With rapidly changing architecture and API-driven automation, cloud platforms come with unique security challenges and opportunities. In this updated second edition, you'll examine security best practices for multivendor cloud environments, whether your company plans to move legacy on-premises projects to the cloud or build a new infrastructure from the ground up. Developers, IT architects, and security professionals will learn cloud-specific techniques for securing popular cloud platforms such as Amazon Web Services, Microsoft Azure, and IBM Cloud. IBM Distinguished Engineer Chris Dotson shows you how to establish data asset management, identity and access management (IAM), vulnerability management, network security, and incident response in your cloud environment. • Learn the latest threats and challenges in the cloud security space• Manage cloud providers that store or process data or deliver administrative control• Learn how standard principles and concepts--such as least privilege and defense in depth--apply in the cloud• Understand the critical role played by IAM in the cloud• Use best tactics for detecting, responding, and recovering from the most common security incidents• Manage various types of vulnerabilities, especially those common in multicloud or hybrid cloud architectures• Examine privileged access management in cloud environments This edition also covers privileged access management in cloud environments; an expanded look into applying zero trust principles; additional controls around cloud development and test environments; and up-to-date information on authentication of users and systems. Cover 1 Copyright 4 Table of Contents 5 Preface 11 Who Should Read This Book 11 Navigating This Book 12 What’s New in the Second Edition 12 Conventions Used in This Book 13 O’Reilly Online Learning Platform 14 How to Contact Us 14 Acknowledgments 15 Chapter 1. Principles and Concepts 17 Least Privilege 18 Defense in Depth 18 Zero Trust 19 Threat Actors, Diagrams, and Trust Boundaries 20 Cloud Service Delivery Models 24 The Cloud Shared Responsibility Model 24 Risk Management 28 Conclusion 29 Exercises 31 Chapter 2. Data Asset Management and Protection 33 Data Identification and Classification 33 Example Data Classification Levels 34 Relevant Industry or Regulatory Requirements 35 Data Asset Management in the Cloud 37 Tagging Cloud Resources 38 Protecting Data in the Cloud 39 Tokenization 39 Encryption 40 Conclusion 47 Exercises 49 Chapter 3. Cloud Asset Management and Protection 51 Differences from Traditional IT 51 Types of Cloud Assets 52 Compute Assets 53 Storage Assets 59 Network Assets 64 Asset Management Pipeline 65 Procurement Leaks 66 Processing Leaks 67 Tooling Leaks 68 Findings Leaks 68 Tagging Cloud Assets 68 Conclusion 70 Exercises 72 Chapter 4. Identity and Access Management 73 Differences from Traditional IT 75 Life Cycle for Identity and Access 76 Request 78 Approve 78 Create, Delete, Grant, or Revoke 79 Authentication 79 Cloud IAM Identities 79 Business-to-Consumer and Business-to-Employee 80 Multi-Factor Authentication 81 Passwords, Passphrases, and API Keys 84 Shared IDs 86 Federated Identity 87 Single Sign-On 87 Instance Metadata and Identity Documents 89 Secrets Management 91 Authorization 95 Centralized Authorization 96 Roles 97 Revalidate 98 Putting It All Together in the Sample Application 101 Conclusion 103 Exercises 105 Chapter 5. Vulnerability Management 107 Differences from Traditional IT 108 Vulnerable Areas 110 Data Access 111 Application 111 Middleware 114 Operating System 115 Network 116 Virtualized Infrastructure 116 Physical Infrastructure 116 Finding and Fixing Vulnerabilities 117 Network Vulnerability Scanners 118 Agentless Scanners and Configuration Management Systems 120 Agent-Based Scanners and Configuration Management Systems 121 Cloud Workload Protection Platforms 123 Container Scanners 123 Dynamic Application Scanners (DAST) 124 Static Application Scanners (SAST) 124 Software Composition Analysis Tools (SCA) 125 Interactive Application Scanners (IAST) 125 Runtime Application Self-Protection Scanners (RASP) 125 Manual Code Reviews 126 Penetration Tests 126 User Reports 128 Example Tools for Vulnerability and Configuration Management 128 Risk Management Processes 131 Vulnerability Management Metrics 131 Tool Coverage 132 Mean Time to Remediate 132 Systems/Applications with Open Vulnerabilities 133 Percentage of False Positives 133 Percentage of False Negatives 133 Vulnerability Recurrence Rate 134 Change Management 134 Putting It All Together in the Sample Application 135 Conclusion 139 Exercises 140 Chapter 6. Network Security 141 Differences from Traditional IT 141 Concepts and Definitions 143 Zero Trust Networking 143 Allowlists and Denylists 143 DMZs 145 Proxies 145 Software-Defined Networking 146 Network Functions Virtualization 146 Overlay Networks and Encapsulation 146 Virtual Private Clouds 147 Network Address Translation 148 IPv6 149 Network Defense in Action in the Sample Application 150 Encryption in Motion 151 Firewalls and Network Segmentation 154 Allowing Administrative Access 160 Network Defense Tools 164 Egress Filtering 168 Data Loss Prevention 171 Conclusion 172 Exercises 174 Chapter 7. Detecting, Responding to, and Recovering from Security Incidents 177 Differences from Traditional IT 178 What to Watch 179 Privileged User Access 181 Logs from Defensive Tooling 183 Cloud Service Logs and Metrics 186 Operating System Logs and Metrics 187 Middleware Logs 188 Secrets Server 188 Your Application 188 How to Watch 189 Aggregation and Retention 190 Parsing Logs 191 Searching and Correlation 192 Alerting and Automated Response 192 Security Information and Event Managers 193 Threat Hunting 195 Preparing for an Incident 195 Team 196 Plans 197 Tools 199 Responding to an Incident 201 Cyber Kill Chains and MITRE ATT&CK 201 The OODA Loop 203 Cloud Forensics 204 Blocking Unauthorized Access 205 Stopping Data Exfiltration and Command and Control 205 Recovery 205 Redeploying IT Systems 205 Notifications 206 Lessons Learned 206 Example Metrics 206 Example Tools for Detection, Response, and Recovery 207 Detection and Response in a Sample Application 208 Monitoring the Protective Systems 209 Monitoring the Application 210 Monitoring the Administrators 211 Understanding the Auditing Infrastructure 211 Conclusion 212 Exercises 214 Appendix. Exercise Solutions 215 Chapter 1 215 Chapter 2 216 Chapter 3 216 Chapter 4 217 Chapter 5 217 Chapter 6 218 Chapter 7 219 Index 221 About the Author 230 Colophon 230