Securing Cloud Containers : Building and Running Secure Cloud-Native Applications
Author(s): Manavi, Sina
Zali, Aizuddin
Zali, Muhammad Aizuddin
ISBN No.: 9781394333738
Pages: 352
Year: 202507
Format: Trade Paper
Price: $ 93.92
Dispatch delay: Dispatched between 7 to 15 days
Status: Available (Forthcoming)

Table of Contents

Foreword  xxv
Introduction  xxvii

Chapter 1  Introduction to Cloud-Based Containers  1
  Cloud Café Story  1
  The Story Continues: The Café's Expansion  2
  The Cloud Kitchen Model  3
  Making Cloud Kitchen a Success  3
  How Containers Changed the Whole Game Plan  3
  The New Hub of HiTechville  4
  The Evolution of Cloud Infrastructure  4
  The Era of Mainframes  4
  The Rise of Virtualization  4
  The Emergence of Cloud Services  5
  The Shift to Containers  5
  Introduction to Containers in Cloud Computing  6
  The Role of Containers in Modern Cloud Computing  6
  Virtual Machines Versus Containers in Cloud Environments  6
  Benefits of Using Containers in Cloud  7
  Popular Cloud Container Technologies  8
  Overview of Cloud-Native Ecosystem for Containers  11
  Summary  12

Chapter 2  Cloud-Native Kubernetes: Azure, GCP, and AWS  13
  What Is Kubernetes?  15
  Managed Kubernetes Services  17
  Microsoft Azure Kubernetes Services  17
  Google Kubernetes Engine  18
  Amazon Elastic Kubernetes Service  19
  Azure-, GCP-, and AWS-Managed Kubernetes Service Assessment Criteria  21
  Azure, GCP, and AWS Cloud-Native Container Management Services  23
  Summary  23

Chapter 3  Understanding the Threats Against Cloud-Based Containerized Environments  25
  Initial Stage of Threat Modeling  25
  The MITRE ATT&CK Framework  26
  Threat Vectors  27
  Tactic and Techniques in MITRE ATT&CK  27
  Cloud Threat Modeling Using MITRE ATT&CK  31
  Cloud Container Threat Modeling  37
  Foundations of Cloud Container Threat Modeling  37
  Kubernetes Control Plane: Securing the Orchestration Core  37
  Worker Nodes: Securing the Execution Environment  38
  Cluster Networking: Defending the Communication Fabric  39
  Workloads: Hardening Containers and Application Logic  40
  IAM: Enforcing Granular Access Across Layers  41
  Persistent Storage: Securing Data at Rest  42
  CI/CD Pipeline Security: Defending the DevOps Chain  42
  Log Monitoring and Visibility: Detecting What Matters  43
  Resource Abuse and Resiliency: Planning for the Worst  44
  Resource Abuse: Unauthorized Exploitation of Cloud Resources  44
  Resiliency and Business Continuity Planning in Kubernetes  46
  Compliance and Governance  47
  Summary  48

Chapter 4  Secure Cloud Container Platform and Container Runtime  49
  Introduction to Cloud-Specific OS and Container Security  49
  Cloud-Specific OS: A Shifting Paradigm How OS Should Work  50
  Container Security Architecture  51
  Host OS Hardening for Container Environments  53
  Leverage Container-Optimized OSs  53
  Establish and Maintain Secure Configuration Baselines  54
  Implement Robust Access Controls and Authentication  55
  Apply Timely Security Updates and Patches  55
  Implement Host-Based Security Controls  56
  Container Runtime Hardening  56
  Minimal Container Images  56
  Multistage Build  57
  Drop Unnecessary Capabilities  57
  Implement Seccomp Profiles  58
  Resource Controls  59
  Use Memory and CPU Limits  60
  Process and File Restrictions  60
  Logging and Monitoring  61
  Regular Security Updates  62
  Network Security  62
  Implementing Kubernetes Network Policies (netpol)  64
  Leveraging Service Mesh for Advanced Secure Communication  64
  Leveraging Cloud Network Security Groups  66
  Linux Kernel Security Feature for the Container Platform  67
  Linux Namespaces, Control Groups, and Capabilities  68
  OS-Specific Security Capabilities (SELinux, AppArmor)  69
  Security Best Practices in Cloud Container Stack  70
  Least Privilege (RBAC) and Resource Limitation for Azure, GCP, AWS  71
  Scanning and Verifying Images Using Cloud Services  72
  Compliance and Governance in Cloud Environments  73
  Meeting Regulatory Compliance (PCI-DSS, HIPAA) for Containerized Workload  73
  Tools to Help Meet Compliance  76
  Cloud-Native Security Benchmarks and Certifications  76
  Future Trends and Emerging Standards in Cloud-Native Security  78
  AI and Machine Learning Security Standards  79
  Automated Compliance and Continuous Assessment  79
  Summary  81

Chapter 5  Secure Application Container Security in the Cloud  83
  Securing Containerized Applications in Cloud Container Platforms  83
  Shared Responsibility Model  84
  Image Security  84
  Network Security  85
  Threat Intelligence for Cloud-Native Containers  87
  CI/CD Security in Cloud-Based Container Pipelines  90
  Shifting Left and Managing Privileges in Azure DevOps, Google Cloud Build, and AWS CodePipeline  91
  Azure DevOps  91
  Google Cloud Build  92
  AWS CodePipeline  93
  Penetration Testing for Cloud-Based Containers  94
  Supply Chain Risks and Best Practices in the Cloud  95
  Securing Container Registries in the Cloud (ACR, ECR, GCR)  97
  Image Signing and Verification in Cloud Platforms  98
  Role-Based Access Control in Cloud Supply Chains  99
  Summary  101

Chapter 6  Secure Monitoring in Cloud-Based Containers  103
  Introduction to Secure Container Monitoring  103
  Key Monitoring Enablement Business Goals  104
  Enabling Cost Efficiency  104
  Supporting Compliance and Audit Readiness  104
  Enhancing Incident Response  105
  Ensuring High Availability  106
  Continuous Risk Identification and Remediation  106
  Driving Strategic Decision-Making  108
  Challenges in Monitoring Cloud-Based Containers  108
  Ephemeral Workloads  108
  Distributed Architectures  109
  Data Volume and Noise  109
  Security Considerations in Container Monitoring  110
  Observability in Multitenancy  111
  Integration with Modern DevOps and SecOps Toolchains  111
  Lack of Standardization  112
  Advanced Analytics and Predictive Insights  112
  Comprehensive Monitoring and Security Architecture for Containerized Workloads  112
  Comprehensive Visibility Across Layers  115
  Container-Level Monitoring: Runtime Security and Observability  116
  Kubernetes Control Plane Monitoring: Orchestration Platform Security  118
  Infrastructure Monitoring: Host and Cloud Environment Security  119
  Threat Intelligence Integration: Enriched Detection and Proactive Defense  120
  Automated Detection and Response  120
  Application Performance Monitoring and Security  121
  Compliance and Regulatory Adherence  122
  Proactive Threat Detection: MITRE ATT&CK Operationalization  123
  Enhancing Modern Capabilities with Advanced Techniques  123
  Toward a Secure and Resilient Cloud-Native Future  127
  Summary  127

Chapter 7  Kubernetes Orchestration Security  129
  Cloud-Specific Kubernetes Architecture Security  130
  Control Plane Security  130
  Worker Node Security  131
  Shared Security Responsibilities  133
  Securing the Kubernetes API in Azure, GCP, and AWS  134
  Securing AKS API  134
  Securing GKE API  135
  Securing EKS API  135
  Best Practices for Securing the Kubernetes API  136
  Audit Logging and Policy Engine in Cloud Platform  137
  Implementation Strategies  137
  Policy Engine  138
  Integration and Operational Considerations  138
  AKS Policy Implementation  139
  GKE Policy Controls  139
  EKS Policy Framework  140
  Cross-Platform Policy Considerations  140
  Advanced Policy Patterns  141
  Audit Logging  141
  AKS Audit Logging  142
  GKE Audit Logging  142
  EKS Audit Logging  143
  Cross-Platform Audit Logging Strategies  143
  Advanced Audit Logging Patterns  144
  Security Policies and Resource Management for Cloud-Based Kubernetes  144
  Network Policies and Admission Controllers in Cloud  145
  Azure Policy Implementation  145
  Google Kubernetes Engine Policy Control  146
  AWS Network Policy Implementation  147
  Network Policy Implementation  147
  Advanced Implementation Strategies  148
  Summary  148

Chapter 8  Zero Trust Model for Cloud Container Security  149
  Zero Trust Concept and Core Principles  150
  Core Principles of Zero Trust Architecture  151
  Implementing Zero Trust in Cloud-Based Containers  153
  IAM in Zero Trust  153
  Network Segmentation and Micro-Segmentation in Cloud Containers  154
  Network Segmentation  154
  Micro-Segmentation  155
  Continuous Monitoring and Risk-Based Access Decisions in Cloud  155
  End-to-End Encryption and Data Security in Cloud Containers  156
  Zero Trust in Kubernetes Security  157
  Enforcing Kubernetes Security Policies with Zero Trust Principles  157
  Zero Trust for Service Meshes (Istio, Linkerd) in Cloud-Based Kubernetes  158
  Secure Access to Cloud-Based Kubernetes Control Planes  160
  The Importance of Secure Access  160
  Securing with Private Azure Kubernetes Service Cluster  161
  Implementing Zero Trust for Multicloud Container Environments  163
  Zero Trust Framework in Multicloud  163
  Case Study: Applying Zero Trust in Cloud Container Workloads for a Banking Customer  165
  Summary  166

Chapter 9  DevSecOps in Cloud-Based Container Platform  169
  DevOps to DevSecOps in Azure, GCP, and AWS  170
  Integrating Security into Cloud CI/CD Pipelines  172
  SAST and Dependency Analysis in Cloud Environments  175
  Infrastructure as Code Security for Cloud  177
  Secrets Management in Cloud-Native DevSecOps  178
  Continuous Monitoring and Alerts in Cloud-Based DevSecOps  180
  Cloud-Based DevSecOps Tool.