Tags:
The security industry is infamous for failing to keep up with the new technologies adopted by their product development counterparts. While much of the industry has fully embraced the public cloud, many in security are struggling to keep up. SANS, recognizing that security professionals are looking to modernize their skillsets, have been running several high-quality cloud courses for years, such as SEC540: Cloud Security and DevOps Automation, and SEC545: Cloud Security Architecture and Operations. With the recent launch of the SANS Cloud Curriculum, SANS has greatly expanded its cloud course offerings.
In an ideal world, one could learn the core concepts of cloud computing and apply them to whatever cloud provider their organization utilizes. Unfortunately, we live in a world where each of the top 3 most popular cloud platforms, Amazon Web Services (AWS), Microsoft Azure, and the Google Cloud Platform (GCP), radically differ from one another in both design and implementation. These differences require different security strategies, as I previously explored in the SANS Webcast Secure by Default? Scoring the Big 3 Cloud Providers. Meanwhile, existing SANS courses focus on one or two cloud providers. For example, SEC540 discusses DevSecOps methodologies using a combination of AWS, Azure, and on-premises technologies, but does not specifically detail GCP. SEC584: Defending Cloud Native Infrastructure, is all about containers and Kubernetes, so their lab environment is completely based in GCP, the cloud platform created by the same company that created K8s. These are phenomenal courses, yet there has nonetheless been an unfulfilled demand for courseware that compares the three major clouds and illustrates how to appropriately secure each.
This demand has inspired Eric Johnson and I to co-author SEC510: Multicloud Security Assessment and Defense. SEC510 is the first SANS course designed to provide equal coverage of the AWS, Azure, and GCP. The course helps students navigate through the public cloud service offering catalogue and examine how the security settings of analogous services differ. For example, in the SEC510’s course preview webcast, we contrasted each cloud provider’s Instance Metadata Service (IMDS) and discussed how an insecure default setting in AWS’s IMDSv1 was a proximate cause of Capital One’s 2019 breach. I explored a similar attack in the context of serverless functions in the SANS Webcast Attacking Serverless Servers: Reverse Engineering the AWS, Azure, and GCP Function Runtimes, which we also expand upon in the course.

A diagram featured in the course demonstrating how the Capital One attacker used their cloud against them to elevate their privileges and steal hundreds of thousands of credit card applications
Some might question the value of an all-in-one cloud security course when the cloud providers offer security training of their own to help you secure their platforms. Although we are grateful that these cloud providers are taking security seriously, it is impossible to ignore the conflict of interest here: each cloud provider wants to make their customers believe that they are doing everything in their power to secure them by default. They do not have an incentive to admit where their services have deficiencies. We, on the other hand, are delighted to highlight what they got wrong and praise what they got right. Beyond this, if you need to support an organization that uses multiple clouds, you must be able to translate concepts between providers. Only a comprehensive course that juxtaposes each provider will make you obtain a multicloud lexicon. As more organizations are identifying as multicloud (as explored in my whitepaper, Top 5 Considerations for Multicloud Security), this skillset is in high-demand.
The course builds on the Center for Internet Security’s cloud benchmarks and the MITRE ATT&CK Cloud Matrix to teach students how to harden their cloud environments. They will put these lessons into practice by assessing and defending a modern React application that they will automatically deploy to each of their cloud accounts using Terraform. The application is for a fictional company, Nimbus Inmutable, that has a significant presence in the cloud. The application has the same functionality regardless to which cloud it is deployed to, but each uses the cloud-managed services of their provider. After identifying flaws in this application, students will secure will apply secure settings for IAM, networking, encryption, and more to mitigate the damage caused by these flaws.
Although each version of the application looks identical on its surface, the implementation is different in each cloud.

The first beta run of SEC510 will be a 3-day version beginning on August 17th, 2020 via the SANS Live Online platform. If interested, click here to visit the course webpage and enroll.
About the Author: Brandon Evans is the lead author of SEC510: Multicloud Security Assessment and Defense and an instructor for SEC540: Cloud Security and DevOps Automation. His full-time role is as a Senior Application Security Engineer at Asurion, where he provides security services for thousands of his coworkers in product development across several global sites responsible for hundreds of web applications. This includes performing secure code reviews, conducting penetration tests, developing secure coding patterns, and evangelizing the importance of creating secure products. Read his full bio here.