Brandon Evans

Prevent Cloud Incidents from Becoming Cloud Breaches

Explore the mission of the newly renamed SEC510: Cloud Security Controls and Mitigations.

March 7, 2024

Watch the Webcast | Prevent Cloud Incidents from Becoming Cloud Breaches

The number of cloud security breaches in the headlines has been staggering lately. It seems like a week cannot go by without a massive amount of sensitive data being leaked from AWS, Azure, or Google Cloud. One example that would be funny if it were not so sad is the September 2023 incident where the Microsoft AI team leaked 38TB of sensitive data, including employee workstation backups and 30,000 internal Teams messages, due to a storage misconfiguration. How is the industry failing to use the clouds properly, let alone Microsoft, the extremely mature company that created Azure in the first place?

This is the question we answer in SEC510: Cloud Security Controls and Mitigations. Here are some of the course’s findings:

The cloud: the final, current, and only significant frontier

The public cloud is the new norm. Thales Group reported that the percentage of corporate data stored in the cloud has doubled from 2015 (30%) to 2022 (60%). Meanwhile, the 2023 Unit 42 Attack Surface Threat Report, published by a threat research branch of Palo Alto Networks, reported that “80% of security exposures were observed in cloud environments.” Because this percentage is significantly larger than the percentage of data in the cloud, this implies that the cloud is somehow uniquely vulnerable.


The cloud is insecure by default

The cloud providers are here to help you with security, but only to a point. Their ultimate goal is to increase profits. Each cloud provider wants to appear as if they care about security, but this is often outweighed by usability. If a cloud provider is hard to use, it is less likely to be adopted.

For example, the first thing an aspiring cloud administrator will try to do is launch a virtual machine, connect to it over SSH, and run some commands like they would on-premises. If the cloud provider prioritized security over everything else, they would block SSH access by default. However, if they did that, it would frustrate the administrator, require them to read documentation, and potentially discourage them from further exploring the cloud. Instead, when you launch a VM in AWS or Azure, the launch wizard will automatically allow SSH from the internet. Funnily enough, they will display a warning saying how dangerous the rule they suggested is. Google Cloud does the same thing, but they fail to even provide a warning.

Insecure defaults are addressed by the “Shared Responsibility Model.” The cloud provider is responsible for the security of the cloud, while the customer is responsible for the security of what is in the cloud. This includes configurations. Regardless of the default, the customer is ultimately responsible for configuring the services they use to meet their organization’s needs.
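One way to check for the wizard-style rule described above in each of the three providers, shown as an added example that is not from the original post or the SEC510 course. The field names follow the JSON each provider's CLI returns for security groups, network security groups, and firewall rules; the rule documents, group IDs, and rule names are constructed samples.

```python
# Added example: does a rule set expose SSH (TCP/22) to the whole internet?
# Rule documents are constructed samples trimmed to the fields the checks read.
ANY_SOURCE = {"0.0.0.0/0", "::/0", "*", "Internet"}

def covers_22(spec):
    """Port spec such as '22', '20-30' or '*' (all ports) includes 22."""
    if spec is None:
        return False
    if spec == "*":
        return True
    lo, _, hi = str(spec).partition("-")
    return int(lo) <= 22 <= int(hi or lo)

def aws_open_ssh(group):
    """AWS security group as returned by describe-security-groups."""
    for perm in group.get("IpPermissions", []):
        proto = perm["IpProtocol"]          # "-1" means every protocol and port
        if proto == "tcp" and not perm["FromPort"] <= 22 <= perm["ToPort"]:
            continue
        if proto not in ("tcp", "-1"):
            continue
        cidrs = {r["CidrIp"] for r in perm.get("IpRanges", [])}
        cidrs |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
        if cidrs & ANY_SOURCE:
            return True
    return False

def azure_open_ssh(nsg):
    """Azure NSG; simplification: ignores priority, so an earlier Deny is not considered."""
    for rule in nsg.get("securityRules", []):
        if rule["access"] != "Allow" or rule["direction"] != "Inbound":
            continue
        if rule["protocol"].lower() not in ("tcp", "*"):
            continue
        sources = set(rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix")])
        ports = rule.get("destinationPortRanges") or [rule.get("destinationPortRange")]
        if sources & ANY_SOURCE and any(covers_22(p) for p in ports):
            return True
    return False

def gcp_open_ssh(rule):
    """Single Google Cloud VPC firewall rule; a missing 'ports' list means all ports."""
    if rule.get("direction") != "INGRESS" or rule.get("disabled"):
        return False
    if not set(rule.get("sourceRanges", [])) & ANY_SOURCE:
        return False
    return any(a["IPProtocol"] in ("tcp", "all") and
               any(covers_22(p) for p in a.get("ports", ["*"]))
               for a in rule.get("allowed", []))

AWS_OPEN = {"GroupId": "sg-EXAMPLE", "IpPermissions": [{"IpProtocol": "tcp",
            "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
AWS_SCOPED = {"GroupId": "sg-EXAMPLE2", "IpPermissions": [{"IpProtocol": "tcp",
              "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.10/32"}]}]}
AZURE_OPEN = {"name": "example-nsg", "securityRules": [{"access": "Allow",
              "direction": "Inbound", "protocol": "Tcp", "sourceAddressPrefix": "*",
              "destinationPortRange": "22"}]}
GCP_OPEN = {"name": "example-allow-ssh", "direction": "INGRESS",
            "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]}

if __name__ == "__main__":
    print(aws_open_ssh(AWS_OPEN), aws_open_ssh(AWS_SCOPED),
          azure_open_ssh(AZURE_OPEN), gcp_open_ssh(GCP_OPEN))
```

The same intent ("allow SSH from anywhere") is spelled three different ways, which is why each provider needs its own check.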

Multiple clouds require multiple solutions

It is so much harder for security professionals to support multiple cloud providers than it is to support one. Exactly how much harder? Let us try to quantify the effort. If we were using three completely different providers, it would require three times the effort.

Thankfully, there is some overlap between the different cloud providers. Emphasis on “some”. Shai Morag of the Forbes Technology Council stated that “AWS, Azure and GCP don't handle basic security functions...in exactly the same way. There are nuances that must be taken into account in order for security measures to work properly...The professionals who understand these nuances are not easy to find.”

What about the effort to securely integrate these cloud providers together? Odds are, your organization will need its systems to interact with one another regardless of the clouds in which they reside. Enabling this correctly is simply a nightmare. Learn more about why in my webcast with Eric Johnson, Securely Integrate Multicloud Environments with Workload Identity Federation. We also argue that cloud agnosticism alone will not solve this problem.


We haven’t solved Application Security. Not by a long shot

There is a deep link between software security and cloud security. The 2023 Verizon Data Breach Investigations Report (DBIR) showed that “Basic Web Application Attacks” were still among the “top attack patterns.” Vulnerable applications are more susceptible to these basic attacks. The risk posed by these attacks is enhanced or mitigated by how the cloud provider hosting these apps is configured. Without the proper controls, an attacker can pivot to these cloud-managed services and potentially compromise the entire cloud account.

The cloud also enables the fast deployment of publicly accessible vulnerable software. The Unit 42 report cited above argued that “it is comparatively easier for developers to create and deploy…substantially outdated software in the cloud” when compared to on-premises. In fact, they reported that “95% of EoL [end-of-life] software systems exposed on the public internet…were found in cloud environments.” This is surprising because most organizations with on-prem and cloud assets start on-prem, so their oldest assets would presumably live there. Perhaps this is because it is much easier to accidentally expose resources on the cloud than on-premises.


Security professionals don’t know how to code, and that’s OK!

Vulnerable applications, both those developed in-house and those developed by a third party, are inevitable. Not many cybersecurity professionals can fix vulnerable application code alone. Learning how to code is considered optional for many cybersecurity roles. Thankfully, it is usually much easier to apply secure cloud configuration to mitigate the impact of these vulnerabilities. SEC510 is not an application security course, and it will not teach you how to fix vulnerable application code.

Instead, SEC510 teaches you practical controls and mitigations that you can use to prevent AppSec incidents from becoming breaches. While we leverage material from resources like the CIS Benchmarks, these often focus on compliance. Instead, we put attack-driven controls front and center because they are the most effective at protecting your organization’s most important cloud-based assets.

We cover many attack case studies, including the Capital One breach, the Azure SQL lateral movement campaign disclosed in October of 2023, and much more. In all of these case studies, even when the attack involved the complete takeover of a software system, the right cloud-level controls could have dramatically reduced the scope of the incident. Instead of waiting for developers to fix every issue they report, security teams should control what they can by implementing these types of mitigations.

About SEC510 and its New Name

SEC510 is a flagship course in the SANS Cloud Curriculum. Over the past four years, thousands of students have taken it to learn the nuanced security differences between the Big 3 cloud providers and how to securely configure their Platform as a Service (PaaS)/Infrastructure as a Service (IaaS) offerings. The value it has provided is immense, with Sean Ayres of UPS stating, “If you Cloud, you need this course - <period>.”

Multicloud security has become harder, not easier. The SANS 2023 Multicloud Survey demonstrated that the majority of organizations use multiple cloud providers. This trend has resulted in all SANS Cloud Security training courses covering at least 2 of the Big 3 CSPs.

The new SEC510 still supports all Big 3 cloud providers (AWS, Azure, and Google Cloud) equally, with roughly a 33% / 33% / 33% coverage split. It contains all the great content past students have received, updated to the current day, and more. The new name simply highlights the mission SEC510 has had all these years: to mitigate security vulnerabilities in the Big 3 cloud providers with controls and configurations that can block real attacks. SEC510's primary focus is on prevention. If we can prevent security incidents from happening in the first place, or at least mitigate their risk so that they do not become breaches, we can safeguard the confidentiality and integrity of our data, keep our critical systems operational, and lighten the load for our teammates working in other cloud security disciplines.

To learn more, please visit sans.org/sec510. Make sure to click the “Course Demo” button to receive nearly an hour of content from the course for free!
