Enterprise Cloud Security and Governance

Book Description

Build a resilient cloud architecture to tackle data disasters with ease

About This Book

  • Get a firm grip on cloud data security and governance principles, irrespective of your cloud platform
  • Filled with practical examples to ensure you secure your cloud environment efficiently
  • This step-by-step guide will teach you the techniques and methodologies of cloud data governance

Who This Book Is For

If you are a cloud security professional who wants to ensure cloud security and data governance no matter the environment, then this book is for you. A basic understanding of working on any cloud platform would be beneficial.

What You Will Learn

  • Configure your firewall and Network ACL
  • Protect your system against DDoS attacks and application-level attacks
  • Explore Cryptography and Data Security for your Cloud
  • Get to grips with the configuration management tools to automate your security tasks
  • Perform vulnerability scanning with the help of industry-standard tools
  • Get to know about Central Log Management

In Detail

Modern-day businesses and enterprises are moving to the cloud to improve efficiency and speed, achieve flexibility and cost-effectiveness, and get access to on-demand cloud services. However, enterprise cloud security remains a major concern for many businesses, because migrating to the public cloud means handing control over part of the organization's assets to the cloud provider, and there is a chance those assets could be mismanaged. Therefore, as a cloud security professional, you need to be on your toes and armed with techniques that help the business minimize that risk and free management from worrying about misuse of business data.

This book starts with the basics of cloud security and gives you an understanding of the various policy, governance, and compliance challenges in the cloud. This lays a strong foundation before you dive deep into what it takes to design a secure network infrastructure and application architecture using the security services available in a cloud environment.

You will learn to automate security tasks such as server hardening with Ansible, and to run a supervision service such as Monit that monitors other security daemons and takes appropriate action if those daemons are stopped maliciously. In short, this book has everything you need to secure your cloud environment with industry-adopted best practices and to develop a secure, highly available, and fault-tolerant architecture for your organization.
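The two automation ideas named above (an Ansible hardening run and a Monit check that restarts a security daemon) can be combined in one playbook. The following is an added illustration, not code from the book: it assumes an inventory group called `cloud_servers`, a RHEL/CentOS-family host where the SSH service is `sshd` and the audit daemon is `auditd`, and that the `monit` package is available from the configured repositories.

```yaml
# Added example, not from the book. Assumes inventory group "cloud_servers",
# a RHEL/CentOS-family host (services "sshd" and "auditd"), and a monitrc
# that already includes /etc/monit.d/*.
- name: Harden sshd and keep auditd under Monit supervision
  hosts: cloud_servers
  become: true

  vars:
    # Each key/value pair becomes one "Key value" line in sshd_config.
    sshd_settings:
      PermitRootLogin: "no"
      PasswordAuthentication: "no"
      PubkeyAuthentication: "yes"
      X11Forwarding: "no"
      MaxAuthTries: "3"
      LoginGraceTime: "30"
      ClientAliveInterval: "300"
      ClientAliveCountMax: "2"

  tasks:
    - name: Apply sshd_config settings (idempotent, one line per directive)
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        # Match the directive whether it is active or a commented-out default.
        regexp: '^\s*#?\s*{{ item.key }}\s+'
        line: "{{ item.key }} {{ item.value }}"
        # If the directive is absent, insert it at the top of the file rather
        # than at the end, where it could fall inside a trailing Match block.
        insertbefore: BOF
        # Refuse the edit if sshd cannot parse the result, so a typo in the
        # settings above cannot lock everyone out of the host.
        validate: /usr/sbin/sshd -t -f %s
      loop: "{{ sshd_settings | dict2items }}"
      notify: Restart sshd

    - name: Install Monit and the audit daemon
      ansible.builtin.package:
        name:
          - monit
          - audit
        state: present

    - name: Ensure auditd is enabled and running
      ansible.builtin.service:
        name: auditd
        state: started
        enabled: true

    - name: Monit check that restarts auditd if its process disappears
      ansible.builtin.copy:
        dest: /etc/monit.d/auditd
        owner: root
        group: root
        mode: "0600"
        # auditd refuses "systemctl stop" on RHEL-family systems, so the stop
        # action goes through the legacy service wrapper instead.
        content: |
          check process auditd with pidfile /run/auditd.pid
            start program = "/usr/bin/systemctl start auditd"
            stop program  = "/sbin/service auditd stop"
            if 3 restarts within 5 cycles then alert
      notify: Reload monit

    - name: Ensure Monit itself is enabled and running
      ansible.builtin.service:
        name: monit
        state: started
        enabled: true

  handlers:
    - name: Restart sshd
      ansible.builtin.service:
        name: sshd
        state: restarted

    - name: Reload monit
      ansible.builtin.service:
        name: monit
        state: reloaded
```

Run it once with `--check --diff` before applying, as the book's "Running Ansible in dry mode" section suggests; the `validate:` argument is what makes the SSH change safe to rerun, and the Monit check only has value if Monit itself is also supervised (here by systemd) and its alerts are routed somewhere that is read.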

Style and approach

This book follows a step-by-step, practical approach to secure your applications and data when they are located remotely.

Table of Contents

  1. Preface
    1. What this book covers
    2. What you need for this book
    3. Who this book is for
    4. Conventions
    5. Reader feedback
    6. Customer support
      1. Downloading the color images of this book 
      2. Errata
      3. Piracy
      4. Questions
  2. The Fundamentals of Cloud Security
    1. Getting started
    2. Service models
      1. Software as a service
      2. Platform as a service
      3. Infrastructure as a service
    3. Deployment models
    4. Cloud security
    5. Why is cloud security considered hard?
      1. Our security posture
    6. Virtualization – cloud's best friend
      1. Understanding the ring architecture
      2. Hardware virtualization
        1. Full virtualization with binary translation
        2. Paravirtualization
        3. Hardware-assisted virtualization
      3. Distributed architecture in virtualization
    7. Enterprise virtualization with oVirt
      1. Encapsulation
      2. Point in time snapshots
      3. Isolation
      4. Risk assessment in cloud
    8. Service Level Agreement
    9. Business Continuity Planning – Disaster Recovery (BCP/DR)
      1. Business Continuity Planning
      2. Disaster Recovery
      3. Recovery Time Objective
      4. Recovery Point Objective
      5. Relation between RTO and RPO
      6. Real world use case of Disaster Recovery
      7. Use case to understand BCP/DR
    10. Policies and governance in cloud
    11. Audit challenges in the cloud
    12. Implementation challenges for controls on CSP side
    13. Vulnerability assessment and penetration testing in the cloud
      1. Use case of a hacked server
    14. Summary
  3. Defense in Depth Approach
    1. The CIA triad
      1. Confidentiality
      2. Integrity
      3. Availability
        1. A use case
        2. Understanding all three aspects
          1. The use case
    2. Introducing Defense in Depth
      1. First layer – network layer
      2. Second layer – platform layer
      3. Third layer – application layer
      4. Fourth layer – data layer
      5. Fifth layer – response layer
    3. Summary
  4. Designing Defensive Network Infrastructure
    1. Why do we need cryptography?
    2. The TCP/IP model
      1. Scenario
        1. The Network Transport Layer
        2. The Internet Protocol Layer
        3. The Transport Layer
        4. The Application Layer
    3. Firewalls
      1. How a firewall works?
      2. How does a firewall inspect packets?
        1. 3-way handshake
      3. Modes of firewall
        1. Stateful packet inspection
        2. Stateless packet inspection
      4. Architecting firewall rules
        1. The deny all and allow some approach
        2. The allow all and deny some approach
      5. Firewall justification document
        1. A sample firewall justification document
          1. Inbound rules
          2. Outbound rules
        2. Tracking firewall changes with alarms
          1. Best practices
    4. Application layer security
      1. Intrusion Prevention Systems
        1. Overview architecture of IPS
      2. IPS in a cloud environment
      3. Implementing IPS in the cloud
        1. Deep Security
          1. Anti-malware
          2. Application control
    5. The IPS functionality
      1. A real-world example
      2. Implementation
        1. Advantages that IPS will bring to a cloud environment
    6. A web application firewall
      1. Architecture
      2. Implementation
    7. Network segmentation
      1. Understanding a flat network
      2. Segmented network
      3. Network segmentation in cloud environments
      4. Segmentation in cloud environments
        1. Rule of thumb
    8. Accessing management
      1. Bastion hosts
      2. The workings of bastion hosts
      3. The workings of SSH agent forwarding
      4. Practical implementation of bastion hosts
        1. Security of bastion hosts
        2. Benefits of bastion hosts
        3. Disadvantages of bastion hosts
    9. Virtual Private Network
      1. Routes – after VPN is connected
    10. Installation of OpenVPN
      1. Security for VPN
      2. Recommended tools for VPN
    11. Approaching private hosted zones for DNS
      1. Public hosted zones
      2. Private hosted zones
        1. Challenge
        2. Solution
    12. Summary
  5. Server Hardening
    1. The basic principle of host-based security
    2. Keeping systems up-to-date
      1. The Windows update methodology
      2. The Linux update methodology
      3. Using the security functionality of YUM
      4. Approach for automatic security updates installation
      5. Developing a process to update servers regularly
      6. Knowledge base
      7. Challenges on a larger scale
    3. Partitioning and LUKS
      1. Partitioning schemes
        1. A separate partition for /boot
        2. A separate partition for /tmp
        3. A separate partition for /home
          1. Conclusion
    4. LUKS
      1. Introduction to LUKS
        1. Solution
        2. Conclusion
    5. Access control list
      1. Use case
      2. Introduction to Access Control List
        1. Set ACL
        2. Show ACL
      3. Special permissions in Linux
        1. SUID 
          1. Use case for SUID
          2. Understanding the permission associated with ping
          3. Setting a SUID bit for files
          4. Removing the SUID bit for files
        2. SETGID
          1. Associating the SGID for files
    6. SELinux
      1. Introduction to SELinux
      2. Permission sets in SELinux
      3. SELinux modes
      4. Confinement of Linux users to SELinux users
      5. Process confinement
        1. Conclusion
    7. Hardening system services and applications
      1. Hardening services
        1. Guide for hardening SSH
        2. Enable multi-factor authentication
          1. Associated configuration
        3. Changing the SSH default port
          1. Associated configuration
        4. Disabling the root login
          1. Associated configuration
          2. Conclusion
    8. Pluggable authentication modules
      1. Team Screen application
      2. File Sharing Application
      3. Understanding PAM
      4. The architecture of PAM
        1. The PAM configuration
        2. The PAM command structure
      5. Implementation scenario
        1. Forcing strong passwords 
        2. Log all user commands
          1. Conclusion
    9. System auditing with auditd
      1. Introduction to auditd
        1. Use case 1 – tracking activity of important files
          1. Use case
          2. Solution
          3. First field
        2. Use case 2 - monitoring system calls
          1. Introduction to system calls
          2. Use case
          3. Solution
          4. Conclusion
          5. Conclusion
        3. Central identity server
          1. Use Case 1
          2. Use case 2
      2. The architecture of IPA
        1. Client-server architecture
        2. User access management
        3. Best practices to follow
          1. Conclusion
      3. Single sign-on
        1. Ideal solution
        2. Advantages of an SSO solution
        3. Challenges in the classic method of authentication
        4. Security Assertion Markup Language
        5. The high-level overview of working
        6. Choosing the right identity provider
        7. Building an SSO from scratch
    10. Host-Based Intrusion Detection System
      1. Exploring OSSEC
        1. File integrity monitoring
        2. Log monitoring and active response
          1. Conclusion
    11. The hardened image approach
      1. Implementing hardening standards in scalable environments
        1. Important to remember
        2. Conclusion
    12. Summary
  6. Cryptography Network Security
    1. Introduction to cryptography
      1. Integrity
      2. Authenticity
        1. Real world scenario
      3. Non-repudiation
    2. Types of cryptography
      1. Symmetric key cryptography
        1. Stream cipher
          1. The encryption process
          2. The decryption process
        2. Advantages of stream ciphers
      2. Block cipher (AES)
        1. Padding
        2. Modes of block ciphers
    3. Message authentication codes
      1. The MAC approach
        1. The challenges with symmetric key storage
    4. Hardware security modules
      1. The challenges with HSM in on-premise
        1. A real-world scenario
          1. HSM on the cloud
        2. CloudHSM
    5. Key management service
      1. The basic working of AWS KMS
      2. Encrypting a function in KMS
      3. Decrypting a function in KMS
        1. Implementation
      4. Practical guide
        1. Configuring AWS CLI
      5. The decryption function
    6. Envelope encryption
      1. The encryption process
      2. The decryption process
        1. Implementation steps
      3. Practical implementation of envelope encryption
    7. Credential management system with KMS
      1. Implementation
      2. Best practices in key management
        1. Rotation life cycle for encryption keys
        2. Scenario 1–a single key for all data encryption
        3. Scenario 2–multiple keys for data encryption
          1. Protecting the access keys
          2. Audit trail is important
    8. Asymmetric key encryption 
      1. The basic working
        1. Authentication with the help of an asymmetric key
    9. Digital signatures
      1. The benefits and use cases of a digital signature
    10. SSL/TLS
      1. Scenario 1 – A man-in-the-middle attack–storing credentials
      2. Scenario 2 – A man-in-the-middle attack–integrity attacks
      3. Working of SSL/TLS
        1. Client Hello
        2. Server Hello
        3. Certificate
        4. Server key exchange
        5. Server Hello done
        6. Client key exchange
        7. Change cipher spec
      4. Security related to SSL/TLS
        1. Grading TLS configuration with SSL Labs
          1. Default Settings
    11. Perfect forward secrecy
      1. Implementation of perfect forward secrecy in nginx
      2. HTTP Strict Transport Security
        1. Implementing HSTS in nginx
          1. Verifying the integrity of a certificate
    12. Online certificate status protocol
    13. OCSP stapling
      1. Challenge 1
      2. Challenge 2
        1. An ideal solution
      3. Architecture
        1. Implementing TLS termination at the ELB level
        2. Selecting cipher suites
        3. Importing certificate
    14. AWS certificate manager
      1. Use case 1
      2. Use case 2
      3. Introduction to AWS Certificate Manager
    15. Summary
  7. Automation in Security
    1. Configuration management
      1. Ansible
        1. Remote command execution
      2. The structure of the Ansible playbook
        1. Playbook for SSH hardening
        2. Running Ansible in dry mode
          1. Run and rerun and rerun
      3. Ansible mode of operations
        1. Ansible pull
    2. Attaining the desired state with Ansible pull
      1. Auditing servers with Ansible notifications
      2. The Ansible Vault
        1. Deploying the nginx Web Server
          1. Solution
      3. Ansible best practices
    3. Terraform
      1. Infrastructure migration
      2. Installing Terraform
        1. Working with Terraform
      3. Integrating Terraform with Ansible
      4. Terraform best practices
    4. AWS Lambda
      1. Cost optimization
        1. Achieving a use case through AWS Lambda
      2. Testing the Lambda function
      3. Start EC2 function
      4. Integrating the Lambda function with events
    5. Summary
  8. Vulnerability, Pentest, and Patch Management
    1. Introduction to vulnerability assessment
      1. Common Vulnerabilities and Exposures 
        1. Common Vulnerability Scoring System (CVSS)
    2. Understanding risks
      1. Determining the likelihood
      2. Defining the impact
    3. Risk mitigation
      1. A sample scan report
      2. How a vulnerability scanner works
    4. Best practices
    5. Patch management
      1. Solution 1
      2. Solution 2
      3. Solution 3
      4. Centralized patch management
        1. Architecture
          1. Installing the Spacewalk server
          2. Import the CentOS 7 repository
          3. Create activation keys
          4. Configuring clients
          5. Pushing updates to clients
    6. Organizing servers in groups
      1. Systems set manager
      2. The life cycle of patch management
      3. Important points to remember
      4. Best practices
        1. Standardize the stacks
        2. All systems must be connected to Spacewalk
        3. Develop a back out plan
        4. Push in a systematic way
          1. Rolling updates
          2. All at once
      5. Challenges
      6. Containers and patch management
    7. Introduction to Docker
      1. Setting up Docker
    8. Summary
  9. Security Logging and Monitoring
    1. Continuous security and monitoring
      1. Real world scenario
        1. Log monitoring is a must in security
        2. Key aspects of continuous security monitoring
        3. Operational considerations
        4. Understanding what is normal versus abnormal
    2. Choosing the right log monitoring tool
      1. Let's get started with logging and monitoring
        1. VPC flow logs
        2. AWS Config
          1. Configuring the AWS Config service
          2. Let's analyze the functionality
          3. Evaluating changes to resources
    3. Security Incident and Event Management
    4. Log monitoring is reactive in nature
      1. Best practices
        1. Set the right base
        2. Structure your logs
        3. Transform granular events to high level
        4. Determine whom to notify when an event occurs
    5. Summary
  10. First Responder
    1. Real world use case
      1. Use case
    2. Understanding the incident
      1. Handling the incidents
      2. Incident response plan
      3. Preparation
        1. Educate
        2. Stick to the plan
      4. Incident response process
        1. Preparation
          1. Use case
        2. Detection
          1. Use case
        3. Containment
          1. Use case
        4. Remediation
          1. Use case
        5. Recovery
          1. Use case
        6. Lessons learned
          1. Use case
      5. Insider threats
        1. Use case
      6. Early indications of insider threats
    3. Holding unexpected simulation
    4. Summary
  11. Best Practices
    1. Cloud readiness
    2. Network readiness
    3. Server readiness
    4. Bonus points
    5. Summary