Security in Google Cloud
This training course gives you a broad study of security controls and techniques in Google Cloud. Through lectures, demonstrations, and hands-on labs, you’ll explore and deploy the components of a secure Google Cloud solution, using services like Cloud Identity, Identity and Access Management (IAM), Cloud Load Balancing, Cloud IDS, Web Security Scanner, BeyondCorp Enterprise, Cloud DNS, and much more.
- Identify the foundations of Google Cloud security.
- Manage administration identities with Google Cloud.
- Implement user administration with Identity and Access Management (IAM).
- Configure Virtual Private Clouds (VPCs) for isolation, security, and logging.
- Apply techniques and best practices for securely managing Compute Engine.
- Apply techniques and best practices for securely managing Google Cloud data.
- Apply techniques and best practices for securing Google Cloud applications.
- Apply techniques and best practices for securing Google Kubernetes Engine (GKE) resources.
- Manage protection against distributed denial-of-service (DDoS) attacks.
- Manage content-related vulnerabilities.
- Implement Google Cloud monitoring, logging, auditing, and scanning solutions.
This class is intended for the following job roles:
- Cloud information security analysts, architects, and engineers
- Information security/cybersecurity specialists
- Cloud infrastructure architects
To get the most out of this course, participants should have:
- Prior completion of Google Cloud Platform Fundamentals: Core Infrastructure or equivalent experience.
- Prior completion of Networking in Google Cloud or equivalent experience.
- Knowledge of foundational concepts in information security, through experience or through online training such as SANS’s SEC301: Introduction to Cyber Security.
- Basic proficiency with command-line tools and Linux operating system environments.
- Systems Operations experience, including deploying and managing applications, either on-premises or in a public cloud environment.
- Basic understanding of Kubernetes terminology (preferred but not required).
Module 1: Foundations of Google Cloud Security
- Explain Google Cloud’s shared security responsibility model.
- Describe Google Cloud’s approach to security.
- Recognize the kinds of threats mitigated by Google and by Google Cloud.
- Identify Google Cloud’s commitments to regulatory compliance.
Module 2: Securing Access to Google Cloud
- Describe what Cloud Identity is and what it does.
- Explain how Google Cloud Directory Sync securely syncs users and permissions between your on-premises LDAP or AD server and the cloud.
- Explore and apply best practices for managing groups, permissions, domains, and admins with Cloud Identity.
- Demo: Defining Users with Cloud Identity Console
Module 3: Identity and Access Management (IAM)
- Identify IAM objects that can be used to organize resources in Google Cloud.
- Explain the management-related features of Google Cloud projects.
- Define IAM policies, including organization policies.
- Implement access control with Cloud IAM.
- Provide access to Google Cloud resources using predefined and custom IAM roles.
- Lab: Configuring IAM
Module 4: Configuring Virtual Private Cloud for Isolation and Security
- Describe the function of VPC networks.
- Recognize and implement best practices for configuring VPC firewalls (both ingress and egress rules).
- Secure projects with VPC Service Controls.
- Apply SSL policies to load balancers.
- Enable VPC flow logging and then use Cloud Logging to access logs.
- Deploy Cloud IDS and view threat details in the Cloud Console.
- Lab: Configuring VPC Firewalls
- Lab: Configuring and Using VPC Flow Logs in Cloud Logging
- Demo: Securing Projects with VPC Service Controls
- Lab: Getting Started with Cloud IDS
Module 5: Securing Compute Engine: Techniques and Best Practices
- Create and manage service accounts for Compute Engine instances (default and customer-defined).
- Detail IAM roles and scopes for VMs.
- Explore and apply best practices for Compute Engine instances.
- Explain the function of the Organization Policy service.
- Lab: Configuring, Using, and Auditing VM Service Accounts and Scopes
Module 6: Securing Cloud Data: Techniques and Best Practices
- Use IAM permissions and roles to secure cloud resources.
- Create and wrap encryption keys using the Google Compute Engine RSA public key certificate.
- Encrypt persistent disks and attach them to Compute Engine instances.
- Manage keys and encrypted data using Cloud Key Management Service (Cloud KMS) and Cloud HSM.
- Create BigQuery authorized views.
- Recognize and implement best practices for configuring storage options.
- Lab: Using Customer-Supplied Encryption Keys with Cloud Storage
- Lab: Using Customer-Managed Encryption Keys with Cloud Storage and Cloud KMS
- Lab: Creating a BigQuery Authorized View
Module 7: Securing Applications: Techniques and Best Practices
- Recall various types of application security vulnerabilities.
- Detect vulnerabilities in App Engine applications using Web Security Scanner.
- Secure Compute Engine applications using BeyondCorp Enterprise.
- Secure application credentials using Secret Manager.
- Identify the threats of OAuth and identity phishing.
- Lab: Using Web Security Scanner to Find Vulnerabilities in an App Engine Application
- Lab: Securing Compute Engine Applications with BeyondCorp Enterprise
- Lab: Configuring and Using Credentials with Secret Manager
Module 8: Securing Google Kubernetes Engine: Techniques and Best Practices
- Explain the differences between Kubernetes service accounts and Google service accounts.
- Recognize and implement best practices for securely configuring GKE.
- Explain logging and monitoring options in Google Kubernetes Engine.
Module 9: Protecting against Distributed Denial-of-Service (DDoS) Attacks
- Identify the four layers of DDoS mitigation.
- Identify methods Google Cloud uses to mitigate the risk of DDoS for its customers.
- Use Google Cloud Armor to blocklist an IP address and restrict access to an HTTP Load Balancer.
- Lab: Configuring Traffic Blocklisting with Google Cloud Armor
Module 10: Content-Related Vulnerabilities: Techniques and Best Practices
- Discuss the threat of ransomware.
- Explain ransomware mitigation strategies (backups, IAM, Cloud Data Loss Prevention API).
- Highlight common threats to content (data misuse, privacy violations, sensitive/restricted/unacceptable content).
- Identify solutions for threats to content (classification, scanning, redacting).
- Detect and redact sensitive data using the Cloud DLP API.
- Lab: Redacting Sensitive Data with the DLP API
Module 11: Monitoring, Logging, Auditing, and Scanning
- Explain and use the Security Command Center.
- Apply Cloud Monitoring and Cloud Logging to a project.
- Apply Cloud Audit Logs to a project.
- Identify methods for automating security in Google Cloud environments.
- Lab: Configuring and Using Cloud Monitoring and Cloud Logging
- Lab: Configuring and Viewing Cloud Audit Logs