Virtual machines
Containers
Native container model
“Mini-VM” container model
Container orchestration systems
Application Platform as a Service
Serverless
Storage Assets
Block storage
File storage
Object storage
Images
Cloud databases
Message queues
Configuration storage
Secrets configuration storage
Encryption key storage
Certificate storage
Source code repositories and deployment pipelines
Network Assets
Virtual private clouds and subnets
Content delivery networks
DNS records
TLS certificates
Load balancers, reverse proxies, and web application firewalls
Asset Management Pipeline
Procurement Leaks
Processing Leaks
Tooling Leaks
Findings Leaks
Tagging Cloud Assets
Conclusion
Exercises
4. Identity and Access Management
Differences from Traditional IT
Life Cycle for Identity and Access
Request
Approve
Create, Delete, Grant, or Revoke
Authentication
Cloud IAM Identities
Business-to-Consumer and Business-to-Employee
Multi-Factor Authentication
Passwords, Passphrases, and API Keys
Shared IDs
Federated Identity
Single Sign-On
SAML and OIDC
SSO with legacy applications
Instance Metadata and Identity Documents
Secrets Management
Authorization
Centralized Authorization
Roles
Revalidate
Putting It All Together in the Sample Application
Conclusion
Exercises
5. Vulnerability Management
Differences from Traditional IT
Vulnerable Areas
Data Access
Application
Middleware
Operating System
Network
Virtualized Infrastructure
Physical Infrastructure
Finding and Fixing Vulnerabilities
Network Vulnerability Scanners
Agentless Scanners and Configuration Management
Agent-Based Scanners and Configuration Management
Credentials
Deployment
Network
Least privilege
Choosing an agent-based or agentless scanner
Cloud Workload Protection Platforms
Container Scanners
Dynamic Application Scanners (DAST)
Static Application Scanners (SAST)
Software Composition Analysis Scanners (SCA)
Interactive Application Scanners (IAST)
Runtime Application Self-Protection Scanners (RASP)
Manual Code Reviews
Penetration Tests
User Reports
Example Tools for Vulnerability and Configuration Management
Risk Management Processes
Vulnerability Management Metrics
Tool Coverage
Mean Time to Remediate
Systems/Applications with Open Vulnerabilities
Percentage of False Positives
Percentage of False Negatives
Vulnerability Recurrence Rate
Change Management
Putting It All Together in the Sample Application
Conclusion
Exercises
6. Network Security
Differences from Traditional IT
Concepts and Definitions
Allowlists and Denylists
DMZs
Proxies
Software-Defined Networking
Network Features Virtualization
Overlay Networks and Encapsulation
Virtual Private Clouds
Network Address Translation
IPv6
Putting It All Together in the Sample Application
Encryption in Motion
Firewalls and Network Segmentation
Perimeter control
Internal segmentation
Security groups
Service endpoints
Container firewalling and network segmentation
Allowing Administrative Access
Bastion hosts
Virtual private networks (VPNs)
Site-to-site VPNs
Client-to-site VPNs
Web Application Firewalls and RASP
Anti-DDoS
Intrusion Detection and Prevention Systems
Egress Filtering
Data Loss Prevention
Conclusion
Exercises