Hybrid Cloud Security Patterns: Leverage modern repeatable architecture patterns to secure your workloads on the cloud
About this ebook
Security is a primary concern for enterprises going through digital transformation and accelerating their journey to multi-cloud environments. This book recommends a simple pattern-based approach to architecting, designing and implementing security for workloads deployed on AWS, Microsoft Azure, Google Cloud, and IBM Cloud.
The book discusses enterprise modernization trends and the security opportunities and challenges that come with them. You'll understand how to implement identity and access management for your cloud resources and applications. Later chapters discuss patterns to protect cloud infrastructure (compute, storage, and network) and to protect data at rest, in transit, and in use. You'll also learn how to shift security left, including it in the early stages of application development to adopt DevSecOps. The book also dives deep into threat monitoring, configuration and vulnerability management, and automated incident response. Finally, you'll discover patterns to implement security posture management backed by intelligence and automated protection to stay ahead of threats.
By the end of this book, you’ll have learned all the hybrid cloud security patterns and be able to use them to create zero trust architecture that provides continuous security and compliance for your cloud workloads.
Hybrid Cloud Security Patterns - Sreekanth Iyer
BIRMINGHAM—MUMBAI
Hybrid Cloud Security Patterns
Copyright © 2022 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
Group Product Manager: Rahul Nair
Publishing Product Manager: Niranjan Naikwadi
Senior Editor: Athikho Sapuni Rishana
Technical Editor: Nithik Cheruvakodan
Copy Editor: Safis Editing
Project Coordinator: Ashwin Kharwa
Proofreader: Safis Editing
Indexer: Subalakshmi Govindhan
Production Designer: Prashant Ghare
Marketing Coordinator: Nimisha Dua
First published: December 2022
Production reference: 1201022
Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham
B3 2PB, UK.
ISBN 978-1-80323-358-1
www.packt.com
To my mother Parvathy and my father Ramakrishna Iyer for their sacrifices and the values they have instilled in me – to stay selfless, work hard, and be thankful.
To my wife Saritha and my sons Varun and Vignesh for their love, support, and inspiration.
– Sreekanth Iyer
Foreword
As enterprises and businesses adopt hybrid cloud to accelerate innovation, cloud security remains an important focus area to both mitigate risk and achieve compliance. Leveraging his hands-on experience in building cloud delivered products, as well as solution engagements with customers to address their challenges, Sreekanth has done a wonderful job in outlining a practical approach to cloud security in this book.
Capturing best practices and repeatable patterns is a great way to bring together the different dimensions of cloud security, with practical solutions that are readily usable. For each of the patterns, his approach to outlining use cases, challenges, solution approaches, along with applicable technologies from the different cloud providers, is commendable. Each chapter provides standalone content, rendering the book a readily referenceable asset which is thus very valuable to cloud security practitioners who can quickly get to their topic of interest.
I have worked closely with Sreekanth for more than a decade, and I can clearly see him bringing his expertise, experience, and passion for sharing his knowledge - all wrapped into this book.
Dr. Nataraj Nagaratnam
IBM Fellow, CTO for Cloud Security at IBM
Contributors
About the author
Sreekanth (Sreek) Iyer is a thought leader in architecture with over 25 years of experience building enterprise solutions across multiple industries. He is currently working as a principal architect with Apptio. Prior to this role, he worked as an executive IT architect at IBM. He has served as a trusted advisor on digital transformation strategies and the journey to the cloud for many enterprise clients. He is an expert in cloud engineering, security, complex integration, and app modernization. He is an IBM Master Inventor with more than 60 patents. He has built strong software engineering teams and made outstanding contributions to creating security reference architectures. When he is not working, he enjoys music and his time with family and friends.
My sincere thanks to Nataraj Nagaratnam and Sridhar Muppidi at IBM for introducing me to the world of security and for their continued guidance and support.
I’m grateful to Marc Fiammante for being my career mentor and inspiration to write this book. My gratitude to Kyle Brown and Bobby Woolf for imparting the knowledge on pattern language.
I'm thankful to Tony Carrato for the careful and detailed technical review of the book that helped significantly improve the quality of the content. I'm very fortunate to have Tony, who has extensive experience and deep expertise in the cloud security domain, as the technical reviewer.
I've benefited from every interaction with my IBM and Apptio colleagues. I have tremendous respect for each of them. This book reflects the knowledge and wisdom gained from engagement and collaboration with my talented colleagues.
Finally, my sincere thanks to the Packt publishing team – Neil, Niranjan, and Sapuni for their patience, support during difficult times, and their constant encouragement to complete this project.
About the reviewer
Tony Carrato is a member of the steering committee of the Security Forum at The Open Group, as well as an invited expert in their Security Forum. He is a member of the planning group for the New Mexico Technology Council’s Cybersecurity Peer Group and a part of the Critical Asset Management (for climate resilience) open source project. He is on the board of Telemetry Insight, a New Mexico startup, and a board advisor to the Ortelius open source project focused on microservices and software supply chain security.
He retired from IBM in 2019, with a total of nearly 50 years of technology experience. His major areas of expertise are in technology architecture, including security, enterprise, and solution architecture.
I’ve known and worked with Sreek for many years. He’s truly knowledgeable about security and the cloud and very good at explaining difficult topics in the area of hybrid cloud security. It’s been a pleasure and privilege to support this book coming to fruition.
Table of Contents
Preface
Part 1: Introduction to Cloud Security
1
Opportunities and Challenges with Hybrid Multi-cloud Solutions
The evolution of the cloud
Defining cloud computing
Cloud personas
Cloud deployment models
Cloud delivery models
From cloud to hybrid multi-cloud
Digitization trends
Application modernization
Data modernization and the emergence of data fabric
Integration, coexistence, and interoperability
Event hubs and intelligent workflows
Coexistence and interoperability
DevOps
Optimization of operations
Leveraging observability for a better customer experience
Automation, automation, automation
Building pipeline of pipelines for hybrid multi-cloud
Security for the digital hybrid multi-cloud era
App modernization and security
Data security
Security for integration, coexistence, and interoperability
Shift left security – from DevOps to DevSecOps
Configuration management
Security Orchestration, Automation, and Response
Integrated security and continuous compliance
Zero-trust architecture and security models
Summary
2
Understanding Shared Responsibility Model for Cloud Security
A strategic approach to cloud security
A shared responsibility model
Cloud security domains
A pattern-based approach to address hybrid cloud security
Summary
Part 2: Identity and Access Management Patterns
3
Cloud Identity and Access Management
User management patterns
Registration pattern
Identity federation pattern
Cloud identity pattern
User group management patterns
Service accounts
User de-provisioning
Authentication patterns
Logging in with user ID and credentials
Application access key or API key
SSH keys
SSO
Multi-factor authentication
Single logout
Physical authentication pattern
Authorization patterns
Access control pattern
Governance and administration patterns
Identity governance and administration pattern
Related patterns
Summary
4
Implementing Identity and Access Management for Cloud Applications
Authentication pattern for cloud application users
Problem
Context
Solution
Known uses
Service-to-service authentication
Problem
Context
Solution
Known uses
Cloud application authorization patterns
Problem
Context
Solution
Known uses
Summary
References
Part 3: Infrastructure Security Patterns
5
How to Secure Compute Infrastructure
Securing physical (bare-metal) servers
Problem
Context
Solution
Known uses
Trusted compute patterns
Problem
Context
Solution
Known uses
Securing hypervisors
Problem
Context
Solution
Known uses
Protecting VMs
Problem
Context
Solution
Known uses
Securing containers
Problem
Context
Solution
Known uses
Securing serverless implementations
Problem
Context
Solution
Known uses
Summary
References
6
Implementing Network Isolation, Secure Connectivity, and Protection
Network isolation patterns
Problem
Context
Solution
Known uses
Secure network connectivity
Problem
Context
Solution
Known uses
Network protection
Problem
Context
Solution
Known uses
Summary
References
Part 4: Data and Application Security Patterns
7
Data Security Patterns
Patterns for protecting data at rest
Problem
Context
Solution
Known uses
Protecting data in transit patterns
Problem
Context
Solution
Known uses
Data in use
Problem
Context
Solution
Known uses
Data classification and monitoring patterns
Problem
Context
Solution
Known uses
Summary
References
8
Shift Left Security for DevOps
Secure engineering and threat modeling
Problem
Context
Solution
Known uses
The DevSecOps pattern
Problem
Context
Solution
Known uses
Summary
References
Part 5: Cloud Security Posture Management and Zero Trust Architecture
9
Managing the Security Posture for Your Cloud Deployments
CSPM patterns
Problem
Context
Solution
Known uses
Summary
References
10
Building Zero Trust Architecture with Hybrid Cloud Security Patterns
Zero trust pattern
Problem
Context
Solution
Known uses
Summary
References
Index
Other Books You May Enjoy
Preface
Hybrid cloud security is a complex topic and needs different considerations in various security domains. People who are new to the topic can master the subject in no time with a pattern-based approach. Hybrid Cloud Security Patterns is a comprehensive introduction to cloud security patterns.
This book discusses security patterns and how to implement them, with easy-to-follow prescriptive guidance and pointers to tutorials and examples for securing workloads, or implementing the security patterns, on specific clouds – AWS, Azure, GCP, and IBM Cloud.
By the end of this book, you will learn to use the power of patterns to address security for all your cloud deployments.
Who this book is for
This is a guide for cloud solution architects and security focals who need to deploy their applications securely in the cloud. It provides prescriptive guidance for cloud engineers and DevSecOps professionals who want to build security by design into their cloud-native applications. It also gives business users who are considering cloud deployments an overview of the different aspects of security that they need to consider.
What this book covers
Chapter 1, Opportunities and Challenges with Hybrid Multi-cloud Solution, discusses the evolution of cloud, cloud consumption and deployment patterns, challenges, and opportunities.
Chapter 2, Understanding Shared Responsibility Model for Cloud Security, discusses an overall approach to addressing hybrid cloud security.
Chapter 3, Implementing Identity and Access Management for Cloud Users, describes the patterns to implement authentication, access control, and audit for cloud resources.
Chapter 4, Implementing Identity and Access Management for Applications, shows you how to add authentication and access to web and mobile applications deployed in the cloud. This chapter will discuss the pattern to enhance apps with advanced security capabilities.
Chapter 5, How to Secure Compute Infrastructure, shows you how to secure Virtual Machines (VMs) and containers. We will discuss patterns to provide isolation to varying degrees and enable both portability and security for VMs and containers.
Chapter 6, Implementing Network Protection, Isolation, and Secure Connectivity, discusses how to secure a cloud network and the architecture patterns and security elements needed to secure the network, including isolation, connectivity, and protection.
Chapter 7, Data Protection Pattern, explores data protection patterns, including protecting data at rest, in transit, and in use. Data-at-rest protection patterns cover how to protect files and objects, whether they are stored in a database or held raw in data or storage services. You will learn how to use encryption and key management patterns to protect data at rest, and understand the threats related to data in transit and the patterns for protecting it. This chapter will discuss the importance of certificates and their use in protecting data in transit. It also discusses how to protect data during processing, as well as cloud services that deliver stronger end-to-end data security in the cloud.
Chapter 8, Shift Left Security for DevOps, discusses how to infuse security into a DevOps pipeline. Shifting security left, so that it is incorporated in the earliest stages of concept, development, and operations, is required to ensure an application runs safely in the cloud. Threat and vulnerability management are critical aspects of security and compliance programs. This chapter discusses patterns to identify vulnerabilities in cloud resources across infrastructure, middleware, and applications, and how to remediate them. Configuration management is another important topic; it covers how to manage and control configurations for cloud resources to enable security and facilitate the management of risk.
Chapter 9, Manage Security Posture for Your Cloud Deployments, delves into Cloud Security Posture Management (CSPM), which helps to proactively monitor, track, and react to security violations. This chapter provides information on how to build end-to-end visibility and integration of security processes and tooling throughout an organization to obtain a security posture for cloud applications. A security and compliance posture provides a way to see the controls in place against policies and their effectiveness. This chapter discusses how to prepare an enterprise to respond to large volumes of alerts and events related to cloud security. Given the use of multiple tools and a shortage of staff, enterprises need to adopt security orchestration, automation, and response to improve their effectiveness against security events.
Chapter 10, Building Zero Trust Architecture with Hybrid Cloud Security Patterns, discusses reference architectures and patterns to implement the zero trust model. The principles for zero trust are also discussed in detail. This chapter explores the use cases requiring the zero trust model and how to leverage hybrid cloud security patterns to protect critical data using zero trust security practices.
To get the most out of this book
The book assumes you have basic knowledge of the cloud and its advantages. Knowledge of the different types of cloud, their deployment, and consumption models is a prerequisite.
The GitHub repository provides links with details on how to implement the patterns discussed in each chapter. Refer to the GitHub pages and follow the links to the tutorials and examples from the security services and solution providers listed above. If you are using the digital version of this book, we advise you to type the code yourself or access the reference links to example code from the book's GitHub repository (a link is available in the next section). Doing so will help you avoid any potential errors related to the copying and pasting of code.
Download the example code files
You can download the example code files for this book from GitHub at https://github.com/PacktPublishing/Hybrid-Cloud-Security-Patterns. If there’s an update to the code, it will be updated in the GitHub repository.
We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!
Download the color images
We also provide a PDF file that has color images of the screenshots and diagrams used in this book. You can download it here: https://packt.link/cbJMK.
Conventions used
There are a number of text conventions used throughout this book.
Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: Mount the downloaded WebStorm-10*.dmg disk image file as another disk in your system.
Bold: Indicates a new term, an important word, or words that you see on screen. For instance, words in menus or dialog boxes appear in bold. Here is an example: Select System info from the Administration panel.
Tips or Important Notes
Appear like this.
Get in touch
Feedback from our readers is always welcome.
General feedback: If you have questions about any aspect of this book, email us at [email protected] and mention the book title in the subject of your message.
Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata and fill in the form.
Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.
If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.
Share Your Thoughts
Once you’ve read Hybrid Cloud Security Patterns, we’d love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.
Your review is important to us and the tech community and will help us make sure we’re delivering excellent quality content.
Download a free PDF copy of this book
Thanks for purchasing this book!
Do you like to read on the go but are unable to carry your print books everywhere? Is your eBook purchase not compatible with the device of your choice?
Don’t worry, now with every Packt book you get a DRM-free PDF version of that book at no cost.
Read anywhere, any place, on any device. Search, copy, and paste code from your favorite technical books directly into your application.
The perks don't stop there: you can get exclusive access to discounts, newsletters, and great free content in your inbox daily.
Follow these simple steps to get the benefits:
Scan the QR code or visit the link below
https://packt.link/free-ebook/9781803233581
Submit your proof of purchase
That's it! We'll send your free PDF and other benefits to your email directly.
Part 1: Introduction to Cloud Security
Security is the primary concern for enterprises adopting hybrid IT and multi-cloud technologies as they pursue application modernization. By taking a strategic approach to security, businesses can infuse security into various stages of their journey to the cloud. This part will discuss how enterprises are adopting hybrid cloud and the challenges with regard to securing their transition to the cloud.