This curriculum reflects the technical and procedural rigor of a multi-workshop cloud security engagement, addressing the same network architecture, identity integration, and compliance challenges encountered during actual enterprise migrations.
Module 1: Assessing Cloud Readiness and Security Posture
- Conducting a network dependency mapping exercise to identify on-premises services that must remain in place during phased migration.
- Evaluating existing firewall rules and segmentation policies for applicability in cloud environments with dynamic workloads.
- Defining acceptable data residency and sovereignty requirements based on regulatory obligations across cloud regions.
- Inventorying legacy authentication mechanisms that may not integrate with cloud-native identity providers.
- Assessing encryption standards in use and determining compatibility with cloud provider key management systems.
- Establishing a baseline of network performance metrics to detect anomalies post-migration.
Module 2: Designing Secure Cloud Network Architecture
- Selecting between hub-and-spoke and mesh VPC architectures based on inter-account data flow requirements and compliance boundaries.
- Implementing private subnets with NAT gateways while restricting public IP assignments to non-critical workloads.
- Configuring DNS resolution across hybrid environments to prevent split-brain scenarios during cutover.
- Defining routing policies for traffic between VPCs, on-premises data centers, and third-party SaaS platforms.
- Enforcing network segmentation using security groups and NACLs with least-privilege ingress/egress rules.
- Planning for failover paths and redundant connectivity using multiple Direct Connect or ExpressRoute circuits.
Module 3: Identity and Access Management Integration
- Integrating on-premises Active Directory with cloud identity providers using federation protocols like SAML or OIDC.
- Mapping legacy role-based access controls to cloud IAM policies with condition keys for time and location.
- Implementing just-in-time (JIT) privilege elevation for administrative access to cloud consoles and APIs.
- Enforcing MFA for all console logins and sensitive API operations, with documented exceptions for automated workflows.
- Rotating long-lived access keys and replacing them with temporary credentials via role assumption.
- Monitoring and auditing IAM policy changes using cloud-native logging and alerting on high-risk actions.
Module 4: Securing Data in Transit and at Rest
- Enforcing TLS 1.2+ for all client-to-service and service-to-service communications using certificate pinning.
- Implementing VPC flow logs with packet header sampling to detect unencrypted internal traffic.
- Configuring server-side encryption with customer-managed keys (CMK) for database and object storage tiers.
- Validating that database connection strings use encrypted endpoints and reject plaintext fallbacks.
- Deploying client-side encryption for sensitive data before upload to cloud storage services.
- Establishing data classification policies to determine encryption strength and key lifecycle management.
Module 5: Threat Detection and Network Monitoring
- Deploying intrusion detection systems (IDS) in promiscuous mode on virtual network taps or VPC mirrors.
- Correlating cloud-native logs (e.g., CloudTrail, VPC Flow Logs) with SIEM rules to detect lateral movement.
- Setting up anomaly detection thresholds for outbound data transfers to flag potential exfiltration.
- Integrating third-party threat intelligence feeds into firewall and WAF rule updates.
- Validating that security agents on cloud instances do not introduce network latency or packet loss.
- Conducting red team exercises to test detection coverage across hybrid network segments.
Module 6: Governance, Compliance, and Audit Enforcement
- Implementing infrastructure-as-code (IaC) scanning to prevent deployment of non-compliant network configurations.
- Enforcing tagging standards for network resources to support cost allocation and security classification.
- Configuring automated remediation for drift in firewall rules using policy-as-code frameworks.
- Generating audit trails for network configuration changes with immutable log storage in a separate account.
- Mapping cloud network controls to regulatory frameworks such as HIPAA, PCI-DSS, or GDPR.
- Conducting quarterly access reviews for cross-account network peering and shared services.
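One way to implement the IaC scanning check called for in this module, covering the least-privilege ingress/egress rules from Module 2 as well (an added example, not part of the original curriculum): a small Python policy check run over a constructed, simplified security-group definition before deployment. The rule schema, the sample groups, the SG-00x finding ids and the admin-port list are assumptions made for the example, not a real provider format.

```python
import ipaddress

# Constructed sample: simplified security-group definitions in the shape an
# IaC scanner might see after parsing a template (assumed schema, not a real
# AWS/Azure one). proto "-1" means "all protocols", as in the AWS convention.
SAMPLE_GROUPS = {
    "web-sg": {
        "ingress": [
            {"proto": "tcp", "from": 443, "to": 443, "cidr": "0.0.0.0/0"},
            {"proto": "tcp", "from": 22, "to": 22, "cidr": "0.0.0.0/0"},
        ],
        "egress": [{"proto": "-1", "from": 0, "to": 65535, "cidr": "0.0.0.0/0"}],
    },
    "db-sg": {
        "ingress": [{"proto": "tcp", "from": 5432, "to": 5432, "cidr": "10.20.0.0/16"}],
        "egress": [{"proto": "tcp", "from": 443, "to": 443, "cidr": "10.20.0.0/16"}],
    },
}

ADMIN_PORTS = {22, 3389}  # hypothetical policy: never reachable from any-network


def _is_any_network(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. the rule is open to the whole internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _covers_port(rule, port):
    return rule["proto"] == "-1" or rule["from"] <= port <= rule["to"]


def scan_group(name, group):
    """Return (group, severity, finding_id, message) tuples for one group."""
    findings = []
    for r in group.get("ingress", []):
        if not _is_any_network(r["cidr"]):
            continue  # scoped source: acceptable under this policy
        if r["proto"] == "-1" or (r["from"] == 0 and r["to"] == 65535):
            findings.append((name, "HIGH", "SG-001", "ingress open to the internet on all ports"))
            continue
        for port in sorted(ADMIN_PORTS):
            if _covers_port(r, port):
                findings.append((name, "HIGH", "SG-002", f"admin port {port}/{r['proto']} open to the internet"))
    for r in group.get("egress", []):
        if _is_any_network(r["cidr"]) and r["proto"] == "-1":
            findings.append((name, "MEDIUM", "SG-003", "egress allows all protocols to any destination"))
    return findings


def scan_groups(groups):
    return [f for name, g in groups.items() for f in scan_group(name, g)]


def is_compliant(groups):
    """Gate the deployment: any HIGH finding blocks it; MEDIUM is reported only."""
    return not any(f[1] == "HIGH" for f in scan_groups(groups))
```

In a pipeline the `is_compliant` result would fail the plan/apply step, and the MEDIUM findings would feed the drift-remediation backlog.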
Module 7: Incident Response and Business Continuity
- Isolating compromised cloud workloads by revoking security group access instead of terminating instances.
- Preserving network artifacts such as flow logs, DNS queries, and load balancer access logs during investigations.
- Testing backup connectivity paths to on-premises systems when cloud provider outages affect network services.
- Documenting escalation procedures for DDoS events with cloud provider support teams and third-party scrubbing centers.
- Validating that incident responders can access console and CLI tools without relying on potentially compromised endpoints.
- Conducting tabletop exercises for data exfiltration scenarios involving encrypted tunnels to external IPs.
Module 8: Optimizing and Scaling Secure Cloud Networks
- Right-sizing NAT gateways and load balancers based on observed throughput and connection concurrency.
- Migrating from legacy ACLs to distributed firewall solutions that scale with microservices architecture.
- Implementing DNS-based traffic steering with health checks to route around degraded availability zones.
- Evaluating the security implications of adopting service mesh for east-west encryption and mTLS enforcement.
- Automating IP address management (IPAM) across multiple regions and accounts to prevent overlap and misrouting.
- Integrating network performance monitoring with autoscaling policies to prevent denial-of-service from legitimate traffic spikes.