Enterprise Cloud Security and Governance

By: Zeal Vora

Overview of this book

Modern day businesses and enterprises are moving to the Cloud to improve efficiency and speed, achieve flexibility and cost effectiveness, and make use of on-demand Cloud services. However, enterprise Cloud security remains a major concern because migrating to the public Cloud requires transferring some control over organizational assets to the Cloud provider. There is a chance that these assets can be mismanaged, and therefore, as a Cloud security professional, you need to be armed with techniques that help businesses minimize the risk of misuse of business data. The book starts with the basics of Cloud security and offers an understanding of the various policy, governance, and compliance challenges in the Cloud. This helps you build a strong foundation before you dive deep into what it takes to design a secured network infrastructure and a well-architected application using the various security services in the Cloud environment. It also covers automating security tasks, such as server hardening with Ansible, and other automation services, such as Monit, which monitors other security daemons and takes the necessary action in case those daemons are stopped maliciously. In short, this book has everything you need to secure your Cloud environment. It is your ticket to the industry-adopted best practices for developing a secure, highly available, and fault-tolerant architecture for organizations.

Policies and governance in cloud

Governance is basically a set of rules and policies through which an organization is directed and controlled so that it is focused towards its goals.

As an overview, if management is about running the business, governance is about seeing that it runs properly. Before we move further, we need to understand this with a few use cases; otherwise, it will remain a theoretical concept.

Let's understand this with an example. Small Corp. has started offering delivery services. There are three deliveries that are currently pending. Let's look at them from the management and governance perspectives:

  • Management:
    • Matt will pick up the first and second deliveries at 8 am and deliver them by 11 am
    • Alen will pick up the third delivery at 3 pm and deliver it by 7 pm
  • Governance:
    • Are all the deliveries being delivered on time?
    • Is everything being done in accordance with legal and regulatory requirements?

When we speak about information security governance, the board members of the organization should be briefed about it and should:

  • Be informed about the current information security readiness of the organization
  • Set direction to add policies and strategies, and to make sure that security is a part of new policies
  • Provide resources for security efforts
  • Obtain assurance from internal as well as external auditors
  • Assign management responsibilities

Let's look at some real-world use cases.

In one of the organizations that I have worked with, although the security posture was good, the board members used to stress on getting the audit done by external auditors. So, the external auditors used to come and check every control. Their firewall admin used to sit with our firewall admin and look into individual rules, and so on.

All that the board members wanted to hear from the external auditor was: is everything OK or not?

When we speak about briefing board members or the CEO about information security governance, it is important to speak their language.

For example, a firewall admin cannot simply tell the board that there are advanced persistent threats and that, for this reason, next-generation firewalls are needed. They might fire him even though he might be the best firewall admin in the organization.

Thus, the representative must speak their language: the CISO, CIO, or another representative should present the current security threats, the current preparedness level, and the future plans, so that the board can approve new budgets and discuss further:

  • It is the responsibility of the senior executives to respond to the concerns raised by the information security expert
  • In order to effectively exercise enterprise governance, the board and senior executives must have a clear vision of what is expected from the information security program
  • IT security governance is different from IT security management: security management is more focused on how to mitigate the risks associated with security, whereas governance is more concerned with who in the organization is authorized and responsible for making decisions:

Governance                 | Management
---------------------------|-------------------------------------
Overseeing the operations  | Deals with the implementation aspect
Making policies            | Enforcing policies
Allocating the resources   | Utilizing the resources
Strategic                  | Tactical

  • Nowadays, increased corporate governance requirements have caused organizations to look into their internal controls more closely to ensure that the required controls are in place and are operating effectively.

Let's understand this with an example. John is a new CISO who has joined Medium Corp. After joining, John realized that most of the things the organization had been doing were incomplete. At the end of the year, when the auditor came, more than half of the controls didn't work: backups were failing, audit trails were not being recorded across many servers, and so on.

So, John decided to implement the NIST Cybersecurity Framework. As an overview, if you follow industry-standard frameworks such as NIST, you can be sure that your organization is in great shape with respect to security.