Hybrid Cloud Security Patterns: Leverage modern repeatable architecture patterns to secure your workloads on the cloud
Ebook, 529 pages, 3 hours


About this ebook

Security is a primary concern for enterprises going through digital transformation and accelerating their journey to multi-cloud environments. This book recommends a simple pattern-based approach to architecting, designing and implementing security for workloads deployed on AWS, Microsoft Azure, Google Cloud, and IBM Cloud.
The book discusses enterprise modernization trends and related security opportunities and challenges. You’ll understand how to implement identity and access management for your cloud resources and applications. Later chapters discuss patterns to protect cloud infrastructure (compute, storage and network) and provide protection for data at rest, in transit and in use. You’ll also learn how to shift left and include security in the early stages of application development to adopt DevSecOps. The book also deep dives into threat monitoring, configuration and vulnerability management, and automated incident response. Finally, you’ll discover patterns to implement security posture management backed with intelligence and automated protection to stay ahead of threats.
By the end of this book, you’ll have learned all the hybrid cloud security patterns and be able to use them to create zero trust architecture that provides continuous security and compliance for your cloud workloads.

Language: English
Release date: Nov 18, 2022
ISBN: 9781803233970


    Book preview

    Hybrid Cloud Security Patterns - Sreekanth Iyer


    BIRMINGHAM—MUMBAI

    Hybrid Cloud Security Patterns

    Copyright © 2022 Packt Publishing

    All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

    Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

    Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

    Group Product Manager: Rahul Nair

    Publishing Product Manager: Niranjan Naikwadi

    Senior Editor: Athikho Sapuni Rishana

    Technical Editor: Nithik Cheruvakodan

    Copy Editor: Safis Editing

    Project Coordinator: Ashwin Kharwa

    Proofreader: Safis Editing

    Indexer: Subalakshmi Govindhan

    Production Designer: Prashant Ghare

    Marketing Coordinator: Nimisha Dua

    First published: December 2022

    Production reference: 1201022

    Published by Packt Publishing Ltd.

    Livery Place

    35 Livery Street

    Birmingham

    B3 2PB, UK.

    ISBN 978-1-80323-358-1

    www.packt.com

    To my mother Parvathy and my father Ramakrishna Iyer for their sacrifices and the values they have instilled in me – to stay selfless, work hard, and be thankful.

    To my wife Saritha and my sons Varun and Vignesh for their love, support, and inspiration.

    – Sreekanth Iyer

    Foreword

    As enterprises and businesses adopt hybrid cloud to accelerate innovation, cloud security remains an important focus area to both mitigate risk and achieve compliance. Leveraging his hands-on experience in building cloud delivered products, as well as solution engagements with customers to address their challenges, Sreekanth has done a wonderful job in outlining a practical approach to cloud security in this book.

    Capturing best practices and repeatable patterns is a great way to bring together the different dimensions of cloud security, with practical solutions that are readily usable. For each of the patterns, his approach to outlining use cases, challenges, solution approaches, along with applicable technologies from the different cloud providers, is commendable. Each chapter provides standalone content, rendering the book a readily referenceable asset which is thus very valuable to cloud security practitioners who can quickly get to their topic of interest.

    I have worked closely with Sreekanth for more than a decade, and I can clearly see him bringing his expertise, experience, and passion for sharing his knowledge - all wrapped into this book.

    Dr. Nataraj Nagaratnam

    IBM Fellow, CTO for Cloud Security at IBM

    Contributors

    About the author

    Sreekanth (Sreek) Iyer is a thought leader in architecture with over 25 years of experience building enterprise solutions across multiple industries. He is currently working as a principal architect with Apptio. Prior to this role, he worked as an executive IT architect at IBM. He has served as a trusted advisor on digital transformation strategies and the journey to the cloud for many enterprise clients. He is an expert in cloud engineering, security, complex integration, and app modernization. He is an IBM Master Inventor with more than 60 patents. He has built strong software engineering teams and made outstanding contributions to creating security reference architectures. When he is not working, he enjoys music and his time with family and friends.

    My sincere thanks to Nataraj Nagaratnam and Sridhar Muppidi at IBM for introducing me to the world of security and for their continued guidance and support.

    I’m grateful to Marc Fiammante for being my career mentor and inspiration to write this book. My gratitude to Kyle Brown and Bobby Woolf for imparting the knowledge on pattern language.

    I’m thankful to Tony Carrato for the careful and detailed technical review of the book that helped significantly improve the quality of the content. I’m very fortunate to have Tony, who has extensive experience and deep expertise in the cloud security domain, as the technical reviewer.

    I’ve benefited from every interaction with my IBM and Apptio colleagues. I have tremendous respect for each of them. This book reflects the knowledge and wisdom gained from engagement and collaboration with my talented colleagues.

    Finally, my sincere thanks to the Packt Publishing team – Neil, Niranjan, and Sapuni – for their patience, support during difficult times, and their constant encouragement to complete this project.

    About the reviewer

    Tony Carrato is a member of the steering committee of the Security Forum at The Open Group, as well as an invited expert in their Security Forum. He is a member of the planning group for the New Mexico Technology Council’s Cybersecurity Peer Group and a part of the Critical Asset Management (for climate resilience) open source project. He is on the board of Telemetry Insight, a New Mexico startup, and a board advisor to the Ortelius open source project focused on microservices and software supply chain security.

    He retired from IBM in 2019, with a total of nearly 50 years of technology experience. His major areas of expertise are in technology architecture, including security, enterprise, and solution architecture.

    I’ve known and worked with Sreek for many years. He’s truly knowledgeable about security and the cloud and very good at explaining difficult topics in the area of hybrid cloud security. It’s been a pleasure and privilege to support this book coming to fruition.

    Table of Contents

    Preface

    Part 1: Introduction to Cloud Security

    1

    Opportunities and Challenges with Hybrid Multi-cloud Solutions

    The evolution of the cloud

    Defining cloud computing

    Cloud personas

    Cloud deployment models

    Cloud delivery models

    From cloud to hybrid multi-cloud

    Digitization trends

    Application modernization

    Data modernization and the emergence of data fabric

    Integration, coexistence, and interoperability

    Event hubs and intelligent workflows

    Coexistence and interoperability

    DevOps

    Optimization of operations

    Leveraging observability for a better customer experience

    Automation, automation, automation

    Building pipeline of pipelines for hybrid multi-cloud

    Security for the digital hybrid multi-cloud era

    App modernization and security

    Data security

    Security for integration, coexistence, and interoperability

    Shift left security – from DevOps to DevSecOps

    Configuration management

    Security Orchestration, Automation, and Response

    Integrated security and continuous compliance

    Zero-trust architecture and security models

    Summary

    2

    Understanding Shared Responsibility Model for Cloud Security

    A strategic approach to cloud security

    A shared responsibility model

    Cloud security domains

    A pattern-based approach to address hybrid cloud security

    Summary

    Part 2: Identity and Access Management Patterns

    3

    Cloud Identity and Access Management

    User management patterns

    Registration pattern

    Identity federation pattern

    Cloud identity pattern

    User group management patterns

    Service accounts

    User de-provisioning

    Authentication patterns

    Logging in with user ID and credentials

    Application access key or API key

    SSH keys

    SSO

    Multi-factor authentication

    Single logout

    Physical authentication pattern

    Authorization patterns

    Access control pattern

    Governance and administration patterns

    Identity governance and administration pattern

    Related patterns

    Summary

    4

    Implementing Identity and Access Management for Cloud Applications

    Authentication pattern for cloud application users

    Problem

    Context

    Solution

    Known uses

    Service-to-service authentication

    Problem

    Context

    Solution

    Known uses

    Cloud application authorization patterns

    Problem

    Context

    Solution

    Known uses

    Summary

    References

    Part 3: Infrastructure Security Patterns

    5

    How to Secure Compute Infrastructure

    Securing physical (bare-metal) servers

    Problem

    Context

    Solution

    Known uses

    Trusted compute patterns

    Problem

    Context

    Solution

    Known uses

    Securing hypervisors

    Problem

    Context

    Solution

    Known uses

    Protecting VMs

    Problem

    Context

    Solution

    Known uses

    Securing containers

    Problem

    Context

    Solution

    Known uses

    Securing serverless implementations

    Problem

    Context

    Solution

    Known uses

    Summary

    References

    6

    Implementing Network Isolation, Secure Connectivity, and Protection

    Network isolation patterns

    Problem

    Context

    Solution

    Known uses

    Secure network connectivity

    Problem

    Context

    Solution

    Known uses

    Network protection

    Problem

    Context

    Solution

    Known uses

    Summary

    References

    Part 4: Data and Application Security Patterns

    7

    Data Security Patterns

    Patterns for protecting data at rest

    Problem

    Context

    Solution

    Known uses

    Protecting data in transit patterns

    Problem

    Context

    Solution

    Known uses

    Data in use

    Problem

    Context

    Solution

    Known uses

    Data classification and monitoring patterns

    Problem

    Context

    Solution

    Known uses

    Summary

    References

    8

    Shift Left Security for DevOps

    Secure engineering and threat modeling

    Problem

    Context

    Solution

    Known uses

    The DevSecOps pattern

    Problem

    Context

    Solution

    Known uses

    Summary

    References

    Part 5: Cloud Security Posture Management and Zero Trust Architecture

    9

    Managing the Security Posture for Your Cloud Deployments

    CSPM patterns

    Problem

    Context

    Solution

    Known uses

    Summary

    References

    10

    Building Zero Trust Architecture with Hybrid Cloud Security Patterns

    Zero trust pattern

    Problem

    Context

    Solution

    Known uses

    Summary

    References

    Index

    Other Books You May Enjoy

    Preface

    Hybrid cloud security is a complex topic and needs different considerations in various security domains. People who are new to the topic can master the subject in no time with a pattern-based approach. Hybrid Cloud Security Patterns is a comprehensive introduction to cloud security patterns.

    This book discusses security patterns and how to implement them on specific cloud providers, complete with pointers to tutorials and easy-to-follow prescriptive guidance on how to implement each security pattern on AWS, Azure, GCP, and IBM Cloud.

    By the end of this book, you will learn to use the power of patterns to address security for all your cloud deployments.

    Who this book is for

    This book is a guide for cloud solution architects and security focals who need to securely deploy their applications in the cloud. It provides prescriptive guidance for cloud engineers and DevSecOps professionals who want to build security by design into their cloud-native applications. It also introduces business users who are considering cloud deployments to the different aspects of security that they need to consider.

    What this book covers

    Chapter 1, Opportunities and Challenges with Hybrid Multi-cloud Solution, discusses the evolution of cloud, cloud consumption and deployment patterns, challenges, and opportunities.

    Chapter 2, Understanding Shared Responsibility Model for Cloud Security, discusses an overall approach to addressing hybrid cloud security.

    Chapter 3, Implementing Identity and Access Management for Cloud Users, describes the patterns to implement authentication, access control, and audit for cloud resources.

    Chapter 4, Implementing Identity and Access Management for Applications, shows you how to add authentication and access to web and mobile applications deployed in the cloud. This chapter will discuss the pattern to enhance apps with advanced security capabilities.

    Chapter 5, How to Secure Compute Infrastructure, shows you how to secure Virtual Machines (VMs) and containers. We will discuss patterns to provide isolation to varying degrees and enable both portability and security for VMs and containers.

    Chapter 6, Implementing Network Protection, Isolation, and Secure Connectivity, discusses how to secure a cloud network and the architecture patterns and security elements needed to secure the network, including isolation, connectivity, and protection.

    Chapter 7, Data Protection Pattern, explores data protection patterns, including protecting data at rest, in transit, and in use. Data at rest protection patterns include how to protect files, objects stored physically in a database, or raw, in data or storage services. You will learn how to use encryption and key management patterns to protect data at rest, and understand the threats related to data in transit and patterns for protecting data in transit. This chapter will discuss the importance of certificates and their use in protecting data in transit. This chapter also discusses how to protect data during processing, as well as services from the cloud that deliver stronger end-to-end data security in the cloud.

    Chapter 8, Shift Left Security for DevOps, discusses how to infuse security into a DevOps pipeline. Shifting security left, so that it is incorporated in the earliest stages of concept, development, and operations, is required to ensure an application runs safely in the cloud. Threat and vulnerability management are critical aspects of security and compliance programs. This chapter discusses patterns to identify vulnerabilities in cloud resources across infrastructure, middleware, and applications and how to remediate them. Configuration management is another important topic that covers how to manage and control configurations for cloud resources to enable security and facilitate the management of risk.

    Chapter 9, Manage Security Posture for Your Cloud Deployments, delves into Cloud Security Posture Management (CSPM), which helps to proactively monitor, track, and react to security violations. This chapter provides information on how to build end-to-end visibility and integration of security processes and tooling throughout an organization to get a security posture for cloud applications. A security and compliance posture provides a method to see controls in place against policies and their effectiveness. This chapter discusses how to prepare an enterprise to respond to large volumes of alerts and events related to cloud security. Given the use of multiple tools and a shortage of staff, enterprises need to adopt security orchestration, automation, and response to improve their effectiveness against security events.

    Chapter 10, Building Zero Trust Architecture with Hybrid Cloud Security Patterns, discusses reference architectures and patterns to implement the zero trust model. The principles for zero trust are also discussed in detail. This chapter explores the use cases requiring the zero trust model and how to leverage hybrid cloud security patterns to protect critical data using zero trust security practices.

    To get the most out of this book

    The book assumes you have basic knowledge of the cloud and its advantages. Knowledge of the different types of cloud, their deployment, and consumption models is a pre-requisite.

    The GitHub repository provides links with details on how to implement the patterns discussed in each chapter. Refer to the GitHub pages and follow the links to the tutorials and examples from the security services and solution providers listed there. If you are using the digital version of this book, we advise you to type the code yourself or access the reference links to example code from the book’s GitHub repository (a link is available in the next section). Doing so will help you avoid any potential errors related to the copying and pasting of code.

    Download the example code files

    You can download the example code files for this book from GitHub at https://github.com/PacktPublishing/Hybrid-Cloud-Security-Patterns. If there’s an update to the code, it will be updated in the GitHub repository.

    We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!

    Download the color images

    We also provide a PDF file that has color images of the screenshots and diagrams used in this book. You can download it here: https://packt.link/cbJMK.

    Conventions used

    There are a number of text conventions used throughout this book.

    Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: Mount the downloaded WebStorm-10*.dmg disk image file as another disk in your system.

    Bold: Indicates a new term, an important word, or words that you see on screen. For instance, words in menus or dialog boxes appear in bold. Here is an example: Select System info from the Administration panel.

    Tips or Important Notes

    Appear like this.

    Get in touch

    Feedback from our readers is always welcome.

    General feedback: If you have questions about any aspect of this book, email us at [email protected] and mention the book title in the subject of your message.

    Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata and fill in the form.

    Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

    If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

    Share Your Thoughts

    Once you’ve read Hybrid Cloud Security Patterns, we’d love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.

    Your review is important to us and the tech community and will help us make sure we’re delivering excellent quality content.

    Download a free PDF copy of this book

    Thanks for purchasing this book!

    Do you like to read on the go but are unable to carry your print books everywhere? Is your eBook purchase not compatible with the device of your choice?

    Don’t worry, now with every Packt book you get a DRM-free PDF version of that book at no cost.

    Read anywhere, any place, on any device. Search, copy, and paste code from your favorite technical books directly into your application.

    The perks don’t stop there: you can get exclusive access to discounts, newsletters, and great free content in your inbox daily.

    Follow these simple steps to get the benefits:

    Scan the QR code or visit the link below

    https://packt.link/free-ebook/9781803233581

    Submit your proof of purchase

    That’s it! We’ll send your free PDF and other benefits to your email directly.

    Part 1: Introduction to Cloud Security

    Security is the primary concern for enterprises adopting hybrid IT and multi-cloud technologies as they pursue application modernization. By taking a strategic approach to security, businesses can infuse security into various stages of their journey to the cloud. This part will discuss how enterprises are adopting hybrid cloud and the challenges with regard to securing their transition to the cloud.
