SEC549: Cyber Security Training at SANS Managing Security Risk 2023


What You Will Learn

Without a mental model for threats in the cloud, architects try to force design patterns built for the on-premises world onto cloud systems, slowing cloud adoption and modernization. Worse, failing to identify trust boundaries in the cloud leaves controls missing at the identity or network plane and leads to poor security outcomes. SEC549 introduces students to security architecture as it applies to the cloud. Students leave the course with a clear mental model of the cloud and the controls available to them, so they can shift their threat models to this new and very different world of distributed perimeters and unfamiliar trust boundaries.

Even the most mature organizations will inevitably have their security posture challenged, so this course dives deep into architectures that enable Security Operations Centers to monitor, detect, respond to and recover from incidents in the cloud. Students learn how to support business goals with robust logging of cloud telemetry and with centralization of the events and insights gathered at the edge. The course equips the architect to ensure adequate logging is configured in cloud environments and to develop recovery strategies that emphasize designing for availability.

SEC549 is built around the cloud migration journey of a fictional company and the challenges it encounters along the way. Students are tasked with phasing in a centralized identity plan, building large-scale micro-networks, and designing big data services for cloud-hosted applications. Both network-layer and identity-layer controls are covered in depth as complementary mechanisms for securing access to distributed resources. Centralizing identity is a core takeaway of the course, showcased through a discussion of fragmented identity and its perils, which grow with the rise of the cloud and the adoption of multiple cloud service providers. Students are taught the foundational concepts used when designing for phased identity consolidation so they can confidently tackle similar challenges on the job.

"I would recommend this course. It hits many core aspects of secure design. Additionally, lack of Cloud Security Architecture and Strategy, and Insecure Design have been highlighted as a top risk by organizations like Cloud Security Alliance and OWASP. Cloud security architecture topics need to have more attention and focus in general." - Greg Lewis, SAP

  • Mitigate the risk posed by nascent cloud technologies and their rapid adoption
  • Decrease the risk of cloud migrations by planning a phased approach
  • Help your organization prevent identity sprawl and tech debt through centralization
  • Enable business growth by creating high-level guardrails
  • Prevent costly anti-patterns from becoming entrenched
  • Move your organization towards a Zero-Trust posture through the uplifting of existing access patterns
  • Enable business through secure cloud architectural patterns
  • Connect the dots between architectural patterns and real-life infrastructure
  • Build a secure, scalable identity foundation in the cloud
  • Centralize your organization's workforce identity to prevent sprawl
  • Build micro-segmented networks using hub and spoke patterns
  • Configure centralized network firewalls for inspecting north-south and east-west traffic
  • Learn how to incorporate both network-based and identity-based controls
  • Create data perimeters for cloud-hosted data repositories
  • Centralize and share Key Management Service (KMS) resources across an organization
  • Enable Security Operations to respond in the Cloud
  • Understand the telemetry and logging available across service models (IaaS, PaaS and SaaS)
  • Design recovery processes leveraging break-glass accounts
  • Strategically approach a phased cloud migration

The hands-on portion of the course is unique and especially suited to the student who wants to architect for the cloud. Each lab is performed by observing and correcting an anti-pattern presented as an architectural diagram. The "correct" version of each diagram is implemented as live infrastructure in AWS and made available to the student to explore the configurations. In this course, the students have access to an enterprise-scale AWS Organization and can observe all details discussed in the labs and throughout the course.

Each section of the course discusses security design considerations for all three major clouds; however, the emphasis is on working with AWS, and the labs are structured around AWS concepts.

Section 1:
  • Threat Modeling the Cloud
  • Centralizing User Account Provisioning
  • Structuring Accounts to Create Effective Hierarchies
  • Transitioning Access from IAM Users to Roles
Section 2:
  • Threat Modeling Zero-Trust Access
  • Integrating Modern Authentication into Legacy Applications
  • Scaling Cross-Cloud Authentication
  • Access Control for Shared Data Sets
Section 3:
  • Centralizing Network Security Controls
  • Building a Transit Gateway
  • Network Firewall Policies
  • VPC Private Network Access
Section 4:
  • Managing Access to Cloud-Native Storage
  • Data-Lake Access Controls and Governance
  • Architecting for Big Data Governance
  • Data Resiliency: Key Management and Backup Strategies
Section 5:
  • Centralizing Cloud-Native Events
  • Exporting Cloud Telemetry to an External SIEM
  • Architecting Network-layer Quarantine

"All three of today's labs were helpful in cementing the concepts. The 'See It In Action' portions were particularly useful." - Oritse Uku

"The book, material, labs allow for a very interactive learning experience regarding building and understanding cloud architecture."- Nevan Beal, Raymond James

"I really liked that architecture diagrams were incorporated in each."- Greg Lewis, SAP

"Exercises provoke thought and instill good discussions." - Soe San Win, Robert Bosch, LLC

  • Section 1: A foundational section covering IAM in the cloud, the higher-level resource containers in each of the three major cloud providers, and how to use restrictive policy to enforce guardrails on an enterprise-scale cloud estate.
  • Section 2: A heavy emphasis on zero-trust and how to use cloud services to employ a ZT strategy to authorize access to cloud resources and build guardrails preventing unauthorized access.
  • Section 3: Managing cloud network resources at scale requires an architect to understand cloud-native network controls. Learn how to centralize network configuration, enforce micro-segmentation, configure traffic inspection appliances, and share network services across accounts.
  • Section 4: Protecting data in the cloud requires security teams to examine cloud-native data protection capabilities. Learn how to protect and govern data stored in cloud-native storage and big data services.
  • Section 5: This section focuses on how to uplift a SOC's capabilities and adapt traditional methodologies to cloud-hosted environments, ensuring robust detection and response continues as an organization shifts its workloads to the cloud.
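The "restrictive policy as guardrail" idea from Section 1 is easiest to see with a small model of how an AWS Organizations Service Control Policy (SCP) is combined with a principal's IAM identity policy. The block below is an added illustration written for this page; it is not SANS courseware and not AWS's real evaluation engine (it ignores resource policies, permission boundaries, NotAction/NotResource and most condition operators). The account ID, the OrgBreakGlass role name and the approved-region list are hypothetical.

```python
"""Toy model of an SCP guardrail layered over an IAM identity policy.
Added illustration for this page, not SANS or AWS code. Simplifications:
only Effect/Action/Resource and four Condition operators are modelled."""
import fnmatch

# --- constructed policies; account ID, role and region names are hypothetical ---
GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        # SCPs are filters: this Allow sets the ceiling, it grants nothing by itself.
        {"Sid": "FullAccessCeiling", "Effect": "Allow", "Action": "*", "Resource": "*"},
        # Region guardrail, with an explicit carve-out for a break-glass role.
        {"Sid": "DenyOutsideApprovedRegions", "Effect": "Deny",
         "Action": "*", "Resource": "*",
         "Condition": {
             "StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "eu-west-1"]},
             "ArnNotLike": {"aws:PrincipalArn": "arn:aws:iam::*:role/OrgBreakGlass"}}},
        # Unconditional: nobody in a member account may disable the audit trail.
        {"Sid": "ProtectCloudTrail", "Effect": "Deny",
         "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"], "Resource": "*"},
    ],
}
ADMIN_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
S3_ONLY_POLICY = {"Version": "2012-10-17",
                  "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}


def request_context(region, role_name, account="111122223333"):
    """Build the condition-key context for a request made by an assumed role."""
    return {"aws:RequestedRegion": region,
            "aws:PrincipalArn": f"arn:aws:iam::{account}:role/{role_name}"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _arn_like(actual, patterns):
    return actual is not None and any(fnmatch.fnmatchcase(actual, p) for p in patterns)


def _conditions_hold(conditions, ctx):
    """True when every condition in the statement is satisfied by the context.
    Negated operators (StringNotEquals, ArnNotLike) match when the key is absent,
    mirroring how IAM treats missing keys for those operators."""
    for operator, key_values in (conditions or {}).items():
        for key, values in key_values.items():
            actual, values = ctx.get(key), _as_list(values)
            if operator == "StringEquals":
                ok = actual in values
            elif operator == "StringNotEquals":
                ok = actual not in values
            elif operator == "ArnLike":
                ok = _arn_like(actual, values)
            elif operator == "ArnNotLike":
                ok = not _arn_like(actual, values)
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if not ok:
                return False
    return True


def _statement_matches(stmt, action, resource, ctx):
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]  # actions are case-insensitive
    resources = _as_list(stmt.get("Resource", []))
    return (any(fnmatch.fnmatchcase(action.lower(), a) for a in actions)
            and any(fnmatch.fnmatchcase(resource, r) for r in resources)
            and _conditions_hold(stmt.get("Condition"), ctx))


def evaluate(policy, action, resource, ctx):
    """Single-policy verdict: explicit Deny wins, then Allow, else ImplicitDeny."""
    verdict = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if _statement_matches(stmt, action, resource, ctx):
            if stmt["Effect"] == "Deny":
                return "Deny"
            verdict = "Allow"
    return verdict


def is_authorized(scp, identity_policy, action, resource, ctx):
    """A member-account request succeeds only if BOTH layers allow it.
    The SCP can only shrink what the identity policy grants, never widen it."""
    return (evaluate(scp, action, resource, ctx) == "Allow"
            and evaluate(identity_policy, action, resource, ctx) == "Allow")


if __name__ == "__main__":
    for region, role in [("us-east-1", "Developer"), ("ap-southeast-1", "Developer"),
                         ("ap-southeast-1", "OrgBreakGlass")]:
        ctx = request_context(region, role)
        print(region, role, "ec2:RunInstances ->",
              is_authorized(GUARDRAIL_SCP, ADMIN_POLICY, "ec2:RunInstances", "*", ctx))
    print("admin cloudtrail:StopLogging ->",
          is_authorized(GUARDRAIL_SCP, ADMIN_POLICY, "cloudtrail:StopLogging", "*",
                        request_context("us-east-1", "Developer")))
```

Two properties worth noticing when running it: an account administrator with `*:*` still cannot stop CloudTrail or launch instances outside the approved regions, and a principal holding only `s3:*` gains nothing from the SCP's blanket Allow. Note that real SCPs do not apply to the Organizations management account, which is one reason the course stresses keeping workloads out of it.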
  • Privilege Escalation in GCP - A Transitive Path, webcast
  • It's Like Chipotle - Demystifying GCP PaaS Services, video
  • Breaking the Cloud Kill Chain, webcast
  • Lessons Learned Deploying Modern Cloud Systems in Highly Regulated Environments, webcast
  • Fix Security Issues Left of Prod, cheatsheet
  • Detecting and Locking Down Malware in Azure, blog
  • Top 5 Considerations for Multicloud Security, blog
  • Secure Service Configuration: AWS, Azure, GCP, poster
  • Cloud Ace Podcast
  • Printed and electronic courseware
  • architectural diagrams representing secure patterns you can use as reference architecture
  • Access to the SEC549 Cloud lab environment
  • MP3 audio files of the complete course lecture

Depending on your current role or future plans, one of these courses is a great next step in your cloud security journey:
  • Cloud Security Architect:
    • SEC510: Public Cloud Security: AWS, Azure and GCP
    • SEC540: Cloud Security and DevOps Automation
  • Cloud Security Engineer:
    • SEC540: Cloud Security and DevOps Automation
    • SEC510: Public Cloud Security: AWS, Azure and GCP
  • Cloud Security Manager:
    • MGT520: Leading Cloud Security Design and Implementation
    • MGT516: Managing Security Vulnerabilities: Enterprise and Cloud


Start date: 25 Sep 2023
Location / delivery: Virtual
