Security in Google Cloud Platform
Duration : 3 Days (24 Hours)
Security in Google Cloud Platform Course Overview:
In this 3-day course, participants will engage in demonstrations and hands-on labs to explore and deploy various components of a secure Google Cloud solution. The course covers essential topics such as Cloud Identity, Resource Manager, Identity and Access Management (IAM), Virtual Private Cloud firewalls, Cloud Load Balancing, Direct Peering, Carrier Peering, Cloud Interconnect, and VPC Service Controls. By actively participating in the course, participants will gain practical experience in implementing these components to enhance the security of their Google Cloud environment.
- Cloud information security analysts, architects, and engineers
- Information security/cybersecurity specialists
- Cloud infrastructure architects
- Understand Google’s approach to security.
- Manage administration identities using Cloud Identity.
- Implement least privilege administration using Resource Manager and IAM
- Implement Identity-Aware Proxy.• Implement IP traffic controls using VPC firewalls and Google Cloud Armor
- Remediate security vulnerabilities, especially public access to data and virtual machines.
- Scan for and redact sensitive data using the Cloud Data Loss Prevention API
- Analyze changes to resource metadata configuration using audit logs.
- Scan a GCP deployment with Forseti, to remediate important types of vulnerabilities, especially in public access to data and VMs.
Module 01: Foundations of GCP Security
Google Cloud Platform’s Approach to Security, The Shared Security Responsibility Model, Threats Mitigated by Google and GCP, Access Transparency
- Learn about Google Cloud’s approach to security.
- Understand the shared security responsibility model
- Understand the kinds of threats mitigated by Google and by GCP.
- Define and understand access transparency
- 4 lectures
Module 02: Cloud Identity
Cloud Identity Overview, Google Cloud Directory Sync, Google authentication vs. SAML-based SSO. Authentication Best Practices
- Learn what Cloud Identity is and what it does.
- Learn how Directory Sync securely syncs users and permissions between your on-prem LDAP or AD server and the cloud.
- Understand the two ways GCP handles authentication and how to set up SSO.
- Explore best practices for managing groups, permissions, domains and admins with Cloud Identity.
- 4 lectures and 1 demo
Module 03: Identity and Access Management (IAM)
Resource Manager, IAM Roles, IAM Policies, IAM Recommender, IAM Trouble shooter, IAM Audit Logs, IAM Best Practices, Configuring IAM and Custom Roles
- Understand Resource Manager: projects, folders, and organizations.
- Learn how to implement IAM roles, including custom roles
- Understand IAM policies, including organization policies.
- Understand best practices, including separation of duties and least privilege, the use of Google groups in policies, and avoiding the use of primitive roles.
- Learn how to configure IAM, including custom roles and organization policies.
- 8 lectures and 1 lab
Module 04: VPCs for Isolation and Security
VPC Firewalls, Load Balancing and SSL Policies, Interconnect and Peering Policies, Best Practices for VPC Networks, VPC Service Controls, VPC Flow Logs
- Learn best practices for configuring VPC firewalls (both ingress and egress rules).
- Understand load balancing and SSL policies
- Understand how to set up private Google API access.
- Understand SSL proxy use.
- Learn best practices for VPC networks, including peering and shared VPC use, and the correct use of subnetworks
- Learn best security practices for VPNs.
- Understand security considerations for interconnect and peering options.
- Become familiar with available security products from partners.
- Learn to configure VPC firewalls.
- Prevent data exfiltration with VPC Service Controls.
- 5 lectures, 1 demo and 2 labs
Module 5: Securing Compute Engine: Techniques and Best Practices
Service Accounts, IAM Roles and API Scopes, Managing VM Logins, Organization Policy Controls, Compute Engine Best Practices, Encrypting Disks with CSEK
- Learn about Compute Engine service accounts, default and customer-defined
- Understand IAM roles and scopes for VMs
- Understand how Shielded VMs help maintain your system and application integrity.
- 5 lectures and 2 labs
Module 6: Securing Cloud Data: Techniques and Best Practices
Cloud Storage IAM permissions and ACLs, Auditing Cloud Data, Signed URLs and Policy Documents, Encrypting with CMEK and CSEK, Cloud HSM, BigQuery IAM Roles and Authorized Views, Storage Best Practices
- Use cloud permissions and roles to secure cloud resources.
- Audit cloud data.
- Use signed URLs to give access to objects in a Cloud Storage bucket.
- Manage what can be placed in a Cloud Storage bucket using Signed Policy Document.
- Encrypt cloud data using customer managed encryption keys (CMEK), customer supplied encryption keys (CSEK), and Cloud HS
- Protecting data in BigQuery using IAM roles and authorized views.
- 7 lectures, 1 demo and 3 labs
Module 7: Application Security: Techniques and Best Practices
Types of Application Security Vulnerabilities, Cloud Security Scanner, Threat: Identity and Oauth Phishing, Identity-Aware Proxy, Secret Manager
- Recall various types of application security vulnerabilities.
- Understand DoS protections in App Engine and Cloud Functions
- Understand the role of Web Security Scanner in mitigating risks
- Define and recall the threats posed by Identity and Oauth phishing.
- Understand the role of Identity-Aware Proxy in mitigating risks
- Store application credentials and metadata securely using Secret Manager.
- 5 lectures and 3 labs
Module 8: Securing Kubernetes: Techniques and Best Practices
GKE/Kubernetes Overview, Securing Google Kubernetes Engine, Monitoring Google Kubernetes Engine
- Understand the basic components of a Kubernetes environment.
- Understand how authentication and authorization works in Google Kubernetes Engine.
- Recall how to harden Kubernetes Clusters against attack.
- Recall how to harden Kubernetes workloads against attack.
- Understand logging and monitoring options in Google Kubernetes Engine.
- 3 lectures
Module 9: Protecting against Distributed Denial of Service Attacks (DDoS)
How DDoS Attacks Work, GCP Mitigations, Types of Complementary Partner Products
- Understand how DDoS attacks work.
- Recall common mitigations: GCLB, Cloud CDN, autoscaling, VPC ingress and egress firewalls, Cloud Armor.
- Recall the various types of complementary partner products available.
- Use Cloud Armor to blacklist an IP address and restrict access to an HTTP Load Balancer.
- 3 lectures and 1 lab
Module 10: Content-Related Vulnerabilities: Techniques and Best Practices
Threat Ransomware, Ransomware Mitigations, Content Related Mitigations
- Discuss the threat of Ransomware.
- Understand Ransomware Mitigations: Backups, IAM, Data Loss Prevention API.
- Understand Threats to Content: Data misuse, privacy violations, sensitive/restricted/unacceptable content.
- Recall Mitigations for threats to Content: Classifying content using Cloud ML APIs; scanning and redacting data using Cloud Data Loss Prevention API
- 4 lectures and 1 lab
Module 11: Monitoring, Logging, Auditing, and Scanning
Security Command Center, Operations Monitoring and Logging, Cloud Audit Logging, Deploying and Using Forseti
- Understand and use Security Command Center
- Understand and use Cloud Monitoring and Logging.
- Install the Monitoring and Logging Agents.
- Understand Cloud Audit logging.• Gain experience configuring and viewing Cloud Audit logs.
- Gain experience deploying and using Forseti.
- Learn how to inventory a deployment with Forseti Inventory.
- Learn how to scan a deployment with Forseti Scanner.
- 4 lectures, 2 demos and 3 labs
- Prior completion of Google Cloud Fundamentals: Core Infrastructure or equivalent experience
- Prior completion of Networking in Google Cloud or equivalent experience
- Basic understanding of Kubernetes terminology (preferred but not required)
- Knowledge of foundational concepts in information security, through experience or through online training such as SANS’s SEC301: Introduction to Cyber Security• Basic proficiency with command-line tools and Linux operating system environments
- Systems Operations experience, including deploying and managing applications, either on-premises or in a public cloud environment• Reading comprehension of code in Python or Java script
Discover the perfect fit for your learning journey
Choose Learning Modality
This course comes with following benefits:
- Practice Labs.
- Get Trained by Certified Trainers.
- Access to the recordings of your class sessions for 90 days.
- Digital courseware
- Experience 24*7 learner support.
Got more questions? We’re all ears and ready to assist!