Course Description:
DAY ONE
Introduction
- Introductions
- Objectives of course
- Agenda
Cloud Concepts
- What is Cloud Computing?
- Why is everyone moving to the Cloud?
- Cloud computing model
- Infrastructure, Platform, and Software as a Service
- Boundaries and responsibilities
- Cloud Service Providers – Gartner Magic Quadrant(s)
- Cloud reference architectures
Virtualization
- Overview of different virtualization technologies and types covering storage, networks, and systems.
Cloud Security Frameworks, Principles, Patterns and Certifications
- Security Principles
- Separation and layers as security controls
- Cloud Security Alliance (CSA) Cloud Control Matrix
- GOV.UK Cabinet Office and NCSC Cloud Security Principles
- Security Architecture Frameworks
- Security Architecture Patterns
- Cloud Security Architecture Patterns
- Trusted Cloud Initiative Reference Architecture
- Cloud Security Certifications
AWS Security Technologies
- EC2 (Elastic Compute Cloud) and VPC (Virtual Private Cloud) fundamentals
- Availability zones and regions
- Internet Gateway, Elastic IPs, NAT Gateway, Direct Connect
- Security Implications of Elastic Load Balancing (ELB) and auto-scaling
- Security Groups, Flow Logs, S3, ACLs and subnet routing
- AWS Config, CloudTrail, CloudWatch, Trusted Advisor
- IPSec VPN options: AWS VPNs, third party solutions
- Amazon CloudFront, AWS WAF (Web Application Firewall) and AWS Certificate Manager
- Vulnerability management using Amazon Inspector
- AWS Key Management Service (KMS) and CloudHSM
- AWS Identity and Access Management (IAM)
- Labs providing practical experience of implementing and using AWS security technologies
Quiz
- End of day knowledge check – exam-style questions
DAY TWO
Microsoft Azure and Office 365
- Azure platform security architecture
- Azure Virtual Networks
- Azure network security best practices
- Azure data security and encryption best practices
- Azure Active Directory
- Federated identity and Single Sign-On
- Azure Multi-factor authentication
- Azure Key Vault
- Azure Virtual Machine encryption
- Microsoft Antimalware for Azure Cloud Services and Virtual Machines
- Azure Security Center
- Office 365 Service Architectures
- Office 365 security across physical, logical and data layers
- Office 365 email encryption options
- Exchange Online Protection
- GOV.UK Microsoft Office Security Guidance
- Labs providing practical experience of implementing and using Microsoft Azure security technologies
Google Apps for Work
- Google Apps for Work applications and architectures
- Integration with corporate directories
- Single sign-on, enforcement of corporate device use, and threat prevention
- GOV.UK Google Apps for Work Security Guidance
- Google Admin Console
- Google Authenticator
- Organizational Units
- Administrative roles
- Data privacy opt-in
Assurance
- Center for Internet Security (CIS) Foundations Benchmarks (e.g. the CIS AWS Foundations Benchmark)
- Penetration tests of cloud environments
- External audit and configuration review
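As an added example (not part of the course materials) of the kind of configuration review the Day One security-group material and the CIS Foundations Benchmarks call for, the Python script below walks security groups in the shape returned by `aws ec2 describe-security-groups` and flags administrative ports reachable from the whole internet. The sample groups, their IDs and names, and the ADMIN_PORTS list are constructed for this example; a real review would feed it the JSON from the API call.

```python
"""Flag security groups that expose administrative ports to the internet.

Added example, not part of the course materials: SAMPLE_GROUPS is constructed
to mirror the shape of `aws ec2 describe-security-groups` output (GroupId,
IpPermissions, IpRanges/Ipv6Ranges); the group IDs, names and the ADMIN_PORTS
list are this example's own assumptions.
"""
import ipaddress

# Ports that should never be reachable from 0.0.0.0/0 or ::/0 (assumed list).
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}

WORLD = (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0"))

# Constructed sample with the same structure as the EC2 API response.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0a1b2c3d", "GroupName": "bastion",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-0e4f5a6b", "GroupName": "web",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            {"IpProtocol": "-1",
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-0c7d8e9f", "GroupName": "legacy-db",
        "IpPermissions": [
            {"IpProtocol": "-1",
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
]


def _is_world(cidr: str) -> bool:
    """True if the CIDR covers the entire IPv4 or IPv6 address space."""
    return ipaddress.ip_network(cidr, strict=False) in WORLD


def _admin_ports_in(perm: dict) -> set:
    """Admin ports an IpPermission covers; IpProtocol '-1' means all traffic."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return set(ADMIN_PORTS)
    if proto not in ("tcp", "udp", "6", "17"):
        return set()  # ICMP and friends carry no TCP/UDP port
    lo, hi = perm["FromPort"], perm["ToPort"]
    return {p for p in ADMIN_PORTS if lo <= p <= hi}


def review_security_groups(groups):
    """Return (GroupId, service, cidr) findings for world-open admin ports."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            world = [c for c in cidrs if _is_world(c)]
            if not world:
                continue
            for port in sorted(_admin_ports_in(perm)):
                for cidr in world:
                    findings.append((sg["GroupId"], ADMIN_PORTS[port], cidr))
    return findings


if __name__ == "__main__":
    for group_id, service, cidr in review_security_groups(SAMPLE_GROUPS):
        print(f"{group_id}: {service} open to {cidr}")
```

Port 443 open to the world on the web group is intentionally not reported: the check is about administrative and database ports, which is the distinction the benchmark draws, not about public listeners in general.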
Data Protection and Compliance
- Personally Identifiable Information (PII) and Personal Data
- UK Data Protection Act and Information Commissioner’s Office (ICO)
- European Union (EU) Data Protection Directive
- EU General Data Protection Regulation (GDPR)
- Cyber Essentials Plus
- Cloud Security Alliance STAR
- PCI DSS
- AICPA SOC 3 (part of the SOC reporting framework that replaced SAS 70)
- ISO 27001
Quiz
- End of day knowledge check – exam-style questions
DAY THREE
Containers
- Concept of containers
- Docker
- Why development teams are moving to containers
- Security issues of containers
- Container security good practice
- CIS Docker Benchmark and the Docker Bench for Security tool
- Orchestration – Kubernetes
- Security features of Kubernetes
- Orchestration – Docker Swarm
- Cloud Service Provider container platforms (AWS, Azure, Google)
- Container security solutions (e.g. Twistlock, NeuVector, Aqua Security)
- Labs providing hands-on experience of Docker containers and potential security issues
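As an added example (not part of the course, and not output of Docker Bench for Security, which audits the host and daemon rather than build files), the Python script below applies a handful of image-build checks of the kind the CIS Docker Benchmark's image and build-file section covers: unpinned base image, no non-root USER, ADD instead of COPY, secret-looking ENV values, and no HEALTHCHECK. Both Dockerfiles are constructed, and the finding wording is this example's own.

```python
"""Static checks on a Dockerfile for common image-build weaknesses.

Added example, not part of the course or of Docker Bench for Security: the two
Dockerfiles below are constructed and the rule wording is this example's own,
modelled on the image/build-file section of the CIS Docker Benchmark.
"""
import re

SECRET_NAME = re.compile(r"PASSWORD|SECRET|TOKEN|API_KEY", re.IGNORECASE)

# Constructed: a Dockerfile with five separate problems.
BAD_DOCKERFILE = """\
FROM ubuntu
ADD app.tar.gz /opt/app
ENV DB_PASSWORD=hunter2
RUN apt-get update && apt-get install -y \\
    curl
CMD ["/opt/app/run"]
"""

# Constructed: the same service built to pass every check.
GOOD_DOCKERFILE = """\
FROM python:3.11-slim
COPY app/ /opt/app/
RUN useradd --system --no-create-home app
USER app
HEALTHCHECK CMD ["/opt/app/healthz"]
CMD ["/opt/app/run"]
"""


def parse_dockerfile(text):
    """Return (INSTRUCTION, argument) pairs; comments dropped, backslash continuations joined."""
    instructions, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        buf += line
        instr, _, arg = buf.partition(" ")
        instructions.append((instr.upper(), arg.strip()))
        buf = ""
    return instructions


def check_dockerfile(text):
    """Return a list of human-readable findings; an empty list means clean."""
    instrs = parse_dockerfile(text)
    findings = []

    for instr, arg in instrs:
        if instr == "FROM":
            image = arg.split()[0]              # drop any "AS stage"
            name = image.rsplit("/", 1)[-1]     # ignore a registry host:port prefix
            pinned = "@sha256:" in name or (":" in name and not name.endswith(":latest"))
            if not pinned:
                findings.append(f"FROM {image}: base image not pinned to a tag or digest")
        elif instr == "ADD":
            findings.append(f"ADD {arg}: prefer COPY (ADD auto-extracts archives and fetches URLs)")
        elif instr == "ENV":
            key = arg.split("=", 1)[0].split()[0]
            if SECRET_NAME.search(key):
                findings.append(f"ENV {key}: secret-looking value baked into image layers")

    users = [arg for instr, arg in instrs if instr == "USER"]
    if not users or users[-1].split(":")[0] in ("root", "0"):
        findings.append("no non-root USER: container processes will run as root")
    if not any(instr == "HEALTHCHECK" for instr, _ in instrs):
        findings.append("no HEALTHCHECK: orchestrator cannot detect a hung container")
    return findings


if __name__ == "__main__":
    for label, text in (("bad", BAD_DOCKERFILE), ("good", GOOD_DOCKERFILE)):
        print(f"{label}: {check_dockerfile(text) or 'clean'}")
```

The parser only handles the subset of Dockerfile syntax these checks need (one instruction per line, backslash continuations, comments); a production linter would also need to follow ARG substitution in FROM lines and multi-stage builds.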
Web Application Security
- OWASP Top 10
- Threat Modelling
- Secure Software Development Lifecycle
Cloud Identity Services
- SAML
- OAuth 1.0, OAuth 2.0 and OpenID Connect
- Cloud Identity Providers
Quiz
- End of day knowledge check – exam-style questions
DAY FOUR
Serverless
- Concept of ‘serverless’
- Pros and Cons
- AWS Lambda
- Step Functions
- DynamoDB
- SQS, SWS, S3
- Serverless application architecture
- Security implications
- Environment Variable encryption
- Azure Functions
- Google Cloud Functions
- Labs providing hands-on experience of Serverless architectures
Cloud Security as a Service
- Cloud Security Services
- Cloud analytics, e.g. Splunk Cloud
- Cloud security operations management, e.g. AlertLogic
Quiz
- End of day knowledge check – exam-style questions
Cloud Security Workshop
- Scenario requirement
- Develop security architecture in groups
- Present back to wider group, review and discuss
DAY FIVE
Automation
- Cloud service provider automation tools
- Terraform by HashiCorp
- Hardened build images
- Vault by HashiCorp
- Patching and update strategies
- DevSecOps
Continuous Integration Pipeline
- Automated environment testing
- Jenkins
- Security issues