
Enterprise Cloud Security and Governance

By : Zeal Vora

Overview of this book

Modern day businesses and enterprises are moving to the Cloud to improve efficiency and speed, achieve flexibility and cost effectiveness, and benefit from on-demand Cloud services. However, enterprise Cloud security remains a major concern because migrating to the public Cloud requires transferring some control over organizational assets to the Cloud provider. These assets can be mismanaged, and therefore, as a Cloud security professional, you need to be armed with techniques that help businesses minimize the risk and misuse of business data. The book starts with the basics of Cloud security and offers an understanding of the various policy, governance, and compliance challenges in the Cloud. This helps you build a strong foundation before you dive deep into what it takes to design a secured network infrastructure and a well-architected application using the various security services in the Cloud environment. It also covers automating security tasks, such as server hardening with Ansible, and using other automation services, such as Monit, to monitor security daemons and take the necessary action in case those daemons are stopped maliciously. In short, this book has everything you need to secure your Cloud environment. It is your ticket to industry-adopted best practices for developing a secure, highly available, and fault-tolerant architecture for organizations.

Service models

There are three major service models in the cloud computing environment, and depending on the use case of the organization, one of them is generally chosen:

  • Software as a service (SaaS)
  • Platform as a service (PaaS)
  • Infrastructure as a service (IaaS)

Let's spend some time understanding each of these service models which will in turn help us decide the ideal one for our requirements. Depending on the service models that we choose, the security implementation varies considerably.

Software as a service

In its simplest terms, SaaS means a hosted application on the internet. A SaaS provider will provide the application on their servers that consumers will be able to use.

Installing, managing, securing, and troubleshooting the application are entirely the responsibility of the SaaS provider.

One of the disadvantages of the SaaS-based approach is that if the SaaS provider needs downtime for any reason, the organizations using the application have no choice but to wait, which leads to lost productivity.

For example, Google Docs is a famous SaaS service. We use Google Docs (similar to Microsoft Word) and Google Sheets (similar to Microsoft Excel) online.

Microsoft Word is also ported to the cloud through a service called Office 365. We can access Word, Excel, and PowerPoint all from a browser.

The following is an example of PowerPoint available online as a part of the Office 365 suite, where you can run various software, such as Word, Excel, and PowerPoint, from your browser without installation:

Platform as a service

In a PaaS-based offering, the provider allows consumers to host their own applications on the provider's cloud infrastructure.

The PaaS provider, in turn, handles the backend support of the programming languages, libraries, and associated tools that allow a consumer to upload and manage their application. The consumer does not have to worry about underlying servers, OS, networks, and platform security as they're handled by the PaaS provider.

However, the hosted application's security and configuration is still the responsibility of the customer.

Google App Engine, which is part of the Google Cloud Platform, is one famous example. All we have to do is upload our code, and the provider manages the entire backend. However, if the code itself is vulnerable, that is the responsibility of the customer and not the PaaS provider:

Infrastructure as a service

In IaaS, the hosting provider will host the virtual machine (VM) on behalf of the consumer at their end.

The consumer selects the resources that are needed (RAM, CPU, and network) with just a few clicks and is provided a server in the cloud.

The consumer does not control the underlying infrastructure, such as virtualization software, physical security, and hardware. It is the cloud provider's responsibility to handle the reliability of hardware and virtualization software used and the physical security of the servers, and the client is responsible for the VM configuration and its associated security:

For example, as shown in the previous figure, Amazon EC2 is one of the well-known examples of IaaS. Clients can launch an EC2 instance with customized configurations, such as the operating system, associated resources (CPU, RAM, and network), IP addresses, and even the firewall rules (security groups).
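Because the firewall rules (security groups) of an IaaS instance fall on the customer's side of the responsibility split, a simple check for world-open ingress on sensitive ports is one of the first controls a cloud security team puts in place. The following is an added example and not code from the book: it audits a security group in the shape returned by the AWS `describe_security_groups` API, using a constructed sample group rather than a live account.

```python
import ipaddress

# Ports where ingress from the whole internet is almost never intended on an EC2 host.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL",
                   6379: "Redis", 27017: "MongoDB"}


def _port_range(perm):
    """Port span a rule covers; protocol "-1" means all traffic on all ports."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def audit_security_group(group):
    """Return (group_id, service, port, cidr) for every sensitive port reachable
    from any address on the internet (0.0.0.0/0 or ::/0). Rules restricted to a
    private range or to non-sensitive ports produce no finding."""
    findings = []
    for perm in group.get("IpPermissions", []):
        lo, hi = _port_range(perm)
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if ipaddress.ip_network(cidr, strict=False).prefixlen != 0:
                continue  # only "anyone on the internet" is flagged here
            for port, name in SENSITIVE_PORTS.items():
                if lo <= port <= hi:
                    findings.append((group["GroupId"], name, port, cidr))
    return findings


# Constructed sample group (assumption: boto3-style structure, not real account data).
SAMPLE_GROUP = {
    "GroupId": "sg-0example",
    "GroupName": "web-tier",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},           # fine for a web tier
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},           # SSH open to the world
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},         # DB limited to the VPC
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},  # all traffic over IPv6
    ],
}

if __name__ == "__main__":
    for gid, name, port, cidr in audit_security_group(SAMPLE_GROUP):
        print(f"{gid}: {name} (tcp/{port}) reachable from {cidr}")
```

The same function can be run over the `SecurityGroups` list returned by a real `describe_security_groups` call; the ingress rules on the VM side of the split are what the customer, not the IaaS provider, is expected to keep tight.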