Enterprise cloud security and governance : efficiently set data protection and privacy principles / Zeal Vora.

Available online:
EBSCOhost Academic eBook Collection (North America)
Ebook Central College Complete
O'Reilly Online Learning: Academic/Public Library Edition
Format:
Book
Author/Creator:
Vora, Zeal, author.
Language:
English
Subjects (All):
Cloud computing--Security measures.
Cloud computing.
Computer networks--Security measures.
Computer networks.
Physical Description:
1 online resource (387 pages) : illustrations
Edition:
1st edition
Place of Publication:
Birmingham, England : Packt Publishing, 2017.
System Details:
text file
Biography/History:
Vora, Zeal: Zeal Vora works as a DevSecOps Engineer, primarily in the area of defensive security. He spends his days implementing security controls that help mitigate attacks on both cloud environments and servers. He is actively involved in security consulting, helping startups that have been breached to recover and start again with a secure infrastructure.
Summary:
Build a resilient cloud architecture to tackle data disasters with ease.
About This Book
Get a firm grip on cloud data security and governance principles, irrespective of your cloud platform.
Filled with practical examples to ensure you secure your cloud environment efficiently.
This step-by-step guide will teach you the techniques and methodologies of cloud data governance.
Who This Book Is For
If you are a cloud security professional who wants to ensure cloud security and data governance no matter the environment, then this book is for you. A basic understanding of working on any cloud platform would be beneficial.
What You Will Learn
Configure your firewall and network ACLs
Protect your systems against DDoS attacks and application-level attacks
Explore cryptography and data security for your cloud
Get to grips with configuration management tools to automate your security tasks
Perform vulnerability scanning with the help of industry-standard tools
Get to know about central log management
In Detail
Modern-day businesses and enterprises are moving to the cloud to improve efficiency and speed, achieve flexibility and cost-effectiveness, and get access to on-demand cloud services. However, enterprise cloud security remains a major concern for many businesses, because migrating to the public cloud means transferring control over organizational assets to the cloud provider, and there is a chance those assets could be mismanaged. Therefore, as a cloud security professional, you need to be on your toes and armed with techniques that help businesses minimize the risk and free management from worrying about misuse of business data. This book starts with the basics of cloud security and gives you an understanding of the various policy, governance, and compliance challenges in the cloud.
This lays a strong foundation before you dive deep into what it takes to design a secure network infrastructure and application architecture using the security services available in the cloud environment. You will learn to automate security tasks such as server hardening with Ansible, and to use tools such as Monit to watch other security daemons and take appropriate action if those daemons are stopped maliciously. In short, this book has everything you need to secure your cloud environment with industry-adopted best practices and to develop a secure, highly available, and fault-tolerant architecture for orga...
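The server hardening with Ansible and the Monit watchdog that the summary describes, as an added example (this is not code from the book): one playbook that enforces a few sshd settings idempotently and installs a Monit check that restarts auditd if it is stopped. The inventory group `web`, systemd, `/etc/ssh/sshd_config`, and the Monit drop-in directory `/etc/monit.d` are assumptions (Debian/Ubuntu use `/etc/monit/conf.d`).

```yaml
# Added example, not taken from the book: harden sshd and have Monit
# restart auditd (and alert on repeated restarts) if the daemon is stopped.
# Assumptions: inventory group "web", systemd, sshd_config at
# /etc/ssh/sshd_config, Monit drop-ins in /etc/monit.d.
- name: Harden SSH and watch security daemons on cloud web servers
  hosts: web
  become: true
  vars:
    ssh_port: 22   # change only after the firewall / security group allows the new port
  tasks:
    - name: Enforce sshd settings (root login, password auth, X11, port)
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^#?{{ item.key }}\s'
        line: "{{ item.key }} {{ item.value }}"
        validate: /usr/sbin/sshd -t -f %s   # refuse to write a config sshd would not load
      loop:
        - { key: PermitRootLogin, value: "no" }
        - { key: PasswordAuthentication, value: "no" }
        - { key: X11Forwarding, value: "no" }
        - { key: Port, value: "{{ ssh_port }}" }
      notify: restart sshd

    - name: Ensure Monit is installed
      ansible.builtin.package:
        name: monit
        state: present

    - name: Have Monit restart auditd if it is stopped, and alert on repeated restarts
      ansible.builtin.copy:
        dest: /etc/monit.d/auditd
        mode: "0600"
        content: |
          check process auditd matching "auditd"
            start program = "/bin/systemctl start auditd"
            stop program  = "/bin/systemctl stop auditd"
            if 3 restarts within 5 cycles then alert
      notify: reload monit

    - name: Make sure Monit itself is enabled and running
      ansible.builtin.service:
        name: monit
        state: started
        enabled: true

  handlers:
    - name: restart sshd
      ansible.builtin.service:
        name: sshd
        state: restarted

    - name: reload monit
      ansible.builtin.service:
        name: monit
        state: reloaded
```

Run it first in dry mode, `ansible-playbook -i inventory harden.yml --check --diff`, to see what would change, then without `--check`. The `validate` step only guards against a syntactically broken sshd_config; it does not protect you from locking yourself out, so keep your current session open and test a fresh login before closing it, and change `ssh_port` only once the corresponding firewall or security-group rule exists. Monit keeps a daemon from staying dead, but an attacker with root can stop Monit as well, which is why the book layers host-based intrusion detection, auditd, and central log management on top of it.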
Contents:
Cover
Copyright
Credits
About the Author
About the Reviewer
www.PacktPub.com
Customer Feedback
Table of Contents
Preface
Chapter 1: The Fundamentals of Cloud Security
Getting started
Service models
Software as a service
Platform as a service
Infrastructure as a service
Deployment models
Cloud security
Why is cloud security considered hard?
Our security posture
Virtualization - cloud's best friend
Understanding the ring architecture
Hardware virtualization
Full virtualization with binary translation
Paravirtualization
Hardware-assisted virtualization
Distributed architecture in virtualization
Enterprise virtualization with oVirt
Encapsulation
Point in time snapshots
Isolation
Risk assessment in cloud
Service Level Agreement
Business Continuity Planning - Disaster Recovery (BCP/DR)
Business Continuity Planning
Disaster Recovery
Recovery Time Objective
Recovery Point Objective
Relation between RTO and RPO
Real world use case of Disaster Recovery
Use case to understand BCP/DR
Policies and governance in cloud
Audit challenges in the cloud
Implementation challenges for controls on CSP side
Vulnerability assessment and penetration testing in the cloud
Use case of a hacked server
Summary
Chapter 2: Defense in Depth Approach
The CIA triad
Confidentiality
Integrity
Availability
A use case
Understanding all three aspects
The use case
Introducing Defense in Depth
First layer - network layer
Second layer - platform layer
Third layer - application layer
Fourth layer - data layer
Fifth layer - response layer
Chapter 3: Designing Defensive Network Infrastructure
Why do we need cryptography?
The TCP/IP model
Scenario
The Network Transport Layer
The Internet Protocol Layer
The Transport Layer
The Application Layer
Firewalls
How does a firewall work?
How does a firewall inspect packets?
3-way handshake
Modes of firewall
Stateful packet inspection
Stateless packet inspection
Architecting firewall rules
The deny all and allow some approach
The allow all and deny some approach
Firewall justification document
A sample firewall justification document
Inbound rules
Outbound rules
Tracking firewall changes with alarms
Best practices
Application layer security
Intrusion Prevention Systems
Overview architecture of IPS
IPS in a cloud environment
Implementing IPS in the cloud
Deep Security
Anti-malware
Application control
The IPS functionality
A real-world example
Implementation
Advantages that IPS will bring to a cloud environment
A web application firewall
Architecture
Network segmentation
Understanding a flat network
Segmented network
Network segmentation in cloud environments
Segmentation in cloud environments
Rule of thumb
Accessing management
Bastion hosts
The workings of bastion hosts
The workings of SSH agent forwarding
Practical implementation of bastion hosts
Security of bastion hosts
Benefits of bastion hosts
Disadvantages of bastion hosts
Virtual Private Network
Routes - after VPN is connected
Installation of OpenVPN
Security for VPN
Recommended tools for VPN
Approaching private hosted zones for DNS
Public hosted zones
Private hosted zones
Challenge
Solution
Chapter 4: Server Hardening
The basic principle of host-based security
Keeping systems up-to-date
The Windows update methodology
The Linux update methodology
Using the security functionality of YUM
Approach for automatic security updates installation
Developing a process to update servers regularly
Knowledge base
Challenges on a larger scale
Partitioning and LUKS
Partitioning schemes
A separate partition for /boot
A separate partition for /tmp
A separate partition for /home
Conclusion
LUKS
Introduction to LUKS
Access control list
Use case
Introduction to Access Control List
Set ACL
Show ACL
Special permissions in Linux
SUID
Use case for SUID
Understanding the permission associated with ping
Setting a SUID bit for files
Removing the SUID bit for files
SETGID
Associating the SGID for files
SELinux
Introduction to SELinux
Permission sets in SELinux
SELinux modes
Confinement of Linux users to SELinux users
Process confinement
Hardening system services and applications
Hardening services
Guide for hardening SSH
Enable multi-factor authentication
Associated configuration
Changing the SSH default port
Associate configuration
Disabling the root login
Pluggable authentication modules
Team Screen application
File Sharing Application
Understanding PAM
The architecture of PAM
The PAM configuration
The PAM command structure
Implementation scenario
Forcing strong passwords
Log all user commands
System auditing with auditd
Introduction to auditd
Use case 1 - tracking activity of important files
First field
Use case 2 - monitoring system calls
Introduction to system calls
Central identity server
Use Case 1
Use case 2
The architecture of IPA
Client-server architecture
User access management
Best practices to follow
Single sign-on
Ideal solution
Advantages of an SSO solution
Challenges in the classic method of authentication
Security Assertion Markup Language
The high-level overview of working
Choosing the right identity provider
Building an SSO from scratch
Host Based Intrusion Detection System
Exploring OSSEC
File integrity monitoring
Log monitoring and active response
The hardened image approach
Implementing hardening standards in scalable environments
Important to remember
Chapter 5: Cryptography Network Security
Introduction to cryptography
Authenticity
Real world scenario
Non-repudiation
Types of cryptography
Symmetric key cryptography
Stream cipher
The encryption process
The decryption process
Advantages of stream ciphers
Block cipher (AES)
Padding
Modes of block ciphers
Message authentication codes
The MAC approach
The challenges with symmetric key storage
Hardware security modules
The challenges with HSM in on-premise
A real-world scenario
HSM on the cloud
CloudHSM
Key management service
The basic working of AWS KMS
Encrypting a function in KMS
Decrypting a function in KMS
Practical guide
Configuring AWS CLI
The decryption function
Envelope encryption
Implementation steps
Practical implementation of envelope encryption
Credential management system with KMS
Best practices in key management
Rotation life cycle for encryption keys
Scenario 1-a single key for all data encryption
Scenario 2-multiple keys for data encryption
Protecting the access keys
Audit trail is important
Asymmetric key encryption
The basic working
Authentication with the help of an asymmetric key
Digital signatures
The benefits and use cases of a digital signature
SSL/TLS
Scenario 1 - A man-in-the-middle attack-storing credentials
Scenario 2 - A man-in-the-middle attack-integrity attacks
Working of SSL/TLS
Client Hello
Server Hello
Certificate
Server key exchange
Server Hello done
Client key exchange
Change cipher spec
Security related to SSL/TLS
Grading TLS configuration with SSL Labs
Default Settings
Perfect forward secrecy
Implementation of perfect forward secrecy in nginx
HTTP Strict Transport Security
Implementing HSTS in nginx
Verifying the integrity of a certificate
Online certificate status protocol
OCSP stapling
Challenge 1
Challenge 2
An ideal solution
Implementing TLS termination at the ELB level
Selecting cipher suites
Importing certificate
AWS certificate manager
Use case 1
Introduction to AWS Certificate Manager
Chapter 6: Automation in Security
Configuration management
Ansible
Remote command execution
The structure of the Ansible playbook
Playbook for SSH hardening
Running Ansible in dry mode
Run and rerun and rerun
Ansible mode of operations
Ansible pull
Attaining the desired state with Ansible pull
Auditing servers with Ansible notifications
The Ansible Vault
Deploying the nginx Web Server
Ansible best practices
Terraform
Infrastructure migration
Installing Terraform
Working with Terraform
Integrating Terraform with Ansible
Terraform best practices
AWS Lambda
Cost optimization
Achieving a use case through AWS Lambda
Testing the Lambda function
Start EC2 function
Integrating the Lambda function with events
Summary
Chapter 7: Vulnerability, Pentest, and Patch Management
Notes:
Includes index.
Description based on online resource; title from PDF title page (EBC, viewed February 6, 2018).
OCLC:
1020496765