LDR520: Cloud Security for Leaders

Overview

The first section of the course aims to help management professionals develop a solid fundamental knowledge into cloud adoption models and gain understanding on one of the most important security domain within cloud security which is Identity and Access Management (IAM).

Exercises

• Cloud security planning
• Landing Zone template scenario
• IAM account and access-based scenario

Topics

Introduction to Cloud

• Industry Cloud Adoption Rate

Cloud Service Model

• Cloud services fundamentals
• IaaS/PaaS/SaaS

Transition Process

• Planning process
• Initial setup and Landing Zone establishment

IAM - Segregation

• Multi-account/subscription
• Isolation to reduce blast radiation

IAM - Identity Management

• MFA/passwordless
• Single Sign-on for cloud
• Customer IAM integration
• Centralized management of identity, process and workflow

IAM - Access Management

• Leadership support in access management
• Managed policies/custom access policies
• Role management with workflow
• Risk reduction access rationalization drive on recurring basis
• Temporary just in time access management for privileged access
• Access management transformation for cloud adoption

Overview

The second section of the course is dedicated to managing the technology aspect of the cloud environment. Securing cloud technology is rather different than securing technologies on-premise. This section will highlight the difference and discuss the capabilities and competencies that matter the most.

Exercises

• Config Management
• Container/Image Management security
• Firewall/Network Architecture

Topics

Config Management

• Security configuration span and importance
• Configuration guardrail across services
• CSPM services and native tooling
• Maturity transformation over the journey of cloud adoption

Image Management

• VM and container image security management
• OS images in hybrid environment
• OS image automation and pipeline

Resource Management

• Resource management security automation
• Enterprise strategy to provide assistance and reference material

Network Management

• Cloud network design principles, IP schemes, network architecture
• Secure Network to support workforce, customers, partners and work locations
• Network Firewall challenges in cloud and identity based perimeter transformation

Cloud Architecture

• Security Best practices (Well architected framework and Security Reference Design)
• Zero Trust and Segmentation Transformation

Overview

In section three, we delve into three key cloud security domains: data asset protection, security detection and response in the cloud environment, and governance aspects of cloud security.

Exercises

• Data Protection
• Security Monitoring
• Cost Management

Topics

Data Encryption and Key Management

• Encryption at rest/in use and in transit within cloud
• Key management in cloud and hybrid environment, both strategy and implementation
• Common compliance driven requirements in encryption

Data Classification and Protection

• Automated data discovery across various cloud services
• Automated encryption and de-identification
• Enterprise practices and transformation in data protection (tagging, identification...)

Data Backup

• Data backup strategy in cloud
• Continuity vs recovery/resiliency
• Immutable backup
• Measuring metrics and validation

Security Intelligence

• Intelligence collection and generation
• Detection logic translation and transformation
• Feed evaluation and prioritization

Security Detection Analysis and Monitoring

• Security Monitoring and analysis
• Logs normalization
• Network flows/traffic based logs and application based logs
• Alerts tuning
• Hybrid environment monitoring operations
• Data level monitoring (CASB)

Security Response and Transformation

• Runbooks and playbooks in security response
• Metrics based operations and tuning
• Automation and effectiveness based transformation in cloud
• Modeling via table top and purple team exercises

Log Management

• Logging configuration, collection and device configuration
• Consolidated logs visibility across hybrid environments

Cloud Leadership and Oversight

• Strategy for executive involvement
• Organization for collaboration and driving proper ownership
• Goals, cadence and operations of the governance committee

Security Policy

• Structuring the policy and connecting the policy with implementation policies
• Enforcement of policy
• Communication of policy

Cost Management

• Cost management principles
• Model, budget and optimization
• Automation to assist with cost management
• Importance of tagging

Overview

Section four begins with a focus on securing applications/workloads within the cloud environment through comprehensive DevSecOps practices and integrated assessment tools. The discussion then transitions to security assurance mechanisms including protection services, posture validation, and regulatory compliance frameworks. The section concludes with an exploration of security testing methodologies including vulnerability assessments, penetration testing with deliberate scoping, and threat modeling of the cloud environment.

Exercises

• Application Protection
• Security validation and assessment
• Validation and Security testing

Topics

Cloud Application Practices

• DevSecOps best practices, security throughout the lifecycle
• SBOM
• CI/CD pipeline and security protection + integration
• Empowering development teams supported by security guidance
• Full stack development -- impact to IAM and traditional organization alignment

Application Assessment

• SAST/DAST integrated into CI/CD pipeline
• Threat modeling and manual testing

Security Protection Services

• Cloud based protection services such as DDoS and DNS protection
• WAF services
• CWPP and RASP that can be integrated into the application or running environment
• Progression of protection capabilities

Posture Validation

• Roles and responsibilities defined, ownership of vulnerabilities identified
• Getting consensus and commitment to remediate
• Benchmark selection and implementing the assessments in automatic fashion
• Operationalize the validation
• Rolling into a measurable program supporting 3rd line visibility

Regulatory Compliance

• Provider compliance
• Split of responsibilities for compliance
• Data level analysis to determine best compliance requirements

Security Testing

• Vulnerability assessment in cloud
• Penetration testing with deliberate scoping
• Threat modeling of the environment

Overview

In section five, we delve into the growing trend of adopting multi-cloud systems and emphasize the significance of a security strategy tailored for multi-cloud environments. Additionally, we examine the management aspects of the Software as a Service (SaaS) model and its application in enterprise settings. The section concludes with a capstone exercise, allowing students to apply the concepts, management tools, and methodologies they have learned in a practical scenario.

Exercises

Capstone: Large scale traditional enterprise moving to the cloud. Working in groups, students are to draft the roadmap to modernize the entire security program and present to the class on their approach.

Topics

Skill Readiness

• Structuring a training program
• Define training and learning models 
• Skills requirements definition 
• Scaling the program 

Organizational Alignment

• Involving teams at inception
• Supporting transformation through cross-functional teams
• Evolving the DevSecOps team
• Choosing between decentralized and centralized approaches

SaaS security management

• Multicloud Management
  • Security governance with multicloud
  • Technical config alignment
  • Workload mobility
  • Data level security alignment
  • Security monitoring across CSP