Security West 2020 - Live Online

Virtual, US Mountain | Mon, May 11 - Sat, May 16, 2020

SEC488: Cloud Security Essentials Beta

Mon, May 11 - Fri, May 15, 2020

Course Syllabus · 30 CPEs · Laptop Requirements
Instructor: Kyle Dickinson

***Please note: The SEC488 course is offered as a beta with discounted pricing; seating is limited to a maximum of two seats per organization. No additional discounts apply.***

More businesses than ever are moving sensitive data and shifting mission-critical workloads to the cloud. And not just one cloud service provider (CSP) - research shows that most enterprises have strategically decided to deploy a multi-cloud platform, including Amazon Web Services, Azure, Google Cloud, and others.

Organizations are responsible for securing their data and mission-critical applications in the cloud. The benefits in terms of cost and speed of leveraging a multi-cloud platform to develop and accelerate delivery of business applications and analyze customer data can quickly be reversed if security professionals aren't properly trained to secure the organization's cloud environment and investigate and respond to the inevitable security breaches.

The SANS SEC488: Cloud Security Essentials course will prepare you to advise and speak about a wide range of topics and help your organization successfully navigate both the security challenges as well as the opportunities presented by cloud services. Like foreign languages, cloud environments have similarities and differences, and SEC488 covers all of the major CSPs.

We will begin by showing how your day-to-day operations will change due to the evolution of the cloud. Expect changes from the different responsibility models to the different CSP models of Infrastructure-as-a-Service, Platform-as-a-Service, and Software-as-a-Service. From there we'll move on to securing the cloud, managing risk, and addressing the challenges you may experience as you look to achieve a specific level of security assurance.

New technologies introduce new risks. This course will equip you to implement appropriate security controls in the cloud, often using automation to "inspect what you expect." Mature CSPs have created a variety of security services that can help customers use their products in a more secure manner, but nothing is a magic bullet. This course covers real-world lessons using security services created by the CSPs and open-source tools. Each course day features hands-on lab exercises to help students hammer home the lessons learned. We progressively layer multiple security controls in order to end the week with a functional security architecture implemented in the cloud.

Course Syllabus


Kyle Dickinson
Mon May 11th, 2020
9:00 AM - 12:15 PM MT
1:30 PM - 5:00 PM MT

Overview

The first course day will set the stage for how day-to-day operations could change as an enterprise looks at cloud technologies. Different service and delivery models will influence how a business changes based on the model that is being leveraged. In addition to learning about important cloud fundamentals, students will be able to:

  • Identify the risks and risk control ownership based on the deployment and service delivery models of the various products offered by cloud service providers (CSPs).
  • Evaluate the trustworthiness of cloud service providers based on their security documentation, service features, third-party attestations, and position in the global cloud ecosystem.
  • Create accounts and use the services of any of the leading CSPs and be comfortable with the self-service nature of the public cloud. This includes finding documentation, tutorials, pricing, and security features.
  • Articulate the business and security implications of a multi-cloud strategy.

Day 1 Overview

What This Course Is Not

  1. Not a deep dive into all CSPs
  2. Not cloud vendor-specific training
  3. Not a complete comparison of major CSPs

What Is the Cloud?

  1. Characteristics of the cloud
  2. NIST SP 800-144 Guidelines on Security and Privacy in Public Cloud Computing
  3. ISO 17788 Information Technology - Cloud Computing - Overview and Vocabulary
  4. Cloud deployment models (SP 800-144)
  5. Service delivery models (SP 800-144)
  6. Additional services
  7. Cloud actors
  8. Specialized providers

The Global Cloud Ecosystem

  1. Market data on the growth of cloud computing
  2. IaaS market shares
  3. The top SaaS providers
  4. The JEDI contract
  5. Doing cloud in China (Note: Unlike the rest of Asia, China has very restrictive cloud computing regulations. This section addresses those restrictions because this is such a huge market.)
  6. Global cloud computing issues

Pros and Cons of the Public Cloud

(For this section, reference NIST SP 800-144)

  1. Trust issues: Customer sentiment toward the public cloud
  2. Market research showing concerns with public cloud adoption
  3. Potential security and privacy benefits and issues
  4. Risk- and cost-based decisions

Exercises

Lab 1.1: Exploring the Web Consoles of AWS, Azure, GCP, and Alibaba

In this lab, students will use an assigned user ID and password to log in to four different major cloud service providers to develop a sense of the similarities and differences across the CSPs.

Lab Learning Objectives

  • Log in with an assigned user account on each provider
  • Learn how to find documentation, tutorials, pricing, etc.
  • Explore IaaS on each CSP
  • Explore PaaS on each CSP
  • Explore SaaS on each CSP
  • Explore storage options on each CSP
  • Learn how to create user accounts on each provider

Lab 1.1 Topics

  • Multi-Cloud
    1. Trend data on using multiple CSPs
    2. Are all services created equal?
    3. Location, location, location: Why do location, regulation and other issues matter?
    4. Regions and availability zones
    5. Comparison of regions offered by various CSPs
  • Shared Responsibility Models
    1. What NIST has to say - Diagram from SP 800-144
    2. Cloud Security Alliance
    3. AWS shared responsibility model
    4. Azure shared responsibility model
    5. Google shared responsibility model
  • Infrastructure as a Service (IaaS)
    1. What is IaaS?
    2. Shared responsibility definition of IaaS
    3. Examples of IaaS in AWS
    4. Examples of IaaS in Azure
    5. Examples of IaaS in GCP
    6. Other IaaS providers

Lab 1.2: Launching Virtual Machines in AWS, Azure, GCP, and Alibaba

The students' cloud credentials will give them access to launch a virtual machine in all four CSPs via the console. Advanced students can play with multiple CSPs, while less advanced students can focus on the one of their choosing. A script triggered by the instructor will clean up the environments when this lab is over.

  • Platform as a Service (PaaS)
    1. What is PaaS?
    2. Shared responsibility definition of PaaS
    3. Examples of PaaS in AWS - AWS Elastic Beanstalk
    4. Examples of PaaS in Azure - Azure App Service
    5. Examples of PaaS in GCP - Google AppEngine
    6. Other PaaS providers

Lab 1.3: Exploring Platform-as-a-Service Offerings

In this lab, you will be taking advantage of a Platform as a Service (PaaS) offering from Google Cloud Platform (GCP) to deploy a web application in just a few minutes, a task that used to take hours, days, or even weeks. Both during and after deployment, we will explore what the provider does on our behalf from both an operations and a security perspective (whether we like it or not).

  • Software as a Service (SaaS)
    1. What is SaaS?
    2. Shared responsibility definition of SaaS
    3. Office 365
    4. Other SaaS providers: Dropbox, Salesforce, Workday

Lab 1.4: High-Level Security Assessment of Box.com

In this lab, students will conduct a very high-level security assessment focused on data protection measures that can (or cannot) be taken in a particular SaaS solution, Box.com. Given that we do not have granular access to the underlying application, we will find that we are totally at the mercy of the vendor as to how the data can be protected from prying eyes. There are, however, some options available to lock these data down.

  • X as a Service
    1. Desktop, identity, data science, database, functions
  • Cloud Communities...as a Service
    1. Conferences: RE:Invent, Ignite, RE:Inforce (AWS Security), Google Next
    2. Local: AWS Lofts, meet-ups, DevOps meet-ups

Day 1 Wrap-Up

CPE/CMU Credits: 6


Kyle Dickinson
Tue May 12th, 2020
9:00 AM - 12:15 PM MT
1:30 PM - 5:00 PM MT

Overview

Day 2 will cover ways you can access your cloud environments through new management interfaces, as well as programmatic access with APIs, access keys, and SDKs. We'll cover industry best practices for hardening the environments and securing workloads in different service providers and deployment models. We will finish the day by covering the different log sources you can pull from your environment to provide visibility, as well as the tools that can automatically review your accounts for compliance with best practices and industry benchmarks.

Day 2 will equip students to:

  • Secure access to the consoles used to access cloud service provider environments.
  • Use command line interfaces to query assets and identities in the cloud environment.
  • Use hardening benchmarks, patching, and configuration management to achieve and maintain an engineered state of security for the cloud environment.
  • Evaluate the logging services of various cloud service providers and use those logs to provide the necessary accountability for events that occur in the cloud environment.

How Does Security Change in the Cloud?

  1. User interfaces aka the "data center panel"
  2. Command line interfaces and SDKs
  3. Infrastructure-as-code
  4. Source code repositories
  5. Serverless technologies
  6. Flexibility

Interacting with CSPs

  1. User interfaces aka the "data center panel"
  2. AWS console
  3. Azure console
  4. GCP platform
  5. Command line interfaces and SDKs
  6. AWS CLI
  7. BOTO3
  8. Azure PowerShell
  9. Azure Cloud Shell
  10. Google's Cloud SDK
  11. Gcloud Web Shell

Infrastructure-as-Code

  1. Tagging strategies
  2. Tagging resources
  3. Tags across CSPs
  4. Infrastructure-as-code
  5. CloudFormation
  6. Terraform
  7. Azure Resource Manager
  8. Source code repositories
  9. git
  10. GitHub
  11. Code repository details
  12. .gitignore

Serverless

  1. AWS Lambda
  2. Containers
  3. AWS Elastic Container Service
  4. Kubernetes as-a-Service
  5. Container security - Azure
  6. Container security - AWS
    7. Container security tools

Exercises

Lab 2.1: Securing Console Access

This lab will go over best practices for securing access to the AWS and Azure consoles. The purpose is to expose students to an existing account that may be typical in a day-to-day scenario, and have them evaluate what has and has not been done to secure the account in the most basic way possible.

  • Identity and Access Management
    1. Introduction to IAM
    2. AWS - IAM users
    3. AWS - IAM user API calls
    4. AWS - Groups
    5. AWS - Roles
    6. Assume role method
    7. AWS IAM - Policies
    8. AWS IAM policy evaluation
    9. AWS IAM analyzer
    10. AWS IAM credential report
    11. Azure Identity and access management
    12. Azure - Roles
    13. Azure - Service principal
    14. User lifecycle management - Local IAM users
    15. Identity federation
    16. Single sign-on providers
    17. MFA

Lab 2.2: Getting to Know AWS via the AWS Command Line Interface

This lab will have students create IAM groups and policies with the CLI. Students will also review the permissions associated with their IAM user in order to understand which actions are permitted and which are restricted. Finally, students will leverage the CLI to create an inventory of users as well as other assets of interest.

  • Hardening Infrastructure
    1. Patching
    2. CIS operating system benchmarks
    3. AWS config service
    4. Center for Internet Security (CIS)
    5. CIS benchmark for AWS
    6. CIS benchmarks for AWS example
    7. CIS benchmarks for AWS - Security Hub
    8. CIS benchmark for Azure
    9. Hardening virtual machines
    10. Host assessment tools
    11. Marketplace images
    12. Hardening containers and Kubernetes

Lab 2.3: Using an Open-Source Tool to Audit an AWS Account

This lab will use an open-source tool to compare the configuration of an AWS account against the CIS benchmarks. We will also introduce the idea of combining multiple CLI commands into a script.

  • Logging Services
    1. AWS logging services at a glance
    2. AWS CloudTrail
    3. CloudTrail example
    4. CloudTrail - Who
    5. CloudTrail - What/Where/How
    6. AWS organization trail
    7. Centralize CloudTrail logs
    8. Visualizing AWS CloudTrail
    9. Visualizing CloudTrail S3 logs
    10. Amazon CloudWatch
    11. CloudWatch logs agent
    12. CloudWatch log group example
    13. AWS VPC traffic mirroring
    14. Visualizing VPC FlowLogs
    15. VPC FlowLogs vs. VPC traffic mirroring
    16. AWS Kinesis Firehose aka ship logs elsewhere...fast!
    17. Azure logging services
    18. Azure activity
    19. Azure diagnostic logging
    20. Azure Event Hub
    21. Google Stackdriver
    22. Logging tools
    23. Athena
    24. Azure Data Lake Analytics
    25. Azure Advisor
    26. AWS Trusted Advisor
    27. AWS Elasticsearch
    28. Microsoft PowerBI
    29. GrayLog
    30. Splunk
    31. Azure Sentinel

Lab 2.4: Log Service Exploration

In this lab, students will review the different logging technologies from multiple cloud service providers. We'll also provide a brief technology overview to prepare for a more in-depth logging lab on day 5.

  • Cloud Security Tools
    1. Cloud Security Posture Management (CSPM)
    2. CSPM integration
    3. Cloud Access Security Broker (CASB)
    4. Cloud workload protection platform
    5. Cloud security tool groups
    6. Prisma Cloud
    7. CloudSploit by Aqua
    8. Capital One's Cloud Custodian
    9. Pacu
    10. CloudGoat
    11. Prowler
    12. PowerZure

Day 2 Wrap-Up

CPE/CMU Credits: 6


Kyle Dickinson
Wed May 13th, 2020
9:00 AM - 12:15 PM MT
1:30 PM - 5:00 PM MT

Overview

This course day will build on our review of how developers can leverage the cloud's flexibility. After starting with a discussion of secrets management, we dive into Application Security, and apply cloud technologies, design patterns, and best practices to our cloud applications. Understanding and applying the basics of securing cloud applications will put you ahead of many residents of the cloud. Students will learn to:

  • Implement, configure, and secure certificate-based SSH authentication to virtual machines launched in the cloud.
  • Configure the CLI and properly protect the access keys to minimize the risk of compromised credentials.
  • Use basic Bash and Python scripts to automate tasks in the cloud.
  • Learn to prevent secrets leakage in code deployed to the cloud.
  • Use application security tools to threat model and assess the security of cloud-based web applications.

Application Security

  1. Systems Development Life Cycle (SDLC)
  2. Common SDLC stages
  3. AppSec frameworks
  4. MS SDL best practices
  5. Compliance reporting
  6. AWS Inspector
  7. Cloud SAST/DAST
  8. OWASP SAMM
  9. OWASP SAMM overview
  10. Cloud components
  11. Vendor Security Assessment Questionnaire (VSAQ)

Threat Modeling

  1. How does the application normally function?
  2. Data flow diagram
  3. How could the application be abused?
  4. Spoofing
  5. Tampering
  6. Repudiation
  7. Information disclosure
  8. Denial of service
  9. Escalation of privilege
  10. What can I do to address the abuse?
  11. Microsoft's threat modeling tool
  12. OWASP Threat Dragon

Exercises

Lab 3.1: Threat Modeling

In this lab, students will use two Software-as-a-Service (SaaS) offerings in our quest to threat model a sample application.

  • IAM Key Management
    1. Identity and Access Management (IAM)
    2. Cloud console access
    3. AWS IAM best practices
    4. AWS IAM security status
    5. Account types
    6. AWS programmatic access
    7. AWS config and credentials files
    8. Adding programmatic account keys to AWS CLI
    9. AWS configure
    10. Instance/Virtual machine access
    11. GCP web-based Interface
    12. SSH public key authentication
    13. known_hosts
    14. AWS EC2 key pairs
    15. Break the glass key
    16. Using the AWS-generated key (UNIX/Linux/Windows)
    17. Using the provider-generated key (PuTTY)
    18. Recovering an instance with a lost keypair
    19. Bring your own key pair
    20. Using SSH public keys in Azure
    21. Adding a second key to an EC2 instance
    22. Centralized directory service

Lab 3.2: Adding and Rotating SSH Keys

In this lab, students will implement a few best practices on our AWS EC2 instance. First, we will create a new, unique user to help with our non-repudiation objective. We will then create and use an SSH key pair to log into this instance, and go through the process of rotating this key pair.

  • Secrets Management Overview
    1. What are secrets?
    2. CWE-256: Unprotected storage of credentials
    3. CWE-256 example: WordPress
    4. Protecting secrets with cloud services
    5. Addressing the WordPress issue
    6. Secrets rotation
    7. AWS secrets manager rotation
    8. git-secrets

Lab 3.3: Preventing Leakage of Secrets

This lab will have our virtual machine acting as a development system that pulls and pushes code to GitHub. Here, we will implement some protections to prevent a developer from accidentally (or purposefully) uploading sensitive information.

  • Handling Temporary Access
    1. Temporary credentials
    2. AWS STS
    3. AWS CLI STS example
    4. Identity federation
    5. SAML 2.0
    6. SAML workflow
    7. AWS SAML-based federation
    8. OAuth 2.0
    9. OpenID Connect
    10. Azure AD OpenID Connect Integration
    11. AWS Cognito
    12. Firebase
    13. Delegation
    14. AWS cross-account access
    15. Instance roles
    16. EC2-Full role
  • Application Programming Interface (API)
    1. Cloud API resources
    2. API request example
    3. Logging of API calls
    4. Cloud logging
    5. Console log view
    6. Integration into SIEM
    7. Gartner's 10 Questions to Answer Before Adopting SaaS SIEM
    8. Cloud Access Security Broker (CASB)
    9. CASB deployments

Lab 3.4: CloudTrail Log Retrieval

In this lab, we will develop a proof-of-concept solution to begin pulling specific CloudTrail log data from AWS, demonstrating how security teams can export these valuable logs to a SIEM solution.

  • Encryption Primer
    1. Data-at-rest encryption
    2. Data-in-transit encryption
    3. Symmetric encryption
    4. Asymmetric encryption
    5. Attacking cryptography - Theory
    6. Key guessing
    7. Man-in-the-middle
    8. Storage encrypted by default?
    9. Hardware Security Module (HSM)
    10. Cloud-based HSMs
    11. Cloud HSM SSL/TLS offloading
    12. Bring your own keys
    13. Key wrapping
    14. Data-at-rest considerations
    15. Data-at-rest risks
    16. S3 information disclosure blunders
    17. Addressing information disclosure
    18. Public read
    19. Public read warnings
    20. Assessing public buckets
    21. Assessing AWS encryption
    22. Assessing Azure disk encryption
    23. Addressing data integrity and data loss
    24. Data versioning
    25. Additional retention options
    26. Data availability
    27. Data hunting
    28. AWS Macie
    29. GCP data loss prevention

Lab 3.5: Data Protection

In this lab, we will be making some configuration changes in the AWS S3 and EC2 services to protect the data housed in these two services. We will address several facets of security: confidentiality, availability, and integrity.

  • Denial of Service Protections
    1. Denial of service
    2. Denial of service attack types
    3. Amplification
    4. Leveraging cloud vendors for DoS protection
    5. AWS Shield
    6. What about on-premises?
    7. Web Application Firewalls (WAF)
    8. Why cloud-based WAFs?
    9. AWS WAF

Day 3 Wrap-Up

CPE/CMU Credits: 6


Kyle Dickinson
Thu May 14th, 2020
9:00 AM - 12:15 PM MT
1:30 PM - 5:00 PM MT

Overview

On day 4, we look at the components of cloud security architecture, including architecture frameworks and cloud network design principles and component technologies. We cover native cloud security services and their importance in a well-designed security architecture as well as important operational practices such as hardening and patching - using cloud automation, of course. Next, we leverage the flexibility of cloud services using capabilities that enable "infrastructure-as-code" for rapid deployments, including serverless technologies.

After day 4, students will be able to:

  • Implement network security controls that are native to both AWS and Azure.
  • Employ an architectural pattern to automatically create and provision patched and hardened virtual machine images to multiple AWS accounts.
  • Use Azure Security Center to audit the configuration in an Azure deployment and identify security issues.
  • Use Terraform to deploy a complete "infrastructure as code" environment to multiple cloud providers.

Architecture Considerations

  1. AWS Well Architected Framework
  2. AWS Well Architected Framework tool
  3. AWS Cloud Adoption Framework
  4. Azure Cloud Adoption Framework
  5. Azure Cloud Journey Tracker
  6. Load balancing
  7. AWS Elastic Load Balancer (ELB)
  8. Scaling
  9. AWS Auto Scaling groups
  10. Azure Autoscale
  11. Chaos engineering
  12. DevOps
  13. AWS Artifact
  14. Azure Service Trust Portal
  15. Azure Virtual Machine
  16. AWS Certificate Manager
  17. Azure Key Vault
  18. AWS Secrets Manager
  19. AWS KMS
  20. AWS KMS Management
  21. AWS VPC FlowLogs
  22. AWS VPC Traffic Mirroring
  23. AWS VPC Endpoints
  24. AWS S3 Glacier
  25. AWS S3
  26. AWS Snowball
  27. AWS Outposts

Segmentation and Isolation

  1. Segmentation
  2. Google Cloud projects
  3. Account segmentation
  4. Azure resource groups
  5. Azure policy
  6. GCP projects
  7. AWS organizations
  8. AWS Resource Access Manager
  9. VPNs
  10. Azure ExpressRoute
  11. NACLs
  12. AWS security groups vs. NACLs
  13. Virtual Private Cloud (AWS VPC/Azure VNet)
  14. AWS Virtual Private Cloud (VPC)
  15. AWS Subnets
  16. Azure Virtual Network (VNet)
  17. Security groups
  18. AWS security group
  19. Azure security group
  20. Azure Just-in-Time (JIT)
  21. Azure Bastion Host
  22. AWS Bastion Quickstart
  23. Azure Firewall
  24. AWS VPC peering
  25. AWS VPC Peering Considerations
  26. AWS VPN
  27. S3 Bucket Hardening
  28. S3 Bucket Hardening for Sensitive Use-Cases
  29. Azure Storage Accounts
  30. Harden Azure Storage

Exercises

Lab 4.1: VPCs

We have a Production VPC that has no public internet connectivity (that is, the virtual machines have no public IP addresses). We need our development environment to be able to communicate with a server that resides in this Production VPC without requiring network configurations that expose the Production VPC to the Internet.

We're going to peer (establish a trust) between your VPC and our "Production VPC." The Production VPC is located in the instructor's account and has a couple of virtual machines that can only be accessed by private IP. A simple solution is to peer our VPCs so that you can reach this environment.

  • Patching
    1. AWS SSM Patch Manager
    2. Azure Automation, Update Manager
    3. SCCM/BigFix
    4. Automox
  • Let's Cook...Images...
    1. AWS Service Catalog
    2. AWS Image Builder
    3. Azure Image Builder
    4. Hashicorp Packer
    5. Chef
    6. Puppet
    7. AWS OpsWorks
    8. Ansible
    9. AWS Systems Manager

Lab 4.2: Hardened Image Provisioning

This lab will take us through the process of creating a hardened virtual machine, installing some common security tools, creating an image, and then deploying a new virtual machine from that image.

  • Vulnerability Scanning
    1. AWS GuardDuty
    2. AWS Security Hub
    3. Azure Security Center
    4. Vulnerability assessment requests
    5. Security assessments - AWS
    6. Vulnerability assessments - Azure
    7. AWS Inspector
    8. Vulnerability scanning considerations

Lab 4.3: Azure Security Center Exploration

The various cloud service providers (CSPs) offer tools to help secure our cloud presence. What sort of insight do these tools give us? We're going to take a look at Azure Security Center and the different areas that help us secure our Azure environment further.

  • Infrastructure as Code
    1. Terraform CLI
    2. Terraform Cloud
    3. CloudFormation deep dive
    4. Disaster recovery planning
    5. AWS Service Catalog - Item Creation
    6. AWS Landing Zone

Lab 4.4: Introduction to Terraform

This lab will use Terraform to provision a simple architecture in a single cloud provider. If you want to test both your will and skills, you'll have the option to deploy a simple architecture to AWS and Azure.

CPE/CMU Credits: 6


Kyle Dickinson
Fri May 15th, 2020
9:00 AM - 12:15 PM MT
1:30 PM - 5:00 PM MT

Overview

On the fifth day, we dive headfirst into compliance frameworks, audit reports, privacy, and eDiscovery to equip you with the questions and references needed to ensure the right questions are asked during CSP risk assessments. After covering special-use cases for more restricted requirements that may necessitate AWS GovCloud or Azure's Trusted Computing, we delve into penetration testing in the cloud and finish the day with incident response and forensics. Day 5 will equip students to:

  • Leverage the Cloud Security Alliance Cloud Controls Matrix to select the appropriate security controls for a given cloud network security architecture and assess a CSP's implementation of those controls using audit reports and the CSP's shared responsibility model.
  • Use logs from cloud services and virtual machines hosted in the cloud to detect a security incident and take appropriate steps as a first responder according to a recommended incident response methodology.
  • Perform a preliminary forensic file system analysis of a compromised virtual machine to identify indicators of compromise and create a file system timeline.

Security Assurance

  1. Security Assurance: The big picture
  2. Stakeholders (Per NIST)
  3. Stakeholders within the company
  4. Administrative controls
  5. Due care and industry consensus
  6. Standards
  7. Audits and the cloud
  8. CIS Cloud Companion Guide
  9. Audit reports
  10. Audit reporting periods
  11. SOC 2 trust principles
  12. Sample SOC 2 Report

Privacy

  1. Privacy poles
  2. What constitutes PII processing?
  3. Fair information principles
  4. Privacy standards and laws
  5. Examples of personal identifying attributes
  6. HIPAA and CSPs
  7. General Data Protection Regulation
  8. U.S. privacy laws (including the new CCPA)
  9. Data protection laws of the world
  10. Breach notification processes
  11. Privacy and compliance in AWS, Azure, GCP, and Alibaba

Risk Management

  1. Risk frameworks
  2. Privacy risk management
  3. Privacy Impact assessments
  4. CSA Octagon Model, CCM, CAIQ

Legal and Contractual Requirements

  1. The supply chain - Visualized
  2. Negotiated agreements vs. Non-negotiable cloud agreements
  3. Cloud computing agreement topics
  4. eDiscovery in the cloud
  5. The Clarifying Lawful Overseas Use of Data (CLOUD) Act
  6. Contract lifecycle

Exercises

Lab 5.1: Using AWS Artifact and the Cloud Controls Matrix

In the Lab Scenario section, we provide you with a proposed cloud architecture for a fictional company ("ACME Medical") along with the compliance regulations that the environment must meet. Your tasks are to review the architecture, identify the compliance issues, and use the Cloud Controls Matrix to select the applicable security controls. We will also use AWS Artifact to download the applicable attestations and make a cursory review of each artifact.

  • Government Clouds
    1. Government cloud migrations
    2. U.S. government compliance programs
    3. FedRAMP
    4. DoD Cloud SRG
    5. AWS GovCloud/Azure Government
  • Incident Response & Forensics
    1. The SANS Incident Response Methodology
    2. Preparation
    3. Planning for early identification
    4. Planning for effective containment
    5. Planning for effective eradication/recovery
    6. Planning to maximize lessons learned
    7. How about a word from our friends at CSA?
    8. Security logging strategy for the cloud
    9. AWS vs. Azure vs. GCP - Security and logging services
    10. Cloud management plane logging: AWS CloudTrail
    11. Cloud log monitoring /dashboard: AWS CloudWatch
    12. AI threat detection: Azure Advanced Threat Protection (ATP)
    13. Security alert aggregation: GCP Cloud Security Command Center (SCC)
    14. Packet capture: Azure Network Watcher and Virtual Network TAP
    15. Intrusion detection/prevention systems in the cloud
    16. Host OS logs
    17. Application load balancer access logs
    18. Application logs
    19. Common automated intrusion response options

Lab 5.2: Cloud Log Analysis

This lab builds upon the "Exploring Log Services" lab from Day 2, where you were introduced to CloudTrail. We will use Athena to analyze CloudTrail logs in more depth than is possible via the CloudTrail console. We will also use CloudWatch Logs Insights to analyze logs forwarded from EC2 instances and VPC Flow Logs.

In this lab, we are not simply looking at a variety of logs; we will learn analysis techniques to drill down into the data to get the answers we need, such as who did what from where.

Lab 5.3: AWS GuardDuty and Security Hub

In this lab, we will be exploring AWS GuardDuty and AWS Security Hub. We will learn about the data sources that GuardDuty analyzes and explore the current set of possible findings.

  • Penetration Testing
    1. Pentesting the cloud?
    2. Types of penetration testing
    3. Pen test preparation checklist
    4. SaaS considerations
    5. PaaS considerations
    6. IaaS considerations
    7. AWS pen testing specifics
    8. Azure pen testing specifics
    9. GCP pen testing specifics
    10. Choose your weapon - Offensive tools for AWS/Azure

Lab 5.4: EC2 Forensics

In this lab, students will learn how forensics differs in the cloud by using a snapshot of the infected host that is shared with the Security Service account. Students will spin up a SIFT workstation (we will provide an AMI for them) and then mount the snapshot as a read-only volume for review. This lab is at the end of the day so students can explore our suggestions of what to analyze and also use different tools or methods they're familiar with.

Day 5 Wrap-Up

CPE/CMU Credits: 6

Additional Information

Students need to have:

  • A laptop with the Chrome internet browser. The laptop should have unrestricted access to the Internet and full administrative access. Chrome should allow for the addition of Chrome Extensions. Before class, the user should install the Secure Shell App in Chrome.
  • Adobe Acrobat Reader

SANS will provide:

  • AWS Accounts/Azure Subscriptions/GCP Accounts/Alibaba Cloud Accounts for students to leverage during labs.
  • Supplementary content via download

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

Anyone who works in a cloud environment, is interested in cloud security, or needs to understand the risks of using CSPs should take this course, including:

  • Security engineers
  • Security analysts
  • System administrators
  • Risk managers
  • Security managers
  • Security auditors
  • Anyone new to the cloud!

A basic understanding of TCP/IP, network security, and information security principles is helpful for this course, but not required. Being accustomed to the Linux command line is a bonus.

This course will prepare you to

  • Navigate your organization through the security challenges and opportunities presented by cloud services
  • Identify the risks of the various services offered by cloud service providers (CSPs).
  • Select the appropriate security controls for a given cloud network security architecture.
  • Evaluate CSPs based on their documentation, security controls, and audit reports.
  • Confidently use the services on any of the leading CSPs.
  • Articulate the business and security implications of multiple cloud providers.
  • Secure, harden, and audit CSP environments.
  • Protect the access keys and secrets used in cloud environments.
  • Use application security tools and threat modeling to assess the security of cloud-based web applications.
  • Automatically create and provision patched and hardened virtual machine images.
  • Deploy a complete "infrastructure as code" environment to multiple cloud providers.
  • Leverage cloud logging capabilities to establish accountability for events that occur in the cloud environment.
  • Prepare to detect and respond to security incidents in the cloud and take appropriate steps as a first responder.
  • Perform a preliminary forensic file system analysis of a compromised virtual machine.

What you will receive

  • MP3 audio files of the complete course lectures
  • Digital Download Package with supplementary content
  • Cloud security services cheat sheet (AWS vs. Azure vs GCP)
  • Electronic Courseware

You will be able to

  • Identify the risks and risk control ownership based on the deployment models and service delivery models of the various products offered by cloud service providers (CSPs).
  • Evaluate the trustworthiness of CSPs based on their security documentation, service features, third-party attestations, and position in the global cloud ecosystem.
  • Create accounts and use the services on any one of the leading CSPs and be comfortable with the self-service nature of the public cloud. This includes finding documentation, tutorials, pricing, and security features.
  • Articulate the business and security implications of a multi-cloud strategy.
  • Secure access to the consoles used to access the CSP environments.
  • Use command line interfaces to query assets and identities in the cloud environment.
  • Use hardening benchmarks, patching, and configuration management to achieve and maintain an engineered state of security for the cloud environment.
  • Evaluate the logging services of various CSPs and use those logs to provide the necessary accountability for events that occur in the cloud environment.
  • Implement, configure, and secure certificate-based SSH authentication to virtual machines launched in the cloud.
  • Configure the CLI and properly protect the access keys to minimize the risk of compromised credentials.
  • Use basic Bash and Python scripts to automate tasks in the cloud.
  • Configure cross-account role assumption, a best practice for AWS.
  • Implement network security controls that are native to both AWS and Azure.
  • Employ an architectural pattern to automatically create and provision patched and hardened virtual machine images to multiple AWS accounts.
  • Use Azure Security Center to audit the configuration in an Azure deployment and identify security issues.
  • Use Terraform to deploy a complete "infrastructure as code" environment to multiple cloud providers.
  • Leverage the Cloud Security Alliance Cloud Controls Matrix to select the appropriate security controls for a given cloud network security architecture and assess a CSP's implementation of those controls using audit reports and the CSP's shared responsibility model.
  • Use logs from cloud services and virtual machines hosted in the cloud to detect a security incident and take appropriate steps as a first responder according to a recommended incident response methodology.
  • Perform a preliminary forensic file system analysis of a compromised virtual machine to identify indicators of compromise and create a file system timeline.

SEC488: Cloud Security Essentials reinforces the training material via multiple hands-on labs each day of the course. Every lab is designed to impart practical skills that students can bring back to their organizations and apply on the first day back in the office. The labs go beyond the step-by-step instructions and provide the context of "why" the skill is important and instill insights as to why the technology works the way it does.

Highlights of what students will learn in SEC488 labs include:

  • Accessing the web consoles of AWS, Azure, GCP, and Alibaba and launching virtual machines in each environment
  • Performing a security assessment of a Software-as-a-Service offering
  • Hardening and securing cloud environments and applications using security tools and services
  • Hardening, patching, and securing virtual machine images, including SSH
  • Using the command line interface (CLI) and simple scripts to automate work
  • Preventing secrets leakage in code deployed to the cloud
  • Using logs and security services to detect malware on a cloud virtual machine and perform preliminary file-system forensics
  • Using Terraform to deploy a complete environment to multiple cloud providers.

SEC488 Lab Summary

  • Lab 1.1 - Exploring the Web Consoles of AWS, Azure, GCP, and Alibaba
  • Lab 1.2 - Launching Virtual Machines in AWS, Azure, GCP and Alibaba
  • Lab 1.3 - Exploring Platform-as-a-Service Offerings
  • Lab 1.4 - High-Level Security Assessment of Box.com
  • Lab 2.1 - Securing Console Access
  • Lab 2.2 - Getting to Know IAM via the Command Line Interface
  • Lab 2.3 - Using an Open-Source Tool to Audit an AWS Account
  • Lab 2.4 - Log Service Exploration
  • Lab 3.1 - Threat Modeling
  • Lab 3.2 - Adding and Rotating SSH Keys
  • Lab 3.3 - Preventing Leakage of Secrets
  • Lab 3.4 - CloudTrail Log Retrieval
  • Lab 3.5 - Data Protection
  • Lab 4.1 - VPCs
  • Lab 4.2 - Hardened Image Provisioning
  • Lab 4.3 - Azure Security Center Exploration
  • Lab 4.4 - Introduction to Terraform
  • Lab 5.1 - Using AWS Artifact and the Cloud Controls Matrix
  • Lab 5.2 - Cloud Log Analysis
  • Lab 5.3 - AWS GuardDuty and Security Hub
  • Lab 5.4 - EC2 Forensics

Author Statement

"What is the cloud? It is much more than a big nebulous fluffy thing, filled with hype. More businesses than ever are shifting mission-critical workloads to the cloud. And not just one cloud - research shows that most enterprises are using up to five different cloud providers. Yet, cloud security breaches happen all the time and many security professionals feel ill-prepared to deal with this rampant change. SEC488 equips students to view the cloud through a lens informed by standards and best practices to rapidly identify security gaps. It provides class participants with hands-on tools, techniques, and patterns to shore up their organization's cloud security weaknesses."

- Kenneth G. Hartman, Kyle Dickinson, and Ryan Nicholson