49,19 €
Mehr erfahren.
- Herausgeber: Packt Publishing
- Kategorie: Fachliteratur
- Sprache: Englisch
This book, updated to include the latest research and developments in cloud security, is essential for security professionals, DevOps engineers, penetration testers, cloud security engineers, and cloud software developers. It offers practical approaches to securing cloud infrastructure and applications against threats, attacks, and data breaches. The content is refined for better accessibility and engagement, providing a comprehensive guide to cloud security.
The course starts with fundamental cloud security concepts and progresses to hands-on assessment techniques based on real-world case studies. It covers cloud architecture, IAM for authentication and authorization, network security, database and storage security, cryptography controls, secure code review, and monitoring and logging. The practical strategies for assessing security and privacy are crucial for building a robust cloud infrastructure.
The journey concludes with advanced topics such as privacy in the cloud, identifying security flaws and attacks, and understanding the impact of malicious code. New case studies reveal how threat actors exploit cloud environments, offering preventative measures to enhance cloud security. This structured approach ensures a thorough understanding and practical application of cloud security principles.
Das E-Book können Sie in Legimi-Apps oder einer beliebigen App lesen, die das folgende Format unterstützen:
Seitenzahl: 511
Veröffentlichungsjahr: 2024
Ähnliche
EMPIRICALCLOUD SECURITY
LICENSE, DISCLAIMER OF LIABILITY, AND LIMITED WARRANTY
By purchasing or using this book (the “Work”), you agree that this license grants permission to use the contents contained herein, but does not give you the right of ownership to any of the textual content in the book or ownership to any of the information or products contained in it. This license does not permit uploading of the Work onto the Internet or on a network (of any kind) without the written consent of the Publisher. Duplication or dissemination of any text, code, simulations, images, etc. contained herein is limited to and subject to licensing terms for the respective products, and permission must be obtained from the Publisher or the owner of the content, etc., in order to reproduce or network any portion of the textual material (in any media) that is contained in the Work.
MERCURY LEARNINGAND INFORMATION (“MLI” or “the Publisher”) and anyone involved in the creation, writing, production, accompanying algorithms, code, or computer programs (“the software”), and any accompanying Web site or software of the Work, cannot and do not warrant the performance or results that might be obtained by using the contents of the Work. The author, developers, and the Publisher have used their best efforts to ensure the accuracy and functionality of the textual material and/or programs contained in this package; we, however, make no warranty of any kind, express or implied, regarding the performance of these contents or programs. The Work is sold “as is” without warranty (except for defective materials used in manufacturing the book or due to faulty workmanship).
The author, developers, and the publisher of any accompanying content, and anyone involved in the composition, production, and manufacturing of this work will not be liable for damages of any kind arising out of the use of (or the inability to use) the algorithms, source code, computer programs, or textual material contained in this publication. This includes, but is not limited to, loss of revenue or profit, or other incidental, physical, or consequential damages arising out of the use of this Work.
The sole remedy in the event of a claim of any kind is expressly limited to replacement of the book and only at the discretion of the Publisher. The use of “implied warranty” and certain “exclusions” vary from state to state, and might not apply to the purchaser of this product.
EMPIRICALCLOUD SECURITY
Practical Intelligence toEvaluate Risks and Attacks
ADITYA K. SOOD
Copyright ©2021 by MERCURY LEARNING AND INFORMATION LLC. All rights reserved.
This publication, portions of it, or any accompanying software may not be reproduced in any way, stored in a retrieval system of any type, or transmitted by any means, media, electronic display or mechanical display, including, but not limited to, photocopy, recording, Internet postings, or scanning, without prior permission in writing from the publisher.
Publisher: David Pallai
MERCURY LEARNINGAND INFORMATION
22841 Quicksilver Drive
Dulles, VA 20166
www.merclearning.com
800-232-0223
Aditya K. Sood. Empirical Cloud Security: Practical Intelligence to Evaluate Risks and Attacks.
ISBN: 978-1-68392-685-6
The publisher recognizes and respects all marks used by companies, manufacturers, and developers as a means to distinguish their products. All brand names and product names mentioned in this book are trademarks or service marks of their respective companies. Any omission or misuse (of any kind) of service marks or trademarks, etc. is not an attempt to infringe on the property of others.
Library of Congress Control Number: 2021934304212223321 This book is printed on acid-free paper in the United States of America.
Our titles are available for adoption, license, or bulk purchase by institutions, corporations, etc.For additional information, please contact the Customer Service Dept. at 800-232-0223(toll free).
All of our titles are available in digital format at academiccourseware.com and other digital vendors. The sole obligation of MERCURY LEARNING AND INFORMATION to the purchaser is to replace the book, based on defective materials or faulty workmanship, but not based on the operation or functionality of the product.
I would like to dedicate this book to my family,my wonderful wife, Roshni K Sood, and my son,Divye K Sood, for providing continuous support tocomplete this book. I am also indebted to my parents,my brother, my sister, and my mentor.
CONTENTS
Chapter 1 Cloud Architecture and Security Fundamentals
Understanding Cloud Virtualization
Cloud Computing Models
Comparing Virtualization and Cloud Computing
Containerization in the Cloud
Components of Containerized Applications
Serverless Computing in the Cloud
Components of Serverless Applications
The Characteristics of VMs, Containers, and Serverless Compu-ting
Embedding Security in the DevOps Model
Understanding Cloud Security Pillars
Cloud Security Testing and Assessment Methodologies
References
Chapter 2 IAM for Authentication and Authorization: Security Assessment
Understanding Identity and Access Management Policies
IAM Policy Types and Elements
IAM Policy Variables and Identifiers
Managed and Inline Policy Characterization
IAM Users, Groups, and Roles
Trust Relationships and Cross-Account Access
IAM Access Policy Examples
IAM Access Permission Policy
IAM Resource-based Policy
Role Trust Policy
Identity and Resource Policies: Security Misconfigurations
Confused Deputy Problems
Over-Permissive Role Trust Policy
Guessable Identifiers in Role Trust Policy
Privilege Escalation via an Unrestricted IAM Resource
Insecure Policies for Serverless Functions
Unrestricted Access to Serverless Functions
Serverless Functions with Administrative Privileges
Serverless Function Untrusted Cross-Account Access
Unrestricted Access to the VPC Endpoints
Insecure Configuration in Passing IAM Roles to Services
Uploading Unencrypted Objects to Storage Buckets Without Ownership
Misconfigured Origin Access Identity for CDN Distribution
Authentication and Authorization Controls Review
Multi Factor Authentication (MFA)
User Credential Rotation
Password Policy Configuration
Administrative or Root Privileges
SSH Access Keys for Cloud Instances
Unused Accounts, Credentials, and Resources
API Gateway Client-Side Certificates for Authenticity
Key Management Service (KMS) Customer Master Keys
Users Authentication from Approved IP Addresses and Locations
Recommendations
Automation Scripts for Security Testing
MFA Check (mfa_check.sh)
IAM Users Administrator Privileges Analysis (iam_users_admin_root_privileges.sh )
IAM Users SSH Keys Analysis (iam_users_ssh_keys_check.sh)
References
Chapter 3 Cloud Infrastructure: Network Security Assessment
Network Security: Threats and Flaws
Why Perform a Network Security Assessment?
Understanding Security Groups and Network Access Control Lists
Understanding VPC Peering
Security Misconfigurations in SGs and NACLs
Unrestricted Egress Traffic via SGs Outbound Rules
Unrestricted Egress Traffic via NACLs Outbound Rules
Insecure NACL Rule Ordering
Over-Permissive Ingress Rules
Cloud Network Infrastructure: Practical Security Issues
Insecure Configuration of Virtual Private Clouds
Public IP Assignment for Cloud Instances in Subnets
Over-Permissive Routing Table Entries
Lateral Movement via VPC Peering
Insecure Bastion Hosts Implementation
Outbound Connectivity to the Internet
Missing Malware Protection and File Integrity Monitoring (FIM)
Password-Based Authentication for the Bastion SSH Ser-vice
Insecure Cloud VPN Configuration
Insecure and Obsolete SSL/TLS Encryption Support for OpenVPN
Unrestricted VPN Web Client and Administrator Inter-face
Exposed Remote Management SSH Service on VPN Host
IPSec and Internet Key Exchange (IKE) Assessment
Reviewing Deployment Schemes for Load Balancers
Application Load Balancer Listener Security
Network Load Balancer Listener Security
Insecure Implementation of Network Security Resiliency Ser-vices
Universal WAF not Configured
Non-Integration of WAF with a Cloud API Gateway
Non-Integration of WAF with CDN
Missing DDoS Protection with Critical Cloud Services
Exposed Cloud Network Services: Case Studies
AWS Credential Leakage via Directory Indexing
OpenSSH Service Leaking OS Information
OpenSSH Service Authentication Type Enumeration
OpenSSH Service with Weak Encryption Ciphers
RDP Services with Insecure TLS Configurations
Portmapper Service Abuse for Reflective DDoS Attacks
Information Disclosure via NTP Service
Leaked REST API Interfaces via Unsecured Software
Unauthorized Operations via Unsecured Cloud Data Flow Server
Information Disclosure via Container Monitoring Software In-terfaces
Credential Leakage via Unrestricted Automation Server In-terfaces
Data Disclosure via Search Cluster Visualization Interfaces
Insecure DNS Servers Prone to Multiple Attacks
Recommendations
References
Chapter 4 Database and Storage Services: Security Assessment
Database Cloud Deployments
Deploying Databases as Cloud Services
Databases Running on Virtual Machines
Containerized Databases
Cloud Databases
Cloud Databases: Practical Security Issues
Verifying Authentication State of Cloud Database
Database Point-in Time Recovery Backups Not Enabled
Database Active Backups and Snapshots Not Encrypted
Database Updates Not Configured
Database Backup Retention Time Period Not Set
Database Delete Protection Not Configured
Cloud Storage Services
Cloud Storage Services: Practical Security Issues
Security Posture Check for Storage Buckets
Unencrypted Storage Volumes, Snapshots, and Filesystems
Unrestricted Access to Backup Snapshots
Automating Attack Testing Against Cloud Databases and Storage Services
Unsecured Databases and Storage Service Deployments: Case Studies
Publicly Exposed Storage Buckets
Unsecured Redis Instances with Passwordless Access
Penetrating the Exposed MySQL RDS Instances
Data Destruction via Unsecured Memcached Interfaces
Privilege Access Verification of Exposed CouchDB Interfaces
Keyspace Access and Dumping Credentials for Exposed Cassandra Interfaces
Data Exfiltration via Search Queries on Exposed Elastic-search Interface
Dropping Databases on Unsecured MongoDB Instances
Exploiting Unpatched Vulnerabilities in Database Instances: Case Studies
Privilege Escalation and Remote Command Execution in CouchDB
Reverse Shell via Remote Code Execution on Elastic-search/Kibana
Remote Code Execution via JMX/RMI in Cassandra
Recommendations
References
Chapter 5 Design and Analysis of Cryptography Controls: Security Assessment
Understanding Data Security in the Cloud
Cryptographic Techniques for Data Security
Data Protection Using Server-Side Encryption (SSE)
Client-Side Data Encryption Using SDKs
Data Protection Using Transport Layer Encryption
Cryptographic Code: Application Development and Opera-tions
Crypto Secret Storage and Management
Data Security: Cryptographic Verification and Assessment
Machine Image Encryption Test
File System Encryption Test
Storage Volumes and Snapshots Encryption Test
Storage Buckets Encryption Test
Storage Buckets Transport Encryption Policy Test
TLS Support for Data Migration Endpoints Test
Encryption for Cloud Clusters
Node-to-Node Encryption for Cloud Clusters
Encryption for Cloud Streaming Services
Encryption for Cloud Notification Services
Encryption for Cloud Queue Services
Cryptographic Library Verification and Vulnerability Assess-ment
TLS Certificate Assessment of Cloud Endpoints
TLS Security Check of Cloud Endpoints
Hard-Coded Secrets in the Cloud Infrastructure
Hard-Coded AES Encryption Key in the Lambda Function
Hard-Coded Credentials in a Docker Container Image
Hard-Coded Jenkins Credentials in a CloudFormation Template
Cryptographic Secret Storage in the Cloud
Recommendations for Applied Cryptography Practice
References
Chapter 6 Cloud Applications: Secure Code Review
Why Perform a Secure Code Review?
Introduction to Security Frameworks
Application Code Security: Case Studies
Insecure Logging
Exceptions Not Logged for Analysis
Data Leaks From Logs Storing Sensitive Information
Insecure File Operations and Handling
File Uploading with Insecure Bucket Permissions
Insecure File Downloading from Storage Buckets
File Uploading to Storage Buckets Without Server-side Encryption
File Uploading to Storage Buckets Without Client-Side Encryption
Insecure Input Validations and Code Injections
Server-Side Request Forgery
Function Event Data Injections
Cloud Database NoSQL Query Injections
Loading Environment Variables without Security Valida-tion
HTTP Rest API Input Validation using API Gateway
CORS Origin Header Server-Side Verification and Valida-tion
Insecure Application Secrets Storage
Hard-Coded Credentials in Automation Code
Leaking Secrets in the Console Logs via the Lambda Function
Insecure Configuration
Content-Security-Policy Misconfiguration
Use of Outdated Software Packages and Libraries
Obsolete SDKs Used for Development
Code Auditing and Review Using Automated Tools
Recommendations
References
Chapter 7 Cloud Monitoring and Logging: Security Assessment
Understanding Cloud Logging and Monitoring
Log Management Lifecycle
Log Publishing and Processing Models
Categorization of Log Types
Enumerating Logging Levels
Logging and Monitoring: Security Assessment
Event Trails Verification for Cloud Management Accounts
Cloud Services Logging: Configuration Review
ELB and ALB Access Logs
Storage Buckets Security for Archived Logs
API Gateway Execution and Access Logs
VPC Network Traffic Logs
Cloud Database Audit Logs
Cloud Serverless Functions Log Streams
Log Policies via Cloud Formation Templates
Transmitting Cloud Software Logs Over Unencrypted Chan-nels
Sensitive Data Leakage in Cloud Event Logs
Case Studies: Exposed Cloud Logging Infrastructure
Scanning Web Interfaces for Exposed Logging Software
Leaking Logging Configurations for Microservice Software
Unrestricted Web Interface for the VPN Syslog Server
Exposed Elasticsearch Indices Leaking Nginx Access Logs
Exposed Automation Server Leaks Application Build Logs
Sensitive Data Exposure via Logs in Storage Buckets
Unrestricted Cluster Interface Leaking Executor and Jobs Logs
Recommendations
References
Chapter 8 Privacy in the Cloud
Understanding Data Classification
Data Privacy by Design Framework
Learning Data Flow Modeling
Data Leakage and Exposure Assessment
Privacy Compliance and Laws
EU General Data Protection Regulation (GDPR)
California Consumer Privacy Act (CCPA)
A Primer of Data Leakage Case Studies
Sensitive Documents Exposure via Cloud Storage Buckets
Data Exfiltration via Infected Cloud VM Instances
Exposed SSH Keys via Unsecured Cloud VM Instances
Environment Mapping via Exposed Database Web Interfac-es
Data Leakage via Exposed Access Logs
Data Leakage via Application Execution Logs
PII Leakage via Exposed Cloud Instance API Interfaces
Stolen Data: Public Advertisements for Monetization
Recommendations
References
Chapter 9 Cloud Security and Pri-vacy: Flaws, Attacks, and Impact Assessments
Understanding the Basics of Security Flaws, Threats, and At-tacks
Understanding the Threat Actors
Security Threats in the Cloud Environment and Infrastructure
Security Flaws in Cloud Virtualization
Security Flaws in Containers
Virtualization and Containerization Attacks
Security Flaws in Cloud Applications
Application-Level Attacks
Security Flaws in Operating Systems
OS-Level Attacks
Security Flaws in Cloud Access Management and Services
Network-Level Attacks
Security Flaws in the Code Development Platform
Hybrid Attacks via Social Engineering and Malicious Code
Security Impact Assessment
Privacy Impact Assessment
Secure Cloud Design Review Benchmarks
Recommendations
References
Chapter 10 Malicious Code in the Cloud
Malicious Code Infections in the Cloud
Malicious Code Distribution: A Drive-By Download Attack Mod-el
Hosting Malicious Code in Cloud Storage Services
Abusing a Storage Service’s Inherent Functionality
Distributing Malicious IoT Bot Binaries
Hosting Scareware for Social Engineering
Distributing Malicious Packed Windows Executables
Compromised Cloud Database Instances
Ransomware Infections in Elasticsearch Instances
Ransomware Infections in MongoDB Instances
Elasticsearch Data Destruction via Malicious Bots
Malicious Code Redirecting Visitors to Phishing Webpages
Deployments of Command and Control Panels
Malicious Domains Using Cloud Instances to Spread Mal-ware
Cloud Instances Running Cryptominers via Cron Jobs
Indirect Attacks on Target Cloud Infrastructure
Cloud Account Credential Stealing via Phishing
Unauthorized Operations via Man-in-the-Browser Attack
Exfiltrating Cloud CLI Stored Credentials
Exfiltrating Synchronization Token via Man-in-the-Cloud At-tacks
Infecting Virtual Machines and Containers
Exploiting Vulnerabilities in Network Services
Exposed and Misconfigured Containers
Injecting Code in Container Images
Unsecured API Endpoints
Stealthy Execution of Malicious Code in VMs
Deploying Unpatched Software
Malicious Code Injection via Vulnerable Applications
References
Chapter 11 Threat Intelligence and Malware Protection in the Cloud
Threat Intelligence
Threat Intelligence in the Cloud
Threat Intelligence Classification
Threat Intelligence Frameworks
DNI Cyber Threat Framework
MITRE ATT & CK Framework
Conceptual View of a Threat Intelligence Platform
Understanding Indicators of Compromise and Attack
Indicators of Compromise and Attack Types
Indicators of Compromise and Attack Data Specification and Exchange Formats
Indicators of Compromise and Attack Policies
Implementing Cloud Threat Intelligence Platforms
Using AWS Services for Data Collection and Threat Intelli-gence
Enterprise Security Tools for Data Collection and Threat In-telligence
Open-Source Frameworks for Data Collection and Threat In-telligence
Hybrid Approach to Collecting and Visualizing Intelligence
Cloud Honeypot Deployment for Data Collection
Threat Intelligence: Use Cases Based on Security Controls
Scanning Storage Buckets for Potential Infections
Detecting Brute-Force Attacks Against Exposed SSH/RDP Services
Scanning Cloud Instances for Potential Virus Infections
Understanding Malware Protection
Malware Detection
Malware Prevention
Techniques, Tactics, and Procedures
References
Conclusion
Appendix A List of Serverless Computing Services
Appendix B List of Serverless Frameworks
Appendix C List of SaaS, PaaS, IaaS, and FaaS Providers
Appendix D List of Containerized Services and Open Source Software
Appendix E List of Critical RDP Vulnerabilities
Appendix F List of Network Tools and Scripts
Appendix G List of Databases De-fault TCP/UDP Ports
Appendix H List of Database As-sessment Tools, Commands, and Scripts
Appendix I List of CouchDB API Commands and Resources
Appendix J List of CQLSH Cas-sandra Database SQL Queries
Appendix K List of Elasticsearch Queries
Appendix L AWS Services CLI Commands
Appendix M List of Vault and Se-cret Managers
Appendix N List of TLS Security Vulnerabilities for Assessment
Appendix O List of Cloud Logging and Monitoring Services
Index
PREFACE
The world is rapidly transitioning from traditional data centers to running workloads in the cloud, enabling greater flexibility, scalability, and mobility. Indeed, cloud technologies are here to stay and will play a pivotal role in defining the direction of digital transformation and processing data at an unprecedented scale to address the needs of an ever-evolving and growing digital sphere. Because data is now the new global currency, cloud technologies will also be increasingly targeted by threat actors. Considering that, securing the cloud has become the most critical task in ensuring data confidentiality, availability, and integrity. That’s why I wrote this book –to share the latest methodologies, strategies, and best practices for securing the cloud infrastructure and applications and ultimately minimizing data and business continuity risks.
Managing and securing the cloud infrastructure and applications over the past 13 years, I have seen firsthand the problems that arise when cloud security is not approached top-down. Experience has taught me that it is essential to take a holistic approach to cloud security and to follow a defense-in-depth strategy including both proactive and reactive security approaches to mitigate security threats and risks. I have compiled in this book all of the practical knowledge I have gained with the goal of helping you conduct an efficient assessment of the deployed security controls in your cloud environments.
Who Should Read This Book
This book is intended for security and risk assessment professionals, DevOps engineers, penetration testers, cloud security engineers, and cloud software developers who are interested in learning practical approaches to cloud security. I assume that you understand the basics of cloud infrastructure, and that you are familiar with DevOps practices in which applications are developed and deployed with security, reliability, and agility baked in.
What You Will Learn
You will learn practical strategies for assessing the security and privacy of your cloud infrastructure and applications. This is not an introduction to cloud security; rather this is a hands-on guide for security practitioners with real-world case studies. By the end of this book, you will know how to:
systematically assess the security posture of your cloud environments.
determine where your environments are most vulnerable to threats.
deploy robust security and privacy controls in the cloud.
enhance your cloud security at scale.
This book is authored to serve the purpose on how to make your cloud infrastructure secure to combat threats and attacks and prevent data breaches.
Technology, Tools, and Techniques You Need to Understand
To get the most out of this book, you need a basic understanding of cloud infrastructure and application development, plus security and privacy assessment techniques and the relevant tools. I recommend the understanding of the following concepts to ensure that you have a solid foundation of prerequisite knowledge:
Knowledge of cloud environments, such as Amazon Web Services (AWS), Google Cloud (GC), and Microsoft Azure Cloud (MAC), to help you to efficiently grasp the concepts. Every cloud environment supports the Command Line Interface (CLI) tool to interface with all the inherent cloud components and services. For example, Amazon cloud has “aws,” Microsoft Azure has “az,” and Google Cloud provides “gcloud” CLI tools. To ensure consistency while discussing the security assessment concepts, the security and privacy controls are assessed against AWS cloud primarily, so “aws” CLI is used often in this book. Hands-on knowledge of these CLI tools is expected. However, as part of the real-world case studies, other cloud environments are targeted as well.
Knowledge of a wide variety of security assessment techniques, such as penetration testing, source code review, configuration review, vulnerability assessment, threat hunting, malware analysis, and risk assessment. All these techniques and approaches can be categorized under the security assessment methodologies such as blackbox, whitebox, and graybox. A basic understanding of these methodologies and techniques is required to assess the security posture of the cloud environments.
Understanding the basics of data privacy in the cloud, including the latest compliance standards such as the General Data Protection Regulation (GDPR) and California Consumer Protection Act (CCPA).
When you read the chapters, you will notice that I use a number of inherent command line tools to discuss the real-world case studies, the IP addresses and domain names, including potentially sensitive information, are masked for the cloud instances and hosts. Please note that the “XXX-YYY”, [Date Masked], and other patterns used to mask the information. In many cases, the output from the tools and commands is truncated to only discuss relevant and contextual information related to the concepts presented.
Navigating This Book
The book encompasses a number of chapters dedicated to specific security assessments of different cloud components. You can also read the individual chapters as needed. The chapters are designed with a granular framework, starting with the security concepts followed by hands-on assessment techniques based on real-world studies and concluding with recommendations including best practices. However, I strongly believe that that knowledge you gain from the book is directly applicable to the cloud environments you manage and operate.
Although every chapter is dedicated to specific security controls, the book as a whole is authored with a well-structured theme. The book consists of key cloud security topics:
Chapter 1 covers cloud architecture and security fundamentals.
Chapter 2 highlights the authentication and authorization security issues in the cloud.
Chapter 3 focuses on the network security assessment of the cloud components.
Chapter 4 highlights the database and storage services security and assessment.
Chapter 5 discusses the security risks and assessment of cryptographic controls.
Chapter 6 covers the insecure coding practices in cloud application development.
Chapter 7 highlights the assessment of controls related to continuous monitoring and logging in the cloud.
Chapter 8 unveils the concepts of implementing data privacy in the cloud and assessment of associated controls.
Chapter 9 enables you to conduct security and risk assessments to analyze the risk and impacts associated with different resources in the cloud infrastructure.
Chapter 10 presents the case studies revealing how threat actors abuse and exploit cloud environments to spread malware.
Chapter 11 focuses on the threat intelligence and malware protection strategies that you can opt to detect and subvert attacks.
The book takes a completely holistic approach to security and elaborates on why it is important to implement security controls at every layer of the cloud infrastructure to build a multi-layer defense. The book is authored on the premise of “Trust but Verify,” which holds that you must assess the security controls after implementation to unearth gaps and flaws that threat actors can exploit to conduct nefarious and unauthorized operations. The book can serve as a reference guide that enables you to mitigate security risks and threats in cloud environments by adopting a robust and empirical approach to cloud security and privacy.
To help you learn and grasp the concepts, I structured the book in a uniform manner. As the book focuses on practical assessment of cloud security, I reference all the tools and commands in the references section and appendices with additional information. This helps you to explore more context presented in the individual chapter, including the usage of tools.
More important, the book empowers readers to understand technical security concepts in-depth and how to assess the security and risk posture of their cloud infrastructure. The intelligence shared in this book enables security practitioners and engineers to secure their organization’s cloud infrastructure using both proactive and reactive approaches to security.
I hope you will enjoy reading this book to gain practical knowledge and apply the same to enhance the security posture of your cloud environment.
Aditya K. SoodMarch 2021
ACKNOWLEDGMENTS
I have deep respect for all the members of the cloud security and privacy community who work day and night to contribute to the cause of making the cloud secure and enabling data privacy at scale. I’d like to thank all the technical reviewers who provided valuable feedback that helped nurture this book to completion.
I would also like to acknowledge all the efforts made by Jeannie Warner, CISSP and Martin Johnson for reviewing the technical content and providing suggestions to help improve the book.
ABOUT THE AUTHOR
Aditya K. Sood (PhD) is a cybersecurity advisor, practitioner, researcher, and consultant. With more than 13 years of experience, he provides strategic leadership in the field of information security, covering products and infrastructure. He is experienced in helping businesses achieve their goals by making security a salable business trait. Dr. Sood is well-versed in designing algorithms by harnessing security intelligence and data science. During his career, he has worked with cross-functional teams, management, and customers to create the best-of-breed information security experience.
Dr. Sood has research interests in cloud security, IoT security, malware automation and analysis, application security, and secure software design. He has worked on projects pertaining to product/appliance security, networks, mobile, and Web applications while serving Fortune 500 clients utilizing IOActive and KPMG. His papers have appeared in magazines and journals, including IEEE, Elsevier, Crosstalk, ISACA, Virus Bulletin, and USENIX. His work has been featured in media outlets, including the Associated Press, Fox News, The Register, Guardian, Business Insider, and CBC. He has been an active speaker at industry conferences and presented at Blackhat, DEFCON, HackInTheBox, RSA, Virus Bulletin, and OWASP. Dr. Sood obtained his PhD from Michigan State University in Computer Science. Dr. Sood is also the author of Targeted Cyber Attacks, a book published by Syngress.
He has held positions as the Senior Director of Threat Research and Security Strategy, Head (Director) of Cloud Security, Chief Architect of Cloud Threat Labs, Lead Architect and Researcher, and Senior Consultant while working for companies such as F5 Networks, Symantec, Blue Coat, Elastica, IOActive, Coseinc, and KPMG.
CHAPTER 1
CLOUD ARCHITECTURE ANDSECURITY FUNDAMENTALS
Chapter Objectives
Understanding Cloud Virtualization
Cloud Computing Models
Comparing Virtualization and Cloud Computing
Containerization in the CloudComponents of Containerized Applications
Serverless Computing in the CloudComponents of Serverless Applications
The Characteristics of VMs, Containers, and Serverless Computing
Embedding Security in the DevOps Model
Understanding Cloud Security Pillars
Cloud Security Testing and Assessment Methodologies
References
In this chapter, you will learn the basic concepts of cloud computing: virtualization, computing models, containerization, and the cloud security pillars. Understanding these fundamentals is critical to accurately assess and design security and privacy controls. You will also gain knowledge regarding the different techniques related to the security assessment of cloud infrastructure and applications.
Understanding Cloud Virtualization
Virtualization1 is a technology designed to share and utilize a physical instance of an infrastructural resource such as desktop, server, storage, or operating system (OS) to create multiple simulated environments. This necessitates the use of a hypervisor, which is a virtualization software program that enables hardware to host multiple Virtual Machines (VMs). Hypervisors have the ability to allocate physical machine resources to VMs in a dynamic manner. In other words, you can name the physical systems as hosts and VMs as guests. In addition, hypervisors are categorized as either a
Type 1 Hypervisor – a bare-metal hypervisor that runs on the physical hardware of the host machine.
Type 2 Hypervisor – a hosted hypervisor that runs on the top of the existing OS.
A Virtual Machine Manager (VMM) is a unified management and intuitive hypervisor software program that handles the orchestration of multiple VMs. You can install VMMs in multiple ways – refer to Table 1-1 for different types of virtualization techniques.
Types of Virtualization
Virtualization
Description
Pros
Cons
Server Virtualization
Deploy VMM on the server.
Divide the single physical server into multiple virtual servers for resource sharing.
Efficient and reliable backup and recovery.
Supports IT operations automation and infrastructure scaling.
Significant upfront costs.
May not support proprietary business applications.
Lower security and data protection due to sharing of physical hardware.
Hardware Virtualization
Install the VMM directly on the hardware system.
VM hypervisor manages the memory, processor, and related hardware resources.
Reduces the maintenance overhead.
High delivery speed and rate of return with quality of information.
Requires explicit support in the host Central Processing Unit (CPU).
Limits scalability and efficiency due to CPU overhead.
Minimizes the set of changes required in the guest OS.
Risk of data damage due to deletion as data storage occurs in one system.
OS Virtualization
Install VMM on the OS.
Perform assessments and test applications with multiple simulated environments.
Multiple VMs operate independently and support different OS.
Limited impact of malfunctions as crash impacts only specific VM.
VMs migration between different servers is easy due to portability.
Significant system administrative overhead to maintain, secure and update OS.
Heavy file system consumption due to duplicate files.
Heavy consumption of system resources, such as RAM and CPU, impacts performance.
Storage Virtualization
Abstract the physical storage into a pool of network storage devices to define a centralized storage that multiple VMs can use.
Implement backup and storage in a virtualized environment.
Network Attached Storage (NAS) accesses the data as files whereas Storage Attached Network (SAN) stores data at the block level.
Streamline and non-disruptive data migration between storage devices and components.
Efficient utilization through pooling, migration, and provisioning services using shared pool of storage.
Centralized management of scattered storage devices across networks using concept of monolithic storage.
Vendor support and interoperability with specific software components.
Risks associated with metadata - losing metadata can impact the recovery of actual data due non-availability of mapping information.
Complex deployment scheme, including time-consuming recovery procedures from corrupted backups.
These are the principal examples for the different types of virtualization models.
Cloud Computing Models
Cloud computing2 refers to the deployment of multiple workloads in a scalable manner to serve on-demand system requirements and network resources. Building a centralized pool of resources (including the management layer) is essential to handle the infrastructure, applications, platforms, and data. To reduce human intervention, you need to construct an automation layer to dynamically manage the resource allocation within the pool. You can opt for different models of cloud computing based on the requirements to host various types of products. For the discussion of cloud computing (service) models, let’s use the NIST3 standard:
Software-as-a-Service (SaaS)
Platform-as-a-Service (PaaS)
Infrastructure-as-Service (IaaS)
Apart from the primary cloud computing models, you can also opt for the Function-as-a-Service (FaaS)4 model, which focuses more on the function rather than the infrastructure to execute code based on events.
To evaluate these cloud computing models, you need to examine the shared responsibility model for each to get complete clarity on the roles and responsibilities between users (cloud service customers) and vendors (cloud service providers). Based on the client and provider relationship, you should obtain clarity on the roles and responsibilities for implementing various cloud computing models and their corresponding security controls. See Table 1-2 for a responsibility matrix showing the characteristics (roles and responsibilities) mapped to different cloud computing models.
Cloud Computing Models - Responsibility Matrix
Characteristics: Roles and Responsibilities
IaaS
PaaS
FaaS
SaaS
Computing Function
Client
Client
Client
Provider
Hosted Applications
Client
Client
Provider
Provider
Data Store
Client
Client
Provider
Provider
Runtime
Client
Provider
Provider
Provider
Middleware
Client
Provider
Provider
Provider
Operating System
Client
Provider
Provider
Provider
Virtualization
Provider
Provider
Provider
Provider
Servers
Provider
Provider
Provider
Provider
Storage Resources
Provider
Provider
Provider
Provider
Networking Resources
Provider
Provider
Provider
Provider
At this point, the importance of a shared responsibility model cannot be understated. The reason is that the cloud computing responsibility matrix helps to determine the management of different types of security controls by you (client) and the cloud provider. In the real world, many enterprises support various cloud computing models as part of their business models. See Table 1-3 for a list of cloud computing providers.
Example of Different Cloud Computing Providers in the Real World
Cloud Computing Models
Cloud Providers
SaaS
Antenna SoftwareCloud9 Analytics, CVM Solutions, Exoprise Systems, Gageln, Host Analytics, Knowledge Tree, LiveOps, Reval, Taleo, NetSuite, Google Apps, Microsoft 365, Salesforce.com, Rackspace, IBM, and Joyent.
PaaS
Amazon AWS, Google Cloud, Microsoft Azure, SAP, SalesForce, Intuit, Netsuite, IBM, WorkXpress, and Joyent.
IaaS
Amazon AWS, Google Cloud, Microsoft Azure, Elastic Compute Cloud, Rackspace, Bluelock, CSC, GoGrid, IBM, OpenStack, Rackspace, Savvis, VMware, Terremark, Citrix, Joyent, and BluePoint.
FaaS
AWS Lambda, Google Cloud Functions, Microsoft Azure Functions, and IBM Cloud Functions.
With this familiarity for cloud computing models and the shared responsibility matrix, let’s analyze the differences between virtualization and cloud computing in the next section.
Comparing Virtualization and Cloud Computing
There is often confusion between the terms “virtualization” and “cloud computing.” To clarify, virtualization is one of several enabling technologies used to provide cloud computing services. Let’s examine some technological differences:
Virtualization delivers secure and isolated simulated environments using one physical system, whereas cloud environments are based on utilizing a pool of resources for on-demand use.
Virtualization is a technology, whereas cloud computing is an environment or a methodology. Cloud computing inherits the “You pay for what you need and use” consumption model.
Capital Expenditure (CAPEX) cost is high and Operating Expenses (OPEX) are low in virtualization, whereas in cloud computing, private cloud has a low CAPEX / high OPEX and for the public cloud, it is a high OPEX / low CAPEX.
Virtualization is a scale-up (adding more power to the existing machine) concept, whereas the premise of cloud computing is to scale-out (i.e., increase resources by adding more machines to share the processing power and memory workloads).
The goal of virtualization is to construct a single tenant, whereas a cloud environment target is to achieve multiple tenants.
For workloads, virtualization is stateful in nature whereas cloud environments (public and private) are stateless.
For configuration, virtualization uses image-based provisioning (clone VM images to install the OS on the host), whereas cloud environments use template-based provisioning (i.e., the template defines the steps to install the OS on the host).
Virtualization aims to improve hardware utilization and consolidate the server resources, while cloud computing delivers infrastructure scaling and resource allocation via pools in an automated manner.
Despite these differences in technology and usage, virtualization and cloud computing are interdependent. For instance, you use virtualization technology to build cloud environments in which resource allocation occurs in an automated manner from pooled resources. In addition, the management layer has administrative control over the infrastructure resources, platform, application, and data. In other words, you inherit controls from the virtualization technology to orchestrate cloud environments.
Containerization in the Cloud
Containerization5 is an operating system virtualization that builds and encapsulates software code, including dependencies, as a package that you deploy uniformly across any cloud infrastructure. Containerization speeds up the application development process and makes it more secure by eliminating single points of failure. It also enables you to handle the problem of porting code effectively from one infrastructure to another. It is easy to execute code independently on multiple clouds because the container package is independent of the host OS. Containerization eliminates the problem of cross-infrastructure code management for building a code package with the application code and associated libraries required for code execution. See Table 1-4 for more information on the characteristics of containers.
Characteristics of Containers
Containers Characteristics
Description
Portability
Develop the application code one time and run multiple times.
Lightweight and Efficient
Uses OS kernel and not the complete OS. Containers are smaller in size, require less start-up time.
Single Executable Package
Allow packaging of application code including libraries and dependencies into one software bundle.
Isolation
Execute in a dedicated process space. Multiple containers can run on single OS.
Improved Security
Reduce the risk of transmission of malicious code between containers and host invasion.
Fault Isolation
Minimal impact on adjacent containers if fault occurs in one specific container.
Easy Operational Management
Allow automation of install, scale, and management of containerized workloads and services.
After you understand the characteristics of containers that enable the building and execution of packaged code, the next step is to become familiar with the components of containerized applications.
Components of Containerized Applications
Understanding the basic components and structure of containerized applications is necessary for you to plan and conduct security assessments, which effectively unearth weaknesses and flaws in the packaged code. To understand basic components of the containerized application, see Table 1-5. Moreover, if you want to design containerized applications, knowledge about the internal components is a must.
Components of Containerized Applications
Component
Description
Container Host
The system software that executes containerized processes. It is a host running on VM or an instance in the cloud.
Registry Server
A registry server is a file server that stores container repositories. Containers push and pull repositories from the registry server via the connection interface set-up with a domain name system (DNS) designation and port number.
Container Image
A container image is an executable package comprising application code, runtime executables, libraries, and dependencies. Images when executed in the container engine become active containers.
Container Engine/ Runtime
A container engine processes the container image as per the commands defined in user requests. These requests pull images from repositories and execute them to launch containers. The engine has an embedded runtime component that provides functionality such as setting up security policies, rules, mount points, and metadata, including communication channels with the kernels needed to start containers.
Container Orchestrator
A container orchestrator supports development, QA, and production environments for continuous testing. A container orchestrator schedules workloads dynamically, including the provision of standardized application definition files.
Namespace
A namespace is a design followed to separate groups of repositories. A namespace can be a username, group name, or a logical name that share container images.
Kernel Namespace
A kernel namespace is a design followed to provide containers with dedicated OS features, such as mount points, network interfaces, process identifiers, and user identifiers.
Tags
Tags support the mapping of the different versions of the latest or best container images in the repositories. Tags allow labeling of the images when the builder generates new repositories.
Repositories
A container repository that stores different versions of container images.
Graph Driver
A graph driver maps stored images in the repositories to a local storage.
At this point, you should have a good understanding of containerization technology, including the components of containerized applications.
Serverless Computing in the Cloud
Serverless computing architecture allows you to perform lightweight cloud operations. The term “serverless” highlights that you (as developer or operator) do not need to invest time in the management of servers. The cloud provider Infrastructure-as-a-Service (IaaS) platform handles the allocation of machine resources in a dynamic manner. In this way, you can build and run applications (or services) without worrying about the management of the servers. See Table 1-6 to learn more about the characteristics of the serverless6 computing model.
Characteristics of Serverless Computing Model
Characteristic
Description
Stateless
No persistent storage of associated resources on the disk and re-using the same in the next set of invocations (synchronous, asynchronous, and polling) if defined in the same function handler. However, you can externalize the resources outside the function handler to re-use them in next invocations.
Ephemeral
Task execution is time-specific and purpose-driven. Once the task completes, the resources are set free.
Inheritance
Applications use the functionality that IaaS provides by directly importing the resources in stateless functions.
Scalable
Multiple instances can execute stateless functions in parallel.
Event-Trigger
Invoke functions via defined tasks, e.g., trigger the functions via a definitive event.
FaaS
A function (code or business logic) executes in the cloud environment using dynamically allocated resources.
Agility
Provides fast development, better resources, and structured services to provide a robust software development practice.
Dependency
Uses the functions imported from third-party services to directly hook into the environment.
Using the characteristics of the serverless computing model, let’s review some interesting points related to serverless applications:
IaaS platforms dynamically manage the provisioning of servers and resources to run serverless applications.
Serverless applications run in stateless containers configured for a single invocation.
Serverless applications are event-driven in nature and use a combination of third-party infrastructure services, application client logic, and Remote Procedure Calls (RPCs) packages hosted in the cloud.
You can include the Function-as-a-Service (FaaS) under the broad category of serverless computing.
Components of Serverless Applications
To build serverless applications, you need multiple components (See Table 1-7), such as a client-end application, a web server, a serverless function, and security tokens.
Components of Serverless Applications
Component
Details
Client-end Application
User interface of the application written in modern Web scripting languages, such as JavaScript, Vue, AngularJ, and React.
Web Server
Cloud services providing support for Web servers to host the application.
Serverless Function
Defining serverless function to implement a Function-as-a-Service (FaaS) model to execute tasks in a scalable manner.
Security Tokens
Security tokens generated by the cloud service to support authentication for the time period defined before token expiration.
Database Service
Dynamic storage service supporting database operations by storing and processing data.
Authentication Service
A cloud authentication service offers centralized access control policies that enforce the security requirements for applications. Most often, these include some form of security assurance markup language (SAML)-based challenge.
User Authorization Service
User authorization service is the mechanism to determine application access levels and users’ privileges related to system resources including functions, data, services, and features. Authorization services can add or revoke rivileges.
You can build and design serverless applications in a fast and scalable manner with increased agility and low cost. No need to worry about managing the infrastructure if you opt for serverless computing.
The Characteristics of VMs, Containers, and Serverless Computing
The comparative analysis matrix is presented in Table 1-8 which enables you to understand the pros and cons of each computing model.
Comparison between VMs, Containers, and Serverless Computing
Characteristics / Features
VMs
Containers
Serverless Computing
Virtualization / Abstraction Layer
Hardware
Operating System
Runtime
Deployment
Application Machine Image (AMI)
Container File
Code
Scalability Unit
Virtual Machine Instances
Container Instances
Event Concurrency
Processing
Multi-threaded
Multi-threaded
Single-threaded
Task Execution
Multi-tasking
Single-tasking
Single-tasking
Isolation
Entire OS Isolation
Namespaces and Groups
Function Execution
Deployment Time
Seconds to minutes
Milliseconds to seconds
Milliseconds
State
Stateful or Stateless
Stateful or Stateless
Stateless
Understanding the different characteristics or features of VMs, containers, and serverless computing helps you determine their effectiveness in associated cloud environments in real time, and provides a basis for understanding and implementing the right security for your DevOps environment.
Embedding Security in the DevOps Model
When managing cloud applications and infrastructure in an agile environment, you want to enforce security at both the development and the operations layer. To shorten the Software Development Life Cycle (SDLC), you should integrate the code development and IT operations in a Continuous Integration (CI) and Continuous Delivery (CD) process. A continuous integration of development, delivery, and security results in higher quality applications. DevOps7 serves as the CI/CD process for agile software development. The complete DevOps lifecycle management revolves around the coordination of multiple DevOps phases, including code development, integration, testing, monitoring, feedback, deployment, and operations.
As you construct applications, you must fulfill both functional and non-functional requirements (NFRs). Functional requirements are business-driven, and summarize what the application should do. NFRs define the holistic system attributes, such as security, reliability, performance, and ability to scale. NFRs are often the constraints or restrictions on the design of the system or application. Consider then that NFRs are represented in the “Sec” when combined with each form of DevOps. To introduce security into DevOps, you should embed associated controls into the life cycle. Table 1-9 highlights how you can embed security into DevOps using three different models – DevOpsSec8, DevSecOps9, and SecDevOps10.
Embedding Security in DevOps Models
Mechanism
Details
Development Lifecycle
Operations
DevOpsSec
Inject security after discrete development, deployment, and operations activities. The idea is to handle security issues as discovered.
Non-inclusion of security in the development lifecycle.
Non-inclusion of security in the supported operations.
DevSecOps
Inject security functions after the code development, as per the requirements.
Non-inclusion of security in the development lifecycle.
Light-weight approach to implement security controls during operations.
SecDevOps
Inclusion of security functions (best practices) directly in the Continuous Integration (CI) and Continuous Development (CD) pipeline.
Inclusion of security in the development lifecycle.
Inclusion of security functions during operations with priority.
At this point, you should have a firm grasp on how to design and deploy security controls in the DevOps model in an iterative manner to operate with secure agile development practices.
Understanding Cloud Security Pillars
As we have covered the different cloud computing models, such as IaaS, PaaS, and SaaS, in an earlier section, it is now important for you to understand the guidelines to implement security at different components of the cloud architecture. To do so, let’s look into a basic model of cloud security. See Figure 1-1 for initiating the thought process to dissect security in the cloud.
Figure 1-1
A basic cloud security model based on controls implementation
Following the above model, you can build the security controls required to prevent attacks originating from both external and internal environments. To do so, it is paramount to grasp the details of different components in the cloud environment based on a defense-in-depth (DiD) strategy. When we say a defense-in-depth strategy, what we mean is to dissect the cloud environment into multiple components, and then define the necessary list of security controls for each component at a granular level. For example, multiple layers of security need to protect data in the cloud. For that, you need to ensure the data-at-rest and data-in-transit security controls are in place to prevent attacks against data at rest or in transit by implementing encryption strategies. You also implement Data Leakage Prevention (DLP) control to detect sensitive data leakage in traffic. In addition, you also restrict the network traffic by implementing security groups and Access Control Lists (ACLs) / NACLs. The firewall at the network’s perimeter only allows specific protocol traffic to pass through. The Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) detects and prevents by conducting deep inspection of network traffic. All these layers highlight the DiD mechanism.
This definitive approach to embedding security throughout the function of the application and system infrastructure helps build multiple layers of security in your cloud environment. See Figure 1-2 for different cloud security pillars defined by each component in the cloud environment.
Figure 1-2
Security pillars for different components in the cloud environment
The cloud security pillars highlight areas where you need to deploy security controls in your environment. For any cloud computing model, such as IaaS, PaaS, FaaS, and SaaS, the architect should build cloud security pillars that deliver a defense-in-depth strategy. Security is a continuous process and not a one-time task. To understand cloud security pillars, see Table 1-10. You must ensure that cloud security pillars remain intact by building robust security controls into each component of the cloud environment.
Applying Security Guidelines at Various Components of Cloud Infrastructure
Cloud Security
Details
Application Security
Implement robust controls at the development layer to secure the cloud applications. Enable the processes to implement static testing and secure coding guidelines to subvert attacks at the code layer by identifying and eradicating vulnerable code.
Data Security
Verify that the data remains secure and resistant to leakage. Enable effective data management processes to preserve data integrity and confidentiality.
Middleware Security
Make sure that the middleware solutions used in the cloud environment as part of application deployment and development remain secure. Secure the middleware software that acts as a bridge among the operating system and database and cloud applications. Always use the latest stable version of middleware and deploy patches for known vulnerabilities.
Network Security
Validate that the cloud computing resources configured in the network remain secure with strong access controls. This secures critical resources by preventing and restricting unauthorized traffic and managing privileges in authorization.
Operating System Security
Ensure the operating system configured on the Virtual Machines (VMs) or containers remains secure and is not prone to exploitation due to vulnerabilities. Harden the OS with strong security controls, including a uniform patch management process.
Infrastructure Security
Make certain that virtualized infrastructure (guest, host, and hypervisor, VMM) remains free from vulnerabilities and security flaws. Implement security controls in the underlying infrastructure for containers and serverless functions. Make sure to protect VM instances.
Database Security
Verify that the databases configured in the cloud remain secure to prevent any unauthorized access. Only authorized users or strictly controlled service accounts should have programmatic access to active data stored in the databases for various operations.
Storage Resources Security
Secure the storage services and resources configured in the cloud environment to ensure no access or data transmission without authorization.
Physical Security
Make certain that the physical data centers remain secured, with access restrictions in place for unauthorized persons (employees or others). For cloud deployments, you will rely on the providers’ 3rd party attestations.
User Security
Verify that all kinds of the users’ access (local or remote) to the cloud environment remains restricted with strong authentication and authorization. Controlling and auditing your access lists is part of many security guidelines and governance mandates.
Continuous Security Monitoring
Monitor (logging, alerting) the cloud resources on a continuous basis to analyze threats originating from external attackers, malicious insiders, erroneous employees, and automated malicious code.
We will discuss using the cloud security model and associated pillars to build and design security models at a granular level to secure components in the cloud environment in future chapters.
Cloud Security Testing and Assessment Methodologies
Let’s discuss the different types of security testing and assessment methodologies used to unearth security flaws and threats present in cloud applications and infrastructure. The nature of testing and assessment methodologies depends on the level of information you have regarding your cloud environment. For example, either you have zero, partial, or complete knowledge (information) about the cloud environment before you start the assessment. See Table 1-11 to understand the different security assessment approaches. Based on the level of information available, you build assessment models and conduct testing appropriate to each level of knowledge.
Security Assessment and Testing Approaches
Security Assessment Approach
Details
Black Box Testing
Internal knowledge and details of the application and infrastructure is not known. It is also called a “Closed Box” testing and assessment.
White Box Testing
Internal knowledge and details of the application and infrastructure is known. It is also called a “Clear Box” testing and assessment.
Gray Box Testing
Hybrid approach based on the black box testing and white box testing in which details of the applications and infrastructure are partially known.
Gartner also introduced three different categories of Application Security Testing (AST)11:
Static Application Assessment Testing (SAST):
Method: analyze source code, byte code, and binaries to detect security vulnerabilities at the design and development level based on the concept of an inside-out approach to detecting security issues.
Security vulnerability remediation cost: low as you can fix the issues in the very early stages of SDLC.
Security assessment approach type: White Box Testing.
Software Composition Analysis (SCA) testing, which determines the current patch levels of most standard frameworks and third-party libraries used in development.
Dynamic Application Security Testing (DAST):
Method: analyze applications in the production or running state to detect security vulnerabilities.
Security vulnerability remediation costs: higher than SAST because the security fixes occur after the completion of SDLC process.
Security assessment approach type: Black Box Testing.
Interactive Application Security Testing (IAST):
Method: hybrid of SAST and DAST.
Approach: utilizes instrumentation approach based on the deployments of agents and sensors to detect security vulnerabilities on a continuous basis.
Security vulnerability remediation cost: high because vulnerability detection occurs during runtime on a continuous basis.
Security assessment approach type: Grey Box Testing.
Now we’ll analyze the different techniques to evaluate risk in cloud environments by assessing security flaws in various cloud components. See Table 1-12 for a variety of techniques which you can apply to conduct practical assessment of cloud applications and infrastructure.
Security and Privacy Assessments and Testing Techniques
Assessment Techniques
Details
When to Apply?
Secure Architecture and Application Design Review
Review the design of the network architecture and applications before actual deployment and code development. Proactive technique to potentially eradicate security flaws in the initial stages of architecture implementation and code development. The target is to build safeguards at the early stages of the Software Development Lifecycle (SDLC) to secure systems and data.
Opt for this technique at the earlier stages of software development and network design to build a list of security controls that you should enforce during the implementation phase. The secure design helps you to build secure infrastructure to avoid complexities later on.
Network Penetration Testing
Conduct network level attacks against infrastructure in a controlled manner to evaluate the effectiveness of implemented security controls by exploiting network services and exposed resources.
Opt for this technique when you need to conduct an exploitation of external and internal networks to compromise the systems without having knowledge about the network.
Software Vulnerability Assessment
Assess vulnerabilities in the deployed software (OS, third-party libraries) to determine the risk, severity, and impact of those vulnerabilities. Use a proactive approach to ensure that software is free from vulnerabilities with the application of the latest stable patches.
Opt for this technique when you need to assess vulnerabilities present in the software, especially when there is no requirement for conducting application penetration testing. You detect the vulnerabilities, assess the impacts, and fix them.
Code Review
Conduct a review of developed code to check for security issues related to code errors, memory allocations, resource access, authentication and authorization, insecure configuration, and credential leakages. The target is to fix the code in a proactive manner to ensure resistance to exploitation when deployed in the production environment. Use manual and static code review practices.
Opt for this technique when you need to analyze the vulnerabilities existing in the source code at the development stage.
Configuration Review
Verify software configuration in the environment to assess the state of security features. The target is to verify that the security attributes of software are correctly configured to enable protections against attacks.
Opt for this technique when you need to deploy software or activate network and system services to eradicate security issues that occur due to a bad configuration. Any new change in the environment must be reviewed from a security point of view.
Web Application Security Assessment
Discover vulnerabilities in Web applications to assess security weaknesses and flaws. An effective Web security assessment comprises the execution of manual and automated attacks in a dynamic manner against Web applications hosted on servers. Ideal in staging or user acceptance testing, the goal is to fix vulnerabilities before the deployment of Web applications in production environments.
Opt for this technique when you need to detect and fix security issues in the Web applications. You test the Web application against known and unknown attacks to assess impacts. This lets you fix security issues before the deployment of Web applications in the production environment - however, if there is limited/no testing done during development on a legacy system, you must conduct the Web application security assessment at least once in production.
Threat Modeling
Think about which threats are most relevant for your application and/or industry, enumerate risks, and suggest security mitigations at the design phase of application development and network infrastructure. This risk-based approach helps to design robust security controls to subvert threats and build secure systems.
Opt for this technique to model threats throughout the SDLC process to ensure proposed security controls are efficient to subvert attacks by different threat actors. The threat modeling allows you to understand how the threat actors can target applications and network so that you obtain visibility into potential risks and impacts.
Security Risk Assessments
Process to conduct assessment of implemented security controls (safeguards) to identify risk in your organization, running technologies and associated processes to determine security weaknesses.
Opt for this technique when you introduce new systems, processes, and services in the environment to assess the security issues, and to understand how it can impact the environment and associated risks.
Privacy Risk Assessments
Process to evaluate potential risks associated with the customer data and sensitive assets to assess the state of privacy controls designed in the risk assessment plan.
Opt for this technique when you need to understand how the existing and newly deployed systems and processes impact the data privacy and how you need to evaluate the risks to take actions accordingly. Recommended for certain privacy regulations by industry.
Breach and Attack Simulation (BAS)
Simulation-based approach to detect and exploit security issues in a controlled manner. With agents running on systems, conduct automated attack execution to assess the network security, host security, malware detection, and data leakage prevention capabilities.
Opt for this technique when you need to implement an automated approach for the continuous assessment of the security posture in your environment to regularly check for threats and risks. Manual intervention is the minimum, as agents running on systems perform the tasks.
With the security testing approaches and techniques discussed above, you can decide which fulfills your organizational needs. You may prefer some over others, depending on whether you are building DevOps from the concept stage versus retrofitting security controls onto a legacy development lifecycle. Work with your engineering and IT leads to determine the ones that fit your requirements to assess the risk and impacts, as well as the data privacy or regulatory compliance needs.
In this chapter, we reviewed the basic components of cloud architecture, including cloud computing models, virtualization, and containerized and serverless applications. You also learned about implementing security controls in various DevOps models. This knowledge allows you to build cloud technologies for effectively understanding and mitigating the associated security flaws.
We also defined and investigated various testing and assessment approaches to reveal potential security flaws in the applications and infrastructure. When you read the other chapters in this book, you will see the practical uses and scenarios for these approaches and techniques in real-world cloud deployments.
References
Virtualization Technologies and Cloud Security: advantages, issues, and perspectives, https://arxiv.org/pdf/1807.11016.pdf
A Break in the Clouds: Towards a Cloud Definition, http://ccr.sigcomm.org/online/files/p50-v39n1l-vaqueroA.pdf
The NIST Definition of Cloud Computing, https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-145.pdf
What is Function-as-a-Service (FaaS), https://www.cloudflare.com/learning/serverless/glossary/function-as-a-service-faas/
The State-of-the-Art in Container Technologies: Application, Orchestration and Security, https://www.cse.msstate.edu/wp-content/uploads/2020/02/j5.pdf
The Rise of Serverless Computing, https://dl.acm.org/doi/pdf/10.1145/3368454?download=true
What is DevOps? A Systematic Mapping Study on Definitions and Practices, https://dl.acm.org/doi/pdf/10.1145/2962695.2962707?download=true
O’Reilly DevOpsSec Book, https://www.oreilly.com/library/view/devopssec/9781491971413/
DoD Enterprise DevOpsSec Design, https://dodcio.defense.gov/Portals/0/Documents/DoD Enterprise DevSecOps Reference Design v1.0_Public Release.pdf
Continuous Iterative Development and Deployment Practice, https://resources.sei.cmu.edu/asset_files/Presentation/2018_017_001_528895.pdf
Application Security Testing, https://www.gartner.com/reviews/market/application-security-testing
CHAPTER 2
IAM FOR AUTHENTICATION ANDAUTHORIZATION: SECURITY ASSESSMENT
Chapter Objectives
Understanding Identity and Access Management Policies
IAM Policy Types and Elements
IAM Policy Variables and Identifiers
Managed and Inline Policy Characterization
IAM Users, Groups, and Roles
Trust Relationships and Cross-Account Access
IAM Access Policy Examples
IAM Access Permission Policy
IAM Resource-based Policy
Role Trust Policy
Identity and Resource Policies:Security Misconfigurations
Confused Deputy Problems
Over-Permissive Role Trust Policy
Guessable Identifiers in Role Trust Policy
Privilege Escalation via an Unrestricted IAM Resource
Insecure Policies for Serverless Functions
Unrestricted Access to Serverless Functions
Serverless Functions with Administrative Privileges
Serverless Function Untrusted Cross-Account Access
Unrestricted Access to the VPC Endpoints
Insecure Configuration in Passing IAM Roles to Services
Uploading Unencrypted Objects to Storage Buckets Without Ownership
