Cloud Security Auditing: AWS, AZURE, GOOGLE
Published by Pearson
Tips and Techniques for IT Auditing in AWS, Azure, and GCP
- Learn how to assess and define IT general computing controls for cloud environments as part of effective audit and compliance controls
- Learn how to navigate cloud customer environments from the perspective of an auditor for AWS, Microsoft Azure, and Google Cloud
- Understand and navigate both native and open-source tools available for auditing AWS, Microsoft Azure, and Google Cloud
Resources on how to perform IT control audits for cloud customer environments are limited. In this class, IT auditors and those who provide compliance evidence for audits (Cloud Engineers, DevSecOps, Identity and Access Management Analysts, IT admins, Cloud Security Architects) will learn more about the areas within cloud environments that should be assessed for effective compliance controls, receive guidance on how traditional on-prem audit programs can be adjusted for cloud environments, and understand the tools that are available to help with auditing in a cloud environment. Participants will walk away with actionable guidance on navigating within customer cloud environments, reviewing environments for compliance, and ways to streamline or automate assessments.
What you’ll learn and how you can apply it
By the end of the live online course, you’ll understand:
- How to navigate and identify security and compliance related controls in a cloud customer environment within the three major cloud vendor environments
- Tools and features that are available to help with auditing a cloud customer environment
- The roles and responsibilities when validating compliance controls within a cloud customer environment
And you’ll be able to:
- Apply best practices on assessing IT general computing controls for a cloud customer in the three major cloud providers
- Confidently apply and assess security and compliance controls in a cloud customer environment
- Successfully navigate through the three major cloud providers to areas relevant for security and compliance
- Build a cloud-focused audit plan and perform a basic IT general computing controls assessment for a cloud customer in the three major cloud providers
This live event is for you because...
- As many companies move to the cloud and/or multi-cloud environments, it’s important for auditors to understand how to assess those environments
- This training will help an IT auditor understand where security controls can or do exist and the procedures for reviewing them
- This training will help an IT auditor feel more comfortable navigating within a cloud environment and know what questions to ask regarding a cloud architecture setup so that they can build an effective audit plan
Prerequisites
- Basic IT Knowledge
- Basic auditing or compliance knowledge
- Basic knowledge on risk and risk assessments
Course Set-up
- Attendees will establish some free cloud environments as part of the session. It is recommended but not required that you set up your lab environments before the start of class.
Recommended Preparation
- Read: How to Measure Anything in Cybersecurity Risk by Douglas W. Hubbard, Richard Seiersen, Daniel E. Geer Jr., and Stuart McClure
- Read: Audit Risk Alert, 2nd Edition by AICPA
- Attend: Certified ISO 31000 Internal Controls Risk Analyst (CICRA) Crash SuperReview by Allen Keele
Recommended Follow-up
- Read: Beyond Audit by Robert L. Mainardi
- Attend: CCSP - Certified Cloud Security Professional Crash Course by Michael Shannon
Schedule
The time frames are only estimates and may vary according to how the class is progressing.
Day 1
Segment 1: Cloud Architecture and Navigation (60 minutes)
- Understanding Cloud Auditing
- Understanding Cloud Architecture, Deployments, and Terminology
- Navigating Cloud Portal Environments
Break (15 minutes)
Segment 2: Setting Up Your Personal Cloud Environments (30 minutes)
- Setting up an AWS Environment
- Setting up an Azure Environment
- Setting up a Google Cloud Environment
Lab Setup (15 minutes) – Use this time to set up your cloud environments
Segment 3: Basic Cloud Auditing Tools and Frameworks (45 minutes)
- Industry Frameworks for Cloud Auditing
- Native Cloud Auditing Tools
- Open Source and Other Cloud Auditing Tools
Break (15 minutes)
Segment 4: Preparing to Perform a Customer Cloud Assessment (45 minutes)
- Effective Techniques for Controls Alignments
- Leveraging Policy and Automation for Compliance
Course wrap-up, Q&A, and next steps (15 minutes)
Day 2
Segment 5: Deeper Dive – Identity and Access Management Controls (50 minutes)
- User Authentication and Authorization
- Permissions, Roles, Groups
- Device Management
- Reviewing Activity
Break (10 minutes)
Segment 6: Deeper Dive – Network, Infrastructure, and Security Controls (50 minutes)
- Security Control Centers
- Network Controls
- Security Policies
- Data Security
Break (10 minutes)
Segment 7: Deeper Dive – Financial Resource and Change Management (50 minutes)
- Policies for Resource Management
- Change Management Integration and Workflows
- Financial Billing and Cost Controls
- Reviewing Change History
Break (10 minutes)
Segment 8: Tips, Techniques and Auditing Walkthrough (40 minutes)
- Common Pitfalls
- Tips, Tricks, and Techniques
- Preparing for More Advanced Auditing
- Other Clouds – IBM, Oracle, Alibaba
Course wrap-up, Q&A, and next steps (20 minutes)
Your Instructor
Shinesa Cambric
Shinesa Cambric (CISSP, CCSP, CISA, CISM, CDPSE) is a Cloud Security, Compliance, and Digital Identity Architect with strategic expertise in technical design and implementation of security architecture and controls. Her experience includes designing identity management and governance solutions for cloud-based platforms, building insider threat programs, and providing unique subject matter expertise on the intersection of governance, risk, and compliance with IT and application security.
As a Principal Product Manager within Microsoft’s Intelligent Protections team, Shinesa currently focuses on architecting solutions for global organizations to identify, detect, protect, and respond to threats against identity and access. She is a task and certification content advisor for CertNexus and CompTIA, on the content review committee for Cloud Security Alliance, volunteers as the training lead for the Dallas chapter of Women’s Society of Cyberjutsu, and on the operational support team for Cloud Girls. She is an active member of several other organizations, including Women in CyberSecurity (WiCyS), ISACA, ISC2, and Information Systems Security Association (ISSA).