1 CENTER FOR ADVANCED SECURITY TRAINING 618 Designing and Implementing Cloud Security
2 About EC-Council Center of Advanced Security Training () The rapidly evolving information security landscape now requires professionals to stay up to date on the latest security technologies, threats and remediation strategies. was created to address the need for quality advanced technical training for information security professionals who aspire to acquire the skill sets required for their job functions. courses are advanced and highly technical training programs co-developed by EC-Council and well-respected industry practitioners or subject matter experts. aims to provide specialized training programs that will cover key information security domains, at an advanced level.
3 Designing and Implementing Cloud Security Course Description Most businesses around the world, small and large, use multiple cloud services to handle business-critical data. Though cloud services offer improved efficiency, reduced costs, greater accessibility and flexibility, they also increase security risk. Cloud leaders focus on measures to reduce data breaches, maintain confidentiality, and preserve integrity, authenticity and completeness. Other areas of concern are risk factors associated with virtual machines, vulnerabilities from shared resources, and issues with encryption. Recent hacking attacks on Dropbox, Google s DNS, LinkedIn, etc. are only indications of larger threats to cloud services and data security. According to McAfee Labs 2014 Threats Predictions report, deployment of cloud-based corporate applications will create new attack surfaces that will be exploited by cybercriminals. The Designing and Implementing Cloud Security course provides comprehensive knowledge of cloud services, their characteristics, benefits, applications, and service models. The course will help professionals understand the risks and threats associated with cloud service adoption and migrating business-critical data to third party systems. The program covers planning, designing, and implementing cloud security controls. It delves in to various cloud standards, countermeasures, and best practices to secure information in the cloud. The program also emphasizes the business aspects of cloud security such as cloud uptime, uptime guarantee, availability, fault tolerance, fail-over policy, and how cloud security strengthens the business case for cloud adoption.
4 Designing and Implementing Cloud Security The Program Addresses Critical Cloud Governance, Risk Management, and Compliance (GRC) Issues Encryption Key Management Identity and Access Management Privacy Breach Cloud Forensics Penetration Testing The Designing and Implementing Cloud Security course prepares IT and business leaders to address the risks and challenges of cloud adoption.
5 What Will You Learn? After completing this course, students will learn: Fundamentals of cloud computing, cloud services, its characteristics, benefits, and applications Cloud computing service models, deployment models and security considerations of cloud computing Secure cloud computing environment design Data center, online storage options, cloud based server capacity, and cloud server virtualization Cloud computing standards
6 Cloud uptime, optimizing cloud performance, availability and its characteristics Cloud fault tolerance, load balancing, and cloud failover policies Best practices of virtualization and cloud implementation Cloud security, cloud security control layers, encryption and key management, identity access management, federated identity management, and IAM standards for consumers Cloud configuration management, patching modes, standardized policy creation, and cloud-based patch management tools Cloud computing risk assessment and cloud penetration testing Intrusion detection systems (IDS) in a cloud environment Types of attacks on a cloud environment and techniques to overcome attacks Legal issues such cloud computing contracts, vendor transitioning, auditing cloud data, maintaining privacy and confidentiality, geographic jurisdiction, limitations on vendor liability, and taxation challenges Compliance to established industry standards, acts, and laws including PCI-DSS, HIPAA, Sarbanes-Oxley, and Data Protection Act
7 Who Should Attend IT Security Managers Cloud Security Professionals Entrepreneurs Database and Web Developers Security Auditors and Compliance Managers Network and System Administrator Duration 3 days (9:00 5:00)
8 Course Outline Module 01: Fundamentals of Cloud Computing Cloud Computing Cloud Computing Characteristics Benefits of Cloud Computing Economics of Cloud Computing Application of Cloud Computing in Various Domains Cloud Computing for Enterprises Linux Security Countermeasures Cloud Computing Service Models Cloud Deployment Models Private Cloud Computing Public Cloud Computing Hybrid Cloud Computing Community Cloud Computing Cloud Computing Service Model Applications Challenges in Cloud Computing Adoption Major Barriers to Cloud Computing Adoption 7 Steps for Migrating Services to Cloud What Should Not be Moved to the Cloud Cloud Computing Security Risks Cloud Computing Attacks Cloud Computing Security Considerations Cloud Security Best Practices Case Study
9 Module 02: Designing a Secure Cloud Computing Environment Layers of Cloud Computing Single and Multi-Tenancy Environments Cloud SLA Service Oriented Architecture Cloud Deployment Requirements Cloud Networking Monitoring Performance Communication Requirements for Cloud Cloud Security Physical vs. Virtual Security Cloud Application Security Best Practices Prerequisites for Building your Cloud Infrastructure Cloud Computing Reference Architecture, Models and Framework Cloud Cube Model Types of Data Centers Cloud Storage Networks Cloud Computing Providers Google s Cloud Build, Debug and Deploy Apps for Google App Engine using exo Cloud IDE Open Source Data Center and Cloud Software Pros and Cons in Deploying Open- Source Cloud Systems Cloud-based Server Capacity Cloud Server Capacity Providers Do s and Don ts of Cloud-based Server Capacity Cloud Server Virtualization Cloud Capacity Planning Tool: Server File System Analytics Utility: CopperEgg Xeround Cloud Database for MySQL Applications Data Center Design Standards Data Center and Cloud Cloud Computing and Cloud Storage
10 Module 03: Cloud Computing Standards Why Cloud Environment Need Standards? Benefits of Standardized Policies Cloud Ecosystem and Standards Role of Cloud Standard Organizations Standards Development Organizations in Cloud Computing
11 Module 04: Cloud Uptime and Availability Terminology Data Backup on Cloud Cloud Outage/Failure and Cloud Backup and Disaster their Impacts Recovery Benefits Lessons to be Learnt from Cloud Outages Rackspace Cloud Load Balancer Control Panel Importance of Uptime High Availability Definition Guarantee Fault Tolerance Load Balancing Solutions Recommendations for Fault Tolerance Techniques Best Practices for Optimal HAProxy - The Reliable, Maximizing Uptime Pingdom Cloud Uptime Monitoring High Performance TCP / HTTP Load Balancer Tools Cloud Failover Policy Cloud Availability SaaS-Specific Rider Recommendations PaaS-Specific Rider IaaS-Specific Rider Geminare s Cloud for Cloud Providers to Improve Availability Recommendations for Cloud Users to Improve Availability Recovery/Auto Failover Load Balancing Cloud Performance
12 Module 05: Virtualization on Cloud Virtualization Terminologies Introduction to Virtualization Virtualization Vendors Importance of Virtualization Datacenter & Cloud Infrastructure Product: vsphere Characteristics of Virtualization Virtualization Vendors Virtualization Techniques Virtualization Security Best Practices for Administrators Type 1 and Type 2 Hypervisors Why we need Virtualization for Cloud? Best Practices for VM Security
13 Module 06: Cloud Security What is Cloud Security? Top Ten Threats to Cloud Security Data Breach Data Loss Account Hijacking Insecure Interfaces and APIs Denial-of-Service (DoS) Malicious Insiders Abuse of Cloud Services Password Cracking Services on Cloud Insufficient Due Diligence Shared Technology Issues Unknown Risk Profile Cloud Sprawl Cloud Security Controls Cloud Security Control Layers Placement of Security Controls in the Cloud Cloud Security is the Responsibility of both Cloud Provider and Consumer Encryption and Key Management Tips to Protect Encryption Keys Enhancing Encryption Strength: Hardware/Software Protection Identity and Access Management (IAM) Securing Identity Provisioning Securing Authentication in Saas and Paas Environments Securing Authentication in Saas and IDaaS Environments Federated Identity Management Securing Federated Identity Management Securing Access in Clouds Using Security Assertion Markup Language (SAML) for Federated Single Sign-on Using Service Provisioning Markup Language (SPML) for IAM Using exensible Access Control Markup Language (XACML) for IAM Using Open Authentication (OAuth) for IAM IAM Standards for Consumers CloudPassage Cloud Security Vendors Best Practices for Securing Cloud
14 Module 07: Cloud Configuration and Patch Management Cloud Configuration Management Cloud Configuration Management Approaches VMware vcenter Configuration Manager NephoScale s Configuration Management Configuration Management Systems Patch Management Challenges in Cloud Vulnerable Areas that need Patch in Cloud Patch Management Process Workflow Patch Management Process Flow Overview Patch Management Process Major Challenges to the Patch Management Flow Key Considerations for Patch Management in Cloud Creating Standardized Patch Management Policies Cloud-based Patch Management tools Checklist for Selecting a Cloud Patch Service Provider
15 Module 08: Penetration Testing and Risk Assessment Cloud Computing Risk Assessment Cloud Computing Risk Categories Risk Assessment Metrics What is Cloud Pen Testing? Why Penetration Testing? Penetration Test vs. Security Assessment Phases of Penetration Testing Key Considerations for Pen Testing in the Cloud Scope of Cloud Pen Testing Cloud Penetration Testing Steps Recommendations for Cloud Testing Introduction to Virtualization Prerequisites to Virtual Machine Pen Testing Virtual Environment Pen Testing Virtual Machine Penetration Testing Steps Vulnerability Assessment Tool Configuration Management Tools Virtualization Assessment Toolkit Virtualization Best Practices
16 Module 09: Cloud Computing Legal Issues Key Legal Issues Cloud Computing Contracts General Terms used in Cloud Contracts Non Negotiable Contracts Issues with Sub Contracts Business Continuity Issues Interoperability Issues Getting through SLAs Vendor Transitioning Tracking and Auditing Cloud Data Privacy and Confidentiality Geographic Jurisdiction Limitations on Vendor Liability Ending the Arrangement Compliance and Audit Compliance Contract Challenges Recommendations for Compliance and Audit Taxation Challenges Cloud Computing Legal Checklist Checklist for Invalidating Legal Issues in Cloud Provider Selection 9 Questions to Ask Before Signing a Cloud Computing Contract 9 Best Practices for Cloud Computing Contracts Cloud Computing Acts
17 Module 10: Using iphones, Tablets and other devices to Access Cloud Mobile Cloud Computing (MCC) Mobile Cloud Computing Applications Operating Systems for Smartphones Mobile Web Browsers Cloud Apps on Smartphones Benefits of Mobile Access to Cloud Limitations of Mobile Access to Cloud Mobile Virtualization Platform (MVP) Mobile E-commerce Security Checkpoints Virtual Terminal Working of a Virtual Terminal Virtual Terminal Security Benefits Mobile Cloud Collaboration Applications iphone apps for Business Collaboration Android apps for Collaboration Mobile Spy Stolen Mobile Tracking Software Threats of Mobile Malware Mobile Cloud Threats and Countermeasures Mobile Client Security Software How to Set a Passcode on Lock Screen of iphone 5 Secured Mobile Cloud Access Mobile Device Security Guidelines for Administrator General Guidelines for Mobile Platform Security Best Practices for Secured Mobile Cloud Access
18 Master Trainer: Haja Mohideen VP- TECHNOLOGY, EC- COUNCIL Mr. Haja Mohideen is the VP- Technology and Co-Founder of EC-Council. He manages the certifications and training programs for EC-Council, and leads the product development team. He is known worldwide as the creator of the popular EC-Council certification programs Certified Ethical Hacker (C EH), Computer Hacking Forensics Investigator (CHFI), EC-Council Certified System Analyst / Licensed Penetration Tester (ECSA/LPT) and EC-Council Certified Secure Programmer (ECSP), among others. Haja has 17 years of experience specializing in the development, support and project management of PC software and hardware. He has trained various Fortune 500 companies as well as US government agencies. He is also the Master Trainer for EC-Council courses, and his training is often sought after globally. He has led training in many countries including Greece, India, USA, Indonesia, Singapore, England, Mexico, amongst others. Haja is also one of few who are qualified to conduct train the trainer sessions for EC-Council courses. Haja holds a Masters Degree in Software Engineering and has numerous industry-wide IT certifications from Microsoft, IBM, Cisco, Motorola, 3COM, Adobe, Intel and many others. He carries over 90 vendor certifications.
Data Protection Act 1998 Guidance on the use of cloud computing Contents Overview... 2 Introduction... 2 What is cloud computing?... 3 Definitions... 3 Deployment models... 4 Service models... 5 Layered
Security Threats in Cloud Computing Environments 1 Kangchan Lee Electronics and Telecommunications Research Institute email@example.com Abstract Cloud computing is a model for enabling service user s ubiquitous,
GOVERNANCE STRATEGIES New Requirements for Security and Compliance Auditing in the Cloud Cloud computing poses new challenges for IT security, compliance, and audit professionals who must protect corporate
CLOUD COMPUTING: IS YOUR COMPANY WEIGHING BOTH BENEFITS & RISKS? Toby Merrill CLOUD COMPUTING: IS YOUR COMPANY WEIGHING BOTH BENEFITS & RISKS? Toby Merrill Toby Merrill, Thomas Kang April 2014 Cloud computing
Investigation of IT Auditing and Checklist Generation Approach to Assure a Secure Cloud Computing Framework Rajni Maheshwari M.Tech (Computer) College of Engineering, Bharati Vidyapeeth Deemed University
November 09 Benefits, risks and recommendations for information security ABOUT ENISA The European Network and Information Security Agency (ENISA) is an EU agency created to advance the functioning of the
INTRODUCTION Legal practices are increasingly using cloud storage and software systems as an alternative to in-house data storage and IT programmes. The cloud has a number of advantages particularly flexibility
Special Publication 800-146 DRAFT Cloud Computing Synopsis and Recommendations Recommendations of the National Institute of Standards and Technology Lee Badger Tim Grance Robert Patt-Corner Jeff Voas NIST
Thought Leadership Paper Cloud Computing in the Hedge Fund Industry About Eze Castle Integration Eze Castle Integration is the leading provider of IT solutions and private cloud services to more than 600
WHITE PAPER Staying Secure in the Cloud Considerations for Migrating Communications Solutions to Cloud Services Table of Contents 1. Overview...3 2. Introduction...3 3. Privacy vs. security... 3 4. What
Risk perception and risk management in cloud computing: Results from a case study of Swiss companies Nathalie Brender Haute Ecole de Gestion de Genève Campus de Battelle, Bâtiment F 7 route de Drize, 1227
1 October 2013 Cloud Security Whitepaper A Briefing on Cloud Security Challenges and Opportunities SINTEF ICT Software Engineering, Safety and Security Martin Gilje Jaatun, Per Håkon Meland, Karin Bernsmed
White Paper Information Security, Virtualization, and the Journey to the Cloud By Jon Oltsik August, 2010 This ESG White Paper was commissioned by Trend Micro and is distributed under license from ESG.
IT@Intel White Paper Intel IT IT Best Practices Cloud Computing and Information Security January 2012 Virtualizing High-Security Servers in a Private Cloud Executive Overview Our HTZ architecture and design
Enterprise Mobility Management: A Data Security Checklist Executive Summary Secure file sharing, syncing and productivity solutions enable mobile workers to access the files they need from any source at
Checklist to Assess Security in IT Contracts Federal Agencies that outsource or contract IT services or solutions must determine if security is adequate in existing and new contracts. Executive Summary
Cloud Service Level Agreement Standardisation Guidelines Brussels 24/06/2014 1 Table of Contents Preamble... 4 1. Principles for the development of Service Level Agreement Standards for Cloud Computing...
The Critical Security Controls for Effective Cyber Defense Version 5.0 1 Introduction... 3 CSC 1: Inventory of Authorized and Unauthorized Devices... 8 CSC 2: Inventory of Authorized and Unauthorized Software...
Xerox Litigation Services In the Cybersecurity Hot Seat: How Law Firms are Optimizing Security While Reducing Cost and Risk Your Highest Priority is also Your Greatest Challenge Data breaches are not just
Firewall Strategies June 2003 (Updated May 2009) 1 Table of Content Executive Summary...4 Brief survey of firewall concepts...4 What is the problem?...4 What is a firewall?...4 What skills are necessary
[DRAFT] A Model Curriculum for Programs of Study A Model Curriculum for Programs of Study in Information Security and Assurance in Information Security and Assurance v. 6.0 February 2013 [DRAFT] http://infosec.kennesaw.edu/infoseccurriculummodel.pdf
Securing software systems in the health care domain Monika Katrin Kosmo Master of Science in Communication Technology Submission date: June 2014 Supervisor: Poul Einar Heegaard, ITEM Co-supervisor: Karin
Cyber Security Planning Guide The below entities collaborated in the creation of this guide. This does not constitute or imply an endorsement by the FCC of any commercial product, service or enterprise
CLOUD COMPUTING READINESS VOLKER RATH VOLKER RATH 1 CONTENTS HOW SHOULD THIS GUIDE BE USED? 2 WILL MY COMPANY BENEFIT FROM 2 TRANSITIONING SERVICES TO THE CLOUD? CLOUD READINESS OVERVIEW 3 SECURITY CONCERNS