Description

A hands-on roadmap to securing AWS, GCP, and Azure cloud containers

In Securing Cloud Containers: Building and Running Secure Cloud-Native Applications, a team of cloud security experts delivers a hands-on guide to securing containerized applications and cloud infrastructure, including Kubernetes. The book offers solutions to the most common obstacles and challenges faced by security professionals, DevOps engineers, and IT architects developing cloud applications.

You'll find step-by-step instructions you can apply immediately to develop secure containers alongside real-world examples of secure, cloud-native applications. The authors provide an accessible introduction to containers and Kubernetes and explain the architecture of containerized applications, best practices for container security, security automation tools, and cloud security AI techniques.

Securing Cloud Containers offers in-depth discussions of Zero Trust cloud models, walkthroughs of platform-specific tools for Azure, AWS, and GCP, and up-to-date introductions to SecDevOps in cloud-based containers, including frameworks for each of the three major cloud platforms. It's an invaluable and practical resource for IT system administrators, cloud engineers, cybersecurity and SecDevOps professionals, and other IT and security practitioners looking for an accurate cloud container roadmap that explains the "how" and the "why" of container security on AWS, GCP, and Azure.

About the Authors

SINA MANAVI is the Global Head of Cloud Security and Compliance at DHL IT Services.

ABBAS KUDRATI is Asia's Chief Identity Security Advisor at Silverfort. He is a former Chief Cybersecurity Advisor at Microsoft Asia and a Professor of Practice in Cybersecurity at LaTrobe University, Australia.

MUHAMMAD AIZUDDIN ZALI is a principal architect and team manager at DHL ITS in the Secure Public Cloud Services - Container & Kafka Platform team.

Table of Contents

Foreword xxv

Introduction xxvii

Chapter 1 Introduction to Cloud-Based Containers 1

Cloud Café Story 1

The Story Continues: The Café's Expansion 2

The Cloud Kitchen Model 3

Making Cloud Kitchen a Success 3

How Containers Changed the Whole Game Plan 3

The New Hub of HiTechville 4

The Evolution of Cloud Infrastructure 4

The Era of Mainframes 4

The Rise of Virtualization 4

The Emergence of Cloud Services 5

The Shift to Containers 5

Introduction to Containers in Cloud Computing 6

The Role of Containers in Modern Cloud Computing 6

Virtual Machines Versus Containers in Cloud Environments 6

Benefits of Using Containers in Cloud 7

Popular Cloud Container Technologies 8

Overview of Cloud-Native Ecosystem for Containers 11

Summary 12

Chapter 2 Cloud-Native Kubernetes: Azure, GCP, and AWS 13

What Is Kubernetes? 15

Managed Kubernetes Services 17

Microsoft Azure Kubernetes Services 17

Google Kubernetes Engine 18

Amazon Elastic Kubernetes Service 19

Azure-, GCP-, and AWS-Managed Kubernetes Service Assessment Criteria 21

Azure, GCP, and AWS Cloud-Native Container Management Services 23

Summary 23

Chapter 3 Understanding the Threats Against Cloud-Based Containerized Environments 25

Initial Stage of Threat Modeling 25

The MITRE ATT&CK Framework 26

Threat Vectors 27

Tactic and Techniques in MITRE ATT&CK 27

Cloud Threat Modeling Using MITRE ATT&CK 31

Cloud Container Threat Modeling 37

Foundations of Cloud Container Threat Modeling 37

Kubernetes Control Plane: Securing the Orchestration Core 37

Worker Nodes: Securing the Execution Environment 38

Cluster Networking: Defending the Communication Fabric 39

Workloads: Hardening Containers and Application Logic 40

IAM: Enforcing Granular Access Across Layers 41

Persistent Storage: Securing Data at Rest 42

CI/CD Pipeline Security: Defending the DevOps Chain 42

Log Monitoring and Visibility: Detecting What Matters 43

Resource Abuse and Resiliency: Planning for the Worst 44

Resource Abuse: Unauthorized Exploitation of Cloud Resources 44

Resiliency and Business Continuity Planning in Kubernetes 46

Compliance and Governance 47

Summary 48

Chapter 4 Secure Cloud Container Platform and Container Runtime 49

Introduction to Cloud-Specific OS and Container Security 49

Cloud-Specific OS: A Shifting Paradigm How OS Should Work 50

Container Security Architecture 51

Host OS Hardening for Container Environments 53

Leverage Container-Optimized OSs 53

Establish and Maintain Secure Configuration Baselines 54

Implement Robust Access Controls and Authentication 55

Apply Timely Security Updates and Patches 55

Implement Host-Based Security Controls 56

Container Runtime Hardening 56

Minimal Container Images 56

Multistage Build 57

Drop Unnecessary Capabilities 57

Implement Seccomp Profiles 58

Resource Controls 59

Use Memory and CPU Limits 60

Process and File Restrictions 60

Logging and Monitoring 61

Regular Security Updates 62

Network Security 62

Implementing Kubernetes Network Policies (netpol) 64

Leveraging Service Mesh for Advanced Secure Communication 64

Leveraging Cloud Network Security Groups 66

Linux Kernel Security Feature for the Container Platform 67

Linux Namespaces, Control Groups, and Capabilities 68

OS-Specific Security Capabilities (SELinux, AppArmor) 69

Security Best Practices in Cloud Container Stack 70

Least Privilege (RBAC) and Resource Limitation for Azure, GCP, AWS 71

Scanning and Verifying Images Using Cloud Services 72

Compliance and Governance in Cloud Environments 73

Meeting Regulatory Compliance (PCI-DSS, HIPAA) for Containerized Workload 73

Tools to Help Meet Compliance 76

Cloud-Native Security Benchmarks and Certifications 76

Future Trends and Emerging Standards in Cloud-Native Security 78

AI and Machine Learning Security Standards 79

Automated Compliance and Continuous Assessment 79

Summary 81

Chapter 5 Secure Application Container Security in the Cloud 83

Securing Containerized Applications in Cloud Container Platforms 83

Shared Responsibility Model 84

Image Security 84

Network Security 85

Threat Intelligence for Cloud-Native Containers 87

CI/CD Security in Cloud-Based Container Pipelines 90

Shifting Left and Managing Privileges in Azure DevOps, Google Cloud Build, and AWS CodePipeline 91

Azure DevOps 91

Google Cloud Build 92

AWS CodePipeline 93

Penetration Testing for Cloud-Based Containers 94

Supply Chain Risks and Best Practices in the Cloud 95

Securing Container Registries in the Cloud (ACR, ECR, GCR) 97

Image Signing and Verification in Cloud Platforms 98

Role-Based Access Control in Cloud Supply Chains 99

Summary 101

Chapter 6 Secure Monitoring in Cloud-Based Containers 103

Introduction to Secure Container Monitoring 103

Key Monitoring Enablement Business Goals 104

Enabling Cost Efficiency 104

Supporting Compliance and Audit Readiness 104

Enhancing Incident Response 105

Ensuring High Availability 106

Continuous Risk Identification and Remediation 106

Driving Strategic Decision-Making 108

Challenges in Monitoring Cloud-Based Containers 108

Ephemeral Workloads 108

Distributed Architectures 109

Data Volume and Noise 109

Security Considerations in Container Monitoring 110

Observability in Multitenancy 111

Integration with Modern DevOps and SecOps Toolchains 111

Lack of Standardization 112

Advanced Analytics and Predictive Insights 112

Comprehensive Monitoring and Security Architecture for Containerized Workloads 112

Comprehensive Visibility Across Layers 115

Container-Level Monitoring: Runtime Security and Observability 116

Kubernetes Control Plane Monitoring: Orchestration Platform Security 118

Infrastructure Monitoring: Host and Cloud Environment Security 119

Threat Intelligence Integration: Enriched Detection and Proactive Defense 120

Automated Detection and Response 120

Application Performance Monitoring and Security 121

Compliance and Regulatory Adherence 122

Proactive Threat Detection: MITRE ATT&CK Operationalization 123

Enhancing Modern Capabilities with Advanced Techniques 123

Toward a Secure and Resilient Cloud-Native Future 127

Summary 127

Chapter 7 Kubernetes Orchestration Security 129

Cloud-Specific Kubernetes Architecture Security 130

Control Plane Security 130

Worker Node Security 131

Shared Security Responsibilities 133

Securing the Kubernetes API in Azure, GCP, and AWS 134

Securing AKS API 134

Securing GKE API 135

Securing EKS API 135

Best Practices for Securing the Kubernetes API 136

Audit Logging and Policy Engine in Cloud Platform 137

Implementation Strategies 137

Policy Engine 138

Integration and Operational Considerations 138

AKS Policy Implementation 139

GKE Policy Controls 139

EKS Policy Framework 140

Cross-Platform Policy Considerations 140

Advanced Policy Patterns 141

Audit Logging 141

AKS Audit Logging 142

GKE Audit Logging 142

EKS Audit Logging 143

Cross-Platform Audit Logging Strategies 143

Advanced Audit Logging Patterns 144

Security Policies and Resource Management for Cloud-Based Kubernetes 144

Network Policies and Admission Controllers in Cloud 145

Azure Policy Implementation 145

Google Kubernetes Engine Policy Control 146

AWS Network Policy Implementation 147

Network Policy Implementation 147

Advanced Implementation Strategies 148

Summary 148

Chapter 8 Zero Trust Model for Cloud Container Security 149

Zero Trust Concept and Core Principles 150

Core Principles of Zero Trust Architecture 151

Implementing Zero Trust in Cloud-Based Containers 153

IAM in Zero Trust 153

Network Segmentation and Micro-Segmentation in Cloud Containers 154

Network Segmentation 154

Micro-Segmentation 155

Continuous Monitoring and Risk-Based Access Decisions in Cloud 155

End-to-End Encryption and Data Security in Cloud Containers 156

Zero Trust in Kubernetes Security 157

Enforcing Kubernetes Security Policies with Zero Trust Principles 157

Zero Trust for Service Meshes (Istio, Linkerd) in Cloud-Based Kubernetes 158

Secure Access to Cloud-Based Kubernetes Control Planes 160

The Importance of Secure Access 160

Securing with Private Azure Kubernetes Service Cluster 161

Implementing Zero Trust for Multicloud Container Environments 163

Zero Trust Framework in Multicloud 163

Case Study: Applying Zero Trust in Cloud Container Workloads for a Banking Customer 165

Summary 166

Chapter 9 DevSecOps in Cloud-Based Container Platform 169

DevOps to DevSecOps in Azure, GCP, and AWS 170

Integrating Security into Cloud CI/CD Pipelines 172

SAST and Dependency Analysis in Cloud Environments 175

Infrastructure as Code Security for Cloud 177

Secrets Management in Cloud-Native DevSecOps 178

Continuous Monitoring and Alerts in Cloud-Based DevSecOps 180

...
Details
Year of publication: 2025
Subject area: Communications engineering
Genre: Imports, Technology
Category: Science & Technology
Format: Paperback
Contents: Binding - flexible (Paperback)
ISBN-13: 9781394333738
ISBN-10: 1394333730
Language: English
Binding: Paperback / softcover
Authors: Manavi, Sina
Kudrati, Abbas
Zali, Muhammad Aizuddin
Publisher: Wiley
Responsible person for the EU: Libri GmbH, Europaallee 1, D-36244 Bad Hersfeld, gpsr@libri.de
Dimensions: 231 x 185 x 20 mm
By: Sina Manavi (et al.)
Publication date: 12.08.2025
Weight: 0.522 kg
Item ID: 133570000