Cloud Security Hands On (CCSK-Plus)

James Arlen, Securosis | July 22-23 & July 24-25



Overview

This course provides a solid foundation in cloud security, and includes a full day of hands-on labs to apply the principles in practice. It also includes new, expanded material for advanced students. We cover all the material needed to pass the version 4 of the Cloud Security Alliance Certificate of Cloud Security Knowledge (CCSK) exam, but add a pragmatic approach to immediate kick start your cloud security projects. For Black Hat, we also add expanded material to show you how to take cloud security to the next level by leveraging DevOps techniques and the characteristics of the cloud.

**Note: all labs use Amazon Web Services, and students will need to have an AWS account (instructions are sent before class) AND A LAPTOP. We do include demonstrations of some other major cloud platforms, such as Microsoft Azure, but all exercises are restricted to AWS.**

The course is designed to appeal to a wide range of skill levels, but we highly recommend a solid security foundation and, for the labs, experience making SSH connections. While most of the labs occur in a web browser, you will need to connect to Linux cloud servers and copy and paste a handful of command lines.

This training mixes lecture and lab modules across two days:

Module 1: Introduction to Cloud Computing. This module covers the fundamentals of cloud computing, including definitions, architectures, and the role of virtualization. Key topics include cloud computing service models, delivery models, and fundamental characteristics. It also introduces a model for assessing the risk of moving to the cloud.

Module 2: Securing Cloud Infrastructure. This module digs into the details of the different cloud delivery models and their basic security issues. Students will learn the differences between security responsibilities for SaaS, PaaS, and IaaS, and key questions to ask a potential provider. It includes recommendations for both public and private cloud. The instructors will also demonstrate creating and applying security to a simple cloud instance on IaaS.

Module 3: Managing Cloud Security and Risk. This module covers important considerations for managing security for cloud computing. It begins with risk assessment and governance, then covers legal and compliance issues, such as discovery requirements in the cloud. It finishes with a discussion or portability and interoperability and managing incident response when working with cloud providers.

Module 4: Securing Cloud Data. One of the biggest issues in cloud security is protecting data. This module covers information lifecycle management for the cloud and how to apply security controls. Topics include the Data Security Lifecycle, cloud storage models, data security issues with different delivery models, and managing encryption in and for the cloud.

Module 5: Securing Cloud Users and Applications. This module covers identity management and application security for cloud deployments. Topics include federated identity and different IAM applications, secure development, and managing application security in and for the cloud.

Module 6: Selecting and Working with Cloud Providers. In this module, we review the key questions and considerations when selecting a cloud provider, and how to work with them over time. This includes both cloud computing providers, and Security as a Service providers.

Labs:

Exercise 1: Introduction and Risk Analysis. Students will be introduced to the day's scenario and build a threat model for migrating to the cloud.

Exercise 2: Root Account Security and Create and Secure a Public Cloud Instance. Students will create a basic cloud instance on a public cloud infrastructure and establish a security baseline. Topics include root account security with MFA, creating an AWS instance, establishing network security, and understanding machine images.

Exercise 3: Cloud Monitoring and Encrypt Public Cloud Data. In this module, students will dive into cloud storage options and learn the basics to encrypt data for their public cloud deployment. They will also enable cloud security monitoring.

Exercise 4: Create and Secure a Cloud Application. Now students will secure their first public application for the cloud, following best practices such as architecting their cloud application stack and managing appropriate network security.

Advanced Interlude: For Black Hat, we expand with a section on leveraging DevOps techniques and Software Defined Security. This section changes from year to year but is likely to include a discussion and demo (with code samples) of serverless, event-driven security.

Exercise 5: Identity Management for the Cloud. Students will create a basic federated identity infrastructure to support their cloud application and learn additional details on standards like SAML and OAuth. They will also delve into writing more-complex Amazon IAM policies.

Advanced Exercises: The course also includes advanced exercises on the following, which may be instructor lead or self paced depending on the skill level of the students:

Building dynamic security alerts in AWS
Understanding and security VPCs
Writing intermediate Amazon IAM policies
Implementing event-driven security

Who Should Take this Course

Security professionals who need to understand cloud computing security.

Student Requirements

A basic understanding of security fundamentals. You should know what most or all of the following terms mean: IAM, federated identity, hypervisor, SSH, key management, SDLC, IDS, and DLP. We cover more, but if you know most of those, you are ready. We also highly recommend you know how to use SSH and aren't afraid of entering a few pre-scripted commands into a terminal since we will ne connecting to Linux instances.

What Students Should Bring

A laptop and an active Amazon Web Services account (instructions will be provided).

What Students Will Be Provided With

Electronic materials

Trainers

James Arlen is Leviathan's Director of Risk and Advisory Services and a Contributing Analyst at Securosis. He is responsible for the development and delivery of Leviathan's professional services, assisting executive clients to develop and implement their information security policies and strategic plans. Over the past twenty years, James has delivered information security solutions to Fortune 500, TSE 100, and major public-sector organizations. In both a consultant and staff member role, James has led business and technical teams of professionals in both tactical short-term projects and multi-year organizational change initiatives. James has held key contributor roles, including both being the CISO of a publicly traded financial institution and being the Information Security Coordinator at a large-scale power utility. Among other major technical accomplishments, James has architected and built multi-million dollar security infrastructure, handled incident response and event containment, written multiple policy and standards suites, and completed penetration testing activities as both a leader and as a team member. James is involved in information security policy, process, and procedure improvements for internationally-known manufacturing and financial organizations. James is also a frequent speaker at industry conferences, and his commentary can often be found in trade publications. James is a prolific contributor to standards bodies, having been an author for the Cloud Security Alliance's CloudAudit, Guidance for Critical Areas of Focus in Cloud Computing, and Certificate of Cloud Security Knowledge (CCSK) training and testing material; he also serves as one of the CCSK instructor trainers. He was also a contributor to the ISACA-published whitepaper "Guiding Principles for Cloud Computing Adoption and Use." In addition to being a Certified Information Systems Auditor (CISA), James has been Certified in Risk and Information Systems Control (CRISC) by ISACA. James also holds the Certified Information Systems Security Professional (CISSP) credential.