Security in Google Cloud Platform (SGCP-3D)

Module 1: Foundations of GCP Security

• The approach of Google Cloud to security
• The shared security responsibility model
• Threats mitigated by Google and Google Cloud
• Access transparency

Module 2: Securing Access to Google Cloud

• Cloud Identity
• Google Cloud Directory Sync
• Managed Microsoft AD
• Google authentication versus SAML-based SSO
• Identity Platform
• Authentication best practices

Module 3: Identity and Access Management (IAM)

• Resource Manager
• IAM roles
• Service accounts
• IAM and Organization policies
• Workload identity federation
• Policy Intelligence
• Lab: Configuring IAM

Module 4: Configuring Virtual Private Cloud for Isolation and Security

• VPC firewalls
• Load balancing and SSL policies
• Cloud Interconnect
• VPC Network Peering
• VPC Service Controls
• Access Context Manager
• VPC Flow Logs
• Cloud IDS
• Labs:
• Configuring VPC firewalls
• Configuring and Using VPC Flow Logs in Cloud Logging
• Demo: Securing Projects with VPC Service Controls
• Getting Started with Cloud IDS

Module 5: Securing Compute Engine: techniques and best practices

• Service accounts, IAM roles, and API scopes
• Managing VM logins
• Organization policy controls
• Shielded VMs and Confidential VMs
• Certificate Authority Service
• Compute Engine best practices
• Lab: Configuring, Using, and Auditing VM Service Accounts and Scopes

Module 6: Securing cloud data: techniques and best practices

• Cloud Storage IAM permissions and ACLs
• Auditing cloud data
• Signed URLs and policy documents
• Encrypting with Customer-managed encryption keys (CMEK) and Customer-supplied encryption keys (CSEK)
• Cloud HSM
• BigQuery IAM roles and authorized views
• Storage best practices
• Lab: Using Customer-Supplied Encryption Keys with Cloud Storage
• Lab: Using Customer-Managed Encryption Keys with Cloud Storage and Cloud KMS
• Lab: Creating a BigQuery Authorized View

Module 7 Securing Applications: techniques and best practices

• Types of application security vulnerabilities
• Web Security Scanner
• Threat Identity and OAuth phishing
• Identity-Aware Proxy
• Secret Manager
• Lab: Identity Application Vulnerabilities with Security Command Center
• Lab: Securing Compute Engine Applications with BeyondCorp Enterprise
• Lab: Configuring and Using Credentials with Secret Manager

Module 8: Securing Google Kubernetes Engine: Techniques and Best Practices

• Types of application security vulnerabilities
• Web Security Scanner
• Threat: Identity and OAuth phishing
• Identity-Aware Proxy
• Secret Manager

Module 9: Protecting against Distributed Denial of Service Attacks

• How DDoS attacks work
• Google Cloud mitigations
• Types of complementary partner products
• Lab: Configuring Traffic Blocklisting with Google Cloud Armor

Module 10:Content-Related Vulnerabilities: Techniques and Best Practices

• Threat: Ransomware
• Ransomware mitigations
• Threats: data misuse, privacy violations, sensitive content
• Content-related mitigation
• Redacting Sensitive Data with the DLP API
• Lab: Redacting Sensitive Data with DLP API

Module 11 Monitoring, Logging, Auditing, and Scanning

• Security Command Center
• Cloud Monitoring and Cloud Logging
• Cloud Audit Logs
• Cloud security automation
• Lab: Configuring and Using Cloud Monitoring and Cloud Logging
• Lab: Configuring and Viewing Cloud Audit Logs