Learning Objectives and Skills Acquired
- Understand Google's approach to security
- Manage administrator identities with Cloud Identity
- Implement least-privilege administrative access using Google Cloud Resource Manager and Cloud IAM
- Implement IP traffic controls using VPC firewalls and Cloud Armor
- Implement Identity Aware Proxy
- Analyze changes to resource configuration or metadata using GCP audit logs
- Scan for and redact sensitive data using the Data Loss Prevention API
- Scan a GCP deployment using Forseti
- Remediate important types of vulnerabilities, especially public access to data and virtual machines (VMs)
Teaching Format
Classroom instruction in Chinese by a Google-certified instructor
Course Materials and Labs
Official Google course materials and Qwiklabs labs
Intended Audience
- Cloud information security analysts, architects, and engineers
- Information security / cybersecurity specialists
- Cloud infrastructure architects
- Cloud application developers
Prerequisites
- Basic knowledge of information security:
  - Fundamental concepts:
    - Vulnerability, threat, attack surface
    - Confidentiality, integrity, availability
    - Common threat types and their mitigation strategies
  - Public-key cryptography:
    - Public and private key pairs
    - Certificates
    - Cipher types
    - Key width
    - Certificate authorities
  - Transport Layer Security / Secure Sockets Layer encrypted communication
  - Public key infrastructures
  - Security policy
- Familiarity with command-line tools and Linux operating system environments
- Systems operations experience, including deploying and managing applications, either on-premises or in a public cloud environment
- Ability to read and understand code in Python or JavaScript
Course Outline
The course includes classroom lectures, demonstrations, and hands-on labs.
PART I: Managing Security in Google Cloud Platform
Module 1: Foundations of GCP Security
Topics:
- Google Cloud's approach to security
- The shared security responsibility model
- Threats mitigated by Google and by GCP
- Access Transparency
Labs: none listed
Module 2: Cloud Identity
Topics:
- Cloud Identity
- Syncing with Microsoft Active Directory
- Choosing between Google authentication and SAML-based SSO
- GCP best practices
Labs: none listed
Module 3: Identity and Access Management
Topics:
- GCP Resource Manager: projects, folders, and organizations
- GCP IAM roles, including custom roles
- GCP IAM policies, including organization policies
- GCP IAM best practices
Labs: none listed
Module 4: Configuring Google Virtual Private Cloud for Isolation and Security
Topics:
- Configuring VPC firewalls (both ingress and egress rules)
- Load balancing and SSL policies
- Private Google API access
- SSL proxy use
- Best practices for structuring VPC networks
- Best security practices for VPNs
- Security considerations for interconnect and peering options
- Available security products from partners
Labs:
- Configuring VPC Firewalls
- Viewing and using VPC flow logs in Stackdriver
Module 5: Monitoring, Logging, Auditing, and Scanning
Topics:
- Stackdriver monitoring and logging
- VPC flow logs
- Cloud audit logging
- Deploying and using Forseti
Labs:
- Installing Stackdriver Agents
- Configuring and using Stackdriver logging and monitoring
- Configuring and viewing Audit Logs in Stackdriver
PART II: Mitigating Vulnerabilities on Google Cloud Platform
Module 6: Securing Compute Engine: techniques and best practices
Topics:
- Compute Engine service accounts, default and customer-defined
- IAM roles for VMs
- API scopes for VMs
- Managing SSH keys for Linux VMs
- Managing RDP logins for Windows VMs
- Organization policy controls: trusted images, public IP address, disabling serial port
- Encrypting VM images with customer-managed encryption keys and with customer-supplied encryption keys
- Finding and remediating public access to VMs
- VM best practices
- Encrypting VM disks with customer-supplied encryption keys
Labs:
- Configuring, using, and auditing VM service accounts and scopes
- Encrypting disks with customer-supplied encryption keys
Module 7: Securing cloud data: techniques and best practices
Topics:
- Cloud Storage and IAM permissions
- Cloud Storage and ACLs
- Auditing cloud data, including finding and remediating publicly accessible data
- Signed Cloud Storage URLs
- Signed policy documents
- Encrypting Cloud Storage objects with customer-managed encryption keys and with customer-supplied encryption keys
- Best practices, including deleting archived versions of objects after key rotation
- BigQuery authorized views
- BigQuery IAM roles
- Best practices, including preferring IAM permissions over ACLs
Labs:
- Using customer-supplied encryption keys with Cloud Storage
- Using customer-managed encryption keys with Cloud Storage and Cloud KMS
- Creating a BigQuery authorized view
Module 8: Protecting against Distributed Denial of Service Attacks: techniques and best practices
Topics:
- How DDoS attacks work
- Mitigations: GCLB, Cloud CDN, autoscaling, VPC ingress and egress firewalls, Cloud Armor
- Types of complementary partner products
Labs:
- Configuring GCLB, CDN, and traffic blacklisting with Cloud Armor
Module 9: Application Security: techniques and best practices
Topics:
- Types of application security vulnerabilities
- DoS protections in App Engine and Cloud Functions
- Cloud Security Scanner
- Threat: Identity and OAuth phishing
- Identity Aware Proxy
Labs:
- Using Cloud Security Scanner to find vulnerabilities in an App Engine application
- Configuring Identity Aware Proxy to protect a project
Module 10: Content-related vulnerabilities: techniques and best practices
Topics:
- Threat: Ransomware
- Mitigations: Backups, IAM, Data Loss Prevention API
- Threats: Data misuse, privacy violations, sensitive/restricted/unacceptable content
- Mitigations: Classifying content using Cloud ML APIs; scanning and redacting data using the Data Loss Prevention API
Labs:
- Redacting sensitive data with the Data Loss Prevention API