Provided by SANS

About the course

As more organizations move data and infrastructure to the cloud, security is becoming a major priority. Operations and development teams are finding new uses for cloud services, and executives are eager to save money and gain new capabilities and operational efficiency by using these services. But, will information security prove to be an Achilles' heel? Many cloud providers do not provide detailed control information about their internal environments, and quite a few common security controls used internally may not translate directly to the public cloud.

The SEC545 course, Cloud Security Architecture and Operations, will tackle these issues one by one. We'll start with a brief introduction to cloud security fundamentals, and then cover the critical concepts of cloud policy and governance for security professionals. For the rest of day one and all of day two, we'll move into technical security principles and controls for all major cloud types (SaaS, PaaS, and IaaS). We'll learn about the Cloud Security Alliance framework for cloud control areas, then delve into assessing risk for cloud services, looking specifically at technical areas that need to be addressed.

The course then moves into cloud architecture and security design, both for building new architectures and for adapting tried-and-true security tools and processes to the cloud. This will be a comprehensive discussion that encompasses network security (firewalls and network access controls, intrusion detection, and more), as well as all the other layers of the cloud security stack. We'll visit each layer and the components therein, including building secure instances, data security, identity and account security, and much more. We'll devote an entire day to adapting our offense and defense focal areas to cloud. This will involve looking at vulnerability management and pen testing, as well as covering the latest and greatest cloud security research. On the defense side, we'll delve into incident handling, forensics, event management, and application security.

We wrap up the course by taking a deep dive into SecDevOps and automation, investigating methods of embedding security into orchestration and every facet of the cloud life cycle. We'll explore tools and tactics that work, and even walk through several cutting-edge use cases where security can be automated entirely in both deployment and incident detection-and-response scenarios using APIs and scripting.

Course Syllabus

SEC545.1: Cloud Security Foundations

Overview

The first day of the class starts out with an introduction to the cloud, including terminology, taxonomy, and basic technical premises. We also examine what is happening in the cloud today, and cover the spectrum of guidance available from the Cloud Security Alliance, including the Cloud Controls Matrix, the 14 major themes of cloud security, and other research available.

Next we spend time on cloud policy and planning, delving into the changes an organization needs to make for security and IT policy to properly embrace the cloud. After all the legwork is done, we'll start talking about some of the main technical considerations for the different cloud models. We'll start by breaking down Software-as-a-Service (SaaS) and some of the main types of security controls available. A specialized type of Security-as-a-Service (SecaaS) known as Cloud Access Security Brokers (CASBs) will also be explained, with examples of what to look for in such a service. We'll wrap up with an introduction to Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS) controls, which will set the stage for the rest of the class.

Exercises

• Exploring AWS and Security
• Evaluating Cloud Policies
• Evaluating Cloud Contracts
• Deploying and Securing Cloud Containers
• SecaaS with Cloud Passage

CPE/CMU Credits: 6

Topics

• Introduction to the Cloud and Cloud Security Basics
• Cloud Security Alliance Guidance
• Cloud Policy and Planning
• SaaS Security
• Cloud Access Security Brokers (CASBs)
• Intro to PaaS and IaaS Security Controls

SEC545.2: Core Security Controls for Cloud Computing

Overview

The second day of SEC545 compares traditional in-house controls with those in the cloud today. Some controls are similar and mostly compatible, but not all of them. Since most cloud environments are built on virtualization technology, we walk through a short virtualization security primer, which can help teams building hybrid clouds that integrate with internal virtualized assets, and also help teams properly evaluate the controls cloud providers offer in this area. We'll then break down cloud network security controls and tradeoffs, since this is an area that is very different from what we've traditionally run in-house.

For PaaS and IaaS environments, it's critical to secure virtual machines (instances) and the images we deploy them from, so we cover this next. At a high level, we'll also touch on identity and access management for cloud environments to help control and monitor who is accessing the cloud infrastructure, as well as what they're doing there. We also cover data security controls and types, including encryption, tokenization, and more. Specific things to look for in application security are laid out as the final category of overall controls. We then pull it all together to demonstrate how you can properly evaluate a cloud provider's controls and security posture.

Exercises

• Hypervisor Security
• Setting Up VPCs and Cloud Networks
• Configuration Control and Assessment with AWS Config
• Cloud Risk Assessment

CPE/CMU Credits: 6

Topics

• Cloud Security: In-House versus Cloud
• A Virtualization Security Primer
• Cloud Network Security
• Instance and Image Security
• Identity and Access Management
• Data Security for the Cloud
• Application Security for the Cloud
• Provider Security: Cloud Risk Assessment

SEC545.3: Cloud Security Architecture and Design

Overview

Instead of focusing on individual layers of our cloud stack, we start day three by building the core security components. We'll break down cloud security architecture best practices and principles that most high-performing teams prioritize when building or adding cloud security controls and processes to their environments. We start with infrastructure and core component security - in other words, we need to look at properly locking down all the pieces and parts we covered on day two!

This then leads to a focus on major areas of architecture and security design. The first is building various models of access control and compartmentalization. This involves breaking things down into two categories: identity and access management (IAM) and network security. We delve into these in significant depth, as they can form the backbone of a sound cloud security strategy. We then look at architecture and design for data security, touching on encryption technologies, key management, and what the different options are today. We wrap up our third day with another crucial topic: availability. Redundant and available design is as important as ever, but we need to use cloud provider tools and geography to our advantage. At the same time, we need to make sure we evaluate the cloud provider's DR and continuity, and so this is covered as well.

Exercises

• IAM within S3
• EC2 and IAM Roles
• Managing Cloud Instances with EC2 Systems Manager
• Complex IAM with Container Secrets
• Secure Network Architecture with Bastion Hosts

CPE/CMU Credits: 6

Topics

• Cloud Security Architecture Overview
• Cloud Architecture and Security Principles
• Infrastructure and Core Component Security
• Access Controls and Compartmentalization
• Confidentiality and Data Protection
• Availability

SEC545.4: Cloud Security - Offense and Defense

Overview

There are many threats to our cloud assets, so the fourth day of the course begins with an in-depth breakdown of the types of threats out there. We'll look at numerous examples. The class also shows students how to design a proper threat model focused on the cloud by using several well-known methods such as STRIDE and attack trees and libraries.

Scanning and pen testing the cloud used to be challenging due to restrictions put in place by the cloud providers themselves. But today it is easier than ever. There are some important points to consider when planning a vulnerability management strategy in the cloud, and this class touches on how to best scan your cloud assets and which tools are available to get the job done. Pen testing naturally follows this discussion, and we talk about how to work with the cloud providers to coordinate tests, as well as how to perform testing yourself.

On the defensive side, we start with network-based and host-based intrusion detection, and how to monitor and automate our processes to better carry out this detection. This is an area that has definitely changed from what we're used to in-house, so security professionals need to know what their best options are and how to get this done. Our final topics on day four include incident response and forensics (also topics that have changed significantly in the cloud). The tools and processes are different, so we need to focus on automation and event-driven defenses more than ever.

Exercises

• Vulnerability Assessment with AWS Inspector
• Cloud Threat Modeling
• Deploying Kali in the Cloud for Pen Tests
• flAWS: A Cloud-Based CTF
• Logging and Events in the Cloud

CPE/CMU Credits: 6

Topics

• Threats to Cloud Computing
• Vulnerability Management in the Cloud
• Cloud Pen Testing
• Intrusion Detection in the Cloud
• Cloud IR and Event Management
• Cloud Forensics

SEC545.5: Cloud Security Automation and Orchestration

Overview

On our final day, we'll focus explicitly on how to automate security in the cloud, both with and without scripting techniques. We will use tools like the AWS CLI and AWS Lambda to illustrate the premises of automation, then turn our attention toward SecDevOps principles. We begin by explaining what that really means, and how security teams can best integrate into DevOps and cloud development and deployment practices. We'll cover automation and orchestration tools like Ansible and Chef, as well as how we can develop better and more efficient workflows with AWS CloudFormation and other tools.

Continuing some of the topics from day four, we will look at event-driven detection and event management, as well as response and defense strategies that work. While we won't automate everything, some actions and scenarios really lend themselves to monitoring tools like CloudWatch, tagging assets for identification in security processes, and initiating automated response and remediation to varying degrees. We wrap up the class with a few more tools and tactics, followed by a sampling of real-world use cases.

Exercises

• AWS CLI Automation
• Ansible Basics
• Ansible Roles and Security
• AWS CloudFormation
• AWS CloudWatch
• AWS Lambda Automation

CPE/CMU Credits: 6

Topics

• Scripting and Automation in the Cloud
• SecDevOps Principles
• Creating Secure Cloud Workflows
• Building Automated Event Management
• Building Automated Defensive Strategies
• Tools and Tactics
• Real-World Use Cases
• Class Wrap-Up

Who Should Attend

• Security Analysts
• Security Architects
• Senior Security Engineers
• Technical Security Managers
• Security Monitoring Analysts
• Cloud Security Architects
• DevOps and DevSecOps Engineers
• System Administrators
• Cloud Administrators

Prerequisites

A basic understanding of TCP/IP, network security, and security architecture are helpful for this course. Comfort with the command line is a must, as many exercises are conducted there (Linux command line skills are useful). Comfort with VMware virtualization is a plus.

You Will Receive With This Course

• Several virtual machines that include a hypervisor, Ansible platform, and more
• MP3 audio files of the complete course lectures
• All policy and configuration files that can be used to automate security in AWS
• A threat-modeling template that can be used for SEC545 and beyond
• USB 3.0 stick that includes the above and more

This Course Will Prepare You To:

• Revise and build internal policies to ensure cloud security is properly addressed
• Understand all major facets of cloud risk, including threats, vulnerabilities, and impact
• Articulate the key security topics and risks associated with SaaS, PaaS, and IaaS cloud deployment models
• Evaluate Cloud Access Security Brokers (CASBs) to better protect and monitor SaaS deployments
• Build security for all layers of a hybrid cloud environment, starting with hypervisors and working to application layer controls
• Evaluate basic virtualization hypervisor security controls
• Design and implement network security access controls and monitoring capabilities in a public cloud environment
• Design a hybrid cloud network architecture that includes IPSec tunnels
• Integrate cloud identity and access management (IAM) into security architecture
• Evaluate and implement various cloud encryption types and formats
• Develop multi-tier cloud architectures in a Virtual Private Cloud (VPC), using subnets, availability zones, gateways, and NAT
• Integrate security into DevOps teams, effectively creating a DevSecOps team structure
• Build automated deployment workflows using AWS and native tools
• Incorporate vulnerability management, scanning, and penetration testing into cloud environments
• Build automated and flexible detection and response programs using tools like AWS-IR, CloudWatch, CloudTrail, and AWS Lambda
• Leverage the AWS CLI to automate and easily execute operational tasks
• Set up and use an enterprise automation platform, Ansible, to automate configuration and orchestration tasks
• Use CloudWatch, CloudFormation, and other automation tools to integrate automated security controls into your cloud security program

Hands-on Labs

SEC545: Cloud Security Architecture and Operations reinforces knowledge transfer through the use of numerous hands-on labs. This approach goes well beyond traditional lectures and delves into literal application of techniques. Hands-on labs are held every day to reinforce the skills covered in class and to provide students experience with the tools used to implement effective security. The labs are designed to enable students to apply what they are learning in an instructor-led environment. Labs are wide-ranging and include:

• Policy and governance labs
• Security-as-a-Service labs
• Architecture and design labs
• Security automation labs
• Offensive and defensive labs in the cloud
• Log collection and review labs
• Playing flAWS, a challenging cloud CTF