E-book
Author Vora, Zeal

Title Enterprise Cloud Security and Governance : Efficiently set data protection and privacy principles
Published Birmingham : Packt Publishing, 2017

Description 1 online resource (406 pages)
Contents Cover -- Copyright -- Credits -- About the Author -- About the Reviewer -- www.PacktPub.com -- Customer Feedback -- Table of Contents -- Preface
Chapter 1: The Fundamentals of Cloud Security -- Getting started -- Service models -- Software as a service -- Platform as a service -- Infrastructure as a service -- Deployment models -- Cloud security -- Why is cloud security considered hard? -- Our security posture -- Virtualization -- cloud's best friend -- Understanding the ring architecture -- Hardware virtualization -- Full virtualization with binary translation -- Paravirtualization -- Hardware-assisted virtualization -- Distributed architecture in virtualization -- Enterprise virtualization with oVirt -- Encapsulation -- Point in time snapshots -- Isolation -- Risk assessment in cloud -- Service Level Agreement -- Business Continuity Planning -- Disaster Recovery (BCP/DR) -- Business Continuity Planning -- Disaster Recovery -- Recovery Time Objective -- Recovery Point Objective -- Relation between RTO and RPO -- Real world use case of Disaster Recovery -- Use case to understand BCP/DR -- Policies and governance in cloud -- Audit challenges in the cloud -- Implementation challenges for controls on CSP side -- Vulnerability assessment and penetration testing in the cloud -- Use case of a hacked server -- Summary
Chapter 2: Defense in Depth Approach -- The CIA triad -- Confidentiality -- Integrity -- Availability -- A use case -- Understanding all three aspects -- The use case -- Introducing Defense in Depth -- First layer -- network layer -- Second layer -- platform layer -- Third layer -- application layer -- Fourth layer -- data layer -- Fifth layer -- response layer -- Summary
Chapter 3: Designing Defensive Network Infrastructure -- Why do we need cryptography? -- The TCP/IP model -- Scenario -- The Network Transport Layer -- The Internet Protocol Layer -- The Transport Layer -- The Application Layer -- Firewalls -- How a firewall works? -- How does a firewall inspect packets? -- 3-way handshake -- Modes of firewall -- Stateful packet inspection -- Stateless packet inspection -- Architecting firewall rules -- The deny all and allow some approach -- The allow all and deny some approach -- Firewall justification document -- A sample firewall justification document -- Inbound rules -- Outbound rules -- Tracking firewall changes with alarms -- Best practices -- Application layer security -- Intrusion Prevention Systems -- Overview architecture of IPS -- IPS in a cloud environment -- Implementing IPS in the cloud -- Deep Security -- Anti-malware -- Application control -- The IPS functionality -- A real-world example -- Implementation -- Advantages that IPS will bring to a cloud environment -- A web application firewall -- Architecture -- Implementation -- Network segmentation -- Understanding a flat network -- Segmented network -- Network segmentation in cloud environments -- Segmentation in cloud environments -- Rule of thumb -- Accessing management -- Bastion hosts -- The workings of bastion hosts -- The workings of SSH agent forwarding -- Practical implementation of bastion hosts -- Security of bastion hosts -- Benefits of bastion hosts -- Disadvantages of bastion hosts -- Virtual Private Network -- Routes -- after VPN is connected -- Installation of OpenVPN -- Security for VPN -- Recommended tools for VPN -- Approaching private hosted zones for DNS -- Public hosted zones -- Private hosted zones -- Challenge -- Solution -- Summary
Chapter 4: Server Hardening -- The basic principle of host-based security -- Keeping systems up-to-date -- The Windows update methodology -- The Linux update methodology -- Using the security functionality of YUM -- Approach for automatic security updates installation -- Developing a process to update servers regularly -- Knowledge base -- Challenges on a larger scale -- Partitioning and LUKS -- Partitioning schemes -- A separate partition for /boot -- A separate partition for /tmp -- A separate partition for /home -- Conclusion -- LUKS -- Introduction to LUKS -- Solution -- Conclusion -- Access control list -- Use case -- Introduction to Access Control List -- Set ACL -- Show ACL -- Special permissions in Linux -- SUID -- Use case for SUID -- Understanding the permission associated with ping -- Setting a SUID bit for files -- Removing the SUID bit for files -- SETGID -- Associating the SGID for files -- SELinux -- Introduction to SELinux -- Permission sets in SELinux -- SELinux modes -- Confinement of Linux users to SELinux users -- Process confinement -- Conclusion -- Hardening system services and applications -- Hardening services -- Guide for hardening SSH -- Enable multi-factor authentication -- Associated configuration -- Changing the SSH default port -- Associate configuration -- Disabling the root login -- Associated configuration -- Conclusion -- Pluggable authentication modules -- Team Screen application -- File Sharing Application -- Understanding PAM -- The architecture of PAM -- The PAM configuration -- The PAM command structure -- Implementation scenario -- Forcing strong passwords -- Log all user commands -- Conclusion -- System auditing with auditd -- Introduction to auditd -- Use case 1 -- tracking activity of important files -- Use case -- Solution -- First field -- Use case 2 -- monitoring system calls -- Introduction to system calls -- Use case -- Solution -- Conclusion -- Conclusion -- Central identity server -- Use Case 1 -- Use case 2 -- The architecture of IPA -- Client-server architecture -- User access management -- Best practices to follow -- Conclusion -- Single sign-on -- Idea solution -- Advantages of an SSO solution -- Challenges in the classic method of authentication -- Security Assertion Markup Language -- The high-level overview of working -- Choosing the right identity provider -- Building an SSO from scratch -- Hosted Based Intrusion Detection System -- Exploring OSSEC -- File integrity monitoring -- Log monitoring and active response -- Conclusion -- The hardened image approach -- Implementing hardening standards in scalable environments -- Important to remember -- Conclusion -- Summary
Chapter 5: Cryptography Network Security -- Introduction to cryptography -- Integrity -- Authenticity -- Real world scenario -- Non-repudiation -- Types of cryptography -- Symmetric key cryptography -- Stream cipher -- The encryption process -- The decryption process -- Advantages of stream ciphers -- Block cipher (AES) -- Padding -- Modes of block ciphers -- Message authentication codes -- The MAC approach -- The challenges with symmetric key storage -- Hardware security modules -- The challenges with HSM in on-premise -- A real-world scenario -- HSM on the cloud -- CloudHSM -- Key management service -- The basic working of AWS KMS -- Encrypting a function in KMS -- Decrypting a function in KMS -- Implementation -- Practical guide -- Configuring AWS CLI -- The decryption function -- Envelope encryption -- The encryption process -- The decryption process -- Implementation steps -- Practical implementation of envelope encryption -- Credential management system with KMS -- Implementation -- Best practices in key management -- Rotation life cycle for encryption keys -- Scenario 1-a single key for all data encryption -- Scenario 2-multiple keys for data encryption -- Protecting the access keys -- Audit trail is important -- Asymmetric key encryption -- The basic working -- Authentication with the help of an asymmetric key -- Digital signatures -- The benefits and use cases of a digital signature -- SSL/TLS -- Scenario 1 -- A man-in-the-middle attack-storing credentials -- Scenario 2 -- A man-in-the-middle attack-integrity attacks -- Working of SSL/TLS -- Client Hello -- Server Hello -- Certificate -- Server key exchange -- Server Hello done -- Client key exchange -- Change cipher spec -- Security related to SSL/TLS -- Grading TLS configuration with SSL Labs -- Default Settings -- Perfect forward secrecy -- Implementation of perfect forward secrecy in nginx -- HTTP Strict Transport Security -- Implementing HSTS in nginx -- Verifying the integrity of a certificate -- Online certificate status protocol -- OCSP stapling -- Challenge 1 -- Challenge 2 -- An ideal solution -- Architecture -- Implementing TLS termination at the ELB level -- Selecting cipher suites -- Importing certificate -- AWS certificate manager -- Use case 1 -- Use case 2 -- Introduction to AWS Certificate Manager -- Summary
Chapter 6: Automation in Security -- Configuration management -- Ansible -- Remote command execution -- The structure of the Ansible playbook -- Playbook for SSH hardening -- Running Ansible in dry mode -- Run and rerun and rerun -- Ansible mode of operations -- Ansible pull -- Attaining the desired state with Ansible pull -- Auditing servers with Ansible notifications -- The Ansible Vault -- Deploying the nginx Web Server -- Solution -- Ansible best practices -- Terraform -- Infrastructure migration -- Installing Terraform -- Working with Terraform -- Integrating Terraform with Ansible -- Terraform best practices -- AWS Lambda -- Cost optimization -- Achieving a use case through AWS Lambda -- Testing the Lambda function -- Start EC2 function -- Integrating the Lambda function with events -- Summary
Summary Modern day businesses and enterprises are moving to cloud simply to improve efficiency and speed, achieve flexibility and cost-effectiveness, and for on-demand cloud services. However, enterprise cloud security remains a major concern for many businesses because migrating to the public cloud requires transferring some control over ..
Notes Print version record
Subject Cloud computing -- Security measures
Computer networks -- Security measures.
Computer networking & communications.
Cloud computing.
Computer systems back-up & data recovery.
Privacy & data protection.
Computers -- System Administration -- Disaster & Recovery.
Computers -- Internet -- Security.
Form Electronic book
Author Pruteanu, Adrian
ISBN 1788298519
9781788298513