Graduate Certificate Programs: Cloud Security

Graduate Certificate Programs: Cloud Security
sti cloud security

Graduate Certificate Program in
Cloud Security

Large and critical segments of enterprise networks are outsourced to cloud service providers (CSPs) such as Amazon Web Services (AWS), Azure, and Google Cloud Platform (GCP). This creates new types of vulnerabilities and incredible opportunities for cybersecurity professionals with specialized skills.

Designed for working information security professionals, the highly technical 12-credit-hour graduate certificate in Cloud Security prepares you to navigate your organization through the security challenges and opportunities presented by cloud service, and identify the risks of the various services offered by CSPs. You'll learn from some of the world's top cybersecurity experts, gain hands-on technical experience you can apply immediately on the job, and emerge with 4 industry-recognized GIAC certifications.


A 100% online option is available.

Applications are accepted monthly. Learn more.

Join Us for a Free Online Info Session

Overview of SANS.edu Graduate Programs
Thursday, August 12, 1:00 pm (ET)
Register here.

Cybersecurity Management Graduate Certificate
Featuring SANS Fellows David Hoelzer and Frank Kim
Thursday, August 26, 5:30 pm (ET)
Register here.

Learn How To

  • Identify the risks and risk control ownership offered by cloud service providers (CSPs), including Amazon Web Services (AWS), Azure, and Google Cloud Platform (GCP), based on the deployment models and service delivery models of the various products.
  • Articulate the business and security implications of a multi-cloud strategy.
  • Use hardening benchmarks, patching, and configuration management to achieve and maintain an engineered state of security for the cloud environment.
  • Leverage the Cloud Security Alliance Cloud Controls Matrix to select the appropriate security controls for a given cloud network security architecture and assess a CSP's implementation of those controls.
  • Evaluate the logging services of various CSPs and use those logs to provide the necessary accountability for events that occur in the cloud environment.
  • Use basic Bash and Python scripts to automate tasks in the cloud.
  • Implement network security controls that are native to both AWS and Azure.
  • Use Terraform to deploy a complete "infrastructure as code" environment to multiple cloud providers.
  • Perform a preliminary forensic file system analysis of a compromised virtual machine to identify indicators of compromise and create a file system timeline.
  • "I firmly believe, had it not been for SANS, my career would not be what it is today. My SANS education has enabled me to compete on a completely new level and given me the chance to network with industry greats."

    Steven Romero
    Engineer, Chevron

  • "I have my master's in computer science, but I completed
    two graduate certificate programs with SANS so I could
    truly dive deep into technical areas of cybersecurity
    and learn from instructors who are leading the industry."

    Jeff Sass
    Senior Engineering Manager, Adobe

  • "Earning a graduate certificate from SANS is what really
    accelerated my career. The technical skills I learned in the
    program have given me the confidence to successfully lead
    my team and prepare them for new challenges."

    David Cox
    Manager, Cyber Threat Management, EY

Curriculum | 12 credit hours

Click on each course title for a full description.

Required Core Courses | 6 credit hours:
ISE 6610: Cloud Security Essentials | SEC 488, GCLD

SANS class: SEC 488 Cloud Security Essentials
Assessment: GIAC GCLD
3 Credit Hours

ISE 6610: Cloud Security Essentials will equip you to implement appropriate security controls in the cloud, often using automation to “inspect what you expect.” Mature cloud service providers (CSPs) have created a variety of security services that can help customers use their products in a more secure manner, but much about cloud security still resides with the customer organization. This course covers real-world lessons using security services created by the CSPs as well as open-source tools. Each lesson features hands-on lab exercises to help you practice the lessons learned. You will progressively layer multiple security controls in order to end the course with a functional security architecture implemented in the cloud. The course begins by addressing one of the most crucial aspects of the cloud — Identity and Access Management (IAM). From there, you will learn to secure the cloud through discussion and practical, hands-on exercises related to several key topics to defend various cloud workloads operating in the different CSP models of: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).

You will be able to:

  • Identify the risks and risk control ownership based on the deployment models and service delivery models of the various products offered by cloud service providers (CSPs)
  • Evaluate the trustworthiness of CSPs based on their security documentation, service features, third-party attestations, and position in the global cloud ecosystem
  • Create accounts and use the services of any one the leading CSPs and be comfortable with the self-service nature of the public cloud, including finding documentation, tutorials, pricing, and security features
  • Articulate the business and security implications of a multi-cloud strategy
  • Secure access to the consoles used to access the CSP environments
  • Use command line interfaces to query assets and identities in the cloud environment
  • Use hardening benchmarks, patching, and configuration management to achieve and maintain an engineered state of security for the cloud environment
  • Evaluate the logging services of various CSPs and use those logs to provide the necessary accountability for events that occur in the cloud environment
  • Configure the command line interface (CLI) and properly protect the access keys to minimize the risk of compromised credentials
  • Use basic Bash and Python scripts to automate tasks in the cloud
  • Implement network security controls that are native to both AWS and Azure
  • Employ an architectural pattern to automatically create and provision patched and hardened virtual machine images to multiple AWS accounts
  • Use Azure Security Center to audit the configuration in an Azure deployment and identify security issues
  • Use Terraform to deploy a complete "infrastructure as code" environment to multiple cloud providers
  • Leverage the Cloud Security Alliance Cloud Controls Matrix to select the appropriate security controls for a given cloud network security architecture and assess a CSP's implementation of those controls using audit reports and the CSP's shared responsibility model
  • Follow the penetration testing guidelines put forth by AWS and Azure to invoke your “inner red teamer” to compromise a full stack cloud application
  • Use logs from cloud services and virtual machines hosted in the cloud to detect a security incident and take appropriate steps as a first responder according to a recommended incident response methodology
  • Perform a preliminary forensic file system analysis of a compromised virtual machine to identify indicators of compromise and create a file system timeline
ISE 6612: Public Cloud Security: AWS, Azure, and GCP | SEC 510, GPCS

SANS class: SEC 510 Public Cloud Security: AWS, Azure, and GCP
Assessment: GIAC GPCS
3 Credit Hours

ISE 6620, Public Cloud Security: Amazon Web Services (AWS), Azure, and Google Cloud Platform (GCP) teaches students how the major cloud providers work and how to securely configure and use their services and Platform as a Service (PaaS) offerings.

ISE 6620, Public Cloud Security: Amazon Web Services (AWS), Azure, and Google Cloud Platform (GCP) teaches students how the major cloud providers work and how to securely configure and use their services and Platform as a Service (PaaS) offerings. This course provides cloud security practitioners, analysts, and researchers with an in-depth understanding of the inner workings of the most popular public cloud providers: AWS, Microsoft Azure, and GCP. You will learn industry-renowned standards and methodologies, such as the MITRE ATT&CK Cloud Matrix and CIS Cloud Benchmarks, then apply that knowledge in hands-on exercises to assess a modern web application that leverages the cloud native offerings of each provider. Through this process you will learn the philosophies that undergird each provider and how these have influenced their services.

You will be prepared to:

  • Understand the inner workings of cloud services and Platform as a Service (PaaS) offerings in order to make more informed decisions in the cloud
  • Understand the design philosophies that undergird each provider and how these have influenced their services in order to properly prescribe security solutions for them
  • Discover the unfortunate truth that many cloud services are adopted before their security controls are fully fleshed out
  • Understand Amazon Web Services (AWS), Azure, and Google Cloud Platform (GCP) in depth
  • Understand the intricacies of Identity and Access Management, one of the most fundamental concepts in the cloud and yet one of the last understood
  • Understand cloud networking and how locking it down is a critical aspect of defense in depth in the cloud
  • Analyze how each provider handles encryption at rest and in transit in order to prevent sensitive data loss
  • Explore the service offering landscape to discover what is driving the adoption of multiple cloud platforms and to assess the security of services at the bleeding edge
  • Understand the complex connections between cloud accounts, providers, and on-premise systems and the cloud
  • Perform secure data migration to and from the cloud
  • Understand Terraform Infrastructure-as-Code well enough to share it with your engineering team as a starting point for implementing the controls discussed in the course
Elective Courses | 6 credit hours:

Students select two of the following.

ISE 6615: Defending Web Applications Security Essentials | SEC 522, GWEB

SANS class: SEC 522 Defending Web Applications Security Essentials
Assessment: GIAC GWEB
3 Credit Hours

ISE 6615 presents mitigation strategies from an infrastructure, architecture, and coding perspective alongside real-world techniques that have been proven to work. The course introduces the nature of each vulnerability to help you understand why it happens, then shows you how to identify the vulnerability and provide options to mitigate it.

To maximize the benefit for a wider range of audiences, the discussions in this course will be programming language agnostic. The focus will be maintained on security strategies rather than coding-level implementation.

The course is particularly well suited to application security analysts, developers, application architects, pen testers, auditors who are interested in recommending proper mitigations for web security issues, and infrastructure security professionals who have an interest in enhancing the defense of web applications. The course will also cover additional issues the authors have found to be important in their day-to-day web application development practices.

The topics covered include:

  • The OWASP Top 10
  • Selected specific web application issues from the Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Errors
  • Infrastructure security and configuration management
  • Securely integrating cloud components into a web application
  • Authentication and authorization mechanisms, including single sign-on patterns
  • Application language configuration
  • Application coding errors like SQL injection, cross-site request forgery, and cross-site scripting
  • Web 2.0 and its use of web services (REST/SOAP)
  • Cross-domain web request security
  • Business logic flaws
  • Protective HTTP headers
ISE 6630: Cloud Penetration Testing | SEC 588, GCPN

SANS class: SEC 588 Cloud Penetration Testing
Assessment: GIAC GCPN
3 Credit Hours

ISE 6630 dives into the latest in penetration testing techniques focused on the cloud, how to assess cloud environments, as well as other new topics that appear in the cloud like microservices, in-memory data stores, files in the cloud, serverless functions, Kubernetes meshes, and containers. The course also specifically covers Azure and AWS penetration testing, which is particularly important given that Amazon Web Services and Microsoft account for more than half of the market. The goal is not to demonstrate these technologies, but rather to teach you how to assess and report on the true risk that the organization could face if these services are left insecure.

Students will be able to:

  • Conduct cloud-based penetration tests
  • Assess cloud environments and bring value back to the business by locating vulnerabilities
  • Understand how cloud environments are constructed and how to scale factors into the gathering of evidence
  • Assess security risks in Amazon and Microsoft Azure environments
ISE 6650: Cloud Security and DevOps Automation | SEC 540, GCSA

SANS class: SEC 540 Cloud Security and DevOps Automation
Assessment: GIAC GCSA
3 Credit Hours

ISE 6650 provides development, operations, and security professionals with a methodology to build and deliver secure infrastructure and software using DevOps and cloud services. Students will explore how DevOps principles, practices, and tools of DevOps can improve the reliability, integrity, and security of on-premise and cloud-hosted applications. You will gain hands-on experience using popular tools such as Jenkins, GitLab, Puppet, Vault, and Grafana to automate Configuration Management ("Infrastructure as Code"), Continuous Integration (CI), Continuous Delivery (CD), cloud infrastructure, containerization, micro-segmentation, Functions as a Service (FaaS), Compliance as Code, and Continuous Monitoring.

You will be prepared to:

  • Recognize how DevOps works and identify keys to success
  • Utilize Continuous Integration, Continuous Delivery, and Continuous Deployment workflows, patterns, and tools
  • Identify the security risks and issues associated with DevOps and Continuous Delivery
  • Use DevOps practices to secure DevOps tools and workflows
  • Conduct effective risk assessments and threat modeling in a rapidly changing environment
  • Design and write automated security tests and checks in CI/CD
  • Understand the strengths and weaknesses of different automated testing approaches in Continuous Delivery
  • Implement self-serve security services for developers
  • Inventory and patch your software dependencies
  • Threat model and secure your build and deployment environment
  • Automate configuration management using Infrastructure as Code
  • Secure container technologies (such as Docker and Kubernetes)
  • Build continuous monitoring feedback loops from production to engineering
  • Securely manage secrets for continuous integration servers and applications
  • Automate compliance and security policy scanning
  • Understand how to automate cloud architecture components
  • Use CloudFormation and Terraform to create Infrastructure as Code
  • Build CI/CD pipelines using Jenkins and CodePipeline
  • Wire security scanning into Jenkins and CodePipeline workflows
  • Containerize applications with Elastic Container Service and Azure Kubernetes Service
  • Integrate cloud logging and metrics with Grafana
  • Create Slack alerts from CloudWatch metrics
  • Manage secrets with Vault, KMS, and the SSM Parameter store
  • Protect static content with CloudFront Signatures
  • Leverage Elastic Container Service for blue/green deployments
  • Secure REST APIs with API Gateway
  • Implement an API Gateway custom authorization Lambda function
  • Deploy the AWS WAF and build custom WAF rules
  • Perform continuous compliance scans with CloudMapper
  • Enforce cloud configuration policies with Cloud Custodian

The SANS Technology Institute Advantage

Online and In-Person Study Options

Flexibility for Working Professionals

  • Monthly admissions windows mean you can start on your schedule and earn the graduate certificate in roughly two years.

Credentials that Showcase Your Skills

  • Earn 4 industry-recognized GIAC certifications that validate your skill set in critical, specialized areas of InfoSec.

World-class Faculty

Pathway to a Master's Degree

  • Credits earned in the certificate program may be applied directly toward the master's degree program should you later apply and be accepted.

Success Stories

Video gaming was the start of what would lead to Jeff Sass's decades-long career at Adobe.

Discover why he chose to pursue 3 graduate certificates at SANS.edu — and how the experience helped him win a promotion to manager.

Read Jeff’s story and other SANS.edu profiles here.

Quick Links

Admissions Deadlines & Application Requirements
Tuition & Options for Funding

Questions?

We're happy to help.
Email info@sans.edu or call (301) 241-7665.