This training course gives you a broad study of security controls and techniques in Google Cloud. Through recorded lectures, demonstrations, and hands-on labs, you’ll explore and deploy the components of a secure Google Cloud solution, including Cloud Identity, Resource Manager, Identity and Access Management (IAM), Virtual Private Cloud firewalls, Cloud Load Balancing, Direct Peering, Carrier Peering, Cloud Interconnect, and VPC Service Controls.

What you'll learn

• Understand Google’s approach to security.
• Manage administration identities using Cloud Identity.
• Implement least privilege administration using Resource Manager and IAM.
• Implement Identity-Aware Proxy.
• Implement IP traffic controls using VPC firewalls and Google Cloud Armor.
• Remediate security vulnerabilities, especially public access to data and virtual machines.
• Scan for and redact sensitive data using the Cloud Data Loss Prevention API.
• Analyze changes to resource metadata configuration using audit logs.
• Scan a Google Cloud deployment with Forseti, to remediate important types of vulnerabilities, especially in public access to data and VMs.

Target Audience

• Cloud information security analysts, architects, and engineers
• Information security/cybersecurity specialists
• Cloud infrastructure architects

Prerequisites

• Prior completion of Google Cloud Fundamentals: Core Infrastructure or equivalent experience
• Prior completion of Networking in Google Cloud or equivalent experience
• Basic understanding of Kubernetes terminology (preferred but not required)
• Knowledge of foundational concepts in information security, through experience or through online training such as SANS’s SEC301: Introduction to Cyber Security
• Basic proficiency with command-line tools and Linux operating system environments
• Systems Operations experience, including deploying and managing applications, either on-premises or in a public cloud environment
• Reading comprehension of code in Python or Javascript

Products

• Google: Cloud Identity, Resource Manager, IAM, HSM, Secret Manager, Google Kubernetes Engine, Managed Service for Microsoft Active Directory, Cloud Interconnect, Cloud Storage, Web Security Scanner, Identity-Aware Proxy, VPC Service Controls, Google Cloud’s operations suite (formerly Stackdriver), Google Cloud Armor, Compute Engine, Cloud Data Loss Prevention API
• Third party: Forseti Inventory, Forseti Scanner

Course Modules

Module 1: Foundations of Google Cloud Security

• Google Cloud’s Approach to Security
• The Shared Security Responsibility Model
• Threats Mitigated by Google and Google Cloud
• Access Transparency

Module 2: Cloud Identity

• Cloud Identity
• Google Cloud Directory Sync
• Google Authentication Versus SAML-based SSO
• Authentication Best Practices

Module 3: Identity and Access Management (IAM)

• Resource Manager
• IAM Roles
• IAM Policies
• IAM Recommender
• IAM Troubleshooter
• IAM Audit Logs
• IAM Best Practices

Module 4: Configuring Virtual Private Cloud for Isolation and Security

• VPC Firewalls
• Load Balancing and SSL Policies
• Interconnect and Peering Policies
• Best Practices for VPC Networks
• VPC Flow Logs

Module 5: Securing Compute Engine: Techniques and Best Practices

• Service Accounts, IAM Roles and API Scopes
• Managing VM Logins
• Organization Policy Controls
• Compute Engine Best Practices
• Encrypting Disks with CSEK

Module 6: Securing Cloud Data: Techniques and Best Practices

• Cloud Storage IAM permissions and ACLs
• Auditing Cloud Data
• Signed URLs and Policy Documents
• Encrypting with CMEK and CSEK
• Cloud HSM
• BigQuery IAM Roles and Authorized Views
• Storage Best Practices

Module 7: Application Security: Techniques and Best Practices

• Types of Application Security Vulnerabilities
• Web Security Scanner
• Threat: Identity and Oauth Phishing
• Identity-Aware Proxy
• Secret Manager

Module 8: Securing Google Kubernetes Engine: Techniques and Best Practices

• Introduction to Kubernetes/GKE
• Authentication and Authorization
• Hardening Your Clusters
• Securing Your Workloads
• Monitoring and Logging

Module 9: Protecting against Distributed Denial of Service Attacks (DDoS)

• How DDoS Attacks Work
• Google Cloud Mitigations
• Types of Complementary Partner Products

Module 10: Content-Related Vulnerabilities: Techniques and Best Practices

• Threat Ransomware
• Ransomware Mitigations
• Threats: Data Misuse, Privacy Violations, Sensitive Content
• Content-Related Mitigations

Module 11: Monitoring, Logging, Auditing, and Scanning

• Cloud Audit Logs
• Deploying and Using Forseti