Security in Google Cloud Platform, Austin

Description

Through lectures, demonstrations, and hands-on labs, participants explore and deploy the components of a secure GCP solution. Participants also learn mitigation techniques for attacks at many points in a GCP-based infrastructure, including Distributed Denial-of-Service attacks, phishing attacks, and threats involving content classification and use.

Duration

2 days, instructor-led
2 weeks, on-demand

Objectives:

This course teaches participants the following skills:

• Understanding the Google approach to security
• Managing administrative identities using Cloud Identity.
• Implementing least privilege administrative access using Google Cloud Resource Manager, Cloud IAM.
• Implementing IP traffic controls using VPC firewalls and Cloud Armor
• Implementing Identity Aware Proxy
• Analyzing changes to the configuration or metadata of resources with GCP audit logs
• Scanning for and redact sensitive data with the Data Loss Prevention API
• Scanning a GCP deployment with Forseti
• Remediating important types of vulnerabilities, especially in public access to data and VMs

Delivery Method

Online self-paced or instructor-led

Audience

This class is intended for the following job roles:

• Cloud information security analysts, architects, and engineers
• Information security/cybersecurity specialists
• Cloud infrastructure architects
• Developers of cloud applications.

Prerequisites

To get the most out of this course, participants should have:

• Prior completion of Google Cloud Platform Fundamentals: Core Infrastructureor equivalent experience
• Prior completion of Networking in Google Cloud Platform or equivalent experience
• Knowledge of foundational concepts in information security:
  • Fundamental concepts:
    • vulnerability, threat, attack surface
    • confidentiality, integrity, availability
  • Common threat types and their mitigation strategies
  
  
  • Public-key cryptography
    
    
    • Public and private key pairs
    
    
    • Certificates
    
    
    • Cipher types
    
    
    • Key width
    
    
  • Certificate authorities
  
  
  • Transport Layer Security/Secure Sockets Layer encrypted communication
  
  
  • Public key infrastructures
  
  
  • Security policy
  
  
  
  


• Basic proficiency with command-line tools and Linux operating system environments


• Systems Operations experience, including deploying and managing applications, either on-premises or in a public cloud environment


• Reading comprehension of code in Python or JavaScript

Course Outline

PART I: Managing Security in Google Cloud Platform

Module 1: Foundations of GCP Security

• Google Cloud's approach to security


• The shared security responsibility model


• Threats mitigated by Google and by GCP


• Access Transparency 

Module 2: Cloud Identity

• Cloud Identity


• Syncing with Microsoft Active Directory


• Choosing between Google authentication and SAML-based SSO


• GCP best practices 

Module 3: Identity and Access Management

• GCP Resource Manager: projects, folders, and organizations


• GCP IAM roles, including custom roles


• GCP IAM policies, including organization policies


• GCP IAM best practices 

Module 4: Configuring Google Virtual Private Cloud for Isolation and Security

• Configuring VPC firewalls (both ingress and egress rules)


• Load balancing and SSL policies


• Private Google API access


• SSL proxy use


• Best practices for structuring VPC networks


• Best security practices for VPNs


• Security considerations for interconnect and peering options


• Available security products from partners 

Module 5: Monitoring, Logging, Auditing, and Scanning

• Stackdriver monitoring and logging


• VPC flow logs


• Cloud audit logging


• Deploying and Using Forseti 

PART II: Mitigating Vulnerabilities on Google Cloud Platform

Module 6: Securing Compute Engine: techniques and best practices

• Compute Engine service accounts, default and customer-defined


• IAM roles for VMs


• API scopes for VMs


• Managing SSH keys for Linux VMs


• Managing RDP logins for Windows VMs


• Organization policy controls: trusted images, public IP address, disabling serial port


• Encrypting VM images with customer-managed encryption keys and with customer-supplied encryption keys


• Finding and remediating public access to VMs


• VM best practices


• Encrypting VM disks with customer-supplied encryption keys 

Module 7: Securing cloud data: techniques and best practices

• Cloud Storage and IAM permissions


• Cloud Storage and ACLs


• Auditing cloud data, including finding and remediating publicly accessible data


• Signed Cloud Storage URLs


• Signed policy documents


• Encrypting Cloud Storage objects with customer-managed encryption keys and with customer-supplied encryption keys


• Best practices, including deleting archived versions of objects after key rotation


• BigQuery authorized views


• BigQuery IAM roles


• Best practices, including preferring IAM permissions over ACLs 

Module 8: Protecting against Distributed Denial of Service Attacks: techniques and best practices

• How DDoS attacks work


• Mitigations: GCLB, Cloud CDN, autoscaling, VPC ingress and egress firewalls, Cloud Armor


• Types of complementary partner products

Module 9: Application Security: techniques and best practices

• Types of application security vulnerabilities


• DoS protections in App Engine and Cloud Functions


• Cloud Security Scanner


• Threat: Identity and Oauth phishing


• Identity Aware Proxy

Module 10: Content-related vulnerabilities: techniques and best practices

• Threat: Ransomware


• Mitigations: Backups, IAM, Data Loss Prevention API


• Threats: Data misuse, privacy violations, sensitive/restricted/unacceptable content


• Mitigations: Classifying content using Cloud ML APIs; scanning and redacting data using Data Loss Prevention API 

** Notice: Cancellations will be charged an administrative fee through Eventbrite.