As the title states, this book is a practical guide to securing your cloud environments. In almost all organizations, security has to fight for time and funding, and it often takes a back seat to implementing features and functions. Focusing on the “best bang for the buck,” security-wise, is important.
This book is intended to help you get the most important security controls for your most important assets in place quickly and correctly, whether you’re a security professional who is somewhat new to the cloud, or an architect or developer with security responsibilities. From that solid base, you can continue to build and mature your controls.
While many of the security controls and principles are similar in cloud and on-premises environments, there are some important practical differences. For that reason, a few of the recommendations for practical cloud security may be surprising to those with an on-premises security background.
While there are certainly legitimate differences of opinion among security professionals in almost any area of information security, the recommendations in this book stem from years of experience in securing cloud environments, and they are informed by some of the latest developments in cloud computing offerings.
The first few chapters deal with understanding your responsibilities in the cloud and how they differ from in on-premises environments, as well as understanding what assets you have, what the most likely threats are to those assets, and some protections for them.
The next chapters of the book provide practical guidance, in priority order, of the most important security controls that you should consider first:
– Identity and access management
– Vulnerability management
– Network controls
The final chapter deals with how to detect when something’s wrong and deal with it. It’s a good idea to read this chapter before something actually goes wrong!
Do you need to get any certifications or attestations for your environment, like PCI certification or a SOC 2 report? If so, you’ll need to watch out for a few specific pitfalls, which will be noted.
You’ll also need to make sure you’re aware of any applicable regulations—for example, if you’re handling PHI (protected health information) in the United States, or if you’re handling personal information for EU citizens, regardless of where your application is hosted.