Security in Google Cloud
Advanced 3 days
Module 1: Foundations of GCP Security
- Understand the GCP shared security responsibility model.
- Understand Google Cloud’s approach to security.
- Understand the kinds of threats mitigated by Google and by GCP.
- Define and Understand Access Transparency and Access Approval (beta).
Module 2:Cloud Identity
- Cloud Identity.
- Syncing with Microsoft Active Directory using Google Cloud Directory Sync.
- Using Managed Service for Microsoft Active Directory (beta).
- Choosing between Google authentication and SAML-based SSO.
- Best practices, including DNS configuration, super admin accounts.
- Lab: Defining Users with Cloud Identity Console.
Module 3: Identity, Access, and Key Management
- GCP Resource Manager: projects, folders, and organizations.
- GCP IAM roles, including custom roles.
- GCP IAM policies, including organization policies.
- GCP IAM Labels.
- GCP IAM Recommender.
- GCP IAM Troubleshooter.
- GCP IAM Audit Logs.
- Best practices, including separation of duties and least privilege, the use of Google groups in policies, and avoiding the use of primitive roles.
- Labs: Configuring Cloud IAM, including custom roles and organization policies.
Module 4: Configuring Google Virtual Private Cloud for Isolation and Security
- Configuring VPC firewalls (both ingress and egress rules).
- Load balancing and SSL policies.
- Private Google API access.
- SSL proxy use.
- Best practices for VPC networks, including peering and shared VPC use, correct use of subnetworks.
- Best security practices for VPNs.
- Security considerations for interconnect and peering options.
- Available security products from partners.
- Defining a service perimeter, including perimeter bridges.
- Setting up private connectivity to Google APIs and services.
- Lab: Configuring VPC firewalls.
Module 5: Securing Compute Engine:techniques and best practices
- Compute Engine service accounts, default and customer-defined.
- IAM roles for VMs.
- API scopes for VMs.
- Managing SSH keys for Linux VMs.
- Managing RDP logins for Windows VMs.
- Organization policy controls: trusted images, public IP address, disabling serial port.
- Encrypting VM images with customer-managed encryption keys and with customer-supplied encryption keys.
- Finding and remediating public access to VMs.
- Best practices, including using hardened custom images, custom service accounts (not the default service account), tailored API scopes, and the use of application default credentials instead of user-managed keys.
- Lab: Configuring, using, and auditing VM service accounts and scopes.
- Encrypting VM disks with customer-supplied encryption keys.
- Lab: Encrypting disks with customer-supplied encryption keys.
- Using Shielded VMs to maintain the integrity of virtual machines.
Module 6: Advanced Logging and Analysis
- Cloud Storage and IAM permissions.
- Cloud Storage and ACLs.
- Auditing cloud data, including finding and remediating publicly accessible data.
- Signed Cloud Storage URLs.
- Signed policy documents.
- Encrypting Cloud Storage objects with customer-managed encryption keys and with customer-supplied encryption keys.
- Best practices, including deleting archived versions of objects after key rotation.
- Lab: Using customer-supplied encryption keys with Cloud Storage.
- Lab: Using customer-managed encryption keys with Cloud Storage and Cloud KMS.
- BigQuery authorized views.
- BigQuery IAM roles.
- Best practices, including preferring IAM permissions over ACLs.
- Lab: Creating a BigQuery authorized view.
Module 7: Securing Applications: techniques and best practices
- Types of application security vulnerabilities.
- DoS protections in App Engine and Cloud Functions.
- Cloud Security Scanner.
- Lab: Using Cloud Security Scanner to find vulnerabilities in an App Engine application.
- Identity Aware Proxy.
- Lab: Configuring Identity Aware Proxy to protect a project.
Module 8: Securing Kubernetes: techniques and best practices
- Securing Workloads.
- Securing Clusters.
- Logging and Monitoring.
Module 9: Protecting against Distributed Denial of Service Attacks
- How DDoS attacks work.
- Mitigations: GCLB, Cloud CDN, autoscaling, VPC ingress and egress firewalls, Cloud Armor (including its rules language).
- Types of complementary partner products.
- Lab: Configuring GCLB, CDN, traffic blacklisting with Cloud Armor.
Module 10: Protecting against content-related vulnerabilities
- Threat: Ransomware.
- Mitigations: Backups, IAM, Data Loss Prevention API.
- Threats: Data misuse, privacy violations, sensitive/restricted/unacceptable content.
- Threat: Identity and Oauth phishing.
- Mitigations: Classifying content using Cloud ML APIs; scanning and redacting data using Data Loss Prevention API.
- Lab: Redacting Sensitive Data with Data Loss Prevention API.
Module 11: Monitoring, Logging, Auditing, and Scanning
- Security Command Center.
- Stackdriver monitoring and logging.
- Lab: Installing Stackdriver agents.
- Lab: Configuring and using Stackdriver monitoring and logging.
- VPC flow logs.
- Lab: Viewing and using VPC flow logs in Stackdriver.
- Cloud audit logging.
- Lab: Configuring and viewing audit logs in Stackdriver.
- Deploying and Using Forseti.
- Lab: Inventorying a Deployment with Forseti Inventory (demo).
- Lab: Scanning a Deployment with Forseti Scanner (demo).