Mastering Cloud Security Posture Management (CSPM) - Qamar Nomani - E-Book

Qamar Nomani
Description

This book will help you secure your cloud infrastructure confidently with cloud security posture management (CSPM) through expert guidance that’ll enable you to implement CSPM effectively, ensuring an optimal security posture across multi-cloud infrastructures.
The book begins by unraveling the fundamentals of cloud security, debunking myths about the shared responsibility model, and introducing key concepts such as defense-in-depth, the Zero Trust model, and compliance. Next, you’ll explore CSPM's core components, tools, selection criteria, deployment strategies, and environment settings, which will be followed by chapters on onboarding cloud accounts, dashboard customization, cloud assets inventory, configuration risks, and cyber threat hunting.
As you progress, you’ll get to grips with operational practices, vulnerability and patch management, compliance benchmarks, and security alerts. You’ll also gain insights into cloud workload protection platforms (CWPPs). The concluding chapters focus on Infrastructure as Code (IaC) scanning, DevSecOps, and workflow automation, providing a thorough understanding of securing multi-cloud environments.
By the end of this book, you’ll have honed the skills to make informed decisions and contribute effectively at every level, from strategic planning to day-to-day operations.

You can read the e-book in the Legimi apps or in any app that supports the following format:

EPUB

Number of pages: 772

Year of publication: 2024




Mastering Cloud Security Posture Management (CSPM)

Secure multi-cloud infrastructure across AWS, Azure, and Google Cloud using proven techniques

Qamar Nomani

BIRMINGHAM—MUMBAI

Mastering Cloud Security Posture Management (CSPM)

Copyright © 2024 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Group Product Manager: Preet Ahuja

Publishing Product Manager: Prachi Sawant

Book Project Manager: Uma Devi

Senior Editor: Sayali Pingale

Technical Editor: Nithik Cheruvakodan

Copy Editor: Safis Editing

Proofreader: Safis Editing

Indexer: Rekha Nair

Production Designer: Shankar Kalbhor

Marketing Coordinator: Rohan Dobhal

First published: January 2024

Production reference: 1100124

Published by

Packt Publishing Ltd.

Grosvenor House

11 St Paul’s Square

Birmingham

B3 1RB, UK

ISBN 978-1-83763-840-6

www.packtpub.com

To my wife, Lubna. Thank you for your patience, your kindness, and your friendship. Most of all, for your unwavering support in the new country and throughout. I couldn’t have asked for more. This book is dedicated to you with deepest gratitude and love.

Foreword

As a fellow cyber practitioner, friend, and former colleague, I am honored to introduce this pivotal book by Qamar Nomani, a remarkable cybersecurity architect and previously an integral part of the product security team I led at Sophos. Qamar’s expertise was instrumental in securing the cloud infrastructure that supported our extensive cloud product portfolio, which safeguarded over 500,000 customers worldwide. When it comes to high-stakes cloud environments, he knows what to do.

This book is a treasure trove of insights for cloud security professionals. It meticulously unpacks the complex landscape of Cloud Security Posture Management (CSPM), offering practical strategies, techniques, and best practices for securing multi-cloud infrastructures. Its comprehensive content spans from fundamental cloud security concepts to advanced topics such as CSPM tool selection and implementation, vulnerability and compliance management, and future trends in cloud security.

What sets this book apart is Qamar’s hands-on experience and deep understanding of real-world challenges in cloud security. He skillfully bridges the gap between theoretical knowledge and practical application, making this book a must-read for cybersecurity managers, security leads, cloud security architects, and professionals at all levels. By incorporating vendor-neutral perspectives, Qamar ensures that the content is educational and highly applicable in diverse cloud environments.

Reading this book will empower you to improve your organization’s security posture, ensure compliance, and stay abreast of the ever-evolving cloud security landscape. It is an essential guide for anyone committed to mastering cloud security and shaping the future of this critical domain.

Julie Davila

Technology and Cyber Security Practitioner

I have had the privilege of working with Qamar Nomani, an esteemed cybersecurity expert who draws from his extensive experience securing cloud environments to guide readers on an illuminating journey of CSPM.

As cloud computing has become ubiquitous, its convenience and flexibility have also introduced new vulnerabilities that many organizations are ill-equipped to address. With sensitive data and vital applications migrated to the cloud, a robust and proactive security strategy is essential to safeguard these critical assets.

This definitive guide equips cybersecurity managers, cloud architects, and DevOps engineers with the practical knowledge to comprehend the unique threats posed by the cloud landscape and implement robust CSPM tools and solutions to minimize risk exposure.

Methodically organized in four parts, this book establishes the CSPM fundamentals, evaluates leading products against pertinent criteria, supplies technical deployment blueprints tailored for organizations of varying sizes, and provides actionable direction on inventorying cloud assets, harnessing infrastructure-as-code, configuring policies-as-code, and integrating security across the development life cycle.

The chapters provide detailed CSPM product evaluation criteria, security capability features, and technical deployment designs that are appropriate for organizations of any size. They cover a practical framework for onboarding cloud accounts and containers, discovering cloud assets and managing inventory, and infrastructure-as-code examples.

Most importantly, this book will be super helpful for cloud security administrators and security engineers in configuring security policies as code and enabling the CSPM configurations and deployment architecture. For DevOps and DevSecOps practitioners charged with enabling continuous compliance, this book covers policy as code automation blueprints and remediation workflows that accelerate integrating security across the development life cycle.

With insightful analysis of the evolving threat landscape and innovative approaches to cloud security controls, this definitive guide provides indispensable direction to advanced cloud security.

I’m confident this book will establish itself as vital reading for anyone serious about protecting critical assets residing in the cloud.

Rehman Khan

Security Architecture and Engineering Executive, CISSP, and CCSP

Contributors

About the author

Qamar Nomani is a cybersecurity expert and Microsoft Certified Trainer (MCT). He is currently working as a cloud security architect for one of the world’s leading mobility companies from their Paris office. With over 10 years of experience as an IT professional in various domains, his expertise lies in security architecting and design for multi-cloud infrastructure. With his passion for solving complex problems, Qamar has worked for security product companies, financial institutions, and automotive companies with their security teams, helping to achieve top-notch industry-standard security practices for multi-cloud environments.

Along with his master’s degree in computer applications from Jamia Millia Islamia, New Delhi, Qamar also holds several cloud security certifications. Being an avid learner and a passionate technology trainer, he has trained thousands of professionals across the globe on cloud security topics. Qamar is an active member of various cybersecurity communities and forums and often gets invited to universities and NGOs to speak about cybersecurity awareness and career guidance topics. In his free time, Qamar writes articles on Infortified (https://infortified.com), his personal tech blog, and a bi-weekly LinkedIn newsletter (https://www.linkedin.com/newsletters/7050538814062108672/).

The journey of writing this book has fulfilled a lifelong dream, and only through the immersive experience did I realize the depth and comprehensiveness of this endeavor. This book is a testament to the collaborative efforts and unwavering support of many individuals, each playing a vital role in bringing it to life. My heartfelt thanks go out to those who contributed to this project, and I express immense gratitude for their invaluable support.

My heartfelt appreciation to my family, with a special mention to my father and brother Neyaz Nomani. Their unwavering support for my education, even in the face of very limited resources, touches me deeply and means the world to me.

I express my heartfelt gratitude to all my teachers and professors, with a special acknowledgment to my high school gurus, Mr. Alam Sir and the late Mr. Khusru Alam Sir, for being not only guiding lights but also my godfathers, playing a pivotal role in supporting me during my transition from the village to the city for further studies.

Special thanks to friends, colleagues, managers, mentors, and dedicated cloud security professionals. Your groundbreaking research has paved the way for a deeper understanding of CSPM. This book stands on the shoulders of giants, and I'm grateful for the collective wisdom of the cybersecurity community.

I would also like to thank the team at Packt Publishing, whose commitment to excellence and passion for disseminating knowledge have made this project a reality. Their expertise and support have been indispensable in giving this book life.

Finally, heartfelt thanks to readers joining this educational journey. Your interest in cloud security fuels my commitment to contributing to the dynamic field of cybersecurity.

Thank you to everyone who has played a role, big or small, in making this book possible. Your contributions are deeply appreciated.

With gratitude and lots of love,

Qamar Nomani

About the reviewers

Rahul Gupta is a distinguished authority and expert in the field of cybersecurity. He brings a wealth of knowledge and experience to the world of cybersecurity, privacy, and compliance. With over 15 years at the forefront of protecting organizations from digital threats, Rahul has cemented his reputation as a trailblazer in the domain of InfoSec leaders. Throughout his career, Rahul has held pivotal roles in a diverse array of industries, ranging from Fortune 500 companies to cutting-edge start-ups. With a strong academic background and many industry certifications, including CISSP, Rahul has contributed extensively to the cybersecurity community and is very passionate about shaping the future of cybersecurity strategies and products.

Manas Mondal is a principal cloud architect with 29 years of experience who specializes in app layouts, app migration, modernization of apps, ERP migration, and advanced analytics.

With substantial transformation experience in both technology and business, Manas is a results-oriented, purpose-driven, problem-solving leader. He has expertise in Software Engineering, Enterprise Architecture, Cloud Transformation, Application Disposition, CTO Strategy, ERP modernization, and Fast Data Engineering.

Table of Contents

Preface

Part 1: CSPM Fundamentals

1

Cloud Security Fundamentals

Technical requirements

What is cloud computing?

Cloud computing service model

What is cloud security?

Security concerns with the public cloud

The shared responsibility model

Division of responsibility

Defense in depth

Defense in depth guiding principle

The CIA triad

Confidentiality

Integrity

Availability

Why is it important to maintain confidentiality, integrity, and availability?

How do organizations ensure confidentiality, integrity, and availability?

The three pillars of cybersecurity – people, process, and technology

The Zero Trust model

Zero Trust guiding principles

The six foundational pillars

Compliance concepts

Cryptography

Encryption

The Cloud Adoption Framework

Landing zone concepts

Summary

Further reading

2

Understanding CSPM and the Threat Landscape

What is CSPM?

Threat landscape and the importance of CSPM tools

Key capabilities and core components of CSPM

How do CSPM tools work?

Common cloud misconfigurations and their causes

Why do misconfigurations occur?

Best practices to safeguard from misconfiguration

Are CSPM tools enough to protect the cloud environment?

What are other cloud security technologies and tools?

Summary

Further reading

3

CSPM Tools and Features

Technical requirements

Understanding CSPM tools

Cloud provider native CSPM tool

Third-party CSPM tool

Agent-based versus agentless CSPM solutions

Open source CSPM tools

Understanding the Gartner Magic Quadrant

Gartner Peer Insights

Gartner Review

Examples of CSPM tools

Cloud provider-native CSPM tools

Third-party CSPM tools

Open source CSPM tools

Summary

Further reading

4

CSPM Tool Selection

Structured thought to choose the right CSPM tool

1. Understand your organization’s cloud security needs

2. Identify the CSPM features you need

3. Evaluate the CSPM vendor

4. Consider the ease of use

5. Look for automation capabilities

6. Evaluate pricing and licensing

Vendor selection process checklists for CSPM

POC for CSPM tools

What is the key outcome of the CSPM tool’s POC?

Summary

Further reading

Part 2: CSPM Deployment Aspects

5

Deploying the CSPM Tool

Deployment model overview

Key considerations for effective deployment

The SaaS/cloud-based deployment model

On-premises deployments

Hybrid deployment

Leveraging managed service provider (MSP) support

Different deployment methodologies

Agent-based deployment

API-based deployment

Proxy-based deployment

Tool deployment best practices

Summary

Further reading

6

Onboarding Cloud Accounts

Key considerations and steps involved

Account onboarding key considerations

Steps for successful onboarding

Best practices for onboarding of cloud accounts

Account onboarding steps

Onboarding AWS accounts

Onboarding Azure accounts

Onboarding GCP accounts

Onboarding other clouds

Onboarding roadblocks and mitigation best practices

Roadblock #1 – Lack of necessary permissions

Roadblock #2 – Complex cloud environments

Roadblock #3 – Resistance to change

Roadblock #4 – Policy complexity

Roadblock #5 – Alert fatigue

Roadblock #6 – Integration complexity

Roadblock #7 – Monitoring and alerting configuration

Roadblock #8 – Data privacy and security

Roadblock #9 – Compliance variability

Roadblock #10 – Scalability

Offboarding cloud accounts

Importance of offboarding cloud accounts from CSPM

Process for offboarding cloud accounts from CSPM

Summary

Further reading

7

Onboarding Containers

Containerization overview and its benefits

Benefits of containerization

Understanding container security challenges

How does CSPM address these unique security challenges?

Onboarding containers to CSPM tools

Understanding Microsoft Defender for Containers features

Defender for Containers architecture diagram

Enabling Microsoft Defender for Containers for Kubernetes clusters

Onboarding roadblocks and mitigation tips

Latest trends and advancements in container security

Summary

Further reading

8

Exploring Environment Settings

Environment settings overview

Managing users and permissions

User management

User group management

Built-in user roles

Managing API tokens

Key challenges in permission management

Best practices to overcome permission-related challenges

CSPM integrations with other tools

SSO integration

Ticketing system integration

Collaboration and communication (notifications) integrations

Reporting and analytics integration

Monitoring (SIEM/SOAR) tool integration

Storage integrations

Key integration challenges

Best practices to overcome integration challenges

Setting up an effective reporting environment

Activity logging

User activities

System activities

Security events

Challenges in activity logging

Best practices for activity logging

Summary

Further reading

Part 3: Security Posture Enhancement

9

Exploring Cloud Asset Inventory

Understanding the cloud asset inventory landscape

Cloud assets overview

Cloud asset classification

Tagging concepts and asset classification

Key challenges in asset inventory management

Best practices for asset inventory management

Other tools and techniques for asset management

Summary

Further reading

10

Reviewing CSPM Dashboards

Reviewing general dashboard types

Risk dashboards

Compliance dashboards

Inventory dashboards

Identity dashboards

Network security dashboards

Vulnerability dashboards

Alerts and incident dashboards

Custom dashboards

Exporting dashboards

Best practices for effectively using CSPM dashboards

Summary

Further reading

11

Major Configuration Risks

Workload misconfigurations overview

Malware, misconfigurations, and vulnerabilities and their correlations

The risks associated with malware and its vulnerabilities

Identity misconfigurations

Network security misconfigurations

Lateral movement misconfigurations

Data protection misconfigurations

Suspicious and malicious activities

Best practices and lessons learned

Best practices to mitigate network security misconfigurations

Lesson learned and its implementation

Summary

Further reading

12

Investigating Threats with Query Explorers and KQL

Query explorer and attack paths overview

Understanding the security explorer mechanism

The importance of the security explorer in threat hunting

Building queries with Cloud Security Explorer

Exploring built-in query templates

KQL basics

KQL statement structure

KQL practice environment

Built-in KQL in the query explorer

Custom queries in the query explorer

Best practices for effective investigation

Lessons learned from threat investigation

Summary

Further reading

13

Vulnerability and Patch Management

Vulnerability and patch management overview

Important terminologies

Effective strategies to prioritize vulnerabilities

Effective vulnerability management and CSPM tools

Cloud vulnerabilities and CSPM tool relevance in the hybrid cloud

Effective patch management and CSPM tools

The importance of timely and efficient patch management

Effective patch management process

How patch management and CSPM can work best together

CTI and vulnerability management

What is CTI and its key aspects?

The role of CTI in vulnerability and patch management

CTI integration/feeds into CSPM tools

Example use case

Case studies and real-world examples

Operational challenges

Summary

Further reading

14

Compliance Management and Governance

Compliance management and governance overview

Compliance management

Governance

Compliance versus governance – Distinctions and interconnections

Why are compliance and governance crucial in cloud security?

Regulatory frameworks and compliance standards

GDPR

HIPAA

SOC 2

Federal Risk and Authorization Management Program

California Consumer Privacy Act

California Privacy Rights Act

Personal Data Protection Act

Federal Information Security Management Act

ISO 27001

PCI DSS

NIST Cybersecurity Framework

Cloud Security Alliance Cloud Controls Matrix

Center for Internet Security benchmark controls

Cloud governance frameworks

AWS WAF

MCSB

Adapting cloud governance to the organization’s need

Global versus regional compliance considerations

Use cases, scenarios, and examples

Use case #1 – Data protection and privacy

Use case #2 – Incident reporting and notification

Use case #3 – Compliance audits

Challenges, CSPM roles, and future trends

Challenges in compliance and governance

CSPM’s role in effective compliance management and governance

Future trends in compliance and governance

Summary

15

Security Alerts and Monitoring

Security alerts and monitoring overview

Real-world scenarios illustrating the consequences of inadequate monitoring

Distinguishing between security alerts, incidents, and anomalies

Common categories of security alerts

Building an effective alerting strategy

Setting clear security objectives and risk thresholds

Defining alerting criteria tailored to your organization’s needs

Avoiding alert fatigue – Best practices in alert tuning and prioritization

Leveraging cloud-native monitoring solutions

Can CSPM tools be used as cloud-native monitoring solutions?

Third-party SIEM solutions

Automated incident response

Compliance and auditing through monitoring

Meeting compliance requirements through continuous monitoring

Demonstrating CSPM effectiveness to auditors and regulators

Automating compliance checks and reporting

Emerging trends in security alerts and monitoring

Real-time visibility across multi-cloud environments

Artificial intelligence-driven threat detection and anomaly analysis

Cloud-native security monitoring

Automated remediation and orchestration

Cloud compliance and governance

Integration with SIEM solutions

Case study and lessons learned

Case study – streamlined threat detection and incident response with CSPM and SIEM

Case highlights

Implementing proactive resilience using alerts and monitoring

Summary

Further reading

Part 4: Advanced Topics and Future Trends

16

Integrating CSPM with IaC

Understanding IaC

What is IaC?

How did IaC evolve, and what problems does it solve?

Key principles and benefits

Key IaC tools and technologies

IaC offerings by cloud providers

CSPM and IaC integration

How IaC and CSPM enhance security posture together

Potential integration challenges and strategies to overcome

Human and cultural aspects of challenges

Best practices and design patterns

DRY principle – Reducing redundancy in IaC code

Separation of concerns – Organizing code for maintainability and scalability

Testing and validation – Ensuring the reliability of your IaC code

Infrastructure as Data – Leveraging data-driven approaches for configuration

Summary

Further reading

17

DevSecOps – Workflow Automation

Understanding DevSecOps

DevOps versus DevSecOps – Key differences and principles

The DevSecOps life cycle

The importance of CI/CD pipelines

The role of security in DevSecOps

Key automation concepts

The relationship between CSPM and workflow automation

Benefits of automation in security and compliance

Common automation challenges and their solutions

Workflow automation in CSPM

Automating compliance checks and policy enforcement

Dynamic asset discovery and tracking

Incident response and remediation automation

Real-time monitoring and alerting

Implementing workflow automations

Setting up and configuring automation pipelines

Writing scripts and playbooks for CSPM automation

Testing and validating automation workflows

Scaling automation for enterprise-level CSPM

Case studies, best practices, and lessons learned

Best practices for implementing and maintaining automation in DevSecOps

Lessons learned from DevSecOps and CSPM automation adoption

Security and compliance in DevSecOps automation

Ensuring the security of automation pipelines

Compliance with regulatory requirements in automated processes

Handling secrets and sensitive data securely in automation

Continuous monitoring and auditing of automated workflows

Future trends and emerging technologies

The evolving landscape of DevSecOps and CSPM

Artificial intelligence (AI) and machine learning (ML) in CSPM automation

The role of containers and serverless in automated security

Predictions for the future of DevSecOps automation

Summary

Further reading

18

CSPM-Related Technologies

Understanding the cloud security ecosystem

Why is CSPM not enough?

CNAPPs

CWPPs

CASBs

DSPM

CIEM

Summary

Further reading

19

Future Trends and Challenges

Emerging technologies impacting CSPM

Quantum computing and its potential threat to encryption

AI and ML in enhancing CSPM capabilities

The Internet of Things (IoT) and its implications for CSPM

Blockchain and its role in securing cloud environments

Regulatory landscape

Evolving threat landscape

Zero-day vulnerabilities and their implications for CSPM

Skills and talent gap

Key challenges

Strategies for bridging the gap

User awareness and training

Case studies and best practices

Lessons learned from successful CSPM deployments

Lessons learned from unsuccessful CSPM deployments

Best practices for staying ahead of emerging threats in CSPM

Summary

Further reading

Index

Other Books You May Enjoy

Part 1: CSPM Fundamentals

In this part, you will discover the essentials of Cloud Security Posture Management (CSPM). From cloud security fundamentals to navigating the threat landscape, we provide insights into potential challenges. You will explore CSPM tools and features, empowering organizations to enhance their cloud security. Chapter 4 will take you through informed tool selection, laying a crucial foundation for readers new to cloud security or seeking a deeper understanding. These chapters set the stage for a confident and comprehensive exploration of CSPM.

This part contains the following chapters:

Chapter 1, Cloud Security Fundamentals

Chapter 2, Understanding CSPM and the Threat Landscape

Chapter 3, CSPM Tools and Features

Chapter 4, CSPM Tool Selection

1

Cloud Security Fundamentals

In the age of digital innovation, cloud computing has become the backbone of modern business operations. The convenience, scalability, and cost-efficiency of the cloud have revolutionized how we store, process, and share data. As we embrace the cloud’s potential, we must also acknowledge the growing importance of cloud security. Protecting our digital assets from a range of threats is paramount in this interconnected world. Cloud security encompasses a wide range of concerns, including data protection, access control, compliance with regulatory requirements, and the overall integrity and confidentiality of information stored and processed in the cloud.

This chapter focuses on building a baseline understanding of cloud security, which means understanding the key principles and strategies that underpin our ability to operate securely in the cloud. You will learn about some of the most important topics of cloud security, such as the shared responsibility model, defense in depth, the Zero Trust model, compliance concepts in the cloud, and the Cloud Adoption Framework.

The following main topics are covered in this chapter:

What is cloud computing?

Exploring cloud security

The shared responsibility model

Defense in depth

The Zero Trust model

Compliance concepts

Cryptography and encryption in the cloud

The Cloud Adoption Framework

Let us get started!

Technical requirements

To get the most out of this chapter, you are expected to have the following:

A baseline understanding of cloud computing concepts.

A general understanding of, or experience of working in, an IT environment. To deepen your understanding, you can use the sandbox environment of your organization’s CSPM tool, if one is available.

What is cloud computing?

Cloud computing is a technology that allows organizations and individuals to access and use computing resources such as processing power, storage, and software over the internet without having to buy and maintain physical infrastructure. Cloud service providers (CSPs) such as Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), and many other providers offer these services. Cloud offerings extend traditional IT offerings with many additional services, such as artificial intelligence (AI), machine learning (ML), Internet of Things (IoT), and security.

Cloud computing is a powerful technology for organizations of all sizes. Here are some of the key features of cloud computing:

Agility: Cloud computing allows organizations to rapidly deploy and scale computing resources up or down as needed, which means they can be more agile and respond quickly to changing business requirements. With cloud computing, businesses can avoid the time and expense of building and managing their IT infrastructure, allowing them to focus on developing and delivering their products and services.

Productivity: Cloud computing can improve productivity by providing access to computing resources and software from anywhere, on any device, and at any time. This flexibility allows employees to work remotely and collaborate more easily, which can lead to increased productivity and efficiency:

Figure 1.1 – Cloud computing

Resiliency: Cloud computing can improve resiliency by providing redundancy and failover options, which means that if one computing resource fails, others can take over seamlessly. This reduces the risk of downtime and improves the availability and reliability of applications and services.

FinOps: Cloud computing offers Financial Operations (FinOps) capabilities that allow organizations to manage and optimize their cloud spending. This includes tools for monitoring cloud usage, forecasting costs, and optimizing resource allocation to reduce costs and maximize value.

Pay-as-you-go model: Cloud computing is often priced on a pay-as-you-go basis, which means that organizations only pay for the computing resources they use. This allows businesses to avoid the capital expense of buying and maintaining their IT infrastructure, and instead, pay for computing resources as an operational expense.

In summary, cloud computing provides organizations with agility, productivity, resiliency, FinOps, and a pay-as-you-go model, making it an attractive option for businesses looking to optimize their IT operations and focus on delivering value to their customers.

Gartner estimates the following by 2025 (https://www.gartner.com/en/newsroom/press-releases/2021-11-10-gartner-says-cloud-will-be-the-centerpiece-of-new-digital-experiences):

More than 95% of new digital workloads will be deployed on cloud-native application platforms, up from 30% in 2021

70% of the new applications developed by companies will use low-code or no-code technologies

More than 50% of organizations will have explicit strategies to adopt cloud-delivered Secure Access Service Edge (SASE), up from less than 5% in 2020

85% of organizations will embrace cloud-first principles

While these estimates may seem overwhelming, there is no doubt that the cloud provides extraordinary benefits to the data-driven business world.

Cloud computing service model

Cloud service models are different types of cloud computing services that are provided by CSPs to customers or users. There are three main types of cloud service models:

Infrastructure-as-a-Service (IaaS): In this service model, the CSP provides the infrastructure or computing resources such as servers, storage, and networking, which can be used by customers to build and manage their applications or services. The customer has control over the operating system, applications, and security, while the CSP is responsible for the underlying infrastructure.
Platform-as-a-Service (PaaS): In this service model, the CSP provides a platform for customers to develop, run, and manage their applications without the need to manage the underlying infrastructure. The customer can focus on building and deploying their applications while the CSP takes care of the infrastructure, operating system, and middleware.
Software-as-a-Service (SaaS): In this service model, the CSP provides a complete software application or service that can be accessed and used by customers over the internet. The customer does not need to install or manage the software as it is provided by the CSP as a service. Examples of SaaS include email, online storage, and customer relationship management (CRM) software.

In simple terms, cloud service models are different types of cloud computing services that are provided by CSPs to customers. These services can range from providing infrastructure resources to complete software applications, with varying degrees of control and management by the customer.

Next, let us talk about cloud security.

What is cloud security?

Cloud security refers to the set of practices, technologies, policies, and measures designed to safeguard data, applications, and infrastructure in cloud environments. Security in clouds is crucial because it addresses the unique security challenges and risks associated with cloud computing, which includes services such as IaaS, PaaS, and SaaS.

Important note

Gartner reports (https://www.gartner.com/en/newsroom/press-releases/2021-11-10-gartner-says-cloud-will-be-the-centerpiece-of-new-digital-experiences) that 99% of cloud breaches are traced back to preventable misconfigurations or mistakes by cloud customers.

It is evident that cloud computing services bring some overriding concerns too, and most of them can be prevented if they are configured correctly. This includes network and system misconfigurations, IAM misconfigurations, and accidental exposure of resources. We will read more about major configuration risks in Chapter 11, but some of them are explained in the following subsection.

Security concerns with the public cloud

There are several overriding concerns associated with cloud computing that organizations should be aware of:

Unauthorized access: Public cloud services can be vulnerable to unauthorized access, which can lead to data breaches and the exposure of sensitive information.
Insider threats: Cloud providers have access to users’ data, which means that insider threats can pose a risk to security.
Data loss: Public cloud services can suffer from data loss, which can occur due to hardware failures or other technical issues:

Figure 1.2 – Cloud security concerns

Compliance issues: Public cloud services may not always meet regulatory and compliance requirements for data storage and security.
Multi-tenancy risks: Public cloud services are often multi-tenant, which means that multiple users share the same physical infrastructure. This can increase the risk of data leakage or unauthorized access if they’re not managed properly.
Vulnerabilities in third-party tools: Public cloud services often rely on third-party tools and vendors, which can create vulnerabilities if these vendors are not properly vetted or have weak security measures in place.
Lack of control: Public cloud services are managed by the cloud provider, which means that users have limited control over the security measures that are implemented.
DDoS attacks: Public cloud services can be vulnerable to distributed denial of service (DDoS) attacks, which can disrupt service availability.
Data breaches through APIs: Public cloud services often use APIs to enable integration with other systems, which can create vulnerabilities if these APIs are not secured properly.
Data exposure through misconfigured services: Public cloud services can be vulnerable to data exposure if services are misconfigured, or access controls have not been set up properly.

It is important to understand these risks and take appropriate measures to mitigate them, such as implementing strong authentication and access controls, regularly monitoring and auditing activity, and using encryption to protect sensitive data. It is also important to work with reputable cloud providers who have a strong track record for security and compliance, be aware of the overriding concerns, and take steps to mitigate these risks through careful planning, risk assessment, and ongoing monitoring and management.
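The last two concerns above, data exposure through misconfigured services and access controls that were never set up properly, are exactly what a CSPM check looks for. The following is an added example, not code from the book or from any CSPM product, of such a check written against the AWS S3 bucket policy JSON format: it flags Allow statements whose principal is the anonymous wildcard, and reports statements that carry a Condition block for review rather than as outright public, since a condition such as aws:SourceVpce can narrow the grant. The three policies are constructed for the example (the account ID, role name, bucket name and VPC endpoint ID are placeholders).

```python
import json
from typing import Any, Dict, List


def _as_list(value: Any) -> List[Any]:
    """IAM policy JSON allows a scalar wherever a list is permitted; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_values(statement: Dict[str, Any]) -> List[str]:
    """Flatten Principal, which may be "*", {"AWS": "*"}, {"AWS": [...]} or similar."""
    principal = statement.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        values: List[str] = []
        for entry in principal.values():
            values.extend(_as_list(entry))
        return values
    return []


def find_public_statements(policy: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return Allow statements granted to the anonymous principal.

    A statement with a Condition block is tagged 'review' instead of 'public',
    because conditions (source VPC endpoint, source IP, ...) may scope it down.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _principal_values(stmt):
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": _as_list(stmt.get("Action")),
            "severity": "review" if stmt.get("Condition") else "public",
        })
    return findings


# Constructed sample policies; none of these identifiers belong to a real account.
PUBLIC_READ_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowEveryoneRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*"
  }]
}""")

PRIVATE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowAppRole",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]
  }]
}""")

CONDITIONED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowViaVpcEndpointOnly",
    "Effect": "Allow",
    "Principal": {"AWS": "*"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-PLACEHOLDER"}}
  }]
}""")


if __name__ == "__main__":
    for name, policy in [("public", PUBLIC_READ_POLICY), ("private", PRIVATE_POLICY),
                         ("conditioned", CONDITIONED_POLICY)]:
        print(name, find_public_statements(policy))
```

The same walk over Effect, Principal and Condition generalises to other resource policies (SNS topics, SQS queues, KMS keys); what changes between services is only which actions matter, so a real check would also compare the flagged actions against a list of data-access actions rather than reporting every wildcard grant with the same severity.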

Now that you understand cloud computing and the security concerns around it, let us learn about the shared responsibility model.

The shared responsibility model

Cloud security is a tricky area. There are many myths about securing the cloud. Some think that once you have moved to the cloud, it is the cloud provider’s responsibility to protect everything in the cloud, while others think that nothing is secure in the cloud and it is not safe to move to the cloud, especially when you are dealing with sensitive data. The fact is that security and compliance in the cloud are a shared responsibility between cloud providers and cloud customers.

This brings a lot of questions to our minds. Who is responsible for what? How do you define the responsibility matrix between cloud providers and customers? Who defines those responsibilities and on what basis?

Let us understand this with a simple and fun analogy of a Pizza-as-a-Service model. The cloud’s shared responsibility model can be explained using the analogy of ordering pizza in different ways: making it at home, ordering a Take and Bake pizza, ordering a pizza for delivery, or dining out at a restaurant:

Figure 1.3 – Pizza-as-a-Service model

Making pizza at home is like managing your IT infrastructure. You are responsible for everything, including buying the ingredients (hardware and software), preparing the dough and toppings (setting up the infrastructure and applications), cooking the pizza (maintaining the infrastructure), and cleaning up afterward (managing security, backups, and disaster recovery).
Ordering a Take and Bake pizza is like using IaaS. You order the pizza with the toppings you want, but the pizza is not cooked yet. You must take it home and cook it yourself. Similarly, with IaaS, you are provided with a virtual infrastructure that you configure and manage yourself, including installing and configuring the operating system, middleware, and applications.
Ordering a pizza for delivery is like using PaaS. You order the pizza with the toppings you want, and it is delivered to you fully cooked. You do not have to worry about the cooking process, but you still have control over the toppings. Similarly, with PaaS, you are provided with a platform for developing and deploying applications, and the CSP takes care of the underlying infrastructure.
Dining out at a restaurant is like using SaaS. You order the pizza, and it is delivered to you fully cooked and ready to eat. You do not have to worry about cooking or toppings as the restaurant takes care of everything. Similarly, with SaaS, you use a cloud-based application that is fully managed by the cloud service provider, and you do not have to worry about the underlying infrastructure, security, or backups.

In all these scenarios, the shared responsibility model applies. You, as the customer, are responsible for selecting the pizza toppings you want, just as you are responsible for configuring and securing your data and applications in the cloud. The cloud service provider is responsible for providing a secure and reliable environment for your data and applications, just as the restaurant is responsible for providing a clean and safe dining experience.

Now that you have understood shared responsibility via an interesting analogy, let’s understand the concept with the help of an actual responsibility model provided by every cloud provider for their customers. This responsibility is also known as security of the cloud versus security in the cloud:

Figure 1.4 – Shared responsibility model

Let us quickly discuss what security of the cloud and security in the cloud mean:

Security of the cloud: Security of the cloud means protecting the infrastructure that runs all the services offered by the cloud provider, which is composed of the hardware, software, networking, and facilities that public cloud services use. Cloud providers are responsible for the security of the cloud, which includes protecting the cloud environment against any security threats.
Security in the cloud: This refers to the responsibility held by customers and is solely determined by the cloud services that customers choose for consumption and where those workloads are hosted, such as IaaS, PaaS, SaaS, Database-as-a-Service (DBaaS), Container-as-a-Service (CaaS), or even Security-as-a-Service (SECaaS).

Customers must carefully consider the services they choose from different providers as their responsibilities vary depending on the services they use, the integration of those services into their IT environment, and applicable laws and regulations.

The responsibility model makes responsibility clear. When an organization does not have a cloud footprint, the organization is 100% responsible for the security and compliance of the infrastructure. When an organization moves to the cloud in a hybrid or cloud-native setup, the responsibility is shared between both parties.

Division of responsibility

Let us understand how the division of responsibilities varies from one service model to another:

On-premises data centers: In an on-premises infrastructure (hardware and software), the customer is responsible for everything, from the physical security of data centers to the encryption of sensitive data.
IaaS: Virtual machines as services, which are offered by cloud providers such as Azure VM, AWS EC2, and Google Compute Engine, can be taken as examples of IaaS. If a customer decides to use VMs in the cloud, the cloud provider is responsible for the security of the physical data center, physical network, and physical host where the VM is hosted. As per Figure 1.4, security of the operating system (vulnerabilities and patches), network controls, applications hosted in the VM, identity and directory infrastructure, devices through which VMs are accessed, and information and data in the VM are all the customer’s responsibility.
PaaS: A wide range of services is offered by cloud providers under the PaaS category. Azure Web App, Logic Apps, Azure Functions, Azure SQL, Azure Service Bus, AWS Lambda, AWS Elastic Beanstalk, and Google App Engine are a few services under the PaaS category. As the service name suggests, PaaS provides an environment for building, testing, and deploying software applications. The most useful benefit of PaaS for its customers is that it helps create an application quickly without the need to manage the underlying infrastructure, such as hardware and operating systems. This makes things easy for customers, as they are only responsible for securing the application and data.
SaaS: SaaS is a readymade, subscription-based application made available by cloud providers to their customers. Microsoft 365, Skype, Google Workspace, ERP, Amazon Chime, Amazon WorkDocs, and Dynamics CRM are some common examples of SaaS offerings. Out of all the service offerings, SaaS requires the least security responsibility from customers. The cloud provider is responsible for everything except data, identity access, accounts, and devices.

Important note

No matter which service is availed by the customer, the responsibility to protect accounts and identity, devices (mobile and PCs), and data is always retained by the customer.

The shared responsibility model is one of the most important topics to understand in the cloud security domain. Now that you understand it, let us understand another important topic – defense in depth.

Defense in depth

Defense in depth (DiD) is a cybersecurity strategy that uses a layered security approach to protect organizations’ critical assets from cyber criminals by utilizing a series of security measures to slow the advance of an attack. The concept was originally inspired by the military strategy of the same name, where each layer provides protection so that if one layer is breached, a subsequent layer will prevent an attacker from gaining unauthorized access to data.

Defense in depth guiding principle

The guiding principle of DiD is the idea that a single security product will not ensure the safety of critical data. Implementing multiple security controls at distinct levels reduces the chance of breaches caused by external or internal threats. The following diagram depicts the DiD layers. This approach is designed to provide a layered defense that can stop attackers at multiple points in the attack chain, rather than having to rely on a single point of failure:

Figure 1.5 – Defense in depth (http://3.bp.blogspot.com/-YNJp1PXeV0o/UjpD7j1-31I/AAAAAAAADJE/O_6COIge7CA/s1600/TechnetDinD.jpg)

The guiding principle of DiD is a strategy that is used to provide multiple layers of protection for a system or organization. Some important security practices that are used in DiD are as follows:

Least-privilege: Least-privilege access is the practice of granting just enough access to the user so that they can perform their designated task in the organization and restricting their access to all other resources and systems. Limiting permissions on a user’s identity helps minimize risk in case credentials are compromised and an unauthorized user attempts to access sensitive data.
Multi-factor authentication (MFA): This is a security mechanism that requires users to provide two or more factors of authentication to access a system or application. This approach adds an extra layer of security to the authentication process, making it more difficult for attackers to gain unauthorized access. MFA can use either software or hardware tokens to provide an additional layer of security beyond a user’s password:
  Software tokens are typically generated by a mobile app or software program. Once the user has entered their username and password, they are prompted to enter a one-time code generated by the app or software. This code is typically valid for only a short period and changes frequently, making it difficult for attackers to intercept and reuse.
  Hardware tokens, on the other hand, are physical devices that generate one-time codes that the user must enter to complete the authentication process. These tokens may be in the form of key fobs, smart cards, or USB devices. The user inserts the hardware token into a device or presses a button to generate a code, which they then enter into the system or application being accessed.

Both software and hardware tokens provide an additional layer of security by requiring something in addition to the user’s password to gain access to a system or application. However, hardware tokens are generally considered more secure as they are not susceptible to attacks that can compromise software-based tokens, such as malware or phishing attacks. They also require physical possession of the token, making it more difficult for attackers to gain access, even if they have compromised the user’s password.

Network segmentation: This is the practice of dividing computer networks into smaller parts to limit the exposure of internal systems and data to vendors, contractors, and other outside or inside users. This also helps the security team protect sensitive data from insider threats, limit the spread of malware, and comply with data regulations.
Intrusion detection and prevention: Intrusion detection and prevention systems can be used to detect and prevent attacks on a system or network. These systems can be configured to alert security personnel or take automated action when an attack is detected.
Security training: Providing security awareness training to employees is an important security practice to ensure that they understand the importance of security and are aware of common threats and attack vectors.

These are just a few examples of the security practices that are part of DiD. Implementing these practices in a comprehensive and layered approach can help improve the overall security of an organization.

Security products and strategies at different layers

Let us take a closer look at what security products and strategies are appropriate and applied at different layers:

Physical security: Physical security controls are an important part of DiD as they help protect an organization’s physical assets, such as its buildings, servers, and other infrastructure. Here are some examples of physical security controls that are applied at this layer:
  Perimeter security: Perimeter security controls are used to control access to the organization’s property. Examples include fences, walls, gates, and barriers.
  Access control: Access control measures are used to control who has access to the organization’s physical assets. Examples include ID badges, security guards, and biometric authentication systems.
  Surveillance: Surveillance measures are used to monitor the organization’s physical assets for potential security threats. Examples include CCTV cameras, motion detectors, and security patrols.
  Environmental controls: Environmental controls are used to protect the organization’s physical assets from damage caused by environmental factors such as fire, water, and temperature. Examples include fire suppression systems, water leak detection systems, and temperature control systems.
  Redundancy: Redundancy measures are used to ensure that the organization’s physical assets remain operational even in the event of failure. Examples include backup generators, redundant HVAC systems, and redundant network connections.
Identity and access: This layer implements security controls such as MFA, condition-based access, attribute-based access control (ABAC), and role-based access control (RBAC) to protect infrastructure and change control.
Perimeter: A protection mechanism that is used across your corporate network to filter large-scale attacks such as DDoS so that resources are not exhausted, causing a denial of service.
Network: Security techniques such as network segmentation and network access control are used to group related resources together and to limit communication between resources to prevent lateral movement.
Compute: This involves limiting access to VMs to a limited set of whitelisted IPs only, restricting certain ports, and opening only the required ones.
Applications: Four primary techniques can be used to secure applications, each with its strengths and weaknesses. Let us take a look:
  Runtime Application Self-Protection (RASP): RASP is an application security technology that is designed to detect and prevent attacks at runtime. RASP integrates with the application runtime environment and monitors the behavior of the application to identify potential threats. RASP can detect attacks such as SQL injection, cross-site scripting (XSS), and buffer overflow attacks, and can take action to block the attack or alert security personnel.
  Interactive Application Security Testing (IAST): IAST is an application security testing technique that combines aspects of both SAST and DAST. IAST is a real-time security testing technology that provides feedback on vulnerabilities during the testing process. IAST can detect vulnerabilities such as SQL injection and XSS attacks by monitoring the application during testing.
  Static Application Security Testing (SAST): SAST is an application security testing technique that analyzes the application’s source code for security vulnerabilities. SAST can identify vulnerabilities such as buffer overflows, SQL injection, and XSS attacks. SAST is typically run during the development process and can help developers identify and fix vulnerabilities before the application is deployed.
  Dynamic Application Security Testing (DAST): DAST is an application security testing technique that analyzes the application while it is running. DAST can identify vulnerabilities such as SQL injection, XSS attacks, and broken authentication and session management. DAST is typically run after the application is deployed to identify vulnerabilities that may have been missed during the development process.

Overall, these techniques can be used in combination to provide a comprehensive approach to securing applications. Each technique has its strengths and weaknesses, and the choice of which technique to use depends on the specific needs of the organization and the application being secured.

Data: RBAC and ABAC are both access control models that are used to enforce data security:
  In an RBAC model, access to resources is granted based on the user’s role or job function within an organization. This means that users are assigned specific roles, and those roles are granted permission to access specific resources. For example, an administrator role might be granted full access to a system, while a regular user role might only be granted access to certain parts of the system.
  In an ABAC model, access to resources is granted based on a combination of attributes, such as the user’s job function, location, and time of day. This means that access control policies can be more flexible and granular than in an RBAC model. For example, a policy might be created to grant access to a resource only if the user is accessing it from a specific location and during specific hours.

Both RBAC and ABAC can be used to enforce data security by ensuring that only authorized users are granted access to sensitive data. Which model to use depends on the specific needs of the organization and the level of granularity and flexibility required for access control policies.
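To make the RBAC/ABAC distinction concrete, here is an added example (not code from the book) of a small policy decision point for the payroll system used as the running example in this chapter. RBAC is a static role-to-permission table; ABAC layers attribute rules on top of it, so the same HR clerk is allowed to write payroll data from the office at 10:30 but not from home, and not at 22:00. The roles, actions, locations and office hours are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, List, Set

# RBAC: the decision depends on the role alone.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "administrator": {"payroll:read", "payroll:write", "payroll:export"},
    "hr_clerk": {"payroll:read", "payroll:write"},
    "employee": {"payroll:read"},
}


def rbac_allows(role: str, action: str) -> bool:
    """Pure role-based check: is this action among the role's permissions?"""
    return action in ROLE_PERMISSIONS.get(role, set())


@dataclass(frozen=True)
class AccessRequest:
    subject_id: str       # identity making the request
    role: str             # their job function
    action: str           # e.g. "payroll:write"
    resource_owner: str   # employee whose payroll record is being accessed
    location: str         # "office", "vpn" or "home", as established by the client context
    when: datetime        # time of the request


# ABAC: each rule combines several attributes. A request is allowed when RBAC
# permits the action AND at least one attribute rule matches.
def rule_admin_from_trusted_network(r: AccessRequest) -> bool:
    """Administrators may act at any hour, but only from the office or the VPN."""
    return r.role == "administrator" and r.location in {"office", "vpn"}


def rule_hr_office_hours(r: AccessRequest) -> bool:
    """HR clerks may act only from the office and only between 09:00 and 17:59."""
    return r.role == "hr_clerk" and r.location == "office" and 9 <= r.when.hour < 18


def rule_employee_own_record(r: AccessRequest) -> bool:
    """Any employee may read their own record, from anywhere, at any time."""
    return (r.role == "employee" and r.action == "payroll:read"
            and r.subject_id == r.resource_owner)


ABAC_RULES: List[Callable[[AccessRequest], bool]] = [
    rule_admin_from_trusted_network,
    rule_hr_office_hours,
    rule_employee_own_record,
]


def abac_allows(r: AccessRequest) -> bool:
    """Deny by default: RBAC must permit the action and some attribute rule must match."""
    return rbac_allows(r.role, r.action) and any(rule(r) for rule in ABAC_RULES)


if __name__ == "__main__":
    clerk = AccessRequest("u-hr1", "hr_clerk", "payroll:write", "emp-007",
                          "office", datetime(2024, 3, 4, 10, 30))
    print("clerk in office at 10:30:", abac_allows(clerk))
    print("clerk from home at 10:30:",
          abac_allows(AccessRequest("u-hr1", "hr_clerk", "payroll:write", "emp-007",
                                    "home", datetime(2024, 3, 4, 10, 30))))
```

The design choice worth noting is the default-deny composition: ABAC rules here can only narrow what RBAC already grants, never widen it, which keeps the role table the single place to audit for "who could ever do X" while the attribute rules answer "under what circumstances".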

At this point, you should have a clear and baseline understanding of DiD. Now, let’s try understanding a benchmark model in information security famously known as the confidentiality, integrity, availability (CIA) triad.

The CIA triad

Not to be confused with the Central Intelligence Agency of the same acronym, CIA stands for confidentiality, integrity, and availability. It is a widely popular information security model that helps an organization protect its sensitive critical information and assets from unauthorized access:

Figure 1.6 – The CIA triad (https://devopedia.org/images/article/178/8179.1558871715.png)

The preceding diagram depicts the CIA triad. Let’s understand its attributes in detail.

Confidentiality

Confidentiality ensures that sensitive information is kept private and accessible only to authorized individuals. This attribute focuses on keeping sensitive information private and accessible only to authorized individuals or entities. It aims to prevent unauthorized disclosure of information, protecting it from being accessed or viewed by unauthorized users. Let’s understand this by looking at an example of the payroll system of an organization. The confidentiality aspect of the payroll system ensures that employee salary information, tax details, and other sensitive financial data is kept private and accessible only to authorized personnel. Unauthorized access to such information can lead to privacy breaches, identity theft, or financial fraud.

Integrity

Integrity maintains the accuracy and trustworthiness of data by preventing unauthorized modifications. The integrity aspect ensures that information remains accurate, trustworthy, and unaltered. It safeguards against unauthorized modifications, deletions, or data tampering efforts, ensuring that the information’s integrity is maintained throughout its life cycle. Let’s understand integrity using the same example of the payroll system of an organization. The integrity aspect of the payroll system ensures that the data remains accurate and unchanged throughout its life cycle. Any unauthorized modifications to payroll data could lead to incorrect salary payments, tax discrepancies, or compliance issues.
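Detecting the unauthorized modification described above requires something that an attacker who can edit the payroll records cannot also recompute. The following is an added example, not code from the book, of the usual mechanism: each record is serialised canonically and tagged with an HMAC-SHA256 under a key held only by the payroll service, so any change to a stored record (here a salary edit) shows up as a tag mismatch on the next verification pass. The records and the key are constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Any, Dict, List


def canonical_bytes(record: Dict[str, Any]) -> bytes:
    """Serialise deterministically (sorted keys, no whitespace) so that the same
    content always yields the same bytes, regardless of dict ordering."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def tag_record(key: bytes, record: Dict[str, Any]) -> str:
    """HMAC-SHA256 over the canonical record. Only holders of `key` can produce it,
    so a plain hash would not do: an attacker could simply rehash the edited record."""
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def record_is_intact(key: bytes, record: Dict[str, Any], tag: str) -> bool:
    """Constant-time comparison of the stored tag with a freshly computed one."""
    return hmac.compare_digest(tag_record(key, record), tag)


def find_tampered(key: bytes, ledger: List[Dict[str, Any]]) -> List[str]:
    """Return the employee_ids of ledger entries whose stored tag no longer matches."""
    return [entry["record"]["employee_id"]
            for entry in ledger
            if not record_is_intact(key, entry["record"], entry["tag"])]


def build_demo_ledger(key: bytes) -> List[Dict[str, Any]]:
    """Constructed payroll records, each stored alongside its integrity tag."""
    records = [
        {"employee_id": "emp-001", "salary": 52000, "tax_code": "A1"},
        {"employee_id": "emp-002", "salary": 61000, "tax_code": "B2"},
        {"employee_id": "emp-003", "salary": 47500, "tax_code": "A1"},
    ]
    return [{"record": r, "tag": tag_record(key, r)} for r in records]


# Constructed key for the example; a real service would load it from a secrets store.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


if __name__ == "__main__":
    ledger = build_demo_ledger(DEMO_KEY)
    print("before tampering:", find_tampered(DEMO_KEY, ledger))
    ledger[1]["record"]["salary"] = 99000  # unauthorized edit made directly in storage
    print("after tampering:", find_tampered(DEMO_KEY, ledger))
```

The tag protects integrity but not availability or confidentiality: an attacker who deletes a record, or reads one, leaves the tags perfectly valid, which is why the three attributes of the triad are addressed by separate controls.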

Availability

Availability ensures that information and services are accessible and operational when needed without disruptions. This aspect emphasizes ensuring that information and systems are available and operational when needed. It focuses on preventing disruptions or denial of service, ensuring that authorized users can access the information and services they require without interruptions. Let’s understand availability by using the same example of the payroll system of an organization. The availability aspect of the payroll system ensures that it is accessible and functional when needed. Payroll processing is critical for employee satisfaction and business operations, and any disruptions to the system could result in delayed payments or other financial issues.

Overall, the CIA triad provides a framework for organizations to develop effective cybersecurity strategies. By focusing on confidentiality, integrity, and availability, organizations can ensure that their systems and data are protected from a wide range of threats, including cyberattacks, data breaches, and other security incidents.

Why is it important to maintain confidentiality, integrity, and availability?

Cybersecurity professionals and cybercriminals work on the same strategy: the former work to develop a strategy to protect the confidentiality, integrity, and availability of a system, while the latter put all their effort into disrupting it. Maintaining the CIA triad is crucial because it serves as a comprehensive framework for addressing and balancing critical aspects of information security. Here is why it is essential to maintain the CIA triad:

Comprehensive security: The CIA triad covers three fundamental dimensions of information security. By considering all three aspects, organizations can ensure a holistic approach to protecting their data and systems from a wide range of threats.
Risk management: The triad helps organizations identify and prioritize potential risks. By understanding the vulnerabilities associated with confidentiality, integrity, and availability, they can implement appropriate security measures to mitigate these risks effectively.
Compliance and regulations