Course 767:
Google Cloud Advanced Skills & Certification Workshop: Professional Cloud Security Engineer


Google Cloud Certification Training Description

This workshop is designed to help IT professionals prepare for the Google Professional Cloud Security Engineer certification exam. In this workshop, we review the exam guidelines and cover the main topics you may be tested on.  

The Professional Cloud Security Engineer exam assesses your ability to design and implement a secure infrastructure on Google Cloud Platform. The exam, and hence this course, covers many aspects of cloud security, including identity and access management, organizational structure and policies, data protection using Google technologies, network security defenses, collection and analysis of Google Cloud Platform logs, incident response management, and regulatory concerns.

Learning Objectives

  • Prepare for the Google Professional Cloud Security Engineer certification exam
  • Configure access within a cloud solution environment
  • Configure network security
  • Ensure data protection
  • Manage operations within a cloud solution environment
  • Ensure compliance

Prerequisites

This workshop assumes prior knowledge of Google Cloud Platform (GCP) and is not an introduction to GCP. We strongly recommend taking the Architecting with Google Compute Engine and Security in Google Cloud Platform courses prior to attending this workshop.


Prior to taking the Professional Cloud Security Engineer certification exam, students must have experience developing applications and services that run on Google Cloud Platform. The exam tests ability in all aspects of cloud security, including identity and access management, organizational structure and policies, data protection using Google technologies, network security defenses, collection and analysis of Google Cloud Platform logs, incident response management, and regulatory concerns.

Practice Quizzes and Hands-On Exercises

This workshop includes instructor lecture, demos, labs, practice quizzes, and links to recommended study materials, videos, and tutorials. Homework assignments are also included to help students further prepare for the exam.


Course Outline


Module 1: Professional Cloud Security Engineer Certification Overview 

  • Exam Overview and Expectations
    • What You are Tested On
    • Exam Format
    • Registering for the Exam

Module 2: Identity and Access Management

  • Google Cloud Identity
    • Centrally Manage Users and Groups 
    • Google Admin Console
    • Configuring Google Cloud Directory Sync (GCDS)
    • Google Authentication vs. SAML-based SSO
    • Configuring and Enforcing Two-Factor Authentication
    • Setting Password Policy for User Accounts
    • Cloud Identity Best Practices
  • Cloud IAM
    • Managing User Access at the Project and Organization Level
    • Leveraging Primitive, Predefined, and Custom Roles
    • Creating, Authorizing, and Securing Service Accounts
    • Managing Service Accounts and Keys
    • Rotating User-Managed Service Account Keys
  • Managing Resource Hierarchy
    • Using Resource Hierarchy for Access Control and Permissions Inheritance
    • Creating and Managing Organizations
    • Resource Structures (Orgs, Folders, Projects, and Resources)
    • Defining and Managing Organization Constraints
  • Exam Prep
    • Quiz

Module 3: VPC Network Security

  • Network Design
    • VPCs and Subnets
    • Private vs. Public Addresses
  • Controlling Network Access
    • Firewall Rules
    • Routes
    • SSH
    • RDP
    • Cloud NAT
  • Connecting Networks
    • VPNs
    • VPC Peering
    • Shared VPCs 
    • Serverless VPC Access
    • Accessing Google APIs from Private IPs
  • Exam Prep
    • Quiz

Module 4: Network Services Security

  • Securing Access to Instances
    • OS Login
    • IAP SSH Tunnel
    • Shielded VMs
  • Configuring Secure Load Balancers
    • Load Balancer Types
    • Internal Load Balancers
    • External Load Balancers
    • SSL
    • DNSSEC
  • Mitigating DDoS
    • CDN
    • Cloud Armor
    • Basic Rules
    • WAF Rules
  • Exam Prep
    • Quiz

Module 5: Data Security

  • Encryption at Rest
    • Envelope Encryption
    • GCP Default Encryption at Rest
    • Customer-Managed Encryption Keys (CMEK)
    • Customer-Supplied Encryption Keys (CSEK)
    • Managing Keys in Google’s KMS 
    • Using CMEKs with Cloud Storage
    • Using CMEKs with Persistent Disks
    • Using CMEKs with BigQuery
    • Using CMEKs with Cloud SQL
    • Managing Application Secrets
  • Managing Storage Buckets
    • Understanding Google Cloud Storage IAM Permissions and ACLs
    • Bucket-Only Policies
    • Managing Cloud Storage Object Lifecycle
    • Retention Policies
    • Bucket Locks
  • Data Loss Prevention
    • Identifying Sensitive or PII Data
    • Defining Custom Info Types
    • Redacting Data from Various File Formats
    • Using Tokenization and Format Preserving Substitution
  • Exam Prep
    • Quiz

Module 6: Securing Applications

  • Application Security 
    • Cloud Security Scanner 
    • Static Code Analysis
    • Automate Security Scanning with a CI/CD Pipeline
    • Hardening Virtual Machines
    • Creating and Maintaining Container Images
    • Binary Authorization
    • Monitoring Application Logs 
    • Backup and Data Loss Strategy
  • Authentication and Authorization
    • Identity Platform
    • Identity-Aware Proxy
    • Context-Aware Proxy
  • PaaS Security
    • App Engine Security
      • IAM Roles
      • Firewall Rules
      • SSL
      • Runtime Service Account
    • Cloud Functions Security
      • IAM Roles
      • Runtime Service Account
    • Cloud Run Security
  • Kubernetes Security
    • Configuring Nodes
    • Node Service Account
    • RBAC
    • Kubernetes Networking
    • Configuring Ingresses for TLS
    • Secrets
    • Secret Manager
  • Exam Prep
    • Quiz

Module 7: Managing Operations 

  • Logging, Monitoring, and Alerting
    • Organizational Policies
    • Cloud Audit Logging
    • Installing Logging and Monitoring Agents in AWS and GCP
    • Integrating Monitoring, Logging, and Diagnostics
    • Exporting Logs for Near Real-time Monitoring and Long-Term Storage
    • Monitoring for Security Events
    • Detect Violations of Policies at Scale with Forseti
    • Alerting
  • Security Command Center
    • Assets
    • Findings 
    • Vulnerabilities
    • Threat Detection
    • Data Loss Prevention
  • VPC Service Controls
    • Define a Security Perimeter Around GCP Resources
    • Mitigate the Risk of Data Exfiltration
  • Exam Prep
    • Quiz

Module 8: Compliance

  • Legal and Regulatory Compliance
    • Regulatory Concerns
    • PCI-DSS
    • Determining Which Compute Environment Is Appropriate Based on Company Compliance Standards  
  • Shared Responsibility Model
    • Guarantees and Constraints for Each Compute Environment (Compute Engine, Kubernetes Engine, App Engine)
    • Limiting Compute and Data for Regulatory Compliance
  • Exam Prep
    • Quiz