SEC549: Cloud Security Architecture

Design It Right from the Start.

SEC549 teaches students how to design enterprise-scale, cloud infrastructure solutions for their organization. By learning the cloud providers' well-architected frameworks, security architects can design centralized security controls for their cloud estate while maximizing the speed of cloud adoption for the organization. Students will learn how threat models change in the cloud with new, vastly distributed perimeters and unfamiliar trust boundaries. With those challenges in mind, the focus shifts to designing strategies for centralizing and reinforcing workforce identity, conditional access, policy guardrails, workload identity, network security controls, data perimeters, and cloud logging.

SEC549 takes students through the cloud migration journey of a fictional enterprise and the challenges they encounter along the way. As aspiring cloud security architects, students perform threat models against the company’s existing cloud infrastructure. Using those threats and countermeasures, in-depth security architecture reviews are performed to identity the pros and cons of the company’s new cloud design patterns. 

Concluding each section, students are challenged to create their own architecture design plans supporting the enterprise’s acquisition of a young startup company. Each CloudWars scenario gives students insight into the startup’s existing cloud resources, interviews with key employees, and requirements for the migration. Students work in teams to build the migration plans, architecture diagrams, and documentation supporting the acquisition. Each team presents their cloud architecture plans in the final capstone exercise to determine which team wins the SEC549 challenge coin.

"I would recommend this course. It hits many core aspects of secure design. Additionally, lack of Cloud Security Architecture and Strategy, and Insecure Design have been highlighted as a top risk by organizations like Cloud Security Alliance and OWASP. Cloud security architecture topics need to have more attention and focus in general." - Greg Lewis, SAP

What Is Cloud Security Architecture?

Cloud security architecture requires us to understand business requirements and existing cloud services and capabilities in order to design access control patterns, network controls, and secure processes to support a business outcome that can be implemented and maintained within required cloud operating environments. This requires architects to understand and design secure cloud solutions for workloads deployed on Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS) service models. Understanding hybrid architecture patterns is also important as cloud workloads integrate with on-premises systems. The cloud security architect's goal is to identify security design flaws and inefficiencies when information systems interconnect and mitigate these flaws in the early stages of development using available cloud-capable security controls.

Business Takeaways

• Reduce cloud risks with strategic, phased adoption plans. 
• Prevent identity sprawl and technical debt through centralization. 
• Support growth with high-level guardrails and secure architecture. 
• Avoid costly anti-patterns with thoughtful cloud design. 
• Move toward zero-trust using proven access control patterns. 
• Create effective conditional access and manage policy exceptions. 

"The problems we talk about are some that I face in my job every day or know I will face shortly. Getting definitive answers for many of these issues is very helpful for me. Getting years of experience from the instructors and what they have worked on is invaluable." - Patrick Haughney, Paylocity

What You Will Learn

• Design secure, enterprise-ready cloud architectures that align with business goals.
• Build a scalable identity foundation using centralized workforce identity, conditional access policies, and break-glass access.
• Implement zero-trust security for workforce, customer, and workload identities using identity-based and network-based controls.
• Create micro-network segmentation with hub-and-spoke models and centralized inspection firewalls.
• Protect cloud data using strong perimeters, data lakes, shared Key Management Service (KMS), and disaster recovery strategies.
• Enable cloud incident response and telemetry with centralized intra-cloud and cross-cloud logging solutions.

Cloud Security Architect Training

The practical portion of SEC549 is unique and especially suited to students who want to architect for the cloud. Each lab is performed by observing and correcting an anti-pattern presented as an architectural diagram. The completed version of each diagram is implemented as live infrastructure in AWS, Azure, or Google (depending on the topic) and made available for students to explore. In this course, students have access to an enterprise-scale AWS, Azure, and Google Cloud organization and can observe all details discussed in the labs and throughout the course.

"I've done a lot of labs over the years. These are likely one of the best ways to present them I've ever used." - Daniel Russell, BCBSLA

"The labs and exercises were excellent and provided additional supplementary, hands-on learning that helped solidify the course content." - Tyler Piller, British Columbia Lottery Corporation

"Based on my experience, the labs in 549 are very much aligned with what an Architect could encounter in their day to day work." - Macie J Bak, Standard Chartered

Syllabus Summary

Each section discusses security design considerations for all three major clouds. Labs are used to demonstrate the real-world implementations.

• Section 1: Introduces core concepts like cloud threat modeling and secure design, then dives into cloud identity. Students build identity foundations, enable federation from Entra ID to AWS and GCP, design resource hierarchies, set up policy guardrails, and manage cloud access.
• Section 2: Explores zero-trust in the cloud, focusing on conditional access policies, customer identity and access management (CIAM), and authenticating users and machines across clouds.
• Section 3: Covers cloud network components and design, starting with key resources for public, private, and hybrid clouds. Students learn centralized management, micro-segmentation, traffic inspection, and how to access shared services.
• Section 4: Dives into cloud-native data protection, covering storage controls, data lake security, and data loss prevention using tags, attribute-based access control (ABAC), and masking. It ends with key management and backup architecture strategies.
• Section 5: Teaches how to enable SOC operations in the cloud—covering cloud data sources, log aggregation, and exporting to a central SIEM. Students design logging architectures that support threat detection, response, and recovery from cloud incidents.

Additional Free Resources

• Aviata Cloud Chapter 5: Centralizing Cross Cloud Security Events, Workshop
• Centralizing Cloud Logs and Events with Microsoft Sentinel, Webcast
• BigQuery Data Access Identity Architecture, cheat sheet
• Inspection VPC Architecture, cheat sheet
• Azure to AWS Identity Architecture, cheat sheet
• Azure to GCP Identity Architecture, cheat sheet
• Designing Access to Shared Datasets in the Cloud, workshop
• Breaking the Cloud Kill Chain, webcast
• Privilege Escalation in GCP - A Transitive Path, video
• It's Like Chipotle - Demystifying GCP PaaS Services, video
• Lessons Learned Deploying Modern Cloud Systems in Highly Regulated Environments, webcast

What You Will Receive

• Printed and electronic courseware
• Draw.io architectural diagrams representing secure patterns you can use as reference architecture
• Access to the SEC549 Cloud lab environment

What Comes Next?

• LDR520: Cloud Security for Leaders