Module Details
Module Code: CYBR9023
Title: Cloud Security Architecting
Long Title: Cloud Security Architecting
NFQ Level: Expert
Valid From: Semester 2 - 2023/24 (January 2024)
Field of Study: 4811 - Computer Science
Module Delivered in: no programmes
Module Description:
In this module, students will explore the world of cloud security and the critical importance it holds in today's digital landscape. Students will gain an understanding of approaches to designing and implementing rigorous security strategies, complemented by monitoring and detection methodologies that provide real-time insights and proactive responses. Students will gain an understanding of Identity and Access Management (IAM) best practices, including centralized management of authentication, authorisation, roles and policies, logging and auditing. Students will be equipped with the practical expertise necessary to protect varied cloud resources such as storage services (Object, Block, File, Queue), database platforms, compute offerings (Virtual Machines, serverless functions, containers), and networking configurations (Virtual Networks, Subnets, Firewalls, VPNs). Students will develop a holistic understanding of the challenges and intricacies of securing multi-faceted cloud-hosted environments and an awareness of the encompassing compliance and regulatory landscapes. This module was developed under the Cyber Skills HCI Pillar 3 Project. Please refer to the consortium agreement for ownership.
Learning Outcomes
On successful completion of this module the learner will be able to:
LO1: Examine the foundational principles of cloud security, distinguishing it from traditional IT security and the nuances of various cloud architectures and service models.
LO2: Recognize the role of identity & access control in cloud environments as the security perimeter in the cloud, and design strategies for effective identity management and access controls.
LO3: Evaluate and secure the components that comprise cloud-hosted solutions, ensuring the confidentiality, integrity and availability of digital assets.
LO4: Design and implement an overarching Cloud Security Posture Management (CSPM) strategy tailored to specific business needs and cloud architectures.
LO5: Examine the implications and complexities of compliance and regulatory standards in cloud security, adapting strategies to ensure adherence.
Dependencies

Module Recommendations
This is prior learning (or a practical skill) that is strongly recommended before enrolment in this module. You may enrol in this module if you have not acquired the recommended learning but you will have considerable difficulty in passing (i.e. achieving the learning outcomes of) the module. While the prior learning is expressed as named MTU module(s) it also allows for learning (in another module or modules) which is equivalent to the learning specified in the named module(s).

Incompatible Modules
These are modules which have learning outcomes that are too similar to the learning outcomes of this module. You may not earn additional credit for the same learning and therefore you may not enrol in this module if you have successfully completed any modules in the incompatible list.
No incompatible modules listed

Co-requisite Modules
No Co-requisite modules listed

Requirements
This is prior learning (or a practical skill) that is mandatory before enrolment in this module is allowed. You may not enrol on this module if you have not acquired the learning specified in this section.
No requirements listed
Indicative Content

Evolution of Cloud Security
Origins and rise of cloud platforms & responsibility shifts. Major cloud providers. Cloud architectures: Public, Private, and Hybrid. Cloud service models: IaaS, PaaS, and SaaS. Threat vectors specific to cloud environments. Importance of cloud security & distinction from traditional IT security. Strategic alignment of security controls with business objectives. Cloud security best practices.

Cloud Identity and Access Management
History of identity management. The application of the principle of least privilege in the cloud. User and role management in cloud platforms. Access strategies for cloud services. Modern authentication protocols such as OIDC, OAuth, SAML/WS-Fed. Single Sign-On (SSO) and Multi-Factor Authentication (MFA) in the cloud. The different levels of MFA security, from gold standard phishing-resistant MFA (FIDO) to less secure Time-Based One-Time Password (TOTP) and SMS/Email MFA. Service and resource-based policies.

Data Security, Integrity, and Storage
CIA triad, Zero trust. Data residency and sovereignty. Cloud storage security. Secure key and secret management.

Database Platforms & Security
Database offerings, encryption types & methods, data masking, auditing, threat detection, best practices.

Compute & Application Security
Virtual Machines, serverless functions, containers, app hosting, API hosting, threat detection, best practices.

Network Security
Virtual networks, network topology, subnets, peering, firewalls, VPNs, DDoS, monitoring, Multi-Cloud & Hybrid Cloud security.

Cloud Security Posture Management (CSPM)
CSPM strategies suited to diverse cloud architectures; real-time monitoring and threat detection systems; incident response integration; adoption of "Shift Left" security practices to integrate security earlier in the development lifecycle; application of Continuous Security methodologies; combining these approaches with scalable security policies embedded within CI/CD pipelines using tools like Terraform/CloudFormation while centralizing security policy management.

Compliance and Regulatory Frameworks
Interpreting and adhering to compliance and regulatory standards including GDPR, HIPAA, PCI DSS & SOC 2; ensuring cloud operation compliance; managing data sovereignty across multiple global jurisdictions within Azure, AWS, and other cloud services; tailoring security frameworks to specific organizational needs; staying up to date with changes in cloud security regulations and best practices. Compliance assessments & audits.

Security Management and Automation
Examination of security management tools; Infrastructure as Code (IaC) for security consistency (Security Policy as Code); automated threat detection and incident response mechanisms; incorporation of security within DevSecOps workflows; securing CI/CD pipelines; understanding compliance intersections with security automation; keeping pace with emerging trends in the automation of cloud security.
Module Content & Assessment

Assessment Breakdown: Coursework 100.00%

Assessments
No End of Module Formal Examination

Reassessment Requirement
Coursework Only
This module is reassessed solely on the basis of re-submitted coursework. There is no repeat written examination.

The University reserves the right to alter the nature and timings of assessment.
Module Workload

Workload: Full Time
| Workload Type | Contact Type | Workload Description | Frequency | Average Weekly Learner Workload | Hours |
|---|---|---|---|---|---|
| Lecture | Contact | Lectures covering the theoretical concepts underpinning the learning outcomes | Every Week | 2.00 | 2 |
| Lab | Contact | Lab assignments based on preceding lecture material to provide practical experience working with the major cloud-hosted resource types. Student-provided AWS and Azure account, using free tier services. | Every Week | 2.00 | 2 |
| Independent & Directed Learning (Non-contact) | Non Contact | Independent learning by the student | Every Week | 3.00 | 3 |
Total Hours: 7.00
Total Weekly Learner Workload: 7.00
Total Weekly Contact Hours: 4.00

Workload: Part Time
| Workload Type | Contact Type | Workload Description | Frequency | Average Weekly Learner Workload | Hours |
|---|---|---|---|---|---|
| Lecture | Contact | Lectures covering the theoretical concepts underpinning the learning outcomes | Every Week | 2.00 | 2 |
| Lab | Contact | Lab assignments based on preceding lecture material to provide practical experience working with the major cloud-hosted resource types. Student-provided AWS and Azure account, using free tier services. | Every Week | 2.00 | 2 |
| Independent & Directed Learning (Non-contact) | Non Contact | Independent learning by the student | Every Week | 3.00 | 3 |
Total Hours: 7.00
Total Weekly Learner Workload: 7.00
Total Weekly Contact Hours: 4.00
Module Resources

Recommended Book Resources
- Aditya K. Sood. (2021), Empirical Cloud Security, Mercury Learning and Information, p.450, [ISBN: 978-1683926856].

Supplementary Book Resources
- Mihir Shah. (2023), Cloud Native Software Security Handbook, Packt Publishing, p.372, [ISBN: 978-1837636983].
- Tim Mather, Subra Kumaraswamy, Shahed Latif. (2009), Cloud Security and Privacy, O'Reilly Media, Inc., p.338, [ISBN: 9781449379513].

Supplementary Article/Paper Resources
- Singh, Ashish, and Kakali Chatterjee. (2017), Cloud security issues and challenges: A survey, Journal of Network and Computer Applications, 79.

Other Resources
- Website, Microsoft. Microsoft Security Reference Architectures.
- Website, Amazon. Amazon Security Reference Architecture.
- Website, Microsoft. Azure Architecture Center, Microsoft.
- Website, Amazon. AWS Architecture Center, Amazon.
- Website, NIST. NIST Cybersecurity Framework.
- Website, ISO/IEC. ISO/IEC 27017 Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services. International Organization for Standardization (ISO).
- Website, CIS. CIS Critical Security Controls.
- Website, OpenID Foundation. OpenID Specifications.