Enterprise Cloud Security and Governance: Efficiently set data protection and privacy principles.
Modern-day businesses and enterprises are moving to the cloud to improve efficiency and speed, achieve flexibility and cost-effectiveness, and take advantage of on-demand cloud services. However, enterprise cloud security remains a major concern for many businesses, because migrating to the public cloud require...
| Classification: | Electronic book |
|---|---|
| Main author: | |
| Other authors: | |
| Format: | Electronic eBook |
| Language: | English |
| Published: | Birmingham : Packt Publishing, 2017. |
| Subjects: | |
| Online access: | Full text |

Table of Contents:
- Cover
- Copyright
- Credits
- About the Author
- About the Reviewer
- www.PacktPub.com
- Customer Feedback
- Table of Contents
- Preface
- Chapter 1: The Fundamentals of Cloud Security
- Getting started
- Service models
- Software as a service
- Platform as a service
- Infrastructure as a service
- Deployment models
- Cloud security
- Why is cloud security considered hard?
- Our security posture
- Virtualization - cloud's best friend
- Understanding the ring architecture
- Hardware virtualization
- Full virtualization with binary translation
- Paravirtualization
- Hardware-assisted virtualization
- Distributed architecture in virtualization
- Enterprise virtualization with oVirt
- Encapsulation
- Point in time snapshots
- Isolation
- Risk assessment in cloud
- Service Level Agreement
- Business Continuity Planning/Disaster Recovery (BCP/DR)
- Business Continuity Planning
- Disaster Recovery
- Recovery Time Objective
- Recovery Point Objective
- Relation between RTO and RPO
- Real world use case of Disaster Recovery
- Use case to understand BCP/DR
- Policies and governance in cloud
- Audit challenges in the cloud
- Implementation challenges for controls on CSP side
- Vulnerability assessment and penetration testing in the cloud
- Use case of a hacked server
- Summary
- Chapter 2: Defense in Depth Approach
- The CIA triad
- Confidentiality
- Integrity
- Availability
- A use case
- Understanding all three aspects
- The use case
- Introducing Defense in Depth
- First layer - network layer
- Second layer - platform layer
- Third layer - application layer
- Fourth layer - data layer
- Fifth layer - response layer
- Summary
- Chapter 3: Designing Defensive Network Infrastructure
- Why do we need cryptography?
- The TCP/IP model
- Scenario
- The Network Transport Layer
- The Internet Protocol Layer
- The Transport Layer
- The Application Layer
- Firewalls
- How a firewall works?
- How does a firewall inspect packets?
- 3-way handshake
- Modes of firewall
- Stateful packet inspection
- Stateless packet inspection
- Architecting firewall rules
- The deny all and allow some approach
- The allow all and deny some approach
- Firewall justification document
- A sample firewall justification document
- Inbound rules
- Outbound rules
- Tracking firewall changes with alarms
- Best practices
- Application layer security
- Intrusion Prevention Systems
- Overview architecture of IPS
- IPS in a cloud environment
- Implementing IPS in the cloud
- Deep Security
- Anti-malware
- Application control
- The IPS functionality
- A real-world example
- Implementation
- Advantages that IPS will bring to a cloud environment
- A web application firewall
- Architecture
- Implementation
- Network segmentation
- Understanding a flat network
- Segmented network
- Network segmentation in cloud environments
- Segmentation in cloud environments
- Rule of thumb
- Accessing management
- Bastion hosts
- The workings of bastion hosts
- The workings of SSH agent forwarding
- Practical implementation of bastion hosts
- Security of bastion hosts
- Benefits of bastion hosts
- Disadvantages of bastion hosts
- Virtual Private Network
- Routes after VPN is connected
- Installation of OpenVPN
- Security for VPN
- Recommended tools for VPN
- Approaching private hosted zones for DNS
- Public hosted zones
- Private hosted zones
- Challenge
- Solution
- Summary
- Chapter 4: Server Hardening
- The basic principle of host-based security
- Keeping systems up-to-date
- The Windows update methodology
- The Linux update methodology
- Using the security functionality of YUM
- Approach for automatic security updates installation
- Developing a process to update servers regularly
- Knowledge base
- Challenges on a larger scale
- Partitioning and LUKS
- Partitioning schemes
- A separate partition for /boot
- A separate partition for /tmp
- A separate partition for /home
- Conclusion
- LUKS
- Introduction to LUKS
- Solution
- Conclusion
- Access control list
- Use case
- Introduction to Access Control List
- Set ACL
- Show ACL
- Special permissions in Linux
- SUID
- Use case for SUID
- Understanding the permission associated with ping
- Setting a SUID bit for files
- Removing the SUID bit for files
- SETGID
- Associating the SGID for files
- SELinux
- Introduction to SELinux
- Permission sets in SELinux
- SELinux modes
- Confinement of Linux users to SELinux users
- Process confinement
- Conclusion
- Hardening system services and applications
- Hardening services
- Guide for hardening SSH
- Enable multi-factor authentication
- Associated configuration
- Changing the SSH default port
- Associate configuration
- Disabling the root login
- Associated configuration
- Conclusion
- Pluggable authentication modules
- Team Screen application
- File Sharing Application
- Understanding PAM
- The architecture of PAM
- The PAM configuration
- The PAM command structure
- Implementation scenario
- Forcing strong passwords
- Log all user commands
- Conclusion
- System auditing with auditd
- Introduction to auditd
- Use case 1 - tracking activity of important files
- Use case
- Solution
- First field
- Use case 2 - monitoring system calls
- Introduction to system calls
- Use case
- Solution
- Conclusion
- Conclusion
- Central identity server
- Use Case 1
- Use case 2
- The architecture of IPA
- Client-server architecture
- User access management
- Best practices to follow
- Conclusion
- Single sign-on
- Ideal solution
- Advantages of an SSO solution
- Challenges in the classic method of authentication
- Security Assertion Markup Language
- The high-level overview of working
- Choosing the right identity provider
- Building an SSO from scratch
- Host-Based Intrusion Detection System
- Exploring OSSEC
- File integrity monitoring
- Log monitoring and active response
- Conclusion
- The hardened image approach
- Implementing hardening standards in scalable environments
- Important to remember
- Conclusion
- Summary
- Chapter 5: Cryptography Network Security
- Introduction to cryptography
- Integrity
- Authenticity
- Real world scenario
- Non-repudiation
- Types of cryptography
- Symmetric key cryptography
- Stream cipher
- The encryption process
- The decryption process
- Advantages of stream ciphers
- Block cipher (AES)
- Padding
- Modes of block ciphers
- Message authentication codes
- The MAC approach
- The challenges with symmetric key storage
- Hardware security modules
- The challenges with HSM in on-premise
- A real-world scenario
- HSM on the cloud
- CloudHSM
- Key management service
- The basic working of AWS KMS
- Encrypting a function in KMS
- Decrypting a function in KMS
- Implementation
- Practical guide
- Configuring AWS CLI
- The decryption function
- Envelope encryption
- The encryption process
- The decryption process
- Implementation steps
- Practical implementation of envelope encryption
- Credential management system with KMS
- Implementation
- Best practices in key management
- Rotation life cycle for encryption keys
- Scenario 1-a single key for all data encryption
- Scenario 2-multiple keys for data encryption
- Protecting the access keys
- Audit trail is important
- Asymmetric key encryption
- The basic working
- Authentication with the help of an asymmetric key
- Digital signatures
- The benefits and use cases of a digital signature
- SSL/TLS
- Scenario 1
- A man-in-the-middle attack-storing credentials
- Scenario 2
- A man-in-the-middle attack-integrity attacks
- Working of SSL/TLS
- Client Hello
- Server Hello
- Certificate
- Server key exchange
- Server Hello done
- Client key exchange
- Change cipher spec
- Security related to SSL/TLS
- Grading TLS configuration with SSL Labs
- Default Settings
- Perfect forward secrecy
- Implementation of perfect forward secrecy in nginx
- HTTP Strict Transport Security
- Implementing HSTS in nginx
- Verifying the integrity of a certificate
- Online certificate status protocol
- OCSP stapling
- Challenge 1
- Challenge 2
- An ideal solution
- Architecture
- Implementing TLS termination at the ELB level
- Selecting cipher suites
- Importing certificate
- AWS certificate manager
- Use case 1
- Use case 2
- Introduction to AWS Certificate Manager
- Summary
- Chapter 6: Automation in Security
- Configuration management
- Ansible
- Remote command execution
- The structure of the Ansible playbook
- Playbook for SSH hardening
- Running Ansible in dry mode
- Run and rerun and rerun
- Ansible mode of operations
- Ansible pull
- Attaining the desired state with Ansible pull
- Auditing servers with Ansible notifications
- The Ansible Vault
- Deploying the nginx Web Server
- Solution
- Ansible best practices
- Terraform
- Infrastructure migration
- Installing Terraform
- Working with Terraform
- Integrating Terraform with Ansible
- Terraform best practices
- AWS Lambda
- Cost optimization
- Achieving a use case through AWS Lambda
- Testing the Lambda function
- Start EC2 function
- Integrating the Lambda function with events
- Summary