Last day to save $500 off interactive Live Online courses taught by industry experts during SANS 2021!

SANSFIRE 2020 - Live Online

Virtual, US Eastern | Sat, Jun 13 - Sat, Jun 20, 2020

SEC545: Cloud Security Architecture and Operations

Mon, June 15 - Fri, June 19, 2020

As more organizations move data and infrastructure to the cloud, security is becoming a major priority. Operations and development teams are finding new uses for cloud services, and executives are eager to save money and gain new capabilities and operational efficiency by using these services. But will information security prove to be an Achilles' heel? Many cloud providers do not disclose detailed control information about their internal environments, and many common security controls used internally may not translate directly to the public cloud.

SEC545: Cloud Security Architecture and Operations will tackle these issues one by one. We'll start with a brief introduction to cloud security fundamentals, then touch on the Cloud Security Alliance framework for cloud control areas. The rest of day 1 will cover the critical concepts of cloud technical security principles and controls for Software-as-a-Service (SaaS) and Platform-as-a-Service (PaaS), SaaS brokering services, and architecture concepts for containers and serverless controls and architecture. We'll finish up with an introduction to Infrastructure-as-a-Service (IaaS) and virtualization security.

The course then moves into cloud architecture and security design for two full days, both for building new architectures and adapting tried-and-true security tools and processes to the cloud. This will be a comprehensive discussion that encompasses network security (firewalls and network access controls, intrusion detection, and more), as well as all the other layers of the cloud security stack. We'll visit each layer and its components, including building secure instances, data security, identity and account security, and much more.

We'll then devote an entire day to adapting our offense and defense architecture and processes for the cloud. This will involve looking at vulnerability management and pen testing, as well as covering the latest and greatest cloud security research. On the defense side, we'll delve into incident handling, forensics, event management, and application security.

We'll wrap up the course by taking a deep dive into DevSecOps and automation, investigating methods of embedding security into orchestration and every facet of the cloud life cycle. We'll explore tools and tactics that work, and even walk through several cutting-edge use cases where security can be automated entirely in both deployment and incident detection-and-response scenarios using APIs and scripting.

Course Syllabus

Dave Shackleford
Mon Jun 15th, 2020
9:00 AM - 12:15 PM ET
1:30 PM - 5:00 PM ET


The course starts with an introduction to the cloud, including terminology, taxonomy, and basic technical premises. We also examine guidance available from the Cloud Security Alliance, including the Cloud Controls Matrix, the 14 major themes of cloud security, and other research available.

For most of the day we will examine the main technical considerations for Software-as-a-Service (SaaS) and Platform-as-a-Service (PaaS). We'll start by breaking down SaaS and some of the main types of security controls available, with examples of well-known SaaS provider options. A specialized type of Security-as-a-Service (SecaaS) known as Cloud Access Security Brokers will also be explained, with examples of what to look for in such a service. We'll touch on additional brokering services like Secure Access Service Edge and architecture and control concepts for this. We'll then shift to Platform-as-a-Service (PaaS) controls and architecture, with an emphasis on containers, orchestration, and serverless. We'll break down security controls for all of these in the major cloud providers and outline some suggested security architecture principles and practices to better secure and monitor these environments.

Finally, we'll discuss Infrastructure-as-a-Service (IaaS) security, which will set the stage for the rest of the course. The course day wraps up with an introduction to virtualization security, which all IaaS environments significantly rely upon.

  • VM Setup and Exploring Amazon Web Services
  • SecaaS with CloudPassage
  • Docker and Container Security Basics
  • Virtualization Security

CPE/CMU Credits: 6

  • Introduction to the Cloud and Cloud Security Basics
  • Cloud Security Alliance Guidance
  • SaaS Security Controls and Examples
  • Cloud Access Security Brokers
  • Secure Access Service Edge
  • Intro to PaaS Security Controls
  • Container Security Controls and Architecture
  • Orchestration Tools and Security Controls
  • Serverless Security Controls and Architecture
  • Introduction to IaaS Security Controls
  • Virtualization Security

Dave Shackleford
Tue Jun 16th, 2020
9:00 AM - 12:15 PM ET
1:30 PM - 5:00 PM ET


On day 2 we begin our journey into the realm of cloud security architecture and operational design. We'll start by breaking down a number of core architecture principles that can help all organizations use best practices in any project or cloud deployment scenario. Then we'll analyze suggested architecture best practices from the three leading cloud providers. Amazon, Microsoft, and Google all have recommendations that we can dissect and apply to any security design for the cloud.

After we cover core security architecture, we'll focus on two of the biggest topic areas: network security and identity and access management (IAM). We'll start by breaking down cloud-native network security controls in all of the major providers, then comparing traditional on-premise network controls to the cloud. Then we'll look at network security architecture models, comparing and contrasting which may work best for different organizations regardless of the cloud provider.

Once we finish up with network security, we'll spend a good amount of time discussing IAM core principles, as well as the service options available in each cloud provider. Then we'll start to assemble design structures for identity that include federation, roles, asset profiles, and the use of IAM as an isolation and segmentation tactic. We'll finish up with some discussion on the use of larger-scale network and identity designs that employ multiple virtual private clouds (VPCs) and cloud accounts.

  • VPC and Network Controls
  • Bastion Host Deployment
  • Introduction to IAM
  • Instance Profiles and asset-oriented IAM

CPE/CMU Credits: 6

  • Introduction to Cloud Security Architecture Principles
  • Amazon Web Services Frameworks: Well Architected and Cloud Adoption (more depth)
  • Azure Cloud Adoption Framework and Cloud + Assessments (Azure Architecture Review, Cloud Journey Tracker, Governance Benchmark)
  • Google 5 Principles for Cloud Native Architecture
  • Network Security Controls and Design
  • Network Security Architecture Models and Design
  • Identity and Access Management Core Controls and Policies
  • IAM Advanced Controls: Federation, Roles, Instance Profiles, Identity "Isolation"
  • Multi-VPC and Multi-Account Architecture and Strategies

Dave Shackleford
Wed Jun 17th, 2020
9:00 AM - 12:15 PM ET
1:30 PM - 5:00 PM ET


The third day of SEC545 continues our breakdown of controls and architecture considerations, starting with cloud workload security and operations management. We'll then look at architecture and design for data security, touching on encryption technologies, key management, and what the different options are today. We'll also cover another crucial topic: availability. Redundant and available design is as important as ever, but we need to use cloud provider tools and geography to our advantage. At the same time, we need to make sure we evaluate the cloud provider's DR and continuity, and so this is covered as well.

Additional topics will include cloud control plane assessment and architecture (touching on cloud security posture management), as well as a discussion of multi-cloud security architecture and controls.

  • Cloud Workload Security and Management
  • Secrets Management in a PaaS infrastructure
  • Cloud Configuration
  • Outbound Proxy Architecture

CPE/CMU Credits: 6

  • Cloud Workload Security and Operations Architecture
  • Data Security Controls and Architecture
  • Availability Design and Architecture
  • DR+BCP Considerations
  • Cloud Control Plane Security (Cloud Security Posture Management)
  • Multi-cloud Security Architecture

Dave Shackleford
Thu Jun 18th, 2020
9:00 AM - 12:15 PM ET
1:30 PM - 5:00 PM ET


There are many threats to our cloud assets, so the fourth day of the course begins with an in-depth breakdown of the types of threats out there. We'll look at numerous examples. We'll also show you how to design a proper threat model focused on the cloud by using several well-known methods such as STRIDE and attack trees and libraries.

On the defensive side, we start with network-based and host-based intrusion detection, and how to monitor and automate our processes to better carry out this detection. This is an area that has definitely changed from what we're used to in-house, so security professionals need to know what their best options are and how to get this done. We then cover incident response and forensics (also topics that have changed significantly in the cloud). The tools and processes are different, so we need to focus on automation and event-driven defenses more than ever.

Scanning and pen testing the cloud used to be challenging due to restrictions put in place by the cloud providers themselves. But today we are seeing significant progress, with most mature solutions well adapted to cloud provider environments. There are some important points to consider when planning a vulnerability management strategy in the cloud, and we'll touch on how to best scan your cloud assets and which tools are available to get the job done. Pen testing naturally follows this discussion, so weâll talk about how to work with the cloud providers to coordinate tests as well as how to perform testing yourself.

  • Cloud Threat Modeling
  • Cloud Defensive Guardrails
  • Logging and Event Monitoring in the Cloud
  • Scanning with AWS Inspector
  • Cloud Penetration Testing
  • Guardrail Analysis and Validation
  • Optional: Cloud Capture-the-Flag Challenge

CPE/CMU Credits: 6

  • Cloud Threats and Threat Modeling
  • Building Cloud Defensive Guardrails
  • Cloud Forensics and Incident Response
  • Cloud Vulnerability Assessment
  • Cloud Pen Testing + Red Team Operations

Dave Shackleford
Fri Jun 19th, 2020
9:00 AM - 12:15 PM ET
1:30 PM - 5:00 PM ET


On our final day we'll focus explicitly on how to automate security in the cloud, both with and without scripting techniques. We will use tools like the AWS CLI and AWS Lambda to illustrate the premises of automation, then turn our attention to DevSecOps principles. We begin by explaining what that really means, and how security teams can best integrate into DevOps and cloud development and deployment practices. We'll cover automation and orchestration tools like Ansible and Chef, as well as how to develop better and more efficient workflows with AWS CloudFormation and other tools.

Continuing some of the topics from day four, we will look at event-driven detection and event management, as well as response and defense strategies that work. While we won't automate everything, some actions and scenarios really lend themselves to monitoring tools like CloudWatch, tagging assets for identification in security processes, and initiating automated response and remediation to varying degrees. We wrap up the class day covering a few more tools and tactics, followed by a sampling of real-world use cases.

  • AWS CLI Automation
  • Infrastructure-as-Code
  • Cloud Configuration Management and Orchestration
  • Automating Cloud Defenses

CPE/CMU Credits: 6

  • Introduction to Automation and the AWS CLI
  • DevOps + DevSecOps Introduction (Pipeline Security)
  • Infrastructure-as-Code
  • Systems Management and Orchestration
  • Automating Detection and Response
  • Final Tools and Considerations

Additional Information

SEC545 students will have the opportunity to install, configure, and utilize the tools and techniques they have learned. You will be given a USB drive with three virtual machines, but it is critical that you have a properly configured system prior to class. Most labs are done online in the AWS Cloud.

IMPORTANT: You can use any 64-bit version of Windows, Mac OSX, or Linux as your core operating system that can also install and run VMware virtualization products. You also must have a minimum of 8 GB of RAM or higher for the VMs to function properly in the class. A VMware product must also be installed prior to coming to class. Verify that under BIOS, Virtual Support is ENABLED.

Mandatory System Requirements

  • System running Windows, Linux, or Mac OS X 64-bit version
  • At least 8 GB RAM
  • 40 GB of available disk space (more space is recommended)
  • Administrator access to the operating system
  • Anti-virus software will need to be disabled in order to install some of the tools
  • An available USB port
  • Wireless NIC for network connectivity
  • Machines should NOT contain any personal or company data
  • Verify that under BIOS, Virtual Support is ENABLED

Mandatory Downloads Prior to Coming to Class:

Mandatory Amazon Web Services (AWS) Account Prior to Coming to Class:

  • An AWS account is required to do hands-on exercises during this course. The AWS account must be created prior to the start of class. Your ability to execute the hands-on exercises will be delayed if you wait to set up the AWS account in class.
  • Estimated additional costs for the week of AWS account usage are $15 to $25.
  • For detailed instructions on how to create and/or set up this account, please visit the following URL:

It is critical that your CPU and operating system support 64-bits so that our 64-bit guest virtual machine will run on your laptop. VMware provides a free tool for Windows and Linux that will detect whether or not your host supports 64-bit guest virtual machines. For further troubleshooting, this article also provides good instructions for Windows users to determine more about CPU and OS capabilities. For Macs, please use this support page from Apple to determine 64-bit capability.

Please download and install VM Workstation Pro 15.5 or higher, VMware Fusion 11.5 or higher, or VMware Workstation Player 15.5 or higher versions on your system prior to the start of the class. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial on its website.

If you have additional questions about the laptop specifications, please contact

  • Security Analysts
  • Security Architects
  • Senior Security Engineers
  • Technical Security Managers
  • Security Monitoring Analysts
  • Cloud Security Architects
  • DevOps and DevSecOps Engineers
  • System Administrators
  • Cloud Administrators

A basic understanding of TCP/IP, network security, and security architecture are helpful for this course. Comfort with the command line is a must, as many exercises are conducted there (Linux command line skills are useful). Comfort with VMware virtualization is also a plus.

  • Several virtual machines that include a hypervisor, Ansible platform, and more
  • MP3 audio files of the complete course lectures
  • All policy and configuration files that can be used to automate security in AWS
  • A threat-modeling template that can be used for SEC545 and beyond
  • A Digital Download Package that includes the above and more
  • Understand all major facets of cloud risk, including threats, vulnerabilities, and impact
  • Articulate the key security topics and risks associated with SaaS, PaaS, and IaaS cloud deployment models
  • Evaluate Cloud Access Security Brokers to better protect and monitor SaaS deployments
  • Evaluate Secure Access Service Edge to help with cloud architecture design
  • Build security for all layers of a hybrid cloud environment, starting with hypervisors and working up to application layer controls
  • Evaluate basic virtualization hypervisor security controls
  • Design and implement network security access controls and monitoring capabilities in a public cloud environment
  • Design a hybrid cloud network architecture that includes IPSec tunnels
  • Integrate cloud identity and access management into security architecture
  • Evaluate and implement various cloud encryption types and formats
  • Develop multi-tier cloud architectures in a virtual private cloud using subnets, availability zones, gateways, and NAT
  • Integrate security into DevOps teams, effectively creating a DevSecOps team structure
  • Build automated deployment workflows using AWS and native tools
  • Incorporate vulnerability management, scanning, and penetration testing into cloud environments
  • Build automated and flexible detection and response programs using tools like AWS-IR, CloudWatch, CloudTrail, and AWS Lambda
  • Leverage the AWS CLI to automate and easily execute operational tasks
  • Set up and use an enterprise automation platform, Ansible, to automate configuration and orchestration tasks
  • Use CloudWatch, CloudFormation, and other automation tools to integrate automated security controls into your cloud security program

SEC545: Cloud Security Architecture and Operations reinforces knowledge transfer through the use of numerous hands-on labs. This approach goes well beyond traditional lectures and delves into literal application of techniques. Hands-on labs are held every day to reinforce the skills covered in class and to provide students with experience using tools to implement effective security. The labs are designed to enable students to apply what they are learning in an instructor-led environment. Labs are wide-ranging and include:

  • Security-as-a-Service labs
  • Architecture and design labs
  • Security automation labs
  • Offensive and defensive labs in the cloud
  • Log collection and review labs
  • Playing flAWS, a challenging cloud Capture-the-Flag challenge

Author Statement

The cloud is happening - face it! Security teams need to adapt to moving assets to the cloud, and quickly. Unfortunately, many security teams aren't comfortable with the tools, controls, and design models needed to properly secure the cloud, and they need to get up to speed fast. In addition, many DevOps teams are building automated deployment pipelines, and security teams aren't integrated into those workflows. This class is going to help you. We'll take you from A to Z in the cloud covering everything from policy, contracts, and governance to controls at all layers. We'll design cloud architectures, cover identity and access management and encryption, and look at how offense and defense differ in the cloud. We'll wrap it all up with automation tactics that will help you work effectively with the DevOps teams and build a sustainable cloud security program in your environment.