实战云安全：设计与部署指南

需积分: 9 97 浏览量更新于2024-07-17 收藏 6.6MB PDF 举报

"Practical Cloud Security - A Guide for Secure Design and Deployment" 本书《实用云安全》是一本关于如何保障云环境安全的实战指南。在许多组织中，安全常常需要与功能开发争夺时间和资金，往往处于次要地位。作者Chris Dotson强调了在有限的资源下，从安全角度寻找“性价比最高”的策略至关重要。云安全是一个复杂且日益重要的领域，随着企业越来越多地将数据和应用程序迁移到云端，确保这些资源的安全变得越来越关键。本书旨在帮助读者理解并实施有效的云安全措施，以保护组织免受潜在威胁。书中可能涵盖了以下几个主要知识点： 1. **云安全基础**：介绍云安全的基本概念，包括公有云、私有云和混合云的安全特性，以及云计算中的责任分担模型，帮助读者了解在云环境中谁负责哪部分的安全。 2. **风险评估与管理**：讨论如何识别和评估云环境中的安全风险，包括数据泄露、身份验证和授权问题、网络攻击等，并提供风险管理策略。 3. **安全设计原则**：阐述在设计云架构时应遵循的安全原则，如最小权限原则、加密、多因素认证等，以增强系统的安全性。 4. **云服务安全配置**：详细讲解如何正确配置云服务以降低安全漏洞，包括防火墙设置、存储加密、访问控制列表等。 5. **监控与日志管理**：探讨如何实施持续监控和有效日志管理，以便及时发现并应对安全事件。 6. **灾难恢复与业务连续性**：介绍如何规划和执行灾难恢复计划，以确保业务在遭受攻击或故障后能够迅速恢复。 7. **合规性与法规遵从**：讨论云环境下的合规性要求，如GDPR、HIPAA等，以及如何满足这些法规标准。 8. **安全自动化**：介绍如何利用自动化工具和流程来提升云安全，如自动化安全扫描、安全配置管理等。 9. **最佳实践案例**：提供实际案例研究，展示如何应用上述理论和方法解决实际问题，提升云环境的安全性。 10. **持续更新与改进**：强调在云环境中，安全是持续的过程，需要定期审查和更新策略以适应新的威胁和挑战。这本书对于IT管理员、安全专业人员、DevOps团队以及任何关心云安全的人来说都是一份宝贵的资源。通过深入学习和实践，读者将能够构建更加坚固的云安全防护体系。

2 I recommend reat Modeling: Designing for Security, by Adam Shostack (Wiley).

To borrow a technique from the world of user experience design, you may want to

imagine a member of each applicable group, give them a name, jot down a little about

that “persona” on a card, and keep the cards visible when designing your defenses.

The second thing you have to do is figure out what needs to talk to what in your

application, and the easiest way to do that is to draw a picture and figure out where

your weak spots are likely to be. There are entire books on how to do this,

but you

don’t need to be an expert to draw something useful enough to help you make deci‐

sions. However, if you are in a high-risk environment, you should probably create

formal diagrams with a suitable tool rather than draw stick figures.

Although there are many different application architectures, for the sample applica‐

tion used for illustration here, I will show a simple three-tier design. Here is what I

recommend:

1. Draw a stick figure and label it “user.” Draw another stick figure and label it

“administrator” (Figure 1-1). You may find later that you have multiple types of

users and administrators, or other roles, but this is a good start.

Figure 1-1. User and administrator roles

2. Draw a box for the first component the user talks to (for example, the web

servers), draw a line from the user to that first component, and label the line with

how the user talks to that component (Figure 1-2). Note that at this point, the

component may be a serverless function, a container, a virtual machine, or some‐

thing else. This will let anyone talk to it, so it will probably be the first thing to go.

We really don’t want the other components trusting this one more than neces‐

sary.

Threat Actors, Diagrams, and Trust Boundaries | 3

3 Original concept from an article by Albert Barron.

Perhaps one of the most jarring changes when moving from an on-premises environ‐

ment to a cloud environment is a more complicated shared responsibility model for

security. In an on-premises environment, you may have had some sort of internal

document of understanding or contract with IT or some other department that ran

servers for you. However, in many cases business users of IT were used to handing

the requirements or code to an internal provider and having everything else done for

them, particularly in the realm of security.

Even if you’ve been operating in a cloud environment for a while, you may not have

stopped to think about where the cloud provider’s responsibility ends and where

yours begins. This line of demarcation is different depending on the types of cloud

service you’re purchasing. Almost all cloud providers address this in some way in

their documentation and education, but the best way to explain it is to use the anal‐

ogy of eating pizza.

With Pizza-as-a-Service,

you’re hungry for pizza. There are a lot of choices! You

could just make a pizza at home, although you’d need to have quite a few ingredients

and it would take a while. You could run up to the grocery store and grab a take-and-

bake; that only requires you to have an oven and a place to eat it. You could call your

favorite pizza delivery place. Or, you could just go sit down at a restaurant and order

a pizza. If we draw a diagram of the various components and who’s responsible for

them, we get something like Figure 1-7.

The traditional on-premises world is like making a pizza at home. You have to buy a

lot of different components and put them together yourself, but you get complete

flexibility. Anchovies and cinnamon on wheat crust? If you can stomach it, you can

make it.

When you use Infrastructure as a Service, though, the base layer is already done for

you. You can bake it to taste and add a salad and drinks, and you’re responsible for

those things. When you move up to Platform as a Service, even more decisions are

already made for you, and you just use that service as part of developing your overall

solution. (As mentioned in the previous section, sometimes it can be difficult to cate‐

gorize a service as IaaS or PaaS, and they’re growing together in many cases. The

exact classification isn’t important; what’s important is that you understand what the

service provides and what your responsibilities are.)

When you get to Software as a Service (compared to dining out in Figure 1-7), it

seems like everything is done for you. It’s not, though. You still have a responsibility

to eat safely, and the restaurant is not responsible if you choke on your food. In the

SaaS world, this largely comes down to managing access control properly.

The Cloud Shared Responsibility Model | 7

剩余194页未读，继续阅读

NickMouseLao

粉丝: 0
资源: 12

实战云安全：设计与部署指南

Enterprise Cloud Security and Governance-Packt Publishing(2017).epub

Practical.Information.Security.Management

信息安全_数据安全_Alibaba_Cloud_Security：practical.pdf

SpringCloudStudy-Practical:SpringCloud实战学习,本项目是SpringCloud实战学习，集成了eureka、fegin、zuul、分布式事务tx-lcn、swagger、Spring Security、SpringBoot Admin、Oauth2（redis和mysql两种存储方式）、SpringCloud Config、SpringCloud Bus

信息安全_数据安全_Practical_Approaches_to_Cloud_Na.pdf

OpenStack Cloud Computing Cookbook

Practical Data Science with Python3

Practical API Architecture and Development with Azure and AWS

Personal.Cybersecurity.epub

Cloud Native Python_Packt Publishing(2017).pdf

最新资源