Practical Cloud Security
by Chris Dotson
Copyright © 2019 Chris Dotson. All rights reserved. Printed in the United States of America.
Published by O'Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.
O'Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (http://oreilly.com). For more information, contact our corporate/institutional sales department: 800-998-9938 or corporate@oreilly.com.
Acquisitions Editor: Rachel Roumeliotis
Developmental Editors: Andy Oram and Nikki McDonald
Production Editor: Nan Barber
Copyeditor: Rachel Head
Proofreader: Amanda Kersey
Indexer: Judith McConville
Interior Designer: David Futato
Cover Designer: Karen Montgomery
Illustrator: Rebecca Demarest
March 2019: First Edition
Revision History for the First Edition
2019-03-01: First Release
See http://oreilly.com/catalog/errata.csp?isbn=9781492037514 for release details.
The O'Reilly logo is a registered trademark of O'Reilly Media, Inc. Practical Cloud Security, the cover image, and related trade dress are trademarks of O'Reilly Media, Inc.
The views expressed in this work are those of the author, and do not represent the publisher's views.
While the publisher and the author have used good faith efforts to ensure that the information and instructions contained in this work are accurate, the publisher and the author disclaim all responsibility for errors or omissions, including without limitation responsibility for damages resulting from the use of or reliance on this work. Use of the information and instructions contained in this work is at your own risk. If any code samples or other technology this work contains or describes is subject to open source licenses or the intellectual property rights of others, it is your responsibility to ensure that your use thereof complies with such licenses and/or rights.
978-1-492-03751-4
Table of Contents
Preface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix
1. Principles and Concepts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
    Least Privilege    1
    Defense in Depth    2
    Threat Actors, Diagrams, and Trust Boundaries    2
    Cloud Delivery Models    6
    The Cloud Shared Responsibility Model    6
    Risk Management    10
2. Data Asset Management and Protection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
    Data Identification and Classification    13
    Example Data Classification Levels    14
    Relevant Industry or Regulatory Requirements    15
    Data Asset Management in the Cloud    17
    Tagging Cloud Resources    18
    Protecting Data in the Cloud    19
    Tokenization    19
    Encryption    20
    Summary    26
3. Cloud Asset Management and Protection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
    Differences from Traditional IT    29
    Types of Cloud Assets    30
    Compute Assets    31
    Storage Assets    37
    Network Assets    41
    Asset Management Pipeline    42
    Procurement Leaks    43
    Processing Leaks    44
    Tooling Leaks    45
    Findings Leaks    45
    Tagging Cloud Assets    46
    Summary    48
4. Identity and Access Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
    Differences from Traditional IT    51
    Life Cycle for Identity and Access    52
    Request    53
    Approve    54
    Create, Delete, Grant, or Revoke    54
    Authentication    55
    Cloud IAM Identities    55
    Business-to-Consumer and Business-to-Employee    56
    Multi-Factor Authentication    57
    Passwords and API Keys    59
    Shared IDs    61
    Federated Identity    61
    Single Sign-On    61
    Instance Metadata and Identity Documents    63
    Secrets Management    64
    Authorization    68
    Centralized Authorization    69
    Roles    70
    Revalidate    71
    Putting It All Together in the Sample Application    72
    Summary    75
5. Vulnerability Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
    Differences from Traditional IT    78
    Vulnerable Areas    80
    Data Access    80
    Application    81
    Middleware    82
    Operating System    84
    Network    84
    Virtualized Infrastructure    85
    Physical Infrastructure    85
    Finding and Fixing Vulnerabilities    85
    Network Vulnerability Scanners    87
    Agentless Scanners and Configuration Management    88
    Agent-Based Scanners and Configuration Management    89
    Cloud Provider Security Management Tools    91
    Container Scanners    91
    Dynamic Application Scanners (DAST)    92
    Static Application Scanners (SAST)    92
    Software Composition Analysis Scanners (SCA)    93
    Interactive Application Scanners (IAST)    93
    Runtime Application Self-Protection Scanners (RASP)    93
    Manual Code Reviews    94
    Penetration Tests    94
    User Reports    95
    Example Tools for Vulnerability and Configuration Management    95
    Risk Management Processes    98
    Vulnerability Management Metrics    98
    Tool Coverage    99
    Mean Time to Remediate    99
    Systems/Applications with Open Vulnerabilities    99
    Percentage of False Positives    100
    Percentage of False Negatives    100
    Vulnerability Recurrence Rate    100
    Change Management    101
    Putting It All Together in the Sample Application    102
    Summary    106
6. Network Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
    Differences from Traditional IT    109
    Concepts and Definitions    111
    Whitelists and Blacklists    111
    DMZs    112
    Proxies    112
    Software-Defined Networking    113
    Network Features Virtualization    113
    Overlay Networks and Encapsulation    113
    Virtual Private Clouds    114
    Network Address Translation    115
    IPv6    116
    Putting It All Together in the Sample Application    116
    Encryption in Motion    118
    Firewalls and Network Segmentation    121
    Allowing Administrative Access    126
    Web Application Firewalls and RASP    130
    Anti-DDoS    132
    Intrusion Detection and Prevention Systems    133
    Egress Filtering    134
    Data Loss Prevention    136
    Summary    137
7. Detecting, Responding to, and Recovering from Security Incidents. . . . . . . . . . . . . . . 139
    Differences from Traditional IT    140
    What to Watch    141
    Privileged User Access    142
    Logs from Defensive Tooling    144
    Cloud Service Logs and Metrics    147
    Operating System Logs and Metrics    148
    Middleware Logs    148
    Secrets Server    149
    Your Application    149
    How to Watch    149
    Aggregation and Retention    150
    Parsing Logs    151
    Searching and Correlation    152
    Alerting and Automated Response    152
    Security Information and Event Managers    153
    Threat Hunting    155
    Preparing for an Incident    155
    Team    156
    Plans    157
    Tools    159
    Responding to an Incident    160
    Cyber Kill Chains    161
    The OODA Loop    162
    Cloud Forensics    163
    Blocking Unauthorized Access    164
    Stopping Data Exfiltration and Command and Control    164
    Recovery    164
    Redeploying IT Systems    164
    Notifications    165
    Lessons Learned    165
    Example Metrics    165
    Example Tools for Detection, Response, and Recovery    166
    Putting It All Together in the Sample Application    166
    Monitoring the Protective Systems    168
    Monitoring the Application    169
    Monitoring the Administrators    169
    Understanding the Auditing Infrastructure    170
    Summary    171
Index. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Preface
As the title states, this book is a practical guide to securing your cloud environments.
In almost all organizations, security has to fight for time and funding, and it often takes a back seat to implementing features and functions. Focusing on the "best bang for the buck," security-wise, is important.
This book is intended to help you get the most important security controls for your most important assets in place quickly and correctly, whether you're a security professional who is somewhat new to the cloud, or an architect or developer with security responsibilities. From that solid base, you can continue to build and mature your controls.
While many of the security controls and principles are similar in cloud and on-premises environments, there are some important practical differences. For that reason, a few of the recommendations for practical cloud security may be surprising to those with an on-premises security background. While there are certainly legitimate differences of opinion among security professionals in almost any area of information security, the recommendations in this book stem from years of experience in securing cloud environments, and they are informed by some of the latest developments in cloud computing offerings.
The first few chapters deal with understanding your responsibilities in the cloud and how they differ from those in on-premises environments, as well as understanding what assets you have, what the most likely threats are to those assets, and some protections for them.
The next chapters of the book provide practical guidance, in priority order, on the most important security controls that you should consider first:
• Identity and access management
• Vulnerability management
• Network controls
The final chapter deals with how to detect when something's wrong and deal with it. It's a good idea to read this chapter before something actually goes wrong!
Do you need to get any certifications or attestations for your environment, like PCI certification or a SOC 2 report? If so, you'll need to watch out for a few specific pitfalls, which will be noted. You'll also need to make sure you're aware of any applicable regulations—for example, if you're handling PHI (protected health information) in the United States, or if you're handling personal information for EU citizens, regardless of where your application is hosted.
Conventions Used in This Book
The following typographical conventions are used in this book:
Italic
Indicates new terms, URLs, email addresses, filenames, and file extensions.
Constant width
Used for program listings, as well as within paragraphs to refer to program elements such as variable or function names, databases, data types, environment variables, statements, and keywords.