book

Practical Cloud Security, 2nd Edition

by Chris Dotson

October 2023

Intermediate to advanced

230 pages

6h 47m

English

O'Reilly Media, Inc.

Book available

Read now

Unlock full access

Includes

Includes Quizzes

Who Should Read This BookNavigating This BookWhat’s New in the Second EditionConventions Used in This BookO’Reilly Online Learning PlatformHow to Contact UsAcknowledgments
Least PrivilegeDefense in DepthZero TrustThreat Actors, Diagrams, and Trust BoundariesCloud Service Delivery ModelsThe Cloud Shared Responsibility ModelRisk ManagementConclusionExercises
Data Identification and ClassificationExample Data Classification LevelsRelevant Industry or Regulatory RequirementsData Asset Management in the CloudTagging Cloud ResourcesProtecting Data in the CloudTokenizationEncryptionConclusionExercises
Differences from Traditional ITTypes of Cloud AssetsCompute AssetsStorage AssetsNetwork AssetsAsset Management PipelineProcurement LeaksProcessing LeaksTooling LeaksFindings LeaksTagging Cloud AssetsConclusionExercises
Differences from Traditional ITLife Cycle for Identity and AccessRequestApproveCreate, Delete, Grant, or RevokeAuthenticationCloud IAM IdentitiesBusiness-to-Consumer and Business-to-EmployeeMulti-Factor AuthenticationPasswords, Passphrases, and API KeysShared IDsFederated IdentitySingle Sign-OnInstance Metadata and Identity DocumentsSecrets ManagementAuthorizationCentralized AuthorizationRolesRevalidatePutting It All Together in the Sample ApplicationConclusionExercises
Differences from Traditional ITVulnerable AreasData AccessApplicationMiddlewareOperating SystemNetworkVirtualized InfrastructurePhysical InfrastructureFinding and Fixing VulnerabilitiesNetwork Vulnerability ScannersAgentless Scanners and Configuration Management SystemsAgent-Based Scanners and Configuration Management SystemsCloud Workload Protection PlatformsContainer ScannersDynamic Application Scanners (DAST)Static Application Scanners (SAST)Software Composition Analysis Tools (SCA)Interactive Application Scanners (IAST)Runtime Application Self-Protection Scanners (RASP)Manual Code ReviewsPenetration TestsUser ReportsExample Tools for Vulnerability and Configuration ManagementRisk Management ProcessesVulnerability Management MetricsTool CoverageMean Time to RemediateSystems/Applications with Open VulnerabilitiesPercentage of False PositivesPercentage of False NegativesVulnerability Recurrence RateChange ManagementPutting It All Together in the Sample ApplicationConclusionExercises
Differences from Traditional ITConcepts and DefinitionsZero Trust NetworkingAllowlists and DenylistsDMZsProxiesSoftware-Defined NetworkingNetwork Functions VirtualizationOverlay Networks and EncapsulationVirtual Private CloudsNetwork Address TranslationIPv6Network Defense in Action in the Sample ApplicationEncryption in MotionFirewalls and Network SegmentationAllowing Administrative AccessNetwork Defense ToolsEgress FilteringData Loss PreventionConclusionExercises
Differences from Traditional ITWhat to WatchPrivileged User AccessLogs from Defensive ToolingCloud Service Logs and MetricsOperating System Logs and MetricsMiddleware LogsSecrets ServerYour ApplicationHow to WatchAggregation and RetentionParsing LogsSearching and CorrelationAlerting and Automated ResponseSecurity Information and Event ManagersThreat HuntingPreparing for an IncidentTeamPlansToolsResponding to an IncidentCyber Kill Chains and MITRE ATT&CKThe OODA LoopCloud ForensicsBlocking Unauthorized AccessStopping Data Exfiltration and Command and ControlRecoveryRedeploying IT SystemsNotificationsLessons LearnedExample MetricsExample Tools for Detection, Response, and RecoveryDetection and Response in a Sample ApplicationMonitoring the Protective SystemsMonitoring the ApplicationMonitoring the AdministratorsUnderstanding the Auditing InfrastructureConclusionExercises
Chapter 1Chapter 2Chapter 3Chapter 4Chapter 5Chapter 6Chapter 7

Content preview from Practical Cloud Security, 2nd Edition

Appendix. Exercise Solutions

Here are the answers for the exercises at the end of each chapter.

Chapter 1

A, C, and D. Requiring multi-factor authentication is also a good idea, but it’s an example of the principle of defense in depth, not least privilege.
A and D. Strict firewall controls may help, but they don’t demonstrate defense in depth unless paired with another control. Trust boundaries are also important, and may be used to define controls, but are not a defense in depth control.
A, B, C, and D. Threat actors may want to do all of these things, although historically making money is by far the largest motivator. In addition, some threat actors may be motivated simply by the challenge of breaking in or enhancing their reputations in hacking circles.
A. Depending on the service delivery model, network security and operating security may be the cloud provider’s responsibility, or may not be. Data access security—choosing who gets access to the data—is almost always the consumer’s responsibility.
A and B. Most risk assessment systems use some form of likelihood and impact assessment to determine the overall risk level. Transferring a risk doesn’t determine the severity of the risk, but may be a way to deal with the risk. Your risk severity is also not directly affected by whether the attacker’s actions are legal or not, although taking illegal actions may raise the attacker’s risk of going to jail.