Official Google Cloud Certified Professional Cloud Security Engineer Exam Guide - Ankush Chowdhary - E-Book

Description

Google Cloud security offers powerful controls to assist organizations in establishing secure and compliant cloud environments. With this book, you’ll gain in-depth knowledge of the Professional Cloud Security Engineer certification exam objectives, including Google Cloud security best practices, identity and access management (IAM), network security, data security, and security operations.
The chapters go beyond the exam essentials, helping you explore advanced topics such as Google Cloud Security Command Center, the BeyondCorp Zero Trust architecture, and container security. With step-by-step explanations, practical examples, and practice exams to help you improve your skills for the exam, you'll be able to efficiently review and apply key concepts of the shared security responsibility model. Finally, you’ll get to grips with securing access, organizing cloud resources, network and data security, and logging and monitoring.
By the end of this book, you'll be proficient in designing, developing, and operating security controls on Google Cloud and gain insights into emerging concepts for future exams.

You can read this e-book in the Legimi apps or in any other app that supports the following formats:

EPUB
MOBI

Page count: 629

Publication year: 2023


Official Google Cloud Certified Professional Cloud Security Engineer Exam Guide

Become an expert and get Google Cloud certified with this practitioner’s guide

Ankush Chowdhary and Prashant Kulkarni

BIRMINGHAM—MUMBAI

Official Google Cloud Certified Professional Cloud Security Engineer Exam Guide

Copyright © 2023 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Authors: Ankush Chowdhary and Prashant Kulkarni

Reviewers: Hector Diaz, Assaf Namer, Lanre Ogunmola, and Holly Willey

Managing Editor: Arun Nadar

Development Editor: M Keerthi Nair

Production Editor: Shantanu Zagade

Editorial Board: Vijin Boricha, Megan Carlisle, Alex Mazonowicz, Aaron Nash, and Ankita Thakur

First published: August 2023

Production reference: 1220823

Published by Packt Publishing Ltd.

Grosvenor House

11 St Paul’s Square

Birmingham

B3 1RB

ISBN 978-1-83546-886-9

www.packtpub.com

Foreword

We are digitizing the planet at an increasing pace. Small and large businesses, governments, and other public institutions, and the daily fabric of our lives increasingly depend on reliable and secure systems.

More of these systems are now operating in one or more hyperscale cloud providers. Such cloud providers continue to invest in security as a reflection of their importance to customers in critical infrastructures and of their own desire to manage risk for large numbers of organizations. With increasing security, resilience, reliability, and compliance in the cloud, many organizations are moving more data and workloads to get these benefits.

At Google Cloud, we are committed to providing our customers with the most secure and reliable cloud platform possible and we have invested significantly in secure by design and secure by default approaches to provide higher assurance to help customers operate securely.

While our goal is to make Google Cloud as easy to secure as possible, we also know that designing, configuring, and operating large cloud deployments for real workloads requires solid expertise and experience. We also know that security is not just about technology. It’s also about people.

At Google, we have been focused on developing the cybersecurity workforce through our cybersecurity certificate programs and many other resources that not only grow the number of people available to organizations to improve cybersecurity, but also increase their depth and specialism in important fields like cloud security. Our Professional Cloud Security Engineer certification is one of the most comprehensive and respected cloud certifications in the industry. It is a valuable credential for professionals to demonstrate their expertise, and for organizations to know they’re working with someone who has validated expertise and is committed to the right security practices as encoded by Google Cloud security experts.

Ankush and Prashant, in developing this Official Google Cloud Certified Professional Cloud Security Engineer Exam Guide, are providing an immensely useful resource for professionals to learn and ready themselves for this important certification in a growing field with huge demand for such skills. The guide serves as the authoritative source aligned with the exam blueprint and offers professionals an easy way to study not just what’s relevant to the exam, but further reading material and paths to additional Google Cloud-provided training courses.

Well-configured cloud services represent a significantly increased level of security for many organizations that will bring continued societal benefits. We hope with the expertise gained from your Google Cloud Certified Professional Cloud Engineer status, you will be part of this security evolution.

Phil Venables

Chief Information Security Officer, Google Cloud

“One who can see that all activities are performed by the body, which is created of material nature, and sees that the self does nothing, truly sees”.

– Bhagavad Gita 13:30

Contributors

About the authors

Ankush Chowdhary, Vice President – CISO, HPE

With an unwavering focus on technology spanning over two decades, Ankush remains genuinely dedicated to the ever-evolving realm of cybersecurity. Throughout his career, he has consistently upheld a deep commitment to assisting businesses on their journey towards modernization and embracing the digital age. His guidance has empowered numerous enterprises to prioritize and implement essential cybersecurity measures. He has had the privilege of being invited as a speaker at various global cybersecurity events, where he had the opportunity to share his insights and exert influence on key decision-makers concerning cloud security and policy matters. Driven by an authentic passion for education and mentorship, he derives immense satisfaction from guiding, teaching, and mentoring others within the intricate domain of cybersecurity. The intent behind writing this book has been a modest endeavor to achieve the same purpose.

I want to express my deepest gratitude for the completion of this book. This accomplishment is not solely my own; it is the result of the collective contributions and support from many individuals in my professional and personal life.

To my family, friends, and all who have supported me, thank you for being the guiding forces and pillars of strength throughout this journey. Your unwavering support, encouragement, and belief in my abilities have fueled my determination and kept me grounded.

I am grateful for the wisdom and insights shared by my colleagues and mentors. Your contributions have added depth and richness to the content of this book.

I dedicate this book to all of you, for your invaluable presence and the influence you have had on its creation. Your collective efforts have shaped its realization and made it a reality.

Prashant Kulkarni, Cloud Security Architect, Google Cloud

In his career, Prashant has worked directly with customers, helping them overcome different security challenges in various product areas. These experiences have made him passionate about continuous learning, especially in the fast-changing security landscape. Since joining Google 4 years ago, he has expanded his knowledge of cloud security. He is thankful for the support of customers, the infosec community, and his peers, which has sharpened his technical skills and improved his ability to explain complex security concepts in a user-friendly way. This book aims to share his experiences and insights, empowering readers to navigate the ever-evolving security landscape with confidence. In his free time, Prashant indulges in his passion for astronomy, marveling at the vastness and beauty of the universe.

I would like to thank my loving family and friends, including my supportive wife, my two wonderful children, my parents, and our goofy labradoodle.

I would like to dedicate this book to all the passionate learners and seekers of knowledge who embrace the joy of learning. It is a tribute to those who see challenges as opportunities for growth and relish the journey of acquiring new skills and insights. May this book serve as a guiding light, empowering you to overcome hurdles and unlock the boundless potential within the world of Google Cloud security engineering. Your unwavering dedication to learning inspires us all!

Last but not least, I would like to thank our publisher, Packt, and the whole editing team who worked tirelessly to make this book the best we could!

About the reviewers

Hector Diaz is a Cloud Security Architect at Google, partnering with highly regulated organizations to design and operate secure and compliant cloud environments. Before joining Google, Hector spent 15 years architecting security and cloud solutions for customers in the financial, retail, and telecommunications industries to help them achieve their business goals.

Assaf Namer is a cybersecurity leader, Principal Cloud Security Architect, security patent holder, and mentor. He has worked at a few startups as well as industry giants such as Intel, AWS, and Google. Assaf is the creator of several security blueprints, has led some of the largest cloud agreements, and offers security advice to governments. He holds a master’s degree in cybersecurity, an MBA, and a professional program certificate in AI/ML from MIT.

Lanre Ogunmola is a Cloud Security Architect at Google Cloud and has more than 15 years of work experience with a strong focus on data protection, cryptography, threat modeling, and risk assessment. He holds an MS in Cybersecurity from the University of Nebraska and has earned CISSP, CCSP, CISA, CISM, CKA, CKS, and other Google Cloud certifications. Outside of work, he loves watching soccer and experiencing new cultures.

Holly Willey is a Cloud Security Architect who helps organizations craft secure, scalable, and resilient systems in the cloud that address their business needs. She has worked as an architect for Google Cloud, ServiceNow, and AWS, as well as in engineering roles at Splunk and F5 Networks. Her early career included more than a decade spent designing, building, and supporting mission-critical databases for financial services, telecommunications, and e-commerce companies. Holly holds an M.A. in Teaching Mathematics and Science from Seattle Pacific University and a B.A. in Business Administration from the University of Washington.

Table of Contents

Preface

1

About the GCP Professional Cloud Security Engineer Exam

Benefits of being certified

Registering for the exam

Some useful tips on how to prepare

Summary

Further reading

2

Google Cloud Security Concepts

Overview of Google Cloud security

Shared security responsibility

Addressing compliance on Google Cloud

Security by design

Operational security

Network security

Data security

Services and identity

Physical and hardware security

Threat and vulnerability management

Summary

Further reading

3

Trust and Compliance

Establishing and maintaining trust

Access Transparency and Access Approval

Access Transparency

Enabling Access Transparency

Access Approval

Configuring Access Approval

Security and privacy of data

Third-party risk assessments

Compliance in the cloud

Compliance reports

Continuous compliance

Summary

Further reading

4

Resource Management

Overview of Google Cloud Resource Manager

Understanding resource hierarchy

Organization

Folders

Projects

Applying constraints using the Organization Policy Service

Organization policy constraints

Policy inheritance

Asset management using Cloud Asset Inventory

Asset search

Asset export

Asset monitoring

Asset analyzer

Best practices and design considerations

Summary

Further reading

5

Understanding Google Cloud Identity

Overview of Cloud Identity

Cloud Identity domain setup

Super administrator best practices

Securing your account

2-step verification

User security settings

Session length control for Google Cloud

SAML-based SSO

Additional security features

Directory management

Google Cloud Directory Sync

GCDS features and capabilities

How does GCDS work?

Using GCDS Configuration Manager

User provisioning in Cloud Identity

Automating user lifecycle management with Cloud Identity as the IdP

Administering user accounts and groups programmatically

Summary

Further reading

6

Google Cloud Identity and Access Management

Overview of IAM

IAM roles and permissions

Policy binding

Service accounts

Creating a service account

Disabling a service account

Deleting a service account

Undeleting a service account

Service account keys

Key rotation

Service account impersonation

Cross-project service account access

Configuring Workload Identity Federation with Okta

Best practices for monitoring service account activity

Service agents

IAM policy bindings

Policy structure

Policy inheritance and resource hierarchy

IAM Conditions

Policy best practices

Policy Intelligence for better permission management

Tag-based access control

Tag structure

Best practices for tags

Cloud Storage ACLs

Access Control Lists (ACLs)

Uniform bucket-level access

IAM APIs

IAM logging

Log name

Service account logs

Summary

Further reading

7

Virtual Private Cloud

Overview of VPC

Google Cloud regions and zones

VPC deployment models

VPC modes

Shared VPC

VPC peering

Micro-segmentation

Subnets

Custom routing

Firewall rules

Cloud DNS

Configuring Cloud DNS – create a public DNS zone for a domain name

DNSSEC

Load balancers

Configuring external global HTTP(S) load balancers

Hybrid connectivity options

Best practices and design considerations

VPC best practices

Key decisions

Summary

Further reading

8

Advanced Network Security

Private Google Access

DNS configuration

Routing options

Firewall rules

Identity-Aware Proxy

Enabling IAP for on-premises

Using Cloud IAP for TCP forwarding

Cloud NAT

Google Cloud Armor

Security policies

Named IP lists

Summary

Further reading

9

Google Cloud Key Management Service

Overview of Cloud KMS

Current Cloud KMS encryption offerings

Encryption and key management in Cloud KMS

Key hierarchy

Envelope encryption

Key management options

Google Cloud’s default encryption

Customer-managed encryption keys (CMEKs)

Customer-supplied encryption key

Symmetric key encryption

Creating a symmetric key

Encrypting content with a symmetric key

Decrypting content with a symmetric key

Asymmetric key encryption

Step 1: Creating a key ring

Step 2: Creating an asymmetric decryption key

Step 3: (Optional) Creating an asymmetric signing key

Encrypting data with an asymmetric key

Decrypting data with an asymmetric key

Importing a key (BYOK)

Step 1: Creating a blank key

Step 2: Importing the key using an import job

Step 3: Verifying key encryption and decryption

Key lifecycle management

Key IAM permissions

Cloud HSM

HSM key hierarchy

Key creation flow in HSM

Cryptographic operation flow in HSM

Cloud EKM

The architecture of Cloud EKM

Cloud KMS best practices

Cloud KMS infrastructure decisions

Application data encryption

Integrated Google Cloud encryption

CMEKs

Importing keys into Cloud KMS

Cloud KMS API

Cloud KMS logging

Summary

Further reading

10

Cloud Data Loss Prevention

Overview of Cloud DLP

DLP architecture options

Content methods

Storage methods

Hybrid methods

Cloud DLP terminology

DLP infoTypes

Data de-identification

Creating a Cloud DLP inspection template

Defining the template

Configuring detection

Best practices for inspecting sensitive data

Inspecting and de-identifying PII data

De-identification transformations

Tutorial: How to de-identify and tokenize sensitive data

Step 1: Creating a key ring and a key

Step 2: Creating a base64-encoded AES key

Step 3: Wrapping the AES key using the Cloud KMS key

Step 4: Sending a de-identify request to the Cloud DLP API

Step 5: Sending a de-identity request to the Cloud DLP API

Step 6: Sending a re-identify request to the Cloud DLP API

DLP use cases

Best practices for Cloud DLP

Data exfiltration and VPC Service Controls

Architecture of VPC Service Controls

Allowing access to protected resources within the VPC Service Controls perimeter

Configuring a VPC Service Controls perimeter

Best practices for VPC Service Controls

Summary

Further reading

11

Secret Manager

Overview of Secret Manager

Secret Manager concepts

Managing secrets and versions

Creating a secret

Adding a new secret version

Disabling a secret

Enabling a secret

Accessing a secret

Accessing a binary secret version

Accessing secrets from your application

Secret replication policy

Automatic

User-managed (user-selected)

CMEKs for Secret Manager

Best practices for secret management

Best practices for development

Best practices for deployment

Secret Manager logs

Summary

Further reading

12

Cloud Logging

Introduction to Google Cloud logging

Log categories

Security logs

User logs

Platform logs

Log retention

Log management

Log producers

Log consumers

Log Router

Log sinks and exports

Log archiving and aggregation

Real-time log analysis and streaming

Exporting logs for compliance

Log compliance

Logging and auditing best practices

Summary

Further reading

13

Image Hardening and CI/CD Security

Overview of image management

Custom images for Google Compute Engine

Manual baking

Automated baking

Importing existing images

Encrypting images

Image management pipeline

Creating a VM image using Packer and Cloud Build

Step 1: Creating an infrastructure for the image creation

Step 2: Creating the Packer template

Step 3: Installing the Packer binary

Step 4: Creating the image

Step 5: Automating image creation with Cloud Build

Controlling access to the images

Image lifecycle

Image families

Deprecating an image

Enforcing lifecycle policies

Securing a CI/CD pipeline

CI/CD security

CI/CD security threats

How to secure a CI/CD pipeline

Source Composition Analysis (SCA)

Static Application Security Testing (SAST)

CI/CD IAM controls

Container registry scanning

Container runtime security

Binary authorization

Best practices for CI/CD security

Shielded VMs

Secure Boot

Virtual Trusted Platform Module (vTPM)

Integrity monitoring

IAM authorization

Organization policy constraints for Shielded VMs

Confidential computing

Key features of Google Cloud Confidential Computing

Benefits of Confidential Computing

Summary

Further reading

14

Security Command Center

Overview of SCC

Core services

Cloud Asset Inventory

Listing assets

Filtering assets

Exporting assets to BigQuery

Detecting security misconfigurations and vulnerabilities

Security Health Analytics

VM Manager

Rapid Vulnerability Detection

Web Security Scanner

Threat detection

Event Threat Detection

Container Threat Detection

VM Threat Detection

Anomaly detection

Continuous compliance monitoring

CIS benchmarks

Additional standards

Exporting SCC findings

One-time exports

Exporting data using the SCC API

Continuous exports

Automating a findings response

Summary

Further reading

15

Container Security

Overview of containers

Container basics

What are containers?

Advantages of containers

What is Kubernetes?

GKE

Container security

Threats and risks in containers

GKE security features

Namespaces

Access control

Kubernetes RBAC

IAM

Secrets

Auditing

Logging

Network Policies

GKE private clusters

Service mesh

Container image security

Cluster Certificate Authority (CA)

GKE Workload Identity

Center for Internet Security (CIS) best practices

Container security best practices

Summary

Further reading

Google Professional Cloud Security Engineer Exam – Mock Exam I

Google Professional Cloud Security Engineer Exam – Mock Exam II

Other Books You May Enjoy

Preface

Organizations are increasingly adopting cloud migration for several reasons, including scalability, cost-efficiency, and agility. Cloud platforms offer the ability to scale resources on demand, reduce infrastructure costs, and quickly adapt to changing business needs. As a result, businesses are seeking to leverage the benefits of cloud computing, leading to rising demand for cloud security. Cloud security plays a crucial role in cloud computing, and so cloud service providers such as Google Cloud invest heavily in security measures such as encryption, access controls, threat detection, and incident response. By migrating to the cloud, organizations can leverage the expertise and infrastructure of cloud providers to enhance their overall security posture, protecting against data breaches, unauthorized access, and other cyber threats. As a result, there is growing demand for skilled professionals who can ensure the security of these cloud environments.

Data breaches and security incidents have become a major concern for businesses. The role of a Google Cloud security engineer involves implementing robust security measures, designing secure architectures, and managing access controls to safeguard data from unauthorized access, breaches, and other security threats. The Google Professional Cloud Security Engineer Certification acts as a testament to your proficiency in securing cloud environments and demonstrates your commitment to professional development. It enhances your credibility and opens up new career opportunities in the field of cloud security.

This book will introduce you to a range of essential topics. It will provide an understanding of cloud security fundamentals and the shared responsibility model. The book will go in-depth into the security features and services offered by Google Cloud, such as IAM, network security, container security, and Security Command Center. It will also address secure cloud architecture and design, data protection and encryption, security operations compliance and governance, and best practices. Additionally, the book has two full mock exams to aid in exam preparation. By covering these topics thoroughly, the book prepares you to excel in the certification exam and thrive as a cloud security practitioner using Google Cloud.

By the end of this book, you will have gained the knowledge and skills required to pass the Google Professional Cloud Security Engineer Certification exam and implement architectural best practices and strategies in your day-to-day work.

Who this book is for

This book is for IT professionals, cybersecurity specialists, system administrators, and any technology enthusiasts aspiring to strengthen their understanding of Google Cloud security and elevate their career trajectory. We delve deep into the core elements needed to successfully attain the Google Cloud Professional Security Engineer certification—a credential that stands as a testament to your proficiency in leveraging Google Cloud technologies to design, develop, and manage a robust, secure infrastructure. As businesses increasingly migrate their operations to the cloud, the demand for certified professionals in this field has skyrocketed. Earning this certification not only validates your expertise but also makes you part of an elite group of GCP Security Engineers, opening doors to opportunities that can significantly advance your career. Whether you’re seeking to gain a competitive edge in the job market, earn higher pay, or contribute at a higher level to your current organization, this book will guide you every step of the way on your journey to becoming a certified Google Cloud Professional Security Engineer.

What this book covers

Chapter 1, About the Google Professional Cloud Security Engineer Exam, focuses on the Google Professional Cloud Security Engineer Certification and provides guidance on how to register for the exam. This chapter also covers the outline of the exam.

Chapter 2, Google Cloud Security Concepts, covers how Google secures its cloud infrastructure. You will learn how shared security responsibility is applied to the different Google Cloud services, the defense-in-depth model that Google deploys in securing its infrastructure at various layers, and how the isolation and security of data are achieved. Other areas covered include threat and vulnerability management, security monitoring, and data residency.

Chapter 3, Trust and Compliance, looks at two essential aspects of cloud architecture. The first part of the chapter focuses on how Google builds in security and privacy and provides customers with full transparency. Data security is all about control, and you will learn how Google Cloud empowers its customers to own, control, and protect their data. The second part of the chapter covers the different compliance standards and programs that Google Cloud is compliant with and how you can gain access to compliance reports. It also introduces some advanced topics that are discussed later in the book when covering continuous monitoring and continuous compliance.

Chapter 4, Resource Management, covers Google Cloud Resource Manager and how resources are organized. It also covers IAM policies, organization policy constraints, Cloud Asset Inventory, and firewall rules that can be applied and inherited via the resource hierarchy.

Chapter 5, Understanding Google Cloud Identity, introduces Google Cloud Identity. You will learn how to design and build your authentication strategy on Google Cloud using Cloud Identity. The topics include user lifecycle management, device security, cloud directory, account security, app management, identity federation, and single sign-on.

Chapter 6, Google Cloud Identity and Access Management, takes a deep dive into Google Cloud Identity and Access Management. It covers IAM roles, permissions and conditions, service accounts, how to manage service account keys, and IAM policy intelligence, along with best practices and design considerations.

Chapter 7, Virtual Private Cloud, covers network security concepts within Google Cloud. You will look at what a VPC is and the different types of VPC models, as well as how to do micro-segmentation using subnets, custom routing, and firewall rules. Furthermore, you will also look at DNSSEC in Google Cloud and different types of load balancers.

Chapter 8, Advanced Network Security, teaches you how to secure your content by using the advanced network security features that are available on Google Cloud. This chapter also covers Identity-Aware Proxy, Private Google Access, VPC Service Controls, DDoS, and the web application firewall.

Chapter 9, Google Cloud Key Management Service, lays the foundation for understanding the key hierarchy in Google Cloud Key Management Service (KMS) and how envelope encryption works. In this chapter, you will look at different types of encryption keys, their purpose, and how Google does encryption and key management, including coverage of the underlying cryptographic operation. The chapter also covers concepts such as bringing your own key to the cloud.

Chapter 10, Cloud Data Loss Prevention, guides you on how to use Google Cloud Data Loss Prevention (DLP) to secure sensitive data. It covers techniques used to scan for sensitive data by creating scan jobs and also how to enforce DLP rules to redact sensitive data using techniques such as masking, redaction, and tokenization.

Chapter 11, Secret Manager, guides you on how to use Google Cloud Secret Manager to create secrets that are used during runtime by your applications.

Chapter 12, Cloud Logging, covers how Cloud Logging works on Google Cloud. You will look at the different log types and key components for logging and learn how to build a centralized logging system for continuous monitoring.

Chapter 13, Image Hardening and CI/CD Security, teaches you how to harden compute images for both virtual machines and containers. It covers how to manage, secure, patch, and harden images, and how to build image management pipelines. Furthermore, you will look at building security scanning of the CI/CD pipeline. Finally, this chapter covers some Google Cloud Compute Engine security capabilities such as Shielded VMs and confidential computing.

Chapter 14, Security Command Center, explores the capabilities offered by Security Command Center and teaches you how to configure and use Security Command Center’s capabilities to detect threats, vulnerabilities, and misconfigurations. You will also look at how Security Command Center can be used to build automated incident response and ingest its findings with third-party security information and event management tools such as Splunk.

Chapter 15, Container Security, covers how to design, develop, and deploy containers securely on Google Cloud. The topics covered include various aspects of container security, such as image hardening, isolation, implementing a security policy, scanning containers, and Binary Authorization. It also covers various security features of Google Kubernetes Engine (GKE) and some best practices.

Mock Exam 1 is a full-length exam covering all certification areas. Pay attention to the language of the questions.

Mock Exam 2 is another full-length exam covering all certification areas. This exam should increase your confidence in passing the exam.

To get the most out of this book

To get the most out of a certification book like this, follow these strategies:

Set clear goals: Define your objectives and what you aim to achieve by studying the certification book. Identify the specific areas you want to strengthen your knowledge in and the skills you want to acquire.

Plan and allocate time: Create a study schedule that fits your routine and allows for consistent learning. Allocate dedicated time each day or week to focus on the book’s content. Consistency is key to retaining information effectively.

Active reading: Approach the book with an active mindset. Take notes, highlight important concepts, and jot down questions for further exploration. Engage with the material actively to enhance comprehension and retention.

Hands-on practice: Supplement your reading with practical exercises and hands-on labs whenever possible. Apply the concepts and techniques described in the book to real-world scenarios. This will solidify your understanding and help you develop practical skills.

Review and reinforce: Regularly review the topics covered in the book to reinforce your knowledge. Make use of review questions or quizzes provided in the book or seek additional practice exams to test your understanding and identify areas that require further study.

Seek additional resources: While the certification book serves as a comprehensive guide, supplement your learning with additional resources such as official documentation, online tutorials, video courses, and practice exams. Use these resources to gain different perspectives and reinforce your understanding.

Join study groups or communities: Engage with others pursuing the same certification. Join online study groups or communities where you can discuss concepts, share insights, and clarify doubts. Collaborating with peers can enhance your learning experience.

Track your progress: Keep track of your progress by setting milestones or checkpoints throughout your study journey. Celebrate achievements along the way, and identify areas that require more attention to ensure a well-rounded understanding.

Practice time management: Efficiently manage your time during the exam preparation phase. Allocate sufficient time for reviewing and practicing sample questions or mock exams to simulate the actual exam environment and improve your test-taking skills.

Stay motivated: Maintain a positive mindset and stay motivated throughout your certification journey. Remember your goals and the benefits that achieving the certification can bring. Reward yourself for milestones reached and stay committed to the process.

By implementing these strategies, you can maximize your learning experience with the certification book, deepen your knowledge, and increase your chances of success in the certification exam.

Download the color images

We also provide a PDF file that has color images of the screenshots and diagrams used in this book. You can download it here: https://packt.link/Wmiqu.

Conventions used

Code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles are shown as follows: “The lifecycle state is displayed as ACTIVE or DELETE_REQUESTED.”

Words that you see on the screen, for example, in menus or dialog boxes, also appear in the text like this: “Navigate to Billing from the console menu on the left.”

A block of code is set as follows:

{
  "creationTime": "2020-01-07T21:59:43.314Z",
  "displayName": "my-organization",
  "lifecycleState": "ACTIVE",
  "name": "organizations/34739118321",
  "owner": {
    "directoryCustomerId": "C012ba234"
  }
}

When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:

{
  "type": "service_account",
  "project_id": "project-id",
  "private_key_id": "key-id",
  "private_key": "-----BEGIN PRIVATE KEY-----\nprivate-key\n-----END PRIVATE KEY-----\n",
  "client_email": "[email protected]",
  "client_id": "client-id",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://accounts.google.com/o/oauth2/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/service-account-email"
}

Any command-line input or output is written as follows:

git secrets --add 'private_key'

git secrets --add 'private_key_id'

New terms and important words are shown like this: “The aim of this book is to help cloud security professionals pass the Google Cloud Platform (GCP) Professional Cloud Security Engineer exam.”

Tips or important notes

Appear like this.

If you are using the digital version of this book, we advise you to type the code yourself. Doing so will help you avoid any potential errors related to the copying and pasting of code.

Get in touch

Feedback from our readers is always welcome.

General feedback: If you have any questions about this book, please mention the book title in the subject of your message and email us at [email protected].

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you could report this to us. Please visit www.packtpub.com/support/errata and complete the form.

Piracy: If you come across any illegal copies of our works in any form on the Internet, we would be grateful if you could provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Share your thoughts

Once you’ve read Google Professional Cloud Security Engineer Exam Guide, we’d love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.

Your review is important to us and the tech community and will help us make sure we’re delivering excellent quality content.

1

About the GCP Professional Cloud Security Engineer Exam

The rate of migration to the cloud is growing exponentially. The cloud is something of a Masai Mara right now, and we don’t expect that this will slow down. New projects are often now born in the cloud and end up staying there.

Note

The Masai Mara is an iconic African savanna landscape characterized by an annual wildebeest and zebra migration of over 1.5 million animals.

This growing trend has created new opportunities, specifically for cloud security. There is now soaring demand for cloud security professionals. It is not news to those in the field of cybersecurity that cloud security skills are not only in demand but scarce. Cybersecurity professionals with cloud security skills are now very sought after. Security used to be the number one obstacle to organizations moving to the cloud. Now, security is the top reason that organizations want to move to the cloud. This only increases the demand for cloud security professionals.

Note

For more details, see 13 Cloud Computing Risks & Challenges Businesses Are Facing In These Days by Bernardita Calzon, published on June 6, 2022 on the datapine website (https://packt.link/xlnX6).

The aim of this book is to help cloud security professionals to pass the Google Cloud Platform (GCP) Professional Cloud Security Engineer exam. The topics covered in this book not only include exam-specific content but also extend to some optional GCP cloud security topics.

This chapter covers why you should take this exam, how to register, and what to expect in the exam.

In this chapter, we will cover the following topics:

The benefits of being a certified cloud security engineer
How to register for the exam
What to expect and some helpful tips

Benefits of being certified

As per Burning Glass, a leading labor market analytics firm, there is 115% projected growth for cloud security in the next five years. Not only are cloud security skills in demand, but it’s also a very lucrative field. For Google Cloud security skills more specifically, there is 113% growth expected. This makes having GCP cloud security knowledge a must for cybersecurity professionals. What’s more, earning the Professional Cloud Security Engineer certification will be a resounding endorsement of their skills.

Gaining a new skill or certification always helps boost your profile and increase your chances of being hired. The Google Cloud Professional Security Engineer certification validates a person’s proficiency in designing, developing, and managing a secure infrastructure that leverages Google Cloud Platform technologies. This globally recognized certification can offer various benefits, including the following:

Increased employability: This certification is recognized by many employers globally. It proves your skill set and makes you a desirable candidate for roles that involve Google Cloud security.
Higher earning potential: On average, certified Google Cloud professionals have a higher salary compared to non-certified professionals in similar roles.
Skill validation: The certification validates your knowledge and skills in Google Cloud Platform security. This can boost your confidence and credibility when dealing with projects or discussing solutions with clients or colleagues.
Professional development: The preparation process for the certification exam can significantly enhance your current understanding of Google Cloud Platform security features and best practices. This knowledge is critical for those who want to excel in the cloud security domain.
Keep up-to-date: The field of cloud technology is constantly evolving. The process of getting certified requires you to study and understand the latest Google Cloud security services, tools, and best practices.
Expand your professional network: When you become certified, you can join groups and communities of other certified professionals. This provides opportunities to network, learn, and share experiences.
Company benefits: If you’re a part of a company that’s a Google Cloud partner, your certification can contribute to your company’s partner level, which can offer additional benefits, resources, and recognition for the company.

Overall, being a certified Google Cloud Professional Security Engineer is a valuable credential that can open significant career opportunities and benefits in the rapidly growing field of cloud computing. Whether you’re looking to get certified or just acquire new skills, the aim of this book is to help you understand GCP’s cloud security capabilities.

Registering for the exam

The GCP Professional Cloud Security Engineer exam is two hours long and consists of multiple-choice questions. The exam can be taken at a testing center, or you can choose to have an online-proctored exam from a remote location. The cost of the exam is USD$200 plus tax and is only available in English. You can register for the exam by following these steps:

Navigate to the GCP Professional Cloud Security Engineer landing page at https://packt.link/PZx8D, where you can find more detailed information about the exam.

You will find many useful resources here, such as an exam guide, sample questions, training options, and links to community learning and the certification hub.

Select the option to book the exam by clicking on Register, which will take you to the Webassessor Google Cloud certification landing page at https://packt.link/2FmkY. You will need to create an account with Webassessor in order to book your exam.

Figure 1.1 – Logging in to Webassessor

Once you have created an account and logged in, you will need to select the exam you would like to register for. Here you will also be able to select whether you would like to sit the exam at a testing center or via the online-proctored method.

Figure 1.2 – Registration page

Note that for every exam, there is a + sign. By expanding that, you will be able to choose between the options of testing center and online-proctored.

Figure 1.3 – Exam selection

Next, you will be allowed to select a testing center.

Figure 1.4 – Select a testing center

Next, you will need to select a date and time when you wish to sit the exam at your preferred center.

Figure 1.5 – Book a date and time for the exam

Proceed to checkout and complete the transaction by either paying the fees or using a voucher, if you have one.

Figure 1.6 – Review and pay

Once you have completed the process, you have the option to make changes to either the center or the date/time. Please refer to the instructions in the confirmation email on how to reschedule without incurring cancellation charges.

Each center has specific requirements as to the identification you need to provide. All this information will be included in the email. Do pay attention to the requirements as you will not be allowed to sit the exam, whether online-proctored or on-site, if you do not have the proper identification.

Some useful tips on how to prepare

Cloud security exams are different from those for other security certifications. They require both depth and breadth of knowledge in multiple security domains. Most vendor security certifications focus on the product, but the GCP Professional Cloud Security Engineer exam focuses on domains such as identity and access management, data protection, network security, logging and monitoring, and security operations. It is important for those attempting the exam to have a sound understanding of the foundational security concepts. This book assumes that you already have basic knowledge of these concepts; if you don’t, it’s highly encouraged that you gain that knowledge before attempting the exam.

Every individual has a different way to prepare and study, but it’s advised that you follow the structure laid out in this book and build knowledge in the areas covered. If you are familiar with GCP security, you can skip chapters and/or read them in any order. For those who are new to GCP, it is highly recommended that you follow the sequence of chapters.

The GCP certification page (https://packt.link/WlaJJ) for the Professional Cloud Security Engineer exam contains some helpful details on the exam syllabus, an exam guide, and sample questions. Do take the time to read those as they offer insights. The content of this book is based on the exam blueprint.

The exam questions are multiple-choice and based on real-world scenarios. The test is based on your knowledge of GCP security products and technology. The topics and options can range from cloud security best practices and security configuration to product-specific security controls and how you would meet compliance objectives. The exam is geared toward what cloud security engineers experience day to day while performing their roles.

This book will help you prepare for the range of questions in the exam, and each chapter has a section to test your knowledge. Nothing compares to having hands-on experience; therefore, it is highly encouraged that you create a free GCP account if you don’t already have one and spend some time playing around with GCP’s security products. Google Cloud Skills Boost has a great collection of GCP security labs, and that collection is recommended for you to get some hands-on experience. In each chapter, there are links to whitepapers and relevant Google Cloud Skills Boost labs for you to complete. Please note that Google Cloud Skills Boost is a paid service; you can either buy a subscription or pay for each lab.

Another useful resource is courses offered by Google Cloud Skills Boost. In the Further reading section of each chapter, you will find links to Google’s official courses that are offered through Google Cloud Skills Boost. For those who are new to GCP or familiar with another cloud provider, it is highly recommended that you do some introductory GCP courses from Google Cloud Skills Boost. They will help you build a sound understanding of how GCP is different and what capabilities are offered.

Finally, some key things to remember for the exam. Many of you will already know this, but remember to read the questions very carefully. Most questions have a scenario to paint a picture, but the actual question that is asked is usually in the last line. For example, a question may describe how developers in an organization are building an application that stores sensitive data and how developers and end users access it. It is important to focus on aspects such as who the user is (the developer), how they access the application (by identity and access control), and what needs to be protected (the sensitive data). Extracting such information will help you identify the solution that addresses all those areas.

Always use the option of marking the question for later if you are not sure. Sometimes, the next question is asked in a way that answers the previous question. In that case, you can mark both questions to come back to later and then revisit them before you hit submit. Do keep some time at the end to revisit the questions. Often, when you do 60+ questions, you tend to overlook certain things. Giving yourself an opportunity to check your answers will help.

Summary

In this chapter, we looked at how the GCP Professional Cloud Security Engineer certification is distinguished from others by the kinds of security domains it concerns. We also covered the benefits of getting certified and how to register for the exam.

The next chapter will cover aspects of Google Cloud security at the infrastructure level to help you understand how Google secures its cloud footprint and the various compliance programs and standards it is compliant with.

Further reading

Refer to the following links for further information and reading:

Google Cloud Certification: https://packt.link/9hV9a
Professional Cloud Security Engineer: https://packt.link/knxFi
Google Cloud Skills Boost: https://packt.link/gyaJD

2

Google Cloud Security Concepts

In this chapter, we will cover Google Cloud’s security and compliance fundamentals. We will take a look at how Google Cloud secures its cloud infrastructure using strategies such as defense in depth and zero trust. On the compliance side, we will look at different compliance standards and frameworks that Google Cloud is compliant with. Google has a unique approach to shared security responsibility and recently adopted the shared fate concept. We will look at these ideas to get a better understanding of Google’s responsibility and the customer’s responsibility when it comes to security.

After that, we will look at the key pillars of security that Google applies to build a trusted infrastructure that doesn’t rely on a single technology but has multiple stacks. We will get a better understanding of each of those stacks and how and where they are applied. Finally, we will briefly cover aspects such as threat and vulnerability management from a Google infrastructure perspective.

The key topics in the chapter include the following:

Overview of Google Cloud security
Shared security responsibility
Addressing compliance with Google Cloud
The key pillars of security by design
Threat and vulnerability management

Overview of Google Cloud security

The concepts in this chapter don’t appear in the exam and are not part of the exam blueprint. As a Google Cloud security professional who will be responsible for securing enterprise workloads and making them compliant, it’s important that you gain a sound understanding of how Google secures its infrastructure. As a security practitioner myself, I have seen many customers who like to understand aspects such as how the underlying infrastructure is secured, how the hypervisor is secured, how Google achieves multi-tenancy, and which compliance objectives are and are not met. To be able to advise your customers or internal teams, it’s essential to know about these topics.

Google Cloud provides a very comprehensive set of security documentation on these topics and it’s highly recommended that you take the time to read them. This chapter is a summary of some of the key topics that you must know. There are links at the end of this chapter for you to refer to these documents.

Google has the mission to build the most trusted cloud. In order to achieve this, Google has implemented multiple layers of security to protect its infrastructure, the data, and its users. Let’s further understand how Google Cloud doesn’t rely on single technologies to make it secure, but rather builds progressive layers of security that deliver true defense in depth.

Google, from the beginning, built its infrastructure to be multi-tenant, and the hardware is Google built, managed, hardened, and operated. All identities, whether they are users or services, are cryptographically authenticated, and only authorized application binaries are allowed to run. Google applies zero-trust principles whereby there is no trust between services, and multiple mechanisms are applied to establish trust. As a Google Cloud user, you have the option to use the Google-operated, -owned, and -managed end-to-end private encrypted network. Google enforces Transport Layer Security (TLS) for its externally exposed Application Programming Interfaces (APIs) across its network, and any data stored on Google Cloud is encrypted by default. This makes things much simpler for organizations as it removes the overhead of managing encryption infrastructure and the lifecycle management of the encryption keys. You can find more on encryption and key management in Chapter 9, Google Cloud Key Management Service. The scale of Google’s network allows it to absorb the largest of DDoS attacks; protection from volumetric attacks (Layers 3 and 4) is applied by default. Last and most importantly, Google operates 24x7 security operations to detect threats and respond to security incidents.

In order to further strengthen its security posture, Google has end-to-end provenance. Google servers are custom-built for the sole purpose of running Google services and don’t include unnecessary components such as video cards that can introduce vulnerabilities. The same applies to software, including the operating system (OS), which is a stripped-down, hardened version of Linux. Google has also built Titan, a custom security chip that offers first-nanosecond boot integrity and allows for both server and peripherals to establish a hardware root of trust. Titan uses cryptographic signatures to validate low-level components such as the BIOS, bootloader, kernel, and base OS image during each boot or update cycle. Titan is embedded across Google’s hardware infrastructure, servers, storage arrays, and even Pixelbooks and the latest Pixel phones. Google has developed its own network hardware and software to enhance performance and security, resulting in custom data center designs that incorporate various layers of physical and logical protection. Moreover, by maintaining end-to-end control over its hardware stack, Google minimizes the risk of third-party vendors interfering. In the event of a vulnerability, Google’s security teams can promptly create and deploy a solution without relying on external parties.

Figure 2.1 – End-to-end provenance and attestation
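The boot-integrity chain described above, where a hardware root of trust validates the BIOS, bootloader, kernel, and base OS image before each stage hands off to the next, and records measurements for attestation, as an added illustrative model that is not Google's or the book's code. The stage images, the signing key, and the use of HMAC-SHA256 as a stand-in for the asymmetric signatures a real root of trust verifies are all assumptions made for the example.

```python
"""Verified-boot chain anchored in a hardware root of trust (constructed model).

Not Google code: the Titan chip from the text is modelled as a RootOfTrust that
holds one trusted verification key and checks each stage's signed manifest before
that stage may run. Signatures are simulated with HMAC-SHA256 over the stage hash,
an assumption standing in for the asymmetric signatures real hardware verifies.
"""
import hashlib
import hmac
from dataclasses import dataclass

# The chain the text describes: each stage is validated before handoff to the next
BOOT_STAGES = ("bios", "bootloader", "kernel", "base_os_image")

# Constructed stand-ins for the real firmware and OS binaries
SAMPLE_IMAGES = {
    "bios": b"bios-v1",
    "bootloader": b"bootloader-v1",
    "kernel": b"kernel-v1",
    "base_os_image": b"os-image-v1",
}
TRUSTED_KEY = b"constructed-signing-key"  # in hardware this never leaves the chip


@dataclass(frozen=True)
class SignedManifest:
    stage: str
    digest: bytes      # SHA-256 of the image as produced by the trusted build pipeline
    signature: bytes   # simulated signature over (stage name || digest)


def sign_stage(signing_key: bytes, stage: str, image: bytes) -> SignedManifest:
    """Build-pipeline side: hash the image and sign the (stage, digest) pair."""
    digest = hashlib.sha256(image).digest()
    signature = hmac.new(signing_key, stage.encode() + digest, "sha256").digest()
    return SignedManifest(stage, digest, signature)


def build_manifests(key=TRUSTED_KEY, images=SAMPLE_IMAGES):
    """Manifests for every stage, as shipped alongside a trusted release."""
    return {stage: sign_stage(key, stage, images[stage]) for stage in BOOT_STAGES}


class RootOfTrust:
    """Boot-integrity checker: verification key plus an ordered measurement log."""

    def __init__(self, verification_key: bytes):
        self._key = verification_key
        self.measurements = []   # digests of stages that passed, used for attestation
        self.halted_at = None    # first stage that failed verification, if any

    def verify_stage(self, manifest: SignedManifest, image: bytes) -> bool:
        # 1. The image actually present on the device must hash to the manifest digest
        actual = hashlib.sha256(image).digest()
        if not hmac.compare_digest(actual, manifest.digest):
            return False
        # 2. The manifest itself must carry a valid signature under the trusted key
        expected = hmac.new(self._key, manifest.stage.encode() + manifest.digest,
                            "sha256").digest()
        return hmac.compare_digest(expected, manifest.signature)

    def boot(self, manifests: dict, device_images: dict) -> bool:
        """Verify stages in order; stop at the first failure instead of continuing."""
        for stage in BOOT_STAGES:
            if not self.verify_stage(manifests[stage], device_images[stage]):
                self.halted_at = stage
                return False
            self.measurements.append(manifests[stage].digest)
        return True

    def attestation_quote(self) -> str:
        """Fold the measurement log into one value a remote verifier can compare."""
        h = hashlib.sha256()
        for m in self.measurements:
            h.update(m)
        return h.hexdigest()


def boot_device(device_images: dict, manifests=None, key=TRUSTED_KEY):
    """Boot with the given on-device images; returns (booted, halted_at, quote)."""
    rot = RootOfTrust(key)
    if manifests is None:
        manifests = build_manifests(key)   # manifests from the trusted pipeline
    booted = rot.boot(manifests, device_images)
    return booted, rot.halted_at, rot.attestation_quote()


if __name__ == "__main__":
    print("clean boot:", boot_device(SAMPLE_IMAGES))
    tampered = dict(SAMPLE_IMAGES, kernel=b"kernel-v1-modified")
    print("tampered kernel:", boot_device(tampered))
    print("wrong signer:", boot_device(SAMPLE_IMAGES, build_manifests(b"other-key")))
```

A modified kernel halts the chain at the kernel stage even though the earlier stages passed, and a manifest signed by an untrusted key is rejected at the very first stage; the attestation quote differs in both cases from the known-good chain.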

Data privacy is an important aspect for many customers using the cloud. A key Google Cloud differentiator is how Google Cloud has built-in privacy controls to earn customer trust. One of those services is Access Transparency; this service allows customers to gain visibility if and when Google engineers try to access a customer environment. A typical use case would be when a customer contacts Google Cloud support and an engineer is assigned to work to resolve the case and requires access to customer cloud components. In this case, Google can provide full transparency logs to the customer. All these cloud privacy commitments are backed by contractual agreements and commitments, including third-party independent assessments.

The data privacy commitments include the fact that as a customer you own and control your data; Google does not access your data or move it to another location. As a customer, you are responsible for securing and controlling access to your data. Furthermore, Google does not sell or use your data for advertising. There is no backdoor access to Google services for government or law enforcement. As covered earlier, Google encrypts all communications across physical boundaries and encrypts data at rest automatically without customer intervention, adding a further layer of security by default. Lastly, a unique and key differentiation of Google Cloud is how transparent Google is in sharing the logs of any activity that may have led to a Google engineer accessing customer data. This is done by a service that Google offers called Access Transparency. We will cover more on this in the coming chapters.

Shared security responsibility

Google offers a range of services on its cloud platform, including traditional Infrastructure as a Service (IaaS) services such as Google Compute Engine, Platform as a Service (PaaS) services such as managed databases, and also Software as a Service (SaaS). Besides these, Google Cloud offers a rich set of security products and services that customers can use to secure their workloads on Google Cloud. Broadly, when we talk about security on the cloud, we divide it into two parts: security of the cloud and security in the cloud. These are standard industry terms, where security of the cloud refers to what the cloud service provider is responsible for and security in the cloud is about the customer having the responsibility to use security products and services offered natively in the cloud or third-party products. As shown in Figure 2.2, the boundaries of responsibility between the customer and the cloud provider change based on the services selected. If the customer is using IaaS to host their workload, then the customer is responsible for protecting the virtual infrastructure, data, users, and monitoring. The responsibility shifts based on the type of service being used.

Figure 2.2 – Google Cloud’s shared security responsibility (IaaS)

Google has more recently adopted a shared fate rather than shared responsibility mindset. The premise of this is to operate using a shared fate model for risk management in conjunction with customers. Google believes that it’s their responsibility to be active partners as their customers deploy securely on Google Cloud, not to be delineators of where Google’s responsibility ends. Google is committed to standing with customers from day one, helping them implement best practices for safely migrating to and operating in a trusted cloud. This is a big step, with Google extending help to customers using Google Cloud and providing assurance that they will help customers not only when they are adopting the cloud but also if and when there are security incidents that require collaboration between Google and the customer. There is a great whitepaper on how Google responds to incidents and how the responsibility model works; do check out the link in the Further reading section for more details.

Addressing compliance on Google Cloud

Google is committed to building trust with customers through certifications and compliance across Google Cloud. A full list of compliance badges can be found here: https://packt.link/abHuN. As part of Google’s compliance commitments, all of Google’s products undergo various third-party independent assessments against compliance controls in order to achieve certifications for standards such as PCI-DSS, ISO, SOC 2, and so on. A full list of all compliance certifications and their relevant reports can be found on the Google Cloud website.

As a customer who is looking to adopt Google Cloud, compliance is key. In order to be compliant, Google implements hundreds of security controls to meet those compliance objectives. As a customer, when you move to Google Cloud, whether you host a single virtual machine or hundreds, you end up inheriting all of these security controls. This not only makes your security posture better but also takes the cost and complexity out of your project scope, making things much simpler from a compliance perspective.

Similar to security being a shared responsibility, compliance is also shared. Google is compliant with a number of international and local standards and privacy guidelines, such as the Personal Data Protection Act (PDPA), for various countries. Let’s take a look at PCI-DSS as an example of how shared responsibility for compliance works. As a customer, if you have the requirement to be PCI-DSS compliant, you can use Google Cloud to run your compliant workloads, by consuming Google Cloud services that are PCI compliant. A list of PCI compliance services can be found here: https://packt.link/nZhGL. From an infrastructure perspective, Google Cloud is compliant with PCI-DSS. Your responsibility as a customer includes securing and making your applications and services compliant. These applications and services are not part of Google’s core infrastructure, so they fall under the customer’s set of responsibilities. It should not be assumed that just because Google Cloud is compliant with PCI-DSS, you will automatically be compliant; although you do inherit compliance-specific controls, they are limited to Google infrastructure.

The next section will further explain how Google’s security and compliance controls are built into its cloud infrastructure.

Security by design

Google’s approach to security by design is to ensure that multiple technology stacks are deployed to secure the infrastructure, identities, services, and users. Figure 2.3 highlights the different layers of security that are built into the Google Cloud infrastructure.

Figure 2.3 – Google defense in depth

In this section, we will cover the key concepts, from operational security to physical security, that Google uses to deliver true defense in depth and at scale.

Operational security

Google’s operational security covers aspects such as how Google deploys software services, secures devices and credentials, addresses insider threats, and manages intrusion detection. Let’s look at each of these concepts briefly.

In order to securely deploy software services, Google has a secure central control and conducts two-way reviews. Furthermore, Google also provides libraries that prevent developers from introducing certain vulnerabilities such as XSS attacks in web applications. In addition to using automated tools for source code static analysis and identifying bugs, manual security testing is also conducted. These manual tests are run by experts covering areas such as web security, cryptography, and operating systems.

Google also runs a Vulnerability Rewards Program where they pay anyone who discovers and discloses bugs in Google’s infrastructure or applications.

Google implements robust security measures to protect employee devices and credentials. In fact, Google leverages a service accessible to all cloud users to safeguard its own devices and user credentials. Through BeyondCorp Enterprise, Google ensures that appropriate users have timely access to designated applications. This approach involves continuous monitoring of devices and users, regular patching and updates, enforcement of strong authentication measures, and utilization of two-factor authentication (2FA) at Google. Additionally, application-level access controls restrict access to internal applications solely for authorized users accessing the service from managed devices and from network addresses or geolocations that align with the established policy.

To address insider risk, all privileged user access is actively monitored. To further limit employee access, any privileged action that can be safely performed using automation is done so. All users who have access to end-user data have their activity logged and monitored by the security team for access patterns and to investigate anomalies. More details on how Google Cloud does this can be found here: https://packt.link/PuBbM.

Google uses very sophisticated intrusion detection techniques, where all data processing pipelines integrate with both host- and network-level signals. These signals are combined with detection rules and machine learning to identify potential threats that are monitored and actioned by security operation teams around the clock. Google also conducts an active Red Team exercise to improve security and its overall effectiveness.

Network security

We have already covered how Google owns, operates, and manages its own global private network, which is fully encrypted and has TLS enforced. This not only delivers lower latency but improves security. Once customers’ traffic is on Google’s network, it no longer transits the public internet, making it less likely to be attacked, intercepted, or manipulated in transit. Besides this, Google also secures its Google Front Ends (GFEs). When a service wants to make itself available on the internet, it can register itself with the GFE. The GFE performs a number of functions, such as ensuring that the correct certificates are used for terminating TLS and applying best practices such as perfect forward secrecy. GFEs also provide protection against DDoS attacks. Google has multi-tier and multi-layer protection for DDoS to ensure that the services behind GFEs are protected from such volumetric attacks. Besides GFEs, there are multiple layers of hardware- and software-based load balancers that are both network- and application-aware. All these security controls, together with Google’s global-scale infrastructure, ensure that the largest of the DDoS attacks can be absorbed and mitigated.

Besides these network-based security controls, Google further enforces user authentication before it allows any access to its network. The user authentication goes beyond a simple username and password and also intelligently challenges users for additional information based on risk factors. These risk factors include information about the device the user is logging in from, such as the IP address and geographical location of the device. Once past these controls, the user is then prompted for a second factor before access is granted.

Data security

Google ensures that data in motion and data at rest are both secured. We’ve already covered how Google enforces TLS for all data in motion and encryption by default for data at rest. In addition to the default encryption of data at rest, as a Google Cloud user you can select from a variety of options for how your data is encrypted. Recall the previous section on data privacy and Google’s commitment to establishing itself as a trusted cloud provider: as a Google Cloud customer, you have full control and ownership over your data. You can rely on the default encryption, or use Cloud Key Management Service, which can perform the entire key lifecycle management. Alternatively, you can use Cloud Key Management Service and import your own key material (the Bring Your Own Key (BYOK) route), or use multi-tenant Cloud HSM, which provides FIPS 140-2 Level 3 protection for your keys. If you operate in a highly regulated environment and need to retain full control of the keys and the infrastructure, you also have the option of a Google-partner-provided external HSM that is integrated with an external key management service and accessed via Google’s Cloud Key Management Service. More on this in Chapter 9, Google Cloud Key Management Service.
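As an added example (not code from the book), the customer-managed key option described above expressed as Terraform: a Cloud KMS key whose material is held in Cloud HSM and rotated automatically, set as the default encryption key of a Cloud Storage bucket. The project ID, region, and resource names are placeholders.

```hcl
# Added example, not from the book: CMEK for a Cloud Storage bucket with the
# key held in Cloud HSM and its lifecycle (rotation) managed by Cloud KMS.
# Project ID, region, and bucket names below are placeholders.
variable "project_id" { default = "example-project-id" }
variable "region"     { default = "europe-west1" }

provider "google" {
  project = var.project_id
  region  = var.region
}

# Key ring and key: Cloud KMS rotates the key every 90 days.
resource "google_kms_key_ring" "data" {
  name     = "data-keyring"
  location = var.region
}

resource "google_kms_crypto_key" "bucket_key" {
  name            = "bucket-cmek"
  key_ring        = google_kms_key_ring.data.id
  purpose         = "ENCRYPT_DECRYPT"
  rotation_period = "7776000s" # 90 days

  version_template {
    algorithm        = "GOOGLE_SYMMETRIC_ENCRYPTION"
    protection_level = "HSM" # key material stays inside Cloud HSM (FIPS 140-2 Level 3)
  }
}

# Cloud Storage encrypts objects through a per-project service agent; it must
# be granted use of the key, otherwise writes to the bucket fail.
data "google_storage_project_service_account" "gcs" {}

resource "google_kms_crypto_key_iam_member" "gcs_uses_key" {
  crypto_key_id = google_kms_crypto_key.bucket_key.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:${data.google_storage_project_service_account.gcs.email_address}"
}

resource "google_storage_bucket" "sensitive" {
  name                        = "${var.project_id}-sensitive-data"
  location                    = var.region
  uniform_bucket_level_access = true

  encryption {
    default_kms_key_name = google_kms_crypto_key.bucket_key.id
  }

  depends_on = [google_kms_crypto_key_iam_member.gcs_uses_key]
}
```

Disabling or destroying a key version makes every object encrypted under it unreadable, so key state changes should be gated by the same change controls as the data itself.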

The challenge with data security is that the data has to remain secure throughout its lifecycle. Whether the data is being created, shared, stored, analyzed, archived, or deleted, it has to be secure. This brings us to how Google manages the data deletion side of things. A key concern for customers is this: when you stop using a service in which you stored sensitive data, and you have deleted that data, how can you be sure it has also been wiped from the physical media? Let’s take a quick look at the controls and compliance side of data deletion. When you delete data on Google Cloud, it is not removed immediately but marked as scheduled for deletion, so if you have deleted your data accidentally, you have the option to recover it. After the data is scheduled for deletion, it is deleted in accordance with service-specific policies.

Google details its data handling and data governance practices in its whitepaper Trusting your Data with Google Cloud Platform; a link to this resource can be found in the Further reading section of this chapter. We will cover the data management side of things in more detail in the next chapter, on trust and compliance on Google Cloud.

Services and identity