SEC549: Enterprise Cloud Security Architecture

DESIGN IT RIGHT FROM THE START

Without a mental model for threats in the cloud, architects attempt to strong-arm design patterns intended for the on-premise world onto cloud systems, hindering the speed of cloud adoption and modernization. Worse yet, failure to identify trust boundaries in the cloud results in missing security controls at the identity or network-planes and poor security outcomes. In the SEC549, students are introduced to security architecture as it applies to the cloud. Students take away from this course a clear mental model of the cloud and the controls available to them, allowing students to shift their threat models to this new, vastly different world with distributed perimeters and unfamiliar trust boundaries.

The course is constructed around the cloud migration journey of a fictional company and the challenges they encounter along the way. Students are tasked with phasing in a centralized identity plan and designing secure patterns for enabling cloud-hosted applications. Both network-layer and identity-layer controls are covered in-depth as complementary mechanisms for securing access to distributed resources. The importance of centralizing identity is a core take-away of this course as showcased through the discussion of fragmented identity and its perils, especially with the rise of the Cloud and the adoption of multiple cloud service providers. Students are taught the foundational concepts used when designing for phased identity consolidation so they can confidentially tackle similar challenges on the job.

"The book, material, labs allow for a very interactive learning experience regarding building and understanding cloud architecture. I am somewhat new to this side of the industry and have been able to follow along and keep up with everything discussed and taught in this module." - Nevan Beal, Raymond James

BUSINESS TAKEAWAYS:

• Mitigate the risk posed by nascent cloud technologies and their rapid adoption
• Decrease the risk of cloud migrations by planning for phased approach
• Help your organization prevent identity sprawl and tech debt through centralization
• Enable business growth by creating high-level guardrails
• Prevent costly anti-patterns from becoming entrenched
• Move your organization towards a Zero-Trust posture through the uplifting of existing access patterns

SKILLS LEARNED:

• Enable business through secure cloud architectural patterns
• Connect the dots between architectural patterns and real-life infrastructure
• Build a secure, scalable identity foundation in the cloud
• Centralize your organization's workforce identity to prevent sprawl
• Learn how to incorporate both network-based and identity-based controls
• Ability to create data perimeters for cloud-hosted data repositories
• Strategically approach a phased cloud migration

HANDS-ON TRAINING:

The hands-on portion of the SEC549 is unique and especially suited to the student who wants to architect for the cloud. Each lab is performed by observing and correcting an anti-pattern presented as an architectural diagram. The correct version of each diagram is implemented as live infrastructure in AWS and made available to the student to explore the configurations. In this course, the students have access to an enterprise-scale AWS Organization and can observe all details discussed in the labs and throughout the course.

Each of the sections of the course discusses security design considerations for all three major clouds, however there is an emphasis on working with AWS and labs are structured around concepts in AWS.

• Section 1: Structuring Accounts to Create Effective Hierarchies, Transitioning Access from IAM Users to Roles, AWS SSO for Permission Management
• Section 2: Integrating Modern Authentication into Legacy Applications, Creating a Shared VPC Architecture, Access Control for Shared Data Sets

"All three of today's labs were helpful in cementing the concepts. The "See It In Action" portions were particularly useful." - Oritse Uku

"The lab was straightforward and didn't require much existing AWS cloud knowledge. The lab demonstrated the how and why policies need to be manageable." - Andrew Guggenberger

SYLLABUS SUMMARY:

• Section 1: A foundational section covering IAM in the cloud, the higher-level resource containers in each of the 3 major cloud providers, and how to use restrictive policy to enforce guardrails on an enterprise-scale cloud estate.
• Section 2: A heavy emphasis on zero-trust and how to use cloud services to employ a ZT strategy, dividing the content into three categories, identity-layer controls, network-layer controls and controls used when building a data perimeter.

ADDITIONAL FREE RESOURCES:

• Privilege Escalation in GCP - A Transitive Path
• It's Like Chipotle - Demystifying GCP PaaS Services
• Fix Security Issues Left of Prod
• Detecting and Locking Down Malware in Azure, by Brandon Evans
• Top 5 Considerations for Multicloud Security, by Brandon Evans

WHAT YOU WILL RECEIVE:

• Printed and electronic courseware
• Draw.io architectural diagrams representing secure patterns you can use as reference architecture
• Access to SANS Cloud Security Alum Slack

WHAT COMES NEXT:

Depending on your current role or future plans, one of these courses is a great next step in your cloud security journey:

• Cloud Security Architect:
• MGT516: Managing Security Vulnerabilities: Enterprise and Cloud
• MGT520: Leading Cloud Security Design and Implementation

• Cloud Security Engineer:

  • SEC588: Cloud Penetration Testing
• Cloud Security Manager:
• SEC557: Continuous Automation for Enterprise and Cloud Compliance
• MGT516: Managing Security Vulnerabilities: Enterprise and Cloud
• MGT520: Leading Cloud Security Design and Implementation