Index

As this ebook edition doesn't have fixed pagination, the page numbers below are hyperlinked for reference only, based on the printed edition of this book.

A

access-control list (ACL) 93, 130

access control pattern 66

context 66

issue 66

solution 66

access control pattern, solution

platform roles 69

policy 67

resource and resource groups 67, 68

service roles 69

user and user group 67

access delegation model (OAuth) 95, 96

Advanced Encryption Standard (AES) 160

Amazon Cognito 83, 96

URL 83, 96

Amazon Elastic Compute Cloud (Amazon EC2) 169

Amazon Virtual Private Cloud documentation

URL 131

Amazon Web Services (AWS) 11, 119

application

accessing, protected resource on cloud through gateway 86, 87

accessing, protected resource on cloud through service 87, 88

application access key/API key 58

context 58

issue 58

solution 58

application IAM 38

application identity and authorization

reference link 97

application layer 161

Application Load Balancer (ALB) 141

application modernization 13, 22

batch functions, modernizing in cloud 14

built-in intelligence 14

cloud-native applications 14

existing applications, migrating to cloud 14

existing applications, modernizing to cloud 14

runtimes 15

tools 15

application security domain 38

Architectural Patterns

reference link 39

artificial intelligence (AI) 15, 113

attribute-based access control (ABAC) 69, 93, 94

authentication pattern, for cloud application users

context 78

OIDC protocol 81, 82

problem 78

SAML protocol 80, 81

solution 79, 80

authentication patterns 56

application access key/API key 58

login, with user ID and credentials 57

multi-factor authentication 62

physical authentication pattern 65

single logout 63

SSH keys 59

SSO 61

authorization patterns 66

access control pattern 66

automation 20

Availability Zones (AZs) 129

AWS Certificate Manager (ACM) 166

AWS Direct Connect

URL 137

AWS Key Management Service (AWS KMS) 161

AWS Network Firewall 145

URL 145

AWS Security Finding Format (ASFF) 201

Azure Active Directory (Azure AD) 83, 97

URL 83, 97

Azure ExpressRoute

URL 137

Azure Security Benchmark (ASB) 201

Azure Virtual Network

URL 131

B

bare-metal servers

context 102, 103

issue 102

known uses 104

securing 102

solution 103, 104

basic input/output system (BIOS) 105

Bring Your Own Identity (BYOI) 78

Bring Your Own Key (BYOK) 38, 158

Broken Access Control 180

business owners 6

Business Process as a Service (BPaaS) 9

Business to Business (B2B) 18

Business to Consumer (B2C) 18

Business to Employee (B2E) 18

Business Unit Information Security Officer (BISO) 32

C

capital expenses (Capex) 12

central processing units (CPUs) 112

certificate 162

certificate authority (CA) 154

Chief Information Officer (CIO) 28, 32

Chief Information Security Officer (CISO) 32

client application

accessing, protected resource on cloud 86

client VPN 134

cloud 4

benefits 12

delivery models 10

evolution 4

to hybrid multi-cloud 11

Cloud Access Security Brokers (CASBs) 199

cloud administrator 7

cloud application authorization patterns

access delegation model (OAuth) 95, 96

attribute-based access control (ABAC) 93, 94

coarse-grained 90

context 90

discretionary access control (DAC) 92

fine-grained 90

issue 90

known uses 96, 97

mandatory access control (MAC) 91, 92

role-based access control (RBAC) 92, 93

solution 90, 91

task-based access control (TBAC) 94, 95

cloud computing

defining 4, 5

location-independent resource pooling 5

on-demand self-service 5

pay per use 6

rapid elasticity 5

ubiquitous network access 5

cloud deployment models 8, 9

Business Process as a Service (BPaaS) 9

Infrastructure as a Service (IaaS) 9

Platform as a Service (PaaS) 9

Software as a Service (SaaS) 9

cloud DevOps engineer 7

cloud IAM pattern

cloud service providers 73

cloud identity and access management (Cloud IAM) 38, 155

cloud identity pattern 51

context 51

issue 51

solution 51-53

cloud identity solution

benefits 51-53

cloud-native development

securing 23

cloud-native operations

securing 23

Cloud-Native Security Platform (CNSP) 202

cloud personas 6

business owners 6

cloud service consumer 7

cloud service creator/developer 7

cloud service provider 7

roles 6, 7

cloud provider-managed encryption 158

cloud security

domains 36

pattern-based approach, to address hybrid cloud security 39, 40

shared responsibility model 30

strategic approach 28, 29

cloud security, domains

application security 38

CSPM 39

data security 38

DevOps 39

IAM 37

infrastructure security 38

Cloud Security Posture Management (CSPM) 39

cloud security strategy

principles 29

cloud service providers (CSPs) 79, 104

cloud solution architect 7

cloud user 7

Cloud Workload Protection Platform (CWPP) 198

coexistence 19

Command-Line Tool (CLI) 58

confidentiality, integrity, and availability (CIA) 180

configuration management 24

container engine 114

containers

advantages 114

attacking, routes 115

context 113, 114

external attackers 114

internal attackers 115

issue 113

known uses 118

securing 113

securing, best practices 116

security process 117, 118

solution 116

continuous compliance 24

continuous delivery (CD) 20, 178

continuous integration (CI) 20, 178

continuous integration/continuous deployment (CI/CD) 36, 115

control groups (cgroups) 115

create, read, update, delete (CRUD) 90

cryptographic failure 180

CSPM patterns 194

context 194, 195

issues 194

known uses 201, 202

solution, to issues 195-200

customer experience

observability, leveraging 20

customer-managed encryption 157

customer-managed keys 158

Cyber Threat Intelligence (CTI) 200

D

data at rest patterns

context 153

issue 152

known uses 160, 161

protecting 152

solution 153-160

database layer 161

data classification

confidential 173

general 173

highly confidential 173

non-business 173

public 173

data classification and monitoring patterns

context 169

issue 169

known uses 172, 173

solution 170-172

data encryption key (DEK) 154, 161

data fabric

emergence 16, 17

data in motion 162

data integrity 151

data in transit patterns

context 162

issue 162

known uses 166, 167

protecting 162

solution 162-165

data in use

context 167

issue 167

known uses 169

protecting 167

solution 167, 168

Data Loss Prevention (DLP) 173

data modernization 15

data security 22, 38

data security patterns

availability 152

confidentiality 151

data classification 169

for protecting, data in transit 162

for protecting, data in use 167

integrity 151

monitoring 169

data tokenization 165

dedicated servers 102

defense in depth (DiD) 120

denial-of-service (DoS) attack 185

development-operations (DevOps) 19, 33, 39, 119

DevOps pipeline

security 23

DevSecOps pattern 182

context 183

need for 187, 188

problem 182

solution 183, 184

DevSecOps pipeline

deployable artefacts, securing 23

security testing tools, used to address issues in code 23

digital hybrid multi-cloud era

security 21

digital signatures (DSs) 105

digitization trends 13

discretionary access control (DAC) 69, 92

Distributed Denial of Service (DDoS) attacks 38, 138

dynamic security scanning tools 185

E

east-west traffic 126

enclaves 169

encryption at rest 161

Endpoint Detection and Response (EDR) 113, 198

enterprise integration 18

enterprise outbound model 199

envelope encryption pattern 154

event hubs 19

extended-validation (EV) certificates 163

F

Function as a Service (FaaS) 119

G

gateway appliances

URL 137

Google Authenticator 63

Google Cloud

URL 137

Google Cloud Platform (GCP) 11

Google Cloud Threat Intelligence (GCTI) 202

Google Front End (GFE) 166

Google Identity Services (GIS) 83

URL 83

Google Kubernetes Engine (GKE) 131

governance and administration patterns 69

context 70

identity 70

issue 70

known uses 73

solution 71, 72

Governance, Risk, and Compliance (GRC) 28, 36

H

hardware security modules (HSMs) 105, 154

high availability (HA) 122

highly confidential information (HCI) 170

HTTPS 162

hybrid cloud 11

hybrid cloud security

pattern-based approach 39, 40

hybrid cloud security patterns

using, for Zero Trust 210, 211

hybrid multi-cloud 11

pipelines, building 20, 21

hyperjacking 108

HyperText Transfer Protocol (HTTP) 162

hypervisor 107, 161

context 107, 109

issue 106

known uses 110

securing 106

solution 109

types 107

vulnerability and security threats 108

hypervisor management vulnerability 108

I

IAM patterns

authentication patterns 56

authorization patterns 66

governance and administration patterns 69, 70

user management patterns 46, 47

IBM 11

IBM Cloud App ID 83

URL 83

IBM Cloud Direct Link

URL 137

IBM Cloud Hyper Protect Crypto Services

URL 161

Identification and Authentication Failures 181

identifiers (IDs) 106

Identity and Access Management (IAM) 22, 37, 45, 122

patterns 46

Identity as a Service (IDaaS) 51

identity federation 50

identity federation pattern 49

context 49

issue 49

solution 50

identity management (IdM) 81

Identity Provider (IdP) 50, 78

identity SP (IDSP) 82

Infrastructure as a Service (IaaS) model 9, 31

infrastructure security domain 38

injection 180

Insecure Design 180

insider threats 207

Integrated Development Environment (IDE) 23

integrated security 24

integration modernization

coexistence, supporting 18

interoperability, supporting 18

Intel® Trusted Execution Technology (Intel TXT) 106

intelligent workflows, for cognitive enterprise 19

International Standards Organization/International Electrotechnical Commission (ISO/IEC) 106

internet gateway 130

Internet of Things (IoT) 143, 179

Internet of Things (IoT)-enabled services 163

interoperability 19

intrusion detection systems (IDSs) 109, 140

intrusion prevention systems (IPSs) 140

J

JavaScript Object Notation (JSON) 82

JSON Web Token (JWT) 82, 180

just in time (JIT) 78

K

Keep Your Own Key (KYOK) 38, 160

key-encryption key (KEK) 155, 161

key management service (KMS) 154

L

Lightweight Directory Access Protocol (LDAP) 50

Linux Security Modules (LSMs) 115

M

mandatory access control (MAC) 69, 91, 92

man-in-the-middle (MITM) attacks 90

message authentication code (MAC) 163

Microsoft (Azure) 11

multi-cloud 11

multi-factor authentication (MFA) 55, 62, 83, 209

context 62, 63

factors 63

issue 62

Mutual Transport Layer Security (mTLS) 89

N

NAT gateway 130

National Institute of Standards and Technology (NIST) 5

Network Address Translation (NAT) 130

network isolation patterns

context 126, 127

issue 126

known uses 131

solution 127-131

network protection

context 138

issue 138

known uses 145

solution 138-145

non-disclosure agreement (NDA) 171

north-south traffic 126

O

observability

leveraging, for customer experience 20

One-Time Password (OTP) 63

Open Authorization (OAuth) 81

Open Container Initiative (OCI) 115

Open Cyber Security Alliance

URL 24

OpenID Connect (OIDC) 50, 80-82

OpenShift Compliance Operator (OSCO) 201

Open Web Application Security Project® (OWASP) 23, 185

optimization, of operations 20

OS layer 161

P

payment card industry (PCI) 170

Personal Identification Number (PIN) 63

personally identifiable information (PII) 32, 167, 178

physical authentication pattern 65

context 65

issue 65

solution 65, 66

pipeline

building, for hybrid multi-cloud 20, 21

Platform as a Service (PaaS) model 9, 31, 32

Policy Administration Point (PAP) 209

Policy Decision Point (PDP) 209

Policy Enforcement Point (PEP) 209

private cloud 11

Privilege Access Management (PAM) 72

public cloud 11

R

RACI model 33, 34

activity-centric 34, 36

resource-centric 34

random-access memory (RAM) 112

region 129

registration pattern 47

context 48

issue 47

solution 48, 49

relying party (RP) 96

REpresentational State Transfer (REST) 81

Request for Comments (RFC) 82

responsibility assignment matrix

reference link 33

role-based access control (RBAC) 69, 92, 93

S

sample pattern template 40

secure cryptoprocessor

reference link 106

secure engineering 178

context 178

need for 182

problem 178

solution 178-182

secure naming 166

secure network connectivity

context 132

issue 132

known uses 137

solution 132-136

Secure Sockets Layer (SSL) 162

security 21, 22

configuration management 24

DevOps pipeline 23

for coexistence 22

for integration 22

for interoperability 22

zero-trust architecture 24

security and compliance focal 8

Security Assertion Markup Language (SAML) 50, 80, 81

reference link 81

security configuration management 187

security focal 33

security group 130

Security Information and Event Management (SIEM) 22, 72, 198

Security Logging and Monitoring Failures 181

Security Misconfiguration 180

Security Orchestration, Automation, and Response (SOAR) 24, 39, 199

Separation of Duties (SoD) 71

server hardening 103

serverless function

context 119, 120

implementations, securing 119

issue 119

known uses 122

securing, challenges 120

securing, elements 121

solution 120

Server-Side Request Forgery (SSRF) 181

service accounts 54

context 55

issue 54

solution 55

service ID (SID) 84

Service Level Agreements (SLAs) 12

service mesh pattern 88, 89

merits 89, 90

service provider (SP) 80

Service Reliability Engineer (SRE) 7

service-to-service authentication

context 83, 84

issue 83

known uses 90

solution 84, 85

shared responsibility model 30, 32-36

IaaS model 31

PaaS model 31, 32

SaaS model 32

shift-left security 177

single logout (SLO) pattern 63

context 63

issue 63

solution 64

single sign-on (SSO) 50, 61, 80

context 61

issue 61

solution 61, 62

Site Reliability Engineer (SRE) 33

sniffing attack 108

Software and Data Integrity Failures 181

Software as a Service (SaaS) model 9, 32

Software Composition Analysis (SCA) tool 187

Software Development Kit (SDK) 96

solution, DevSecOps pattern

dynamic security scanning tools 185

runtime analysis and code coverage tools 185

security configuration management 187

source and byte code scanning tools 185

vulnerability management 185, 186

source and byte code scanning tools 185

spoofing attack 108

SSH keys 55, 59

context 59

issue 59

solution 60

storage layer 161

Structured Threat Information Expression (STIX™) 200

System of Records (SoRs) 15

T

task-based access control (TBAC) 94, 95

threat modeling 178

time-based one-time-passwords (TOTPs) 63

Total Cost of Ownership (TCO) 15

Transport Layer Security (TLS) 162

Trusted Automated Exchange of Intelligence Information (TAXII™) 200

trusted compute pattern

context 104

issue 104

known uses 106

solution 105

Trusted Computing Group (TCG) 105

trusted computing (TC) 105

Trusted Platform Module (TPM) 105, 106

reference link 106

U

unencrypted data 158

Unified Extensible Firmware Interface (UEFI) 106

Uniform Resource Locator (URL) 84

user de-provisioning 55

context 55

issue 55

solution 56

user group management patterns 53

context 53

issue 53

solution 54

user ID and password

context 57

issue 57

solution 58

user identifier (UID) 78

user management patterns 46, 47

cloud identity pattern 51

identity federation pattern 49

registration pattern 47

service accounts 54

user de-provisioning 55

user group management patterns 53

V

virtual local area networks (VLANs) 127

virtual machines (VMs) 131

attacks 111

context 110

known uses 113

protecting 110

solution 111-113

Virtual Private Cloud (VPC) 128

URL 131

Virtual Private Network (VPN) 134

virtual trusted platform module (vTPM) 106

VM escaping 108

VM manager 107

VM sprawl 109

VM theft 108

vSphere Security Configuration Guide (SCG) 110

vulnerability management 185, 186

Vulnerable and Outdated Components 180

W

web application firewall (WAF) 142

Web Services Federation 83

Z

Zero Trust network security model 143

Zero Trust pattern 205

context 206-208

hybrid cloud security patterns, using 210, 211

implementation requirements 208

problem 206

solution 208

uses 212-214

Zero Trust pattern, principles

assume breach 208

enable least privilege 208

never trust, always verify 208

zero trust security model 24
