Securing Cloud Containers: Building and Running Secure Cloud-Native Applications

Securing Cloud Containers: Building and Running Secure Cloud-Native Applications (Paperback)

Abbas Kudrati, Sina Manavi, Aizuddin Zali (authors)
John Wiley & Sons
117,240 won


Book information

· Title: Securing Cloud Containers: Building and Running Secure Cloud-Native Applications (Paperback)
· Category: Foreign books > Computers > Networking > General
· ISBN: 9781394333738
· Pages: 352
· Publication date: 2025-08-12

Table of contents

Foreword xxv

Introduction xxvii

Chapter 1 Introduction to Cloud-Based Containers 1

Cloud Cafe Story 1

The Story Continues: The Cafe’s Expansion 2

The Cloud Kitchen Model 3

Making Cloud Kitchen a Success 3

How Containers Changed the Whole Game Plan 3

The New Hub of HiTechville 4

The Evolution of Cloud Infrastructure 4

The Era of Mainframes 4

The Rise of Virtualization 4

The Emergence of Cloud Services 5

The Shift to Containers 5

Introduction to Containers in Cloud Computing 6

The Role of Containers in Modern Cloud Computing 6

Virtual Machines Versus Containers in Cloud Environments 6

Benefits of Using Containers in Cloud 7

Popular Cloud Container Technologies 8

Overview of Cloud-Native Ecosystem for Containers 11

Summary 12

Chapter 2 Cloud-Native Kubernetes: Azure, GCP, and AWS 13

What Is Kubernetes? 15

Managed Kubernetes Services 17

Microsoft Azure Kubernetes Services 17

Google Kubernetes Engine 18

Amazon Elastic Kubernetes Service 19

Azure-, GCP-, and AWS-Managed Kubernetes Service Assessment Criteria 21

Azure, GCP, and AWS Cloud-Native Container Management Services 23

Summary 23

Chapter 3 Understanding the Threats Against Cloud-Based Containerized Environments 25

Initial Stage of Threat Modeling 25

The MITRE ATT&CK Framework 26

Threat Vectors 27

Tactic and Techniques in MITRE ATT&CK 27

Cloud Threat Modeling Using MITRE ATT&CK 31

Cloud Container Threat Modeling 37

Foundations of Cloud Container Threat Modeling 37

Kubernetes Control Plane: Securing the Orchestration Core 37

Worker Nodes: Securing the Execution Environment 38

Cluster Networking: Defending the Communication Fabric 39

Workloads: Hardening Containers and Application Logic 40

IAM: Enforcing Granular Access Across Layers 41

Persistent Storage: Securing Data at Rest 42

CI/CD Pipeline Security: Defending the DevOps Chain 42

Log Monitoring and Visibility: Detecting What Matters 43

Resource Abuse and Resiliency: Planning for the Worst 44

Resource Abuse: Unauthorized Exploitation of Cloud Resources 44

Resiliency and Business Continuity Planning in Kubernetes 46

Compliance and Governance 47

Summary 48

Chapter 4 Secure Cloud Container Platform and Container Runtime 49

Introduction to Cloud-Specific OS and Container Security 49

Cloud-Specific OS: A Shifting Paradigm How OS Should Work 50

Container Security Architecture 51

Host OS Hardening for Container Environments 53

Leverage Container-Optimized OSs 53

Establish and Maintain Secure Configuration Baselines 54

Implement Robust Access Controls and Authentication 55

Apply Timely Security Updates and Patches 55

Implement Host-Based Security Controls 56

Container Runtime Hardening 56

Minimal Container Images 56

Multistage Build 57

Drop Unnecessary Capabilities 57

Implement Seccomp Profiles 58

Resource Controls 59

Use Memory and CPU Limits 60

Process and File Restrictions 60

Logging and Monitoring 61

Regular Security Updates 62

Network Security 62

Implementing Kubernetes Network Policies (netpol) 64

Leveraging Service Mesh for Advanced Secure Communication 64

Leveraging Cloud Network Security Groups 66

Linux Kernel Security Feature for the Container Platform 67

Linux Namespaces, Control Groups, and Capabilities 68

OS-Specific Security Capabilities (SELinux, AppArmor) 69

Security Best Practices in Cloud Container Stack 70

Least Privilege (RBAC) and Resource Limitation for Azure, GCP, AWS 71

Scanning and Verifying Images Using Cloud Services 72

Compliance and Governance in Cloud Environments 73

Meeting Regulatory Compliance (PCI-DSS, HIPAA) for Containerized Workload 73

Tools to Help Meet Compliance 76

Cloud-Native Security Benchmarks and Certifications 76

Future Trends and Emerging Standards in Cloud-Native Security 78

AI and Machine Learning Security Standards 79

Automated Compliance and Continuous Assessment 79

Summary 81

Chapter 5 Secure Application Container Security in the Cloud 83

Securing Containerized Applications in Cloud Container Platforms 83

Shared Responsibility Model 84

Image Security 84

Network Security 85

Threat Intelligence for Cloud-Native Containers 87

CI/CD Security in Cloud-Based Container Pipelines 90

Shifting Left and Managing Privileges in Azure DevOps, Google Cloud Build, and AWS CodePipeline 91

Azure DevOps 91

Google Cloud Build 92

AWS CodePipeline 93

Penetration Testing for Cloud-Based Containers 94

Supply Chain Risks and Best Practices in the Cloud 95

Securing Container Registries in the Cloud (ACR, ECR, GCR) 97

Image Signing and Verification in Cloud Platforms 98

Role-Based Access Control in Cloud Supply Chains 99

Summary 101

Chapter 6 Secure Monitoring in Cloud-Based Containers 103

Introduction to Secure Container Monitoring 103

Key Monitoring Enablement Business Goals 104

Enabling Cost Efficiency 104

Supporting Compliance and Audit Readiness 104

Enhancing Incident Response 105

Ensuring High Availability 106

Continuous Risk Identification and Remediation 106

Driving Strategic Decision-Making 108

Challenges in Monitoring Cloud-Based Containers 108

Ephemeral Workloads 108

Distributed Architectures 109

Data Volume and Noise 109

Security Considerations in Container Monitoring 110

Observability in Multitenancy 111

Integration with Modern DevOps and SecOps Toolchains 111

Lack of Standardization 112

Advanced Analytics and Predictive Insights 112

Comprehensive Monitoring and Security Architecture for Containerized Workloads 112

Comprehensive Visibility Across Layers 115

Container-Level Monitoring: Runtime Security and Observability 116

Kubernetes Control Plane Monitoring: Orchestration Platform Security 118

Infrastructure Monitoring: Host and Cloud Environment Security 119

Threat Intelligence Integration: Enriched Detection and Proactive Defense 120

Automated Detection and Response 120

Application Performance Monitoring and Security 121

Compliance and Regulatory Adherence 122

Proactive Threat Detection: MITRE ATT&CK Operationalization 123

Enhancing Modern Capabilities with Advanced Techniques 123

Toward a Secure and Resilient Cloud-Native Future 127

Summary 127

Chapter 7 Kubernetes Orchestration Security 129

Cloud-Specific Kubernetes Architecture Security 130

Control Plane Security 130

Worker Node Security 131

Shared Security Responsibilities 133

Securing the Kubernetes API in Azure, GCP, and AWS 134

Securing AKS API 134

Securing GKE API 135

Securing EKS API 135

Best Practices for Securing the Kubernetes API 136

Audit Logging and Policy Engine in Cloud Platform 137

Implementation Strategies 137

Policy Engine 138

Integration and Operational Considerations 138

AKS Policy Implementation 139

GKE Policy Controls 139

EKS Policy Framework 140

Cross-Platform Policy Considerations 140

Advanced Policy Patterns 141

Audit Logging 141

AKS Audit Logging 142

GKE Audit Logging 142

EKS Audit Logging 143

Cross-Platform Audit Logging Strategies 143

Advanced Audit Logging Patterns 144

Security Policies and Resource Management for Cloud-Based Kubernetes 144

Network Policies and Admission Controllers in Cloud 145

Azure Policy Implementation 145

Google Kubernetes Engine Policy Control 146

AWS Network Policy Implementation 147

Network Policy Implementation 147

Advanced Implementation Strategies 148

Summary 148

Chapter 8 Zero Trust Model for Cloud Container Security 149

Zero Trust Concept and Core Principles 150

Core Principles of Zero Trust Architecture 151

Implementing Zero Trust in Cloud-Based Containers 153

IAM in Zero Trust 153

Network Segmentation and Micro-Segmentation in Cloud Containers 154

Network Segmentation 154

Micro-Segmentation 155

Continuous Monitoring and Risk-Based Access Decisions in Cloud 155

End-to-End Encryption and Data Security in Cloud Containers 156

Zero Trust in Kubernetes Security 157

Enforcing Kubernetes Security Policies with Zero Trust Principles 157

Zero Trust for Service Meshes (Istio, Linkerd) in Cloud-Based Kubernetes 158

Secure Access to Cloud-Based Kubernetes Control Planes 160

The Importance of Secure Access 160

Securing with Private Azure Kubernetes Service Cluster 161

Implementing Zero Trust for Multicloud Container Environments 163

Zero Trust Framework in Multicloud 163

Case Study: Applying Zero Trust in Cloud Container Workloads for a Banking Customer 165

Summary 166

Chapter 9 DevSecOps in Cloud-Based Container Platform 169

DevOps to DevSecOps in Azure, GCP, and AWS 170

Integrating Security into Cloud CI/CD Pipelines 172

SAST and Dependency Analysis in Cloud Environments 175

Infrastructure as Code Security for Cloud 177

Secrets Management in Cloud-Native DevSecOps 178

Continuous Monitoring and Alerts in Cloud-Based DevSecOps 180

Cloud-Based DevSecOps Tools and Frameworks 183

Azure DevOps 183

Google Cloud Build 183

AWS CodePipeline 184

Cross-Platform DevSecOps Frameworks 184

Selecting Cloud-Based DevSecOps Tools and Frameworks 185

Summary 185

Chapter 10 Application Modernization with Cloud Containers 187

Analyzing Legacy Architectures 188

Microservices Transformation in Practice 188

Adopting an API-First Strategy 191

Containerization and Orchestration 191

Cloud Migration and Modernization Approaches 192

Implementing Security Development Operation Practices 192

Microservices Architecture 195

Netflix’s Journey to Microservices 195

Security Challenges in Microservices-Based Applications 197

Kubernetes and Service Mesh for Microservices 197

Implementing Zero Trust Security in Microservices 198

Securing APIs in Cloud-Native Microservices 199

Securing APIs in Cloud-Native Microservices 199

API Security Challenges in Cloud-Native Environments 200

API Gateway Solutions in Each Cloud Provider 200

Best Practices for API Security and Rate Limiting 201

Security Design Principles for Cloud-Native Apps 202

The 12-Factor App as a Cloud-Native Development Guiding Principle 203

Runtime Protection and CNAPP Integration 204

Application Modernization and Resiliency 205

Summary 205

Chapter 11 Compliance and Governance in Cloud-Based Containers 207

Understanding the Key Compliance and Governance in Containerized Environments 208

General Data Protection Regulation (GDPR) 208

Health Insurance Portability and Accountability Act (HIPAA) 208

Payment Card Industry Data Security Standard (PCI-DSS) 209

System and Organization Controls (SOC 2) 209

NIST SP 800-190: Application Container Security Guide 209

ISO/IEC 27000 Series 210

ISO/IEC 27001 210

ISO/IEC 27017 210

ISO/IEC 27018 211

CIS Kubernetes Benchmark (General) 211

CIS AKS Benchmark (Azure Kubernetes Service) 211

CIS GKE Benchmark (Google Kubernetes Engine) 212

CIS EKS Benchmark (Amazon Elastic Kubernetes Service) 212

A Comparison of the Key Compliance Standards and Regulations 212

How to Achieve Container Compliance and Governance for AKS, GKE, and EKS 214

Identity and Access Management (IAM) 214

Authentication and Authorization 215

Data Encryption (at Rest and in Transit) 216

Logging and Monitoring 218

Vulnerability Management 219

Network Security 220

Policy and Governance 221

Incident Response 222

Data Residency and Privacy 223

Supply Chain Security 224

Continuous Compliance and Automation 226

Container-Specific Best Practices 227

Compliance Dashboard 228

Summary 228

Chapter 12 Case Studies and Real-World Examples in Cloud Container Security 231

Case Study 1: Netflix’s Adoption of Cloud Containers Security 232

Case Study 2: Capital One’s Adoption of Zero Trust Security for Cloud Containers 235

Case Study 3: PayPal’s Adoption of Zero Trust Security for Cloud Containers 238

Case Study 4: Uber’s Cloud Container Security Implementation 241

Summary 245

Chapter 13 The Future of Cloud-Based Container Security 247

The Rise of Advanced Container Orchestration 247

Zero Trust and Container Security 248

Enhanced Runtime Security and AI Integration 249

Evolution of Container Image Security 249

Container Security as Code 249

Shift-Left Security Paradigm 251

Serverless Containers and Security Implications 251

Compliance and Regulatory Frameworks 252

Blockchain and Container Provenance 252

Increased Visibility and Observability 253

Quantum Computing and Container Security 253

Community-Driven Security Standards 253

Business Impact of Container Security Failures 254

Organizational Maturity and Operating Models for Container Security 254

Talent and Skills Gap in Container Security 255

Global Regulations and Data Sovereignty Impact 256

Integration with Enterprise Security Ecosystem 256

Future Predictions: Autonomous Container Security 256

Summary 257

Chapter 14 Security Automation and AI in Cloud Container Security 259

Threat Landscape in Container Environments 260

Foundations of Security Automation in Container Platforms 260

Integrating AI and Machine Learning for Proactive Defense 261

Security Orchestration, Automation, and Response in Cloud-Based Containers 261

Microsoft Azure Kubernetes Service Integration with SOAR 262

Google Kubernetes Engine Integration with SOAR 263

Amazon Elastic Kubernetes Service Integration with SOAR 263

Enhancing Container Threat Intelligence Feeds with Cloud-Based AI 264

Azure Kubernetes Service: Proactive Defense with AI-Enhanced Threat Intelligence 265

Google Kubernetes Engine: Threat Intelligence Amplified with Chronicle and AI Correlation 265

Amazon EKS: Scaling AI-Driven Threat Intelligence in Hyper-Scale Environments 266

Challenges and Considerations 267

Ensuring Explainability and Trust in AI Decisions 269

Addressing the Skills Gap in AI and Automation 269

Best Practices and Automation Strategies 270

The Road Ahead: Future of AI and Automation in Container Security 272

Strategic Roadmap for Decision-Makers 273

Summary 274

Chapter 15 Cloud Container Platform Resiliency 275

High Availability and Fault Tolerance in Cloud Container Platforms 276

Disaster Recovery Strategies for Cloud Container Platform 277

Core Components of Modern DR Architecture 278

Implementation Strategies and Best Practices 278

Advanced Topics in Container DR 279

Operational Considerations and Maintenance 279

Future Planning 280

Security and Compliance in DR Strategies 280

Resiliency in Multicloud Container Platform Environments 281

Architectural Foundations 282

Data Management and Persistence 283

Platform Operations and Management 283

Security and Compliance 283

Cost Management and Resource Optimization 284

Disaster Recovery and Business Continuity 284

Monitoring and Testing Container Resiliency 285

Summary 287

Appendix A Glossary of Cloud and Container Security Terms 289

Appendix B Resources for Further Reading on Cloud-Based Containers 299

Foundational Concepts and Containerization Basics 299

Cloud-Specific Container Services 300

Advanced Container Management and Orchestration 301

Books and Articles 302

Online Courses and Tutorials 302

Security Resources 303

Appendix C Cloud-Specific Tools and Platforms for Container Security 305

Microsoft Azure Container Security Tools 305

Amazon Web Services (AWS) Container Security Tools 306

Google Cloud Platform (GCP) Container Security Tools 308

Multicloud and Open-Source Container Security Tools 309

Index 311

About the authors

Sina Manavi (author)
Aizuddin Zali (author)
Book database provided by: Aladin Bookstore (www.aladin.co.kr)