PRACTICAL CLOUD SECURITY A GUIDE FOR SECURE DESIGN AND DEPLOYMENT

by Chris Dotson

All Indian Reprints of O'Reilly are printed in Grayscale. With their rapidly changing architecture and API-driven automation, cloud platforms come with unique security challenges and opportunities. This hands-on book guides you through security best practices for multivendor cloud environments, whether your company plans to move legacy on-premises projects to the cloud or build a new infrastructure from the ground up. Developers, IT architects, and security professionals will learn cloud-specific techniques for securing popular cloud platforms such as Amazon Web Services, Microsoft Azure, and IBM Cloud. Chris Dotson—an IBM senior technical staff member—shows you how to establish data asset management, identity and access management, vulnerability management, network security, and incident response in your cloud environment. Learn how standard principles and concepts, such as least privilege and defense in depth, apply in the cloud Compare cloud-based and on-premises data asset management and protection Manage cloud providers that store or process data or deliver administrative control Understand the critical role played by identity and asset management (IAM) in the cloud Set up a continuous process for managing potential vulnerabilities Learn how network controls in the cloud provide a vital layer of protection Use tactics to detect, respond to, and recover from security incidents

Genres: Technology, Computer Science, Programming, Technical, Software

196 pages, Unknown Binding

Published April 1, 2019

Reviews

[Ali · Rating 4 out of 5]

great primer for cloud security. very readable guide for beginners and good recap for security engineers but not much depth or details if you're looking for specific design patterns. This might be a good study guide for CCSK as it is introductory level and vendor agnostic. For secure configurations of Azure, AWS, GCP, OCI,.. you would need more provider specific implementation guides or cookbooks.

[Ben Rothke · Rating 5 out of 5]

It was not that long ago, that if you wanted to build a data center with a 1,000 servers and 200 terabytes of storage; it would take about a year or so of planning to get such a design into production. With the advent of cloud services such as the Google Cloud Platform, Amazon Web Services and others, one can create such an infrastructure in hours.

Yet with the ease of cloud deployments, security often gets lost in the shuffle. Even though AWS makes it quite clear in nearly every security document of theirs that security is a shared responsibility, that is lost on far too many customers.

In Practical Cloud Security: A Guide for Secure Design and Deployment, author Chris Dotson has written a compact guide that effectively shows the reader how to ensure security is implemented into their cloud environment. Dotson focuses on practical security and tools, and the reader is provided with a solid understanding of the necessary tools, technologies and requirements for creating secure cloud services.

At 175 pages, this is far from a comprehensive guide to cloud security. But what the book lacks in depth, it covers in breadth. Dotson details the core areas of cloud security that needs to be considered when deploying cloud services.

The book is relevant for a large set of readers. From information security managers, system administrators, security architects, application developers who are just finding out they are now tasked with cloud security responsibilities, and more. The book provides the reader with a solid foundation they can use to develop secure cloud services.

There are a lot of definitions for what cloud computing is. Perhaps that most pragmatic is “someone else’s computer”. That means that for nearly every on-premises information security control, there needs to be a corresponding cloud security control. While it’s not a perfect apples to apples comparison, it nonetheless is pretty accurate. And that is the approach the book takes.

In chapter 1, Dotson reiterates the importance of the shared responsibility model. He notes an utterly horrifying statistic, that 77% of IT decision makers believed that public cloud providers were responsible for securing data in the cloud, and 68% said they believed these providers were responsible for securing customer applications as well. It’s precisely for those type of cloud security oblivious IT decision makers that a book like this is needed.

The book does a great job of detailing all of the core areas of cloud security. And Dotson also lists many cloud tools available to get those jobs done. He covers the entire range of information security controls, including: access control, vulnerability management, monitoring and more.

Cloud security is far too important to be ignored. It’s a long and seemingly endless journey to secure the cloud. But for those looking to start the process, Practical Cloud Security is a great guide to help them on their journey.

[Ahmed Eltaher · Rating 5 out of 5]

أرشح الكتاب ده لأي شخص شغال في بيئة فيها Cloud، بغض النظر عن دوره في الفريق طالما بيحتك بشكل من الأشكال مع الـ Cloud.

الكتاب لغته بسيطة وأسلوبه سلس، بالإضافة إنه بيبني كتير من مفاهيم الـ Security الأساسية.
لو عندك قِصر في الجزء ده، فأطمنك الكتاب موجه بشكل عام لشخص جديد عليه مفاهيم الـ Security.

الكتاب عبارة عن ٧ فصول:

1. Principles and Concepts
في الفصل ده كان تركيز الكاتب إنه يبني المفاهيم الأساسية في تفكير القارئ، عشان بعد كده بناء على المفاهيم دي هيبدأ ياخد قرارات في الـ Architecture بتاعة الـ app الافتراضي اللي بيبنيه خلال فصول الكتاب.

2. Data Asset Management and Protection
هنا الكاتب كان بيوضح إيه أشكال البيانات اللي ممكن نتعامل معاها في الـ Cloud، لأنها أكتر جزء حساس في الـ app، واللي بناء عليه هنحدد شكل وقوة التدابير اللي هنحطها.

3. Cloud Asset Management and Protection
بعد ما شفنا الجزء الخاص بالبيانات، بدأنا نشوف إيه الـ assets المختلفة اللي ممكن نتعامل معاها، وإزاي في بيئة سريعة التغير زي الـ Cloud، يكون عندنا طريقة منظمة نعمل بيها inventory للأصول دي عشان نتابعها.

4. Identity and Access Management
بعد كده تطرق لجزء الـ identity ومشاكله والتحديات الجديدة، خصوصًا مع ظهور non-human identities كتير بسبب الـ automation اللي بقى جزء كبير من أي منظومة. واتكلم كمان عن إزاي نحط policy لكل مرحلة في الـ authentication/authorization lifecycle.

5. Vulnerability Management
بعد كده دخل في جزء الـ vulnerabilities وإزاي نتعامل معاها في الـ Cloud، وازاي بعض خصائص بيئة الـ Cloud خلت الموضوع أسهل من جوانب وأصعب من جوانب. وأتكلم عن إزاي تراقب أدائك في الجزء ده وبعض مؤشرات الأداء اللي تعرفك هل تعاملك مع الـ vulnerabilities بيتم بشكل جيد ولا لأ.

6. Network Security
الفصل ده كان عن كل ما يخص الـ Security المتعلقة بالـ networks، وإيه الـ layers المختلفة اللي ممكن أستخدمها والدور الأساسي لكل واحدة.

7. Detecting, Responding to, and Recovering from Security Incidents
هنا بقى بيتكلم عن آخر مرحلة، بعد ما أخدت كل التدابير عشان تحمي الـ environment بتاعتك: ازاي تراقبها وتكتشف لو في أي Incidents حصلت، وازاي تتعامل معاها وتقيّم أدائك في الجانب ده.

في العموم أرشح الكتاب ده، هو صغير، لغته بسيطة، ودم الكاتب خفيف فمش هتحس إن الموضوع تقيل على قلبك.

[Federico · Rating 4 out of 5]

A nice short summary to some of the most common concepts used with current hosting providers (rented virtual computing aka public cloud). If you have used such services for a while you probably already heard of all this, but you might have missed a thing or two. Even if you knew it all, the book can help review your priorities: for example I appreciated the common sense advice on alert fatigue and encryption at rest.

The author's advice is sufficiently broad and vendor-agnostic while remaining concrete (and therefore mostly oriented towards proprietary solutions offered by the hyperscalers, although FLOSS is mentioned too).

[Jana Vonšák · Rating 5 out of 5]

A great and surprisingly up-to-date (at time of reading the book) introduction to security in a cloud environment. The book covers basic concepts, tools and processes connected to cloud security and compares them to the on-premises approach. As the topic itself is too huge for a single book, you can expect a basic overview and pointers to high quality sources to dig into rather than a complete deep dive. For someone who has just recently moved to the security field it is an excellent book to start with, though.

[Kerszi · Rating 4 out of 5]

Kolejna książka o bezpieczeństwie. Z tym, że nacisk jest położony, jak nazwa sugeruje, na chmury i jak ją zabezpieczać. Raczej nie znajdziesz tutaj metod ataków. To znajdziesz w innych książkach.
Godnym polecenia jest fakt, że zostały też omówione główne chmury takie jak: AWS, GCP, Azure.
Tego typu pozycji jest na razie bardzo mało, więc jest godna polecenia.

[kevin · Rating 4 out of 5]

It is a good introduction to understand the considerations of thinking about security in a cloud context, and it also laid out sufficient basic security concepts such that it can be read without too much in depth knowledge of security.

[Trisha Roberson · Rating 4 out of 5]

Practical security including passwords, 2 lock stage, etc

[Linus · Rating 5 out of 5]

It did well providing an overview about what to think of. Do not expect to get any technical details.

[Catherine Castro · Rating 4 out of 5]

A good introduction to cloud security. It provides the reader the basic concepts, necessary tools, technologies and security controls required for creating secure cloud environment.