DESCRIPTION
Through lectures, demonstrations, and hands-on labs, participants
explore and deploy the components of a secure GCP solution.
Participants also learn mitigation techniques for attacks at many
points in a GCP-based infrastructure, including Distributed
Denial-of-Service attacks, phishing attacks, and threats involving
content classification and use.
DURATION
2 days, instructor-led
2 weeks, on-demand
OBJECTIVES:
This course teaches participants the following skills:
* Understanding the Google approach to security
* Managing administrative identities using Cloud Identity
* Implementing least privilege administrative access using Google
Cloud Resource Manager and Cloud IAM
* Implementing IP traffic controls using VPC firewalls and Cloud
Armor
* Implementing Identity Aware Proxy
* Analyzing changes to the configuration or metadata of resources
with GCP audit logs
* Scanning for and redacting sensitive data with the Data Loss
Prevention API
* Scanning a GCP deployment with Forseti
* Remediating important types of vulnerabilities, especially in
public access to data and VMs
DELIVERY METHOD
Online self-paced or instructor-led
AUDIENCE
This class is intended for the following job roles:
* Cloud information security analysts, architects, and engineers
* Information security/cybersecurity specialists
* Cloud infrastructure architects
* Developers of cloud applications
PREREQUISITES
To get the most out of this course, participants should have:
* Prior completion of Google Cloud Platform Fundamentals: Core
Infrastructure
[https://cloud.google.com/training/courses/core-fundamentals/] or
equivalent experience
* Prior completion of Networking in Google Cloud Platform
[https://cloud.google.com/training/courses/networking-gcp/] or
equivalent experience
* Knowledge of foundational concepts in information security:
  * Fundamental concepts:
    * vulnerability, threat, attack surface
    * confidentiality, integrity, availability
  * Common threat types and their mitigation strategies
  * Public-key cryptography
    * Public and private key pairs
    * Certificates
    * Cipher types
    * Key width
  * Certificate authorities
  * Transport Layer Security/Secure Sockets Layer encrypted
  communication
  * Public key infrastructures
  * Security policy
* Basic proficiency with command-line tools and Linux operating
system environments
* Systems Operations experience, including deploying and managing
applications, either on-premises or in a public cloud environment
* Reading comprehension of code in Python or JavaScript
COURSE OUTLINE
PART I: MANAGING SECURITY IN GOOGLE CLOUD PLATFORM
Module 1: Foundations of GCP Security
* Google Cloud's approach to security
* The shared security responsibility model
* Threats mitigated by Google and by GCP
* Access Transparency
Module 2: Cloud Identity
* Cloud Identity
* Syncing with Microsoft Active Directory
* Choosing between Google authentication and SAML-based SSO
* GCP best practices
Module 3: Identity and Access Management
* GCP Resource Manager: projects, folders, and organizations
* GCP IAM roles, including custom roles
* GCP IAM policies, including organization policies
* GCP IAM best practices
Module 4: Configuring Google Virtual Private Cloud for Isolation and
Security
* Configuring VPC firewalls (both ingress and egress rules)
* Load balancing and SSL policies
* Private Google API access
* SSL proxy use
* Best practices for structuring VPC networks
* Best security practices for VPNs
* Security considerations for interconnect and peering options
* Available security products from partners
Module 5: Monitoring, Logging, Auditing, and Scanning
* Stackdriver monitoring and logging
* VPC flow logs
* Cloud audit logging
* Deploying and Using Forseti
PART II: MITIGATING VULNERABILITIES ON GOOGLE CLOUD PLATFORM
Module 6: Securing Compute Engine: techniques and best practices
* Compute Engine service accounts, default and customer-defined
* IAM roles for VMs
* API scopes for VMs
* Managing SSH keys for Linux VMs
* Managing RDP logins for Windows VMs
* Organization policy controls: trusted images, public IP address,
disabling serial port
* Encrypting VM images with customer-managed encryption keys and
with customer-supplied encryption keys
* Finding and remediating public access to VMs
* VM best practices
* Encrypting VM disks with customer-supplied encryption keys
Module 7: Securing cloud data: techniques and best practices
* Cloud Storage and IAM permissions
* Cloud Storage and ACLs
* Auditing cloud data, including finding and remediating publicly
accessible data
* Signed Cloud Storage URLs
* Signed policy documents
* Encrypting Cloud Storage objects with customer-managed encryption
keys and with customer-supplied encryption keys
* Best practices, including deleting archived versions of objects
after key rotation
* BigQuery authorized views
* BigQuery IAM roles
* Best practices, including preferring IAM permissions over ACLs
Module 8: Protecting against Distributed Denial of Service Attacks:
techniques and best practices
* How DDoS attacks work
* Mitigations: GCLB, Cloud CDN, autoscaling, VPC ingress and egress
firewalls, Cloud Armor
* Types of complementary partner products
Module 9: Application Security: techniques and best practices
* Types of application security vulnerabilities
* DoS protections in App Engine and Cloud Functions
* Cloud Security Scanner
* Threat: Identity and OAuth phishing
* Identity Aware Proxy
Module 10: Content-related vulnerabilities: techniques and best
practices
* Threat: Ransomware
* Mitigations: Backups, IAM, Data Loss Prevention API
* Threats: Data misuse, privacy violations,
sensitive/restricted/unacceptable content
* Mitigations: Classifying content using Cloud ML APIs; scanning and
redacting data using Data Loss Prevention API
** Notice: Cancellations will be charged an administrative fee through
Eventbrite.
22/01/2020 Last update