This summer James Arlen and I are teaching the recently updated cloud security class we developed for the Cloud Security Alliance (CCSK Plus). We are pretty excited to teach this at Black Hat, and will be bringing a few extra tricks to handle the more advanced audience we expect.
The class runs two days and covers a huge amount of material. The first day is mostly lecture, covering:
- Introduction to cloud computing and cloud architectures.
- Securing cloud infrastructure (public and private).
- Governing and managing risk in cloud computing (yep, we have to cover compliance, but we also include incident response).
- Securing cloud data.
- Application security and identity management for cloud.
- Selecting and managing cloud providers.
This gives you everything you need to take the CCSK test if you want.
The second day is where the real fun starts – we spend pretty much the entire time in labs. Including:
- Assessing cloud risk. This is a tabletop risk management exercise focused on practical scenarios.
- Launching and securing public cloud instances. You’ll learn the ins and outs of Amazon EC2 as you launch and secure your first instance. This includes a deep dive into security groups, picking AMIs, and using initialization scripts to auto-update and configure instances.
- Encrypting cloud data. We encrypt a storage volume using
dm-cryptand dig into different key management scenarios and encryption options. We may have some new demos here of products just hitting the market.
- Building secure cloud applications. We expand on what we have created to build a multi-tier secure application, focusing on proper use of hypersegregation by splitting application components.
- Federated identity and using IAM to harden the management plane. We add a little OpenID to our application. Up to this point everything builds out into a complete stack and all the exercises tie together. We also work with AWS IAM and how to use different kinds of credentials and templates to segregate things at the management plane.
- Securing a private cloud. Using your laptops and our virtual machines we build a running OpenStack cloud in the classroom and run through the security essentials.
But here is the trick for Black Hat. Aside from teaching a very recently updated version of the class, we are preparing for a more technical audience. We will be bringing more advanced exercise options (on top of the basics so people with less experience can still get something out of the class), and even a demo attack tool PoC. We will feel the audience out but we already have some advanced (self-guided) exercises together.
If you’re interested you can sign up now.
Also, although this isn’t an instructor class, anyone who takes this (and contacts us ahead of time) will be eligible to complete additional, web-based instructor training free of charge after Black Hat. We aren’t a training organization, and we care more about getting more teachers out there than keeping it all to ourselves.
Hope to see you in Vegas!