Classes can be taken in person or remotely
Recommended preparation course for the Google Cloud Certified: Professional Cloud Security Engineer certification exam
- Understand Google's approach to security and manage identities with Cloud Identity
- Implement least-privilege administrative access using Google Cloud Resource Manager and Cloud IAM
- Implement IP traffic controls using VPC firewalls and Cloud Armor
- Implement Identity-Aware Proxy
- Analyze changes to the configuration or metadata of resources using GCP audit logs
- Build a secure Kubernetes environment
- Scan for and redact sensitive data using the Data Loss Prevention API
- Scan a GCP deployment with Forseti
- Mitigate important types of vulnerabilities, especially those arising from public access to data and VMs
- Cloud information security analysts, architects, and engineers
- Information security / cybersecurity specialists
- Cloud infrastructure architects
- Developers of cloud applications
- Completion of the Google Cloud Platform Fundamentals: Core Infrastructure course, or equivalent knowledge
- Completion of the Networking in Google Cloud Platform course, or equivalent knowledge
- Basic knowledge of information security:
  - Basic concepts:
    - Vulnerability, threat, attack surface
    - Confidentiality, integrity, availability
    - Common threat types and their mitigation strategies
  - Public-key cryptography
    - Public and private key pairs
    - Certificates
    - Cipher types
    - Key width
    - Certificate authorities
  - Transport Layer Security (TLS) / Secure Sockets Layer (SSL) encrypted communication
  - Public key infrastructures
  - Security policy
- Basic concepts:
  - Familiarity with command-line tools and working in a Linux environment
  - Systems operations experience, including deploying and managing applications on-premises or in a public cloud environment
  - Ability to read and understand code written in Python or JavaScript
The course consists of lectures, demonstrations, and hands-on labs for participants
Module 1: Foundations of GCP Security
- Understand the GCP shared security responsibility model.
- Understand Google Cloud’s approach to security.
- Understand the kinds of threats mitigated by Google and by GCP.
- Define and understand Access Transparency and Access Approval.
Module 2: Cloud Identity
- Cloud Identity.
- Syncing with Microsoft Active Directory using Google Cloud Directory Sync.
- Using Managed Service for Microsoft Active Directory (beta).
- Choosing between Google authentication and SAML-based SSO.
- Best practices, including DNS configuration, super admin accounts.
Module 3: Identity, Access, and Key Management
- GCP Resource Manager: projects, folders, and organizations.
- GCP IAM roles, including custom roles.
- GCP IAM policies, including organization policies.
- GCP IAM Labels.
- GCP IAM Recommender.
- GCP IAM Troubleshooter.
- GCP IAM Audit Logs.
- Best practices, including separation of duties and least privilege, the use of Google groups in policies, and avoiding the use of primitive roles.
Module 4: Configuring Google Virtual Private Cloud for Isolation and Security
- Configuring VPC firewalls (both ingress and egress rules).
- Load balancing and SSL policies.
- Private Google API access.
- SSL proxy use.
- Best practices for VPC networks, including peering and shared VPC use, correct use of subnetworks.
- Best security practices for VPNs.
- Security considerations for interconnect and peering options.
- Available security products from partners.
- Defining a service perimeter, including perimeter bridges.
- Setting up private connectivity to Google APIs and services.
Module 5: Securing Compute Engine: techniques and best practices
- Compute Engine service accounts, default and customer-defined.
- IAM roles for VMs.
- API scopes for VMs.
- Managing SSH keys for Linux VMs.
- Managing RDP logins for Windows VMs.
- Organization policy controls: trusted images, public IP address, disabling serial port.
- Encrypting VM images with customer-managed encryption keys and with customer-supplied encryption keys.
- Finding and remediating public access to VMs.
- Best practices, including using hardened custom images, custom service accounts (not the default service account), tailored API scopes, and the use of application default credentials instead of user-managed keys.
- Encrypting VM disks with customer-supplied encryption keys.
- Using Shielded VMs to maintain the integrity of virtual machines.
Module 6: Advanced Logging and Analysis
- Cloud Storage and IAM permissions.
- Cloud Storage and ACLs.
- Auditing cloud data, including finding and remediating publicly accessible data.
- Signed Cloud Storage URLs.
- Signed policy documents.
- Encrypting Cloud Storage objects with customer-managed encryption keys and with customer-supplied encryption keys.
- Best practices, including deleting archived versions of objects after key rotation.
- BigQuery authorized views.
- BigQuery IAM roles.
- Best practices, including preferring IAM permissions over ACLs.
Module 7: Securing Applications: techniques and best practices
- Types of application security vulnerabilities.
- DoS protections in App Engine and Cloud Functions.
- Cloud Security Scanner.
- Identity Aware Proxy.
Module 8: Securing Kubernetes: techniques and best practices
- Authorization.
- Securing Workloads.
- Securing Clusters.
- Logging and Monitoring.
Module 9: Protecting against Distributed Denial of Service Attacks
- How DDoS attacks work.
- Mitigations: GCLB, Cloud CDN, autoscaling, VPC ingress and egress firewalls, Cloud Armor (including its rules language).
- Types of complementary partner products.
Module 10: Protecting against content-related vulnerabilities
- Threat: Ransomware.
- Mitigations: Backups, IAM, Data Loss Prevention API.
- Threats: Data misuse, privacy violations, sensitive/restricted/unacceptable content.
- Threat: Identity and OAuth phishing.
- Mitigations: Classifying content using Cloud ML APIs; scanning and redacting data using Data Loss Prevention API.
Module 11: Monitoring, Logging, Auditing, and Scanning
- Security Command Center.
- Stackdriver monitoring and logging.
- VPC flow logs.
- Cloud audit logging.
- Deploying and Using Forseti.

