Course
Digicomp Code GCPSEC
Security in Google Cloud («GCPSEC»)
This training course gives you a broad study of security controls and techniques in Google Cloud.
Duration
3 days
Price
2'550.–
Course documents
Official Google Cloud courseware
Course facts
- Identifying the foundations of Google Cloud security
- Managing administration identities with Google Cloud
- Implementing user administration with Identity and Access Management (IAM)
- Configuring Virtual Private Clouds (VPCs) for isolation, security, and logging
- Applying techniques and best practices for securely managing Compute Engine
- Applying techniques and best practices for securely managing Google Cloud data
- Applying techniques and best practices for securing Google Cloud applications
- Applying techniques and best practices for securing Google Kubernetes Engine (GKE) resources
- Managing protection against distributed denial-of-service attacks (DDoS)
- Managing content-related vulnerabilities
- Implementing Google Cloud monitoring, logging, auditing, and scanning solutions
You use services including Cloud Identity, Identity and Access Management (IAM), Cloud Load Balancing, Cloud IDS, Web Security Scanner, BeyondCorp Enterprise, and Cloud DNS.
1 Foundations of Google Cloud Security
- The approach of Google Cloud to security
- The shared security responsibility model
- Threats mitigated by Google and Google Cloud
- Access transparency
- Explain the shared security responsibility model of Google Cloud
- Describe how Google Cloud approaches security
- Recognize threats mitigated by Google and Google Cloud
- Identify Google Cloud’s commitments to regulatory compliance
2 Securing Access to Google Cloud
- Cloud Identity
- Google Cloud Directory Sync
- Managed Microsoft AD
- Google authentication versus SAML-based SSO
- Identity Platform
- Authentication best practices
- Describe what Cloud Identity is and what it does
- Explain how Google Cloud Directory Sync securely syncs users and permissions between your on-premises LDAP or AD server and the cloud
- Explore and apply best practices for managing groups, permissions, domains, and administrators with Cloud Identity
- Demo: Defining Users with Cloud Identity Console
3 Identity and Access Management (IAM)
- Resource Manager
- IAM roles
- Service accounts
- IAM and Organization policies
- Workload identity federation
- Policy Intelligence
- Identify IAM roles and permissions that can be used to organize resources in Google Cloud
- Explain the management-related features of Google Cloud projects
- Define IAM policies, including organization policies
- Implement access control with IAM
- Provide access to Google Cloud resources by using predefined and custom IAM roles
- Lab: Configuring IAM
4 Configuring Virtual Private Cloud for Isolation and Security
- VPC firewalls
- Load balancing and SSL policies
- Cloud Interconnect
- VPC Network Peering
- VPC Service Controls
- Access Context Manager
- VPC Flow Logs
- Cloud IDS
- Describe the function of VPC networks
- Recognize and implement best practices for configuring VPC firewalls (both ingress and egress rules)
- Secure projects with VPC Service Controls
- Apply SSL policies to load balancers
- Enable VPC flow logging, and then use Cloud Logging to access logs
- Deploy Cloud IDS, and view threat details in the Google Cloud console
5 Securing Compute Engine: Techniques and Best Practices
- Service accounts, IAM roles, and API scopes
- Managing VM logins
- Organization policy controls
- Shielded VMs and Confidential VMs
- Certificate Authority Service
- Compute Engine best practices
- Create and manage service accounts for Compute Engine instances (default and customer-defined)
- Detail IAM roles and scopes for VMs
- Explore and apply best practices for Compute Engine instances
- Explain the function of the Organization Policy Service
- Lab: Configuring, Using, and Auditing VM Service Accounts and Scopes
6 Securing Cloud Data: Techniques and Best Practices
- Cloud Storage IAM permissions and ACLs
- Auditing cloud data
- Signed URLs and policy documents
- Encrypting with Customer-managed encryption keys (CMEK) and Customersupplied encryption keys (CSEK)
- Cloud HSM
- BigQuery IAM roles and authorized views
- Storage best practices
- Use IAM permissions and roles to secure cloud resources
- Create and wrap encryption keys using the Compute Engine RSA public key certificate
- Encrypt and attach persistent disks to Compute Engine instances
- Manage keys and encrypted data by using Cloud Key Management Service (Cloud KMS) and Cloud HSM
- Create BigQuery authorized views
- Recognize and implement best practices for configuring storage options
- Lab: Using Customer-Supplied Encryption Keys with Cloud Storage
- Lab: Using Customer-Managed Encryption Keys with Cloud Storage and Cloud KMS
- Lab: Creating a BigQuery Authorized View
7 Securing Applications: Techniques and Best Practices
- Types of application security vulnerabilities
- Web Security Scanner
- Threat: Identity and OAuth phishing
- Identity-Aware Proxy
- Secret Manager
- Recall various types of application security vulnerabilities
- Detect vulnerabilities in App Engine applications by using Web Security Scanner
- Secure Compute Engine Applications by using BeyondCorp Enterprise
- Secure application credentials by using Secret Manager
- Identify the threats of OAuth and Identity Phishing
- Lab: Identify Application Vulnerabilities with Security Command Center
- Lab: Securing Compute Engine Applications with BeyondCorp Enterprise
- Lab: Configuring and Using Credentials with Secret Manager
8 Securing Google Kubernetes Engine: Techniques and Best Practices
- Types of application security vulnerabilities
- Web Security Scanner
- Threat: Identity and OAuth phishing
- Identity-Aware Proxy
- Secret Manager
- Explain the differences between Kubernetes service accounts and Google service accounts
- Recognize and implement best practices for securely configuring GKE
- Explain logging and monitoring options in Google Kubernetes Engine
9 Protecting against Distributed Denial-of-Service Attacks (DDoS)
- How DDoS attacks work
- Google Cloud mitigations
- Types of complementary partner products
- Identify the four layers of DDoS Mitigation
- Identify methods Google Cloud uses to mitigate the risk of DDoS for its customers
- Use Google Cloud Armor to blocklist an IP address and restrict access to an HTTP Load Balancer
- Lab: Configuring Traffic Blocklisting with Google Cloud Armor
10 Content-Related Vulnerabilities: Techniques and Best Practices
- Threat: Ransomware
- Ransomware mitigations
- Threats: data misuse, privacy violations, sensitive content
- Content-related mitigation
- Redacting Sensitive Data with the DLP API
- Discuss the threat of ransomware
- Explain ransomware mitigations strategies (backups, IAM, Cloud Data Loss Prevention API)
- Highlight common threats to content (data misuse; privacy violations; sensitive, restricted, or unacceptable content)
- Identify solutions for threats to content (classification, scanning, and redacting)
- Detect and redact sensitive data by using the Cloud DLP API
- Lab: Redacting Sensitive Data with the DLP API
11 Monitoring, Logging, Auditing, and Scanning
- Security Command Center
- Cloud Monitoring and Cloud Logging
- Cloud Audit Logs
- Cloud security automation
- Explain and use the Security Command Center
- Apply Cloud Monitoring and Cloud Logging to a project
- Apply Cloud Audit Logs to a project
- Identify methods for automating security in Google Cloud environments
- Lab: Configuring and Using Cloud Monitoring and Cloud Logging
- Lab: Configuring and Viewing Cloud Audit Logs
Through lectures, demonstrations, and labs, you explore and deploy the components of a secure Google Cloud solution.
- Cloud information security analysts, architects, and engineers
- Information security or cybersecurity specialists
- Cloud infrastructure architects
- Knowledge of foundational concepts in information security, through experience or online training such as SANS SEC301: Introduction to Cyber Security
- Basic proficiency with command-line tools and Linux operating system environments
- Systems Operations experience, including deploying and managing applications, either on-premises or in a public cloud environment
- Reading comprehension of code in Python or Javascript
- Basic understanding of Kubernetes terminology (preferred but not required)
- Prior completion of the following courses or equivalent experience:
Products
Cloud Identity, Resource Manager, Identity and Access Management (IAM), Cloud HSM, Cloud Secret Manager, Google Kubernetes Engine, Managed Service for Microsoft Active Directory Cloud Interconnect, Cloud Storage Web Security Scanner, Identity-Aware Proxy, VPC Service Controls, Google Cloud’s Operations suite (formerly Stackdriver), Google Cloud Armor, Compute Engine, Cloud Data Loss Prevention API, Cloud Intrusion Detection System (IDS), Cloud DNS, Identity Platform, Policy Intelligence, Workload identity federation, Cloud IDS, BeyondCorp Enterprise, Certificate Authority Service