Security in Google CloudSGCP-3DGOGoogleGO-SGCP-3D3.0.5<p>This course teaches participants the following skills:
</p>
<ul>
<li>Understanding the Google approach to security</li><li>Managing administrative identities using Cloud Identity.</li><li>Implementing least privilege administrative access using Google Cloud Resource Manager, Cloud IAM.</li><li>Implementing IP traffic controls using VPC firewalls and Cloud Armor</li><li>Implementing Identity Aware Proxy</li><li>Analyzing changes to the configuration or metadata of resources with GCP audit logs</li><li>Scanning for and redact sensitive data with the Data Loss Prevention API</li><li>Scanning a GCP deployment with Forseti</li><li>Remediating important types of vulnerabilities, especially in public access to data and VMs</li></ul><p>To get the most out of this course, participants should have:
</p>
<ul>
<li>Prior completion of <span class="cms-link-marked"><a class="fl-href-prod" href="/swisscom/fr/course/google-gcf-ci"><svg role="img" aria-hidden="true" focusable="false" data-nosnippet class="cms-linkmark"><use xlink:href="/css/img/icnset-linkmarks.svg#linkmark"></use></svg>Google Cloud Fundamentals: Core Infrastructure <span class="fl-prod-pcode">(GCF-CI)</span></a></span> or equivalent experience</li><li>Prior completion of <span class="cms-link-marked"><a class="fl-href-prod" href="/swisscom/fr/course/google-ngcp"><svg role="img" aria-hidden="true" focusable="false" data-nosnippet class="cms-linkmark"><use xlink:href="/css/img/icnset-linkmarks.svg#linkmark"></use></svg>Networking in Google Cloud Platform <span class="fl-prod-pcode">(NGCP)</span></a></span> or equivalent experience</li><li>Knowledge of foundational concepts in information security:
<ul>
<li>Fundamental concepts:
<ul>
<li>vulnerability, threat, attack surface</li><li>confidentiality, integrity, availability</li></ul></li><li>Common threat types and their mitigation strategies</li><li>Public-key cryptography
<ul>
<li>Public and private key pairs</li><li>Certificates</li><li>Cipher types</li><li>Key width</li></ul></li><li>Certificate authorities</li><li>Transport Layer Security/Secure Sockets Layer encrypted communication</li><li>Public key infrastructures</li><li>Security policy</li></ul></li><li>Basic proficiency with command-line tools and Linux operating system environments</li><li>Systems Operations experience, including deploying and managing applications, either on-premises or in a public cloud environment</li><li>Reading comprehension of code in Python or JavaScript</li></ul><p>This class is intended for the following job roles:
</p>
<ul>
<li>Cloud information security analysts, architects, and engineers</li><li>Information security/cybersecurity specialists</li><li>Cloud infrastructure architects</li><li>Developers of cloud applications.</li></ul><p>PART I: MANAGING SECURITY IN GOOGLE CLOUD</p>
<p>Module 1 Foundations of GCP Security
</p>
<ul>
<li>Understand the GCP shared security responsibility model</li><li>Understand Google Cloud’s approach to security</li><li>Understand the kinds of threats mitigated by Google and by GCP</li><li>Define and Understand Access Transparency and Access Approval (beta)</li></ul><p>Module 2 Cloud Identity
</p>
<ul>
<li>Cloud Identity</li><li>Syncing with Microsoft Active Directory using Google Cloud Directory Sync</li><li>Using Managed Service for Microsoft Active Directory (beta )</li><li>Choosing between Google authentication and SAML-based SSO</li><li>Best practices, including DNS configuration, super admin accounts</li><li>Lab: Defining Users with Cloud Identity Console</li></ul><p>Module 3 Identity, Access, and Key Management
</p>
<ul>
<li>GCP Resource Manager: projects, folders, and organizations</li><li>GCP IAM roles, including custom roles</li><li>GCP IAM policies, including organization policies</li><li>GCP IAM Labels</li><li>GCP IAM Recommender</li><li>GCP IAM Troubleshooter</li><li>GCP IAM Audit Logs</li><li>Best practices, including separation of duties and least privilege, the use of Google groups in policies, and avoiding the use of primitive roles</li><li>Labs: Configuring Cloud IAM, including custom roles and organization policies</li></ul><p>Module 4 Configuring Google Virtual Private Cloud for Isolation and Security
</p>
<ul>
<li>Configuring VPC firewalls (both ingress and egress rules)</li><li>Load balancing and SSL policies</li><li>Private Google API access</li><li>SSL proxy use</li><li>Best practices for VPC networks, including peering and shared VPC use, correct use of subnetworks</li><li>Best security practices for VPNs</li><li>Security considerations for interconnect and peering options</li><li>Available security products from partners</li><li>Defining a service perimeter, including perimeter bridges</li><li>Setting up private connectivity to Google APIs and services</li><li>Lab: Configuring VPC firewalls</li></ul><p>
PART II: SECURITY BEST PRACTICES ON GOOGLE CLOUD</p>
<p>Module 5 Securing Compute Engine: techniques and best practices
</p>
<ul>
<li>Compute Engine service accounts, default and customer-defined</li><li>IAM roles for VMs</li><li>API scopes for VMs</li><li>Managing SSH keys for Linux VMs</li><li>Managing RDP logins for Windows VMs</li><li>Organization policy controls: trusted images, public IP address, disabling serial port</li><li>Encrypting VM images with customer-managed encryption keys and with customer-supplied encryption keys</li><li>Finding and remediating public access to VMs</li><li>Best practices, including using hardened custom images, custom service accounts (not the default service account), tailored API scopes, and the use of application default credentials instead of user-managed keys</li><li>Lab: Configuring, using, and auditing VM service accounts and scopes</li><li>Encrypting VM disks with customer-supplied encryption keys</li><li>Lab: Encrypting disks with customer-supplied encryption keys</li><li>Using Shielded VMs to maintain the integrity of virtual machines</li></ul><p>Module 6 Securing cloud data: techniques and best practices
</p>
<ul>
<li>Cloud Storage and IAM permissions</li><li>Cloud Storage and ACLs</li><li>Auditing cloud data, including finding and remediating publicly accessible data</li><li>Signed Cloud Storage URLs</li><li>Signed policy documents</li><li>Encrypting Cloud Storage objects with customer-managed encryption keys and with customer-supplied encryption keys</li><li>Best practices, including deleting archived versions of objects after key rotation</li><li>Lab: Using customer-supplied encryption keys with Cloud Storage</li><li>Lab: Using customer-managed encryption keys with Cloud Storage and Cloud KMS</li><li>BigQuery authorized views</li><li>BigQuery IAM roles</li><li>Best practices, including preferring IAM permissions over ACLs</li><li>Lab: Creating a BigQuery authorized view</li></ul><p>Module 7 Securing Applications: techniques and best practices
</p>
<ul>
<li>Types of application security vulnerabilities</li><li>DoS protections in App Engine and Cloud Functions</li><li>Cloud Security Scanner</li><li>Lab: Using Cloud Security Scanner to find vulnerabilities in an App Engine application</li><li>Identity Aware Proxy</li><li>Lab: Configuring Identity Aware Proxy to protect a project</li></ul><p>Module 8 Securing Kubernetes: techniques and best practices
</p>
<ul>
<li>Authorization</li><li>Securing Workloads</li><li>Securing Clusters</li><li>Logging and Monitoring</li></ul><p>PART III: MITIGATING VULNERABILITIES IN GOOGLE CLOUD</p>
<p>Module 9 Protecting against Distributed Denial of Service Attacks
</p>
<ul>
<li>How DDoS attacks work</li><li>Mitigations: GCLB, Cloud CDN, autoscaling, VPC ingress and egress firewalls, Cloud Armor (including its rules language)</li><li>Types of complementary partner products</li><li>Lab: Configuring GCLB, CDN, traffic blacklisting with Cloud Armor</li></ul><p>Module 10 Protecting against content-related vulnerabilities
</p>
<ul>
<li>Threat: Ransomware</li><li>Mitigations: Backups, IAM, Data Loss Prevention API</li><li>Threats: Data misuse, privacy violations, sensitive/restricted/unacceptable content</li><li>Threat: Identity and Oauth phishing</li><li>Mitigations: Classifying content using Cloud ML APIs; scanning and redacting data using Data Loss Prevention API</li><li>Lab: Redacting Sensitive Data with Data Loss Prevention API</li></ul><p>Module 11 Monitoring, Logging, Auditing, and Scanning
</p>
<ul>
<li>Security Command Center</li><li>Stackdriver monitoring and logging</li><li>Lab: Installing Stackdriver agents</li><li>Lab: Configuring and using Stackdriver monitoring and logging</li><li>VPC flow logs</li><li>Lab: Viewing and using VPC flow logs in Stackdriver</li><li>Cloud audit logging</li><li>Lab: Configuring and viewing audit logs in Stackdriver</li><li>Deploying and Using Forseti</li><li>Lab: Inventorying a Deployment with Forseti Inventory (demo)</li><li>Lab: Scanning a Deployment with Forseti Scanner (demo)</li></ul><p>PART I: MANAGING SECURITY IN GOOGLE CLOUD</p>
<p>Module 1 Foundations of GCP Security
</p>
<ul>
<li>Understand the GCP shared security responsibility model</li><li>Understand Google Cloud’s approach to security</li><li>Understand the kinds of threats mitigated by Google and by GCP</li><li>Define and Understand Access Transparency and Access Approval (beta)</li></ul><p>Module 2 Cloud Identity
</p>
<ul>
<li>Cloud Identity</li><li>Syncing with Microsoft Active Directory using Google Cloud Directory Sync</li><li>Using Managed Service for Microsoft Active Directory (beta )</li><li>Choosing between Google authentication and SAML-based SSO</li><li>Best practices, including DNS configuration, super admin accounts</li><li>Lab: Defining Users with Cloud Identity Console</li></ul><p>Module 3 Identity, Access, and Key Management
</p>
<ul>
<li>GCP Resource Manager: projects, folders, and organizations</li><li>GCP IAM roles, including custom roles</li><li>GCP IAM policies, including organization policies</li><li>GCP IAM Labels</li><li>GCP IAM Recommender</li><li>GCP IAM Troubleshooter</li><li>GCP IAM Audit Logs</li><li>Best practices, including separation of duties and least privilege, the use of Google groups in policies, and avoiding the use of primitive roles</li><li>Labs: Configuring Cloud IAM, including custom roles and organization policies</li></ul><p>Module 4 Configuring Google Virtual Private Cloud for Isolation and Security
</p>
<ul>
<li>Configuring VPC firewalls (both ingress and egress rules)</li><li>Load balancing and SSL policies</li><li>Private Google API access</li><li>SSL proxy use</li><li>Best practices for VPC networks, including peering and shared VPC use, correct use of subnetworks</li><li>Best security practices for VPNs</li><li>Security considerations for interconnect and peering options</li><li>Available security products from partners</li><li>Defining a service perimeter, including perimeter bridges</li><li>Setting up private connectivity to Google APIs and services</li><li>Lab: Configuring VPC firewalls</li></ul><p>
PART II: SECURITY BEST PRACTICES ON GOOGLE CLOUD</p>
<p>Module 5 Securing Compute Engine: techniques and best practices
</p>
<ul>
<li>Compute Engine service accounts, default and customer-defined</li><li>IAM roles for VMs</li><li>API scopes for VMs</li><li>Managing SSH keys for Linux VMs</li><li>Managing RDP logins for Windows VMs</li><li>Organization policy controls: trusted images, public IP address, disabling serial port</li><li>Encrypting VM images with customer-managed encryption keys and with customer-supplied encryption keys</li><li>Finding and remediating public access to VMs</li><li>Best practices, including using hardened custom images, custom service accounts (not the default service account), tailored API scopes, and the use of application default credentials instead of user-managed keys</li><li>Lab: Configuring, using, and auditing VM service accounts and scopes</li><li>Encrypting VM disks with customer-supplied encryption keys</li><li>Lab: Encrypting disks with customer-supplied encryption keys</li><li>Using Shielded VMs to maintain the integrity of virtual machines</li></ul><p>Module 6 Securing cloud data: techniques and best practices
</p>
<ul>
<li>Cloud Storage and IAM permissions</li><li>Cloud Storage and ACLs</li><li>Auditing cloud data, including finding and remediating publicly accessible data</li><li>Signed Cloud Storage URLs</li><li>Signed policy documents</li><li>Encrypting Cloud Storage objects with customer-managed encryption keys and with customer-supplied encryption keys</li><li>Best practices, including deleting archived versions of objects after key rotation</li><li>Lab: Using customer-supplied encryption keys with Cloud Storage</li><li>Lab: Using customer-managed encryption keys with Cloud Storage and Cloud KMS</li><li>BigQuery authorized views</li><li>BigQuery IAM roles</li><li>Best practices, including preferring IAM permissions over ACLs</li><li>Lab: Creating a BigQuery authorized view</li></ul><p>Module 7 Securing Applications: techniques and best practices
</p>
<ul>
<li>Types of application security vulnerabilities</li><li>DoS protections in App Engine and Cloud Functions</li><li>Cloud Security Scanner</li><li>Lab: Using Cloud Security Scanner to find vulnerabilities in an App Engine application</li><li>Identity Aware Proxy</li><li>Lab: Configuring Identity Aware Proxy to protect a project</li></ul><p>Module 8 Securing Kubernetes: techniques and best practices
</p>
<ul>
<li>Authorization</li><li>Securing Workloads</li><li>Securing Clusters</li><li>Logging and Monitoring</li></ul><p>PART III: MITIGATING VULNERABILITIES IN GOOGLE CLOUD</p>
<p>Module 9 Protecting against Distributed Denial of Service Attacks
</p>
<ul>
<li>How DDoS attacks work</li><li>Mitigations: GCLB, Cloud CDN, autoscaling, VPC ingress and egress firewalls, Cloud Armor (including its rules language)</li><li>Types of complementary partner products</li><li>Lab: Configuring GCLB, CDN, traffic blacklisting with Cloud Armor</li></ul><p>Module 10 Protecting against content-related vulnerabilities
</p>
<ul>
<li>Threat: Ransomware</li><li>Mitigations: Backups, IAM, Data Loss Prevention API</li><li>Threats: Data misuse, privacy violations, sensitive/restricted/unacceptable content</li><li>Threat: Identity and Oauth phishing</li><li>Mitigations: Classifying content using Cloud ML APIs; scanning and redacting data using Data Loss Prevention API</li><li>Lab: Redacting Sensitive Data with Data Loss Prevention API</li></ul><p>Module 11 Monitoring, Logging, Auditing, and Scanning
</p>
<ul>
<li>Security Command Center</li><li>Stackdriver monitoring and logging</li><li>Lab: Installing Stackdriver agents</li><li>Lab: Configuring and using Stackdriver monitoring and logging</li><li>VPC flow logs</li><li>Lab: Viewing and using VPC flow logs in Stackdriver</li><li>Cloud audit logging</li><li>Lab: Configuring and viewing audit logs in Stackdriver</li><li>Deploying and Using Forseti</li><li>Lab: Inventorying a Deployment with Forseti Inventory (demo)</li><li>Lab: Scanning a Deployment with Forseti Scanner (demo)</li></ul>This course teaches participants the following skills:
- Understanding the Google approach to security
- Managing administrative identities using Cloud Identity.
- Implementing least privilege administrative access using Google Cloud Resource Manager, Cloud IAM.
- Implementing IP traffic controls using VPC firewalls and Cloud Armor
- Implementing Identity Aware Proxy
- Analyzing changes to the configuration or metadata of resources with GCP audit logs
- Scanning for and redact sensitive data with the Data Loss Prevention API
- Scanning a GCP deployment with Forseti
- Remediating important types of vulnerabilities, especially in public access to data and VMsTo get the most out of this course, participants should have:
- Prior completion of Google Cloud Fundamentals: Core Infrastructure (GCF-CI) or equivalent experience
- Prior completion of Networking in Google Cloud Platform (NGCP) or equivalent experience
- Knowledge of foundational concepts in information security:
- Fundamental concepts:
- vulnerability, threat, attack surface
- confidentiality, integrity, availability
- Common threat types and their mitigation strategies
- Public-key cryptography
- Public and private key pairs
- Certificates
- Cipher types
- Key width
- Certificate authorities
- Transport Layer Security/Secure Sockets Layer encrypted communication
- Public key infrastructures
- Security policy
- Basic proficiency with command-line tools and Linux operating system environments
- Systems Operations experience, including deploying and managing applications, either on-premises or in a public cloud environment
- Reading comprehension of code in Python or JavaScriptThis class is intended for the following job roles:
- Cloud information security analysts, architects, and engineers
- Information security/cybersecurity specialists
- Cloud infrastructure architects
- Developers of cloud applications.PART I: MANAGING SECURITY IN GOOGLE CLOUD
Module 1 Foundations of GCP Security
- Understand the GCP shared security responsibility model
- Understand Google Cloud’s approach to security
- Understand the kinds of threats mitigated by Google and by GCP
- Define and Understand Access Transparency and Access Approval (beta)
Module 2 Cloud Identity
- Cloud Identity
- Syncing with Microsoft Active Directory using Google Cloud Directory Sync
- Using Managed Service for Microsoft Active Directory (beta )
- Choosing between Google authentication and SAML-based SSO
- Best practices, including DNS configuration, super admin accounts
- Lab: Defining Users with Cloud Identity Console
Module 3 Identity, Access, and Key Management
- GCP Resource Manager: projects, folders, and organizations
- GCP IAM roles, including custom roles
- GCP IAM policies, including organization policies
- GCP IAM Labels
- GCP IAM Recommender
- GCP IAM Troubleshooter
- GCP IAM Audit Logs
- Best practices, including separation of duties and least privilege, the use of Google groups in policies, and avoiding the use of primitive roles
- Labs: Configuring Cloud IAM, including custom roles and organization policies
Module 4 Configuring Google Virtual Private Cloud for Isolation and Security
- Configuring VPC firewalls (both ingress and egress rules)
- Load balancing and SSL policies
- Private Google API access
- SSL proxy use
- Best practices for VPC networks, including peering and shared VPC use, correct use of subnetworks
- Best security practices for VPNs
- Security considerations for interconnect and peering options
- Available security products from partners
- Defining a service perimeter, including perimeter bridges
- Setting up private connectivity to Google APIs and services
- Lab: Configuring VPC firewalls
PART II: SECURITY BEST PRACTICES ON GOOGLE CLOUD
Module 5 Securing Compute Engine: techniques and best practices
- Compute Engine service accounts, default and customer-defined
- IAM roles for VMs
- API scopes for VMs
- Managing SSH keys for Linux VMs
- Managing RDP logins for Windows VMs
- Organization policy controls: trusted images, public IP address, disabling serial port
- Encrypting VM images with customer-managed encryption keys and with customer-supplied encryption keys
- Finding and remediating public access to VMs
- Best practices, including using hardened custom images, custom service accounts (not the default service account), tailored API scopes, and the use of application default credentials instead of user-managed keys
- Lab: Configuring, using, and auditing VM service accounts and scopes
- Encrypting VM disks with customer-supplied encryption keys
- Lab: Encrypting disks with customer-supplied encryption keys
- Using Shielded VMs to maintain the integrity of virtual machines
Module 6 Securing cloud data: techniques and best practices
- Cloud Storage and IAM permissions
- Cloud Storage and ACLs
- Auditing cloud data, including finding and remediating publicly accessible data
- Signed Cloud Storage URLs
- Signed policy documents
- Encrypting Cloud Storage objects with customer-managed encryption keys and with customer-supplied encryption keys
- Best practices, including deleting archived versions of objects after key rotation
- Lab: Using customer-supplied encryption keys with Cloud Storage
- Lab: Using customer-managed encryption keys with Cloud Storage and Cloud KMS
- BigQuery authorized views
- BigQuery IAM roles
- Best practices, including preferring IAM permissions over ACLs
- Lab: Creating a BigQuery authorized view
Module 7 Securing Applications: techniques and best practices
- Types of application security vulnerabilities
- DoS protections in App Engine and Cloud Functions
- Cloud Security Scanner
- Lab: Using Cloud Security Scanner to find vulnerabilities in an App Engine application
- Identity Aware Proxy
- Lab: Configuring Identity Aware Proxy to protect a project
Module 8 Securing Kubernetes: techniques and best practices
- Authorization
- Securing Workloads
- Securing Clusters
- Logging and Monitoring
PART III: MITIGATING VULNERABILITIES IN GOOGLE CLOUD
Module 9 Protecting against Distributed Denial of Service Attacks
- How DDoS attacks work
- Mitigations: GCLB, Cloud CDN, autoscaling, VPC ingress and egress firewalls, Cloud Armor (including its rules language)
- Types of complementary partner products
- Lab: Configuring GCLB, CDN, traffic blacklisting with Cloud Armor
Module 10 Protecting against content-related vulnerabilities
- Threat: Ransomware
- Mitigations: Backups, IAM, Data Loss Prevention API
- Threats: Data misuse, privacy violations, sensitive/restricted/unacceptable content
- Threat: Identity and Oauth phishing
- Mitigations: Classifying content using Cloud ML APIs; scanning and redacting data using Data Loss Prevention API
- Lab: Redacting Sensitive Data with Data Loss Prevention API
Module 11 Monitoring, Logging, Auditing, and Scanning
- Security Command Center
- Stackdriver monitoring and logging
- Lab: Installing Stackdriver agents
- Lab: Configuring and using Stackdriver monitoring and logging
- VPC flow logs
- Lab: Viewing and using VPC flow logs in Stackdriver
- Cloud audit logging
- Lab: Configuring and viewing audit logs in Stackdriver
- Deploying and Using Forseti
- Lab: Inventorying a Deployment with Forseti Inventory (demo)
- Lab: Scanning a Deployment with Forseti Scanner (demo)PART I: MANAGING SECURITY IN GOOGLE CLOUD
Module 1 Foundations of GCP Security
- Understand the GCP shared security responsibility model
- Understand Google Cloud’s approach to security
- Understand the kinds of threats mitigated by Google and by GCP
- Define and Understand Access Transparency and Access Approval (beta)
Module 2 Cloud Identity
- Cloud Identity
- Syncing with Microsoft Active Directory using Google Cloud Directory Sync
- Using Managed Service for Microsoft Active Directory (beta )
- Choosing between Google authentication and SAML-based SSO
- Best practices, including DNS configuration, super admin accounts
- Lab: Defining Users with Cloud Identity Console
Module 3 Identity, Access, and Key Management
- GCP Resource Manager: projects, folders, and organizations
- GCP IAM roles, including custom roles
- GCP IAM policies, including organization policies
- GCP IAM Labels
- GCP IAM Recommender
- GCP IAM Troubleshooter
- GCP IAM Audit Logs
- Best practices, including separation of duties and least privilege, the use of Google groups in policies, and avoiding the use of primitive roles
- Labs: Configuring Cloud IAM, including custom roles and organization policies
Module 4 Configuring Google Virtual Private Cloud for Isolation and Security
- Configuring VPC firewalls (both ingress and egress rules)
- Load balancing and SSL policies
- Private Google API access
- SSL proxy use
- Best practices for VPC networks, including peering and shared VPC use, correct use of subnetworks
- Best security practices for VPNs
- Security considerations for interconnect and peering options
- Available security products from partners
- Defining a service perimeter, including perimeter bridges
- Setting up private connectivity to Google APIs and services
- Lab: Configuring VPC firewalls
PART II: SECURITY BEST PRACTICES ON GOOGLE CLOUD
Module 5 Securing Compute Engine: techniques and best practices
- Compute Engine service accounts, default and customer-defined
- IAM roles for VMs
- API scopes for VMs
- Managing SSH keys for Linux VMs
- Managing RDP logins for Windows VMs
- Organization policy controls: trusted images, public IP address, disabling serial port
- Encrypting VM images with customer-managed encryption keys and with customer-supplied encryption keys
- Finding and remediating public access to VMs
- Best practices, including using hardened custom images, custom service accounts (not the default service account), tailored API scopes, and the use of application default credentials instead of user-managed keys
- Lab: Configuring, using, and auditing VM service accounts and scopes
- Encrypting VM disks with customer-supplied encryption keys
- Lab: Encrypting disks with customer-supplied encryption keys
- Using Shielded VMs to maintain the integrity of virtual machines
Module 6 Securing cloud data: techniques and best practices
- Cloud Storage and IAM permissions
- Cloud Storage and ACLs
- Auditing cloud data, including finding and remediating publicly accessible data
- Signed Cloud Storage URLs
- Signed policy documents
- Encrypting Cloud Storage objects with customer-managed encryption keys and with customer-supplied encryption keys
- Best practices, including deleting archived versions of objects after key rotation
- Lab: Using customer-supplied encryption keys with Cloud Storage
- Lab: Using customer-managed encryption keys with Cloud Storage and Cloud KMS
- BigQuery authorized views
- BigQuery IAM roles
- Best practices, including preferring IAM permissions over ACLs
- Lab: Creating a BigQuery authorized view
Module 7 Securing Applications: techniques and best practices
- Types of application security vulnerabilities
- DoS protections in App Engine and Cloud Functions
- Cloud Security Scanner
- Lab: Using Cloud Security Scanner to find vulnerabilities in an App Engine application
- Identity Aware Proxy
- Lab: Configuring Identity Aware Proxy to protect a project
Module 8 Securing Kubernetes: techniques and best practices
- Authorization
- Securing Workloads
- Securing Clusters
- Logging and Monitoring
PART III: MITIGATING VULNERABILITIES IN GOOGLE CLOUD
Module 9 Protecting against Distributed Denial of Service Attacks
- How DDoS attacks work
- Mitigations: GCLB, Cloud CDN, autoscaling, VPC ingress and egress firewalls, Cloud Armor (including its rules language)
- Types of complementary partner products
- Lab: Configuring GCLB, CDN, traffic blacklisting with Cloud Armor
Module 10 Protecting against content-related vulnerabilities
- Threat: Ransomware
- Mitigations: Backups, IAM, Data Loss Prevention API
- Threats: Data misuse, privacy violations, sensitive/restricted/unacceptable content
- Threat: Identity and Oauth phishing
- Mitigations: Classifying content using Cloud ML APIs; scanning and redacting data using Data Loss Prevention API
- Lab: Redacting Sensitive Data with Data Loss Prevention API
Module 11 Monitoring, Logging, Auditing, and Scanning
- Security Command Center
- Stackdriver monitoring and logging
- Lab: Installing Stackdriver agents
- Lab: Configuring and using Stackdriver monitoring and logging
- VPC flow logs
- Lab: Viewing and using VPC flow logs in Stackdriver
- Cloud audit logging
- Lab: Configuring and viewing audit logs in Stackdriver
- Deploying and Using Forseti
- Lab: Inventorying a Deployment with Forseti Inventory (demo)
- Lab: Scanning a Deployment with Forseti Scanner (demo)3 jours1995.001950.001950.002490.001995.001980.006770.002095.002095.005200.001950.002755.002450.00