book

Cloud Security Handbook

Name: Cloud Security Handbook
Author: Eyal Estrin
ISBN: 9781800569195

by Eyal Estrin

April 2022

Intermediate to advanced

456 pages

8h 37m

English

Packt Publishing

Read now

Unlock full access

Cloud Security Handbook
ContributorsAbout the authorAbout the reviewers
Preface
Who this book is forWhat this book coversTo get the most out of this bookDownload the color imagesConventions usedGet in touchShare your thoughts
Section 1: Securing Infrastructure Cloud Services
Chapter 1: Introduction to Cloud Security
Technical requirementsWhat is a cloud service?What are the cloud deployment models?What are the cloud service models?Why we need securityWhat is the shared responsibility model?AWS and the shared responsibility modelAzure and the shared responsibility modelGCP and the shared responsibility modelCommand-line toolsAWS CLIAzure CLIGoogle Cloud SDKSummary
Chapter 2: Securing Compute Services
Technical requirementsSecuring VMsSecuring Amazon Elastic Compute Cloud (EC2)Securing Azure Virtual MachinesSecuring Google Compute Engine (GCE) and VM instancesSecuring managed database servicesSecuring Amazon RDS for MySQLSecuring Azure Database for MySQLSecuring Google Cloud SQL for MySQLSecuring containersSecuring Amazon Elastic Container Service (ECS)Securing Amazon Elastic Kubernetes Service (EKS)Securing Azure Container Instances (ACI)Securing Azure Kubernetes Service (AKS)Securing Google Kubernetes Engine (GKE)Securing serverless/function as a serviceSecuring AWS LambdaSecuring Azure FunctionsSecuring Google Cloud FunctionsSummary
Chapter 3: Securing Storage Services
Technical requirementsSecuring object storageSecuring Amazon Simple Storage ServiceSecuring Azure Blob storageSecuring Google Cloud StorageSecuring block storageBest practices for securing Amazon Elastic Block StoreBest practices for securing Azure managed disksBest practices for securing Google Persistent DiskSummarySecuring file storageSecuring Amazon Elastic File System Securing Azure FilesSecuring Google FilestoreSecuring the CSISecuring CSI on AWSSecuring CSI on AzureSecuring CSI on GCPSummary
Chapter 4: Securing Networking Services
Technical requirementsSecuring virtual networkingSecuring Amazon Virtual Private CloudSecuring Azure VNetSecuring Google Cloud VPCSecuring DNS servicesSecuring Amazon Route 53Securing Azure DNSSecuring Google Cloud DNSSecuring CDN servicesSecuring Amazon CloudFrontSecuring Azure CDNSecuring Google Cloud CDNSecuring VPN servicesSecuring AWS Site-to-Site VPNSecuring AWS Client VPNSecuring Azure VPN Gateway (Site-to-Site)Securing Azure VPN Gateway (Point-to-Site)Securing Google Cloud VPNSecuring DDoS protection servicesSecuring AWS ShieldSecuring Azure DDoS ProtectionSecuring Google Cloud ArmorSecuring WAF servicesSecuring AWS WAFSecuring Azure WAFSummary
Section 2: Deep Dive into IAM, Auditing, and Encryption
Chapter 5: Effective Strategies to Implement IAM Solutions
Technical requirementsIntroduction to IAMFailing to manage identitiesSecuring cloud-based IAM servicesSecuring AWS IAMAuditing AWS IAMSecuring Azure ADAuditing Azure ADSecuring Google Cloud IAMAuditing Google Cloud IAMSecuring directory servicesSecuring AWS Directory ServiceSecuring Azure Active Directory Domain Services (Azure AD DS)Securing Google Managed Service for Microsoft ADConfiguring MFASummary
Chapter 6: Monitoring and Auditing Your Cloud Environments
Technical requirementsConducting security monitoring and audit trailsSecurity monitoring and audit trails using AWS CloudTrailSecurity monitoring using AWS Security HubBest practices for using AWS Security HubSecurity monitoring and audit trails using Azure MonitorBest practices for using Azure MonitorSecurity monitoring and approval process using Customer LockboxBest practices for using Customer LockboxSecurity monitoring and audit trail using Google Cloud LoggingSecurity monitoring using Google Security Command CenterSecurity monitoring and approval process using Access Transparency and Access ApprovalConducting threat detection and responseUsing Amazon Detective for threat detectionUsing Amazon GuardDuty for threat detectionSecurity monitoring using Microsoft Defender for CloudUsing Azure Sentinel for threat detectionUsing Azure Defender for threat detectionUsing Google Security Command Center for threat detection and preventionConducting incident response and digital forensicsConducting incident response in AWSConducting incident response in AzureConducting incident response in Google Cloud PlatformSummary

Chapter 7: Applying Encryption in Cloud Services
Technical requirementsIntroduction to encryptionSymmetric encryptionAsymmetric encryptionBest practices for deploying KMSesAWS Key Management Service (KMS)AWS CloudHSMAzure Key VaultAzure Dedicated/Managed HSMGoogle Cloud Key Management Service (KMS)Best practices for deploying secrets management servicesAWS Secrets ManagerGoogle Secret ManagerBest practices for using encryption in transitIPSecTransport Layer Security (TLS)Best practices for using encryption at restObject storage encryptionBlock storage encryptionFull database encryptionRow-level securityEncryption in useAWS Nitro EnclavesAzure Confidential ComputingGoogle Confidential ComputingSummary
Section 3: Threats and Compliance Management
Chapter 8: Understanding Common Security Threats to Cloud Services
Technical requirementsThe MITRE ATT&CK frameworkDetecting and mitigating data breaches in cloud servicesCommon consequences of data breachesBest practices for detecting and mitigating data breaches in cloud environmentsCommon AWS services to assist in the detection and mitigation of data breachesCommon Azure services to assist in the detection and mitigation of data breachesCommon GCP services to assist in the detection and mitigation of data breachesDetecting and mitigating misconfigurations in cloud servicesCommon AWS services to assist in the detection and mitigation of misconfigurationsCommon Azure services to assist in the detection and mitigation of misconfigurationsCommon GCP services to assist in the detection and mitigation of misconfigurationsDetecting and mitigating insufficient IAM and key management in cloud servicesCommon AWS services to assist in the detection and mitigation of insufficient IAM and key managementCommon Azure services to assist in the detection and mitigation of insufficient IAM and key managementCommon GCP services to assist in the detection and mitigation of insufficient IAM and key managementDetecting and mitigating account hijacking in cloud servicesCommon AWS services to assist in the detection and mitigation of account hijackingCommon Azure services to assist in the detection and mitigation of account hijackingCommon GCP services to assist in the detection and mitigation of account hijackingDetecting and mitigating insider threats in cloud servicesCommon AWS services to assist in the detection and mitigation of insider threatsCommon Azure services to assist in the detection and mitigation of insider threatsCommon GCP services to assist in the detection and mitigation of insider threatsDetecting and mitigating insecure APIs in cloud servicesCommon AWS services to assist in the detection and mitigation of insecure APIsCommon Azure services to assist in the detection and mitigation of insecure APIsCommon GCP services to assist in the detection and mitigation of insecure APIsDetecting and mitigating the abuse of cloud servicesCommon AWS services to assist in the detection and mitigation of the abuse of cloud servicesCommon Azure services to assist in the detection and mitigation of the abuse of cloud servicesCommon GCP services to assist in the detection and mitigation of the abuse of cloud servicesSummary
Chapter 9: Handling Compliance and Regulation
Technical requirementsCompliance and the shared responsibility modelIntroduction to compliance with regulatory requirements and industry best practicesHow to maintain compliance in AWSHow to maintain compliance in AzureHow to maintain compliance in GCPSummaryWhat are the common ISO standards related to cloud computing?ISO/IEC 27001 standardISO 27017 standardISO 27018 standardSummaryWhat is a SOC report?SummaryWhat is the CSA STAR program?STAR Level 1STAR Level 2SummaryWhat is PCI DSS?SummaryWhat is the GDPR?SummaryWhat is HIPAA?SummarySummary
Chapter 10: Engaging with Cloud Providers
Technical requirementsChoosing a cloud providerWhat is the most suitable cloud service model for our needs?Data privacy and data sovereigntyAuditing and monitoringMigration capabilitiesAuthenticationSummaryWhat is a cloud provider questionnaire?SummaryTips for contracts with cloud providersSummaryConducting penetration testing in cloud environmentsSummarySummary
Section 4: Advanced Use of Cloud Services
Chapter 11: Managing Hybrid Clouds
Technical requirementsHybrid cloud strategyCloud burstingBackup and disaster recoveryArchive and data retentionDistributed data processingApplication modernizationSummaryIdentity management over hybrid cloud environmentsHow to manage identity over hybrid AWS environmentsHow to manage identity over hybrid Azure environmentsHow to manage identity over GCP hybrid environmentsBest practices for managing identities in hybrid environmentsSummaryNetwork architecture for hybrid cloud environmentsHow to connect the on-premises environment to AWSHow to connect the on-premises environment to AzureHow to connect the on-premises environment to GCPSummaryStorage services for hybrid cloud environmentsHow to connect to storage services over AWS hybrid environmentsHow to connect to storage services over Azure hybrid environmentsHow to connect to storage services over GCP hybrid environmentsSummaryCompute services for hybrid cloud environmentsUsing compute services over AWS hybrid environmentsUsing compute services over Azure hybrid environmentsUsing compute services over GCP hybrid environmentsSummarySecuring hybrid cloud environmentsHow to secure AWS hybrid environmentsHow to secure Azure hybrid environmentsHow to secure GCP hybrid environmentsSummarySummary
Chapter 12: Managing Multi-Cloud Environments
Technical requirementsMulti-cloud strategyFreedom to select a cloud providerFreedom to select your servicesReduced costData sovereigntyBackup and disaster recoveryImproving reliabilityIdentity managementData securityAsset managementSkills gapSummaryIdentity management over multi-cloud environmentsHow to manage identity in AWS over multi-cloud environmentsHow to manage identity in Azure over multi-cloud environmentsHow to manage identity in GCP over multi-cloud environmentsSummaryNetwork architecture for multi-cloud environmentsHow to create network connectivity between AWS and GCPHow to create network connectivity between AWS and AzureHow to create network connectivity between Azure and GCPSummaryData security in multi-cloud environmentsEncryption in transitEncryption at restEncryption in useSummaryCost management in multi-cloud environmentsSummaryCloud Security Posture Management (CSPM)SummaryCloud Infrastructure Entitlement Management (CIEM) SummaryPatch and configuration management in multi-cloud environmentsSummaryThe monitoring and auditing of multi-cloud environmentsSummarySummary
Chapter 13:Security in Large-Scale Environments
Technical requirementsManaging governance and policies at a large scaleGovernance in AWSGovernance in AzureGovernance in Google CloudAutomation using IaCAWS CloudFormationAzure Resource Manager (ARM) templatesGoogle Cloud Deployment ManagerHashiCorp TerraformSummarySecurity in large-scale cloud environmentsManaging security at a large scale while working with AWSManaging security at a large scale while working with AzureManaging security at a large scale while working with Google CloudSummaryWhat's next?Plan aheadAutomateThink bigContinue learning
Why subscribe?
Other Books You May EnjoyPackt is searching for authors like youShare your thoughts

Content preview from Cloud Security Handbook

Chapter 3: Securing Storage Services

In the previous chapter, we covered compute services. After compute services, the second most common resource everyone talks about is storage – from object storage to block storage (which is also known as instance attached storage), to file storage.

We are using storage services to store our data.

The following is a list of common threats that might impact our data when it is stored in the cloud:

Unauthorized access
Data leakage
Data exfiltration
Data loss

As a best practice, we should always use the following countermeasures when storing data in the cloud:

Access-control lists (ACLs; note that each cloud provider has its own implementation) and Identity and Access Management (IAM), to restrict access ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781800569195

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Cloud Security Handbook

by Eyal Estrin

Chapter 3: Securing Storage Services

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.