menu

Security in Google Cloud

Advanced 3日

このトレーニング コースでは、Google Cloud のセキュリティ制御と手法について広範に学習します。録画された講義、デモ、ハンズオンラボにより、Cloud Identity、Resource Manager、Identity and Access Management (IAM)、Virtual Private Cloud ファイアウォール、Cloud Load Balancing、ダイレクト ピアリング、キャリア ピアリング、Cloud Interconnect、VPC Service Controls など、セキュアな Google Cloud ソリューションのコンポーネントを確認してデプロイを行います。

取り上げるトピック

Infrastructure Application Development Security

前提条件:

●「Google Cloud Fundamentals: Core Infrastructure」を受講済み、 または同等の経験がある ●「Networking in Google Cloud」を修了しているか、同等の経験がある ● Kubernetes の用語の基本的な理解(推奨されるが必須ではない) ● 実務経験または SANS の「SEC301: Introduction to Cyber Security」などのオンライン トレーニングを通して、情報セキュリティに関する基本概念を理解している ● コマンドライン ツールと Linux オペレーティング システム環境に関する 基本スキル ● オンプレミスまたはパブリック クラウドのいずれかの環境でのアプリケーションのデプロイと管理など、システム運用の経験がある ● Python や JavaScript のコードを読んで理解できる

目標:

Google でのセキュリティ対策について理解します。 ● Cloud Identity を使用して管理 ID を管理します。 ● Resource Manager と IAM を使用して、最小権限による管理を実装します。 ● Identity-Aware Proxy を実装します。 ● VPC ファイアウォールと Google Cloud Armor を使用して IP トラフィック 制御を実装します。 ● セキュリティの脆弱性、特にデータおよび仮想マシンへの公開アクセスを 修正します。 ● Cloud Data Loss Prevention API を使用し、機密データをスキャンして修正します。 ● 監査ログを使用して、リソースのメタデータ構成の変更を分析します。 ● Forseti を使用して Google Cloud デプロイ環境をスキャンし、重要な種類の脆弱性、特にデータや VM への公開アクセスを修復します。

対象:

● クラウド情報のセキュリティ アナリスト、アーキテクト、エンジニア ● 情報セキュリティやサイバーセキュリティの専門家 ● クラウド インフラストラクチャ アーキテクト

コースの概要

The course includes presentations, demonstrations, and hands-on labs.

Module 1: Foundations of GCP Security

  • Understand the GCP shared security responsibility model.
  • Understand Google Cloud’s approach to security.
  • Understand the kinds of threats mitigated by Google and by GCP.
  • Define and Understand Access Transparency and Access Approval (beta).

Module 2:Cloud Identity

  • Cloud Identity.
  • Syncing with Microsoft Active Directory using Google Cloud Directory Sync.
  • Using Managed Service for Microsoft Active Directory (beta).
  • Choosing between Google authentication and SAML-based SSO.
  • Best practices, including DNS configuration, super admin accounts.
  • Lab: Defining Users with Cloud Identity Console.

Module 3: Identity, Access, and Key Management

  • GCP Resource Manager: projects, folders, and organizations.
  • GCP IAM roles, including custom roles.
  • GCP IAM policies, including organization policies.
  • GCP IAM Labels.
  • GCP IAM Recommender.
  • GCP IAM Troubleshooter.
  • GCP IAM Audit Logs.
  • Best practices, including separation of duties and least privilege, the use of Google groups in policies, and avoiding the use of primitive roles.
  • Labs: Configuring Cloud IAM, including custom roles and organization policies.

Module 4: Configuring Google Virtual Private Cloud for Isolation and Security

  • Configuring VPC firewalls (both ingress and egress rules).
  • Load balancing and SSL policies.
  • Private Google API access.
  • SSL proxy use.
  • Best practices for VPC networks, including peering and shared VPC use, correct use of subnetworks.
  • Best security practices for VPNs.
  • Security considerations for interconnect and peering options.
  • Available security products from partners.
  • Defining a service perimeter, including perimeter bridges.
  • Setting up private connectivity to Google APIs and services.
  • Lab: Configuring VPC firewalls.

Module 5: Securing Compute Engine:techniques and best practices

  • Compute Engine service accounts, default and customer-defined.
  • IAM roles for VMs.
  • API scopes for VMs.
  • Managing SSH keys for Linux VMs.
  • Managing RDP logins for Windows VMs.
  • Organization policy controls: trusted images, public IP address, disabling serial port.
  • Encrypting VM images with customer-managed encryption keys and with customer-supplied encryption keys.
  • Finding and remediating public access to VMs.
  • Best practices, including using hardened custom images, custom service accounts (not the default service account), tailored API scopes, and the use of application default credentials instead of user-managed keys.
  • Lab: Configuring, using, and auditing VM service accounts and scopes.
  • Encrypting VM disks with customer-supplied encryption keys.
  • Lab: Encrypting disks with customer-supplied encryption keys.
  • Using Shielded VMs to maintain the integrity of virtual machines.

Module 6: Advanced Logging and Analysis

  • Cloud Storage and IAM permissions.
  • Cloud Storage and ACLs.
  • Auditing cloud data, including finding and remediating publicly accessible data.
  • Signed Cloud Storage URLs.
  • Signed policy documents.
  • Encrypting Cloud Storage objects with customer-managed encryption keys and with customer-supplied encryption keys.
  • Best practices, including deleting archived versions of objects after key rotation.
  • Lab: Using customer-supplied encryption keys with Cloud Storage.
  • Lab: Using customer-managed encryption keys with Cloud Storage and Cloud KMS.
  • BigQuery authorized views.
  • BigQuery IAM roles.
  • Best practices, including preferring IAM permissions over ACLs.
  • Lab: Creating a BigQuery authorized view.

Module 7: Securing Applications: techniques and best practices

  • Types of application security vulnerabilities.
  • DoS protections in App Engine and Cloud Functions.
  • Cloud Security Scanner.
  • Lab: Using Cloud Security Scanner to find vulnerabilities in an App Engine application.
  • Identity Aware Proxy.
  • Lab: Configuring Identity Aware Proxy to protect a project.

Module 8: Securing Kubernetes: techniques and best practices

  • Authorization.
  • Securing Workloads.
  • Securing Clusters.
  • Logging and Monitoring.

Module 9: Protecting against Distributed Denial of Service Attacks

  • How DDoS attacks work.
  • Mitigations: GCLB, Cloud CDN, autoscaling, VPC ingress and egress firewalls, Cloud Armor (including its rules language).
  • Types of complementary partner products.
  • Lab: Configuring GCLB, CDN, traffic blacklisting with Cloud Armor.

Module 10: Protecting against content-related vulnerabilities

  • Threat: Ransomware.
  • Mitigations: Backups, IAM, Data Loss Prevention API.
  • Threats: Data misuse, privacy violations, sensitive/restricted/unacceptable content.
  • Threat: Identity and Oauth phishing.
  • Mitigations: Classifying content using Cloud ML APIs; scanning and redacting data using Data Loss Prevention API.
  • Lab: Redacting Sensitive Data with Data Loss Prevention API.

Module 11: Monitoring, Logging, Auditing, and Scanning

  • Security Command Center.
  • Stackdriver monitoring and logging.
  • Lab: Installing Stackdriver agents.
  • Lab: Configuring and using Stackdriver monitoring and logging.
  • VPC flow logs.
  • Lab: Viewing and using VPC flow logs in Stackdriver.
  • Cloud audit logging.
  • Lab: Configuring and viewing audit logs in Stackdriver.
  • Deploying and Using Forseti.
  • Lab: Inventorying a Deployment with Forseti Inventory (demo).
  • Lab: Scanning a Deployment with Forseti Scanner (demo).

予定されているクラスルーム

現時点では、予定されているクラスルーム セッションはありません。しばらくしてから再度ご確認ください。