Google Cloud – Professional Cloud Security Engineer Certification learning path
Continuing on the Google Cloud journey, I have just cleared the Professional Cloud Security Engineer certification. The Google Cloud – Professional Cloud Security Engineer certification exam covers almost all of the Google Cloud security services, and touches the storage, compute, and networking services only from their security aspects.
Google Cloud – Professional Cloud Security Engineer Certification Summary
- Has 50 questions to be answered in 2 hours.
- Covers a wide range of Google Cloud services, mainly focusing on security and network services.
- As mentioned for all the exams, hands-on is a MUST. If you have not worked on GCP before, make sure you do lots of labs; otherwise you would be absolutely clueless about some of the questions and commands.
- I did Coursera and A Cloud Guru, which are really vast, but hands-on or practical knowledge is a MUST.
Google Cloud – Professional Cloud Security Engineer Certification Resources
- Courses
  - Udemy – Google Professional Cloud Security Engineer Certification
  - Coursera – Preparing for Google Cloud Certification: Cloud Security Engineer
  - Coursera – Security Best Practices in Google Cloud
  - Coursera – Security in Google Cloud Platform
  - Coursera – Hands-On Labs in Google Cloud for Security Engineers
  - A Cloud Guru – Google Cloud Certified – Professional Cloud Security Engineer
- Practice tests
- Use the Google Free Tier and Qwiklabs as much as possible.
Google Cloud – Professional Cloud Security Engineer Certification Topics
Security Services
- Google Cloud – Security Services Cheat Sheet
- Cloud Key Management Service – KMS
  - Cloud KMS provides a centralized, scalable, fast cloud key management service to manage encryption keys.
  - A KMS key is a named object containing one or more key versions, along with metadata for the key.
  - A KMS key ring groups keys with related permissions, allowing you to grant, revoke, or modify permissions to those keys at the key ring level without needing to act on each key individually.
- Cloud Armor
  - Cloud Armor protects applications from multiple types of threats, including DDoS attacks and application attacks like XSS and SQLi.
  - Works with the external HTTP(S) load balancer to automatically block network protocol and volumetric DDoS attacks such as protocol floods (SYN, TCP, HTTP, and ICMP) and amplification attacks (NTP, UDP, DNS).
  - With GKE, it needs to be configured with GKE Ingress.
  - Can be used to blacklist IPs.
  - Supports preview mode to understand traffic patterns without blocking users.
- Cloud Identity-Aware Proxy
  - Identity-Aware Proxy (IAP) allows managing access to HTTP-based apps both on Google Cloud and outside of Google Cloud.
  - IAP uses Google identities and IAM, and can leverage external identity providers as well, like OAuth with Facebook, Microsoft, SAML, etc.
  - Signed headers using JWT provide secondary security in case someone bypasses IAP.
- Cloud Data Loss Prevention – DLP
  - Cloud Data Loss Prevention (DLP) is a fully managed service designed to help discover, classify, and protect the most sensitive data.
  - Provides two key features:
    - Classification is the process of inspecting the data to know what data you have, how sensitive it is, and how likely each match is.
    - De-identification is the process of removing, masking, redacting, or replacing information in the data.
  - Supports text, image, and storage classification, with scans on data stored in Cloud Storage, Datastore, and BigQuery.
  - Supports scanning of binary, text, image, Microsoft Word, PDF, and Apache Avro files.
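The classification and de-identification steps above, as an added, local-only illustration (this is not Cloud DLP code and calls no Google API): each detector tags a match with an infoType name and a likelihood on DLP's scale, and the de-identify step either redacts the match or character-masks it, keeping only the trailing digits. The infoType names mirror DLP's built-in ones; the regexes, the Luhn-based likelihood scoring and the sample record are constructed for this example.

```python
"""Inspect-and-de-identify pipeline in the style of Cloud DLP (added, local-only
illustration; it calls no Google API and its detectors are this example's own).
Classification tags each match with an infoType and a likelihood on DLP's scale;
de-identification then redacts or character-masks the matched text."""
import re
from dataclasses import dataclass
from typing import List

LIKELIHOODS = ["VERY_UNLIKELY", "UNLIKELY", "POSSIBLE", "LIKELY", "VERY_LIKELY"]


@dataclass
class Finding:
    info_type: str
    start: int
    end: int
    likelihood: str


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: a passing number is evidence the digits really are a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# (infoType, pattern, likelihood scorer). The names mirror DLP's built-in
# infoTypes; the regexes are deliberately simple constructed detectors.
DETECTORS = [
    ("EMAIL_ADDRESS", re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), lambda m: "LIKELY"),
    ("CREDIT_CARD_NUMBER", re.compile(r"\b(?:\d[ -]?){13,19}\b"),
     lambda m: "VERY_LIKELY" if luhn_valid(re.sub(r"\D", "", m.group())) else "POSSIBLE"),
    ("US_SOCIAL_SECURITY_NUMBER", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), lambda m: "LIKELY"),
]


def inspect(text: str, min_likelihood: str = "POSSIBLE") -> List[Finding]:
    """Classification step: every match at or above min_likelihood, in text order."""
    threshold = LIKELIHOODS.index(min_likelihood)
    findings = []
    for info_type, pattern, score in DETECTORS:
        for m in pattern.finditer(text):
            lk = score(m)
            if LIKELIHOODS.index(lk) >= threshold:
                findings.append(Finding(info_type, m.start(), m.end(), lk))
    return sorted(findings, key=lambda f: f.start)


def deidentify(text: str, findings: List[Finding], mode: str = "redact",
               keep_last: int = 4, mask_char: str = "#") -> str:
    """De-identification step. 'redact' replaces the match with its infoType;
    'mask' keeps only the trailing keep_last characters (like DLP's character mask)."""
    out = text
    for f in sorted(findings, key=lambda f: f.start, reverse=True):  # right-to-left keeps offsets valid
        seg = out[f.start:f.end]
        if mode == "redact":
            repl = f"[{f.info_type}]"
        else:
            head, tail = seg[:-keep_last], seg[-keep_last:]
            repl = "".join(mask_char if c.isalnum() else c for c in head) + tail
        out = out[:f.start] + repl + out[f.end:]
    return out


# Constructed sample record; every value is fake test data.
SAMPLE = ("Ticket 4412: customer alice@example.com paid with 4111 1111 1111 1111, "
          "not 1234 5678 9012 3456; SSN 123-45-6789 on file.")

if __name__ == "__main__":
    for f in inspect(SAMPLE):
        print(f)
    print(deidentify(SAMPLE, inspect(SAMPLE)))
    print(deidentify(SAMPLE, inspect(SAMPLE, "VERY_LIKELY"), mode="mask"))
```

The likelihood threshold is the knob that trades false positives for coverage: the second card-like number fails the Luhn check and is reported only as POSSIBLE, so a scan with `min_likelihood="LIKELY"` ignores it while still catching the real one.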
- Web Security Scanner
  - Web Security Scanner identifies security vulnerabilities in App Engine, GKE, and Compute Engine web applications.
  - Scans provide information about application vulnerability findings, like OWASP-listed vulnerabilities, cross-site scripting (XSS), Flash injection, outdated libraries, clear-text passwords, or use of mixed content.
- Security Command Center – SCC
  - Is a security and risk management platform that helps generate curated insights and provides a unique view of incoming threats and attacks on the assets.
  - Displays possible security risks, called findings, that are associated with each asset.
- Forseti Security
  - Is an open-source security toolkit that works alongside third-party security information and event management (SIEM) applications.
  - Keeps track of the environment with inventory snapshots of GCP resources on a recurring cadence.
- Access Context Manager
  - Access Context Manager allows organization administrators to define fine-grained, attribute-based access control for projects and resources.
  - Helps reduce the size of the privileged network and move to a model where endpoints do not carry ambient authority based on the network.
  - Helps prevent data exfiltration with proper access levels and security perimeter rules.
Compliance
- FIPS 140-2 Validated
  - FIPS 140-2 validation was established to aid in the protection of digitally stored unclassified, yet sensitive, information.
  - Google Cloud uses a FIPS 140-2 validated encryption module called BoringCrypto in the production environment. This means that data in transit (both to the customer and between data centers) and data at rest are encrypted using FIPS 140-2 validated encryption.
  - The BoringCrypto module that achieved FIPS 140-2 validation is part of the BoringSSL library.
  - The BoringSSL library as a whole is not FIPS 140-2 validated.
- PCI DSS Compliance
  - PCI DSS compliance follows a shared responsibility model.
  - Egress rules cannot be controlled for App Engine, Cloud Functions, and Cloud Storage. Google recommends using Compute Engine and GKE to ensure that all egress traffic is authorized.
  - Antivirus software and file integrity monitoring must be used on all systems commonly affected by malware, including containers, to protect systems from current and evolving malicious software threats.
  - For payment processing, security can be improved and compliance proved by isolating each of these environments into its own VPC network, reducing the scope of systems subject to PCI audit standards.
Networking Services
- Refer to the Google Cloud Security Services Cheat Sheet
- Virtual Private Cloud
  - Understand Virtual Private Cloud (VPC), subnets, and hosting applications within them.
  - Firewall rules control the traffic to and from instances. HINT: rules with lower integers indicate higher priorities. Firewall rules can be applied to specific tags.
  - Know the implied firewall rules, which deny all ingress and allow all egress.
  - Understand the difference between using service accounts vs network tags for filtering in firewall rules. HINT: use service accounts over tags, as they provide access control while tags can be easily inferred.
  - VPC Peering allows internal or private IP address connectivity across two VPC networks regardless of whether they belong to the same project or the same organization. HINT: VPC Peering uses private IPs and does not support transitive peering.
  - Shared VPC allows an organization to connect resources from multiple projects to a common VPC network so that they can communicate with each other securely and efficiently using internal IPs from that network.
  - Private access options for services allow instances with internal IP addresses to communicate with Google APIs and services.
  - Private Google Access allows VMs to connect to the set of external IP addresses used by Google APIs and services; it is enabled on the subnet used by the VM's network interface.
  - VPC Flow Logs record a sample of network flows sent from and received by VM instances, including instances used as GKE nodes.
  - Firewall Rules Logging enables auditing, verifying, and analyzing the effects of firewall rules.
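The firewall semantics in the bullets above (lower priority number wins, the implied rules deny all ingress and allow all egress, targeting by network tag or by service account), as an added model written for this page rather than Google Cloud code. It adds one rule the notes only hint at: when a deny and an allow share the same priority, the deny wins. The rule set, the instance and the service account names are constructed for the example; the evaluator reproduces the documented ordering, not the actual VPC implementation.

```python
"""Model of how VPC firewall rules are evaluated (added illustration, not
Google Cloud code). Semantics modelled from the notes above: the rule with the
lowest priority number wins; on a tie, deny beats allow; the implied rules
(priority 65535) deny all ingress and allow all egress; a rule with no target
tags or target service account applies to every instance in the network."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

IMPLIED_PRIORITY = 65535


@dataclass
class Rule:
    name: str
    direction: str                      # "INGRESS" or "EGRESS"
    action: str                         # "allow" or "deny"
    priority: int = 1000                # 0-65535; lower number = higher priority
    ranges: List[str] = field(default_factory=list)  # source CIDRs (ingress) / destination CIDRs (egress); empty = 0.0.0.0/0
    protocols: Dict[str, Set[int]] = field(default_factory=dict)  # {"tcp": {22}}; empty set = all ports; {} = all traffic
    target_tags: Set[str] = field(default_factory=set)
    target_sa: Optional[str] = None


@dataclass
class Instance:
    tags: Set[str]
    service_account: str


@dataclass
class Packet:
    direction: str
    remote_ip: str      # source for ingress, destination for egress
    protocol: str
    port: int


def _applies_to(rule: Rule, inst: Instance) -> bool:
    if not rule.target_tags and rule.target_sa is None:
        return True                     # no target: applies to every instance in the network
    return bool(rule.target_tags & inst.tags) or rule.target_sa == inst.service_account


def _matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction:
        return False
    addr = ipaddress.ip_address(pkt.remote_ip)
    if rule.ranges and not any(addr in ipaddress.ip_network(c) for c in rule.ranges):
        return False
    if not rule.protocols:
        return True
    ports = rule.protocols.get(pkt.protocol)
    return ports is not None and (not ports or pkt.port in ports)


def evaluate(rules: List[Rule], inst: Instance, pkt: Packet) -> Tuple[str, str]:
    """Return (verdict, rule name); 'implied' names the implied default rule."""
    candidates = [r for r in rules if _applies_to(r, inst) and _matches(r, pkt)]
    if not candidates:
        return ("deny" if pkt.direction == "INGRESS" else "allow"), "implied"
    # Lowest priority number first; deny sorts before allow at equal priority.
    best = min(candidates, key=lambda r: (r.priority, r.action != "deny"))
    return best.action, best.name


# Constructed sample rule set and instance (not from any real project).
WEB_SA = "web-sa@example-project.iam.gserviceaccount.com"
RULES = [
    Rule("allow-ssh-from-corp", "INGRESS", "allow", 1000, ["203.0.113.0/24"], {"tcp": {22}}, target_sa=WEB_SA),
    Rule("deny-ssh-all", "INGRESS", "deny", 2000, ["0.0.0.0/0"], {"tcp": {22}}),
    Rule("allow-http", "INGRESS", "allow", 1000, [], {"tcp": {80, 443}}, target_tags={"web"}),
    Rule("deny-http-badnet", "INGRESS", "deny", 1000, ["192.0.2.0/24"], {"tcp": {80, 443}}),
    Rule("allow-internal-egress", "EGRESS", "allow", 1000, ["10.0.0.0/8"]),
    Rule("deny-all-egress", "EGRESS", "deny", 65534, ["0.0.0.0/0"]),
]
WEB = Instance(tags={"web"}, service_account=WEB_SA)

if __name__ == "__main__":
    for pkt in [Packet("INGRESS", "203.0.113.5", "tcp", 22),
                Packet("INGRESS", "198.51.100.7", "tcp", 22),
                Packet("INGRESS", "192.0.2.9", "tcp", 80),
                Packet("INGRESS", "198.51.100.7", "udp", 53),
                Packet("EGRESS", "8.8.8.8", "tcp", 443)]:
        print(pkt.direction, pkt.remote_ip, pkt.protocol, pkt.port, "->", evaluate(RULES, WEB, pkt))
```

Note the `deny-all-egress` rule at priority 65534: without an explicit rule like it, every egress packet that no other rule matches falls through to the implied allow, which is the behaviour the "allow all egress" bullet warns about. The SSH exception is keyed to the service account rather than a tag, so an instance running under a different account gets no exception even if someone attaches the `web` tag to it.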
- Hybrid Connectivity
  - Understand the Hybrid Connectivity options in terms of security.
  - Cloud VPN provides secure connectivity from the on-premises data center to the GCP network through the public internet. Cloud VPN does not provide internal or private IP connectivity.
  - Cloud Interconnect provides direct connectivity from the on-premises data center to the GCP network.
- Cloud NAT
  - Cloud NAT allows VM instances without external IP addresses and private GKE clusters to send outbound packets to the internet and receive any corresponding established inbound response packets.
  - Requests are not routed through Cloud NAT if the instance has an external IP address.
- Cloud DNS
  - Understand Cloud DNS and its features.
  - Supports DNSSEC, a feature of DNS that authenticates responses to domain name lookups and protects domains from spoofing and cache poisoning attacks.
- Cloud Load Balancing
  - Google Cloud Load Balancing provides scaling, high availability, and traffic management for your internet-facing and private applications.
  - Understand the Google Load Balancing options and their use cases, especially which are global vs regional, external vs internal, and whether they support SSL offloading:
    - Network Load Balancer – regional, external, pass-through, supports TCP/UDP
    - Internal TCP/UDP Load Balancer – regional, internal, pass-through, supports TCP/UDP
    - HTTP/S Load Balancer – regional/global, external, pass-through, supports HTTP/S
    - Internal HTTP/S Load Balancer – regional/global, internal, pass-through, supports HTTP/S
    - SSL Proxy Load Balancer – regional/global, external, proxy, supports SSL with SSL offload capability
    - TCP Proxy Load Balancer – regional/global, external, proxy, supports TCP without SSL offload capability
Identity Services
- Resource Manager
  - Understand the Resource Manager hierarchy: Organization -> Folders -> Projects -> Resources.
  - IAM policy inheritance is transitive, and resources inherit the policies of all of their parent resources.
  - The effective policy for a resource is the union of the policy set on that resource and the policies inherited from higher up in the hierarchy.
- Identity and Access Management
  - Identity and Access Management (IAM) provides administrators the ability to manage cloud resources centrally by controlling who can take what action on specific resources.
  - A service account is a special kind of account used by an application or a virtual machine (VM) instance, not a person.
  - A service account, if accidentally deleted, can be recovered if the time gap is less than 30 days and a service account with the same name wasn't created in the meantime.
  - Understand IAM best practices:
    - Use groups for users requiring the same responsibilities.
    - Use service accounts for server-to-server interactions.
    - Use the Organization Policy Service to get centralized and programmatic control over the organization's cloud resources.
    - Domain-wide delegation of authority grants third-party and internal applications access to users' data, e.g. Google Drive.
- Cloud Identity
  - Cloud Identity provides IDaaS (Identity as a Service), with single sign-on functionality and federation with external identity providers like Active Directory.
  - Cloud Identity supports federating with Active Directory, using GCDS to implement the synchronization.
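The hierarchy and inheritance rules in the Resource Manager bullets above, as an added model written for this page (not Google Cloud's IAM code): each node carries its own role-to-members bindings, the effective policy of a resource is the union of its bindings and every ancestor's, and a helper reports at which level a binding was granted, which is what you need when auditing least privilege. The organization, folders, projects, bucket and principals are constructed placeholders.

```python
"""Resource Manager hierarchy with IAM policy inheritance (added illustration,
not Google Cloud code). Models the notes above: Organization -> Folders ->
Projects -> Resources, inheritance is transitive, and the effective policy of a
resource is the union of its own bindings and every ancestor's bindings."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Node:
    name: str
    parent: Optional["Node"] = None
    bindings: Dict[str, Set[str]] = field(default_factory=dict)  # role -> members

    def grant(self, role: str, member: str) -> "Node":
        self.bindings.setdefault(role, set()).add(member)
        return self


def ancestry(node: Node):
    """Yield the node itself, then each parent up to the organization."""
    while node is not None:
        yield node
        node = node.parent


def effective_policy(node: Node) -> Dict[str, Set[str]]:
    """Union of the node's bindings and all inherited bindings (a child can only add access)."""
    merged: Dict[str, Set[str]] = {}
    for n in ancestry(node):
        for role, members in n.bindings.items():
            merged.setdefault(role, set()).update(members)
    return merged


def has_role(node: Node, member: str, role: str) -> bool:
    return member in effective_policy(node).get(role, set())


def granted_at(node: Node, member: str, role: str) -> List[str]:
    """Hierarchy levels that grant the binding; revoking it means editing each of these."""
    return [n.name for n in ancestry(node) if member in n.bindings.get(role, set())]


# Constructed hierarchy (every name and principal below is a placeholder).
ORG = Node("organizations/EXAMPLE_ORG_ID").grant("roles/resourcemanager.organizationViewer", "group:sec-auditors@example.com")
PROD = Node("folders/prod", ORG).grant("roles/viewer", "group:sec-auditors@example.com")
DEV = Node("folders/dev", ORG).grant("roles/editor", "user:bob@example.com")
PROD_WEB = Node("projects/prod-web", PROD).grant("roles/storage.objectViewer", "serviceAccount:web-sa@prod-web.iam.gserviceaccount.com")
DEV_API = Node("projects/dev-api", DEV)
BUCKET = Node("projects/prod-web/buckets/customer-exports", PROD_WEB).grant("roles/storage.objectAdmin", "user:alice@example.com")

if __name__ == "__main__":
    for role, members in sorted(effective_policy(BUCKET).items()):
        print(role, sorted(members))
    print(granted_at(BUCKET, "group:sec-auditors@example.com", "roles/viewer"))
```

The point to take from the model is the one-way nature of inheritance: the bucket's own policy contains no `roles/viewer` binding, yet the auditors group can read it because the folder grants the role, and nothing set on the bucket can remove that access. The sibling `folders/dev` editor grant never reaches the production bucket.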
Compute Services
- Compute services like Google Compute Engine and Google Kubernetes Engine are covered lightly, mainly from the security aspect.
- Google Compute Engine
  - Google Compute Engine is the best IaaS option for compute and provides fine-grained control.
  - Manage access using OS Login or project and instance metadata.
  - Compute Engine is recommended to be used with a least-privilege service account to provide access to Google services, and the information can be queried from instance metadata.
- Google Kubernetes Engine
  - Google Kubernetes Engine enables running containers on Google Cloud.
  - Understand best practices for building containers:
    - Package a single app per container
    - Properly handle PID 1, signal handling, and zombie processes
    - Optimize for the Docker build cache
    - Remove unnecessary tools
    - Build the smallest image possible
    - Scan images for vulnerabilities
    - Restrict the use of public images
    - Use managed base images
Storage Services
- Cloud Storage
  - Cloud Storage is cost-effective object storage for unstructured data and provides an option for long-term data retention.
  - Understand Cloud Storage security features:
    - Understand the various data encryption techniques including envelope encryption, CMEK, and CSEK. HINT: CSEK works with Cloud Storage and Persistent Disks only. CSEK manages the KEK and not the DEK.
    - Cloud Storage default encryption uses AES-256.
    - Understand Signed URLs, which give temporary access; the users do not need to be GCP users.
    - Understand access control and permissions – IAM (uniform) vs ACLs (fine-grained control).
    - The Bucket Lock feature allows configuring a data retention policy for a bucket that governs how long objects in the bucket must be retained. The feature also allows locking the data retention policy, permanently preventing the policy from being reduced or removed.
Monitoring
- Google Cloud Monitoring (Stackdriver)
  - Provides everything from monitoring, alerting, error reporting, metrics, diagnostics, and debugging to tracing.
- Google Cloud Logging (Stackdriver Logging)
  - Audit logs are provided through Cloud Logging using Admin Activity and Data Access audit logs.
  - VPC Flow Logs and Firewall Rules Logs help monitor traffic to and from Compute Engine instances.
  - Log sinks can export data to external providers via Cloud Pub/Sub.
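Detection logic over the audit logs described above, as an added example written for this page (not Google Cloud code): it separates Admin Activity from Data Access entries by log name, and flags three changes a security team usually wants paged on: a basic role (owner/editor) being added to a project policy, a firewall rule created open to 0.0.0.0/0, and a user-managed service account key being created. It also carries the Logging query a Pub/Sub sink could use to forward only those events to a SIEM. The log lines are constructed to follow the AuditLog payload layout (`protoPayload.methodName`, `authenticationInfo.principalEmail`, `resourceName`); the `serviceData.policyDelta` block is assumed to be the shape Resource Manager `SetIamPolicy` entries use, and none of the lines comes from a real project.

```python
"""Detection logic over Cloud Audit Log entries (added example, not Google Cloud
code). The sample lines are constructed to follow the AuditLog payload layout
(protoPayload.methodName, authenticationInfo.principalEmail, resourceName; the
policyDelta block is the shape assumed for Resource Manager SetIamPolicy
entries) and are not taken from any real project."""
import json
from typing import Dict, List, Tuple

# Constructed entries, one JSON object per line, as a Pub/Sub log sink delivers them.
SAMPLE_LOG = [
    '{"logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity", "severity": "NOTICE", "protoPayload": {"@type": "type.googleapis.com/google.cloud.audit.AuditLog", "serviceName": "cloudresourcemanager.googleapis.com", "methodName": "SetIamPolicy", "resourceName": "projects/example-project", "authenticationInfo": {"principalEmail": "alice@example.com"}, "serviceData": {"policyDelta": {"bindingDeltas": [{"action": "ADD", "role": "roles/owner", "member": "user:contractor@example.net"}]}}}}',
    '{"logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity", "severity": "NOTICE", "protoPayload": {"@type": "type.googleapis.com/google.cloud.audit.AuditLog", "serviceName": "compute.googleapis.com", "methodName": "v1.compute.firewalls.insert", "resourceName": "projects/example-project/global/firewalls/allow-rdp-any", "authenticationInfo": {"principalEmail": "bob@example.com"}, "request": {"sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]}}}',
    '{"logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity", "severity": "NOTICE", "protoPayload": {"@type": "type.googleapis.com/google.cloud.audit.AuditLog", "serviceName": "iam.googleapis.com", "methodName": "google.iam.admin.v1.CreateServiceAccountKey", "resourceName": "projects/-/serviceAccounts/deploy-sa@example-project.iam.gserviceaccount.com", "authenticationInfo": {"principalEmail": "bob@example.com"}}}',
    '{"logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Fdata_access", "severity": "INFO", "protoPayload": {"@type": "type.googleapis.com/google.cloud.audit.AuditLog", "serviceName": "storage.googleapis.com", "methodName": "storage.objects.get", "resourceName": "projects/_/buckets/example-bucket/objects/report.csv", "authenticationInfo": {"principalEmail": "web-sa@example-project.iam.gserviceaccount.com"}}}',
    '{"logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity", "severity": "NOTICE", "protoPayload": {"@type": "type.googleapis.com/google.cloud.audit.AuditLog", "serviceName": "cloudresourcemanager.googleapis.com", "methodName": "SetIamPolicy", "resourceName": "projects/example-project", "authenticationInfo": {"principalEmail": "alice@example.com"}, "serviceData": {"policyDelta": {"bindingDeltas": [{"action": "ADD", "role": "roles/viewer", "member": "group:sec-auditors@example.com"}]}}}}',
]

BASIC_ROLES = {"roles/owner", "roles/editor"}   # broad basic (formerly "primitive") roles

# Logging query a Pub/Sub sink could use to forward only these events to a SIEM.
SINK_FILTER = (
    'logName:"cloudaudit.googleapis.com%2Factivity" AND '
    '(protoPayload.methodName="SetIamPolicy" OR '
    'protoPayload.methodName="google.iam.admin.v1.CreateServiceAccountKey" OR '
    'protoPayload.methodName:"compute.firewalls.insert")'
)


def log_type(entry: Dict) -> str:
    """Admin Activity logs are always on; Data Access logs must be enabled per service."""
    name = entry.get("logName", "")
    if name.endswith("cloudaudit.googleapis.com%2Factivity"):
        return "ADMIN_ACTIVITY"
    if name.endswith("cloudaudit.googleapis.com%2Fdata_access"):
        return "DATA_ACCESS"
    return "OTHER"


def analyze(entry: Dict) -> List[Tuple[str, str]]:
    """Return (severity, message) alerts for one entry; empty list when nothing is notable."""
    p = entry.get("protoPayload", {})
    method = p.get("methodName", "")
    actor = p.get("authenticationInfo", {}).get("principalEmail", "?")
    resource = p.get("resourceName", "?")
    alerts = []
    if method == "SetIamPolicy":
        deltas = p.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
        for d in deltas:
            if d.get("action") == "ADD" and d.get("role") in BASIC_ROLES:
                alerts.append(("HIGH", f"{actor} granted {d['role']} to {d['member']} on {resource}"))
    elif method.endswith("compute.firewalls.insert"):
        if "0.0.0.0/0" in p.get("request", {}).get("sourceRanges", []):
            alerts.append(("MEDIUM", f"{actor} created firewall rule {resource} open to 0.0.0.0/0"))
    elif method == "google.iam.admin.v1.CreateServiceAccountKey":
        alerts.append(("MEDIUM", f"{actor} created a user-managed key for {resource}"))
    return alerts


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    findings = []
    for line in lines:
        entry = json.loads(line)
        for sev, msg in analyze(entry):
            findings.append((sev, log_type(entry), msg))
    return findings


def log_types(lines: List[str]) -> List[str]:
    return [log_type(json.loads(line)) for line in lines]


if __name__ == "__main__":
    for sev, kind, msg in scan(SAMPLE_LOG):
        print(f"{sev:6} {kind:14} {msg}")
```

The viewer grant in the last line produces no alert on purpose: the rule keys on the role being added, not on `SetIamPolicy` itself, which keeps routine least-privilege changes out of the pager while still forwarding every policy change through the sink for the SIEM to retain.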
All the Best!!
Congratulations!!!