Cloud Security Handbook: Find out how to effectively secure cloud environments using AWS, Azure, and GCP
Scribed by Eyal Estrin
- Publisher: Packt Publishing
- Year: 2022
- Language: English
- Pages: 456
- Category: Library
Synopsis
A comprehensive reference guide to securing the basic building blocks of cloud services, with actual examples for leveraging Azure, AWS, and GCP built-in services and capabilities
Key Features
- Discover practical techniques for implementing cloud security
- Learn how to secure your data and core cloud infrastructure to suit your business needs
- Implement encryption, detect cloud threats and misconfiguration, and achieve compliance in the cloud
Book Description
Securing resources in the cloud is challenging, given that each provider has different mechanisms and processes. Cloud Security Handbook helps you to understand how to embed security best practices in each of the infrastructure building blocks that exist in public clouds.
This book will enable information security and cloud engineers to recognize the risks involved in public cloud and find out how to implement security controls as they design, build, and maintain environments in the cloud. You'll begin by learning about the shared responsibility model, cloud service models, and cloud deployment models, before getting to grips with the fundamentals of compute, storage, networking, identity management, encryption, and more. Next, you'll explore common threats and discover how to stay in compliance in cloud environments. As you make progress, you'll implement security in small-scale cloud environments through to production-ready large-scale environments, including hybrid clouds and multi-cloud environments. This book not only focuses on cloud services in general, but it also provides actual examples for using AWS, Azure, and GCP built-in services and capabilities.
By the end of this cloud security book, you'll have gained a solid understanding of how to implement security in cloud environments effectively.
What you will learn
- Secure compute, storage, and networking services in the cloud
- Get to grips with identity management in the cloud
- Audit and monitor cloud services from a security point of view
- Identify common threats and implement encryption solutions in cloud services
- Maintain security and compliance in the cloud
- Implement security in hybrid and multi-cloud environments
- Design and maintain security in a large-scale cloud environment
Who this book is for
This book is for IT or information security personnel taking their first steps in the public cloud or migrating existing environments to the cloud. Cloud engineers, cloud architects, or cloud security professionals maintaining production environments in the cloud will also benefit from this book. Prior experience of deploying virtual machines, using storage services, and networking will help you to get the most out of this book.
Table of Contents
- Introduction to Cloud Security
- Securing Compute Services
- Securing Storage Services
- Securing Network Services
- Effective Strategies to Implement IAM Solutions
- Monitoring and Auditing of Your Cloud Environments
- Applying Encryption in Cloud Services
- Understanding Common Security Threats to Cloud Computing
- Handling Compliance and Regulation
- Engaging with Cloud Providers
- Managing Hybrid Clouds
- Managing Multi-Cloud Environments
- Security in Large-Scale Environments
Detailed Table of Contents
Cover
Title Page
Copyright
Dedication
Contributors
Table of Contents
Preface
Section 1: Securing Infrastructure Cloud Services
Chapter 1: Introduction to Cloud Security
Technical requirements
What is a cloud service?
What are the cloud deployment models?
What are the cloud service models?
Why we need security
What is the shared responsibility model?
AWS and the shared responsibility model
Azure and the shared responsibility model
GCP and the shared responsibility model
Command-line tools
AWS CLI
Azure CLI
Google Cloud SDK
Summary
Chapter 2: Securing Compute Services
Technical requirements
Securing VMs
Securing Amazon Elastic Compute Cloud (EC2)
Securing Azure Virtual Machines
Securing Google Compute Engine (GCE) and VM instances
Securing managed database services
Securing Amazon RDS for MySQL
Securing Azure Database for MySQL
Securing Google Cloud SQL for MySQL
Securing containers
Securing Amazon Elastic Container Service (ECS)
Securing Amazon Elastic Kubernetes Service (EKS)
Securing Azure Container Instances (ACI)
Securing Azure Kubernetes Service (AKS)
Securing Google Kubernetes Engine (GKE)
Securing serverless/function as a service
Securing AWS Lambda
Securing Azure Functions
Securing Google Cloud Functions
Summary
Chapter 3: Securing Storage Services
Technical requirements
Securing object storage
Securing Amazon Simple Storage Service
Securing Azure Blob storage
Securing Google Cloud Storage
Securing block storage
Best practices for securing Amazon Elastic Block Store
Best practices for securing Azure managed disks
Best practices for securing Google Persistent Disk
Summary
Securing file storage
Securing Amazon Elastic File System
Securing Azure Files
Securing Google Filestore
Securing the CSI
Securing CSI on AWS
Securing CSI on Azure
Securing CSI on GCP
Summary
Chapter 4: Securing Networking Services
Technical requirements
Securing virtual networking
Securing Amazon Virtual Private Cloud
Securing Azure VNet
Securing Google Cloud VPC
Securing DNS services
Securing Amazon Route 53
Securing Azure DNS
Securing Google Cloud DNS
Securing CDN services
Securing Amazon CloudFront
Securing Azure CDN
Securing Google Cloud CDN
Securing VPN services
Securing AWS Site-to-Site VPN
Securing AWS Client VPN
Securing Azure VPN Gateway (Site-to-Site)
Securing Azure VPN Gateway (Point-to-Site)
Securing Google Cloud VPN
Securing DDoS protection services
Securing AWS Shield
Securing Azure DDoS Protection
Securing Google Cloud Armor
Securing WAF services
Securing AWS WAF
Securing Azure WAF
Summary
Section 2: Deep Dive into IAM, Auditing, and Encryption
Chapter 5: Effective Strategies to Implement IAM Solutions
Technical requirements
Introduction to IAM
Failing to manage identities
Securing cloud-based IAM services
Securing AWS IAM
Auditing AWS IAM
Securing Azure AD
Auditing Azure AD
Securing Google Cloud IAM
Auditing Google Cloud IAM
Securing directory services
Securing AWS Directory Service
Securing Azure Active Directory Domain Services (Azure AD DS)
Securing Google Managed Service for Microsoft AD
Configuring MFA
Summary
Chapter 6: Monitoring and Auditing Your Cloud Environments
Technical requirements
Conducting security monitoring and audit trails
Security monitoring and audit trails using AWS CloudTrail
Security monitoring using AWS Security Hub
Best practices for using AWS Security Hub
Security monitoring and audit trails using Azure Monitor
Best practices for using Azure Monitor
Security monitoring and approval process using Customer Lockbox
Best practices for using Customer Lockbox
Security monitoring and audit trail using Google Cloud Logging
Security monitoring using Google Security Command Center
Security monitoring and approval process using Access Transparency and Access Approval
Conducting threat detection and response
Using Amazon Detective for threat detection
Using Amazon GuardDuty for threat detection
Security monitoring using Microsoft Defender for Cloud
Using Azure Sentinel for threat detection
Using Azure Defender for threat detection
Using Google Security Command Center for threat detection and prevention
Conducting incident response and digital forensics
Conducting incident response in AWS
Conducting incident response in Azure
Conducting incident response in Google Cloud Platform
Summary
Chapter 7: Applying Encryption in Cloud Services
Technical requirements
Introduction to encryption
Symmetric encryption
Asymmetric encryption
Best practices for deploying KMSes
AWS Key Management Service (KMS)
AWS CloudHSM
Azure Key Vault
Azure Dedicated/Managed HSM
Google Cloud Key Management Service (KMS)
Best practices for deploying secrets management services
AWS Secrets Manager
Google Secret Manager
Best practices for using encryption in transit
IPSec
Transport Layer Security (TLS)
Best practices for using encryption at rest
Object storage encryption
Block storage encryption
Full database encryption
Row-level security
Encryption in use
AWS Nitro Enclaves
Azure Confidential Computing
Google Confidential Computing
Summary
Section 3: Threats and Compliance Management
Chapter 8: Understanding Common Security Threats to Cloud Services
Technical requirements
The MITRE ATT&CK framework
Detecting and mitigating data breaches in cloud services
Common consequences of data breaches
Best practices for detecting and mitigating data breaches in cloud environments
Common AWS services to assist in the detection and mitigation of data breaches
Common Azure services to assist in the detection and mitigation of data breaches
Common GCP services to assist in the detection and mitigation of data breaches
Detecting and mitigating misconfigurations in cloud services
Common AWS services to assist in the detection and mitigation of misconfigurations
Common Azure services to assist in the detection and mitigation of misconfigurations
Common GCP services to assist in the detection and mitigation of misconfigurations
Detecting and mitigating insufficient IAM and key management in cloud services
Common AWS services to assist in the detection and mitigation of insufficient IAM and key management
Common Azure services to assist in the detection and mitigation of insufficient IAM and key management
Common GCP services to assist in the detection and mitigation of insufficient IAM and key management
Detecting and mitigating account hijacking in cloud services
Common AWS services to assist in the detection and mitigation of account hijacking
Common Azure services to assist in the detection and mitigation of account hijacking
Common GCP services to assist in the detection and mitigation of account hijacking
Detecting and mitigating insider threats in cloud services
Common AWS services to assist in the detection and mitigation of insider threats
Common Azure services to assist in the detection and mitigation of insider threats
Common GCP services to assist in the detection and mitigation of insider threats
Detecting and mitigating insecure APIs in cloud services
Common AWS services to assist in the detection and mitigation of insecure APIs
Common Azure services to assist in the detection and mitigation of insecure APIs
Common GCP services to assist in the detection and mitigation of insecure APIs
Detecting and mitigating the abuse of cloud services
Common AWS services to assist in the detection and mitigation of the abuse of cloud services
Common Azure services to assist in the detection and mitigation of the abuse of cloud services
Common GCP services to assist in the detection and mitigation of the abuse of cloud services
Summary
Chapter 9: Handling Compliance and Regulation
Technical requirements
Compliance and the shared responsibility model
Introduction to compliance with regulatory requirements and industry best practices
How to maintain compliance in AWS
How to maintain compliance in Azure
How to maintain compliance in GCP
Summary
What are the common ISO standards related to cloud computing?
ISO/IEC 27001 standard
ISO 27017 standard
ISO 27018 standard
Summary
What is a SOC report?
Summary
What is the CSA STAR program?
STAR Level 1
STAR Level 2
Summary
What is PCI DSS?
Summary
What is the GDPR?
Summary
What is HIPAA?
Summary
Summary
Chapter 10: Engaging with Cloud Providers
Technical requirements
Choosing a cloud provider
What is the most suitable cloud service model for our needs?
Data privacy and data sovereignty
Auditing and monitoring
Migration capabilities
Authentication
Summary
What is a cloud provider questionnaire?
Summary
Tips for contracts with cloud providers
Summary
Conducting penetration testing in cloud environments
Summary
Summary
Section 4: Advanced Use of Cloud Services
Chapter 11: Managing Hybrid Clouds
Technical requirements
Hybrid cloud strategy
Cloud bursting
Backup and disaster recovery
Archive and data retention
Distributed data processing
Application modernization
Summary
Identity management over hybrid cloud environments
How to manage identity over hybrid AWS environments
How to manage identity over hybrid Azure environments
How to manage identity over GCP hybrid environments
Best practices for managing identities in hybrid environments
Summary
Network architecture for hybrid cloud environments
How to connect the on-premises environment to AWS
How to connect the on-premises environment to Azure
How to connect the on-premises environment to GCP
Summary
Storage services for hybrid cloud environments
How to connect to storage services over AWS hybrid environments
How to connect to storage services over Azure hybrid environments
How to connect to storage services over GCP hybrid environments
Summary
Compute services for hybrid cloud environments
Using compute services over AWS hybrid environments
Using compute services over Azure hybrid environments
Using compute services over GCP hybrid environments
Summary
Securing hybrid cloud environments
How to secure AWS hybrid environments
How to secure Azure hybrid environments
How to secure GCP hybrid environments
Summary
Summary
Chapter 12: Managing Multi-Cloud Environments
Technical requirements
Multi-cloud strategy
Freedom to select a cloud provider
Freedom to select your services
Reduced cost
Data sovereignty
Backup and disaster recovery
Improving reliability
Identity management
Data security
Asset management
Skills gap
Summary
Identity management over multi-cloud environments
How to manage identity in AWS over multi-cloud environments
How to manage identity in Azure over multi-cloud environments
How to manage identity in GCP over multi-cloud environments
Summary
Network architecture for multi-cloud environments
How to create network connectivity between AWS and GCP
How to create network connectivity between AWS and Azure
How to create network connectivity between Azure and GCP
Summary
Data security in multi-cloud environments
Encryption in transit
Encryption at rest
Encryption in use
Summary
Cost management in multi-cloud environments
Summary
Cloud Security Posture Management (CSPM)
Summary
Cloud Infrastructure Entitlement Management (CIEM)
Summary
Patch and configuration management in multi-cloud environments
Summary
The monitoring and auditing of multi-cloud environments
Summary
Summary
Chapter 13: Security in Large-Scale Environments
Technical requirements
Managing governance and policies at a large scale
Governance in AWS
Governance in Azure
Governance in Google Cloud
Automation using IaC
AWS CloudFormation
Azure Resource Manager (ARM) templates
Google Cloud Deployment Manager
HashiCorp Terraform
Summary
Security in large-scale cloud environments
Managing security at a large scale while working with AWS
Managing security at a large scale while working with Azure
Managing security at a large scale while working with Google Cloud
Summary
What's next?
Plan ahead
Automate
Think big
Continue learning
Index
About Packt
Other Books You May Enjoy