Cloud Security Handbook

Book description

A comprehensive reference guide to securing the basic building blocks of cloud services, with actual examples for leveraging Azure, AWS, and GCP built-in services and capabilities

Key Features

  • Discover practical techniques for implementing cloud security
  • Learn how to secure your data and core cloud infrastructure to suit your business needs
  • Implement encryption, detect cloud threats and misconfiguration, and achieve compliance in the cloud

Book Description

Securing resources in the cloud is challenging, given that each provider has different mechanisms and processes. Cloud Security Handbook helps you to understand how to embed security best practices in each of the infrastructure building blocks that exist in public clouds.

This book will enable information security and cloud engineers to recognize the risks involved in public cloud and find out how to implement security controls as they design, build, and maintain environments in the cloud. You'll begin by learning about the shared responsibility model, cloud service models, and cloud deployment models, before getting to grips with the fundamentals of compute, storage, networking, identity management, encryption, and more. Next, you'll explore common threats and discover how to stay in compliance in cloud environments. As you make progress, you'll implement security in small-scale cloud environments through to production-ready large-scale environments, including hybrid clouds and multi-cloud environments. This book not only focuses on cloud services in general, but it also provides actual examples for using AWS, Azure, and GCP built-in services and capabilities.

By the end of this cloud security book, you'll have gained a solid understanding of how to implement security in cloud environments effectively.

What you will learn

  • Secure compute, storage, and networking services in the cloud
  • Get to grips with identity management in the cloud
  • Audit and monitor cloud services from a security point of view
  • Identify common threats and implement encryption solutions in cloud services
  • Maintain security and compliance in the cloud
  • Implement security in hybrid and multi-cloud environments
  • Design and maintain security in a large-scale cloud environment

Who this book is for

This book is for IT or information security personnel taking their first steps in the public cloud or migrating existing environments to the cloud. Cloud engineers, cloud architects, or cloud security professionals maintaining production environments in the cloud will also benefit from this book. Prior experience of deploying virtual machines, using storage services, and networking will help you to get the most out of this book.

Table of contents

  1. Cloud Security Handbook
  2. Contributors
  3. About the author
  4. About the reviewers
  5. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
    4. Download the color images
    5. Conventions used
    6. Get in touch
    7. Share your thoughts
  6. Section 1: Securing Infrastructure Cloud Services
  7. Chapter 1: Introduction to Cloud Security
    1. Technical requirements
    2. What is a cloud service?
    3. What are the cloud deployment models?
    4. What are the cloud service models?
    5. Why we need security
    6. What is the shared responsibility model?
      1. AWS and the shared responsibility model
      2. Azure and the shared responsibility model
      3. GCP and the shared responsibility model
    7. Command-line tools
      1. AWS CLI
      2. Azure CLI
      3. Google Cloud SDK
    8. Summary
  8. Chapter 2: Securing Compute Services
    1. Technical requirements
    2. Securing VMs
      1. Securing Amazon Elastic Compute Cloud (EC2)
      2. Securing Azure Virtual Machines
      3. Securing Google Compute Engine (GCE) and VM instances
    3. Securing managed database services
      1. Securing Amazon RDS for MySQL
      2. Securing Azure Database for MySQL
      3. Securing Google Cloud SQL for MySQL
    4. Securing containers
      1. Securing Amazon Elastic Container Service (ECS)
      2. Securing Amazon Elastic Kubernetes Service (EKS)
      3. Securing Azure Container Instances (ACI)
      4. Securing Azure Kubernetes Service (AKS)
      5. Securing Google Kubernetes Engine (GKE)
    5. Securing serverless/function as a service
      1. Securing AWS Lambda
      2. Securing Azure Functions
      3. Securing Google Cloud Functions
    6. Summary
  9. Chapter 3: Securing Storage Services
    1. Technical requirements
    2. Securing object storage
      1. Securing Amazon Simple Storage Service
      2. Securing Azure Blob storage
      3. Securing Google Cloud Storage
    3. Securing block storage
      1. Best practices for securing Amazon Elastic Block Store
      2. Best practices for securing Azure managed disks
      3. Best practices for securing Google Persistent Disk
      4. Summary
    4. Securing file storage
      1. Securing Amazon Elastic File System
      2. Securing Azure Files
      3. Securing Google Filestore
    5. Securing the CSI
      1. Securing CSI on AWS
      2. Securing CSI on Azure
      3. Securing CSI on GCP
    6. Summary
  10. Chapter 4: Securing Networking Services
    1. Technical requirements
    2. Securing virtual networking
      1. Securing Amazon Virtual Private Cloud
      2. Securing Azure VNet
      3. Securing Google Cloud VPC
    3. Securing DNS services
      1. Securing Amazon Route 53
      2. Securing Azure DNS
      3. Securing Google Cloud DNS
    4. Securing CDN services
      1. Securing Amazon CloudFront
      2. Securing Azure CDN
      3. Securing Google Cloud CDN
    5. Securing VPN services
      1. Securing AWS Site-to-Site VPN
      2. Securing AWS Client VPN
      3. Securing Azure VPN Gateway (Site-to-Site)
      4. Securing Azure VPN Gateway (Point-to-Site)
      5. Securing Google Cloud VPN
    6. Securing DDoS protection services
      1. Securing AWS Shield
      2. Securing Azure DDoS Protection
      3. Securing Google Cloud Armor
    7. Securing WAF services
      1. Securing AWS WAF
      2. Securing Azure WAF
    8. Summary
  11. Section 2: Deep Dive into IAM, Auditing, and Encryption
  12. Chapter 5: Effective Strategies to Implement IAM Solutions
    1. Technical requirements
    2. Introduction to IAM
    3. Failing to manage identities
    4. Securing cloud-based IAM services
      1. Securing AWS IAM
      2. Auditing AWS IAM
      3. Securing Azure AD
      4. Auditing Azure AD
      5. Securing Google Cloud IAM
      6. Auditing Google Cloud IAM
    5. Securing directory services
      1. Securing AWS Directory Service
      2. Securing Azure Active Directory Domain Services (Azure AD DS)
      3. Securing Google Managed Service for Microsoft AD
    6. Configuring MFA
    7. Summary
  13. Chapter 6: Monitoring and Auditing Your Cloud Environments
    1. Technical requirements
    2. Conducting security monitoring and audit trails
      1. Security monitoring and audit trails using AWS CloudTrail
      2. Security monitoring using AWS Security Hub
      3. Best practices for using AWS Security Hub
      4. Security monitoring and audit trails using Azure Monitor
      5. Best practices for using Azure Monitor
      6. Security monitoring and approval process using Customer Lockbox
      7. Best practices for using Customer Lockbox
      8. Security monitoring and audit trail using Google Cloud Logging
      9. Security monitoring using Google Security Command Center
      10. Security monitoring and approval process using Access Transparency and Access Approval
    3. Conducting threat detection and response
      1. Using Amazon Detective for threat detection
      2. Using Amazon GuardDuty for threat detection
      3. Security monitoring using Microsoft Defender for Cloud
      4. Using Azure Sentinel for threat detection
      5. Using Azure Defender for threat detection
      6. Using Google Security Command Center for threat detection and prevention
    4. Conducting incident response and digital forensics
      1. Conducting incident response in AWS
      2. Conducting incident response in Azure
      3. Conducting incident response in Google Cloud Platform
    5. Summary
  14. Chapter 7: Applying Encryption in Cloud Services
    1. Technical requirements
    2. Introduction to encryption
      1. Symmetric encryption
      2. Asymmetric encryption
    3. Best practices for deploying KMSes
      1. AWS Key Management Service (KMS)
      2. AWS CloudHSM
      3. Azure Key Vault
      4. Azure Dedicated/Managed HSM
      5. Google Cloud Key Management Service (KMS)
    4. Best practices for deploying secrets management services
      1. AWS Secrets Manager
      2. Google Secret Manager
    5. Best practices for using encryption in transit
      1. IPSec
      2. Transport Layer Security (TLS)
    6. Best practices for using encryption at rest
      1. Object storage encryption
      2. Block storage encryption
      3. Full database encryption
      4. Row-level security
    7. Encryption in use
      1. AWS Nitro Enclaves
      2. Azure Confidential Computing
      3. Google Confidential Computing
    8. Summary
  15. Section 3: Threats and Compliance Management
  16. Chapter 8: Understanding Common Security Threats to Cloud Services
    1. Technical requirements
    2. The MITRE ATT&CK framework
    3. Detecting and mitigating data breaches in cloud services
      1. Common consequences of data breaches
      2. Best practices for detecting and mitigating data breaches in cloud environments
      3. Common AWS services to assist in the detection and mitigation of data breaches
      4. Common Azure services to assist in the detection and mitigation of data breaches
      5. Common GCP services to assist in the detection and mitigation of data breaches
    4. Detecting and mitigating misconfigurations in cloud services
      1. Common AWS services to assist in the detection and mitigation of misconfigurations
      2. Common Azure services to assist in the detection and mitigation of misconfigurations
      3. Common GCP services to assist in the detection and mitigation of misconfigurations
    5. Detecting and mitigating insufficient IAM and key management in cloud services
      1. Common AWS services to assist in the detection and mitigation of insufficient IAM and key management
      2. Common Azure services to assist in the detection and mitigation of insufficient IAM and key management
      3. Common GCP services to assist in the detection and mitigation of insufficient IAM and key management
    6. Detecting and mitigating account hijacking in cloud services
      1. Common AWS services to assist in the detection and mitigation of account hijacking
      2. Common Azure services to assist in the detection and mitigation of account hijacking
      3. Common GCP services to assist in the detection and mitigation of account hijacking
    7. Detecting and mitigating insider threats in cloud services
      1. Common AWS services to assist in the detection and mitigation of insider threats
      2. Common Azure services to assist in the detection and mitigation of insider threats
      3. Common GCP services to assist in the detection and mitigation of insider threats
    8. Detecting and mitigating insecure APIs in cloud services
      1. Common AWS services to assist in the detection and mitigation of insecure APIs
      2. Common Azure services to assist in the detection and mitigation of insecure APIs
      3. Common GCP services to assist in the detection and mitigation of insecure APIs
    9. Detecting and mitigating the abuse of cloud services
      1. Common AWS services to assist in the detection and mitigation of the abuse of cloud services
      2. Common Azure services to assist in the detection and mitigation of the abuse of cloud services
      3. Common GCP services to assist in the detection and mitigation of the abuse of cloud services
    10. Summary
  17. Chapter 9: Handling Compliance and Regulation
    1. Technical requirements
    2. Compliance and the shared responsibility model
    3. Introduction to compliance with regulatory requirements and industry best practices
      1. How to maintain compliance in AWS
      2. How to maintain compliance in Azure
      3. How to maintain compliance in GCP
      4. Summary
    4. What are the common ISO standards related to cloud computing?
      1. ISO/IEC 27001 standard
      2. ISO 27017 standard
      3. ISO 27018 standard
      4. Summary
    5. What is a SOC report?
      1. Summary
    6. What is the CSA STAR program?
      1. STAR Level 1
      2. STAR Level 2
      3. Summary
    7. What is PCI DSS?
      1. Summary
    8. What is the GDPR?
      1. Summary
    9. What is HIPAA?
      1. Summary
    10. Summary
  18. Chapter 10: Engaging with Cloud Providers
    1. Technical requirements
    2. Choosing a cloud provider
      1. What is the most suitable cloud service model for our needs?
      2. Data privacy and data sovereignty
      3. Auditing and monitoring
      4. Migration capabilities
      5. Authentication
      6. Summary
    3. What is a cloud provider questionnaire?
      1. Summary
    4. Tips for contracts with cloud providers
      1. Summary
    5. Conducting penetration testing in cloud environments
      1. Summary
    6. Summary
  19. Section 4: Advanced Use of Cloud Services
  20. Chapter 11: Managing Hybrid Clouds
    1. Technical requirements
    2. Hybrid cloud strategy
      1. Cloud bursting
      2. Backup and disaster recovery
      3. Archive and data retention
      4. Distributed data processing
      5. Application modernization
      6. Summary
    3. Identity management over hybrid cloud environments
      1. How to manage identity over hybrid AWS environments
      2. How to manage identity over hybrid Azure environments
      3. How to manage identity over GCP hybrid environments
      4. Best practices for managing identities in hybrid environments
      5. Summary
    4. Network architecture for hybrid cloud environments
      1. How to connect the on-premises environment to AWS
      2. How to connect the on-premises environment to Azure
      3. How to connect the on-premises environment to GCP
      4. Summary
    5. Storage services for hybrid cloud environments
      1. How to connect to storage services over AWS hybrid environments
      2. How to connect to storage services over Azure hybrid environments
      3. How to connect to storage services over GCP hybrid environments
      4. Summary
    6. Compute services for hybrid cloud environments
      1. Using compute services over AWS hybrid environments
      2. Using compute services over Azure hybrid environments
      3. Using compute services over GCP hybrid environments
      4. Summary
    7. Securing hybrid cloud environments
      1. How to secure AWS hybrid environments
      2. How to secure Azure hybrid environments
      3. How to secure GCP hybrid environments
      4. Summary
    8. Summary
  21. Chapter 12: Managing Multi-Cloud Environments
    1. Technical requirements
    2. Multi-cloud strategy
      1. Freedom to select a cloud provider
      2. Freedom to select your services
      3. Reduced cost
      4. Data sovereignty
      5. Backup and disaster recovery
      6. Improving reliability
      7. Identity management
      8. Data security
      9. Asset management
      10. Skills gap
      11. Summary
    3. Identity management over multi-cloud environments
      1. How to manage identity in AWS over multi-cloud environments
      2. How to manage identity in Azure over multi-cloud environments
      3. How to manage identity in GCP over multi-cloud environments
      4. Summary
    4. Network architecture for multi-cloud environments
      1. How to create network connectivity between AWS and GCP
      2. How to create network connectivity between AWS and Azure
      3. How to create network connectivity between Azure and GCP
      4. Summary
    5. Data security in multi-cloud environments
      1. Encryption in transit
      2. Encryption at rest
      3. Encryption in use
      4. Summary
    6. Cost management in multi-cloud environments
      1. Summary
    7. Cloud Security Posture Management (CSPM)
      1. Summary
    8. Cloud Infrastructure Entitlement Management (CIEM)
      1. Summary
    9. Patch and configuration management in multi-cloud environments
      1. Summary
    10. The monitoring and auditing of multi-cloud environments
      1. Summary
    11. Summary
  22. Chapter 13: Security in Large-Scale Environments
    1. Technical requirements
    2. Managing governance and policies at a large scale
      1. Governance in AWS
      2. Governance in Azure
      3. Governance in Google Cloud
    3. Automation using IaC
      1. AWS CloudFormation
      2. Azure Resource Manager (ARM) templates
      3. Google Cloud Deployment Manager
      4. HashiCorp Terraform
      5. Summary
    4. Security in large-scale cloud environments
      1. Managing security at a large scale while working with AWS
      2. Managing security at a large scale while working with Azure
      3. Managing security at a large scale while working with Google Cloud
    5. Summary
    6. What's next?
      1. Plan ahead
      2. Automate
      3. Think big
      4. Continue learning
    7. Why subscribe?
  23. Other Books You May Enjoy
    1. Packt is searching for authors like you
    2. Share your thoughts

Product information

  • Title: Cloud Security Handbook
  • Author(s): Eyal Estrin
  • Release date: April 2022
  • Publisher(s): Packt Publishing
  • ISBN: 9781800569195