Cloud Security Fundamentals
This seminar provides attendees with a comprehensive review of cloud technologies and cloud security fundamentals. The course covers all major domains identified in the Guidance document from the Cloud Security Alliance (CSA), the CSA Cloud Controls Matrix (CCM), including the mapping of its controls to other security frameworks, and the recommendations from the European Network and Information Security Agency (ENISA). Attendees will learn about key vulnerabilities in cloud solutions and strategies for managing those risks.
This course is available on-site at your location, or offered through open enrollment 12/1/20 - 12/3/20.
- 1 Introduction to the Cloud, Cloud architecture overview (key principles), Cloud service categories (IaaS, PaaS, SaaS), Cloud deployment models (public, private, hybrid, community).
- 2 Top Threats to Cloud Computing, Data breaches and losses, Account or service traffic hijacking, Insecure interfaces and APIs, Insufficient due diligence, OWASP Top 10 Threats.
- 3 Cloud operations and data centers, Data center design, Cloud resource sharing technologies: virtualization and containers, Configuration best practices, Security network configuration, Network security controls, Logical infrastructure for cloud environments, Cloud operations management.
- 4 Cloud Security Models, Cloud security data lifecycle, Information and data governance, Data storage and data dispersion, Relevant data security technologies, Masking, obfuscation, anonymization and tokenization.
- 5 Data Security and Encryption, Data classification, Data discovery and challenges in the cloud, Encryption key management.
- 6 Data Privacy, Privacy vs security, Privacy roles, Privacy agreements, Privacy impact assessments.
- 7 Identity Management, Identity and access management, Authentication, Federated identity management, Cloud Access Security Brokers.
- 8 Effectively managing security services in the cloud.
- 9 Application Security, Application security testing (static and dynamic), Cloud secure development lifecycle, Vulnerability assessments and penetration testing.
- 10 Review of Cloud Controls Matrix, OWASP Proactive security controls, Mapping of CCM to other industry frameworks (COBIT, NIST, PCI, etc.), Management of control for privacy and data protection.
- 11 Legal Issues related to Cloud Service Models, Global privacy and data protection laws in US, EU, APEC, Jurisdictional issues and international legislative conflicts, Common legal requirements, Legal controls, eDiscovery challenges and risks.
- 12 IT Governance for cloud computing, managing the risk, Risk profiles, Cloud risk assessments, Risk mitigation, Vendor management and supply chain management.
- 13 Incident Response, ITSM in the cloud, Collection and preservation of forensic evidence, Managing communications with customers, vendors, partners, regulators and other stakeholders, Cloud forensics.
- 14 Business Continuity and Disaster Recovery in the cloud, Critical success factors, SLAs, Relevant cloud infrastructure characteristics, Understanding BCDR risks, BCDR strategies in the cloud.
- 15 Assessing Cloud Providers, Discuss what should be included when assessing a new cloud provider or re-assessing an existing cloud provider, Articulating the goals for the self-assessment, Reviewing the planned activities for a typical cloud assessment, Confirming the typical information to be gathered when assessing a cloud provider, Explore the various types of audit and assessment reports provided by cloud providers.
- 16 Case studies as time permits.
The materials within this course focus on the Knowledge, Skills, and Abilities (KSAs) identified within the Specialty Areas listed below.
If you would like to provide feedback for this course, please e-mail the NICCS SO at NICCS@hq.dhs.gov.