Page Cloud

Google Cloud Certified Professional Cloud Security Engineer

Categories: Google Cloud Platform

About Course

Google Cloud Certified Professional Cloud Security Engineer Course Overview

Section 1: Configuring access (~25% of the exam)

1.1 Managing Cloud Identity. Considerations include:

● Configuring Google Cloud Directory Sync and implementing single sign-on (SSO) with a third-party identity provider.
● Managing a super administrator account.
● Automating the user lifecycle management process.
● Administering user accounts and groups programmatically.
● Configuring Workforce Identity Federation.

1.2 Managing service accounts. Considerations include:

● Securing and protecting service accounts (including default service accounts).
● Identifying scenarios requiring service accounts.
● Creating, disabling, and authorizing service accounts.
● Securing, auditing, and mitigating the usage of service account keys.
● Managing and creating short-lived credentials.
● Configuring Workload Identity Federation.
● Managing service account impersonation.

1.3 Managing authentication. Considerations include:

● Creating a password and session management policy for user accounts.
● Setting up Security Assertion Markup Language (SAML) and OAuth.
● Configuring and enforcing 2-step verification.

1.4 Managing and implementing authorization controls. Considerations include:

● Managing privileged roles and separation of duties with Identity and Access Management (IAM) roles and permissions.
● Managing IAM and access control list (ACL) permissions.
● Granting permissions to different types of identities using IAM conditions and IAM deny policies.
● Defining access control at the organization, folder, project, and resource level using the principle of least privilege.
● Configuring Access Context Manager.
● Applying Policy Intelligence.
● Managing permissions through groups.
● Identifying use cases and configuring Privileged Access Manager.

1.5 Defining the resource hierarchy. Considerations include:

● Managing folders and projects at scale.
● Managing pre-built or custom organization policies for the organization, folders, and projects.
● Using the resource hierarchy for access control and permissions inheritance.

 

Section 2: Securing communications and establishing boundary protection (~22% of the exam)

2.1 Designing and configuring perimeter security. Considerations include:

● Configuring network perimeter controls (e.g., Cloud Next Generation Firewall [Cloud NGFW] rules and policies, Identity-Aware Proxy [IAP], load balancers, and Certificate Authority Service).
● Setting up application layer inspection on Cloud NGFW (e.g., layer 7).
● Differentiating between private and public IP addressing.
● Configuring web application firewalls (e.g., Google Cloud Armor).
● Deploying Secure Web Proxy.
● Configuring Cloud DNS security settings.
● Continually monitoring and restricting configured APIs.

2.2 Configuring boundary segmentation. Considerations include:

● Configuring security properties of a VPC network, VPC peering, Shared VPC, and firewall rules.
● Configuring network isolation and data encapsulation for N-tier applications.
● Identifying use cases and configuring VPC Service Controls.

2.3 Establishing private connectivity. Considerations include:

● Designing and configuring private connectivity between VPC networks and Google Cloud projects (Shared VPC, VPC peering, and Private Google Access for on-premises hosts).
● Designing and configuring private connectivity and encryption between data centers and VPC network (e.g., HA VPN, Cloud Interconnect).
● Establishing private connectivity between VPC and Google APIs (Private Google Access, Private Google Access for on-premises hosts, restricted Google access, Private Service Connect).
● Using Cloud NAT to enable outbound traffic.

 

Section 3: Ensuring data protection (~23% of the exam)

3.1 Protecting sensitive data and preventing data loss. Considerations include:

● Configuring Sensitive Data Protection (SDP) (e.g., discovering and redacting personally identifiable information (PII), configuring pseudonymization and format-preserving encryption).
● Restricting access to Google Cloud data services (e.g., BigQuery, Cloud Storage, and Cloud SQL datastores).
● Securing secrets with Secret Manager.
● Protecting and managing compute instance metadata.

3.2 Managing encryption at rest, in transit, and in use. Considerations include:

● Identifying use cases for Google default encryption, customer-managed encryption keys (CMEK), and Cloud External Key Manager (EKM).
● Determining when to use software and hardware keys.
● Creating and managing encryption keys for CMEK and EKM (e.g., key rotation and revocation, key import).
● Applying encryption methods to various use cases.
● Configuring object lifecycle policies for Cloud Storage.
● Enabling Confidential Computing.

3.3 Securing AI workloads. Considerations include:

● Implementing security and privacy controls for AI/ML systems to protect against unintentional exploitation of data or models.
● Determining security requirements for IaaS-hosted and PaaS-hosted training models.
● Implementing security controls for Vertex AI.

 

Section 4: Managing operations (~19% of the exam)

4.1 Automating infrastructure and application security. Considerations include:

● Automating security scanning for Common Vulnerabilities and Exposures (CVEs) through a continuous integration and delivery (CI/CD) pipeline.
● Configuring Binary Authorization to secure GKE clusters or Cloud Run.
● Automating virtual machine and container image creation (e.g., hardening, maintenance, VM patch management).
● Managing policy and drift detection at scale (e.g., cloud security posture management, custom organization policies and custom modules for Security Health Analytics).

4.2 Configuring logging, monitoring, and detection. Considerations include:

● Configuring and analyzing network logs (Cloud Next Generation Firewall [Cloud NGFW], VPC flow logs, Packet Mirroring, Cloud Intrusion Detection System [Cloud IDS], Log Analytics).
● Designing an effective logging strategy.
● Logging, monitoring, responding to, and remediating security incidents.
● Designing secure access to logs.
● Exporting logs to external security systems.
● Configuring and analyzing Google Cloud Audit Logs and data access logs.
● Configuring log exports (log sinks and aggregated sinks).
● Configuring and monitoring Security Command Center.

 

Section 5: Supporting compliance requirements (~11% of the exam)

5.1 Adhering to regulatory and industry standards requirements for the cloud. Considerations include:

● Determining technical needs relative to compute, data, network, and storage.
● Evaluating the shared responsibility model.
● Configuring security controls within cloud environments to support compliance requirements (e.g., Assured Workloads, organizational policies, Access Transparency, Access Approval, regionalization of data and services).
● Determining the Google Cloud environment in scope for regulatory compliance.
● Mapping compliance requirements to Google Cloud services and security controls (e.g., network and access segmentation, audit log coverage).


What Will You Learn?

  • Cloud Architecture and Design: Learn to design secure, scalable, and cost-effective Google Cloud network architectures, including implementing hub-and-spoke topologies and applying best practices for cloud-only, multi-cloud, and hybrid environments.
  • Cloud Data Security: Gain proficiency in protecting data at rest and in transit, including encryption, access control, and data governance practices.
  • Cloud Platform and Infrastructure Security: Master securing the underlying infrastructure, including virtual machines, networks, and storage, using Google Cloud's security features.
  • Cloud Application Security: Develop expertise in securing web applications, APIs, and other cloud-based applications, including vulnerability management and threat detection.
  • Legal, Risk, and Compliance: Understand legal and compliance requirements related to cloud security, including industry regulations and standards.
  • Cloud Security Operations: Learn to monitor, detect, and respond to security threats and incidents, including using security tools and automation.
  • Identity and Access Management (IAM): Become proficient in configuring and managing user access to Google Cloud resources, ensuring least privilege access and role-based access control.
  • Security Automation: Learn to automate security tasks and processes, such as vulnerability scanning, incident response, and security policy enforcement.
  • Securing AI Workloads: Understand the security considerations for AI and machine learning workloads on Google Cloud.
  • Linux Experience: Develop proficiency in Linux environments, which are common in cloud infrastructure.
  • Programming Language Proficiency: Gain familiarity with programming languages used for automation and scripting in cloud environments.
  • Cloud Security Tools Experience: Become familiar with cloud security tools and services, such as vulnerability scanners, SIEM systems, and cloud security automation tools.

Student Ratings & Reviews

No Review Yet