Index
Title Page
Copyright
Enterprise Cloud Security and Governance
Credits
About the Author
About the Reviewer
www.PacktPub.com
Why subscribe?
Customer Feedback
Preface
What this book covers
What you need for this book
Who this book is for
Conventions
Reader feedback
Customer support
Downloading the color images of this book
Errata
Piracy
Questions
The Fundamentals of Cloud Security
Getting started
Service models
Software as a service
Platform as a service
Infrastructure as a service
Deployment models
Cloud security
Why is cloud security considered hard?
Our security posture
Virtualization – cloud's best friend
Understanding the ring architecture
Hardware virtualization
Full virtualization with binary translation
Paravirtualization
Hardware-assisted virtualization
Distributed architecture in virtualization
Enterprise virtualization with oVirt
Encapsulation
Point in time snapshots
Isolation
Risk assessment in cloud
Service Level Agreement
Business Continuity Planning – Disaster Recovery (BCP/DR)
Business Continuity Planning
Disaster Recovery
Recovery Time Objective
Recovery Point Objective
Relation between RTO and RPO
Real world use case of Disaster Recovery
Use case to understand BCP/DR
Policies and governance in cloud
Audit challenges in the cloud
Implementation challenges for controls on CSP side
Vulnerability assessment and penetration testing in the cloud
Use case of a hacked server
Summary
Defense in Depth Approach
The CIA triad
Confidentiality
Integrity
Availability
A use case
Understanding all three aspects
The use case
Introducing Defense in Depth
First layer – network layer
Second layer – platform layer
Third layer – application layer
Fourth layer – data layer
Fifth layer – response layer
Summary
Designing Defensive Network Infrastructure
Why do we need cryptography?
The TCP/IP model
Scenario
The Network Transport Layer
The Internet Protocol Layer
The Transport Layer
The Application Layer
Firewalls
How a firewall works
How does a firewall inspect packets?
3-way handshake
Modes of firewall
Stateful packet inspection
Stateless packet inspection
Architecting firewall rules
The deny all and allow some approach
The allow all and deny some approach
Firewall justification document
A sample firewall justification document
Inbound rules
Outbound rules
Tracking firewall changes with alarms
Best practices
Application layer security
Intrusion Prevention Systems
Overview architecture of IPS
IPS in a cloud environment
Implementing IPS in the cloud
Deep Security
Anti-malware
Application control
The IPS functionality
A real-world example
Implementation
Advantages that IPS will bring to a cloud environment
A web application firewall
Architecture
Implementation
Network segmentation
Understanding a flat network
Segmented network
Network segmentation in cloud environments
Segmentation in cloud environments
Rule of thumb
Accessing management
Bastion hosts
The workings of bastion hosts
The workings of SSH agent forwarding
Practical implementation of bastion hosts
Security of bastion hosts
Benefits of bastion hosts
Disadvantages of bastion hosts
Virtual Private Network
Routes – after VPN is connected
Installation of OpenVPN
Security for VPN
Recommended tools for VPN
Approaching private hosted zones for DNS
Public hosted zones
Private hosted zones
Challenge
Solution
Summary
Server Hardening
The basic principle of host-based security
Keeping systems up-to-date
The Windows update methodology
The Linux update methodology
Using the security functionality of YUM
Approach for automatic security updates installation
Developing a process to update servers regularly
Knowledge base
Challenges on a larger scale
Partitioning and LUKS
Partitioning schemes
A separate partition for /boot
A separate partition for /tmp
A separate partition for /home
Conclusion
LUKS
Introduction to LUKS
Solution
Conclusion
Access control list
Use case
Introduction to Access Control List
Set ACL
Show ACL
Special permissions in Linux
SUID
Use case for SUID
Understanding the permission associated with ping
Setting a SUID bit for files
Removing the SUID bit for files
SETGID
Associating the SGID for files
SELinux
Introduction to SELinux
Permission sets in SELinux
SELinux modes
Confinement of Linux users to SELinux users
Process confinement
Conclusion
Hardening system services and applications
Hardening services
Guide for hardening SSH
Enable multi-factor authentication
Associated configuration
Changing the SSH default port
Associated configuration
Disabling the root login
Associated configuration
Conclusion
Pluggable authentication modules
Team Screen application
File Sharing Application
Understanding PAM
The architecture of PAM
The PAM configuration
The PAM command structure
Implementation scenario
Forcing strong passwords
Log all user commands
Conclusion
System auditing with auditd
Introduction to auditd
Use case 1 – tracking activity of important files
Use case
Solution
First field
Use case 2 - monitoring system calls
Introduction to system calls
Use case
Solution
Conclusion
Conclusion
Central identity server
Use Case 1
Use case 2
The architecture of IPA
Client-server architecture
User access management
Best practices to follow
Conclusion
Single sign-on
Ideal solution
Advantages of an SSO solution
Challenges in the classic method of authentication
Security Assertion Markup Language
The high-level overview of working
Choosing the right identity provider
Building an SSO from scratch
Host-Based Intrusion Detection System
Exploring OSSEC
File integrity monitoring
Log monitoring and active response
Conclusion
The hardened image approach
Implementing hardening standards in scalable environments
Important to remember
Conclusion
Summary
Cryptography Network Security
Introduction to cryptography
Integrity
Authenticity
Real world scenario
Non-repudiation
Types of cryptography
Symmetric key cryptography
Stream cipher
The encryption process
The decryption process
Advantages of stream ciphers
Block cipher (AES)
Padding
Modes of block ciphers
Message authentication codes
The MAC approach
The challenges with symmetric key storage
Hardware security modules
The challenges with HSM in on-premise
A real-world scenario
HSM on the cloud
CloudHSM
Key management service
The basic working of AWS KMS
Encrypting a function in KMS
Decrypting a function in KMS
Implementation
Practical guide
Configuring AWS CLI
The decryption function
Envelope encryption
The encryption process
The decryption process
Implementation steps
Practical implementation of envelope encryption
Credential management system with KMS
Implementation
Best practices in key management
Rotation life cycle for encryption keys
Scenario 1–a single key for all data encryption
Scenario 2–multiple keys for data encryption
Protecting the access keys
Audit trail is important
Asymmetric key encryption
The basic working
Authentication with the help of an asymmetric key
Digital signatures
The benefits and use cases of a digital signature
SSL/TLS
Scenario 1 – A man-in-the-middle attack–storing credentials
Scenario 2 – A man-in-the-middle attack–integrity attacks
Working of SSL/TLS
Client Hello
Server Hello
Certificate
Server key exchange
Server Hello done
Client key exchange
Change cipher spec
Security related to SSL/TLS
Grading TLS configuration with SSL Labs
Default Settings
Perfect forward secrecy
Implementation of perfect forward secrecy in nginx
HTTP Strict Transport Security
Implementing HSTS in nginx
Verifying the integrity of a certificate
Online certificate status protocol
OCSP stapling
Challenge 1
Challenge 2
An ideal solution
Architecture
Implementing TLS termination at the ELB level
Selecting cipher suites
Importing certificate
AWS certificate manager
Use case 1
Use case 2
Introduction to AWS Certificate Manager
Summary
Automation in Security
Configuration management
Ansible
Remote command execution
The structure of the Ansible playbook
Playbook for SSH hardening
Running Ansible in dry mode
Run and rerun and rerun
Ansible mode of operations
Ansible pull
Attaining the desired state with Ansible pull
Auditing servers with Ansible notifications
The Ansible Vault
Deploying the nginx Web Server
Solution
Ansible best practices
Terraform
Infrastructure migration
Installing Terraform
Working with Terraform
Integrating Terraform with Ansible
Terraform best practices
AWS Lambda
Cost optimization
Achieving a use case through AWS Lambda
Testing the Lambda function
Start EC2 function
Integrating the Lambda function with events
Summary
Vulnerability, Pentest, and Patch Management
Introduction to vulnerability assessment
Common Vulnerabilities and Exposures
Common Vulnerability Scoring System (CVSS)
Understanding risks
Determining the likelihood
Defining the impact
Risk mitigation
A sample scan report
How a vulnerability scanner works
Best practices
Patch management
Solution 1
Solution 2
Solution 3
Centralized patch management
Architecture
Installing the Spacewalk server
Import the CentOS 7 repository
Create activation keys
Configuring clients
Pushing updates to clients
Organizing servers in groups
Systems set manager
The life cycle of patch management
Important points to remember
Best practices
Standardize the stacks
All systems must be connected to Spacewalk
Develop a back out plan
Push in a systematic way
Rolling updates
All at once
Challenges
Containers and patch management
Introduction to Docker
Setting up Docker
Summary
Security Logging and Monitoring
Continuous security and monitoring
Real world scenario
Log monitoring is a must in security
Key aspects of continuous security monitoring
Operational considerations
Understanding what is normal versus abnormal
Choosing the right log monitoring tool
Let's get started with logging and monitoring
VPC flow logs
AWS Config
Configuring the AWS Config service
Let's analyze the functionality
Evaluating changes to resources
Security Incident and Event Management
Log monitoring is reactive in nature
Best practices
Set the right base
Structure your logs
Transform granular events to high level
Determine whom to notify when an event occurs
Summary
First Responder
Real world use case
Use case
Understanding the incident
Handling the incidents
Incident response plan
Preparation
Educate
Stick to the plan
Incident response process
Preparation
Use case
Detection
Use case
Containment
Use case
Remediation
Use case
Recovery
Use case
Lessons learned
Use case
Insider threats
Use case
Early indications of insider threats
Holding unexpected simulation
Summary
Best Practices
Cloud readiness
Network readiness
Server readiness
Bonus points
Summary