Practical Cloud Security

by Chris Dotson

Copyright © 2019 Chris Dotson. All rights reserved. Printed in the United States of America.

Published by O'Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.

O'Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (http://oreilly.com). For more information, contact our corporate/institutional sales department: 800-998-9938 or corporate@oreilly.com.




Acquisitions Editor: Rachel Roumeliotis
Developmental Editors: Andy Oram and Nikki McDonald
Production Editor: Nan Barber
Copyeditor: Rachel Head
Proofreader: Amanda Kersey
Indexer: Judith McConville
Interior Designer: David Futato
Cover Designer: Karen Montgomery
Illustrator: Rebecca Demarest

March 2019: First Edition

Revision History for the First Edition

2019-03-01: First Release

See http://oreilly.com/catalog/errata.csp?isbn=9781492037514 for release details.


The O'Reilly logo is a registered trademark of O'Reilly Media, Inc. Practical Cloud Security, the cover image, and related trade dress are trademarks of O'Reilly Media, Inc.

The views expressed in this work are those of the author, and do not represent the publisher's views.

While the publisher and the author have used good faith efforts to ensure that the information and instructions contained in this work are accurate, the publisher and the author disclaim all responsibility for errors or omissions, including without limitation responsibility for damages resulting from the use of or reliance on this work. Use of the information and instructions contained in this work is at your own risk. If any code samples or other technology this work contains or describes is subject to open source licenses or the intellectual property rights of others, it is your responsibility to ensure that your use thereof complies with such licenses and/or rights.

978-1-492-03751-4

[LSI]


Table of Contents

Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix

1. Principles and Concepts . . . . . . . . . . . . . . . . . . . . . . . . 1
    Least Privilege   1
    Defense in Depth   2
    Threat Actors, Diagrams, and Trust Boundaries   2
    Cloud Delivery Models   6
    The Cloud Shared Responsibility Model   6
    Risk Management   10

2. Data Asset Management and Protection . . . . . . . . . . . . . . . . . 13
    Data Identification and Classification   13
    Example Data Classification Levels   14
    Relevant Industry or Regulatory Requirements   15
    Data Asset Management in the Cloud   17
    Tagging Cloud Resources   18
    Protecting Data in the Cloud   19
    Tokenization   19
    Encryption   20
    Summary   26

3. Cloud Asset Management and Protection . . . . . . . . . . . . . . . . 29
    Differences from Traditional IT   29
    Types of Cloud Assets   30
    Compute Assets   31
    Storage Assets   37
    Network Assets   41
    Asset Management Pipeline   42
    Procurement Leaks   43
    Processing Leaks   44
    Tooling Leaks   45
    Findings Leaks   45
    Tagging Cloud Assets   46
    Summary   48

4. Identity and Access Management . . . . . . . . . . . . . . . . . . . . 49
    Differences from Traditional IT   51
    Life Cycle for Identity and Access   52
    Request   53
    Approve   54
    Create, Delete, Grant, or Revoke   54
    Authentication   55
    Cloud IAM Identities   55
    Business-to-Consumer and Business-to-Employee   56
    Multi-Factor Authentication   57
    Passwords and API Keys   59
    Shared IDs   61
    Federated Identity   61
    Single Sign-On   61
    Instance Metadata and Identity Documents   63
    Secrets Management   64
    Authorization   68
    Centralized Authorization   69
    Roles   70
    Revalidate   71
    Putting It All Together in the Sample Application   72
    Summary   75

5. Vulnerability Management . . . . . . . . . . . . . . . . . . . . . . . 77
    Differences from Traditional IT   78
    Vulnerable Areas   80
    Data Access   80
    Application   81
    Middleware   82
    Operating System   84
    Network   84
    Virtualized Infrastructure   85
    Physical Infrastructure   85
    Finding and Fixing Vulnerabilities   85
    Network Vulnerability Scanners   87
    Agentless Scanners and Configuration Management   88
    Agent-Based Scanners and Configuration Management   89
    Cloud Provider Security Management Tools   91
    Container Scanners   91
    Dynamic Application Scanners (DAST)   92
    Static Application Scanners (SAST)   92
    Software Composition Analysis Scanners (SCA)   93
    Interactive Application Scanners (IAST)   93
    Runtime Application Self-Protection Scanners (RASP)   93
    Manual Code Reviews   94
    Penetration Tests   94
    User Reports   95
    Example Tools for Vulnerability and Configuration Management   95
    Risk Management Processes   98
    Vulnerability Management Metrics   98
    Tool Coverage   99
    Mean Time to Remediate   99
    Systems/Applications with Open Vulnerabilities   99
    Percentage of False Positives   100
    Percentage of False Negatives   100
    Vulnerability Recurrence Rate   100
    Change Management   101
    Putting It All Together in the Sample Application   102
    Summary   106

6. Network Security . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
    Differences from Traditional IT   109
    Concepts and Definitions   111
    Whitelists and Blacklists   111
    DMZs   112
    Proxies   112
    Software-Defined Networking   113
    Network Features Virtualization   113
    Overlay Networks and Encapsulation   113
    Virtual Private Clouds   114
    Network Address Translation   115
    IPv6   116
    Putting It All Together in the Sample Application   116
    Encryption in Motion   118
    Firewalls and Network Segmentation   121
    Allowing Administrative Access   126
    Web Application Firewalls and RASP   130
    Anti-DDoS   132
    Intrusion Detection and Prevention Systems   133
    Egress Filtering   134
    Data Loss Prevention   136
    Summary   137

7. Detecting, Responding to, and Recovering from Security Incidents . . . 139
    Differences from Traditional IT   140
    What to Watch   141
    Privileged User Access   142
    Logs from Defensive Tooling   144
    Cloud Service Logs and Metrics   147
    Operating System Logs and Metrics   148
    Middleware Logs   148
    Secrets Server   149
    Your Application   149
    How to Watch   149
    Aggregation and Retention   150
    Parsing Logs   151
    Searching and Correlation   152
    Alerting and Automated Response   152
    Security Information and Event Managers   153
    Threat Hunting   155
    Preparing for an Incident   155
    Team   156
    Plans   157
    Tools   159
    Responding to an Incident   160
    Cyber Kill Chains   161
    The OODA Loop   162
    Cloud Forensics   163
    Blocking Unauthorized Access   164
    Stopping Data Exfiltration and Command and Control   164
    Recovery   164
    Redeploying IT Systems   164
    Notifications   165
    Lessons Learned   165
    Example Metrics   165
    Example Tools for Detection, Response, and Recovery   166
    Putting It All Together in the Sample Application   166
    Monitoring the Protective Systems   168
    Monitoring the Application   169
    Monitoring the Administrators   169
    Understanding the Auditing Infrastructure   170
    Summary   171

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173



Preface

As the title states, this book is a practical guide to securing your cloud environments.



In almost all organizations, security has to fight for time and funding, and it often takes a back seat to implementing features and functions. Focusing on the "best bang for the buck," security-wise, is important.

This book is intended to help you get the most important security controls for your most important assets in place quickly and correctly, whether you're a security professional who is somewhat new to the cloud, or an architect or developer with security responsibilities. From that solid base, you can continue to build and mature your controls.

While many of the security controls and principles are similar in cloud and on-premises environments, there are some important practical differences. For that reason, a few of the recommendations for practical cloud security may be surprising to those with an on-premises security background. While there are certainly legitimate differences of opinion among security professionals in almost any area of information security, the recommendations in this book stem from years of experience in securing cloud environments, and they are informed by some of the latest developments in cloud computing offerings.

The first few chapters deal with understanding your responsibilities in the cloud and how they differ from those in on-premises environments, as well as understanding what assets you have, what the most likely threats to those assets are, and some protections for them.

The next chapters of the book provide practical guidance, in priority order, on the most important security controls that you should consider first:

• Identity and access management

• Vulnerability management

• Network controls

The final chapter deals with how to detect when something's wrong and deal with it. It's a good idea to read this chapter before something actually goes wrong!

Do you need to get any certifications or attestations for your environment, like PCI DSS compliance validation or a SOC 2 report? If so, you'll need to watch out for a few specific pitfalls, which will be noted. You'll also need to make sure you're aware of any applicable regulations: for example, HIPAA if you're handling PHI (protected health information) in the United States, or the GDPR if you're handling personal data of individuals in the EU, regardless of where your application is hosted.

Conventions Used in This Book

The following typographical conventions are used in this book:



Italic
    Indicates new terms, URLs, email addresses, filenames, and file extensions.

Constant width
    Used for program listings, as well as within paragraphs to refer to program elements such as variable or function names, databases, data types, environment variables, statements, and keywords.

