Cloud Security Handbook

By: Eyal Estrin

Overview of this book

Securing resources in the cloud is challenging, given that each provider has different mechanisms and processes. Cloud Security Handbook helps you to understand how to embed security best practices in each of the infrastructure building blocks that exist in public clouds. This book will enable information security and cloud engineers to recognize the risks involved in public cloud and find out how to implement security controls as they design, build, and maintain environments in the cloud. You'll begin by learning about the shared responsibility model, cloud service models, and cloud deployment models, before getting to grips with the fundamentals of compute, storage, networking, identity management, encryption, and more. Next, you'll explore common threats and discover how to stay in compliance in cloud environments. As you make progress, you'll implement security in small-scale cloud environments through to production-ready large-scale environments, including hybrid clouds and multi-cloud environments. This book not only focuses on cloud services in general, but it also provides actual examples for using AWS, Azure, and GCP built-in services and capabilities. By the end of this cloud security book, you'll have gained a solid understanding of how to implement security in cloud environments effectively.

Table of Contents (19 chapters)

Section 1: Securing Infrastructure Cloud Services
Section 2: Deep Dive into IAM, Auditing, and Encryption
Section 3: Threats and Compliance Management
Section 4: Advanced Use of Cloud Services

What is the shared responsibility model?

When speaking about cloud security and cloud service models (IaaS/PaaS/SaaS), the thing that we all hear about is the shared responsibility model, which tries to draw a line between the cloud provider and the customer's responsibilities regarding security.

As you can see in the following diagram, the cloud provider is always responsible for the lower layers – from the physical security of their data centers, through networking, storage, host servers, and the virtualization layers:

Figure 1.1 – The shared responsibility model

Above the virtualization layer is where the responsibility begins to change.

When working with IaaS, we, as the customers, can select a pre-installed image of an operating system (with or without additional software installed inside the image), deploy our applications, and manage permissions to access our data.

When working with PaaS, we, as the customers, may have the ability to control code in a managed environment (services such as AWS Elastic Beanstalk, Azure Web Apps, and Google App Engine) and manage permissions to access our data.

When working with SaaS, we, as the customers, receive a fully managed service, and all we can do is manage permissions to access our data.

In the next sections, we will look at how the various cloud providers (AWS, Azure, and GCP) look at the shared responsibility model from their own perspective.

For more information on the shared responsibility model, you can check the following link: https://tutorials4sharepoint.wordpress.com/2020/04/24/shared-responsibility-model/.

AWS and the shared responsibility model

Looking at the shared responsibility model from AWS's point of view, we can see the clear distinction between AWS's responsibility for the security of the cloud (physical hardware and the lower layers such as host servers, storage, database, and network) and the customer's responsibility for security in the cloud (everything the customer controls – operating system, data encryption, network firewall rules, and customer data). The following diagram depicts AWS and the shared responsibility model:

Figure 1.2 – AWS and the shared responsibility model

As a customer of AWS, reading this book will allow you to gain the essential knowledge and best practices for using common AWS services (including compute, storage, networking, authentication, and so on) in a secure way.

More information on the AWS shared responsibility model can be found at the following link: https://aws.amazon.com/blogs/industries/applying-the-aws-shared-responsibility-model-to-your-gxp-solution/.

Azure and the shared responsibility model

Looking at the shared responsibility model from Azure's point of view, we can see the distinction between Azure's responsibility for its data centers (physical layers) and the customer's responsibility at the top layers (identities, devices, and customers' data). In the middle layers (operating system, network controls, and applications) the responsibility changes between Azure and the customers, according to various service types. The following diagram depicts Azure and the shared responsibility model:

Figure 1.3 – Azure and the shared responsibility model

As a customer of Azure, reading this book will allow you to gain the essential knowledge and best practices for using common Azure services (including compute, storage, networking, authentication, and others) in a secure way.

More information on the Azure shared responsibility model can be found at the following link: https://docs.microsoft.com/en-us/azure/security/fundamentals/shared-responsibility.

GCP and the shared responsibility model

Looking at the shared responsibility model from GCP's point of view, we can see that Google emphasizes that it builds its own hardware, which lets it control the hardware, boot, and kernel of its platform, as well as the storage-layer encryption, the network equipment, and the logging of everything that Google is responsible for.

When looking at the things that the customer is responsible for, we can see many more layers, including everything from the guest operating system, network security rules, authentication, identity, and web application security, to things such as deployment, usage, access policies, and content (customers' data). The following diagram depicts GCP and the shared responsibility model:

Figure 1.4 – GCP and the shared responsibility model

As a customer of GCP, reading this book will allow you to gain the essential knowledge and best practices for using common GCP services (including compute, storage, networking, authentication, and more) in a secure way.

More information about the GCP shared responsibility model can be found at the following link: https://services.google.com/fh/files/misc/google-cloud-security-foundations-guide.pdf.

As a customer, understanding the shared responsibility model allows you, at any given time, to understand which layers are under the cloud vendor's responsibility and which layers are under the customer's responsibility.