SEC488: Cloud Security Essentials

GIAC Cloud Security Essentials (GCLD)
  • In Person (6 days)
  • Online
36 CPEs

More businesses than ever are moving sensitive data and shifting mission-critical workloads to the cloud, and not just to one cloud service provider (CSP). Organizations are responsible for securing their data and mission-critical applications in the cloud. The benefits in terms of cost and speed of leveraging a multicloud platform to develop and accelerate delivery of business applications and analyze customer data can quickly be reversed if security professionals are not properly trained to secure the organization's cloud environment and investigate and respond to the inevitable security breaches. New technologies introduce new risks. Help your organization successfully navigate both the security challenges and opportunities presented by cloud services.

20 Hands-on Labs + CloudWars CTF

What You Will Learn

License to Learn Cloud Security

Research shows that most enterprises have strategically decided to deploy a multicloud platform, including Amazon Web Services (AWS), Azure, Google Cloud Platform (GCP), and other cloud service providers. Mature CSPs have created a variety of security services that can help customers use their products in a more secure manner, but only if the customer knows about these services and how to use them properly. This course covers real-world lessons using security services created by the Big 3 CSPs, as well as open-source tools. Each section of the course features hands-on lab exercises to help students hammer home the lessons learned. We progressively layer multiple security controls in order to end the course with a functional security architecture implemented in the cloud.

This course will equip you to implement appropriate security controls in the cloud, often using automation to "inspect what you expect." We will begin by diving headfirst into one of the most crucial aspects of cloud - Identity and Access Management (IAM). From there, we'll move on to securing the cloud through discussion and practical, hands-on exercises related to several key topics to defend various cloud workloads operating in the different CSP models of: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS), and Functions as a Service (FaaS).

"I would recommend any tech friend to learn what they can about cloud security as the industry has been transitioning this way for quite a while. This class is a great introduction to this subject." - Christopher Barath, Wells Fargo

"Use of AWS, Azure and even GCP with concrete examples: that's a win!" - Maite Amourdon, SAP France

BUSINESS TAKEAWAYS:

  • Understand the current cloud deployment
  • Protect cloud-hosted workloads, services, and virtual machines
  • Cost-effectively select appropriate services and configure properly to adequately defend cloud resources
  • Get in front of common security misconfigurations BEFORE they are implemented in the cloud
  • Ensure business is aligning to industry regulations and laws when operating in the cloud
  • Decrease adversary dwell time in compromised cloud deployments

SKILLS LEARNED:

  • Navigate your organization through the security challenges and opportunities presented by cloud services
  • Identify the risks of the various services offered by cloud service providers (CSPs)
  • Select the appropriate security controls for a given cloud network security architecture
  • Evaluate CSPs based on their documentation, security controls, and audit reports
  • Confidently use the services of any of the leading CSPs
  • Protect secrets used in cloud environments
  • Leverage cloud logging capabilities to establish accountability for events that occur in the cloud environment
  • Identify the risks and risk control ownership based on the deployment models and service delivery models of the various products offered by cloud service providers (CSPs)
  • Evaluate the trustworthiness of CSPs based on their security documentation, service features, third-party attestations, and position in the global cloud ecosystem
  • Secure access to the consoles used to access the CSP environments
  • Implement network security controls that are native to both AWS and Azure
  • Follow the penetration testing guidelines put forth by AWS and Azure to invoke your "inner red teamer" to compromise a full stack cloud application

HANDS-ON TRAINING:

SEC488: Cloud Security Essentials reinforces the training material via multiple hands-on labs in each section of the course. Labs are performed via a browser-based application rather than a virtual machine. Each lab is designed to impart practical skills that students can bring back to their organizations and apply on the first day back in the office. The labs go beyond step-by-step instructions by providing the context of why the skill is important and instilling insights as to why the technology works the way it does.

Highlights of what students will learn in SEC488 labs include:

  • Leveraging the web consoles of AWS and Azure to secure various cloud service offerings
  • Hardening and securing cloud environments and applications using open source security tools and services
  • Building, hardening, patching, and securing virtual machines and virtual machine images
  • Using the command line interface (CLI) and simple scripts to automate work
  • Preventing secrets leaking in code deployed to the cloud
  • Using logs and security services to detect malware on a cloud virtual machine and perform preliminary forensics
  • Using Terraform to deploy a complete environment to multiple cloud providers

Section 1: New cloud users, Permissions boundaries, Cloud management station, Deploy CD/CA environment

Section 2: Secure instance deployment, Threat intelligence gold image, Which reality, Blob lock down

Section 3: Data hunting, Data in transit, Terraform code assessment, CASB techniques

Section 4: Restricting network access, Web Application Firewall (WAF), Cloud services logging, IaaS logging

Section 5: Security hub compliance assessment, Microsoft Defender for cloud, Multicloud penetration testing, Multicloud forensics

Section 6: CloudWars

"CloudWars was a very fun challenge. Each section had a good test of knowledge questions." - Evelyn Saucedo, USAA

"Today's Cloud Wars challenge was icing on the cake. Great way to tie in the materials lectured on as well as the lab exercises we have been doing all week. The topics covered were extremely relevant to issues that the military command I work for is having with their cloud environments." - Neale S., US Military

"The labs are my favorite part of the course. Hands on experience with industry standard environments." - Michael Moore, Wells Fargo

"Labs are great, great to reinforce material and also to see how things work behind the scenes." - Ed Yuwono

SYLLABUS SUMMARY:

Section 1 - Before we begin locking down specific services, we MUST understand Identity and Access Management (IAM) because, if left in the vendor's default state, it can prove devastating: a compromised account can mean GAME OVER for the cloud environment.

Section 2 - This section begins by focusing on how to securely deploy, manage, and maintain compute infrastructure as well as looking at cloud application deployments holistically to focus on locking down all relevant cloud components.

Section 3 - To avoid making negative headlines, we will ensure that we understand the data circulating through our cloud deployments and how to best protect this data as it resides in different types of services.

Section 4 - Two very important topics, networking and logging, allow us to control the flow of our traffic into, out of, and within our cloud-based operating environment, as well as setting ourselves up for success to spot adversarial activity.

Section 5 - Now that we understand industry best practices, there is still work to be done in this section as we learn how the cloud impacts compliance programs and how best to perform penetration tests and forensic investigations in the cloud.

Section 6 - The final section is unlike the previous as you will prove your skills learned in the first five sections through a hands-on CloudWars challenge.

ADDITIONAL FREE RESOURCES:

Defending Lift and Shift Cloud Applications, webcast

Cloud Security: You're It!, webcast

Cloud Complexities: Navigating the Headwinds, webcast

Secure Service Configuration in AWS, Azure, and GCP, poster

Spanish version - Secure Service Configuration in AWS, Azure, and GCP, poster

Take your learning beyond the classroom. Explore sans.org/cloud-security and the SANS Cloud Security YouTube channel for a wide variety of cloud security-specific content.

WHAT YOU WILL RECEIVE:

  • MP3 audio files of the complete course lectures
  • Printed and Electronic courseware
  • Extended access to the course's 20+ lab exercises
  • Access to SANS Cloud Alum Slack

WHAT COMES NEXT:

Depending on your professional goals and direction, SANS offers a number of follow-on courses to SEC488.

Cloud Security Analyst

Cloud Security Engineer or Architect

Cloud Security Management / Leadership

Please review our SANS Cloud Security Flight Plan for a full picture.

Syllabus (36 CPEs)

  • Overview

    The first section will set the stage for the course and then dive straight into all things Identity and Access Management (IAM). Students will learn very quickly that IAM arguably plays the most important role (no pun intended) in protecting the organization's cloud account. After this section, students will be able to:

    • Identify security holes in their cloud account's IAM service
    • Understand what it takes to implement cloud accounts which follow the concept of least privilege access
    • Discover and protect various secrets related to cloud service authentication
    • Use cloud vendor-provided IAM analysis tools to automate the discovery of any security shortcomings
    Exercises
    • New Cloud Users
    • Permissions Boundaries
    • Cloud Management Station
    • Deploy CD/CA Environment
    Topics
    • Course Overview
    • Cloud Accounts
    • Policies and Permissions
    • Groups and Roles
    • Temporary Credentials
    • Secrets Management
    • Customer Account Management and External Access
    • More IAM Best Practices
  • Overview

    The second section will cover ways to protect the compute elements in cloud providers' Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) offerings. Students will determine early on that there is much more complexity when launching instances or virtual machines in the cloud as opposed to on-premises. As the section progresses, students will learn to:

    • Securely deploy a compute instance/virtual machine in CSP environments
    • Maintain the running instance throughout its lifecycle
    • Create hardened images for re-use in the organization
    • Understand the various threats that could affect cloud-based applications
    • Lock down cloud storage to prevent spillage of sensitive information
    Exercises
    • Secure Instance Deployment
    • Threat Intelligence Gold Image
    • Which Reality
    • Blob Lock Down
    Topics
    • Secure Instance/Virtual Machine Deployment
    • Host Configuration Management
    • Image Management
    • Application Security
    • Threat Modeling
    • Platform as a Service (PaaS) and Software as a Service (SaaS) Challenges
    • Container Services
    • Cloud Storage
  • Overview

    The third section will first focus on the protection of data in cloud environments. All too often, we are reading news articles about breaches that, very frequently, come down to a misconfiguration of a cloud service. Students will learn just what to look out for regarding these misconfigurations as well as:

    • How to properly identify and classify their organization's data in various cloud services
    • Encrypt data where it resides and as it traverses networks
    • Ensure the data is available when it is required
    • Leverage Infrastructure as Code (IaC) not only to automate operations, but also automate security configurations
    • Identify gaps in cloud-based productivity services
    • Learn how CASBs operate and what benefit they may add to the organization
    Exercises
    • Data Hunting
    • Data in Transit Encryption
    • Terraform Code Assessment
    • CASB Techniques
    Topics
    • Data Classification
    • Data at Rest Encryption
    • Availability
    • Data in Transit Encryption
    • Lifecycle Management
    • Infrastructure as Code
    • Productivity Services
    • Cloud Access Security Brokers (CASB)
  • Overview

    Section 4 is where many network security analysts, engineers, and architects will begin salivating as they will do a deep dive into the ins and outs of cloud networking and log generation, collection, and analysis to set themselves up for success to defend their IaaS workloads. Students will learn to:

    • Learn how to control cloud data flows via network controls
    • Add segmentation between compute resources of varying sensitivity levels
    • Generate the proper logs, collect those logs, and process them as a security analyst
    • Increase the effectiveness of their security solutions by gaining more network visibility
    • Detect threats in real time as they occur in the cloud
    Exercises
    • Restricting Network Access
    • Web Application Firewall (WAF)
    • Cloud Services Logging
    • IaaS Logging
    Topics
    • Public Cloud Networking
    • Remote Management of IaaS Systems
    • Segmentation
    • Network Protection Services
    • Cloud Logging Services
    • Log Collection and Analysis
    • Network Visibility
    • Cloud Detection Services
  • Overview

    In the fifth section, we'll dive headfirst into compliance frameworks, audit reports, privacy, and eDiscovery to equip you with the information and references to ensure that the right questions are being asked during CSP risk assessments. After covering special-use cases for more restricted requirements that may necessitate AWS GovCloud or Azure's Trusted Computing, we'll delve into penetration testing in the cloud and finish the day with incident response and forensics. Students will learn to:

    • Leverage the Cloud Security Alliance Cloud Controls Matrix to select the appropriate security controls for a given cloud network security architecture and assess a CSP's implementation of those controls using audit reports and the CSP's shared responsibility model
    • Use logs from cloud services and virtual machines hosted in the cloud to detect a security incident and take appropriate steps as a first responder according to a recommended incident response methodology
    • Perform a preliminary forensic file system analysis of a compromised virtual machine to identify indicators of compromise and create a file system timeline
    Exercises
    • Security Hub Compliance Assessment
    • Microsoft Defender for Cloud
    • Multicloud Penetration Testing
    • Multicloud Forensics
    Topics
    • Security Assurance
    • Cloud Auditing
    • Privacy
    • Risk Management
    • Serverless for Defenders
    • Penetration Testing
    • Legal and Contractual Requirements
    • Incident Response and Forensics
  • Overview

    This final section consists of an all-day, CloudWars competition to reinforce the topics covered in books 1-5. Through this friendly competition, students will answer several challenges made up of multiple choice, fill-in-the-blank, as well as hands-on and validated exercises performed in two CSP environments. They will be given a brand-new environment to deploy in two different cloud vendors and will be tasked to take this very broken environment and make the appropriate changes to increase its overall security posture.

GIAC Cloud Security Essentials

The GCLD certification validates a practitioner's ability to implement preventive, detective, and reactionary techniques to defend valuable cloud-based workloads.

  • Evaluation of cloud service provider similarities, differences, challenges, and opportunities
  • Planning, deploying, hardening, and securing single and multi-cloud environments
  • Basic cloud resource auditing, security assessment, and incident response

Prerequisites

A basic understanding of TCP/IP, network security, and information security principles is helpful but not required for this course. Familiarity with the Linux command line or common cloud technology concepts is a bonus.

Laptop Requirements

Important! Bring your own system configured according to these instructions!

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

Students need to have:

  • A laptop with the Google Chrome web browser. The laptop should have unrestricted access to the Internet and full administrative access.
  • An OpenSSH client installed on their laptop
  • Adobe Acrobat Reader or other PDF reader application
  • A brand new free tier Amazon Web Services (AWS) account or an existing AWS account with root access and no restrictions (estimated cost is $5)
  • A brand new free trial Azure account or an existing Azure account with owner access and no restrictions

It is critical that you back-up your system before class. It is also strongly advised that you do not bring a system storing any sensitive data.

System Hardware Requirements

  1. Hard Drive Free Space: No course VM is used in this course. Labs are performed in the web browser and with a locally installed OpenSSH client.
  2. Operating System: Windows or macOS operating systems are supported.

Additional Hardware Requirements

The requirements below are in addition to the baseline requirements provided above.

Laptop Requirements for SEC488: Network, Wireless Connection: A wireless 802.11 network adapter is required. This can be the internal wireless adapter in your system or an external USB wireless adapter.

SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will increase quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful for keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

Author Statement

"More businesses than ever are shifting mission-critical workloads to the cloud. And not just one cloud - research shows that most enterprises are using up to five different cloud providers. Yet, cloud security breaches happen all the time and many security professionals feel ill-prepared to deal with this rampant change. SEC488 equips students to view the cloud through a lens informed by standards and best practices to rapidly identify security gaps. It provides class participants with hands-on tools, techniques, and patterns to shore up their organization's cloud security weaknesses."

- Ryan Nicholson

"Ryan is just awesome! He's very well versed and such a great instructor. I'm very fortunate to be part of his session." - Soumya P., Ernst & Young

"Ryan is terrific. His pace and speaking style are relaxed and easy to follow. Yet, it's easy to see he really knows a ton about this, and probably many other, topics. And he's always asking for feedback and checking to make sure everyone is following along OK." - Matt B., US Government

Reviews

"I learned a lot, went deeper technically than I expected to, and feel like this was absolutely a great use of my time. The instructors and TAs are top notch and made my experience taking this course a very positive one." - Marni Reemer, AWS

"Real world practicality of the labs has enabled me to envision how to explore and implement cloud best practices, tests, configurations, and the like which I found to be very valuable." - Emmanuel Ekochu, USDA

"This course is exactly what I hoped it would be. Teaching me Cloud from an IT Cloud Engineer perspective, but with a Security lens." - Jonathan Stohler, Boys Town
