Official Google Cloud Certified Professional Cloud Security Engineer Exam Guide: Become an expert and get Google Cloud certified with this practitioner's guide
Scribed by Ankush Chowdhary, Prashant Kulkarni
- Publisher
- Packt Publishing
- Year
- 2023
- Tongue
- English
- Leaves
- 496
- Category
- Library
No coin nor oath required. For personal study only.
Synopsis
Master designing, developing, and operating secure infrastructures on Google cloud
Key Features
- Prepare for the certification exam with clear explanations, real-world examples, and self-assessment questions
- Review Google Cloud security best practices for building a secure and compliant cloud environment
- Explore advanced concepts like Security Command Center, BeyondCorp Zero Trust, and container security
Book Description
Google Cloud security offers powerful controls to assist organizations in establishing secure and compliant cloud environments. With this book, you'll gain in-depth knowledge of the Professional Cloud Security Engineer certification exam objectives, including Google Cloud security best practices, identity and access management (IAM), network security, data security, and security operations.
The chapters go beyond the exam essentials, helping you explore advanced topics such as Google Cloud Security Command Center, the BeyondCorp Zero Trust architecture, and container security. With step-by-step explanations, practical examples, and practice exams to help you tighten up your skills for the exam, you'll be able to efficiently review and apply key concepts of the shared security responsibility model. Finally, you'll get to grips with securing access, organizing cloud resources, network and data security, and logging and monitoring.
By the end of this book, you'll be proficient in designing, developing, and operating security controls on Google Cloud and gain insights into emerging concepts for future exams.
What you will learn
- Understand how Google secures infrastructure with shared responsibility
- Use resource hierarchy for access segregation and implementing policies
- Utilize Google Cloud Identity for authentication and authorizations
- Build secure networks with advanced network features
- Encrypt/decrypt data using Cloud KMS and secure sensitive data
- Gain visibility and extend security with Google's logging and monitoring capabilities
Who this book is for
This book is for IT professionals, cybersecurity specialists, system administrators, and any technology enthusiasts aspiring to strengthen their understanding of Google Cloud security and elevate their career trajectory. We delve deep into the core elements needed to successfully attain the Google Cloud Professional Security Engineer certification, a credential that stands as a testament to your proficiency in leveraging Google Cloud technologies to design, develop, and manage a robust, secure infrastructure. As businesses increasingly migrate their operations to the cloud, the demand for certified professionals in this field has skyrocketed. Earning this certification not only validates your expertise but also makes you part of an elite group of GCP Security Engineers, opening doors to opportunities that can significantly advance your career. Whether you're seeking to gain a competitive edge in the job market, earn higher pay, or contribute at a higher level to your current organization, this book will guide you every step of the way on your journey to becoming a certified Google Cloud Professional Security Engineer.
Table of Contents
- About the GCP Professional Cloud Security Engineer Exam
- Google Cloud Security Concepts
- Trust and Compliance
- Resource Management
- Understanding Google Cloud Identity
- Google Cloud Identity and Access Management
- Virtual Private Cloud
- Advanced Network Security
- Google Cloud Key Management Service
- Cloud Data Loss Prevention
- Secret Manager
- Cloud Logging
Table of Contents
Cover
FM
Copyright
Foreword
Contributors
Table of Contents
Preface
Chapter 1: About the GCP Professional Cloud Security Engineer Exam
Benefits of being certified
Registering for the exam
Some useful tips on how to prepare
Summary
Further reading
Chapter 2: Google Cloud Security Concepts
Overview of Google Cloud security
Shared security responsibility
Addressing compliance on Google Cloud
Security by design
Operational security
Network security
Data security
Services and identity
Physical and hardware security
Threat and vulnerability management
Summary
Further reading
Chapter 3: Trust and Compliance
Establishing and maintaining trust
Access Transparency and Access Approval
Access Transparency
Enabling Access Transparency
Access Approval
Configuring Access Approval
Security and privacy of data
Third-party risk assessments
Compliance in the cloud
Compliance reports
Continuous compliance
Summary
Further reading
Chapter 4: Resource Management
Overview of Google Cloud Resource Manager
Understanding resource hierarchy
Organization
Folders
Projects
Applying constraints using the Organization Policy Service
Organization policy constraints
Policy inheritance
Asset management using Cloud Asset Inventory
Asset search
Asset export
Asset monitoring
Asset analyzer
Best practices and design considerations
Summary
Further reading
Chapter 5: Understanding Google Cloud Identity
Overview of Cloud Identity
Cloud Identity domain setup
Super administrator best practices
Securing your account
2-step verification
User security settings
Session length control for Google Cloud
SAML-based SSO
Additional security features
Directory management
Google Cloud Directory Sync
GCDS features and capabilities
How does GCDS work?
Using GCDS Configuration Manager
User provisioning in Cloud Identity
Automating user lifecycle management with Cloud Identity as the IdP
Administering user accounts and groups programmatically
Summary
Further reading
Chapter 6: Google Cloud Identity and Access Management
Overview of IAM
IAM roles and permissions
Policy binding
Service accounts
Creating a service account
Disabling a service account
Deleting a service account
Undeleting a service account
Service account keys
Key rotation
Service account impersonation
Cross-project service account access
Configuring Workload Identity Federation with Okta
Best practices for monitoring service account activity
Service agents
IAM policy bindings
Policy structure
Policy inheritance and resource hierarchy
IAM Conditions
Policy best practices
Policy Intelligence for better permission management
Tag-based access control
Tag structure
Best practices for tags
Cloud Storage ACLs
Access Control Lists (ACLs)
Uniform bucket-level access
IAM APIs
IAM logging
Log name
Service account logs
Summary
Further reading
Chapter 7: Virtual Private Cloud
Overview of VPC
Google Cloud regions and zones
VPC deployment models
VPC modes
Shared VPC
VPC peering
Micro-segmentation
Subnets
Custom routing
Firewall rules
Cloud DNS
Configuring Cloud DNS: create a public DNS zone for a domain name
DNSSEC
Load balancers
Configuring external global HTTP(S) load balancers
Hybrid connectivity options
Best practices and design considerations
VPC best practices
Key decisions
Summary
Further reading
Chapter 8: Advanced Network Security
Private Google Access
DNS configuration
Routing options
Firewall rules
Identity-Aware Proxy
Enabling IAP for on-premises
Using Cloud IAP for TCP forwarding
Cloud NAT
Google Cloud Armor
Security policies
Named IP lists
Summary
Further reading
Chapter 9: Google Cloud Key Management Service
Overview of Cloud KMS
Current Cloud KMS encryption offerings
Encryption and key management in Cloud KMS
Key hierarchy
Envelope encryption
Key management options
Google Cloud's default encryption
Customer-managed encryption keys (CMEKs)
Customer-supplied encryption key
Symmetric key encryption
Creating a symmetric key
Encrypting content with a symmetric key
Decrypting content with a symmetric key
Asymmetric key encryption
Step 1: Creating a key ring
Step 2: Creating an asymmetric decryption key
Step 3: (Optional) Creating an asymmetric signing key
Encrypting data with an asymmetric key
Decrypting data with an asymmetric key
Importing a key (BYOK)
Step 1: Creating a blank key
Step 2: Importing the key using an import job
Step 3: Verifying key encryption and decryption
Key lifecycle management
Key IAM permissions
Cloud HSM
HSM key hierarchy
Key creation flow in HSM
Cryptographic operation flow in HSM
Cloud EKM
The architecture of Cloud EKM
Cloud KMS best practices
Cloud KMS infrastructure decisions
Application data encryption
Integrated Google Cloud encryption
CMEKs
Importing keys into Cloud KMS
Cloud KMS API
Cloud KMS logging
Summary
Further reading
Chapter 10: Cloud Data Loss Prevention
Overview of Cloud DLP
DLP architecture options
Content methods
Storage methods
Hybrid methods
Cloud DLP terminology
DLP infoTypes
Data de-identification
Creating a Cloud DLP inspection template
Defining the template
Configuring detection
Best practices for inspecting sensitive data
Inspecting and de-identifying PII data
De-identification transformations
Tutorial: How to de-identify and tokenize sensitive data
Step 1: Creating a key ring and a key
Step 2: Creating a base64-encoded AES key
Step 3: Wrapping the AES key using the Cloud KMS key
Step 4: Sending a de-identify request to the Cloud DLP API
Step 5: Sending a de-identity request to the Cloud DLP API
Step 6: Sending a re-identify request to the Cloud DLP API
DLP use cases
Best practices for Cloud DLP
Data exfiltration and VPC Service Controls
Architecture of VPC Service Controls
Allowing access to protected resources within the VPC Service Controls perimeter
Configuring a VPC Service Controls perimeter
Best practices for VPC Service Controls
Summary
Further reading
Chapter 11: Secret Manager
Overview of Secret Manager
Secret Manager concepts
Managing secrets and versions
Creating a secret
Adding a new secret version
Disabling a secret
Enabling a secret
Accessing a secret
Accessing a binary secret version
Accessing secrets from your application
Secret replication policy
Automatic
User-managed (user-selected)
CMEKs for Secret Manager
Best practices for secret management
Best practices for development
Best practices for deployment
Secret Manager logs
Summary
Further reading
Chapter 12: Cloud Logging
Introduction to Google Cloud logging
Log categories
Security logs
User logs
Platform logs
Log retention
Log management
Log producers
Log consumers
Log Router
Log sinks and exports
Log archiving and aggregation
Real-time log analysis and streaming
Exporting logs for compliance
Log compliance
Logging and auditing best practices
Summary
Further reading
Chapter 13: Image Hardening and CI/CD Security
Overview of image management
Custom images for Google Compute Engine
Manual baking
Automated baking
Importing existing images
Encrypting images
Image management pipeline
Creating a VM image using Packer and Cloud Build
Step 1: Creating an infrastructure for the image creation
Step 2: Creating the Packer template
Step 3: Installing the Packer binary
Step 4: Creating the image
Step 5: Automating image creation with Cloud Build
Controlling access to the images
Image lifecycle
Image families
Deprecating an image
Enforcing lifecycle policies
Securing a CI/CD pipeline
CI/CD security
CI/CD security threats
How to secure a CI/CD pipeline
Source Composition Analysis (SCA)
Static Application Security Testing (SAST)
CI/CD IAM controls
Container registry scanning
Container runtime security
Binary authorization
Best practices for CI/CD security
Shielded VMs
Secure Boot
Virtual Trusted Platform Module (vTPM)
Integrity monitoring
IAM authorization
Organization policy constraints for Shielded VMs
Confidential computing
Key features of Google Cloud Confidential Computing
Benefits of Confidential Computing
Summary
Further reading
Chapter 14: Security Command Center
Overview of SCC
Core services
Cloud Asset Inventory
Listing assets
Filtering assets
Exporting assets to BigQuery
Detecting security misconfigurations and vulnerabilities
Security Health Analytics
VM Manager
Rapid Vulnerability Detection
Web Security Scanner
Threat detection
Event Threat Detection
Container Threat Detection
VM Threat Detection
Anomaly detection
Continuous compliance monitoring
CIS benchmarks
Additional standards
Exporting SCC findings
One-time exports
Exporting data using the SCC API
Continuous exports
Automating a findings response
Summary
Further reading
Chapter 15: Container Security
Overview of containers
Container basics
What are containers?
Advantages of containers
What is Kubernetes?
GKE
Container security
Threats and risks in containers
GKE security features
Namespaces
Access control
Kubernetes RBAC
IAM
Secrets
Auditing
Logging
Network Policies
GKE private clusters
Service mesh
Container image security
Cluster Certificate Authority (CA)
GKE Workload Identity
Center for Internet Security (CIS) best practices
Container security best practices
Summary
Further reading
Google Professional Cloud Security Engineer Exam: Mock Exam I
Google Professional Cloud Security Engineer Exam: Mock Exam II
Index
Other Books You May Enjoy