"AWS, Azure and GCP don't handle basic security functions...in exactly the same way. There are nuances that must be taken into account in order for security measures to work properly...The professionals who understand these nuances are not easy to find." - Shai Morag, Forbes Technology Council
This is exactly why Eric Johnson and I launched SEC510: Public Cloud Security: AWS, Azure, and GCP over three years ago. Since then, we expanded the course to five days, introduced the associated GPCS: GIAC Public Cloud Security Certification certification, updated the content to respond to new cloud-specific security incidents, and enhanced our 20 hands-on labs and bonus challenges. My favorite part of the labs is that students can re-do them, both after the course ends and as many times as they would like. It is great to see former students continue to level-up into the multicloud professionals our industry so desperately needs!
The Big 3 cloud providers continue to evolve, and this past year is no exception. A 2023 study from Thales shows that many organizations are failing to keep up: 39% of businesses experienced a cloud data breach in the past year alone. Here are the top 5 changes we made to SEC510 to help you stay ahead of the curve.
Learn more about the SANS Cloud Ace Journeys
1. Securely Integrate Multicloud Environments with Workload Identity Federation
The most recently published SANS Multicloud Survey results show that the use of multiple cloud providers is continuing to trend upward. Not only were the Big 3 cloud providers used by over 80% of the respondents, but the “Little 3”, Oracle, Alibaba, and IBM, were used by over 50%. Typically, an organization’s multiple clouds will need to talk to one another in some way. To accomplish this, engineers will often build integrations at the Identity and Access Management (IAM) level.
Here is the problem: everyone does this wrong. This includes organizations who avoid some of the common pitfalls, such as hardcoding long-lived IAM credentials, failing to rotate them, or re-using cloud identities across multiple applications. It is always better to use short-lived, automatically rotating credentials. The cloud providers make this easy within a single cloud, but extremely difficult across multiple clouds.
The new SEC510 solves this problem with new content and labs on Workload Identity Federation. It provides students with the exact tools necessary to access cloud resources in one provider from another with short-lived credentials. While this concept is simple, it is very difficult to implement. I would truly be shocked to learn that your organization is properly using this capability in production. Let us help you fix that and substantially reduce your risk!
2. Discover the Benefits and Limitations of Cloud Data Loss Detection Services
The new roadmap of SEC510 aligns with the Cyber Defense Matrix, which defines the types of cloud assets our organizations need to secure. Our newly extended Section 3 is all about one of these asset types: data.
When discussing data security in the past, some of my students have questioned the value of encryption. They would state that most of their data is public, so encrypting their insensitive data is unnecessary. My common refrain is “how do you know where your private data is?” Sometimes, they will respond that they use “Data Loss Prevention (DLP)” solutions like Amazon Macie, Microsoft Purview, and Google Cloud DLP to classify their data.
For this update, we interrogated the assumption that these solutions truly solve this problem. I strongly believed that these services, while useful, would fall short of their customer’s expectations. Lo and behold, not only is Amazon Macie not a DLP, not only does it only detect sensitive data in a single service (S3), but all three solutions were far from accurate. We have created new content and a lab exercise to demonstrate these limitations to SEC510 students. After they see how many false positives and negatives these tools produce, they will learn that the only way to keep your organization safe and compliant is to implement encryption consistently without any excuses. Of course, we will also teach them how to easily encrypt data across the cloud services that they use.
3. Leverage Multicloud Security Posture Management (CSPM)
510 previously had some coverage of the CSPM solutions provided by the cloud providers. CSPM is a popular and growing security product category. It attempts to find security misconfigurations to streamline the process of fixing them. As CSPM adoption grew, our coverage of it needed to increase.
The new version drastically increases our CSPM coverage to span two full modules and lab exercises. In the first, students will explore these solutions, AWS Security Hub, Microsoft Defender for Cloud, and the Google Cloud Security Command Center, in more depth. The second will show how your organization can assess the security of the Big 3 cloud providers and more from a single pane of glass using Microsoft Defender for Cloud. This solution leverages Workload Identity, which students will be prepared to well-equipped to tackle at that point in the course.
4. Follow New Cloud Provider Developments and Security Incidents
The past year has been huge for the Big 3 cloud providers. Their annual revenue has gone well into the 10 figures USD, and their customers are expecting more. They have taken a lot of steps in the right direction to address their insecure configuration defaults. I count that we have added approximately 14 new cloud changes that have been made since the last version of the course. Many of these changes are related to data security and crucial for you to understand.
Unfortunately, threat actors have also stepped their game up recently. Combined with the security budget cuts and decreased investment in training due to economic woes, 2023 has been one of the worst in our industry’s history. You are probably aware of at least three major breaches in the past month related to the cloud. The good news is that these painful breaches make for great case studies. Many of these were added to our course to explain the serious impact of failing to implement the controls that we teach.
5. Get Up and Running Faster with a Better, Cheaper Lab Environment
Our labs are performed in real cloud environments. Nothing is simulated. While this is great for reinforcing the concepts that we cover in our lectures, it also poses challenges. Real clouds have real turbulence, after all. As such, getting started with our labs can take some time. Your time is precious, and we want you to use it to learn critical skills.
This is why I am overjoyed to announce massive improvements to our deployment process. SANS will now provide all students, regardless of the modality (Live In-Person, Live Online, Hybrid, or OnDemand), with AWS and Azure accounts that they can use for the labs. Past students might recall how setting up an Azure environment can be especially finicky. Our new approach solves this problem. Deploying to these environments will now be much, much quicker for students.
We have also received a lot of feedback about students (and companies) not wanting to spend additional money on cloud accounts to do the labs. I get it. Even if the bill is less than $20, simply filling out the expense report can be a pain in the neck. Thankfully, by using the SANS-managed AWS and Azure accounts along with the $300 free credit from Google Cloud, students should no longer receive any cloud charges for the duration of the course!
- Course Video
- Syllabus: SEC510: Public Cloud Security: AWS, Azure, and GCP
- Certification: GPCS: GIAC Public Cloud Security Certification
- Updated Poster: Secure Services Configuration: AWS, Azure, and GCP
- Cheat Sheet: Multicloud Command Line Interface
About the Course Authors
Brandon Evans is the owner and an InfoSec Consultant at On-Brand Technologies LLC, a consultancy helping organizations secure their applications and other workloads in multi cloud environments, specializing in AWS, Azure, and Google Cloud. Prior to starting his consultancy, Brandon led the secure development training program at Zoom Video Communications. He began his career as a Software Engineer, where he worked on both the core product of a startup, later acquired by a Fortune 500 organization, and on various products spanning a multi-billion dollar enterprise. Brandon is lead author for SEC510: Public Cloud Security: AWS, Azure, and GCP, a contributor to SEC540: Cloud Security and DevSecOps Automation, host of Cloud Ace podcast, Season 1, an analyst for the SANS Multicloud Survey, and a multi-year RSA Conference presenter. Read more about Brandon.
Eric Johnson is a Co-founder and Principal Security Engineer at Puma Security and a Senior Instructor with the SANS Institute. His experience includes cloud security assessments, cloud infrastructure automation, static source code analysis, web and mobile application penetration testing, secure development lifecycle consulting, and secure code review assessments. Eric is the lead author and an instructor for SEC540: Cloud Security and DevSecOps Automation and a co-author and instructor for both SEC549: Enterprise Cloud Security Architecture and SEC510: Public Cloud Security: AWS, Azure, and GCP. Additionally, Eric is a SANS Security Awareness Developer Training Advisory Board Member and SANS Analyst for Application Security and DevSecOps Surveys. Read more about Eric.