What You Will Learn
License to Learn Cloud Security
SEC488: CLOUD SECURITY ESSENTIALS WILL PREPARE YOU TO:
- Navigate your organization through the security challenges and opportunities presented by cloud services
- Identify the risks of the various services offered by cloud service providers (CSPs)
- Select the appropriate security controls for a given cloud network security architecture
- Evaluate CSPs based on their documentation, security controls, and audit reports
- Confidently use the services of any of the leading CSPs
- Articulate the business and security implications of multiple cloud providers
- Secure, harden, and audit CSP environments
- Protect the access keys and secrets used in cloud environments
- Use application security tools and threat modeling to assess the security of cloud-based applications
- Automatically create and provision patched and hardened virtual machine images
- Deploy a complete "infrastructure as code" environment to multiple cloud providers
- Leverage cloud logging capabilities to establish accountability for events that occur in the cloud environment
- Detect and respond to security incidents in the cloud and take appropriate steps as a first responder
- Perform a preliminary forensic file system analysis of compromised cloud resources
More businesses than ever are moving sensitive data and shifting mission-critical workloads to the cloud - and not just to one cloud service provider (CSP). Research shows that most enterprises have strategically decided to deploy a multicloud platform, including Amazon Web Services, Azure, Google Cloud, and others.
Organizations are responsible for securing their data and mission-critical applications in the cloud. The benefits in terms of cost and speed of leveraging a multicloud platform to develop and accelerate delivery of business applications and analyze customer data can quickly be reversed if security professionals are not properly trained to secure the organization's cloud environment and investigate and respond to the inevitable security breaches.
The SANS SEC488: Cloud Security Essentials course will prepare you to advise and speak about a wide range of topics and help your organization successfully navigate both the security challenges and opportunities presented by cloud services. Like foreign languages, cloud environments have similarities and differences, and SEC488 covers all of the major CSPs and thus all of the languages of cloud services.
We will begin by diving headfirst into one of the most crucial aspects of cloud - Identity and Access Management (IAM). From there, we'll move on to securing the cloud through discussion and practical, hands-on exercises related to several key topics to defend various cloud workloads operating in the different CSP models of: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).
New technologies introduce new risks. This course will equip you to implement appropriate security controls in the cloud, often using automation to "inspect what you expect." Mature CSPs have created a variety of security services that can help customers use their products in a more secure manner, but nothing is a magic bullet. This course covers real-world lessons using security services created by the CSPs as well as open-source tools. As mentioned, each course book features hands-on lab exercises to help students hammer home the lessons learned. We progressively layer multiple security controls in order to end the course with a functional security architecture implemented in the cloud.
You Will Be Able To:
- Identify the risks and risk control ownership based on the deployment models and service delivery models of the various products offered by cloud service providers (CSPs).
- Evaluate the trustworthiness of CSPs based on their security documentation, service features, third-party attestations, and position in the global cloud ecosystem.
- Create accounts and use the services of any one the leading CSPs and be comfortable with the self-service nature of the public cloud, including finding documentation, tutorials, pricing, and security features.
- Articulate the business and security implications of a multicloud strategy.
- Secure access to the consoles used to access the CSP environments.
- Use command line interfaces to query assets and identities in the cloud environment.
- Use hardening benchmarks, patching, and configuration management to achieve and maintain an engineered state of security for the cloud environment.
- Evaluate the logging services of various CSPs and use those logs to provide the necessary accountability for events that occur in the cloud environment.
- Configure the command line interface (CLI) and properly protect the access keys to minimize the risk of compromised credentials.
- Use basic Bash and Python scripts to automate tasks in the cloud.
- Implement network security controls that are native to both AWS and Azure.
- Employ an architectural pattern to automatically create and provision patched and hardened virtual machine images to multiple AWS accounts.
- Use Azure Security Center to audit the configuration in an Azure deployment and identify security issues.
- Use Terraform to deploy a complete "infrastructure as code" environment to multiple cloud providers.
- Leverage the Cloud Security Alliance Cloud Controls Matrix to select the appropriate security controls for a given cloud network security architecture and assess a CSP's implementation of those controls using audit reports and the CSP's shared responsibility model.
- Follow the penetration testing guidelines put forth by AWS and Azure to invoke your "inner red teamer" to compromise a full stack cloud application
- Use logs from cloud services and virtual machines hosted in the cloud to detect a security incident and take appropriate steps as a first responder according to a recommended incident response methodology.
- Perform a preliminary forensic file system analysis of a compromised virtual machine to identify indicators of compromise and create a file system timeline.
SEC488: Cloud Security Essentials reinforces the training material via multiple hands-on labs in each section of the course. Every lab is designed to impart practical skills that students can bring back to their organizations and apply on the first day back in the office. The labs go beyond the step-by-step instructions providing the context of "why" the skill is important and instilling insights as to why the technology works the way it does.
Highlights of what students will learn in SEC488 labs include:
- Leveraging the web consoles of AWS, Azure, and GCP to secure various cloud service offerings
- Hardening and securing cloud environments and applications using open source security tools and services
- Hardening, patching, and securing virtual machine images
- Using the command line interface (CLI) and simple scripts to automate work
- Preventing secrets leaking in code deployed to the cloud
- Using logs and security services to detect malware on a cloud virtual machine and perform preliminary file-system forensics
- Using Terraform to deploy a complete environment to multiple cloud providers
SEC488 Lab Summary
- Lab 1.1 - Deploying the SEC488, Inc. Infrastructure
- Lab 1.2 - Securing Console Access
- Lab 1.3 - Preventing Leakage of Secrets
- Lab 1.4 - IAM Access Analyzer
- Lab 2.1 - Deploy and Harden Threat Intelligence Instance
- Lab 2.2 - Serverless Dynamic Application Security Testing (DAST)
- Lab 2.3 - Which Reality
- Lab 2.4 - Bucket Lock Down
- Lab 3.1 - Data at Rest Encryption
- Lab 3.2 - Data in Transit Encryption
- Lab 3.3 - Terraform Code Assessment
- Lab 3.4 - CASB Techniques
- Lab 4.1 - Restricting Network Access
- Lab 4.2 - Web Application Firewall (WAF)
- Lab 4.3 - Cloud Log Retrieval
- Lab 4.4 - Azure Security Center
- Lab 5.1 - Security Hub Compliance Assessment
- Lab 5.2 - Government Clouds
- Lab 5.3 - Multicloud Penetration Testing
- Lab 5.4 - Multicloud Forensics
WHAT YOU WILL RECEIVE
- MP3 audio files of the complete course lectures
- Digital download package with supplementary content
- Printed and Electronic courseware
WHAT TO TAKE NEXT
SANS offers a wide variety of courses to take after SEC488, depending on your professional goals and direction. Please review our SANS Cloud Security Flight Plan for a full picture. Many students follow with one of the following courses:
Syllabus (36 CPEs)Download PDF
The first book will set the stage for the course and then dive straight into all things Identity and Access Management (IAM). Students will learn very quickly that IAM arguably plays the most important role (no pun intended) in protecting the organization's cloud account. In this book, students will be able to:
- Identify security holes in their cloud account's IAM service
- Understand what it takes to implement cloud accounts which follow the concept of least privilege access
- Discover and protect various secrets related to cloud service authentication
- Use cloud vendor-provided IAM analysis tools to automate the discovery of any security shortcomings
- Deploying the SEC488, Inc. Environment
- Securing Console Access
- Preventing Leakage of Secrets
- IAM Access Analyzer
- Course Overview
- Cloud Accounts
- Policies and Permissions
- Groups and Roles
- Temporary Credentials
- Secrets Management
- Customer Account Management and External Access
- More IAM Best Practices
The second book will cover ways to protect the compute elements in cloud providers' Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) offerings. Students will determine early on that there is much more complexity when launching instances or virtual machines in the cloud as opposed to on-premise. As the book progresses, students will learn to:
- Securely deploy a compute instance/virtual machine in CSP environments
- Maintain the running instance throughout its lifecycle
- Create hardened images for re-use in the organization
- Understand the various threats that could affect cloud-based applications
- Lock down cloud storage to prevent spillage of sensitive information
- Deploy and Harden Threat Intelligence Instance
- Serverless Dynamic Application Security Testing (DAST)
- Which Reality
- Bucket Lock Down
- Secure Instance/Virtual Machine Deployment
- Host Configuration Management
- Image Management
- Application Security
- Threat Modeling
- Platform as a Service (PaaS) and Software as a Service (SaaS) Challenges
- Container Services
- Cloud Storage
The third book will first focus on the protection of data in cloud environments. All too often, we are reading news articles about breaches that, very frequently, come down to a misconfiguration of a cloud service. Students will learn just what to look out for regarding these misconfiguration as well as:
- How to properly identify and classify their organization's data in various cloud services
- Encrypt data where it resides and as it traverses networks
- Ensure the data is available when it is required
- Leverage Infrastructure as Code (IaC) not only to automate operations, but also automate security configurations
- Identify gaps in cloud-based productivity services
- Learn how CASBs operate and what benefit they may add to the organization
- Data at Rest Encryption
- Data in Transit Encryption
- Terraform Code Assessment
- CASB Techniques
- Data Classification
- Data at Rest Encryption
- Data in Transit Encryption
- Lifecycle Management
- Infrastructure as Code
- Productivity Services
- Cloud Access Security Brokers (CASB)
In book 4 is where many network security analysts, engineers, and architects will begin salivating as they will do a deep dive into the ins and outs of cloud networking and log generation, collection, and analysis to set themselves up for success to defend their IaaS workloads. Students will learn to:
- Lean how to control cloud data flows via network controls
- Add segmentation between compute resources of varying sensitivity levels
- Generate the proper logs, collect those logs, and process them as a security analyst
- Increase the effectiveness of their security solutions by gaining more network visibility
- Detect treats in real time as they occur in the cloud
- Restricting Network Access
- Web Application Firewall (WAF)
- Cloud Log Retrieval
- Azure Security Center
- Private Cloud Networking
- Public Cloud Networking
- Network Segmentation
- Network Protection Services
- Cloud Logging Services
- Log Collection and Analysis
- Network Visibility
- Cloud Detection Services
In the fifth book, we'll dive headfirst into compliance frameworks, audit reports, privacy, and eDiscovery to equip you with the information and references to ensure that the right questions are being asked during CSP risk assessments. After covering special-use cases for more restricted requirements that may necessitate the AWS GovCloud or Azure's Trusted Computing, we'll delve into penetration testing in the cloud and finish the day with incident response and forensics. Student will learn to:
- Leverage the Cloud Security Alliance Cloud Controls Matrix to select the appropriate security controls for a given cloud network security architecture and assess a CSP's implementation of those controls using audit reports and the CSP's shared responsibility model
- Use logs from cloud services and virtual machines hosted in the cloud to detect a security incident and take appropriate steps as a first responder according to a recommended incident response methodology
- Perform a preliminary forensic file system analysis of a compromised virtual machine to identify indicators of compromise and create a file system timeline
- Security Hub Compliance Assessment
- Government Clouds
- Multicloud Penetration Testing
- Multicloud Forensics
- Security Assurance
- Cloud Auditing
- Government Clouds
- Risk Management
- Penetration Testing
- Legal and Contractual Requirements
- Incident Response and Forensics
This final book consists of an all-day, CloudWars competition to reinforce the topics covered in books 1-5. Through this friendly competition, students will answer several challenges made up of multiple choice, fill-in-the-blank, as well as hands-on and validated exercises performed in two CSP environments. They will be given a brand-new environment to deploy in two different cloud vendors and will be tasked to take this very broken environment and make the appropriate changes to increase its overall security posture.
GIAC Cloud Security Essentials
"The GIAC Cloud Security Essentials (GCLD) certification proves that the certificate holder understands many of the security challenges brought forth when migrating systems and applications to cloud service provider (CSP) environments. Understanding this new threat landscape is only half the battle. The GCLD certification goes one step further - proving that the defender can implement preventive, detective, and reactionary techniques to defend these valuable cloud-based workloads." - Ryan Nicholson, SANS SEC488 Course Author
Evaluation of cloud service provider similarities, differences, challenges, and opportunities
Planning, deploying, hardening, and securing single and multi-cloud environments
Basic cloud resource auditing, security assessment, and incident response
A basic understanding of TCP/IP, network security, and information security principles are helpful but not required for this course. Familiarity with the Linux command-line is a bonus.
Important! Bring your own system configured according to these instructions!
A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.
Students need to have:
- A laptop with a Chrome Internet browser. The laptop should have unrestricted access to the Internet and full administrative access. Chrome should allow for the addition of Chrome Extensions. Before class, the user should install the Secure Shell App in Chrome, https://url.sec488.com?id=425.
- Adobe Acrobat Reader
- A brand new free tier Amazon Web Services (AWS) account or an existing AWS account with root access and no restrictions
- A brand new free trial Azure account or an existing Azure account with owner access and no restrictions
SANS will provide:
- Supplementary content via download
Important! Bring your own system configured according to these instructions!
A properly configured system is required to fully participate in this course. These requirements are the mandatory minimums. If you do not carefully read and follow these instructions, you will likely leave the course unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. We strongly encourage you to arrive with a system meeting all the requirements specified for the course.
It is critical that you back-up your system before class. it is also strongly advised that you do not bring a system storing any sensitive data.
System Hardware Requirements
1. CPU: 64-bit Intel i5/i7 2.0+ GHz processor: Your system's processor must be a 64-bit Intel i5 or i7 2.0 GHz processor or higher.
2. RAM: 8 GB RAM (4 GB min): 8 GB RAM (4 GB min) is required for the best experience. To verify on Windows 10, press Windows key + "I" to open Settings, then click "System", then "About". Your RAM information will be toward the bottom of the page. To verify on a Mac, click the Apple logo at the top left-hand corner of your display and then click "About this Mac".
3. Hard Drive Free Space: No course VM is used in this course: Labs are performed via a browser-based application.
4. Operating System: Windows, macOS, or Linux have been tested to perform well with the course exercises.
Additional Hardware Requirements
The requirements below are in addition to the baseline requirements provided above.
1. Laptop Requirements for SEC488: Network, Wireless Connection: A wireless 802.11 B, G, N, or AC network adapter is required. This can be the internal wireless adapter in your system or and external USB wireless adapter. A wireless adapter allows you to connect to the network without any cables. If you can surf the Internet on your system without plugging in a network cable, you have wireless.
Additional Software Requirements
1. Adobe Acrobat or other PDF reader application
2. Google Chrome Browser: You need the Google Chrome browser installed on your system before you arrive for class. The course exercises have been tested with Chrome and not other browsers. You can download Chrome from here.
Your course media will then be delivered via download. The media files for class can be large, with some in the 40 - 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.
SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will increase quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful for keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.
If you have additional questions about the laptop specifications, please contact firstname.lastname@example.org.
"More businesses than ever are shifting mission-critical workloads to the cloud. And not just one cloud - research shows that most enterprises are using up to five different cloud providers. Yet, cloud security breaches happen all the time and many security professionals feel ill-prepared to deal with this rampant change. SEC488 equips students to view the cloud through a lens informed by standards and best practices to rapidly identify security gaps. It provides class participants with hands-on tools, techniques, and patterns to shore up their organization's cloud security weaknesses."