Description

Course: CSF – Cloud Security Foundations

Overview

The Cloud Security Foundation class provides students a comprehensive two-day review of cloud security fundamentals. The course begins with a discussion of a basic risk assessment framework and then reviews each of the security domains put forth by the Cloud Security Alliance (CSA) and recommendations from the European Network and Information Security Agency (ENISA). Each domain area is discussed and reviewed followed by recommendations and requirements for each.

Audience Profile

This class is geared towards security professionals, but is also useful for anyone looking to expand their knowledge of cloud security including IT Managers and Business Managers tasked with deploying some or all of their IT services in the cloud. (We recommend attendees have at least a basic understanding of security fundamentals, such as firewalls, secure development, encryption, and identity management).

At course completion

Students should have a good understanding of the security issues and risks to consider when deploying IT services in the Cloud.

Course Outline

PART 1: CLOUD ARCHITECTURE

Cloud Computing Architectural Framework

• What is Cloud Computing
• What comprises Cloud Computing
• The Characteristics of Cloud Computing
• Multi-Tenancy
• Cloud Reference Model
• Cloud Deployment Models
• Recommendations
• Requirements

PART 2: GOVERNING IN THE CLOUD

Governance and Enterprise Risk Management

• Corporate Governance
• Enterprise Risk Management
• Permissions
• Recommendations
• Requirements

Legal Issues: Contracts and Electronic Discovery

• Legal Issues
• Contract Considerations
• Special Issues Raised by E-Discovery

Compliance and Audit Management

• Compliance
• Audit
• Recommendations
• Requirements

Information Management and Data Security

• Cloud Information Architectures
• Data (Information) Dispersion
• Information Management
• The Data Security Lifecycle
• Information Governance
• Data Security
• Recommendations
• Requirements

Interoperability and Portability

• An Introduction to Interoperability
• An Introduction to Portability
• Recommendations

PART 3: OPERATING IN THE CLOUD

Traditional Security, Business Continuity, and Disaster Recovery

• Establishing a Traditional Security Functions
• Human Resources Physical Security
• Assessing CSP Security
• Business Continuity
• Disaster Recovery
• Permissions
• Recommendations
• Requirements

Data Center Operations

• Data Center Operations
• Permissions
• Recommendations
• Requirements

Incident Response

• Cloud Computing Characteristics that Impact Incident Response
• The Cloud Architecture Security Model as a Reference
• Incident Response Lifecycle Examined
• Recommendations
• Requirements

Application Security

• Secure SDLC (Software Development Life Cycle)
• Authentication, Authorization, and Compliance – Application Security Architecture in the Cloud
• Identity, Entitlement, and Access Management for Cloud Application Security
• Application Penetration Testing for the Cloud
• Monitoring Applications in the Cloud
• Recommendations

Encryption and Key Management

• Introduction to Encryption
• Alternative Approached to Encryption
• Cryptography in Cloud Deployments
• Key Management
• Recommendations
• Requirements

Identity, Entitlement, and Access Management

• Terminology Used in this Document
• Introduction to Identity in a Cloud Environment
• Identity Architecture for the Cloud
• Identity Federation
• Provisioning and Governance of Identity and Attributes
• The Entitlement Process
• Authorization and Access Management
• Architectures for Interfacing to Identity and Attribute Providers
• Level of Trust with Identity and Attributes
• Provisioning of Accounts on Cloud Systems
• Identity-as-a-Service
• Compliance and Audit
• Application Design for Identity
• Identity and Data Protection
• Consumerization and the Identity Challenge
• Identity Service Providers
• Recommendations
• Requirements

Virtualization

• Hypervisor Architecture Concerns
• Recommendations
• Requirements

Security as a Service

• Ubiquity of Security as a Service
• Concerns When Implementing Security as a Service
• Advantages When Implementing Security as a Service
• Diversity of Existing Security as a Service Offerings
• Permissions
• Recommendations
• Requirements

Prerequisites

Students should have an IT background and foundational knowledge of security based on ISO/IEC 27002 and/or NIST 800-53 and CSA CCM3. Prerequisite knowledge is also covered in Day 1 of the course Security Essentials.

Additional Reading

• IST 800-53 – http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53Ar4.pdf (FREE)
• SA CCM3 – https://cloudsecurityalliance.org/download/cloud-controls-matrix-v3-0-1/ (FREE)
• SO/IEC 27002 – http://webstore.ansi.org/RecordDetail.aspx?sku=ISO%2fIEC+27002%3a2013+Plus+Redline ~$300