
Practical Cloud Security

Book Description

With Early Release ebooks, you get books in their earliest form—the author's raw and unedited content as he or she writes—so you can take advantage of these technologies long before the official release of these titles. You'll also receive updates when significant changes are made, new chapters are available, and the final ebook bundle is released.

With their rapidly changing infrastructure and API-driven automation, cloud platforms come with their own unique security challenges and opportunities. Whether your company is just getting started with the cloud, or is moving legacy on-premises projects there, this practical book guides you through security best practices for multi-vendor cloud environments.

Author Chris Dotson—executive security architect in the IBM Watson and Cloud Platform organization—takes developers, IT architects, and security professionals through cloud-specific techniques to help you secure popular cloud platforms such as Amazon Web Services, Microsoft Azure, and IBM Cloud. You’ll learn how to establish data asset management, identity and access management, vulnerability management, network security, and incident response in your cloud environment.

You’ll explore:

  • Data asset management through inventory, classification, and protection techniques such as cryptography and tokenization
  • The shared responsibility model for defining which security tasks belong to you and which belong to the service provider
  • How asset and access management work on cloud versus traditional data centers
  • Methods for providing a comprehensive and automated vulnerability management program on cloud
  • Software defined networking and web application firewalls for delivering cloud-based network security
  • Tools and techniques to help you detect, respond to, and recover from cloud-based security incidents

Table of Contents

  1. Principles and Concepts
    1. Least Privilege
    2. Defense in Depth
    3. Threat Actors, Diagrams, and Trust Boundaries
    4. Cloud Delivery Models
    5. The Cloud Shared Responsibility Model
    6. Risk Management
  2. Data Asset Management and Protection
    1. Data Identification and Classification
      1. Example Data Classification Levels
      2. Relevant Industry or Regulatory Requirements
    2. Data Asset Management in Cloud
      1. Tagging Cloud Resources
    3. Protecting Data in the Cloud
      1. Tokenization
      2. Encryption
      3. How encryption foils different types of attacks
    4. Summary
  3. Cloud Asset Management and Protection
    1. Differences from Traditional IT
    2. Types of Cloud Assets
      1. Compute assets
      2. Storage assets
      3. Network assets
    3. Asset Management Pipeline
      1. Procurement leaks
      2. Processing leaks
      3. Downstream leaks
      4. Findings leaks
    4. Tagging Cloud Assets
    5. Summary
  4. Identity and Access Management
    1. Differences from Traditional IT
    2. Life cycle for identity and access
    3. Request
    4. Approve
    5. Create, Delete, Grant, or Revoke
    6. Authentication
      1. Cloud IAM Identities
      2. Business-to-Customer and Business-to-Employee
      3. Multi-Factor Authentication
      4. Passwords and API keys
      5. Shared IDs
      6. Federated Identity
      7. Single Sign On
      8. Instance Metadata and Identity Documents
      9. Secrets Management
    7. Authorization
      1. Centralized Authorization
      2. Roles
    8. Revalidate
    9. Putting it all together in the Sample Application
    10. Summary
  5. Vulnerability Management
    1. Differences from Traditional IT
    2. Vulnerable areas
      1. Data Access
      2. Application
      3. Middleware
      4. Operating System
      5. Network
      6. Virtualized Infrastructure
      7. Physical Infrastructure
    3. Finding and Fixing Vulnerabilities
      1. Network vulnerability scanners
      2. Agentless scanners and configuration management
      3. Agent-based scanners and configuration management
      4. Cloud provider security management tools
      5. Container scanners
      6. Dynamic application scanners (DAST)
      7. Static code scanners (SAST)
      8. Software Composition Analysis (SCA)
      9. Interactive code scanners (IAST)
      10. Runtime application self-protection (RASP)
      11. Manual code reviews
      12. Penetration tests
      13. User reports
      14. Example tools for vulnerability and configuration management
    4. Risk Management Processes
    5. Vulnerability Management Metrics
      1. Tool coverage
      2. Mean time to remediate
      3. Systems/applications with open vulnerabilities
      4. Percentage of false positives
      5. Percentage of false negatives
      6. Vulnerability recurrence rate
    6. Change Management
    7. Putting It All Together in a Sample Application
    8. Summary
  6. Network Security
    1. Differences from Traditional IT
    2. Concepts and Definitions
      1. Whitelists and Blacklists
      2. DMZ
      3. Proxies
      4. Software Defined Networking (SDN)
      5. Network Features Virtualization (NFV) or Virtual Network Functions (VNFs)
      6. Overlay Networks and Encapsulation
      7. Virtual Private Cloud (VPC)
      8. Network Address Translation (NAT)
      9. IPv6
    3. Example application
    4. Cloud Network Controls
      1. Encryption in Motion
      2. Firewalls and Network Segmentation
      3. Allowing Administrative Access
      4. Bastion Hosts
      5. Web Application Firewalls and RASP
      6. Anti-DDoS
      7. Intrusion detection and prevention systems
      8. Egress Filtering
      9. Data Loss Prevention
    5. Summary