Security in Google Cloud Platform (SGCP-3D) – Outline

Detailed Course Outline

Module 1 Foundations of Google Cloud Security

  • Google Cloud’s approach to security
  • The shared security responsibility model
  • Threats mitigated by Google and Google Cloud
  • Access transparency

Module 2 Securing Access to Google Cloud

  • Cloud Identity
  • Google Cloud Directory Sync
  • Managed Microsoft AD
  • Google authentication versus SAML-based SSO
  • Identity Platform
  • Authentication best practices

Module 3 Identity and Access Management (IAM)

  • Resource Manager
  • IAM roles
  • Service accounts
  • IAM and Organization policies
  • Workload Identity Federation
  • Policy Intelligence
  • Lab: Configuring IAM

Module 4 Configuring Virtual Private Cloud for Isolation and Security

  • VPC firewalls
  • Load balancing and SSL policies
  • Interconnect and Peering options
  • VPC Service Controls
  • Access Context Manager
  • VPC Flow Logs
  • Cloud IDS
  • Labs:
    • Configuring VPC firewalls
    • Configuring and Using VPC Flow Logs in Cloud Logging
    • Demo: Securing Projects with VPC Service Controls
    • Getting Started with Cloud IDS

Module 5 Securing Compute Engine: Techniques and Best Practices

  • Service accounts, IAM roles, and API scopes
  • Managing VM logins
  • Organization policy controls
  • Shielded VMs and Confidential VMs
  • Certificate Authority Service
  • Compute Engine best practices
  • Lab: Configuring, Using, and Auditing VM Service Accounts and Scopes

Module 6 Securing Cloud Data: Techniques and Best Practices

  • Cloud Storage IAM permissions and ACLs
  • Auditing cloud data
  • Signed URLs and policy documents
  • Encrypting with CMEK and CSEK
  • Cloud HSM
  • BigQuery IAM roles and authorized views
  • Storage best practices
  • Lab: Using customer-supplied encryption keys with Cloud Storage
  • Lab: Using customer-managed encryption keys with Cloud Storage and Cloud KMS
  • Lab: Creating a BigQuery authorized view

Module 7 Securing Applications: Techniques and Best Practices

  • Types of application security vulnerabilities
  • Web Security Scanner
  • Threat: Identity and OAuth phishing
  • Identity-Aware Proxy
  • Secret Manager
  • Lab: Using Web Security Scanner to Find Vulnerabilities in an App Engine Application
  • Lab: Securing Compute Engine Applications with BeyondCorp Enterprise
  • Lab: Configuring and Using Credentials with Secret Manager

Module 8 Securing Google Kubernetes Engine: Techniques and Best Practices

  • Authentication and authorization
  • Hardening your clusters
  • Securing your workloads
  • Monitoring and logging

Module 9 Protecting against Distributed Denial of Service Attacks (DDoS)

  • How DDoS attacks work
  • Google Cloud mitigations
  • Types of complementary partner products
  • Lab: Configuring Traffic Blocklisting with Google Cloud Armor

Module 10 Content-Related Vulnerabilities: Techniques and Best Practices

  • Threat: Ransomware
  • Ransomware mitigations
  • Threats: Data misuse, privacy violations, sensitive content
  • Content-related mitigation
  • Redacting Sensitive Data with the DLP API
  • Lab: Redacting Sensitive Data with the DLP API

Module 11 Monitoring, Logging, Auditing, and Scanning

  • Security Command Center
  • Cloud Monitoring and Cloud Logging
  • Cloud Audit Logs
  • Cloud security automation
  • Lab: Configuring and Using Cloud Monitoring and Cloud Logging
  • Lab: Configuring and Viewing Cloud Audit Logs