{"course":{"productid":22865,"modality":1,"active":true,"language":"fr","title":"Security in Google Cloud","productcode":"SGCP-3D","vendorcode":"GO","vendorname":"Google","fullproductcode":"GO-SGCP-3D","courseware":{"has_ekit":false,"has_printkit":true,"language":""},"url":"https:\/\/portal.flane.ch\/course\/google-sgcp-3d","objective":"<p>This course teaches participants the following skills:\n<\/p>\n<ul>\n<li>Understanding the Google approach to security<\/li><li>Managing administrative identities using Cloud Identity.<\/li><li>Implementing least privilege administrative access using Google Cloud Resource Manager, Cloud IAM.<\/li><li>Implementing IP traffic controls using VPC firewalls and Cloud Armor<\/li><li>Implementing Identity Aware Proxy<\/li><li>Analyzing changes to the configuration or metadata of resources with GCP audit logs<\/li><li>Scanning for and redact sensitive data with the Data Loss Prevention API<\/li><li>Scanning a GCP deployment with Forseti<\/li><li>Remediating important types of vulnerabilities, especially in public access to data and VMs<\/li><\/ul>","essentials":"<p>To get the most out of this course, participants should have:\n<\/p>\n<ul>\n<li>Prior completion of <span class=\"cms-link-marked\"><a class=\"fl-href-prod\" href=\"\/swisscom\/fr\/course\/google-gcf-ci\"><svg role=\"img\" aria-hidden=\"true\" focusable=\"false\" data-nosnippet class=\"cms-linkmark\"><use xlink:href=\"\/css\/img\/icnset-linkmarks.svg#linkmark\"><\/use><\/svg>Google Cloud Fundamentals: Core Infrastructure <span class=\"fl-prod-pcode\">(GCF-CI)<\/span><\/a><\/span> or equivalent experience<\/li><li>Prior completion of <span class=\"cms-link-marked\"><a class=\"fl-href-prod\" href=\"\/swisscom\/fr\/course\/google-ngcp\"><svg role=\"img\" aria-hidden=\"true\" focusable=\"false\" data-nosnippet class=\"cms-linkmark\"><use xlink:href=\"\/css\/img\/icnset-linkmarks.svg#linkmark\"><\/use><\/svg>Networking in Google Cloud Platform <span class=\"fl-prod-pcode\">(NGCP)<\/span><\/a><\/span> or equivalent experience<\/li><li>Knowledge of foundational concepts in information security:\n<ul>\n<li>Fundamental concepts:\n<ul>\n<li>vulnerability, threat, attack surface<\/li><li>confidentiality, integrity, availability<\/li><\/ul><\/li><li>Common threat types and their mitigation strategies<\/li><li>Public-key cryptography\n<ul>\n<li>Public and private key pairs<\/li><li>Certificates<\/li><li>Cipher types<\/li><li>Key width<\/li><\/ul><\/li><li>Certificate authorities<\/li><li>Transport Layer Security\/Secure Sockets Layer encrypted communication<\/li><li>Public key infrastructures<\/li><li>Security policy<\/li><\/ul><\/li><li>Basic proficiency with command-line tools and Linux operating system environments<\/li><li>Systems Operations experience, including deploying and managing applications, either on-premises or in a public cloud environment<\/li><li>Reading comprehension of code in Python or JavaScript<\/li><\/ul>","audience":"<p>This class is intended for the following job roles:\n<\/p>\n<ul>\n<li>Cloud information security analysts, architects, and engineers<\/li><li>Information security\/cybersecurity specialists<\/li><li>Cloud infrastructure architects<\/li><li>Developers of cloud applications.<\/li><\/ul>","contents":"<p>PART I: MANAGING SECURITY IN GOOGLE CLOUD<\/p>\n<p>Module 1 Foundations of GCP Security\n<\/p>\n<ul>\n<li>Understand the GCP shared security responsibility model<\/li><li>Understand Google Cloud&rsquo;s approach to security<\/li><li>Understand the kinds of threats mitigated by Google and by GCP<\/li><li>Define and Understand Access Transparency and Access Approval (beta)<\/li><\/ul><p>Module 2 Cloud Identity\n<\/p>\n<ul>\n<li>Cloud Identity<\/li><li>Syncing with Microsoft Active Directory using Google Cloud Directory Sync<\/li><li>Using Managed Service for Microsoft Active Directory (beta )<\/li><li>Choosing between Google authentication and SAML-based SSO<\/li><li>Best practices, including DNS configuration, super admin accounts<\/li><li>Lab: Defining Users with Cloud Identity Console<\/li><\/ul><p>Module 3 Identity, Access, and Key Management\n<\/p>\n<ul>\n<li>GCP Resource Manager: projects, folders, and organizations<\/li><li>GCP IAM roles, including custom roles<\/li><li>GCP IAM policies, including organization policies<\/li><li>GCP IAM Labels<\/li><li>GCP IAM Recommender<\/li><li>GCP IAM Troubleshooter<\/li><li>GCP IAM Audit Logs<\/li><li>Best practices, including separation of duties and least privilege, the use of Google groups in policies, and avoiding the use of primitive roles<\/li><li>Labs: Configuring Cloud IAM, including custom roles and organization policies<\/li><\/ul><p>Module 4 Configuring Google Virtual Private Cloud for Isolation and Security\n<\/p>\n<ul>\n<li>Configuring VPC firewalls (both ingress and egress rules)<\/li><li>Load balancing and SSL policies<\/li><li>Private Google API access<\/li><li>SSL proxy use<\/li><li>Best practices for VPC networks, including peering and shared VPC use, correct use of subnetworks<\/li><li>Best security practices for VPNs<\/li><li>Security considerations for interconnect and peering options<\/li><li>Available security products from partners<\/li><li>Defining a service perimeter, including perimeter bridges<\/li><li>Setting up private connectivity to Google APIs and services<\/li><li>Lab: Configuring VPC firewalls<\/li><\/ul><p>\nPART II: SECURITY BEST PRACTICES ON GOOGLE CLOUD<\/p>\n<p>Module 5 Securing Compute Engine: techniques and best practices\n<\/p>\n<ul>\n<li>Compute Engine service accounts, default and customer-defined<\/li><li>IAM roles for VMs<\/li><li>API scopes for VMs<\/li><li>Managing SSH keys for Linux VMs<\/li><li>Managing RDP logins for Windows VMs<\/li><li>Organization policy controls: trusted images, public IP address, disabling serial port<\/li><li>Encrypting VM images with customer-managed encryption keys and with customer-supplied encryption keys<\/li><li>Finding and remediating public access to VMs<\/li><li>Best practices, including using hardened custom images, custom service accounts (not the default service account), tailored API scopes, and the use of application default credentials instead of user-managed keys<\/li><li>Lab: Configuring, using, and auditing VM service accounts and scopes<\/li><li>Encrypting VM disks with customer-supplied encryption keys<\/li><li>Lab: Encrypting disks with customer-supplied encryption keys<\/li><li>Using Shielded VMs to maintain the integrity of virtual machines<\/li><\/ul><p>Module 6 Securing cloud data: techniques and best practices\n<\/p>\n<ul>\n<li>Cloud Storage and IAM permissions<\/li><li>Cloud Storage and ACLs<\/li><li>Auditing cloud data, including finding and remediating publicly accessible data<\/li><li>Signed Cloud Storage URLs<\/li><li>Signed policy documents<\/li><li>Encrypting Cloud Storage objects with customer-managed encryption keys and with customer-supplied encryption keys<\/li><li>Best practices, including deleting archived versions of objects after key rotation<\/li><li>Lab: Using customer-supplied encryption keys with Cloud Storage<\/li><li>Lab: Using customer-managed encryption keys with Cloud Storage and Cloud KMS<\/li><li>BigQuery authorized views<\/li><li>BigQuery IAM roles<\/li><li>Best practices, including preferring IAM permissions over ACLs<\/li><li>Lab: Creating a BigQuery authorized view<\/li><\/ul><p>Module 7 Securing Applications: techniques and best practices\n<\/p>\n<ul>\n<li>Types of application security vulnerabilities<\/li><li>DoS protections in App Engine and Cloud Functions<\/li><li>Cloud Security Scanner<\/li><li>Lab: Using Cloud Security Scanner to find vulnerabilities in an App Engine application<\/li><li>Identity Aware Proxy<\/li><li>Lab: Configuring Identity Aware Proxy to protect a project<\/li><\/ul><p>Module 8 Securing Kubernetes: techniques and best practices\n<\/p>\n<ul>\n<li>Authorization<\/li><li>Securing Workloads<\/li><li>Securing Clusters<\/li><li>Logging and Monitoring<\/li><\/ul><p>PART III: MITIGATING VULNERABILITIES IN GOOGLE CLOUD<\/p>\n<p>Module 9 Protecting against Distributed Denial of Service Attacks\n<\/p>\n<ul>\n<li>How DDoS attacks work<\/li><li>Mitigations: GCLB, Cloud CDN, autoscaling, VPC ingress and egress firewalls, Cloud Armor (including its rules language)<\/li><li>Types of complementary partner products<\/li><li>Lab: Configuring GCLB, CDN, traffic blacklisting with Cloud Armor<\/li><\/ul><p>Module 10 Protecting against content-related vulnerabilities\n<\/p>\n<ul>\n<li>Threat: Ransomware<\/li><li>Mitigations: Backups, IAM, Data Loss Prevention API<\/li><li>Threats: Data misuse, privacy violations, sensitive\/restricted\/unacceptable content<\/li><li>Threat: Identity and Oauth phishing<\/li><li>Mitigations: Classifying content using Cloud ML APIs; scanning and redacting data using Data Loss Prevention API<\/li><li>Lab: Redacting Sensitive Data with Data Loss Prevention API<\/li><\/ul><p>Module 11 Monitoring, Logging, Auditing, and Scanning \n<\/p>\n<ul>\n<li>Security Command Center<\/li><li>Stackdriver monitoring and logging<\/li><li>Lab: Installing Stackdriver agents<\/li><li>Lab: Configuring and using Stackdriver monitoring and logging<\/li><li>VPC flow logs<\/li><li>Lab: Viewing and using VPC flow logs in Stackdriver<\/li><li>Cloud audit logging<\/li><li>Lab: Configuring and viewing audit logs in Stackdriver<\/li><li>Deploying and Using Forseti<\/li><li>Lab: Inventorying a Deployment with Forseti Inventory (demo)<\/li><li>Lab: Scanning a Deployment with Forseti Scanner (demo)<\/li><\/ul>","outline":"<p>PART I: MANAGING SECURITY IN GOOGLE CLOUD<\/p>\n<p>Module 1 Foundations of GCP Security\n<\/p>\n<ul>\n<li>Understand the GCP shared security responsibility model<\/li><li>Understand Google Cloud&rsquo;s approach to security<\/li><li>Understand the kinds of threats mitigated by Google and by GCP<\/li><li>Define and Understand Access Transparency and Access Approval (beta)<\/li><\/ul><p>Module 2 Cloud Identity\n<\/p>\n<ul>\n<li>Cloud Identity<\/li><li>Syncing with Microsoft Active Directory using Google Cloud Directory Sync<\/li><li>Using Managed Service for Microsoft Active Directory (beta )<\/li><li>Choosing between Google authentication and SAML-based SSO<\/li><li>Best practices, including DNS configuration, super admin accounts<\/li><li>Lab: Defining Users with Cloud Identity Console<\/li><\/ul><p>Module 3 Identity, Access, and Key Management\n<\/p>\n<ul>\n<li>GCP Resource Manager: projects, folders, and organizations<\/li><li>GCP IAM roles, including custom roles<\/li><li>GCP IAM policies, including organization policies<\/li><li>GCP IAM Labels<\/li><li>GCP IAM Recommender<\/li><li>GCP IAM Troubleshooter<\/li><li>GCP IAM Audit Logs<\/li><li>Best practices, including separation of duties and least privilege, the use of Google groups in policies, and avoiding the use of primitive roles<\/li><li>Labs: Configuring Cloud IAM, including custom roles and organization policies<\/li><\/ul><p>Module 4 Configuring Google Virtual Private Cloud for Isolation and Security\n<\/p>\n<ul>\n<li>Configuring VPC firewalls (both ingress and egress rules)<\/li><li>Load balancing and SSL policies<\/li><li>Private Google API access<\/li><li>SSL proxy use<\/li><li>Best practices for VPC networks, including peering and shared VPC use, correct use of subnetworks<\/li><li>Best security practices for VPNs<\/li><li>Security considerations for interconnect and peering options<\/li><li>Available security products from partners<\/li><li>Defining a service perimeter, including perimeter bridges<\/li><li>Setting up private connectivity to Google APIs and services<\/li><li>Lab: Configuring VPC firewalls<\/li><\/ul><p>\nPART II: SECURITY BEST PRACTICES ON GOOGLE CLOUD<\/p>\n<p>Module 5 Securing Compute Engine: techniques and best practices\n<\/p>\n<ul>\n<li>Compute Engine service accounts, default and customer-defined<\/li><li>IAM roles for VMs<\/li><li>API scopes for VMs<\/li><li>Managing SSH keys for Linux VMs<\/li><li>Managing RDP logins for Windows VMs<\/li><li>Organization policy controls: trusted images, public IP address, disabling serial port<\/li><li>Encrypting VM images with customer-managed encryption keys and with customer-supplied encryption keys<\/li><li>Finding and remediating public access to VMs<\/li><li>Best practices, including using hardened custom images, custom service accounts (not the default service account), tailored API scopes, and the use of application default credentials instead of user-managed keys<\/li><li>Lab: Configuring, using, and auditing VM service accounts and scopes<\/li><li>Encrypting VM disks with customer-supplied encryption keys<\/li><li>Lab: Encrypting disks with customer-supplied encryption keys<\/li><li>Using Shielded VMs to maintain the integrity of virtual machines<\/li><\/ul><p>Module 6 Securing cloud data: techniques and best practices\n<\/p>\n<ul>\n<li>Cloud Storage and IAM permissions<\/li><li>Cloud Storage and ACLs<\/li><li>Auditing cloud data, including finding and remediating publicly accessible data<\/li><li>Signed Cloud Storage URLs<\/li><li>Signed policy documents<\/li><li>Encrypting Cloud Storage objects with customer-managed encryption keys and with customer-supplied encryption keys<\/li><li>Best practices, including deleting archived versions of objects after key rotation<\/li><li>Lab: Using customer-supplied encryption keys with Cloud Storage<\/li><li>Lab: Using customer-managed encryption keys with Cloud Storage and Cloud KMS<\/li><li>BigQuery authorized views<\/li><li>BigQuery IAM roles<\/li><li>Best practices, including preferring IAM permissions over ACLs<\/li><li>Lab: Creating a BigQuery authorized view<\/li><\/ul><p>Module 7 Securing Applications: techniques and best practices\n<\/p>\n<ul>\n<li>Types of application security vulnerabilities<\/li><li>DoS protections in App Engine and Cloud Functions<\/li><li>Cloud Security Scanner<\/li><li>Lab: Using Cloud Security Scanner to find vulnerabilities in an App Engine application<\/li><li>Identity Aware Proxy<\/li><li>Lab: Configuring Identity Aware Proxy to protect a project<\/li><\/ul><p>Module 8 Securing Kubernetes: techniques and best practices\n<\/p>\n<ul>\n<li>Authorization<\/li><li>Securing Workloads<\/li><li>Securing Clusters<\/li><li>Logging and Monitoring<\/li><\/ul><p>PART III: MITIGATING VULNERABILITIES IN GOOGLE CLOUD<\/p>\n<p>Module 9 Protecting against Distributed Denial of Service Attacks\n<\/p>\n<ul>\n<li>How DDoS attacks work<\/li><li>Mitigations: GCLB, Cloud CDN, autoscaling, VPC ingress and egress firewalls, Cloud Armor (including its rules language)<\/li><li>Types of complementary partner products<\/li><li>Lab: Configuring GCLB, CDN, traffic blacklisting with Cloud Armor<\/li><\/ul><p>Module 10 Protecting against content-related vulnerabilities\n<\/p>\n<ul>\n<li>Threat: Ransomware<\/li><li>Mitigations: Backups, IAM, Data Loss Prevention API<\/li><li>Threats: Data misuse, privacy violations, sensitive\/restricted\/unacceptable content<\/li><li>Threat: Identity and Oauth phishing<\/li><li>Mitigations: Classifying content using Cloud ML APIs; scanning and redacting data using Data Loss Prevention API<\/li><li>Lab: Redacting Sensitive Data with Data Loss Prevention API<\/li><\/ul><p>Module 11 Monitoring, Logging, Auditing, and Scanning \n<\/p>\n<ul>\n<li>Security Command Center<\/li><li>Stackdriver monitoring and logging<\/li><li>Lab: Installing Stackdriver agents<\/li><li>Lab: Configuring and using Stackdriver monitoring and logging<\/li><li>VPC flow logs<\/li><li>Lab: Viewing and using VPC flow logs in Stackdriver<\/li><li>Cloud audit logging<\/li><li>Lab: Configuring and viewing audit logs in Stackdriver<\/li><li>Deploying and Using Forseti<\/li><li>Lab: Inventorying a Deployment with Forseti Inventory (demo)<\/li><li>Lab: Scanning a Deployment with Forseti Scanner (demo)<\/li><\/ul>","summary":"<p>This course gives participants broad study of security controls and techniques on Google Cloud Platform. Through lectures, demonstrations, and hands-on labs, participants explore and deploy the components of a secure GCP solution. Participants also learn mitigation techniques for attacks at many points in a GCP-based infrastructure, including Distributed Denial-of-Service attacks, phishing attacks, and threats involving content classification and use.<\/p>","objective_plain":"This course teaches participants the following skills:\n\n\n\n- Understanding the Google approach to security\n- Managing administrative identities using Cloud Identity.\n- Implementing least privilege administrative access using Google Cloud Resource Manager, Cloud IAM.\n- Implementing IP traffic controls using VPC firewalls and Cloud Armor\n- Implementing Identity Aware Proxy\n- Analyzing changes to the configuration or metadata of resources with GCP audit logs\n- Scanning for and redact sensitive data with the Data Loss Prevention API\n- Scanning a GCP deployment with Forseti\n- Remediating important types of vulnerabilities, especially in public access to data and VMs","essentials_plain":"To get the most out of this course, participants should have:\n\n\n\n- Prior completion of Google Cloud Fundamentals: Core Infrastructure (GCF-CI) or equivalent experience\n- Prior completion of Networking in Google Cloud Platform (NGCP) or equivalent experience\n- Knowledge of foundational concepts in information security:\n\n- Fundamental concepts:\n\n- vulnerability, threat, attack surface\n- confidentiality, integrity, availability\n- Common threat types and their mitigation strategies\n- Public-key cryptography\n\n- Public and private key pairs\n- Certificates\n- Cipher types\n- Key width\n- Certificate authorities\n- Transport Layer Security\/Secure Sockets Layer encrypted communication\n- Public key infrastructures\n- Security policy\n- Basic proficiency with command-line tools and Linux operating system environments\n- Systems Operations experience, including deploying and managing applications, either on-premises or in a public cloud environment\n- Reading comprehension of code in Python or JavaScript","audience_plain":"This class is intended for the following job roles:\n\n\n\n- Cloud information security analysts, architects, and engineers\n- Information security\/cybersecurity specialists\n- Cloud infrastructure architects\n- Developers of cloud applications.","contents_plain":"PART I: MANAGING SECURITY IN GOOGLE CLOUD\n\nModule 1 Foundations of GCP Security\n\n\n\n- Understand the GCP shared security responsibility model\n- Understand Google Cloud\u2019s approach to security\n- Understand the kinds of threats mitigated by Google and by GCP\n- Define and Understand Access Transparency and Access Approval (beta)\nModule 2 Cloud Identity\n\n\n\n- Cloud Identity\n- Syncing with Microsoft Active Directory using Google Cloud Directory Sync\n- Using Managed Service for Microsoft Active Directory (beta )\n- Choosing between Google authentication and SAML-based SSO\n- Best practices, including DNS configuration, super admin accounts\n- Lab: Defining Users with Cloud Identity Console\nModule 3 Identity, Access, and Key Management\n\n\n\n- GCP Resource Manager: projects, folders, and organizations\n- GCP IAM roles, including custom roles\n- GCP IAM policies, including organization policies\n- GCP IAM Labels\n- GCP IAM Recommender\n- GCP IAM Troubleshooter\n- GCP IAM Audit Logs\n- Best practices, including separation of duties and least privilege, the use of Google groups in policies, and avoiding the use of primitive roles\n- Labs: Configuring Cloud IAM, including custom roles and organization policies\nModule 4 Configuring Google Virtual Private Cloud for Isolation and Security\n\n\n\n- Configuring VPC firewalls (both ingress and egress rules)\n- Load balancing and SSL policies\n- Private Google API access\n- SSL proxy use\n- Best practices for VPC networks, including peering and shared VPC use, correct use of subnetworks\n- Best security practices for VPNs\n- Security considerations for interconnect and peering options\n- Available security products from partners\n- Defining a service perimeter, including perimeter bridges\n- Setting up private connectivity to Google APIs and services\n- Lab: Configuring VPC firewalls\n\nPART II: SECURITY BEST PRACTICES ON GOOGLE CLOUD\n\nModule 5 Securing Compute Engine: techniques and best practices\n\n\n\n- Compute Engine service accounts, default and customer-defined\n- IAM roles for VMs\n- API scopes for VMs\n- Managing SSH keys for Linux VMs\n- Managing RDP logins for Windows VMs\n- Organization policy controls: trusted images, public IP address, disabling serial port\n- Encrypting VM images with customer-managed encryption keys and with customer-supplied encryption keys\n- Finding and remediating public access to VMs\n- Best practices, including using hardened custom images, custom service accounts (not the default service account), tailored API scopes, and the use of application default credentials instead of user-managed keys\n- Lab: Configuring, using, and auditing VM service accounts and scopes\n- Encrypting VM disks with customer-supplied encryption keys\n- Lab: Encrypting disks with customer-supplied encryption keys\n- Using Shielded VMs to maintain the integrity of virtual machines\nModule 6 Securing cloud data: techniques and best practices\n\n\n\n- Cloud Storage and IAM permissions\n- Cloud Storage and ACLs\n- Auditing cloud data, including finding and remediating publicly accessible data\n- Signed Cloud Storage URLs\n- Signed policy documents\n- Encrypting Cloud Storage objects with customer-managed encryption keys and with customer-supplied encryption keys\n- Best practices, including deleting archived versions of objects after key rotation\n- Lab: Using customer-supplied encryption keys with Cloud Storage\n- Lab: Using customer-managed encryption keys with Cloud Storage and Cloud KMS\n- BigQuery authorized views\n- BigQuery IAM roles\n- Best practices, including preferring IAM permissions over ACLs\n- Lab: Creating a BigQuery authorized view\nModule 7 Securing Applications: techniques and best practices\n\n\n\n- Types of application security vulnerabilities\n- DoS protections in App Engine and Cloud Functions\n- Cloud Security Scanner\n- Lab: Using Cloud Security Scanner to find vulnerabilities in an App Engine application\n- Identity Aware Proxy\n- Lab: Configuring Identity Aware Proxy to protect a project\nModule 8 Securing Kubernetes: techniques and best practices\n\n\n\n- Authorization\n- Securing Workloads\n- Securing Clusters\n- Logging and Monitoring\nPART III: MITIGATING VULNERABILITIES IN GOOGLE CLOUD\n\nModule 9 Protecting against Distributed Denial of Service Attacks\n\n\n\n- How DDoS attacks work\n- Mitigations: GCLB, Cloud CDN, autoscaling, VPC ingress and egress firewalls, Cloud Armor (including its rules language)\n- Types of complementary partner products\n- Lab: Configuring GCLB, CDN, traffic blacklisting with Cloud Armor\nModule 10 Protecting against content-related vulnerabilities\n\n\n\n- Threat: Ransomware\n- Mitigations: Backups, IAM, Data Loss Prevention API\n- Threats: Data misuse, privacy violations, sensitive\/restricted\/unacceptable content\n- Threat: Identity and Oauth phishing\n- Mitigations: Classifying content using Cloud ML APIs; scanning and redacting data using Data Loss Prevention API\n- Lab: Redacting Sensitive Data with Data Loss Prevention API\nModule 11 Monitoring, Logging, Auditing, and Scanning \n\n\n\n- Security Command Center\n- Stackdriver monitoring and logging\n- Lab: Installing Stackdriver agents\n- Lab: Configuring and using Stackdriver monitoring and logging\n- VPC flow logs\n- Lab: Viewing and using VPC flow logs in Stackdriver\n- Cloud audit logging\n- Lab: Configuring and viewing audit logs in Stackdriver\n- Deploying and Using Forseti\n- Lab: Inventorying a Deployment with Forseti Inventory (demo)\n- Lab: Scanning a Deployment with Forseti Scanner (demo)","outline_plain":"PART I: MANAGING SECURITY IN GOOGLE CLOUD\n\nModule 1 Foundations of GCP Security\n\n\n\n- Understand the GCP shared security responsibility model\n- Understand Google Cloud\u2019s approach to security\n- Understand the kinds of threats mitigated by Google and by GCP\n- Define and Understand Access Transparency and Access Approval (beta)\nModule 2 Cloud Identity\n\n\n\n- Cloud Identity\n- Syncing with Microsoft Active Directory using Google Cloud Directory Sync\n- Using Managed Service for Microsoft Active Directory (beta )\n- Choosing between Google authentication and SAML-based SSO\n- Best practices, including DNS configuration, super admin accounts\n- Lab: Defining Users with Cloud Identity Console\nModule 3 Identity, Access, and Key Management\n\n\n\n- GCP Resource Manager: projects, folders, and organizations\n- GCP IAM roles, including custom roles\n- GCP IAM policies, including organization policies\n- GCP IAM Labels\n- GCP IAM Recommender\n- GCP IAM Troubleshooter\n- GCP IAM Audit Logs\n- Best practices, including separation of duties and least privilege, the use of Google groups in policies, and avoiding the use of primitive roles\n- Labs: Configuring Cloud IAM, including custom roles and organization policies\nModule 4 Configuring Google Virtual Private Cloud for Isolation and Security\n\n\n\n- Configuring VPC firewalls (both ingress and egress rules)\n- Load balancing and SSL policies\n- Private Google API access\n- SSL proxy use\n- Best practices for VPC networks, including peering and shared VPC use, correct use of subnetworks\n- Best security practices for VPNs\n- Security considerations for interconnect and peering options\n- Available security products from partners\n- Defining a service perimeter, including perimeter bridges\n- Setting up private connectivity to Google APIs and services\n- Lab: Configuring VPC firewalls\n\nPART II: SECURITY BEST PRACTICES ON GOOGLE CLOUD\n\nModule 5 Securing Compute Engine: techniques and best practices\n\n\n\n- Compute Engine service accounts, default and customer-defined\n- IAM roles for VMs\n- API scopes for VMs\n- Managing SSH keys for Linux VMs\n- Managing RDP logins for Windows VMs\n- Organization policy controls: trusted images, public IP address, disabling serial port\n- Encrypting VM images with customer-managed encryption keys and with customer-supplied encryption keys\n- Finding and remediating public access to VMs\n- Best practices, including using hardened custom images, custom service accounts (not the default service account), tailored API scopes, and the use of application default credentials instead of user-managed keys\n- Lab: Configuring, using, and auditing VM service accounts and scopes\n- Encrypting VM disks with customer-supplied encryption keys\n- Lab: Encrypting disks with customer-supplied encryption keys\n- Using Shielded VMs to maintain the integrity of virtual machines\nModule 6 Securing cloud data: techniques and best practices\n\n\n\n- Cloud Storage and IAM permissions\n- Cloud Storage and ACLs\n- Auditing cloud data, including finding and remediating publicly accessible data\n- Signed Cloud Storage URLs\n- Signed policy documents\n- Encrypting Cloud Storage objects with customer-managed encryption keys and with customer-supplied encryption keys\n- Best practices, including deleting archived versions of objects after key rotation\n- Lab: Using customer-supplied encryption keys with Cloud Storage\n- Lab: Using customer-managed encryption keys with Cloud Storage and Cloud KMS\n- BigQuery authorized views\n- BigQuery IAM roles\n- Best practices, including preferring IAM permissions over ACLs\n- Lab: Creating a BigQuery authorized view\nModule 7 Securing Applications: techniques and best practices\n\n\n\n- Types of application security vulnerabilities\n- DoS protections in App Engine and Cloud Functions\n- Cloud Security Scanner\n- Lab: Using Cloud Security Scanner to find vulnerabilities in an App Engine application\n- Identity Aware Proxy\n- Lab: Configuring Identity Aware Proxy to protect a project\nModule 8 Securing Kubernetes: techniques and best practices\n\n\n\n- Authorization\n- Securing Workloads\n- Securing Clusters\n- Logging and Monitoring\nPART III: MITIGATING VULNERABILITIES IN GOOGLE CLOUD\n\nModule 9 Protecting against Distributed Denial of Service Attacks\n\n\n\n- How DDoS attacks work\n- Mitigations: GCLB, Cloud CDN, autoscaling, VPC ingress and egress firewalls, Cloud Armor (including its rules language)\n- Types of complementary partner products\n- Lab: Configuring GCLB, CDN, traffic blacklisting with Cloud Armor\nModule 10 Protecting against content-related vulnerabilities\n\n\n\n- Threat: Ransomware\n- Mitigations: Backups, IAM, Data Loss Prevention API\n- Threats: Data misuse, privacy violations, sensitive\/restricted\/unacceptable content\n- Threat: Identity and Oauth phishing\n- Mitigations: Classifying content using Cloud ML APIs; scanning and redacting data using Data Loss Prevention API\n- Lab: Redacting Sensitive Data with Data Loss Prevention API\nModule 11 Monitoring, Logging, Auditing, and Scanning \n\n\n\n- Security Command Center\n- Stackdriver monitoring and logging\n- Lab: Installing Stackdriver agents\n- Lab: Configuring and using Stackdriver monitoring and logging\n- VPC flow logs\n- Lab: Viewing and using VPC flow logs in Stackdriver\n- Cloud audit logging\n- Lab: Configuring and viewing audit logs in Stackdriver\n- Deploying and Using Forseti\n- Lab: Inventorying a Deployment with Forseti Inventory (demo)\n- Lab: Scanning a Deployment with Forseti Scanner (demo)","summary_plain":"This course gives participants broad study of security controls and techniques on Google Cloud Platform. Through lectures, demonstrations, and hands-on labs, participants explore and deploy the components of a secure GCP solution. Participants also learn mitigation techniques for attacks at many points in a GCP-based infrastructure, including Distributed Denial-of-Service attacks, phishing attacks, and threats involving content classification and use.","skill_level":"Intermediate","version":"3.0.5","duration":{"unit":"d","value":3,"formatted":"3 jours"},"pricelist":{"List Price":{"US":{"country":"US","currency":"USD","taxrate":null,"price":1995},"IT":{"country":"IT","currency":"EUR","taxrate":20,"price":1950},"DE":{"country":"DE","currency":"EUR","taxrate":19,"price":1950},"CH":{"country":"CH","currency":"CHF","taxrate":8.1,"price":2490},"SG":{"country":"SG","currency":"USD","taxrate":8,"price":1995},"GB":{"country":"GB","currency":"GBP","taxrate":20,"price":1980},"IL":{"country":"IL","currency":"ILS","taxrate":17,"price":6770},"BE":{"country":"BE","currency":"EUR","taxrate":21,"price":2095},"NL":{"country":"NL","currency":"EUR","taxrate":21,"price":2095},"PL":{"country":"PL","currency":"PLN","taxrate":23,"price":5200},"SI":{"country":"SI","currency":"EUR","taxrate":20,"price":1950},"CA":{"country":"CA","currency":"CAD","taxrate":null,"price":2755},"FR":{"country":"FR","currency":"EUR","taxrate":19.6,"price":2450}}},"lastchanged":"2025-09-30T15:08:40+02:00","parenturl":"https:\/\/portal.flane.ch\/swisscom\/fr\/json-courses","nexturl_course_schedule":"https:\/\/portal.flane.ch\/swisscom\/fr\/json-course-schedule\/22865","source_lang":"fr","source":"https:\/\/portal.flane.ch\/swisscom\/fr\/json-course\/google-sgcp-3d"}}