Reading Room

Cloud Security

Featuring 88 Papers as of June 21, 2021

  • A SANS Survey: Rethinking the Sec in DevSecOps: Security as Code Analyst Paper (requires membership in community)
    by Jim Bird and Eric Johnson - June 21, 2021 

    As IT workloads transition to the cloud, there's a shift in how organizations develop and deliver systems, and how security must be practiced. This year's SANS survey explored what this shift means for the modern enterprise and its security program. In this paper, survey authors Jim Bird and Eric Johnson reveal how security professionals must adapt to this new world.

  • How to Fuel Your DevSecOps in AWS Analyst Paper (requires membership in community)
    by Dave Shackleford - June 2, 2021 

    To build an effective and successful security automation strategy for the DevOps pipeline, organizations need to consider all parts of the pipeline. This includes securing code and repositories, monitoring and controlling privilege allocation, scanning all checked-in and modified code for vulnerabilities, and scanning all builds and images for package and component vulnerabilities. And by monitoring all running assets through cloud fabric logging, they can use event-driven automation to remediate or alert on issues. In this whitepaper, SANS Analyst Dave Shackleford describes how to bring security teams into all phases of development and during cloud operations to increase visibility and improve security posture.

  • Keeping Control Over the Cloud Analyst Paper (requires membership in community)
    by Matt Bromiley - May 18, 2021 

    Are your operations, employees, and data spread across multiple platforms? This product review examines the benefits offered within the Bitglass platform to manage cloud security. Get a handle on your cloud exposure and gain control over it with a unified platform that allows for consistency in monitoring, detection, and policy implementation across various technologies.

  • How to Build a Security Observability Strategy in AWS Analyst Paper (requires membership in community)
    by Dave Shackleford - May 17, 2021 

    By leveraging cloud-native events and services, as well as cloud-integrated third-party services that can aid in correlating and automating security response, public sector organizations can build a robust cloud security architecture that is sustainable and effective at increasing security posture. This whitepaper, which includes four use cases, describes approaches to security event detection and response, event collection and guardrail services, and how to integrate automation capabilities.

  • How to Build a Security Posture Strategy for the Control Plane and Assets in the AWS Cloud Analyst Paper (requires membership in community)
    by Dave Shackleford - April 28, 2021 

    Security operations teams need to adjust their strategies as the surface area of the cloud grows. This means stronger configuration practices, including identity policies and authentication, storage configuration, workload configuration, and tuning. Based on the shared responsibility model, these are all control requirements for which cloud tenants are responsible. Improving cloud security posture requires increased visibility and centralized control over cloud configuration and workload management. This whitepaper is designed to help you build an effective and timely strategy for securing your control plane.

  • How to Architect a Security-Driven Networking Strategy in the AWS Cloud Analyst Paper (requires membership in community)
    by Dave Shackleford - April 5, 2021 

    As organizations shift more resources to the cloud, defenses have grown organically along with the increase in size and complexity of networks. Today, a new model of security-driven networking, known as security-driven layered defense, is helping organizations create a strong set of proactive layered network defenses. In this whitepaper, SANS analyst Dave Shackleford explains how security teams are using this model to strengthen their network defenses and describes the capabilities and features they should consider when designing a robust, cloud-centered network security strategy.

  • Cloud Security Monitoring on AWS by Sherif Talaat - February 8, 2021 

    Cloud services adoption is growing massively year over year. In most cases, the decision to move to the cloud is driven by cost optimization goals. Organizations usually start the cloud journey with the lift-and-shift approach, migrating the datacenter as-is, including the security services and controls, even the physical appliances, to the equivalent virtual appliances from the respective vendor. In some cases, the security controls used on-premises are not as effective with cloud services. Moreover, in some other cases, they can be expensive as well. This paper illustrates the Amazon Web Services (AWS) security services a security professional can use to support continuous security monitoring of cloud services.

  • How to Build an Effective Cloud Threat Intelligence Program in the AWS Cloud Analyst Paper (requires membership in community)
    by Dave Shackleford - February 1, 2021 

    Threat intelligence can play a major role in improving the state of security incident-handling operations, either through proactive threat hunting activities or during active investigations based on detection scenarios. But threat intelligence can mean different things to different organizations. In this whitepaper, SANS analyst Dave Shackleford shows you how to customize your CTI program to your organization's processes and workflows as well as how to invest in security solutions that reduce risk and accelerate the resolution of security events with actionable context and minimal noise.

  • The State of Cloud Security: Results of the SANS 2020 Cloud Security Survey Analyst Paper (requires membership in community)
    by Thomas (TJ) Banasik - January 21, 2021 

    This paper is an in-depth look at how the definition of cloud security is evolving with new capabilities, such as network detection and response (NDR). It explores digital transformation motivations as organizations move into various hybrid, cloud, and multi-cloud environments. It also looks at how cloud security architects use cybersecurity tools to build security operations architectures and the considerations respondents evaluate when making cybersecurity tooling decisions. As the COVID-19 pandemic pushes humankind toward a fifth industrial revolution (5IR), with greater reliance on security to enable remote workforce productivity, we will explore how protection is evolving from traditional perimeter-based networks to zero trust architectures. The paper's primary goal is to better understand whether customers feel cloud-native security tooling is equivalent to industry-leading security tools and what drives decisions behind customer adoption.

  • A New Take on Cloud Shared Responsibility Analyst Paper (requires membership in community)
    by Dave Shackleford - December 22, 2020 

    As the use of cloud computing has grown, so has the concept of the shared responsibility model for data protection and cybersecurity in general. While not a new concept, the nature of shared security responsibilities has changed with the advent of the cloud. While all cloud providers are wholly responsible for physical security of their data center environments, data center disaster recovery planning, business continuity, and legal and personnel requirements that pertain to security of their operating environments, cloud customers still need to plan for their own disaster recovery and continuity processes, particularly in IaaS clouds where they are building infrastructure.

  • Detecting and Preventing the Top AWS Database Security Risks Graduate Student Research
    by Gavin Grisamore - December 9, 2020 

    Engineers regularly perform risky actions while deploying and operating databases on cloud services like AWS. Engineers are often focused on delivering value to customers and less on the security of the cloud infrastructure. Security teams are increasingly concerned with identifying these cloud-native risks and putting mitigations in place to secure their critical data and limit exposure without inhibiting development workflows or velocity. This paper examines several common AWS database security risks and addresses how to implement detection and prevention controls to mitigate the risks.

  • How to Manage the Shift to Cloud Security Analyst Paper (requires membership in community)
    by Dave Shackleford - December 2, 2020 

    This paper explores how SASE (secure access service edge) combines different elements of cloud services, networking and security into a unified fabric. SASE may help organizations move data, systems and applications more seamlessly into the cloud.

  • Supercharge Incident Response with Data Your Network Team Already Collects Analyst Paper (requires membership in community)
    by Matt Bromiley - November 16, 2020 

    A simple and efficient way to gain an advantage over attackers—and control of your environment’s security—is to utilize the data you already generate and own. This paper explores how organizations should rely on and incorporate key data points (DNS, DHCP, and IPAM) into nearly every aspect of their security approach.

  • How to Create a Scalable and Automated Edge Strategy in the AWS Cloud Analyst Paper (requires membership in community)
    by Dave Shackleford - October 30, 2020 

    As core data center services shift to cloud, cloud edge architecture and deployment models offer the advantage of convergence and unification of disparate network services into a single brokering fabric. In this whitepaper, SANS instructor Dave Shackleford describes how to improve security at the perimeter, by reducing the complexity and increasing interoperability of traditional approaches. This timely approach to defense includes developing a layered control approach to perimeter security, implementing a scalable security solution at the network's edge and improving efficiency through automation.

  • Extending DevSecOps Security Controls into the Cloud: A SANS Survey Analyst Paper (requires membership in community)
    by Jim Bird and Eric Johnson - October 27, 2020 

    In the 2020 SANS DevSecOps Survey, authors Jim Bird and Eric Johnson explore how organizations are extending their DevSecOps security controls beyond their on-premises environments into the public cloud to secure their cloud networks, services and applications. Download this paper to learn how to leverage best practices in DevSecOps in your cloud-based environment and how to use the most effective tools and technologies.

  • The SANS Guide to Evaluating Attack Surface Management Analyst Paper (requires membership in community)
    by Pierre Lidome - October 26, 2020 

    This guide provides an overview of the benefits and limitations of attack surface management and actionable guidance for organizations looking to evaluate an ASM solution.

  • Prescriptive Model for Software Supply Chain Assurance in Private Cloud Environments Graduate Student Research
    by Robert Wood - October 14, 2020 

    As companies embrace Continuous Integration/Continuous Deployment (CI/CD) environments, automated controls are critical for safeguarding the Software Development Life Cycle (SDLC). The ability to vet and whitelist container images before installation is vitally important to ensuring the security of corporate networks. Google Cloud offers the Container Registry in combination with Binary Authorization to understand the container footprint in the environment and provide a mechanism for enforcing policies. Grafeas and Kritis are open-source alternatives. This paper evaluates Grafeas and Kritis and provides specific recommendations for using these tools or equivalents in private cloud environments.

  • Firebase: Google Cloud's Evil Twin by Brandon Evans - October 8, 2020 

    Firebase allows a frontend application to connect directly to a backend database. Security wonks might think the previous sentence describes a vulnerability, but this is by design. Released in 2012, Firebase was a revolutionary cloud product that set out to "Make Servers Optional". This should raise countless red flags for all security professionals as the application server traditionally serves as the intermediary between the frontend and backend, handling authentication and authorization. Without it, all users could obtain full access to the database. Firebase attempts to solve this by moving authentication and authorization into the database engine itself. Unfortunately, this approach has several flaws.

  • Shall We Play a Game?: Analyzing the Security of Cloud Gaming Services Graduate Student Research
    by Adam Knepprath - October 7, 2020 

    The adoption of cloud gaming services is quickly growing. Like many services that are eager to go to market, cloud gaming services lack strong security measures. This paper provides an analysis of three cloud gaming service providers’ privacy policies, out of the box security, and mitigations end-users should consider.

  • Continuously Monitor and Assess Your Security Posture in the AWS Cloud Analyst Paper (requires membership in community)
    by Dave Shackleford - October 2, 2020 

    Cloud computing is a large, often interconnected ecosystem of software-defined infrastructure and applications, and the cloud control plane offers a wide variety of configuration options for consumers to leverage. This paper describes the factors that tend to consistently drive the need for enhanced cloud security management and oversight, continuous monitoring strategies, how to apply CSPM to security operations, and how to integrate CSPM into a DevSecOps pipeline. The paper also covers CSPM reporting and compliance.

  • Mitigating Risk with the CSA 12 Critical Risks for Serverless Applications Graduate Student Research
    by Mishka McCowan - September 30, 2020 

    Since its introduction in 2014, serverless technology has seen significant adoption in businesses of all sizes. This paper will examine a subset of the 12 Most Critical Risks for Serverless Applications from the Cloud Security Alliance and the efficacy of their recommendations in stopping attacks. It will demonstrate practical attacks, measure the effectiveness of the Cloud Security Alliance recommendations in preventing them, and discuss how the recommendations can be applied more broadly.

  • The Poisoned Postman: Detecting Manipulation of Compliance Features in a Microsoft Exchange Online Environment Graduate Student Research
    by Rebel Powell - September 30, 2020 

    Modern attack techniques frequently target valuable information stored on enterprise communications systems, including those hosted in cloud environments. Adversaries often look for ways to abuse tools and features in such systems to avoid introducing malicious software, which could alert defenders to their presence (Crowdstrike, 2020). While on-premise detection strategies have evolved to address this threat, cloud-based detection has not yet matched the adoption pace of cloud-based services (MITRE, 2020). This research examines how adversaries can perform feature attacks on organizations that use Microsoft Office 365's Exchange Online by exploring recent advanced persistent threat tactics in Exchange on-premise environments and applying variations of them to Exchange Online's Compliance and Discovery features. It also analyzes detection strategies and mitigations that businesses can apply to their systems to prevent such attacks.

  • Compliance Benchmarks using Cloud Custodian by Vishnu Varma - September 25, 2020 

    With the increasing rate of cloud adoption, many companies are looking for a ready-to-use product that defines security benchmarks at the beginning of their cloud transition. Companies in highly regulated industries such as banking, insurance, finance, and healthcare must also comply with compliance frameworks. Even though many excellent open-source tools are available for compliance benchmarks and enforcement, many organizations still choose commercial tools to fulfill their requirements. This paper examines multiple compliance benchmarks and frameworks whose policies can be enforced primarily using Cloud Custodian, highlighting ease of use and deployment strategies, mainly covering Amazon Web Services. Cloud Custodian is an open-source tool that provides the ability to set up rules for security, cost optimization, and governance, and to take action on resources.

  • 2020 SANS Enterprise Cloud Incident Response Survey Analyst Paper (requires membership in community)
    by Chris Dale - September 14, 2020 

    Our 2020 Enterprise Cloud Incident Response Survey investigated the data sources and services that organizations are leveraging to detect, respond to and remediate incidents in the multi-cloud world. This report on the survey focuses less on which cloud service organizations are using, and more on what data sources they are taking advantage of, what services they find useful, and what methods are working in their programs.

  • How to Improve Threat Detection and Hunting in the AWS Cloud Using the MITRE ATT&CK Matrix Analyst Paper (requires membership in community)
    by Dave Shackleford - August 31, 2020 

    To build threat detection and hunting capabilities that are more effective, understanding adversary tactics and techniques based on real-world observations is critical. SANS senior instructor and cloud security expert Dave Shackleford discusses how to apply the MITRE ATT&CK Matrix to the AWS Cloud to classify and understand cloud-based techniques and leverage threat intel in order to maintain a strong security posture.

  • How to Protect All Surfaces and Services in the AWS Cloud Analyst Paper (requires membership in community)
    by Dave Shackleford - July 28, 2020 

    Multiple layers of defense are required to protect your AWS environment, and it's essential to use advanced controls and develop more dynamic and continuous processes to evaluate security conditions. Learn how to reduce your overall attack surface to reduce exposure; apply configuration management, real-time assessment and access control mechanisms; and implement automation for monitoring and continuous protection.

  • ATT&CK-Based Live Response for GCP CentOS Instances Graduate Student Research
    by Allen Cox - July 22, 2020 

    As organizations increasingly invest in cloud service providers to host data, applications, and services, incident responders must detect and respond to malicious activity across several major platforms. With nearly one-third of the cloud infrastructure market share, Amazon Web Services (AWS) dominates the information security scientific literature. However, of the other major cloud providers, Google Cloud Platform (GCP) experienced the most significant annual growth in 2019 (Canalys, 2020), and as a result, defenders can expect to respond more frequently to incidents in GCP. This research examines the data sources available to responders on GCP CentOS compute instances and within the cloud platform. Using MITRE ATT&CK to identify attacker tactics and Red Canary’s Atomic Red Team to generate test data, this research proposes a live response script to collect the essential data that responders will need to identify the discussed tactics.

  • How to Implement a Software-Defined Network Security Fabric in AWS Analyst Paper (requires membership in community)
    by Dave Shackleford - May 18, 2020 

    Maintaining control and visibility of network assets in hybrid networks creates many security challenges. In this paper, you'll learn proven strategies such as building a control stack of cloud-native and third-party controls to ensure confidentiality and availability of assets; using SD-WAN and cloud security-as-a-service to provide edge security in a unified network fabric; and leveraging infrastructure-as-code for automation and management of infrastructure.

  • Ebb and Flow: Network Flow Logging as a Staple of Public Cloud Visibility or a Waning Imperative? Graduate Student Research
    by Dennis Taggart - May 18, 2020 

    The basic tenets of information security remain relatively unchanged even while specific examples of security-related tools, processes, and procedures may shift in popularity over time. Deciding what to prioritize and recommend as a security professional can be challenging, but the most straightforward cases are those justified by the quantitative reduction of risk. In this search for quantitative risk reduction, it is worthwhile for security professionals to consider that the methods used to fulfill basic security needs in one environment may not provide the same benefit in another. The 2019 version of the Cloud Security Alliance's Top Threats to Cloud Computing document warns of critical security issues facing public cloud consumers (Cloud Security Alliance, 2019, p.40). The CSA also acknowledges their work concentrates less on some of the more traditional security threats like “vulnerabilities and malware”, while calling for further research (Cloud Security Alliance, 2019, p.40). This whitepaper inhabits the category of additional research and also occupies a space parallel, but perhaps not identical to classical security views. This research assumes a slightly-less-traditional approach by not taking the value of flow logging, or its costs in the cloud, for granted. It further asserts that given limited resources, there may be more directly valuable logging sources available. This paper establishes a quantitative methodology for judging the effectiveness of flow and non-flow logging as applied in a public cloud environment. It exercises this methodology by simulating top cloud computing threats and examining the capabilities of each.

  • Top 5 Considerations for Multicloud Security by Brandon Evans - April 15, 2020 

    The move to leveraging multiple public cloud providers introduces new challenges and opportunities for security and compliance professionals. As the service offering landscape is constantly evolving, it is far too easy to prescribe security solutions that are not accurate in all cases. This paper will examine five critical considerations for securely using the three biggest public cloud providers: Amazon Web Services, Microsoft Azure, and the Google Cloud Platform. While it is tempting to dismiss the multicloud movement or block it at the enterprise level, this will only make the problem harder to control. By embracing multicloud as inevitable and working to understand it, security and compliance professionals can help move the organization forward safely.

  • Lateral traffic movement in Virtual Private Clouds Graduate Student Research
    by Andy Huang - January 3, 2020 

    Cloud vendors have introduced virtual private cloud (VPC) structures to bring the benefits of private cloud into the public cloud. These structures provide vertical segmentation and isolation for application projects implemented within them. However, the security context needs to be considered as applications communicate with one another between VPCs using technologies such as peering and privatelinks. Applications are usually highly dependent on each other for data and functionality, leading to cross-connections between VPC structures. The implications between different connection setups need to be vetted to ensure that access is not overly permissive, thus leading to possible lateral movement of traffic.

  • How to Leverage a CASB for Your AWS Environment Analyst Paper (requires membership in community)
    by Kyle Dickinson - December 17, 2019 

    As organizations move applications and data to the cloud, the number of applications they can leverage grows constantly, as do the areas where data can reside. Cloud access security brokers (CASBs) provide the convenience and means to integrate with modern technologies and implement security controls. Discover how CASBs help you make sense of auditing data, provide data protection and storage security, and take advantage of common CASB features to secure deployments.

  • How to Build a Threat Hunting Capability in AWS Analyst Paper (requires membership in community)
    by Shaun McCullough - December 3, 2019 

    Threat hunting is more of an art than a science, in that its approach and implementation can differ substantially among enterprises and still be successful. In cloud environments, where the threat landscape is always changing, security teams must know what data to collect and how to analyze it in order to tease out suspicious anomalies. In addition to these topics, this whitepaper walks you through the threat hunting process, describing tools and techniques you can use to find and neutralize threats.

  • Catch Me If You Can: Detecting Server-Side Request Forgery Attacks on Amazon Web Services Graduate Student Research
    by Sean McElroy - November 27, 2019 

    Cloud infrastructure offers significant benefits to organizations capable of leveraging rich application programming interfaces (APIs) to automate environments at scale. However, unauthorized access to management APIs can enable threat actors to compromise the security of large amounts of sensitive data very quickly. Practitioners have documented techniques for gaining access through Server-Side Request Forgery (SSRF) vulnerabilities that exploit management APIs within cloud providers. However, mature organizations have failed to detect some of the most significant breaches, sometimes for months after a security incident. Cloud services adoption is increasing, and firms need effective methods of detecting SSRF attempts to identify threats and mitigate vulnerabilities. This paper examines a variety of tools and techniques to detect SSRF activity within an Amazon Web Services (AWS) environment that can be used to monitor for real-time SSRF exploit attempts against the AWS API. The research findings outline the efficacy of four different strategies to answer the question of whether security professionals can leverage additional vendor-provided and open-source tools to detect SSRF attacks.

  • Taming the Wild West: Finding Security in Linux Analyst Paper (requires membership in community)
    by Matt Bromiley - November 22, 2019 

    Although Linux has historically been less prone to attacks, increased enterprise use on-premises and in the cloud means it has become as common a target as Windows environments. This paper looks at the deficiencies of Linux from a security perspective and how to lock Linux down more effectively.

  • JumpStart Guide to Investigations and Cloud Security Posture Management in AWS Analyst Paper (requires membership in community)
    by Kyle Dickinson - November 8, 2019 

    Cloud security posture management (CSPM) has gained popularity as organizations move to a cloud-first mentality. CSPM enables efficient investigations because it centralizes data sources that provide operational and security insight. When an organization moves to the cloud, the security team needs visibility into its AWS accounts, which can be a complex undertaking. This paper focuses on the tactics that can aid in an investigation.

  • How to Perform a Security Investigation in AWS A SANS Whitepaper Analyst Paper (requires membership in community)
    by Kyle Dickinson - October 30, 2019 

    Because the technologies that enable investigations in the cloud differ from those on premises, as do the levels of responsibility, organizations need to put in place a cloud-specific incident response plan. By planning out how they will perform investigations using solutions such as AWS, organizations can validate that any obligations they may have as a security organization can be met as effectively in cloud environments as they were in-house.

  • An AWS Network Monitoring Comparison Graduate Student Research
    by Nichole Dugan - October 30, 2019 

    AWS recently released network traffic mirroring in their environment. As this is a relatively new feature, users of the service have in the past used tools such as Security Onion to monitor traffic using a host-based model of forwarding network traffic for analysis. It may not be apparent to an organization which option works best for them, so an analysis should be done of both the traffic mirroring and host-based options to determine the benefits and drawbacks of each method. This paper seeks to compare the two types of network monitoring available in the AWS environment, traffic mirroring and host-based, and determine which method is more cost-effective, and, through testing, determine which method generates more alerts.

  • How to Secure App Pipelines in AWS Analyst Paper (requires membership in community)
    by Dave Shackleford - October 16, 2019 

    We are seeing nothing less than an evolutionary shift as security infrastructure moves to software-defined models that improve speed and scale, and afford enterprise IT more agility and capabilities than ever before. Application development and deployment are driving this shift, and as the pace of development increases, organizations have a real need to ensure application security is embedded in all phases of the development and deployment life cycle, as well as in the cloud during operations.

  • How to Build a Threat Detection Strategy in Amazon Web Services (AWS) Analyst Paper (requires membership in community)
    by David Szili - September 10, 2019 

    Threat detection and continuous security monitoring in the cloud must integrate traditional on-premises system monitoring with the cloud network infrastructure and cloud management plane. A successful, cloud-based threat detection strategy will collect data from systems, networks and the cloud environment in a central platform for analysis and alerting. This paper describes how to build a threat detection strategy that automates common tasks like data collection and analysis.

  • JumpStart Guide for SIEM in AWS Analyst Paper (requires membership in community)
    by J. Michael Butler - August 20, 2019 

    This paper explores the needs, implementation options, capabilities, and various considerations for organizations looking to implement SIEM/SOAR capabilities in Amazon Web Services (AWS). The paper compares the integration of SIEM and SOAR in the cloud environment to on-premises use. Suggestions for planning SIEM and SOAR integration into an AWS cloud environment are also included.

  • How to Protect Enterprise Systems with Cloud-Based Firewalls Analyst Paper (requires membership in community)
    by Kevin Garvey - July 26, 2019 

    Deploying WAFs and firewalls in the cloud saves security teams valuable time as they rely on the cloud to automate many tasks. This paper identifies key considerations in using cloud-based firewalls to protect your enterprise, including network logging, IDS/IPS, authentication and inspection. This paper also covers advanced firewall features like behavioral threat detection, next-gen analytics and customized rules. A comprehensive use case serves as an essential how-to for making it all work.

  • JumpStart Guide for Cloud-Based Firewalls in AWS Analyst Paper (requires membership in community)
    by Brian Russell - July 24, 2019 

    This guide examines options for implementing firewalls within the Amazon Web Services (AWS) Cloud. It examines the needs and capabilities associated with today’s firewall and threat prevention services and details general, technical and operational considerations when choosing these products. The guide concludes by examining AWS-specific considerations and recommending a plan of action for organizations considering the purchase of cloud-based firewalls.

  • Building Cloud-Based Automated Response Systems Graduate Student Research
    by Mishka McCowan - July 2, 2019 

    When moving to public cloud infrastructures such as Amazon Web Services (AWS), organizations gain access to tools and services that enable automated responses to specific threats. This paper will explore the advantages and disadvantages of using native AWS services to build an automated response system. It will examine the elements that organizations should consider, including developing the proper skills and systems that are required for the long-term viability of such a system.

  • How to Build an Endpoint Security Strategy in AWS Analyst Paper (requires membership in community)
    by Thomas J. Banasik - June 27, 2019 

    Endpoint security is the cornerstone of any successful cloud migration. This paper details how to build an endpoint security strategy that uses a defense-in-depth architecture to protect cloud assets, as well as implement key endpoint security capabilities such as EDR, UEBA and DLP solutions. It also explains synchronization with AWS services for a comprehensive view that increases visibility when combatting threats.

  • JumpStart Guide for Endpoint Security in AWS Analyst Paper (requires membership in community)
    by David Hazar - June 19, 2019 

    Endpoint security is a key component of any cybersecurity program, but some organizations struggle with extending this program component to cloud workloads. This paper provides guidance on the key issues to consider when choosing an endpoint security solution for integration on the AWS platform and suggests a process for making that important decision.

  • How to Build a Data Security Strategy in AWS Analyst Paper (requires membership in community)
    by Dave Shackleford - June 13, 2019 

    When organizations move sensitive data to the cloud, they absolutely must choose a provider that can ensure compliance with privacy regulations on a global stage. Data security strategies in the cloud must include encryption and key management, data loss prevention and the capability to classify and track data. By using the AWS Cloud, organizations can protect sensitive data at rest, in transit and in use.

  • How to Protect a Modern Web Application in AWS Analyst Paper (requires membership in community)
    by Shaun McCullough - May 9, 2019 

    In moving assets to the cloud, organizations need to prioritize their security plans based on the risks to which they are exposed. With threat modeling, organizations can identify and prioritize the risks to infrastructure, applications and the services they provide, as well as evaluate how to manage those risks over time. This paper includes use cases for threat modeling web apps and the DevSecOps platform, using a process that is both repeatable and improvable.

  • SANS 2019 Cloud Security Survey Analyst Paper (requires membership in community)
    by Dave Shackleford - April 30, 2019 

    This whitepaper delves into the results of the SANS 2019 Cloud Security Survey, conducted in cooperation with the Cloud Security Alliance, concerning organizations' use of the public cloud and provides actionable advice organizations can use to improve their cloud security. It answers questions including, "Are security infrastructures maturing to support the business and improve risk management in the cloud model?" and "How are organizations using the public cloud to meet their business needs?"

  • How to Build a Security Visibility Strategy in the Cloud Analyst Paper (requires membership in community)
    by Dave Shackleford - April 17, 2019 

    The security of cloud-based assets requires visibility into the events and behaviors that move into and through the cloud environment, a strategy that differs from traditional security visibility. This paper describes controls that can be used to ensure network, application, instance/container, database/storage and control plane visibility, and explains how to create a strategy that ties event monitoring, vulnerability scanning and control planes together to enhance visibility.

  • How to Automate Compliance and Risk Management for Cloud Workloads Analyst Paper (requires membership in community)
    by Matt Bromiley - March 27, 2019 

    As organizations experience growth and network expansion, their decisions impact the safety and integrity of their data. Organizations that are moving to the cloud must balance the benefits of cloud services with compliance, while also managing risk. Because migrating data to the cloud does not remove the need for compliance, organizations need to focus on compliance from the start and create a strategy that automates compliance and risk management using native and cloud security controls.

  • How to Optimize Security Operations in the Cloud Through the Lens of the NIST Framework Analyst Paper (requires membership in community)
    by John Pescatore - February 25, 2019 

    Security teams today face the mandate of moving production workloads from on-premises to the cloud. By using the NIST Cybersecurity Framework (CSF), teams can effectively and efficiently build in security as part of the migration of operations activities to IaaS services and hybrid cloud implementations. This paper shares proven best practices for evaluating and implementing security architectures, processes and controls while developing an approach to migration that is repeatable.

  • Protecting Data To, From and In the Cloud Analyst Paper (requires membership in community)
    by Dave Shackleford - December 11, 2018 

    Attackers have adapted their strategies to the cloud and will likely continue to focus on this threat surface. In this spotlight paper, SANS offers some guidance and recommendations for improving cloud service visibility, data protection, threat protection, access control and reporting.

  • 2018 Secure DevOps: Fact or Fiction? Analyst Paper (requires membership in community)
    by Jim Bird and Barbara Filkins - November 5, 2018 

    A new SANS survey indicates that fewer than half (46%) of survey respondents are confronting security risks up front in requirements and service design in 2018, and only half of respondents are fixing major vulnerabilities. This report chronicles how security practitioners are managing the collaborative, agile nature of DevOps and weaving security seamlessly into the development process.

  • How Visibility of the Attack Surface Minimizes Risk Analyst Paper (requires membership in community)
    by Dave Shackleford - July 30, 2018 

    To understand risks and control the attack surface, you need visibility. But what is visibility and why is it critical? And how do you get it? This paper will help you define visibility for effective security and understand why visibility is key to determining your exposure and potential vulnerabilities.

  • A Guide to Managing Cloud Security Analyst Paper (requires membership in community)
    by Dave Shackleford - July 25, 2018 

    While many of the core concepts of vulnerability and threat management remain the same in the world of cloud deployments, we need to adapt our thinking to operate in a hybrid or public cloud deployment model. This paper will help you evaluate cloud vulnerabilities and threat management, and protect your data and assets in a dynamic cloud infrastructure.

  • Securing the Hybrid Cloud: Traditional vs. New Tools and Strategies A SANS Whitepaper Analyst Paper (requires membership in community)
    by Dave Shackleford - April 2, 2018 

    This paper takes a look at the current state of cloud security and offers specific recommendations for security best practices, including how to use some traditional security tools and emerging solutions, while taking into account typical staffing, technology and other resource issues.

  • An Evaluator’s Guide to Cloud-Based NGAV: The SANS Guide to Evaluating Next-Generation Antivirus Analyst Paper (requires membership in community)
    by Barbara Filkins - March 26, 2018 

    The coupling between NGAV and cloud-based analytics is here. The dynamics of cloud-based analytics, which allow for near-real-time operations, bring an essential dimension to NGAV, disrupting the traditional attack model by processing endpoint activity as it happens, algorithmically looking for any kind of bad or threatening behavior, not just for malicious files. This paper covers how cloud support for NGAVs is changing the game and how to evaluate such solutions.

  • Building the New Network Security Architecture for the Future Analyst Paper (requires membership in community)
    by Sonny Sarai - January 22, 2018 

    With the move to cloud services, software-defined networks and IoT devices, the game has changed in terms of defining an organization's network. Current network security architecture doesn't offer the visibility required for modern-day networks, much less guard against threats roaming within them. This white paper examines key elements of the network of the future and their optimal implementation.

  • Digital Forensic Analysis of Amazon Linux EC2 Instances Graduate Student Research
    by Ken Hartman - January 13, 2018 

    Companies continue to shift business-critical workloads to cloud services such as Amazon Web Services Elastic Cloud Computing (EC2). With demand for skilled security engineers at an all-time high, many organizations do not have the capability to do an adequate forensic analysis to determine the root cause of an intrusion or to identify indicators of compromise. To help organizations improve their incident response capability, this paper presents specific tactics for the forensic analysis of Amazon Linux that align with the SANS Finding Malware Step by Step process for Microsoft Windows.

  • Cloud Security: Defense in Detail if Not in Depth Analyst Paper (requires membership in community)
    by Dave Shackleford - October 31, 2017 

    Survey respondents feel that they lack visibility, auditability and effective controls to monitor everything that goes on in their public clouds. We are, however, seeing increased use of security controls within cloud provider environments and wider use of security-as-a-service (SecaaS) solutions to achieve in-house and external security and compliance requirements. Related findings and best practices are discussed in the following report.

  • A Technical Approach at Securing SaaS using Cloud Access Security Brokers Graduate Student Research
    by Luciana Obregon - September 6, 2017 

    The adoption of cloud services allows organizations to become more agile in the way they conduct business, providing scalable, reliable, and highly available services or solutions for their employees and customers. Cloud adoption significantly reduces total cost of ownership (TCO) and minimizes hardware footprint in data centers. This paradigm shift has left security professionals securing abstract environments for which conventional security products are no longer effective. The goal of this paper is to analyze a set of cloud security controls and security deployment models for SaaS applications that are purely technical in nature while developing practical applications of such controls to solve real-world problems facing most organizations. The paper will also provide an overview of the threats targeting SaaS, present use cases for SaaS security controls, test cases to assess effectiveness, and reference architectures to visually represent the implementation of cloud security controls.

  • Packet Capture on AWS Graduate Student Research
    by Teri Radichel - August 14, 2017 

    Companies using AWS (Amazon Web Services) will find that traditional means of full packet capture using span ports is not possible. As defined in the AWS Service Level Agreement, Amazon runs certain aspects of the cloud platform and does not give customers access to physical networking hardware. Although access to physical network equipment is limited, packet capture is still possible on AWS but needs to be architected in a different way. Instead of using span ports, security professionals can leverage the software that runs on top of the cloud platform. The tools and services provided by AWS may facilitate more automated, cost-effective, scalable packet capture solutions for some companies when compared to traditional data center approaches.

  • Automating Cloud Security to Mitigate Risk Analyst Paper (requires membership in community)
    by Dave Shackleford - July 20, 2017 

    As cloud computing services evolve, the cloud opens up entirely new ways for potential attacks. This paper explores the potential security challenges enterprises face as they migrate to any kind of cloud setup and offers guidance to ensure a smooth migration to new solutions.

  • Zero-Touch Detection and Investigation of Cloud Breaches: A Review of Lacework's Cloud Workload Security Platform Analyst Paper (requires membership in community)
    by Matt Bromiley - June 27, 2017 

    Today's increasingly dynamic cloud environments present new challenges to security practitioners. With security talent in short supply, tailoring old policy-and-logs approaches to the needs of an organization can require time and resources it just doesn't have. In this review, SANS analyst and instructor Matt Bromiley shares his experience using Lacework's new Zero Touch Cloud Workload Security Platform to mitigate these challenges.

  • Testing Web Apps with Dynamic Scanning in Development and Operations Analyst Paper (requires membership in community)
    by Barbara Filkins - June 15, 2017 

    Building secure web applications requires more than testing the code to weed out flaws during development and keeping the servers on which it runs up to date. Public-facing web apps remain the primary source of data breaches. To keep web apps secure, IT ops groups are increasingly adopting Dynamic Application Security Testing (DAST) tools. Learn how DAST tools can reduce dev costs and security flaws; how to avoid organizational gaps between dev and ops that can make remediation difficult; and other AppSec/vulnerability scanning issues.

  • Security by Design: The Role of Vulnerability Scanning in Web App Security Analyst Paper (requires membership in community)
    by Barbara Filkins - June 7, 2017 

    The growth in custom applications in the cloud has increased organizations' security exposure. Although more organizations want to test and remediate during development, this doesn't address the thousands of existing, potentially vulnerable, apps already online. Modern web scanners can help by highlighting areas of likely vulnerability. Their speed and automation can make them a valuable part of a multilayered scanning and monitoring program.

  • Cyber Security Trends: Aiming Ahead of the Target to Increase Security in 2017 Analyst Paper (requires membership in community)
    by John Pescatore - March 20, 2017 

    Attackers are always changing their methods, but some cybersecurity trends are clear--and identifying these trends will help security professionals plan for addressing these issues in the coming year. Attacks will continue, and many will be successful. While security professionals should try to prevent a breach, it's far more critical to uncover breaches quickly and mitigate damage. Another significant trend for 2017: expanding current security measures to better protect data in the cloud and to address the security shortcomings of the Internet of Things. Even while fighting daily security fires, security managers can expect boards of directors to show more interest in their efforts. Board members are keenly aware that breaches can be high-profile catastrophes for companies, and they are also concerned that the organizations they oversee are in compliance with new and more stringent regulations. This whitepaper covers the latest and best security hygiene and common success patterns that will best keep your organization off the "Worst Breaches of 2017" lists.

  • Cloud Security Monitoring Graduate Student Research
    by Balaji Balakrishnan - March 13, 2017 

    This paper discusses how to apply security log monitoring capabilities for Amazon Web Services (AWS) Infrastructure as a Service (IaaS) cloud environments. It will provide an overview of AWS CloudTrail and CloudWatch Logs, which can be stored and mined for suspicious events. Security teams implementing AWS solutions will benefit from applying security monitoring techniques to prevent unauthorized access and data loss. Splunk will be used to ingest all AWS CloudTrail and CloudWatch Logs. Machine learning models are used to identify suspicious activities in the AWS cloud infrastructure. The audience for this paper is security teams trying to implement AWS security monitoring.

  • Security Assurance of Docker Containers Graduate Student Research
    by Stefan Winkle - November 22, 2016 

    With recent movements like DevOps and the move towards application security as a service, the IT industry is in the middle of a set of substantial changes in how software is developed and deployed. In the infrastructure space, we see the uptake of lightweight container technology, while application technologies are moving towards distributed microservices. There is a recent explosion in popularity of package managers and distributors like OneGet, NPM, RubyGems and PyPI. More and more software development becomes dependent on small, reusable components developed by many different developers and often distributed by infrastructures outside our control. In the midst of this all, we often find application containers like Docker, LXC, and Rocket used to compartmentalize software components. The Notary project, recently introduced in Docker, is built upon the assumption that the software distribution pipeline can no longer be trusted. Notary attempts to protect against attacks on the software distribution pipeline by associating trust and separation of duties with Docker containers. In this paper, we explore the Notary service and take a look at security testing of Docker containers.

  • Security and Accountability in the Cloud Data Center: A SANS Survey Analyst Paper (requires membership in community)
    by Dave Shackleford - October 10, 2016 

    Despite the higher risk compared with more controlled, traditional on-premises (non-cloud) systems, this survey found that almost a quarter of respondents (24%) are in organizations adopting a “cloud first” strategy. Using public cloud or on-premises applications as appropriate led the way, chosen by 46% of respondents, and 30% of respondents said they prefer on-premises applications. Read on to learn more about the state of cloud security and what we need to do to improve it.

  • Changing the Perspective of Information Security in the Cloud: Cloud Access Security Brokers and Cloud Identity and Access Management
    by Jennifer Johns - August 4, 2016 

    Businesses are leveraging cloud computing services at an exponential rate. Working in the information security industry during the cloud computing frenzy is exciting, but it is also proving to be challenging as cloud computing service providers (CSPs) have typically lacked industry standard security controls.

  • Full Packet Capture Infrastructure Based on Docker Containers Graduate Student Research
    by Mauricio Espinosa Gomez - May 6, 2016 

    In today’s world, it is common to hear news about organizations being breached by malicious actors, even in highly protected environments; the risk of being exploited is always present. When an incident has already occurred, a full packet capture provides invaluable information to effectively backtrack the event in question.

  • Cloud Security Framework Audit Methods
    by Diana Salazar - April 27, 2016 

    Users have become more mobile, threats have evolved, and actors have become smarter. Users distribute information across multiple locations, many of which are not currently within the organization’s infrastructure.

  • Incident Response in Amazon EC2: First Responders Guide to Security Incidents in the Cloud
    by Tom Arnold - April 21, 2016 

    As Head of Digital Forensics for Payment Software Company Inc. (“PSC”), a company that focuses exclusively on Clients that accept or process payments, we’ve responded to sites operating within cloud environments, most notably Amazon EC2.

  • Implementing the Critical Security Controls in the Cloud Graduate Student Research
    by Jon Mark Allen - February 10, 2016 

    Amazon refers to cloud computing as “the on-demand delivery of IT resources and applications via the Internet with pay-as-you-go pricing” (Amazon Web Services, 2015).

  • Moving Legacy Software and FOSS to the Cloud, Securely
    by Larry Llewellyn - December 28, 2015 

    Frequently, organizations inherit source code written by a development team, which has long since moved on to other projects. Without fail, business requirements drive software modifications due to market evolution and developing, competitive business strategies.

  • Cloud Assessment Survival Guide Graduate Student Research
    by Edward Zamora - November 10, 2015 

    The time has come when society at large is living in the cloud. Many have questioned the security of information in the cloud, and many have been told that information is safe there. But how can one be sure that information is indeed safe in the cloud? In this day and age, with increased dependence on technology as complex as cloud systems, methodologies are needed to test cloud deployments. For organizations that have implemented or seek to implement cloud technology in their environment, this paper will present a brief background on cloud technology and a methodology for assessing the security of their cloud implementation based on penetration testing principles.

  • Proposal for standard Cloud Computing Security SLAs - Key Metrics for Safeguarding Confidential Data in the Cloud Graduate Student Research
    by Michael Hoehl - April 1, 2015 

    Cloud computing services provide many technology and business opportunities that were simply unavailable a few years ago.

  • It's 10PM...Do you know where your cloud is? Graduate Student Research
    by Robert J. Mavretich - August 11, 2014 

    From the time that Dr. Gordon Moore, the legendary founder of Intel, postulated his theory that the number of transistors on an integrated circuit would double approximately every two years, the far-off 21st century always seemed to hold the promise of flying cars and robotics making individuals' lives easier.

  • The Security Onion Cloud Client Network Security Monitoring for the Cloud Graduate Student Research
    by Joshua Brower - September 17, 2013 

    Network Security Monitoring (NSM) is the "collection, analysis, and escalation of indications and warnings to detect and respond to intrusions."

  • Simplifying Cloud Access Without Sacrificing Corporate Control: A Review of McAfee's Integrated Web and Identity Solutions Analyst Paper (requires membership in community)
    by Dave Shackleford - August 21, 2013 

    Review of McAfee Web Gateway version 7.3, McAfee Cloud Single Sign On (CSSO) version 4.0 and McAfee One Time Password version 4.0, with Pledge Software Token (Pledge) version 2.0.

  • An Introduction To Securing a Cloud Environment
    by Todd Steiner - November 27, 2012 

    As government and private industry budgets continue to shrink, executives are plotting new strategies to become more efficient and cost effective.

  • Diskless Cluster Computing: Security Benefit of oneSIS and Git Graduate Student Research
    by Aron Warren - April 16, 2012 

    This paper introduces the joining of two software packages, oneSIS and Git. Each package by itself is meant to tackle only a certain class of problem.

  • Cloud Computing - Maze in the Haze
    by Godha Iyengar - October 18, 2011 

    In recent days, “Cloud Computing” has become a great topic of debate in the IT field. Clouds, like solar panels, appear intriguingly simple at first but the details turn out to be more complex than simple pictures and schematics suggest.

  • Following Incidents into the Cloud
    by Jeff Reed - March 1, 2011 

    The availability and use of cloud computing continues to grow. Discussions of and references to its benefits and issues grow at a similar pace. As it continues to move from a sort of ‘SOA of the Wild West’ into the mainstream, more companies will face the myriad questions arising from its use. When, why, where and how should integration with the cloud occur? How can one be certain that a cloud provider will survive through an organization’s technology integration lifecycle?

  • Cloud Security and Compliance: A Primer Analyst Paper (requires membership in community)
    by Dave Shackleford - August 6, 2010 

    A quick guide to cloud computing that addresses the areas of mobility and multi-tenancy, identity and access management, data protection, and incident response and assessment.

  • A Guide to Virtualization Hardening Guides Analyst Paper (requires membership in community)
    by Dave Shackleford - May 20, 2010 

    A guide to the virtualization hardening guides that includes key configuration and system security settings for VMware ESX and vSphere/Virtual Infrastructure with key control areas organizations need to consider.

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact

All papers are copyrighted. No re-posting or distribution of papers is permitted. Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.