Book Image

Cloud Security Handbook

By : Eyal Estrin
Book Image

Cloud Security Handbook

By: Eyal Estrin

Overview of this book

Securing resources in the cloud is challenging, given that each provider has different mechanisms and processes. Cloud Security Handbook helps you to understand how to embed security best practices in each of the infrastructure building blocks that exist in public clouds. This book will enable information security and cloud engineers to recognize the risks involved in public cloud and find out how to implement security controls as they design, build, and maintain environments in the cloud. You'll begin by learning about the shared responsibility model, cloud service models, and cloud deployment models, before getting to grips with the fundamentals of compute, storage, networking, identity management, encryption, and more. Next, you'll explore common threats and discover how to stay in compliance in cloud environments. As you make progress, you'll implement security in small-scale cloud environments through to production-ready large-scale environments, including hybrid clouds and multi-cloud environments. This book not only focuses on cloud services in general, but it also provides actual examples for using AWS, Azure, and GCP built-in services and capabilities. By the end of this cloud security book, you'll have gained a solid understanding of how to implement security in cloud environments effectively.

Related Content you might be interested in

Current Title:

Small book image
Cloud Security Handbook
Eyal Estrin
Apr, 2022 | 456 pages
Small book image
Mastering AWS Security
Albert Anthony
Oct, 2017 | 252 pages
Small book image
AWS: Security Best Practices on AWS
Albert Anthony
Mar, 2018 | 118 pages
Small book image
Official Google Cloud Certified Professional Cloud Security Engineer Exam Guide
Prashant Kulkarni | Ankush Chowdhary
Aug, 2023 | 496 pages
Table of Contents (19 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the color images
Conventions used
Get in touch
Share your thoughts
1
Section 1: Securing Infrastructure Cloud Services
Section 1: Securing Infrastructure Cloud Services
Free Chapter
2
Chapter 1: Introduction to Cloud Security
Chapter 1: Introduction to Cloud Security
Technical requirements
What is a cloud service?
What are the cloud deployment models?
What are the cloud service models?
Why we need security
What is the shared responsibility model?
Command-line tools
Summary
3
Chapter 2: Securing Compute Services
Chapter 2: Securing Compute Services
Technical requirements
Securing VMs
Securing managed database services
Securing containers
Securing serverless/function as a service
Summary
4
Chapter 3: Securing Storage Services
Chapter 3: Securing Storage Services
Technical requirements
Securing object storage
Securing block storage
Securing file storage
Securing the CSI
Summary
5
Chapter 4: Securing Networking Services
Chapter 4: Securing Networking Services
Technical requirements
Securing virtual networking
Securing DNS services
Securing CDN services
Securing VPN services
Securing DDoS protection services
Securing WAF services
Summary
6
Section 2: Deep Dive into IAM, Auditing, and Encryption
Section 2: Deep Dive into IAM, Auditing, and Encryption
7
Chapter 5: Effective Strategies to Implement IAM Solutions
Chapter 5: Effective Strategies to Implement IAM Solutions
Technical requirements
Introduction to IAM
Failing to manage identities
Securing cloud-based IAM services
Securing directory services
Configuring MFA
Summary
8
Chapter 6: Monitoring and Auditing Your Cloud Environments
Chapter 6: Monitoring and Auditing Your Cloud Environments
Technical requirements
Conducting security monitoring and audit trails
Conducting threat detection and response
Conducting incident response and digital forensics
Summary
9
Chapter 7: Applying Encryption in Cloud Services
Chapter 7: Applying Encryption in Cloud Services
Technical requirements
Introduction to encryption
Best practices for deploying KMSes
Best practices for deploying secrets management services
Best practices for using encryption in transit
Best practices for using encryption at rest
Encryption in use
Summary
10
Section 3: Threats and Compliance Management
Section 3: Threats and Compliance Management
11
Chapter 8: Understanding Common Security Threats to Cloud Services
Chapter 8: Understanding Common Security Threats to Cloud Services
Technical requirements
The MITRE ATT&CK framework
Detecting and mitigating data breaches in cloud services
Detecting and mitigating misconfigurations in cloud services
Detecting and mitigating insufficient IAM and key management in cloud services
Detecting and mitigating account hijacking in cloud services
Detecting and mitigating insider threats in cloud services
Detecting and mitigating insecure APIs in cloud services
Detecting and mitigating the abuse of cloud services
Summary
12
Chapter 9: Handling Compliance and Regulation
Chapter 9: Handling Compliance and Regulation
Technical requirements
Compliance and the shared responsibility model
Introduction to compliance with regulatory requirements and industry best practices
What are the common ISO standards related to cloud computing?
What is a SOC report?
What is the CSA STAR program?
What is PCI DSS?
What is the GDPR?
What is HIPAA?
Summary
13
Chapter 10: Engaging with Cloud Providers
Chapter 10: Engaging with Cloud Providers
Technical requirements
Choosing a cloud provider
What is a cloud provider questionnaire?
Tips for contracts with cloud providers
Conducting penetration testing in cloud environments
Summary
14
Section 4: Advanced Use of Cloud Services
Section 4: Advanced Use of Cloud Services
15
Chapter 11: Managing Hybrid Clouds
Chapter 11: Managing Hybrid Clouds
Technical requirements
Hybrid cloud strategy
Identity management over hybrid cloud environments
Network architecture for hybrid cloud environments
Storage services for hybrid cloud environments
Compute services for hybrid cloud environments
Securing hybrid cloud environments
Summary
16
Chapter 12: Managing Multi-Cloud Environments
Chapter 12: Managing Multi-Cloud Environments
Technical requirements
Multi-cloud strategy
Identity management over multi-cloud environments
Network architecture for multi-cloud environments
Data security in multi-cloud environments
Cost management in multi-cloud environments
Cloud Security Posture Management (CSPM)
Cloud Infrastructure Entitlement Management (CIEM)
Patch and configuration management in multi-cloud environments
The monitoring and auditing of multi-cloud environments
Summary
17
Chapter 13:Security in Large-Scale Environments
Chapter 13:Security in Large-Scale Environments
Technical requirements
Managing governance and policies at a large scale
Automation using IaC
Security in large-scale cloud environments
Summary
What's next?
Why subscribe?
18
Other Books You May Enjoy
Other Books You May Enjoy
Packt is searching for authors like you
Share your thoughts

Best practices for using encryption at rest

The idea behind encryption at rest is to protect data once it has been saved into storage or a database or has been accessed by an untrusted third party.

Object storage encryption

When you're encrypting object storage, each file (or object) is encrypted separately.

Encryption/decryption process

The following workflow explains the process of extracting an encrypted object from object storage:

  • The DEK is stored near the object itself, and the object metadata specifies which encryption key version to use.
  • The entire DEK is wrapped with a KEK.
  • The KEK is stored inside a key-managed service.
  • When a request for accessing an object is made, the authorized service (or application) sends a request to the key managed service to locate the KEK and to decrypt the specific DEK.
  • The decrypted DEK is sent via a TLS/SSL channel from the KMS to the object storage. The object itself is decrypted using the decrypted...
Previous Section
End of Section 7
Next Section