Security in Google Cloud

Module 01: Foundations of Google Cloud Security

Topics

• Google Cloud’s Approach to Security
• The Shared Security Responsibility Model
• Threats Mitigated by Google and Google Cloud
• Access Transparency

Objectives

• Learn about Google Cloud’s approach to security.
• Understand the shared security responsibility model.
• Understand the kinds of threats mitigated by Google and by Google Cloud.
• Define and understand access transparency.

Module 02 Cloud Identity

Topics

• Cloud Identity
• Cloud Identity
• Google Cloud Directory Sync
• Google Authentication Versus SAML-based SSO
• Authentication Best Practices

Objectives

• Learn what Cloud Identity is and what it does.
• Learn how Directory Sync securely syncs users and permissions between your on-prem LDAP or AD server and the cloud.
• Understand the two ways Google Cloud handles authentication and how to set up SSO.
• Explore best practices for managing groups, permissions, domains and admins with Cloud Identity.

Module 03 Identity and Access Management (IAM)

Topics

• Resource Manager
• IAM Roles
• IAM Policies
• IAM Recommender
• IAM Troubleshooter
• IAM Audit Logs
• IAM Best Practices

Objectives

• Understand Resource Manager: projects, folders, and organizations.
• Learn how to implement IAM roles, including custom roles.
• Understand IAM policies, including organization policies.
• Understand best practices, including separation of duties and least privilege, the use of Google groups in policies, and avoiding the use of basic roles.
• Learn how to configure IAM, including custom roles and organization policies.

Activity

• Lab: Configuring IAM

Module 04 Configuring Virtual Private Cloud for Isolation and Security

Topics

• VPC Firewalls
• Load Balancing and SSL Policies
• Interconnect and Peering Policies
• Best Practices for VPC Networks
• VPC Flow Logs

Objectives

• Learn best practices for configuring VPC firewalls (both ingress and egress rules).
• Understand load balancing and SSL policies.
• Understand how to set up private Google API access.
• Understand SSL proxy use.
• Learn best practices for VPC networks, including peering and shared VPC use, and the correct use of subnetworks.
• Learn best security practices for VPNs.
• Understand security considerations for interconnect and peering options.
• Become familiar with available security products from partners.
• Learn to configure VPC firewalls.
• Prevent data exfiltration with VPC Service Controls.

Activities

• Lab: Configuring VPC Firewalls
• Lab: Configuring and Using VPC Flow Logs in Cloud Logging

Module 05 Securing Compute Engine: Techniques and Best Practices

Topics

• Service Accounts, IAM Roles and API Scopes
• Managing VM Logins
• Organization Policy Controls
• Compute Engine Best Practices
• Encrypting Disks with CSEK

Objectives

• Learn about Compute Engine service accounts, default and customer-defined.
• Understand IAM roles and scopes for VMs.
• Understand how Shielded VMs help maintain your system and application integrity

Activities

• Lab: Configuring, Using, and Auditing VM Service Accounts and Scopes
• Lab: Encrypting Disks with Customer-Supplied Encryption Keys

Module 06 Securing Cloud Data: Techniques and Best Practices

Topics

• Cloud Storage IAM permissions and ACLs
• Auditing Cloud Data
• Signed URLs and Policy Documents
• Encrypting with CMEK and CSEK
• Cloud HSM
• BigQuery IAM Roles and Authorized Views
• Storage Best Practices

Objectives

• Use cloud permissions and roles to secure cloud resources.
• Audit cloud data.
• Use signed URLs to give access to objects in a Cloud Storage bucket.
• Manage what can be placed in a Cloud Storage bucket using Signed Policy Document.
• Encrypt cloud data using customer managed encryption keys (CMEK), customer supplied encryption keys (CSEK), and Cloud HSM.
• Protecting data in BigQuery using IAM roles and authorized views

Activities

• Lab: Using Customer-Supplied Encryption Keys with Cloud Storage
• Lab: Using Customer-Managed Encryption Keys with Cloud Storage and Cloud KMS
• Lab: Creating a BigQuery Authorized View

Module 07 Application Security: Techniques and Best Practices

Topics

• Types of Application Security Vulnerabilities
• Web Security Scanner
• Threat: Identity and Oauth Phishing
• Identity-Aware Proxy
• Secret Manager

Objectives

• Recall various types of application security vulnerabilities.
• Understand DoS protections in App Engine and Cloud Functions.
• Understand the role of Web Security Scanner in mitigating risks.
• Define and recall the threats posed by Identity and Oauth phishing.
• Understand the role of Identity-Aware Proxy in mitigating risks.
• Store application credentials and metadata securely using Secret Manager.

Activities

• Lab: Using Web Security Scanner to Find Vulnerabilities in an App Engine Application
• Lab: Configuring Identity-Aware Proxy to Protect a Project
• Lab: Configuring and Using Credentials with Secret Manager

Module 08 Securing Google Kubernetes Engine: Techniques and Best Practices

Topics

• Introduction to Kubernetes/GKE
• Authentication and Authorization
• Hardening Your Clusters
• Securing Your Workloads
• Monitoring and Logging

Objectives

• Understand the basic components of a Kubernetes environment.
• Understand how authentication and authorization works in Google Kubernetes Engine.
• Recall how to harden Kubernetes Clusters against attacks.
• Recall how to harden Kubernetes workloads against attacks.
• Understand logging and monitoring options in Google Kubernetes Engine.

Module 09 Protecting against Distributed Denial of Service Attacks (DDoS)

Topics

• How DDoS Attacks Work
• Google Cloud Mitigations
• Types of Complementary Partner Products

Objectives

• Understand how DDoS attacks work.
• Recall common mitigations: Cloud Load Balancing, Cloud CDN, autoscaling, VPC ingress and egress firewalls, Google Cloud Armor.
• Recall the various types of complementary partner products available.
• Use Google Cloud Armor to blocklist an IP address and restrict access to an HTTP load balancer

Activities

• Lab: Configuring Traffic Blocklisting with Google Cloud Armor

Module 10 Content-Related Vulnerabilities: Techniques and Best Practices

Topics

• Threat Ransomware
• Ransomware Mitigations
• Threats: Data Misuse, Privacy Violations, Sensitive Content
• Content-Related Mitigations

Objectives

• Discuss the threat of ransomware.
• Understand ransomware mitigations: Backups, IAM, Cloud Data Loss Prevention API.
• Understand threats to content: Data misuse, privacy violations, sensitive/restricted/unacceptable content.
• Recall mitigations for threats to content: Classifying content using Cloud ML APIs; scanning and redacting data using the DLP API.

Activities

• Lab: Redacting Sensitive Data with the DLP AP

Module 11 Monitoring, Logging, Auditing, and Scanning

Topics

• Cloud Audit Logs
• Deploying and Using Forseti

Objectives

• Understand and use Security Command Center.
• Understand and use Cloud Monitoring and Cloud Logging.
• Install the Monitoring and Logging Agents.
• Understand Cloud Audit Logs.
• Gain experience configuring and viewing Cloud Audit Logs.
• Gain experience deploying and using Forseti.
• Learn how to inventory a deployment with Forseti Inventory.
• Learn how to scan a deployment with Forseti Scanner

Activities

• Lab: Installing Cloud Logging and Monitoring Agents
• Lab: Configuring and Using Cloud Logging and Monitoring
• Lab: Configuring and Viewing Cloud Audit Logs