book

Practical Cloud Security, 2nd Edition

by Chris Dotson

October 2023

Intermediate to advanced

230 pages

6h 47m

English

O'Reilly Media, Inc.

Book available

Read now

Unlock full access

Includes

Includes Quizzes

Who Should Read This BookNavigating This BookWhat’s New in the Second EditionConventions Used in This BookO’Reilly Online Learning PlatformHow to Contact UsAcknowledgments
Least PrivilegeDefense in DepthZero TrustThreat Actors, Diagrams, and Trust BoundariesCloud Service Delivery ModelsThe Cloud Shared Responsibility ModelRisk ManagementConclusionExercises
Data Identification and ClassificationExample Data Classification LevelsRelevant Industry or Regulatory RequirementsData Asset Management in the CloudTagging Cloud ResourcesProtecting Data in the CloudTokenizationEncryptionConclusionExercises
Differences from Traditional ITTypes of Cloud AssetsCompute AssetsStorage AssetsNetwork AssetsAsset Management PipelineProcurement LeaksProcessing LeaksTooling LeaksFindings LeaksTagging Cloud AssetsConclusionExercises
Differences from Traditional ITLife Cycle for Identity and AccessRequestApproveCreate, Delete, Grant, or RevokeAuthenticationCloud IAM IdentitiesBusiness-to-Consumer and Business-to-EmployeeMulti-Factor AuthenticationPasswords, Passphrases, and API KeysShared IDsFederated IdentitySingle Sign-OnInstance Metadata and Identity DocumentsSecrets ManagementAuthorizationCentralized AuthorizationRolesRevalidatePutting It All Together in the Sample ApplicationConclusionExercises
Differences from Traditional ITVulnerable AreasData AccessApplicationMiddlewareOperating SystemNetworkVirtualized InfrastructurePhysical InfrastructureFinding and Fixing VulnerabilitiesNetwork Vulnerability ScannersAgentless Scanners and Configuration Management SystemsAgent-Based Scanners and Configuration Management SystemsCloud Workload Protection PlatformsContainer ScannersDynamic Application Scanners (DAST)Static Application Scanners (SAST)Software Composition Analysis Tools (SCA)Interactive Application Scanners (IAST)Runtime Application Self-Protection Scanners (RASP)Manual Code ReviewsPenetration TestsUser ReportsExample Tools for Vulnerability and Configuration ManagementRisk Management ProcessesVulnerability Management MetricsTool CoverageMean Time to RemediateSystems/Applications with Open VulnerabilitiesPercentage of False PositivesPercentage of False NegativesVulnerability Recurrence RateChange ManagementPutting It All Together in the Sample ApplicationConclusionExercises
Differences from Traditional ITConcepts and DefinitionsZero Trust NetworkingAllowlists and DenylistsDMZsProxiesSoftware-Defined NetworkingNetwork Functions VirtualizationOverlay Networks and EncapsulationVirtual Private CloudsNetwork Address TranslationIPv6Network Defense in Action in the Sample ApplicationEncryption in MotionFirewalls and Network SegmentationAllowing Administrative AccessNetwork Defense ToolsEgress FilteringData Loss PreventionConclusionExercises
Differences from Traditional ITWhat to WatchPrivileged User AccessLogs from Defensive ToolingCloud Service Logs and MetricsOperating System Logs and MetricsMiddleware LogsSecrets ServerYour ApplicationHow to WatchAggregation and RetentionParsing LogsSearching and CorrelationAlerting and Automated ResponseSecurity Information and Event ManagersThreat HuntingPreparing for an IncidentTeamPlansToolsResponding to an IncidentCyber Kill Chains and MITRE ATT&CKThe OODA LoopCloud ForensicsBlocking Unauthorized AccessStopping Data Exfiltration and Command and ControlRecoveryRedeploying IT SystemsNotificationsLessons LearnedExample MetricsExample Tools for Detection, Response, and RecoveryDetection and Response in a Sample ApplicationMonitoring the Protective SystemsMonitoring the ApplicationMonitoring the AdministratorsUnderstanding the Auditing InfrastructureConclusionExercises
Chapter 1Chapter 2Chapter 3Chapter 4Chapter 5Chapter 6Chapter 7

Content preview from Practical Cloud Security, 2nd Edition

Chapter 1. Principles and Concepts

Yes, this is a practical guide, but we do need to cover a few cloud-relevant security principles and concepts at a high level before we dive into the practical bits. If you’re a seasoned security professional, but new to the cloud, you may want to skim down to “The Cloud Shared Responsibility Model”.

The reason for covering these principles and concepts first is because they are used implicitly throughout the rest of the book when I discuss designing and implementing security controls to stop attackers. Conceptual gaps and misunderstandings in security can cause lots of issues. For example:

If you’re not familiar with least privilege, you may understand authorization for cloud services well, but still grant too much access to people or automation in your cloud account or on a cloud database with sensitive information.
If you’re not familiar with defense in depth, then having multiple layers of authentication, network access control, or encryption may not seem useful.
If you don’t know a little about threat modeling—the likely motivations of attackers, and the trust boundaries of the system that you’re designing—you may be spending time and effort protecting the wrong things.
If you don’t understand the cloud service delivery models and the shared responsibility model, you may spend time worrying about risks that are your cloud provider’s responsibility and miss risks that are your responsibility to address.
If you don’t know a little ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Start your free trial

Publisher Resources

ISBN: 9781098148164Errata Page

Practical Cloud Security, 2nd Edition

by Chris Dotson

Chapter 1. Principles and Concepts

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

You might also like