Practical Cloud Security, 2nd Edition

Read it now on the O’Reilly learning platform with a 10-day free trial.

O’Reilly members get unlimited access to books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Book description

With rapidly changing architecture and API-driven automation, cloud platforms come with unique security challenges and opportunities. In this updated second edition, you'll examine security best practices for multivendor cloud environments, whether your company plans to move legacy on-premises projects to the cloud or build a new infrastructure from the ground up.

Developers, IT architects, and security professionals will learn cloud-specific techniques for securing popular cloud platforms such as Amazon Web Services, Microsoft Azure, and IBM Cloud. IBM Distinguished Engineer Chris Dotson shows you how to establish data asset management, identity and access management (IAM), vulnerability management, network security, and incident response in your cloud environment.

• Learn the latest threats and challenges in the cloud security space
• Manage cloud providers that store or process data or deliver administrative control
• Learn how standard principles and concepts—such as least privilege and defense in depth—apply in the cloud
• Understand the critical role played by IAM in the cloud
• Use best tactics for detecting, responding, and recovering from the most common security incidents
• Manage various types of vulnerabilities, especially those common in multicloud or hybrid cloud architectures
• Examine privileged access management in cloud environments

Publisher resources

Table of contents

1. Preface
   1. Who Should Read This Book
   2. Navigating This Book
   3. What’s New in the Second Edition
   4. Conventions Used in This Book
   5. O’Reilly Online Learning Platform
   6. How to Contact Us
   7. Acknowledgments
   1. Least Privilege
   2. Defense in Depth
   3. Zero Trust
   4. Threat Actors, Diagrams, and Trust Boundaries
   5. Cloud Service Delivery Models
   6. The Cloud Shared Responsibility Model
   7. Risk Management
   8. Conclusion
   9. Exercises
   1. Data Identification and Classification
      1. Example Data Classification Levels
      2. Relevant Industry or Regulatory Requirements
      1. Tokenization
      2. Encryption
      1. Differences from Traditional IT
      2. Types of Cloud Assets
         1. Compute Assets
         2. Storage Assets
         3. Network Assets
         1. Procurement Leaks
         2. Processing Leaks
         3. Tooling Leaks
         4. Findings Leaks
         1. Differences from Traditional IT
         2. Life Cycle for Identity and Access
         3. Request
         4. Approve
         5. Create, Delete, Grant, or Revoke
         6. Authentication
            1. Cloud IAM Identities
            2. Business-to-Consumer and Business-to-Employee
            3. Multi-Factor Authentication
            4. Passwords, Passphrases, and API Keys
            5. Shared IDs
            6. Federated Identity
            7. Single Sign-On
            8. Instance Metadata and Identity Documents
            9. Secrets Management
            1. Centralized Authorization
            2. Roles
            1. Differences from Traditional IT
            2. Vulnerable Areas
               1. Data Access
               2. Application
               3. Middleware
               4. Operating System
               5. Network
               6. Virtualized Infrastructure
               7. Physical Infrastructure
               1. Network Vulnerability Scanners
               2. Agentless Scanners and Configuration Management Systems
               3. Agent-Based Scanners and Configuration Management Systems
               4. Cloud Workload Protection Platforms
               5. Container Scanners
               6. Dynamic Application Scanners (DAST)
               7. Static Application Scanners (SAST)
               8. Software Composition Analysis Tools (SCA)
               9. Interactive Application Scanners (IAST)
               10. Runtime Application Self-Protection Scanners (RASP)
               11. Manual Code Reviews
               12. Penetration Tests
               13. User Reports
               14. Example Tools for Vulnerability and Configuration Management
               1. Tool Coverage
               2. Mean Time to Remediate
               3. Systems/Applications with Open Vulnerabilities
               4. Percentage of False Positives
               5. Percentage of False Negatives
               6. Vulnerability Recurrence Rate
               1. Differences from Traditional IT
               2. Concepts and Definitions
                  1. Zero Trust Networking
                  2. Allowlists and Denylists
                  3. DMZs
                  4. Proxies
                  5. Software-Defined Networking
                  6. Network Functions Virtualization
                  7. Overlay Networks and Encapsulation
                  8. Virtual Private Clouds
                  9. Network Address Translation
                  10. IPv6
                  1. Encryption in Motion
                  2. Firewalls and Network Segmentation
                  3. Allowing Administrative Access
                  4. Network Defense Tools
                  5. Egress Filtering
                  6. Data Loss Prevention
                  1. Differences from Traditional IT
                  2. What to Watch
                     1. Privileged User Access
                     2. Logs from Defensive Tooling
                     3. Cloud Service Logs and Metrics
                     4. Operating System Logs and Metrics
                     5. Middleware Logs
                     6. Secrets Server
                     7. Your Application
                     1. Aggregation and Retention
                     2. Parsing Logs
                     3. Searching and Correlation
                     4. Alerting and Automated Response
                     5. Security Information and Event Managers
                     6. Threat Hunting
                     1. Team
                     2. Plans
                     3. Tools
                     1. Cyber Kill Chains and MITRE ATT&CK
                     2. The OODA Loop
                     3. Cloud Forensics
                     4. Blocking Unauthorized Access
                     5. Stopping Data Exfiltration and Command and Control
                     1. Redeploying IT Systems
                     2. Notifications
                     3. Lessons Learned
                     1. Monitoring the Protective Systems
                     2. Monitoring the Application
                     3. Monitoring the Administrators
                     4. Understanding the Auditing Infrastructure
                     1. Chapter 1
                     2. Chapter 2
                     3. Chapter 3
                     4. Chapter 4
                     5. Chapter 5
                     6. Chapter 6
                     7. Chapter 7
                     Show and hide more

                     Product information

                     • Title: Practical Cloud Security, 2nd Edition
                     • Author(s): Chris Dotson
                     • Release date: October 2023
                     • Publisher(s): O'Reilly Media, Inc.
                     • ISBN: 9781098148171

                     You might also like

                     Check it out now on O’Reilly

                     Dive in for free with a 10-day trial of the O’Reilly learning platform—then explore all the other resources our members count on to build skills and solve problems every day.