Practical Cloud Security: A Guide for Secure Design and Deployment, 2nd Edition
Chris Dotson
O'Reilly Media, Incorporated, 2nd, 2023
English [en] · PDF · 5.1MB · 2023 · Book (non-fiction) · lgli/lgrs/nexusstc/upload/zlib
Description
With rapidly changing architecture and API-driven automation, cloud platforms come with unique security challenges and opportunities. In this updated second edition, you'll examine security best practices for multivendor cloud environments, whether your company plans to move legacy on-premises projects to the cloud or build a new infrastructure from the ground up. Developers, IT architects, and security professionals will learn cloud-specific techniques for securing popular cloud platforms such as Amazon Web Services, Microsoft Azure, and IBM Cloud. IBM Distinguished Engineer Chris Dotson shows you how to establish data asset management, identity and access management (IAM), vulnerability management, network security, and incident response in your cloud environment.
- Learn the latest threats and challenges in the cloud security space
- Manage cloud providers that store or process data or deliver administrative control
- Learn how standard principles and concepts--such as least privilege and defense in depth--apply in the cloud
- Understand the critical role played by IAM in the cloud
- Use best tactics for detecting, responding, and recovering from the most common security incidents
- Manage various types of vulnerabilities, especially those common in multicloud or hybrid cloud architectures
- Examine privileged access management in cloud environments
This edition also covers privileged access management in cloud environments; an expanded look into applying zero trust principles; additional controls around cloud development and test environments; and up-to-date information on authentication of users and systems.
Alternative filename
nexusstc/Practical Cloud Security: A Guide for Secure Design and Deployment/1e5fb77c4dade8e7ddd6c2a96c58b8fb.pdf
Alternative filename
lgli/OReilly.Practical.Cloud.Security.2nd.Edition.1098148177.pdf
Alternative filename
lgrsnf/OReilly.Practical.Cloud.Security.2nd.Edition.1098148177.pdf
Alternative filename
zlib/Computers/Security/Chris Dotson/Practical Cloud Security: A Guide for Secure Design and Deployment, 2nd Edition_26732308.pdf
Alternative author
Dotson, Chris
Alternative edition
United States, United States of America
Alternative edition
O'Reilly Media, Sebastopol, CA, 2024
Metadata comments
Publisher's PDF
Metadata comments
producers:
Antenna House PDF Output Library 6.2.609 (Linux64)
Metadata comments
{"edition":"2","isbns":["1098148177","9781098148171"],"last_page":228,"publisher":"O'Reilly Media"}
Alternative description
Cover
Copyright
Table of Contents
Preface
Who Should Read This Book
Navigating This Book
What’s New in the Second Edition
Conventions Used in This Book
O’Reilly Online Learning Platform
How to Contact Us
Acknowledgments
Chapter 1. Principles and Concepts
Least Privilege
Defense in Depth
Zero Trust
Threat Actors, Diagrams, and Trust Boundaries
Cloud Service Delivery Models
The Cloud Shared Responsibility Model
Risk Management
Conclusion
Exercises
Chapter 2. Data Asset Management and Protection
Data Identification and Classification
Example Data Classification Levels
Relevant Industry or Regulatory Requirements
Data Asset Management in the Cloud
Tagging Cloud Resources
Protecting Data in the Cloud
Tokenization
Encryption
Conclusion
Exercises
Chapter 3. Cloud Asset Management and Protection
Differences from Traditional IT
Types of Cloud Assets
Compute Assets
Storage Assets
Network Assets
Asset Management Pipeline
Procurement Leaks
Processing Leaks
Tooling Leaks
Findings Leaks
Tagging Cloud Assets
Conclusion
Exercises
Chapter 4. Identity and Access Management
Differences from Traditional IT
Life Cycle for Identity and Access
Request
Approve
Create, Delete, Grant, or Revoke
Authentication
Cloud IAM Identities
Business-to-Consumer and Business-to-Employee
Multi-Factor Authentication
Passwords, Passphrases, and API Keys
Shared IDs
Federated Identity
Single Sign-On
Instance Metadata and Identity Documents
Secrets Management
Authorization
Centralized Authorization
Roles
Revalidate
Putting It All Together in the Sample Application
Conclusion
Exercises
Chapter 5. Vulnerability Management
Differences from Traditional IT
Vulnerable Areas
Data Access
Application
Middleware
Operating System
Network
Virtualized Infrastructure
Physical Infrastructure
Finding and Fixing Vulnerabilities
Network Vulnerability Scanners
Agentless Scanners and Configuration Management Systems
Agent-Based Scanners and Configuration Management Systems
Cloud Workload Protection Platforms
Container Scanners
Dynamic Application Scanners (DAST)
Static Application Scanners (SAST)
Software Composition Analysis Tools (SCA)
Interactive Application Scanners (IAST)
Runtime Application Self-Protection Scanners (RASP)
Manual Code Reviews
Penetration Tests
User Reports
Example Tools for Vulnerability and Configuration Management
Risk Management Processes
Vulnerability Management Metrics
Tool Coverage
Mean Time to Remediate
Systems/Applications with Open Vulnerabilities
Percentage of False Positives
Percentage of False Negatives
Vulnerability Recurrence Rate
Change Management
Putting It All Together in the Sample Application
Conclusion
Exercises
Chapter 6. Network Security
Differences from Traditional IT
Concepts and Definitions
Zero Trust Networking
Allowlists and Denylists
DMZs
Proxies
Software-Defined Networking
Network Functions Virtualization
Overlay Networks and Encapsulation
Virtual Private Clouds
Network Address Translation
IPv6
Network Defense in Action in the Sample Application
Encryption in Motion
Firewalls and Network Segmentation
Allowing Administrative Access
Network Defense Tools
Egress Filtering
Data Loss Prevention
Conclusion
Exercises
Chapter 7. Detecting, Responding to, and Recovering from Security Incidents
Differences from Traditional IT
What to Watch
Privileged User Access
Logs from Defensive Tooling
Cloud Service Logs and Metrics
Operating System Logs and Metrics
Middleware Logs
Secrets Server
Your Application
How to Watch
Aggregation and Retention
Parsing Logs
Searching and Correlation
Alerting and Automated Response
Security Information and Event Managers
Threat Hunting
Preparing for an Incident
Team
Plans
Tools
Responding to an Incident
Cyber Kill Chains and MITRE ATT&CK
The OODA Loop
Cloud Forensics
Blocking Unauthorized Access
Stopping Data Exfiltration and Command and Control
Recovery
Redeploying IT Systems
Notifications
Lessons Learned
Example Metrics
Example Tools for Detection, Response, and Recovery
Detection and Response in a Sample Application
Monitoring the Protective Systems
Monitoring the Application
Monitoring the Administrators
Understanding the Auditing Infrastructure
Conclusion
Exercises
Appendix. Exercise Solutions
Chapter 1
Chapter 2
Chapter 3
Chapter 4
Chapter 5
Chapter 6
Chapter 7
Index
About the Author
Colophon
Date open sourced
2023-10-31