Cloud Security for Dummies

Table of Contents

Introduction
    About This Book
    Foolish Assumptions
    Icons Used in This Book
    Beyond the Book
    Where to Go from Here

Part 1: Getting Started with Cloud Security

Chapter 1: Clouds Aren't Bulletproof
    Knowing Your Business
        Discovering the company jewels
        Initiating your plan
        Automating the discovery process
    Knowing Your SLA Agreements with Service Providers
        Where is the security?
        Knowing your part
    Building Your Team
        Finding the right people
        Including stakeholders
    Creating a Risk Management Plan
        Identifying the risks
        Assessing the consequences of disaster
        Pointing fingers at the right people
        Disaster planning
    When Security Is Your Responsibility
        Determining which assets to protect
        Knowing your possible threat level
        Van Gogh with it (paint a picture of your scenario)
        Setting up a risk assessment database
    Avoiding Security Work with the Help of the Cloud
        Having someone else ensure physical security
        Making sure providers have controls to separate customer data
        Recognizing that cloud service providers can offer better security

Chapter 2: Getting Down to Business
    Negotiating the Shared Responsibility Model
        Coloring inside the lines
        Learning what to expect from a data center
        Taking responsibility for your 75 percent
    SaaS, PaaS, IaaS, AaaA!
        SaaS
        SaaS security
        PaaS
        PaaS security
        IaaS
        IaaS security
        FaaS
        SaaS, PaaS, IaaS, FaaS responsibilities
    Managing Your Environment
        Restricting access
        Assessing supply chain risk
        Managing virtual devices
        Application auditing
    Managing Security for Devices Not Under Your Control
        Inventorying devices
        Using a CASB solution
    Applying Security Patches
    Looking Ahead

Chapter 3: Storing Data in the Cloud
    Dealing with the Data Silo Dilemma
    Cataloging Your Data
        Selecting a data catalog software package
        Three steps to building a data catalog
        Controlling data access
        Working with labels
        Developing label-based security
        Applying sensitivity levels
        Assessing impact to critical functions
    Working with Sample Classification Systems
    Tokenizing Sensitive Data
        Defining data tokens
        Isolating your tokenization system
        Accessing a token system
    Segmenting Data
    Anonymizing Data
    Encrypting Data in Motion, in Use, and at Rest
        Securing data in motion
        Encrypting stored data
        Protecting data in use by applications
    Creating Data Access Security Levels
    Controlling User Access
        Restricting IP access
        Limiting device access
        Building the border wall and other geofencing techniques
        Getting rid of stale data

Chapter 4: Developing Secure Software
    Turbocharging Development
        No more waterfalls
        CI/CD: Continuous integration/continuous delivery
        Shifting left and adding security in development
        Tackling security sooner rather than later
        Putting security controls in place first
        Circling back
    Implementing DevSecOps
    Automating Testing during Development
        Using static and dynamic code analysis
        Taking steps in automation
        Leveraging software composition analysis
        Proving the job has been done right
        Logging and monitoring
        Ensuring data accountability, data assurance, and data dependability
    Running Your Applications
        Taking advantage of cloud agnostic integration
        Recognizing the down sides of cloud agnostic development
        Getting started down the cloud agnostic path
    Like DevOps but for Data
        Testing, 1-2-3
        Is this thing working?
        Working well with others
        Baking in trust
    DevSecOps for DataOps
        Considering data security
        Ending data siloes
        Developing your data store
    Meeting the Challenges of DataSecOps
    Understanding That No Cloud Is Perfect

Chapter 5: Restricting Access
    Determining the Level of Access Required
        Catching flies with honey
        Determining roles
        Auditing user requirements
    Understanding Least Privilege Policy
        Granting just-in-time privileges
        The need-to-know strategy
        Granting access to trusted employees
        Restricting access to contractors
    Implementing Authentication
        Multifactor authentication (Or, who's calling me now?)
        Authenticating with API keys
        Using Firebase authentication
        Employing OAuth
        Google and Facebook authentication methods
    Introducing the Alphabet Soup of Compliance
        Global compliance
        Complying with PCI
        Complying with GDPR
        HIPAA compliance
        Government compliance
        Compliance in general
    Maintaining Compliance and CSPM
        Discovering and remediating threats with CSPM applications
    Automating Compliance
        Integrating with DevOps
    Controlling Access to the Cloud
        Using a cloud access security broker (CASB)
        Middleware protection systems
    Getting Certified
        ISO 27001 Compliance
        SOC 2 compliance
        PCI certification

Part 2: Acceptance

Chapter 6: Managing Cloud Resources
    Defending Your Cloud Resources from Attack
    Living in a Virtual World
        Moving to virtualization
        Addressing VM security concerns
        Using containers
    Securing Cloud Resources with Patch Management
        Patching VMs and containers
        Implementing patch management
    Keeping Your Cloud Assets Straight in Your Mind
    Keeping Tabs with Logs
        Using Google Cloud Management software
        Using AWS log management
        Using Azure log management
        Working with third-party log management software
        Logging containers
    Building Your Own Defenses
        Creating your development team
        Using open-source security
        Protecting your containers
        Protecting your codebase

Chapter 7: The Role of AIOps in Cloud Security
    Taking the AIOps Route
        Detecting the problem
        Using dynamic thresholds
        Catching attacks early in the Cyber Kill chain
        Prioritizing incidents
        Assigning tasks
        Diagnosing the root problem
        Reducing time to MTTR
        Spotting transitory problems
        Digging into the past
        Solving the problem
        Achieving resolution
        Automating security responses
        Continually improving
    Making Things Visible
        Implementing resource discovery
        Automating discovery
    Managing Resources, CMDB-Style
        Seeing potential impacts
        Adding configuration items
        Employing CSDM
        Using AIOps
        Gaining insights
        Examining a wireless networking use case
    Using Splunk to Manage Clouds
        Observability
        Alerts
        Splunk and AIOps
        Predictive analytics
        Adaptive thresholding
        Views of everything
        Deep Dive in Splunk
        Event Analytics in Splunk
        Splunk On-Call
        Phantom
    Putting ServiceNow Through Its Paces
        AIOps require an overhead view
        React to problems
        Gauge system health
        Automation makes it all happen
    Getting the Job Done with IT Service Management
        How ITSM is different
        Performance analytics
    Changing Your Team
    A (Not So Final) Word

Chapter 8: Implementing Zero Trust
    Making the Shift from Perimeter Security
    Examining the Foundations of Zero Trust Philosophy
        Two-way authentication
        Endpoint device management
        End-to-end encryption
        Policy based access
        Accountability
        Least privilege
        Network access control and beyond
        CSPM risk automation
    Dealing with Zero Trust Challenges
        Choose a roadmap
        Take a simple, step-by-step approach
        Keep in mind some challenges you face in implementing zero trust

Chapter 9: Dealing with Hybrid Cloud Environments
    Public Clouds Make Pretty Sunsets
        Controlling your environment
        Optimizing for speed
        Managing security
    Private Clouds for Those Special Needs
    Wrapping Your Mind around Hybrid Cloud Options
        Hybrid storage solution
        Tiered data storage
    Gauging the Advantages of the Hybrid Cloud Setup
        It's scalable
        The costs
        You maintain control
        The need for speed
        Overcoming data silos
        Compliance
    Struggling with Hybrid Challenges
        Handling a larger attack surface
        Data leakage
        Data transport times