Advanced Cloud Security and Applied SecDevOps

Rich Mogull. Securosis | July 22-23 & July 24-25



Overview

Real-world cloud security is most definitely not business as usual. The fundamental abstraction and automation used to build cloud platforms upends much of how we implement security. The same principles may apply, but *how* they apply is dramatically different, especially at enterprise scale.

This highly technical course expands on the basics of our Cloud Security Hands on Training and delves deep into practical cloud security and applied SecDevOps, which is really the only way to survive when operating in the cloud. It focuses completely on Infrastructure and Platform as a Service, and will not cover Software as a Service. The training is laser-focused on technology, and *will not cover policies, risk, or governance issues* except as they come up in passing.

We begin on day one with an in-depth discussion of cloud platform technologies, giving you a look into how the services are built and managed, and the security implications. We will then quickly start building out a sandbox environment and deploying security controls.

Some of the topics and techniques covered will include (at a minimum):

  • Use of accounts for managing blast radius.
  • Building out advanced cloud virtual networks.
  • Leveraging inherent cloud capabilities for network security.
  • Use of DNS management, auto scale groups, load balancers, and other technologies for immutable infrastructure.
  • Advanced Identity and Access Management for cloud, including setting up SAML federation across providers.
  • Privileged user management, MFA, and other access essentials.
  • Securing serverless, PaaS and mixed IaaS/PaaS architectures.


Day two shifts gears to focus on designing secure architectures, integrating with DevOps, and building your own SecDevOps toolkit for managing cloud security at scale:

  • Fundamentals of SecDevOps.
  • Building secure deployment pipelines.
  • Integrating automated security testing into deployment pipelines.
  • Cloud security architectural patterns for major application types.
  • Cloud data security and encryption.
  • Automating continuous security monitoring and alerting using cloud native capabilities.
  • Security automation through the console.
  • Security automation through code.
  • Scaling your security operations to hundreds (or thousands) of accounts through automation.


Most labs will be in Amazon Web Services, with some demonstrations and integrations with Microsoft Azure.

Who Should Take this Course

Technical security professionals wanting to expand their hands-on knowledge of cloud security and SecDevOps.

Student Requirements

Students should have basic familiarity with at least one public cloud provider (Amazon or Azure) and hands-on experience launching and managing basic instances/services. They should also be comfortable with the command line and basic scripting.

Additionally, we highly encourage students to understand basic Ruby programming for the coding portions. Code snippets will be provided, so students with experience in other languages should be able to keep up.

This is a very broad, advanced training that requires a diverse skill set to complete all the labs. Students may fall behind in certain sections due to the rapid pace, but the labs can all be completed outside of the training environment if needed. Only about 10% of those who take the class have the background to complete every hands-on portion, but we ensure through lecture that everyone gains the needed knowledge.

What Students Should Bring

A laptop with SSH and wireless connectivity. Students MUST sign up for Amazon Web Services before training begins, and bring their credentials and keys.

What Students Will Be Provided With

Electronic training materials

Trainers

Rich Mogull has twenty years of experience in information security, physical security, and risk management. He specializes in cloud security, data security, application security, emerging security technologies, and security management. He is also the principal course designer of the Cloud Security Alliance training class and actively works on developing hands-on cloud security techniques. Prior to founding Securosis, Rich was a Research Vice President at Gartner on the security team. Prior to his seven years at Gartner, Rich worked as an independent consultant, web application developer, software development manager at the University of Colorado, and systems and network administrator. Rich is the Security Editor of TidBITS and a frequent contributor to publications ranging from Information Security Magazine to Macworld. He is a frequent industry speaker at events including the RSA Security Conference, Black Hat, and DefCon, and has spoken on every continent except Antarctica (where he's happy to speak for free -- assuming travel is covered).