Cloud Security Handbook for Architects: Practical Strategies and Solutions for Architecting Enterprise Cloud Security
ISBN: 9789395968997
A comprehensive guide to secure your future on Cloud
Key Features
● Learn traditional security concepts in the cloud a
Language: English
Pages: 513
Year: 2023
Table of contents:
Impact on Security
Introduction
Structure
Evolution of cloud
Cloud computing journey
Cloud computing overview
Characteristics of cloud computing
Cloud types
Cloud computing service model
Cloud computing trends
Recognizing the development of cloud
Justifications for using the cloud
Analyzing the risk of cloud services
Inherent risk
Techniques to reduce the inherent risk
Cloud computing privacy concerns
Assessing your organization’s cloud maturity
Analyzing the development of cloud risk
Shadow IT and its rise
Understanding the shared responsibility paradigm
Key considerations for the upliftment of cloud security
Risk analysis
Controls on user access
Automation
Continual monitoring
Conclusion
Reference
2. Understanding the Core Principles of Cloud Security and its Importance
Introduction
Structure
Principles and concept understanding
Most restrictive
Defense in Depth
Threat actors as well as trust limits
Segregation of duties
Fail-safe
Economy of mechanism
Complete mediation
Open design
Least common mechanism
Weakest chain
Making use of the current landscape
Architectural considerations
Basic concerns
Compliance
Security control
Controls
Additional controls
Information classification
Objectives for information classification
Benefits of information classification
Concepts behind information classification
Classification criteria
Procedures for classifying information
Security awareness, training, and education
Security awareness
Instruction and learning
PKI and encryption key management
Digital certificate
Identity and access management
Identity management
Passwords
Implementing identity management solution
Access controls
Controls
Controlling access types
Mandatory access control
Discretionary access control
Non-discretionary access control
Single Sign-On (SSO)
Strategy to adopt cloud security
Enabling secure cloud migrations with a cross-platform, integrated segmentation strategy
Avoiding problems associated with complex, segregated, and bloated legacy data
Examining the danger posed by the extended attack surface of the cloud
Best practices on cloud security
Recognizing the shared responsibility model
Asking detailed security questions to your cloud provider
Installing Identity and Access Management (IAM) software
Your staff should receive training
Creating and enforcing cloud security guidelines
Protecting your endpoints
Securing data while it is moving and at rest
Utilizing technology for intrusion detection and prevention
Audits and penetration testing should be performed
Conclusion
References
3. Cloud Landscape Assessment and Choosing a Solution for Your Enterprise
Introduction
Structure
Defining organization cloud security roles and responsibilities
Deep-dive into the Shared Responsibility Model
Cloud Service Provider (CSP) responsibilities
Customer responsibilities
Core cloud team roles and responsibilities
Understanding team structures
Managing risk in the cloud
Risk Management Framework (RMF)
Cloud Service Provider (CSP) risk management process
Customer’s risk management process for cloud landscape
Monitoring and managing cloud risk
An approach towards cloud security assessment
Basic principles for cloud security assessment
Need to adopt cloud security assessment
Benefits of adopting cloud security assessment
Ideas to keep in mind before beginning your assessment
Executing cloud security assessment
Architecture overview
Internal versus internet-based enterprise assessments
Guidelines
Account management and user authentication
Vulnerability assessments for network and systems
External alone, internal only, or both
Server and workstation compliance assessment
Network and security system compliance assessment
Testing the security of web applications
Hypervisor layer assessment
Reporting and sharing the data that follows
Selecting the right cloud service provider (CSP)
Time to choose the right cloud service provider
Cloud security
Standards and accreditations
Roadmap for technologies and services
Security and data governance
Dependencies and partnerships for services
SLAs, commercials, and contracts
Performance and dependability
Provider lock-in, exit strategy, and migration support
Conclusion
References and useful information
SECTION II: Building Blocks of Cloud Security Framework and Adoption Path
4. Cloud Security Architecture and Implementation Framework
Introduction
Structure
Cloud security architecture overview
Key elements and responsibilities of cloud architecture
Shared responsibilities in cloud security architecture
Infrastructure as a Service (IaaS)
Software as a Service (SaaS)
Platform as a Service (PaaS)
Architectural type for cloud security
Cloud security architecture building blocks
Evolution of cloud security architecture
Responsibilities of cloud security architecture
Public cloud versus private cloud
CSP versus customer
Adoption of cloud security architecture on various service models
Software as a Service (SaaS)
Infrastructure as a Service (IaaS)
Platform as a Service (PaaS)
Cloud security framework
System design
Operational excellence
Security, compliance, and privacy
Reputation
Cost management
Performance management
Adopting cloud security
Five phases of adoption
The foundational layer
The perimeter layer
Data protection
Visibility
Cloud solution
Cloud security principles
Autonomic security
Autonomic system
Autonomic protection
Autonomic healing
Evaluating the cloud security maturity model
Cloud migration
Software development for the cloud
Need to shift software to cloud
Strategy for cloud migration
Real-time challenges while migrating to cloud
Benefits of cloud migration
Approaches to cloud migration
Scenarios for cloud migration
Common cloud services centralization
Need to centralize common services
Consumer PaaS
Resources and services for development
Public facing services
Security services
Human impact
Spending money on people
Support staff
Microservices and container security
Microservices-based architecture
Securing the microservices architecture
Adopting security while designing the solution
Verifying dependencies
Adopting HTTPS for everything
Making use of identity and access tokens
Securing secrets via encryption
Knowing how to secure your cloud and cluster
Covering all of your security bases
Conclusion
References and useful information
Questions
5. Native Cloud Security Controls and Building Blocks
Introduction
Structure
Asset management and protection
Classification and identification of data
Classification level for data
Relevant regulatory or industry requirements
Cloud-based data asset management
Cloud resource tags
Data protection in the cloud
Tokenization
Encryption
Key management
Encryption on both the client and server sides
Cryptographic erasure
Enabling encryption to protect against different attacks
Tagging cloud assets
IAM on cloud
Enterprise-to-Employee (B2B) and Enterprise-to-Consumer (B2C)
Multi-Factor Authentication (MFA)
API keys and passwords
Shared credentials
Single Sign-On (SSO)
SAML and OIDC
SSO with legacy applications
Vulnerability management
Differences in traditional IT
Components that are at risk
Data access layer
Application layer
Middleware
Operating system
Virtual infrastructure
Physical infrastructure
Vulnerability scanners for networks
Cloud Service Provider (CSP) security management tools
Container scanner
Dynamic Application Security Testing (DAST)
Static Application Security Testing (SAST)
Software Composition Analysis Scanner (SCA)
Interactive Application Scanning Test (IAST)
Runtime Application Self-Protection (RASP)
Code reviews
A few tools for vulnerability management
Network security
Concepts and definitions
Whitelists and blacklists
DMZ
Proxies
SDN
Feature of the network virtualization
Encapsulation and overlay networks
Virtual Private Cloud (VPC)
Network Address Translation (NAT)
Adoption path of network security components
Encryption in motion
Segmenting the network with firewalls
Perimeter controls
Internal segmentation
Security groups
Network segmentation and firewall policies for container
Administrative access
Jump servers (or bastion hosts)
Virtual Private Network (VPN)
Site-to-site communications
Client-to-site communications
Web Application Firewall (WAF)
DDoS protection
Intrusion Detection System (IDS) and Intrusion Prevention System (IPS)
Egress traffic filtering
Data Loss Prevention (DLP)
Security incident response management
Differences from traditional IT
Privileged user access
Defensive tool logging
Cloud service logs
Operating system logs
Aggregation and log retention
Parsing the logs
Investigating and correlating the logs
Alerting and response
Incident response
Cloud forensic
Conclusion
Questions
6. Examine Regulatory Compliance and Adoption Path for Cloud
Introduction
Structure
Overview and concept understanding
Frameworks for compliance
Auditing and compliance – overview and importance
CSP policy compliance
Understanding of audit objectives
Defined scope for compliance audit
Governance, Risk, and Compliance (GRC)
GRC advantages for CSPs
GRC implementation path
Compliance frameworks for cloud landscape
Industry and location-specific regulations
Payments by credit card: PCI DSS
HIPAA in healthcare
MAS-TRM in Singapore
BNM-RMiT in Malaysia
APRA Prudential Practice Guide CPG 234 in Australia
GDPR in the Europe region
Frameworks focused on security
ISO 27001
NIST cybersecurity framework
Center for Internet Security (CIS) controls
CSA STAR
Cloud Well-Architected frameworks
AWS Well-Architected framework
Google Cloud Architecture framework
Microsoft Azure Well-Architected framework
An automated approach to cloud security and compliance
All put together – automation, security, cloud, and compliance
Continuous Security Monitoring (CSM)
Creating a program for continuous security monitoring
Procedures for escalation
Operating model for cloud security monitoring
Advantages of cloud security monitoring
Best practices and recommendations
Best practices around cloud security monitoring
Best practices of cloud compliance
Disaster Recovery (DR) in cloud
Choosing the right partner for your DR strategy
Advantages of leveraging Cloud DR
Cloud DR and business continuity
Creating a disaster recovery plan based on the cloud
Risk management in the cloud ecosystem
Data security and regulatory compliance
Risk associated with technology
Risk related to operations
Risk associated with vendors
Financial risk
Cloud security assessment checklist
Step 1: Policies and procedures
Step 2: Access control
Step 3: Network
Step 4: Backup and data recovery
Step 5: Security patches and updates
Step 6: Monitoring and logging
Step 7: Data encryption
Conclusion
References
Questions
7. Creating and Enforcing Effective Security Policies
Introduction
Structure
Cloud adoption
Due diligence
Securing endpoints when accessing the cloud
Monitoring data and access to the cloud
Adopting API for data protection in the cloud
Securing cloud applications
Security and controls to protect Bring Your Own Device (BYOD)
Data backup
Training and awareness
Cloud security policy template
Shared responsibility model
Defining a thin line of responsibility
Your contribution to cloud security responsibilities
Understanding the shared responsibility model’s grey zones
A shared responsibility model in operation
Shared responsibility with the development team
Automating the shared responsibility model
DLP solution in cloud
Challenges without cloud DLP
Benefits of cloud DLP
Protecting sensitive data through encryption
Cloud encryption methods
Symmetric algorithm
Asymmetric algorithm
Best practices for encryption management in the cloud
Policy enforcement in cloud
Policy enforcement in the multi-cloud landscape
User awareness of cloud policies
Cloud security training
Important elements
Best practices around awareness and training in the cloud landscape
Employees must be educated and trained
Make your staff cloud-ready
Building an effective cybersecurity team
Putting together an effective cybersecurity team
Once your team is assembled
Conclusion
Questions
References
SECTION III: Maturity Path
8. Leveraging Cloud-based Security Solutions for Security-as-a-Service
Introduction
Structure
Overview and concept understanding
Defining and understanding Security-as-a-Service (SECaaS)
Defining SECaaS on cloud
Risks and challenges of adopting SECaaS
A few examples of cloud SECaaS
Potential benefits and concerns you should be aware of
Potential benefits
Potential concerns
Major categories and feature sets under SECaaS
Key considerations for enterprise while selecting SECaaS
Knowing how to check out your vendors
Clarifying the roles you must play
Understanding what to outsource
Developing a risk management strategy
Anticipating a learning curve
SECaaS working principle
SECaaS framework
SECaaS framework lifecycle
Security and governance for SECaaS
Best practices around SECaaS
Conclusion
Questions
9. Cloud Security Recommendations and Best Practices
Introduction
Structure
Overview and need of the hour
Key considerations for cloud security adoption
Risk examples from the real world
Double-click on important security practices - how to adapt
Due diligence
Planning
Growth and implementation
Operations
Decommissioning
Key considerations
Restrict Access
User identification and authentication
Access rights for users
Establishing and implementing resource access policies
Key considerations
Watch and defend
Analyze monitoring from both the cloud and on-premises
Key considerations
Double-click on important security practices - what to adopt
Data protection
Secure data
Stop unauthorized access
Make sure critical data is available
Refrain from sharing deleted data
Conclusion of data protection
Application security
DevSecOps
Conclusion of Application security
Host and Compute layer
Conclusion on Host and Compute layer
Network layer
Conclusion on Network layer
Identity management
Physical and Perimeter Security
Conclusion on Physical and Perimeter security
Cloud security assessment
Conclusion and way forward
Index