
Google Cloud Certified Professional Cloud Security Engineer

Course

Training Architect: Antoni Tzavelas
Length: 13:55:10
Difficulty: Advanced
Videos: 58
Hands-on Labs: 7
Quizzes/Exams: 1

Course Details

Today’s businesses are concerned about the shortage of skilled talent available to manage cloud technology, verify that security controls are in place, and set up access control to protect computing workloads and data. To address the high-stakes issue of cloud security and the demand for cloud security professionals, Google Cloud has created the Professional Cloud Security Engineer certification.

The Professional Cloud Security Engineer certification is all about designing and implementing secure infrastructure on the Google Cloud Platform. The certification focuses on five areas for secure design and operation in Google Cloud:

Configuring access within a cloud solution environment
Configuring network security
Ensuring data protection
Managing operations within a cloud solution environment
Ensuring compliance

This course is designed to provide you with the knowledge you need to not only pass the Professional Cloud Security Engineer certification exam but also gain the hands-on experience you need to become a qualified Google Cloud security specialist in the real world.

If you have questions or feedback about the course, be sure to connect with us on the #google-cloud channel of the Linux Academy Slack.

Interactive Diagram: https://interactive.linuxacademy.com/diagrams/TheGCPLockdownGuide.html

Syllabus

Google Cloud Certified Professional Cloud Security Engineer

Introduction

Important Information About This Early Access Course

00:01:37

Lesson Description:

Welcome to the Google Cloud Certified Professional Cloud Security Engineer course! To help you get started learning as quickly as possible, we've launched this course in Early Access. We'll be adding content to this course over the coming weeks, so keep an eye out for updates. This video will explain how to use our Course Scheduler tool to get the most out of your learning journey.

Course Introduction

00:05:15

Lesson Description:

Welcome to the Google Cloud Professional Cloud Security Engineer certification prep course! This introductory lesson will help you understand what to expect and go over the prerequisite knowledge you'll need in order to be successful in this course.

Required or recommended prerequisites:

Google Cloud Essentials
Google Cloud Security Essentials
Google Cloud Associate Cloud Engineer

Connect with us! Join our community Slack at: http://slack.linuxacademy.com

Connect with me on LinkedIn and Twitter.

About the Training Architect

00:01:23

Lesson Description:

Hello there! My name is Antoni, and I'll be your instructor for this course. This short video will give you some background on my interests and experience. I look forward to learning with you!

Resource Manager

Resource Hierarchy

00:06:15

Lesson Description:

In this lesson, we will learn what Organizations, Folders, and Projects are and how they are structured within the Google Cloud Platform.

Policies and Constraints

00:04:11

Lesson Description:

In this lesson, we will learn how policies and constraints flow down through the GCP resource hierarchy.

Resource Manager Hands-On

00:05:03

Lesson Description:

In this lesson, we will take a brief tour of the layers of a Google Cloud organization. Specifically, we will take a look at the Organization, Folder, and Project layers.

Super Admin Best Practices

00:03:52

Lesson Description:

This lesson covers some basic but important security best practices for super admin accounts on the Google Cloud Platform.

Cloud IAM

Cloud IAM Overview

00:10:30

Lesson Description:

Managing user and application access to resources is a crucial skill for anyone working on GCP. In this lesson, we will take a deep dive into Cloud IAM.

Cloud IAM Hands-On

00:17:02

Lesson Description:

In this lesson, we will take a hands-on tour of Cloud IAM in the Google Cloud console. We will explore the different layers of the hierarchy and how Cloud IAM interacts with them. We will also observe how members are affected by changes to policies.

Service Accounts

00:07:21

Lesson Description:

A service account is a special member account that is used for applications and instances instead of an individual user. In this lesson, we will talk about why service accounts—which are both a member and a resource at the same time—are so unique.

Service Accounts Hands-On

00:19:08

Lesson Description:

In this lesson, we'll take a deep dive into service accounts and put what we've learned into practice in the context of Compute Engine.

Cloud Identity

00:08:35

Lesson Description:

Cloud Identity is a central location for managing users, groups, and security settings. In this lesson, we will take a closer look at how Cloud Identity fits into IAM.

Cloud IAM Best Practices

00:05:58

Lesson Description:

In this lesson, we will go over best practices for IAM, focusing on the principle of least privilege.

Hands-on Labs are real live environments that put you in a real scenario to practice what you have learned without any other extra charge or account to manage.

00:45:00

Network Security

Virtual Private Cloud (VPC)

00:08:40

Lesson Description:

This lesson provides an overview of virtual private cloud (VPC) networking and related networking concepts. For more information on VPCs, see: https://cloud.google.com/vpc/docs/

VPC Hands-On

00:11:09

Lesson Description:

In this lesson, we'll put what we've learned into practice by launching both a default and a custom VPC.

VPC Peering

00:11:12

Lesson Description:

VPC network peering allows private connectivity between two VPC networks. In this lesson, we will learn about VPC peering features and use cases in depth.

VPC Peering Hands-On

00:14:48

Lesson Description:

In this lesson, we will get hands-on with VPC network peering and see how routes are automatically created for connectivity between two VPCs in two separate projects.

Shared VPC

00:09:33

Lesson Description:

Shared VPC allows you to share VPCs across multiple projects while still being able to separate billing and access for these projects. In this lesson, we will explore Shared VPC and learn how it can be used.

Network Isolation and Firewall Rules

00:09:01

Lesson Description:

Network isolation is a key factor in keeping your GCP environment secure. In this lesson, we will learn how to isolate instances on your network using firewall rules, network tags, and Private Google Access.

Firewall Rules Hands-On

00:08:38

Lesson Description:

In this hands-on demonstration of firewall rules, we will put what we've learned into practice by creating both broadly and narrowly scoped firewall rules for a set of instances.

Load Balancing

00:19:06

Lesson Description:

Load balancers allow you to distribute traffic across different instances in different regions for high availability. In this lesson, we will go through the types of load balancing and load balancers that are available for the Google Cloud Platform, as well as explore these features in the GCP console.

Cloud Interconnect and Cloud VPN

00:09:50

Lesson Description:

Cloud Interconnect and Cloud VPN are the two options for connecting your on-premises network to the Google Cloud network. In this lesson, we will discuss each of these options, their unique features, and how to apply them to different use cases.

Cloud DNS and DNSSEC

00:07:03

Lesson Description:

In this lesson, we will learn about Google Cloud DNS and DNSSEC. While Cloud DNS is not covered in depth on the exam, it is closely tied to DNSSEC. We will discuss Cloud DNS at a high level as well as go over the features of DNSSEC.

VPC Best Practices

00:03:00

Lesson Description:

Although not covered on the exam, VPC best practices can help you understand what makes a good security stance when securing your network on Google Cloud. This lesson provides a quick overview of VPC best practices. You can read more about VPC best practices here: https://cloud.google.com/solutions/best-practices-vpc-design

Hands-on Lab

01:00:00

Hands-on Lab

00:30:00

Encryption on Google Cloud Platform

Encryption Overview

00:03:43

Lesson Description:

This lesson provides an introduction to encryption. We will talk about what encryption is, how it works, and how we can use it to protect our data.

Encryption at Rest

00:11:36

Lesson Description:

Data at rest is encrypted by default on Google Cloud, but other options are also available. In this lesson, we will cover all of these options in detail, as well as go over how data is encrypted.

Encryption in Transit

00:11:09

Lesson Description:

In this lesson, we will cover encryption in transit on the Google Cloud Network, all of the available routing options, and the different methods of encryption.

Cloud KMS

00:12:09

Lesson Description:

Cloud KMS is a cloud-hosted key management service that lets you manage cryptographic keys for every service in Google Cloud. You can generate, use, rotate, and destroy cryptographic keys with Cloud KMS. In this lesson, we will dive into the components of Cloud KMS and how they are used in conjunction with cryptographic keys.

Creating and Managing Encryption Keys Hands-On

00:11:13

Lesson Description:

In this lesson, we will demonstrate using the Cloud Key Management Service (Cloud KMS) to create a new custom key ring and key. We will then encrypt a text file, decrypt it, and output it to a new file. The following link is a PDF version of Google’s quick start, which you can use to follow along at your own pace: https://linuxacademy.com/cp/guides/download/refsheets/guides/refsheets/quickstart---cloud-kms-documentation---google-cloud_1521842513.pdf

Below are the encoding and encrypt/decrypt commands I used in this lesson.

Encode secret.txt into base64 format. The Cloud KMS API expects the plaintext field to be base64, and the newlines that base64 inserts every 76 characters would break the JSON body, so they are stripped:

 base64 < secret.txt | tr -d '\n'

Encrypt the base64 string into a new encrypted file called secret.encrypted. The JSON body must be single-quoted so the shell keeps the inner double quotes. You will need to update the project, key ring, key, and base64 string if you’re following along on your end:

 curl -s -X POST "https://cloudkms.googleapis.com/v1/projects/pw-sec-engineer/locations/global/keyRings/sec-keyring/cryptoKeys/key1:encrypt" \
   -d '{"plaintext":"VGhpcyBpcyBhIHNlY3JldCBmaWxlCgpQYXNzcGhyYXNlOiBCb3d0aWVzIGFyZSBjb29sIQoK"}' \
   -H "Authorization: Bearer $(gcloud auth print-access-token)" \
   -H "Content-Type: application/json" \
   | jq -r .ciphertext > secret.encrypted

This is the command used to decrypt the above file with the same key and output the result to a new unencrypted file. The ciphertext returned by Cloud KMS is already base64, so it is sent back as-is; the plaintext in the response is base64 and is decoded before being written:

 curl -s -X POST "https://cloudkms.googleapis.com/v1/projects/pw-sec-engineer/locations/global/keyRings/sec-keyring/cryptoKeys/key1:decrypt" \
   -d "{\"ciphertext\":\"$(cat secret.encrypted)\"}" \
   -H "Authorization: Bearer $(gcloud auth print-access-token)" \
   -H "Content-Type: application/json" \
   | jq -r .plaintext | base64 -d > newfile.txt

Data Protection

Identity-Aware Proxy (IAP)

00:08:26

Lesson Description:

Cloud Identity-Aware Proxy (Cloud IAP) controls access to applications and VMs running on Google Cloud Platform (GCP). In this lesson, we will dive into how it works and the features that make it such a powerful authorization layer.

Cloud Data Loss Prevention (DLP)

00:15:26

Lesson Description:

In this lesson, we will learn about Cloud DLP and how it can help us discover, classify, and redact sensitive data. More information can be found here: https://cloud.google.com/dlp/

Cloud Data Loss Prevention (DLP) Hands-On

00:07:49

Lesson Description:

In this lesson, we will practice using DLP in the console by running a job that will find sensitive data in a storage bucket. Note: At the time of recording, the DLP console was in beta. You may notice some slight differences in the version of the DLP console you see.

Distributed Denial of Service (DDoS) Attack Mitigation

00:08:34

Lesson Description:

A Distributed Denial of Service (DDoS) attack makes your server unavailable by exhausting its resources. In this lesson, we'll learn about the Google mechanisms and best practices that can mitigate these types of attacks. Google whitepaper on DDoS mitigation: https://cloud.google.com/files/GCPDDoSprotection-04122016.pdf

Security Partner Products

00:03:06

Lesson Description:

In this lesson, we'll learn about Google's Security Partner Ecosystem and the different categories of partner products.

Cloud Armor

00:06:06

Lesson Description:

Google Cloud Armor is a service that helps mitigate DDoS attacks on Google Cloud. Cloud Armor uses security policies made up of rules that allow or deny traffic from the specific IP addresses or ranges defined in each rule. In this lesson, we will learn what Cloud Armor is and how these rules are applied to mitigate DDoS attacks.

Cloud Security Scanner

00:02:59

Lesson Description:

Cloud Security Scanner (CSS) is a web security scanner for common vulnerabilities in applications running on App Engine, Compute Engine, and Google Kubernetes Engine. In this lesson, we will go over how CSS works and discuss its features.

Cloud Security Command Center

00:05:37

Lesson Description:

Cloud Security Command Center (SCC) is a GCP security product that provides consolidated visibility into all your GCP assets as well as insights into their security. In this lesson, we will learn about the features of this product.

Forseti

00:06:38

Lesson Description:

Forseti Security is a collection of community-driven, open-source tools that can be used to improve the security of your GCP environments. In this lesson, we will go over the core modules of Forseti, their features, and how they interact with each other. Forseti GitHub repo: https://github.com/forseti-security/forseti-security

Compute and Storage Security

Compute Engine Best Practices

00:07:11

Lesson Description:

When creating and running Compute Engine instances, we should always use Google-recommended best practices to secure our instances. In this lesson, we will go over these best practices in detail.

Google Kubernetes Engine (GKE) Security

00:19:36

Lesson Description:

Google Kubernetes Engine (GKE) is a container orchestration tool for deploying containerized applications. In this lesson, we'll cover Kubernetes security and best practices for the different components of the Kubernetes infrastructure as well as the containers that house your applications.

Secrets Management

00:07:53

Lesson Description:

In this lesson, we will learn the basics of secrets management and go over Google's approach to managing secrets with Cloud Key Management Service (Cloud KMS).

Cloud Storage and Storage Types

00:07:29

Lesson Description:

Cloud Storage is Google Cloud's highly durable and highly available object storage service. Objects are stored in buckets (basic containers that hold your data) and created with a default storage class. The storage class you set for an object affects the object's availability and pricing model. In this lesson, we will go over the different storage classes as well as object lifecycles that can automatically move objects from one storage class to another.

Cloud Storage Permissions and Access Control Lists (ACLs)

00:04:52

Lesson Description:

In this lesson, we will go over the different options for granting access to objects in a Cloud Storage bucket.

Data Retention Policies using Bucket Lock

00:04:34

Lesson Description:

Bucket Lock allows you to configure a data retention policy for a Cloud Storage bucket that governs how long objects in the bucket must be retained. In this lesson, we will go over how this works.

BigQuery Security

00:03:24

Lesson Description:

Access control matters in BigQuery whenever users are granted permission to view tables and run queries. In this lesson, we will go over what BigQuery is, how to grant access to BigQuery data, and how to export BigQuery data to different formats.

Managing Operations in a Cloud Environment

Managing GCP Migrations

00:10:28

Lesson Description:

Migrating workloads to GCP requires considerable planning, design, and implementation. In this lesson, we'll go over the steps Google recommends for planning a migration to GCP from an on-premises or private-hosting environment, or from another cloud provider.

Disaster Recovery

00:05:56

Lesson Description:

In this lesson, we will learn about disaster recovery (DR) and how to determine which DR pattern is right for you. Further reading: https://cloud.google.com/solutions/dr-scenarios-planning-guide

Backup and Recovery

00:04:50

Lesson Description:

In this lesson, we will go over the methods of backup and recovery on the GCP platform that will be covered on the exam.

Stackdriver

Stackdriver Overview

00:03:21

Lesson Description:

Stackdriver is a suite of tools that work together to monitor, log, and give you insights into your applications. In this lesson, we will talk about what Stackdriver is and the tools that it consists of.

Stackdriver Logging

00:06:01

Lesson Description:

Stackdriver Logging is a central repository for log data from multiple sources that allows for real-time log management and analysis. In this lesson, we will dive into how Stackdriver Logging works.

VPC Flow Logs

00:02:56

Lesson Description:

VPC flow logs give you greater insight and visibility into your network activity. In this lesson, we will go over the features of this log type and how they can be used.

Stackdriver Monitoring and Alerting

00:03:44

Lesson Description:

Stackdriver collects metrics and events and gives you visibility into the performance, uptime, and overall health of your environment. This lesson provides an overview of the monitoring and alerting tools in the Stackdriver suite.

Stackdriver APM and Error Reporting

00:04:48

Lesson Description:

Stackdriver APM (a suite of tools that includes Stackdriver Trace, Debugger, and Profiler) gives you insights into how your code is running and allows you to proactively mitigate errors in your application. Error reporting also notifies you of errors in your code so you can fix the root cause faster. This lesson provides an overview of these tools.

Exporting Stackdriver Logs

00:02:09

Lesson Description:

Some Stackdriver logs are only stored for 30 days. To store your logs for a longer period of time, you need to export them from Stackdriver to another service. This is also helpful if you plan to analyze your logs with an external SIEM. In this lesson, we will go over how to export Stackdriver logs.

Hands-on Lab

01:00:00

Compliance

Google's Shared Responsibility Model

00:02:50

Lesson Description:

When moving your data to the public cloud, who is responsible for your data depends on which services you're using. This is known as the Shared Responsibility Model. In this lesson, we will go over the different service models that are available for the Google Cloud Platform.

Google Security Overview

00:08:14

Lesson Description:

In this lesson, we will talk about how security is built into Google’s technical infrastructure and the security layers that support it. Further reading: https://cloud.google.com/security/infrastructure/design/

Standards, Regulations, and Certifications

00:03:52

Lesson Description:

In this lesson, we will go over some of the standards and regulations that Google products are certified against and talk about what each of them covers.

Next Steps

Preparing for the Exam

00:07:53

Lesson Description:

Congratulations on completing this course! This lesson will go over how to prepare for and pass the Google Cloud Security Engineer certification exam.

Helpful links:

Exam Preparation

Exam overview
Exam guide
Official practice exam

Further Study

Resource Manager
https://www.youtube.com/watch?v=tNG4RUpBUso

Cloud IAM
https://www.youtube.com/watch?v=L5_GyNtMvbg&t=126s
https://www.youtube.com/watch?v=ZMC8Ng3E3LQ
https://www.youtube.com/watch?v=L5_GyNtMvbg&list=PLIivdWyY5sqJbqze_8sohTh2U9wtZ6JNH&index=8
https://www.youtube.com/watch?v=ZMC8Ng3E3LQ&list=PLAFY3hrExHFF4Df4TTXlvKCdiKIF7SZz2&index=10&t=0s

Cloud VPC
https://www.youtube.com/watch?v=wmP6SQe5J7g&list=PLMgVo51QxLKKX4QzdHW4g5etj8KQvKviL&index=4&t=0s

Firewall Rules
https://www.youtube.com/watch?v=HTVV9YzGw5k

Network Security
https://www.youtube.com/watch?v=0XbQG2QX6mY&list=PLIivdWyY5sqJbqze_8sohTh2U9wtZ6JNH&index=2
https://www.youtube.com/watch?v=as9mXNEcaDo

Private Google Access
https://www.youtube.com/watch?v=wHvL_48ZhM8

Encryption at Rest and In Transit
https://www.youtube.com/watch?v=vxMwuL0hX3U
https://www.youtube.com/watch?v=StJ1NOQjAjo

Cloud Load Balancing
https://www.youtube.com/watch?v=HUHBq_VGgFg

Cloud Armor and DDoS Mitigation
https://www.youtube.com/watch?v=0XbQG2QX6mY&list=PLIivdWyY5sqJbqze_8sohTh2U9wtZ6JNH&index=2

Compliance
https://www.youtube.com/watch?v=MpUcyEZR8Tc&t=702s

Identity-Aware Proxy
https://www.youtube.com/watch?v=XqMY-rPk3MY

Data Loss Prevention
https://www.youtube.com/watch?v=42OadxG7p3k
https://www.youtube.com/watch?v=GArEb2e9jGk

Shared Responsibility Model
https://www.youtube.com/watch?v=D2zf0SgNdUw&list=PLIivdWyY5sqJbqze_8sohTh2U9wtZ6JNH&index=15

Cloud VPN / Cloud Interconnect
https://www.youtube.com/watch?v=28ildhOzMSI

GKE Security
https://www.youtube.com/watch?v=yIbyMUjsPLA

Cloud Security Command Center
https://www.youtube.com/watch?v=1ibeCQjjpBw&t=18s

Cloud Storage
https://www.youtube.com/watch?v=eDH_ogypBUA&list=PLAFY3hrExHFF4Df4TTXlvKCdiKIF7SZz2&index=12&t=0s
https://www.youtube.com/watch?v=izq-5aRfS3w

Exporting Stackdriver Logs to Splunk
https://www.youtube.com/watch?v=O5tmSHCJNp8

Stackdriver Logging
https://www.youtube.com/watch?v=6GQqneNFVkU
https://www.youtube.com/watch?v=dqoZEfJ7UbM&t=1548s

BigQuery Best Practices
https://www.youtube.com/watch?v=ZVgt1-LfWW4

Google Cloud Professional Cloud Security Engineer

02:00:00
