Security in Google Cloud (SGCP-3D) – Outline

Detailed Course Outline

Module 1: Foundations of Google Cloud Security

  • The approach of Google Cloud to security
  • The shared security responsibility model
  • Threats mitigated by Google and Google Cloud
  • Access transparency

Module 2: Securing Access to Google Cloud

  • Cloud Identity
  • Google Cloud Directory Sync
  • Managed Microsoft AD
  • Google authentication versus SAML-based SSO
  • Identity Platform
  • Authentication best practices

Module 3: Identity and Access Management (IAM)

  • Resource Manager
  • IAM roles
  • Service accounts
  • IAM and Organization policies
  • Workload identity federation
  • Policy Intelligence
  • Lab: Configuring IAM

Module 4: Configuring Virtual Private Cloud for Isolation and Security

  • VPC firewalls
  • Load balancing and SSL policies
  • Cloud Interconnect
  • VPC Network Peering
  • VPC Service Controls
  • Access Context Manager
  • VPC Flow Logs
  • Cloud IDS
  • Labs:
    • Configuring VPC firewalls
    • Configuring and Using VPC Flow Logs in Cloud Logging
    • Demo: Securing Projects with VPC Service Controls
    • Getting Started with Cloud IDS

Module 5: Securing Compute Engine: Techniques and Best Practices

  • Service accounts, IAM roles, and API scopes
  • Managing VM logins
  • Organization policy controls
  • Shielded VMs and Confidential VMs
  • Certificate Authority Service
  • Compute Engine best practices
  • Lab: Configuring, Using, and Auditing VM Service Accounts and Scopes

Module 6: Securing Cloud Data: Techniques and Best Practices

  • Cloud Storage IAM permissions and ACLs
  • Auditing cloud data
  • Signed URLs and policy documents
  • Encrypting with Customer-managed encryption keys (CMEK) and Customer-supplied encryption keys (CSEK)
  • Cloud HSM
  • BigQuery IAM roles and authorized views
  • Storage best practices
  • Lab: Using Customer-Supplied Encryption Keys with Cloud Storage
  • Lab: Using Customer-Managed Encryption Keys with Cloud Storage and Cloud KMS
  • Lab: Creating a BigQuery Authorized View

Module 7: Securing Applications: Techniques and Best Practices

  • Types of application security vulnerabilities
  • Web Security Scanner
  • Threat: Identity and OAuth phishing
  • Identity-Aware Proxy
  • Secret Manager
  • Lab: Identifying Application Vulnerabilities with Security Command Center
  • Lab: Securing Compute Engine Applications with BeyondCorp Enterprise
  • Lab: Configuring and Using Credentials with Secret Manager

Module 8: Securing Google Kubernetes Engine: Techniques and Best Practices


Module 9: Protecting against Distributed Denial of Service Attacks (DDoS)

  • How DDoS attacks work
  • Google Cloud mitigations
  • Types of complementary partner products
  • Lab: Configuring Traffic Blocklisting with Google Cloud Armor

Module 10: Content-Related Vulnerabilities: Techniques and Best Practices

  • Threat: Ransomware
  • Ransomware mitigations
  • Threats: data misuse, privacy violations, sensitive content
  • Content-related mitigation
  • Redacting Sensitive Data with the DLP API
  • Lab: Redacting Sensitive Data with DLP API

Module 11: Monitoring, Logging, Auditing, and Scanning

  • Security Command Center
  • Cloud Monitoring and Cloud Logging
  • Cloud Audit Logs
  • Cloud security automation
  • Lab: Configuring and Using Cloud Monitoring and Cloud Logging
  • Lab: Configuring and Viewing Cloud Audit Logs