Practical Cloud Security

Practical Cloud Security

by Chris Dotson
Released March 2019
Publisher(s): O'Reilly Media, Inc.
ISBN: 9781492037514

Read it now on the O’Reilly learning platform with a 10-day free trial.

O’Reilly members get unlimited access to books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Buy on Amazon
Start your free trial

Book description

With their rapidly changing architecture and API-driven automation, cloud platforms come with unique security challenges and opportunities. This hands-on book guides you through security best practices for multivendor cloud environments, whether your company plans to move legacy on-premises projects to the cloud or build a new infrastructure from the ground up.

Developers, IT architects, and security professionals will learn cloud-specific techniques for securing popular cloud platforms such as Amazon Web Services, Microsoft Azure, and IBM Cloud. Chris Dotson—an IBM senior technical staff member—shows you how to establish data asset management, identity and access management, vulnerability management, network security, and incident response in your cloud environment.

Publisher resources

View/Submit Errata

Table of contents

  1. Preface
    1. Conventions Used in This Book
    2. O’Reilly Online Learning Platform
    3. How to Contact Us
    4. Acknowledgments
  2. 1. Principles and Concepts
    1. Least Privilege
    2. Defense in Depth
    3. Threat Actors, Diagrams, and Trust Boundaries
    4. Cloud Delivery Models
    5. The Cloud Shared Responsibility Model
    6. Risk Management
  3. 2. Data Asset Management and Protection
    1. Data Identification and Classification
      1. Example Data Classification Levels
      2. Relevant Industry or Regulatory Requirements
    2. Data Asset Management in the Cloud
      1. Tagging Cloud Resources
    3. Protecting Data in the Cloud
      1. Tokenization
      2. Encryption
    4. Summary
  4. 3. Cloud Asset Management and Protection
    1. Differences from Traditional IT
    2. Types of Cloud Assets
      1. Compute Assets
      2. Storage Assets
      3. Network Assets
    3. Asset Management Pipeline
      1. Procurement Leaks
      2. Processing Leaks
      3. Tooling Leaks
      4. Findings Leaks
    4. Tagging Cloud Assets
    5. Summary
  5. 4. Identity and Access Management
    1. Differences from Traditional IT
    2. Life Cycle for Identity and Access
    3. Request
    4. Approve
    5. Create, Delete, Grant, or Revoke
    6. Authentication
      1. Cloud IAM Identities
      2. Business-to-Consumer and Business-to-Employee
      3. Multi-Factor Authentication
      4. Passwords and API Keys
      5. Shared IDs
      6. Federated Identity
      7. Single Sign-On
      8. Instance Metadata and Identity Documents
      9. Secrets Management
    7. Authorization
      1. Centralized Authorization
      2. Roles
    8. Revalidate
    9. Putting It All Together in the Sample Application
    10. Summary
  6. 5. Vulnerability Management
    1. Differences from Traditional IT
    2. Vulnerable Areas
      1. Data Access
      2. Application
      3. Middleware
      4. Operating System
      5. Network
      6. Virtualized Infrastructure
      7. Physical Infrastructure
    3. Finding and Fixing Vulnerabilities
      1. Network Vulnerability Scanners
      2. Agentless Scanners and Configuration Management
      3. Agent-Based Scanners and Configuration Management
      4. Cloud Provider Security Management Tools
      5. Container Scanners
      6. Dynamic Application Scanners (DAST)
      7. Static Application Scanners (SAST)
      8. Software Composition Analysis Scanners (SCA)
      9. Interactive Application Scanners (IAST)
      10. Runtime Application Self-Protection Scanners (RASP)
      11. Manual Code Reviews
      12. Penetration Tests
      13. User Reports
      14. Example Tools for Vulnerability and Configuration Management
    4. Risk Management Processes
    5. Vulnerability Management Metrics
      1. Tool Coverage
      2. Mean Time to Remediate
      3. Systems/Applications with Open Vulnerabilities
      4. Percentage of False Positives
      5. Percentage of False Negatives
      6. Vulnerability Recurrence Rate
    6. Change Management
    7. Putting It All Together in the Sample Application
    8. Summary
  7. 6. Network Security
    1. Differences from Traditional IT
    2. Concepts and Definitions
      1. Whitelists and Blacklists
      2. DMZs
      3. Proxies
      4. Software-Defined Networking
      5. Network Features Virtualization
      6. Overlay Networks and Encapsulation
      7. Virtual Private Clouds
      8. Network Address Translation
      9. IPv6
    3. Putting It All Together in the Sample Application
      1. Encryption in Motion
      2. Firewalls and Network Segmentation
      3. Allowing Administrative Access
      4. Web Application Firewalls and RASP
      5. Anti-DDoS
      6. Intrusion Detection and Prevention Systems
      7. Egress Filtering
      8. Data Loss Prevention
    4. Summary
  8. 7. Detecting, Responding to, and Recovering from Security Incidents
    1. Differences from Traditional IT
    2. What to Watch
      1. Privileged User Access
      2. Logs from Defensive Tooling
      3. Cloud Service Logs and Metrics
      4. Operating System Logs and Metrics
      5. Middleware Logs
      6. Secrets Server
      7. Your Application
    3. How to Watch
      1. Aggregation and Retention
      2. Parsing Logs
      3. Searching and Correlation
      4. Alerting and Automated Response
      5. Security Information and Event Managers
      6. Threat Hunting
    4. Preparing for an Incident
      1. Team
      2. Plans
      3. Tools
    5. Responding to an Incident
      1. Cyber Kill Chains
      2. The OODA Loop
      3. Cloud Forensics
      4. Blocking Unauthorized Access
      5. Stopping Data Exfiltration and Command and Control
    6. Recovery
      1. Redeploying IT Systems
      2. Notifications
      3. Lessons Learned
    7. Example Metrics
    8. Example Tools for Detection, Response, and Recovery
    9. Putting It All Together in the Sample Application
      1. Monitoring the Protective Systems
      2. Monitoring the Application
      3. Monitoring the Administrators
      4. Understanding the Auditing Infrastructure
    10. Summary
  9. Index

Product information

  • Title: Practical Cloud Security
  • Author(s): Chris Dotson
  • Release date: March 2019
  • Publisher(s): O'Reilly Media, Inc.
  • ISBN: 9781492037514