Security in Google Cloud (SGCP-3D)

PART I: MANAGING SECURITY IN GOOGLE CLOUD

Module 1 Foundations of GCP Security

• Understand the GCP shared security responsibility model
• Understand Google Cloud’s approach to security
• Understand the kinds of threats mitigated by Google and by GCP
• Define and Understand Access Transparency and Access Approval (beta)

Module 2 Cloud Identity

• Cloud Identity
• Syncing with Microsoft Active Directory using Google Cloud Directory Sync
• Using Managed Service for Microsoft Active Directory (beta )
• Choosing between Google authentication and SAML-based SSO
• Best practices, including DNS configuration, super admin accounts
• Lab: Defining Users with Cloud Identity Console

Module 3 Identity, Access, and Key Management

• GCP Resource Manager: projects, folders, and organizations
• GCP IAM roles, including custom roles
• GCP IAM policies, including organization policies
• GCP IAM Labels
• GCP IAM Recommender
• GCP IAM Troubleshooter
• GCP IAM Audit Logs
• Best practices, including separation of duties and least privilege, the use of Google groups in policies, and avoiding the use of primitive roles
• Labs: Configuring Cloud IAM, including custom roles and organization policies

Module 4 Configuring Google Virtual Private Cloud for Isolation and Security

• Configuring VPC firewalls (both ingress and egress rules)
• Load balancing and SSL policies
• Private Google API access
• SSL proxy use
• Best practices for VPC networks, including peering and shared VPC use, correct use of subnetworks
• Best security practices for VPNs
• Security considerations for interconnect and peering options
• Available security products from partners
• Defining a service perimeter, including perimeter bridges
• Setting up private connectivity to Google APIs and services
• Lab: Configuring VPC firewalls

PART II: SECURITY BEST PRACTICES ON GOOGLE CLOUD

Module 5 Securing Compute Engine: techniques and best practices

• Compute Engine service accounts, default and customer-defined
• IAM roles for VMs
• API scopes for VMs
• Managing SSH keys for Linux VMs
• Managing RDP logins for Windows VMs
• Organization policy controls: trusted images, public IP address, disabling serial port
• Encrypting VM images with customer-managed encryption keys and with customer-supplied encryption keys
• Finding and remediating public access to VMs
• Best practices, including using hardened custom images, custom service accounts (not the default service account), tailored API scopes, and the use of application default credentials instead of user-managed keys
• Lab: Configuring, using, and auditing VM service accounts and scopes
• Encrypting VM disks with customer-supplied encryption keys
• Lab: Encrypting disks with customer-supplied encryption keys
• Using Shielded VMs to maintain the integrity of virtual machines

Module 6 Securing cloud data: techniques and best practices

• Cloud Storage and IAM permissions
• Cloud Storage and ACLs
• Auditing cloud data, including finding and remediating publicly accessible data
• Signed Cloud Storage URLs
• Signed policy documents
• Encrypting Cloud Storage objects with customer-managed encryption keys and with customer-supplied encryption keys
• Best practices, including deleting archived versions of objects after key rotation
• Lab: Using customer-supplied encryption keys with Cloud Storage
• Lab: Using customer-managed encryption keys with Cloud Storage and Cloud KMS
• BigQuery authorized views
• BigQuery IAM roles
• Best practices, including preferring IAM permissions over ACLs
• Lab: Creating a BigQuery authorized view

Module 7 Securing Applications: techniques and best practices

• Types of application security vulnerabilities
• DoS protections in App Engine and Cloud Functions
• Cloud Security Scanner
• Lab: Using Cloud Security Scanner to find vulnerabilities in an App Engine application
• Identity Aware Proxy
• Lab: Configuring Identity Aware Proxy to protect a project

Module 8 Securing Kubernetes: techniques and best practices

• Authorization
• Securing Workloads
• Securing Clusters
• Logging and Monitoring

PART III: MITIGATING VULNERABILITIES IN GOOGLE CLOUD

Module 9 Protecting against Distributed Denial of Service Attacks

• How DDoS attacks work
• Mitigations: GCLB, Cloud CDN, autoscaling, VPC ingress and egress firewalls, Cloud Armor (including its rules language)
• Types of complementary partner products
• Lab: Configuring GCLB, CDN, traffic blacklisting with Cloud Armor

Module 10 Protecting against content-related vulnerabilities

• Threat: Ransomware
• Mitigations: Backups, IAM, Data Loss Prevention API
• Threats: Data misuse, privacy violations, sensitive/restricted/unacceptable content
• Threat: Identity and Oauth phishing
• Mitigations: Classifying content using Cloud ML APIs; scanning and redacting data using Data Loss Prevention API
• Lab: Redacting Sensitive Data with Data Loss Prevention API

Module 11 Monitoring, Logging, Auditing, and Scanning

• Security Command Center
• Stackdriver monitoring and logging
• Lab: Installing Stackdriver agents
• Lab: Configuring and using Stackdriver monitoring and logging
• VPC flow logs
• Lab: Viewing and using VPC flow logs in Stackdriver
• Cloud audit logging
• Lab: Configuring and viewing audit logs in Stackdriver
• Deploying and Using Forseti
• Lab: Inventorying a Deployment with Forseti Inventory (demo)
• Lab: Scanning a Deployment with Forseti Scanner (demo)