Practitioner Certificate in Cloud Security

There are no pre-requisites. However, we recommend that all delegates have an understanding of the general technologies, for example Operating Systems and Networking and Security principles. Experience of using cloud services and security technologies is helpful but not essential.

For those delegates looking for some pre-course general cloud security background, guidance and organisational compliance, the NCSC cloud security collection is probably the single best resource.

Delegates will learn about the following topics:

• Cloud Concepts
• Virtualisation
• Cloud Security Frameworks, Principles, Patterns and Certifications
• AWS Security Technologies
• Microsoft Azure and Office 365
• Google Cloud Platform and G Suite
• Assurance
• Data Protection and Compliance
• Containers
• Web Application Security
• Cloud Identity Services
• Serverless
• Cloud Security as a Service
• Automation
• Continuous Integration Pipeline
• DevSecOps

• Introductions
• Objectives of course
• Agenda

• What is Cloud Computing?
• Why is everyone moving to the Cloud?
• Cloud computing model
• Infrastructure, Platform and Software as a Service
• Boundaries and responsibilities
• Cloud Service Providers – Gartner Magic Quadrant(s)
• Cloud reference architectures

• Overview of different virtualisation technologies and types covering storage, networks and systems.

• Security Principles
• Separation and layers as security controls
• Cloud Security Alliance (CSA) Cloud Control Matrix
• GOV.UK Cabinet Office and NCSC Cloud Security Principles
• Security Architecture Frameworks
• Security Architecture Patterns
• Cloud Security Architecture Patterns
• Trusted Cloud Initiative Reference Architecture
• Cloud Security Certifications

• EC2 (Elastic Compute Cloud) and VPC (Virtual Private Cloud) fundamentals
• Availability zones and regions
• Internet Gateway, Elastic IPs, NAT Gateway, DirectConnect
• Security Implications of Elastic Load Balancing (ELB) and auto-scaling
• Security Groups, Flow Logs, S3, ACLs and subnet routing
• AWS Config, CloudTrail, CloudWatch, Trusted Advisor
• IPSec VPN options: AWS VPNs, third party solutions
• AWS CloudFront, Web Application Firewall and Certificate Manager
• Vulnerability management using AWS Inspector
• AWS Key Management Service (KMS) and CloudHSM
• AWS Identity and Access Management (IAM)

• Architecting on AWS - Lab 1 - Hosting a Static Website

• End of module knowledge check – exam style questions

• Azure platform security architecture
• Azure Virtual Networks
• Azure network security best practices
• Azure data security and encryption best practices
• Azure Active Directory
• Federated identity and Single Sign On
• Azure Multi-factor authentication
• Azure Key Vault
• Azure Virtual Machine encryption
• Microsoft Antimalware for Azure Cloud Services and Virtual Machines
• Azure Security Center
• Office 365 Service Architectures
• Office 365 security across physical, logical and data layers
• Office 365 email encryption options
• Exchange Online Protection
• GOV.UK Microsoft Office Security Guidance

• Architecting on AWS - Deploying a Web Application on AWS

• Google Apps for Work applications and architectures
• Integration with corporate directories
• Single sign-on to enforce use of corporate devices and threat prevention
• GOV.UK Google Apps for Work Security Guidance
• Google Admin Console
• Google Authenticator
• Organisational Units
• Administrative roles
• Data privacy opt-in

• Centre for Internet Security (CIS) Foundation Benchmarks
• Penetration tests of cloud environments
• External audit and configuration review

• Personally, Identifiable Information (PII) and Personal Data
• UK Data Protection Act and Information Commissioner’s Office (ICO)
• European Union (EU) Data Protection Directive
• EU General Data Protection Regulation (GDPR)
• Cyber Essentials Plus
• Cloud Security Alliance STAR
• PCI DSS
• AICPA SOC3 (formerly SAS70)
• ISO 27001

• End of module knowledge check – exam style questions

• Concept of containers
• Docker
• Why development teams are moving to containers
• Security issues of containers
• Container security good practice
• CIS Benchmark for Docker and Docker Bench tool
• Orchestration – Kubernetes
• Security features of Kubernetes
• Orchestration – Docker Swarm
• Cloud Service Provider container platforms (AWS, Azure, Google)
• Container security solutions

• Google Cloud Fundamentals: Getting Started with GKE
• Architecting on AWS - Automating Infrastructure Deployment with AWS CloudFormation

• OWASP Top 10
• Threat Modelling
• Secure Software Development Lifecycle

• SAML
• oAuth, oAuth 2.0 and OpenID Connect
• Cloud Identity Providers

• End of module knowledge check – exam style questions

• Concept of ‘serverless’
• Pros and Cons
• AWS Lambda
• Step functions
• Dynamo DB
• SQS, SWS, S3
• Serverless application architecture
• Security implications
• Environment Variable encryption
• Azure Cloud Functions
• Google Cloud Functions

• Architecting on AWS - Implementing a Serverless Architecture with AWS Managed Services

• Cloud Security Services
• Cloud analytics, e.g. Splunk Cloud
• Cloud security operations management

• End of module knowledge check – exam style questions

• Scenario requirement
• Develop security architecture in groups
• Present back to wider group, review and discuss

• Cloud service provider automation tools
• Terraform by Hashicorp
• Hardened build images
• Vault by Hashicorp
• Patching and update strategies
• DevSecOps

• Continuous Integration Pipeline
• Automated environment testing
• Jenkins
• Security issues

• Automating the Deployment of Infrastructure Using Terraform

• End of module knowledge check – exam style questions