"With their rapidly changing architecture and API-driven automation, cloud platforms come with unique security challenges and opportunities. This hands-on book guides you through security best practices for multivendor cloud environments, whether your company plans to move legacy on-premises projects to the cloud or build a new infrastructure from the ground up. Developers, IT architects, and security professionals will learn cloud-specific techniques for securing popular cloud platforms such as Amazon Web Services, Microsoft Azure, and IBM Cloud. Chris Dotson--an IBM senior technical staff member--shows you how to establish data asset management, identity and access management, vulnerability management, network security, and incident response in your cloud environment."--Back cover Intro Copyright Table of Contents Preface Conventions Used in This Book O'Reilly Online Learning Platform How to Contact Us Acknowledgments Chapter 1. Principles and Concepts Least Privilege Defense in Depth Threat Actors, Diagrams, and Trust Boundaries Cloud Delivery Models The Cloud Shared Responsibility Model Risk Management Chapter 2. Data Asset Management and Protection Data Identification and Classification Example Data Classification Levels Relevant Industry or Regulatory Requirements Data Asset Management in the Cloud Tagging Cloud Resources Protecting Data in the CloudTokenization Encryption Summary Chapter 3. Cloud Asset Management and Protection Differences from Traditional IT Types of Cloud Assets Compute Assets Storage Assets Network Assets Asset Management Pipeline Procurement Leaks Processing Leaks Tooling Leaks Findings Leaks Tagging Cloud Assets Summary Chapter 4. Identity and Access Management Differences from Traditional IT Life Cycle for Identity and Access Request Approve Create, Delete, Grant, or Revoke Authentication Cloud IAM Identities Business-to-Consumer and Business-to-Employee Multi-Factor AuthenticationPasswords and API Keys Shared IDs Federated Identity Single Sign-On Instance Metadata and Identity Documents Secrets Management Authorization Centralized Authorization Roles Revalidate Putting It All Together in the Sample Application Summary Chapter 5. Vulnerability Management Differences from Traditional IT Vulnerable Areas Data Access Application Middleware Operating System Network Virtualized Infrastructure Physical Infrastructure Finding and Fixing Vulnerabilities Network Vulnerability Scanners Agentless Scanners and Configuration ManagementAgent-Based Scanners and Configuration Management Cloud Provider Security Management Tools Container Scanners Dynamic Application Scanners (DAST) Static Application Scanners (SAST) Software Composition Analysis Scanners (SCA) Interactive Application Scanners (IAST) Runtime Application Self-Protection Scanners (RASP) Manual Code Reviews Penetration Tests User Reports Example Tools for Vulnerability and Configuration Management Risk Management Processes Vulnerability Management Metrics Tool Coverage Mean Time to Remediate Systems/Applications with Open VulnerabilitiesPercentage of False Positives Percentage of False Negatives Vulnerability Recurrence Rate Change Management Putting It All Together in the Sample Application Summary Chapter 6. Network Security Differences from Traditional IT Concepts and Definitions Whitelists and Blacklists DMZs Proxies Software-Defined Networking Network Features Virtualization Overlay Networks and Encapsulation Virtual Private Clouds Network Address Translation IPv6 Putting It All Together in the Sample Application Encryption in Motion This hands-on book guides you through security best practices for multivendor cloud environments, whether your company plans to move legacy on-premises projects to the cloud or build a new infrastructure from the ground up. With their rapidly changing architecture and API-driven automation, cloud platforms come with unique security challenges and opportunities. This hands-on book guides you through security best practices for multivendor cloud environments, whether your company plans to move legacy on-premises projects to the cloud or build a new infrastructure from the ground up.Developers, IT architects, and security professionals will learn cloud-specific techniques for securing popular cloud platforms such as Amazon Web Services, Microsoft Azure, and IBM Cloud. Chris Dotson-an IBM senior technical staff member-shows you how to establish data asset management, identity and access management, vulnerability management, network security, and incident response in your cloud environment.