Security in Google Cloud Platform

$1,995.00 USD

3 Days


Delivery Methods
Virtual Instructor Led
Private Group

Course Overview

This course gives participants broad study of security controls and techniques on Google Cloud Platform. Through lectures, demonstrations, and hands-on labs, participants explore and deploy the components of a secure GCP solution. Participants also learn mitigation techniques for attacks at many points in a GCP-based infrastructure, including Distributed Denial-of-Service attacks, phishing attacks, and threats involving content classification and use.

Course Objectives

  • Understanding the Google approach to security
  • Managing administrative identities using Cloud Identity.
  • Implementing least privilege administrative access using Google Cloud Resource Manager, Cloud IAM.
  • Implementing IP traffic controls using VPC firewalls and Cloud Armor Implementing Identity Aware Proxy
  • Analyzing changes to the configuration or metadata of resources with GCP audit logs
  • Scanning for and redact sensitive data with the Data Loss Prevention API
  • Scanning a GCP deployment with Forseti
  • Remediating important types of vulnerabilities, especially in public access to data and VMs
  • Who Should Attend?

  • Cloud information security analysts, architects, and engineers
  • Information security/cybersecurity specialists
  • Cloud infrastructure architects
  • Developers of cloud applications.
    • Top-rated instructors: Our crew of subject matter experts have an average instructor rating of 4.8 out of 5 across thousands of reviews.
    • Authorized content: We maintain more than 35 Authorized Training Partnerships with the top players in tech, ensuring your course materials contain the most relevant and up-to date information.
    • Interactive classroom participation: Our virtual training includes live lectures, demonstrations and virtual labs that allow you to participate in discussions with your instructor and fellow classmates to get real-time feedback.
    • Post Class Resources: Review your class content, catch up on any material you may have missed or perfect your new skills with access to resources after your course is complete.
    • Private Group Training: Let our world-class instructors deliver exclusive training courses just for your employees. Our private group training is designed to promote your team’s shared growth and skill development.
    • Tailored Training Solutions: Our subject matter experts can customize the class to specifically address the unique goals of your team.

    Course Prerequisites

  • Prior completion of Google Cloud Fundamentals: Core Infrastructure (GCF-CI) or equivalent experience
  • Prior completion of Networking in Google Cloud Platform (NGCP) or equivalent experience
  • Knowledge of foundational concepts in information security
  • Basic proficiency with command-line tools and Linux operating system environments
  • Systems Operations experience, including deploying and managing applications, either on-premises or in a public cloud environment
  • Reading comprehension of code in Python or JavaScript
  • Agenda

    1 - Foundations of GCP Security

    • Understand the GCP shared security responsibility model
    • Understand Google Cloud’s approach to security
    • Understand the kinds of threats mitigated by Google and by GCP
    • Define and Understand Access Transparency and Access Approval (beta)

    2 - Cloud Identity

    • Cloud Identity
    • Syncing with Microsoft Active Directory using Google Cloud Directory Sync
    • Using Managed Service for Microsoft Active Directory (beta )
    • Choosing between Google authentication and SAML-based SSO
    • Best practices, including DNS configuration, super admin accounts
    • Lab: Defining Users with Cloud Identity Console

    3 - Identity, Access, and Key Management

    • GCP Resource Manager: projects, folders, and organizations
    • GCP IAM roles, including custom roles
    • GCP IAM policies, including organization policies
    • GCP IAM Labels
    • GCP IAM Recommender
    • GCP IAM Troubleshooter
    • GCP IAM Audit Logs
    • Best practices, including separation of duties and least privilege, the use of Google groups in policies, and avoiding the use of primitive roles
    • Labs: Configuring Cloud IAM, including custom roles and organization policies

    4 - Configuring Google Virtual Private Cloud for Isolation and Security

    • Configuring VPC firewalls (both ingress and egress rules)
    • Load balancing and SSL policies
    • Private Google API access
    • SSL proxy use
    • Best practices for VPC networks, including peering and shared VPC use, correct use of subnetworks
    • Best security practices for VPNs
    • Security considerations for interconnect and peering options
    • Available security products from partners
    • Defining a service perimeter, including perimeter bridges
    • Setting up private connectivity to Google APIs and services
    • Lab: Configuring VPC firewalls

    5 - Securing Compute Engine: techniques and best practices

    • Compute Engine service accounts, default and customer-defined
    • IAM roles for VMs
    • API scopes for VMs
    • Managing SSH keys for Linux VMs
    • Managing RDP logins for Windows VMs
    • Organization policy controls: trusted images, public IP address, disabling serial port
    • Encrypting VM images with customer-managed encryption keys and with customer-supplied encryption keys
    • Finding and remediating public access to VMs
    • Best practices, including using hardened custom images, custom service accounts (not the default service account), tailored API scopes, and the use of application default credentials instead of user-managed keys
    • Lab: Configuring, using, and auditing VM service accounts and scopes
    • Encrypting VM disks with customer-supplied encryption keys
    • Lab: Encrypting disks with customer-supplied encryption keys
    • Using Shielded VMs to maintain the integrity of virtual machines

    6 - Securing cloud data: techniques and best practices

    • Cloud Storage and IAM permissions
    • Cloud Storage and ACLs
    • Auditing cloud data, including finding and remediating publicly accessible data
    • Signed Cloud Storage URLs
    • Signed policy documents
    • Encrypting Cloud Storage objects with customer-managed encryption keys and with customer-supplied encryption keys
    • Best practices, including deleting archived versions of objects after key rotation
    • Lab: Using customer-supplied encryption keys with Cloud Storage
    • Lab: Using customer-managed encryption keys with Cloud Storage and Cloud KMS
    • BigQuery authorized views
    • BigQuery IAM roles
    • Best practices, including preferring IAM permissions over ACLs
    • Lab: Creating a BigQuery authorized view

    7 - Securing Applications: techniques and best practices

    • Types of application security vulnerabilities
    • DoS protections in App Engine and Cloud Functions
    • Cloud Security Scanner
    • Lab: Using Cloud Security Scanner to find vulnerabilities in an App Engine application
    • Identity Aware Proxy
    • Lab: Configuring Identity Aware Proxy to protect a project

    8 - Securing Kubernetes: techniques and best practices

    • Authorization
    • Securing Workloads
    • Securing Clusters
    • Logging and Monitoring

    9 - Protecting against Distributed Denial of Service Attacks

    • How DDoS attacks work
    • Mitigations: GCLB, Cloud CDN, autoscaling, VPC ingress and egress firewalls, Cloud Armor (including its rules language)
    • Types of complementary partner products
    • Lab: Configuring GCLB, CDN, traffic blacklisting with Cloud Armor

    10 - Protecting against content-related vulnerabilities

    • Threat: Ransomware
    • Mitigations: Backups, IAM, Data Loss Prevention API
    • Threats: Data misuse, privacy violations, sensitive/restricted/unacceptable content
    • Threat: Identity and Oauth phishing
    • Mitigations: Classifying content using Cloud ML APIs; scanning and redacting data using Data Loss Prevention API
    • Lab: Redacting Sensitive Data with Data Loss Prevention API

    11 - Monitoring, Logging, Auditing, and Scanning

    • Security Command Center
    • Stackdriver monitoring and logging
    • Lab: Installing Stackdriver agents
    • Lab: Configuring and using Stackdriver monitoring and logging
    • VPC flow logs
    • Lab: Viewing and using VPC flow logs in Stackdriver
    • Cloud audit logging
    • Lab: Configuring and viewing audit logs in Stackdriver
    • Deploying and Using Forseti
    • Lab: Inventorying a Deployment with Forseti Inventory (demo)
    • Lab: Scanning a Deployment with Forseti Scanner (demo)

    Upcoming Class Dates and Times

    Aug 28, 29, 30
    8:00 AM - 5:00 PM
    ENROLL $1,995.00 USD

    Do You Have Additional Questions? Please Contact Us Below.

    contact us contact us 
    Contact Us about Starting Your Business Training Strategy with New Horizons