SEC549: Enterprise Cloud Security Architecture (beta)

    12 CPEs

    The age of cloud computing has arrived as organizations have seen the advantages of migrating their applications from traditional on-premises networks. However, the rapid adoption of cloud has left architects scrambling to design on this new medium. A shift to the cloud requires cybersecurity professionals to reorient their security goals around a new threat model in order to enable business requirements while improving their organization's security posture. SEC549 is here to help enable this shift. The course takes an architectural lens to enterprise-scale cloud infrastructure challenges, covering the security considerations architects must address when tasked with business expansion into the cloud, from the secure usage of shared cloud-hosted data to the centralization of workforce identity.

    Course Author:
    Kat Traxler, Cloud Security Engineer

    What You Will Learn

    DESIGN IT RIGHT FROM THE START

    Without a mental model for threats in the cloud, architects attempt to strong-arm design patterns intended for the on-premises world onto cloud systems, hindering the speed of cloud adoption and modernization. Worse yet, failure to identify trust boundaries in the cloud results in missing security controls at the identity or network planes and poor security outcomes. In SEC549, students are introduced to security architecture as it applies to the cloud. Students take away from this course a clear mental model of the cloud and the controls available to them, allowing them to shift their threat models to this new, vastly different world of distributed perimeters and unfamiliar trust boundaries.

    The course is constructed around the cloud migration journey of a fictional company and the challenges it encounters along the way. Students are tasked with phasing in a centralized identity plan and designing secure patterns for enabling cloud-hosted applications. Both network-layer and identity-layer controls are covered in depth as complementary mechanisms for securing access to distributed resources. The importance of centralizing identity is a core takeaway of this course, showcased through a discussion of fragmented identity and its perils, especially with the rise of the cloud and the adoption of multiple cloud service providers. Students are taught the foundational concepts used when designing for phased identity consolidation so they can confidently tackle similar challenges on the job.

    BUSINESS TAKEAWAYS:

    • Mitigate the risk posed by nascent cloud technologies and their rapid adoption
    • Decrease the risk of cloud migrations by planning for a phased approach
    • Help your organization prevent identity sprawl and tech debt through centralization
    • Enable business growth by creating high-level guardrails
    • Prevent costly anti-patterns from becoming entrenched
    • Move your organization towards a Zero-Trust posture through the uplifting of existing access patterns

    SKILLS LEARNED:

    • Enable business through secure cloud architectural patterns
    • Connect the dots between architectural patterns and real-life infrastructure
    • Build a secure, scalable identity foundation in the cloud
    • Centralize your organization's workforce identity to prevent sprawl
    • Incorporate both network-based and identity-based controls
    • Create data perimeters for cloud-hosted data repositories
    • Strategically approach a phased cloud migration

    HANDS-ON TRAINING:

    The hands-on portion of SEC549 is unique and especially suited to the student who wants to architect for the cloud. Each lab is performed by observing and correcting an anti-pattern presented as an architectural diagram. The correct version of each diagram is implemented as live infrastructure in AWS and made available to the student to explore the configurations. In this course, students have access to an enterprise-scale AWS Organization and can observe all details discussed in the labs and throughout the course.

    Each section of the course discusses security design considerations for all three major clouds; however, the emphasis is on AWS, and the labs are structured around AWS concepts.

    • Section 1: Structuring Accounts to Create Effective Hierarchies, Transitioning Access from IAM Users to Roles, AWS SSO for Permission Management
    • Section 2: Integrating Modern Authentication into Legacy Applications, Creating a Shared VPC Architecture, Access Control for Shared Data Sets

    SYLLABUS SUMMARY:

    • Section 1: A foundational section covering IAM in the cloud, the higher-level resource containers in each of the three major cloud providers, and how to use restrictive policy to enforce guardrails on an enterprise-scale cloud estate.
    • Section 2: A heavy emphasis on zero trust and how to use cloud services to employ a zero-trust strategy, dividing the content into three categories: identity-layer controls, network-layer controls, and the controls used when building a data perimeter.

    ADDITIONAL FREE RESOURCES:

    • Privilege Escalation in GCP - A Transitive Path
    • It's Like Chipotle - Demystifying GCP PaaS Services
    • Fix Security Issues Left of Prod
    • Detecting and Locking Down Malware in Azure, by Brandon Evans
    • Top 5 Considerations for Multicloud Security, by Brandon Evans

    WHAT YOU WILL RECEIVE:

    • Printed and electronic courseware
    • Draw.io architectural diagrams representing secure patterns you can use as reference architecture
    • Access to SANS Cloud Security Alum Slack

    WHAT COMES NEXT:

    Depending on your current role or future plans, one of these courses is a great next step in your cloud security journey:

    • Cloud Security Architect:
      • MGT516: Managing Security Vulnerabilities: Enterprise and Cloud
      • MGT520: Leading Cloud Security Design and Implementation
    • Cloud Security Engineer:
      • SEC588: Cloud Penetration Testing
    • Cloud Security Manager:
      • SEC557: Continuous Automation for Enterprise and Cloud Compliance
      • MGT516: Managing Security Vulnerabilities: Enterprise and Cloud
      • MGT520: Leading Cloud Security Design and Implementation

    Syllabus (12 CPEs)

    • Section 1 Overview

      SEC549 kicks off by defining concepts used throughout the course, such as threat modeling the cloud, what makes a secure pattern, and how our mental models need to adapt for the cloud.

      This section dedicates a portion of time to the foundational concepts of identity in the cloud, from users, groups, roles, and machine identities to how those concepts subtly differ across the three major cloud providers. Managing identity in the cloud is an overarching theme of this section. Students learn the core concepts of identity federation, single sign-on, and the protocols used in these technologies. Using AWS SSO as an example, students are taught how to enable identity federation in support of a centralized workforce identity, automatically provision users to the cloud, and centrally maintain the attributes governing access control.

      Exercises
      • Structuring Accounts to Create Effective Hierarchies
      • Transitioning Access from IAM Users to Roles
      • AWS SSO for Permission Management
      Topics
      • Security Architecture in the cloud with an emphasis on threat modeling cloud-native services
      • Using the large-scale building blocks offered by the three CSPs to create effective hierarchical designs
      • Implementing an identity foundation - understanding how permissions are granted and patterns of IAM in the cloud
      • Federated access and single sign-on - managing users at scale with the federation of identity

    • Section 2 Overview

      Opening up Section 2 is an in-depth look at the zero-trust movement, its history, and how zero trust in the cloud can be leveraged to uplift legacy access patterns. Dividing the day are the complementary concepts of network-layer controls and identity-layer controls. Both are covered in detail as we look to build business-enabling patterns such as shared VPCs and the connection of VPC-aware to non-VPC-aware resources. Finally, to frame the discussion around S3 bucket controls, several common use cases for cloud-hosted data repositories are outlined, along with the accompanying controls that can be leveraged to enable them.

      Exercises
      • Integrating Modern Authentication into Legacy Applications
      • Creating a Shared VPC Architecture
      • Access Control for Shared Data Sets
      Topics
      • Cloud Migrations - considerations and business drivers
      • Zero-Trust Concepts - using cloud services to implement zero-trust patterns in a phased approach
      • Establishing Perimeters in the Cloud for Application Access - Network patterns in the cloud and using network-layer controls to enable application workloads
      • Establishing Perimeters in the Cloud for Data Access - AWS S3 use cases and design patterns to secure your data in the cloud
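
    As an added illustration (not SANS courseware or AWS code) of the two deny-only guardrail layers the syllabus describes, the restrictive organization policy of Section 1 and the S3 data perimeter of Section 2, the Python below declares a region-pinning SCP and a bucket policy with an identity perimeter (aws:PrincipalOrgID) and a network perimeter (aws:SourceVpce), then evaluates constructed sample requests against both. The organization ID, VPC endpoint ID, bucket name, account number and region list are made up, and the evaluator implements only the subset of IAM policy grammar these documents use; real IAM evaluation has more operators and edge cases.

```python
"""Deny-only guardrails (SCP + S3 data perimeter) evaluated against sample requests.
Added illustration, not SANS or AWS code; every identifier below is made up and the
evaluator covers only the policy grammar these two documents use."""
from fnmatch import fnmatchcase

ALLOWED_REGIONS = ["us-east-1", "eu-west-1"]      # hypothetical approved regions
ORG_ID = "o-exampleorg1"                          # hypothetical Organization ID
VPCE_ID = "vpce-0123456789abcdef0"                # hypothetical S3 gateway endpoint
BUCKET_ARNS = ["arn:aws:s3:::shared-analytics-data",
               "arn:aws:s3:::shared-analytics-data/*"]

# Section 1 guardrail: an SCP at the org root denying every action outside the
# approved regions, exempting global services that report us-east-1 or no region.
GUARDRAIL_SCP = {"Statement": [{
    "Sid": "DenyOutsideApprovedRegions", "Effect": "Deny",
    "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*",
                  "cloudfront:*", "route53:*", "s3:ListAllMyBuckets"],
    "Resource": "*",
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": ALLOWED_REGIONS}},
}]}

# Section 2 data perimeter: the shared bucket refuses principals from outside our
# org (identity layer) and requests not arriving via our VPC endpoint (network
# layer). Each statement is an independent explicit deny.
DATA_PERIMETER_BUCKET_POLICY = {"Statement": [
    {"Sid": "IdentityPerimeter", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": BUCKET_ARNS,
     "Condition": {"StringNotEquals": {"aws:PrincipalOrgID": ORG_ID}}},
    {"Sid": "NetworkPerimeter", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": BUCKET_ARNS,
     "Condition": {"StringNotEquals": {"aws:SourceVpce": VPCE_ID}}},
]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _action_matches(stmt, action):
    """Action/NotAction support '*' wildcards and are case-insensitive."""
    if "Action" in stmt:
        return any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt["Action"]))
    return not any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt["NotAction"]))

def _resource_matches(stmt, resource):
    return any(fnmatchcase(resource, p) for p in _as_list(stmt["Resource"]))

def _condition_matches(condition, ctx):
    """Every block must hold. A key absent from the request context never satisfies
    StringEquals but does satisfy StringNotEquals, which is why 'deny unless
    aws:SourceVpce equals X' also blocks internet requests, where the key is absent."""
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"unsupported operator {operator}")
        for key, expected in pairs.items():
            equal = key in ctx and ctx[key] in _as_list(expected)
            if operator == "StringEquals" and not equal:
                return False
            if operator == "StringNotEquals" and equal:
                return False
    return True

def explicit_denies(policy, action, resource, ctx):
    """Sids of the policy's Deny statements that apply to this request."""
    return [s["Sid"] for s in policy["Statement"]
            if s["Effect"] == "Deny"
            and _action_matches(s, action)
            and _resource_matches(s, resource)
            and _condition_matches(s.get("Condition", {}), ctx)]

def decide(action, resource, ctx):
    """Assumes the caller's identity policy allows the action (stated assumption);
    an explicit deny from either guardrail layer wins."""
    denies = explicit_denies(GUARDRAIL_SCP, action, resource, ctx)
    denies += explicit_denies(DATA_PERIMETER_BUCKET_POLICY, action, resource, ctx)
    return ("DENY", denies) if denies else ("ALLOW", [])

# Constructed request contexts: (name, action, resource, request context).
OBJECT = "arn:aws:s3:::shared-analytics-data/reports/q3.parquet"
SAMPLE_REQUESTS = [
    ("workload-in-vpc", "s3:GetObject", OBJECT,
     {"aws:RequestedRegion": "us-east-1", "aws:PrincipalOrgID": ORG_ID,
      "aws:SourceVpce": VPCE_ID}),
    ("laptop-on-internet", "s3:GetObject", OBJECT,
     {"aws:RequestedRegion": "us-east-1", "aws:PrincipalOrgID": ORG_ID}),
    ("foreign-org-inside-vpc", "s3:GetObject", OBJECT,
     {"aws:RequestedRegion": "us-east-1", "aws:PrincipalOrgID": "o-otherorg99",
      "aws:SourceVpce": VPCE_ID}),
    ("ec2-unapproved-region", "ec2:RunInstances",
     "arn:aws:ec2:ap-southeast-1:111122223333:instance/*",
     {"aws:RequestedRegion": "ap-southeast-1", "aws:PrincipalOrgID": ORG_ID}),
    ("sts-regional-endpoint", "sts:AssumeRole",
     "arn:aws:iam::111122223333:role/AnalyticsApp",
     {"aws:RequestedRegion": "ap-southeast-1", "aws:PrincipalOrgID": ORG_ID}),
]

def run_samples():
    """Map each sample request name to its (decision, denying Sids)."""
    return {name: decide(action, resource, ctx)
            for name, action, resource, ctx in SAMPLE_REQUESTS}

if __name__ == "__main__":
    for name, (decision, sids) in run_samples().items():
        print(f"{name:24} {decision:5} {', '.join(sids)}")
```

    The layering is the point: the region SCP never sees the bucket, and the bucket policy never sees EC2, yet a request must pass both. Two caveats when taking this pattern to a real estate: SCPs never constrain the organization's management account, and a region guardrail is only as safe as its NotAction exemption list, so attach new SCPs to a sandbox OU and exercise the global-service calls before moving them to the root.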

    Prerequisites

    The following are courses or equivalent experiences that are prerequisites for SEC549:

    • SANS SEC488: Cloud Security Essentials or hands-on experience using one of the three major clouds (AWS, Azure or GCP)
    • Familiarity with AWS Management Console

    Preparing for SEC549

    Students taking SEC549 will have the opportunity to learn identity access management (IAM) patterns in the cloud. A basic familiarity with IAM concepts like role-based access control, attribute-based access control and permission management is helpful but not required.

    Additionally, students will delve into cloud-native tools for securing deployments at the network layer. Having a basic understanding of network concepts such as firewalls, network access control lists and IP addressing is helpful but not mandatory.

    Laptop Requirements

    Prior to class, ensure that the following software is installed on the operating system:

    • Web browser with internet access (e.g. Chrome, Safari, Edge or Firefox)

    SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will increase quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful for keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.

    If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

    Author Statement

    "The cloud has turned our perimeter increasingly distributed and is often solely enforced with identity-based controls. In the cloud, safeguards have been lifted and the room for error is slim. Even with this grim reality, I am still optimistic. The migration to the cloud has enabled our most innovative technologies and presents an opportunity for the security sector to evolve and mature.

    If armed with the correct foundational principles, we can as an industry build a more secure future, with greater availability and confidentiality than ever possible on-premises. If history has taught us anything, transitioning to the new cloud-native, zero-trust world will be bumpy but I am so pleased to help shepherd you along the journey."

    - Kat Traxler


    Who Should Attend SEC549?

    This course is designed for:

    • Cloud Security Architects
    • Security Engineers
    • Cloud Engineers
    • DevOps Engineers
    • Security Auditors
    • System Administrators
    • Operations
    • Anyone who is responsible for:
      • Enabling business through secure cloud architecture
      • Evaluating and adopting new cloud offerings
      • Planning for cloud migrations
      • Identity and access management
      • Managing a cloud-based virtual network

    NICE Work Roles

    • Security Architect - SP-ARC-002
    • Research & Developmental Specialist - SP-TRD-001
    • Information Systems Security Developer - SP-SYS-001
    • Systems Developer - SP-SYS-002
    • IT Program Auditor - OV-OMA-005
    • System Administrator - OM-ADM-001
    • Information Systems Security Manager - OV-MGT-001

    © 2022 SANS™ Institute