Practical Cloud Security, 2nd Edition (Third Early Release)

By Chris Dotson


Publisher: O'Reilly Media, Inc.
Year: 2023
Language: English
Pages: 188
Edition: 2
Category: Library


✦ Synopsis


With the fast, competitive evolution of new cloud services, particularly those related to security, cloud deployment is now definitively as secure as on-premises servers, and probably even more secure. This practical book surveys current security challenges and shows security professionals, IT architects, and developers how to meet them while deploying systems to popular cloud services. You'll find up-to-date, cloud-specific security guidance for popular cloud platforms in the areas of cloud and data asset management, identity and access management, vulnerability management, network security, and incident response. Author Chris Dotson offers practical cloud security best practices for multivendor cloud environments, whether you're just starting to design your cloud environment or have legacy projects to secure.

✦ Table of Contents


  1. Principles and Concepts
    Least Privilege
    Defense in Depth
    Zero Trust
    Threat Actors, Diagrams, and Trust Boundaries
    Cloud Service Delivery Models
    The Cloud Shared Responsibility Model
    Risk Management
    Conclusion
    Exercises
  2. Data Asset Management and Protection
    Data Identification and Classification
    Example Data Classification Levels
    Relevant Industry or Regulatory Requirements
    Data Asset Management in the Cloud
    Tagging Cloud Resources
    Protecting Data in the Cloud
    Tokenization
    Encryption
    Confidential computing
    Encryption of data at rest
    Key management
    Server-side and client-side encryption
    Cryptographic erasure
    How encryption foils different types of attacks
    Disk level encryption
    Platform level encryption
    Application level encryption
    Conclusion
    Exercises
  3. Cloud Asset Management and Protection
    Differences from Traditional IT
    Types of Cloud Assets
    Compute Assets
    Virtual machines
    Containers
    Native container model
    “Mini-VM” container model
    Container orchestration systems
    Application Platform as a Service
    Serverless
    Storage Assets
    Block storage
    File storage
    Object storage
    Images
    Cloud databases
    Message queues
    Configuration storage
    Secrets configuration storage
    Encryption key storage
    Certificate storage
    Source code repositories and deployment pipelines
    Network Assets
    Virtual private clouds and subnets
    Content delivery networks
    DNS records
    TLS certificates
    Load balancers, reverse proxies, and web application firewalls
    Asset Management Pipeline
    Procurement Leaks
    Processing Leaks
    Tooling Leaks
    Findings Leaks
    Tagging Cloud Assets
    Conclusion
    Exercises
  4. Identity and Access Management
    Differences from Traditional IT
    Life Cycle for Identity and Access
    Request
    Approve
    Create, Delete, Grant, or Revoke
    Authentication
    Cloud IAM Identities
    Business-to-Consumer and Business-to-Employee
    Multi-Factor Authentication
    Passwords, Passphrases, and API Keys
    Shared IDs
    Federated Identity
    Single Sign-On
    SAML and OIDC
    SSO with legacy applications
    Instance Metadata and Identity Documents
    Secrets Management
    Authorization
    Centralized Authorization
    Roles
    Revalidate
    Putting It All Together in the Sample Application
    Conclusion
    Exercises
  5. Vulnerability Management
    Differences from Traditional IT
    Vulnerable Areas
    Data Access
    Application
    Middleware
    Operating System
    Network
    Virtualized Infrastructure
    Physical Infrastructure
    Finding and Fixing Vulnerabilities
    Network Vulnerability Scanners
    Agentless Scanners and Configuration Management
    Agent-Based Scanners and Configuration Management
    Credentials
    Deployment
    Network
    Least privilege
    Choosing an agent-based or agentless scanner
    Cloud Workload Protection Platforms
    Container Scanners
    Dynamic Application Scanners (DAST)
    Static Application Scanners (SAST)
    Software Composition Analysis Scanners (SCA)
    Interactive Application Scanners (IAST)
    Runtime Application Self-Protection Scanners (RASP)
    Manual Code Reviews
    Penetration Tests
    User Reports
    Example Tools for Vulnerability and Configuration Management
    Risk Management Processes
    Vulnerability Management Metrics
    Tool Coverage
    Mean Time to Remediate
    Systems/Applications with Open Vulnerabilities
    Percentage of False Positives
    Percentage of False Negatives
    Vulnerability Recurrence Rate
    Change Management
    Putting It All Together in the Sample Application
    Conclusion
    Exercises
  6. Network Security
    Differences from Traditional IT
    Concepts and Definitions
    Allowlists and Denylists
    DMZs
    Proxies
    Software-Defined Networking
    Network Features Virtualization
    Overlay Networks and Encapsulation
    Virtual Private Clouds
    Network Address Translation
    IPv6
    Putting It All Together in the Sample Application
    Encryption in Motion
    Firewalls and Network Segmentation
    Perimeter control
    Internal segmentation
    Security groups
    Service endpoints
    Container firewalling and network segmentation
    Allowing Administrative Access
    Bastion hosts
    Virtual private networks (VPNs)
    Site-to-site VPNs
    Client-to-site VPNs
    Web Application Firewalls and RASP
    Anti-DDoS
    Intrusion Detection and Prevention Systems
    Egress Filtering
    Data Loss Prevention
    Conclusion
    Exercises
