Intro
Copyright
Table of Contents
Preface
Conventions Used in This Book
O'Reilly Online Learning Platform
How to Contact Us
Acknowledgments
Chapter 1. Principles and Concepts
Least Privilege
Defense in Depth
Threat Actors, Diagrams, and Trust Boundaries
Cloud Delivery Models
The Cloud Shared Responsibility Model
Risk Management
Chapter 2. Data Asset Management and Protection
Data Identification and Classification
Example Data Classification Levels
Relevant Industry or Regulatory Requirements
Data Asset Management in the Cloud
Tagging Cloud Resources Protecting Data in the CloudTokenization
Encryption
Summary
Chapter 3. Cloud Asset Management and Protection
Differences from Traditional IT
Types of Cloud Assets
Compute Assets
Storage Assets
Network Assets
Asset Management Pipeline
Procurement Leaks
Processing Leaks
Tooling Leaks
Findings Leaks
Tagging Cloud Assets
Summary
Chapter 4. Identity and Access Management
Differences from Traditional IT
Life Cycle for Identity and Access
Request
Approve
Create, Delete, Grant, or Revoke
Authentication
Cloud IAM Identities
Business-to-Consumer and Business-to-Employee Multi-Factor AuthenticationPasswords and API Keys
Shared IDs
Federated Identity
Single Sign-On
Instance Metadata and Identity Documents
Secrets Management
Authorization
Centralized Authorization
Roles
Revalidate
Putting It All Together in the Sample Application
Summary
Chapter 5. Vulnerability Management
Differences from Traditional IT
Vulnerable Areas
Data Access
Application
Middleware
Operating System
Network
Virtualized Infrastructure
Physical Infrastructure
Finding and Fixing Vulnerabilities
Network Vulnerability Scanners Agentless Scanners and Configuration ManagementAgent-Based Scanners and Configuration Management
Cloud Provider Security Management Tools
Container Scanners
Dynamic Application Scanners (DAST)
Static Application Scanners (SAST)
Software Composition Analysis Scanners (SCA)
Interactive Application Scanners (IAST)
Runtime Application Self-Protection Scanners (RASP)
Manual Code Reviews
Penetration Tests
User Reports
Example Tools for Vulnerability and Configuration Management
Risk Management Processes
Vulnerability Management Metrics
Tool Coverage
Mean Time to Remediate Systems/Applications with Open VulnerabilitiesPercentage of False Positives
Percentage of False Negatives
Vulnerability Recurrence Rate
Change Management
Putting It All Together in the Sample Application
Summary
Chapter 6. Network Security
Differences from Traditional IT
Concepts and Definitions
Whitelists and Blacklists
DMZs
Proxies
Software-Defined Networking
Network Features Virtualization
Overlay Networks and Encapsulation
Virtual Private Clouds
Network Address Translation
IPv6
Putting It All Together in the Sample Application
Encryption in Motion
