The Google Cloud Platform Professional Security Certification is perhaps on the more difficult exams I have taken in quite a while. It makes the AWS Security Specialty look like an exam for kindergarten.

Matter of fact, you may want to go get a root canal instead.

The Professional Cloud Security Engineer certification is focused on designing, validating and implementing secure infrastructure on the Google Cloud Platform.

The certification focuses on five areas for secure design and operation in Google Cloud

Configuring access within a cloud solution environment
Configuring network security
Ensuring data protection
Managing operations within a cloud solution environment
Ensuring compliance

Now if I did not scare you away, lets move on to the Top Ten areas of focus and also Ive provide a good amount of links below as well.

One of the main things I noticed on the exam was the level of detail you really needed to understand about various security products. The one thing I found easier about this exam than the AWS Security exam is just the fact that GCP is easier overall to do just about anything especially handling security and for that matter there are less products to remember.

The exam objectives are here. https://cloud.google.com/certification/cloud-security-engineer

As a courtesy Ive put together a top ten list of areas that you really want to focus on before taken the exam. Lets get started.

10. Cloud Identity and GSuite Organizations

Now this is one area that I find a lot of customers and students do not know well because they just dont use. This exam will test you somewhat thoroughly on this area.

For example, in GCP all you have to do to allow an outside user is to add their Gmail or GSuite user account to a project You can also add a Gsuite domain as a user and create what is really effectively an admin domain and there your organization is linked to your G Suite domain.

From an ownership perspective all billing accounts, projects, and resources created by domain members belong to the organization instead of users who create them.

Know what Google Cloud Directory Sync (GCDS) is, how the GSuite Admin can automatically add, modify, and delete users, groups, and non employee contacts to synchronize the data in a GSuite domain with an LDAP directory server or MS Active Directory. Note that data in the LDAP directory server is never modified or compromised. (one way update) GCDS is a secure tool that help keep track of users and groups.

Cloud Platform is extremely flexible, secure and of course useful even without Organizations. However, to enable the full sprectrum of services in Google Cloud Platform an “Organization” is really needed and here comes GSuite.

An organization node is top-level node of the hierarchy is the Organization resource hierarchy. The Organization resource represents an organization such as yourcompany.com. The Organization resource provides central visibility and control over all resources further down the hierarchy.

Figure 1 GCP Hierarchy

This image has an empty alt attribute; its file name is image-15.png

Some of the security related services that could be enabled with an organization are

Cloud IAM Folders
Security Command Center
Threat Detection
Content-Award Proxy
Access Context Manager
VPC Service Controls

Another option is to consider using Cloud Identity which is an Identity as A Service from Google.

Below is the link for Cloud Identity comparing with Gsuite https://gsuiteupdates.googleblog.com/2017/06/enterprise-identity-made-easy-in-g-suite-with-cloud-identity.html

9. IAM Commands

You will be expected to know gcloud and how to use it for IAM related information. Here a few commands.

Get IAM Policy for project

gcloud projects get-iam-policy my-project-test

Copy IAM roles..

gcloud iam roles copy

8. Authentication Process

This decision tree that Google Cloud has provided really does a great job at helping you prepare.

Figure 2. GCP Authorization Workflow

Here is a link you really need to review.

https://cloud.google.com/blog/products/identity-security/identity-and-authentication-the-google-cloud-way

7. Understanding Roles inside and out.

Yes, sounds simple but sometimes not. Heres the simple part and read on for the hard part.

Googles best practice is to create a group and then a role.

“We recommend collecting users with the same responsibilities into groups and assigning Cloud IAM roles to the groups rather than to individual users.”

Chuck Schumer once stated “Let me tell you, you take on the intelligence community, they have six ways from Sunday at getting back at you,”

Figure 3. Chucky

Google Cloud has at least seven ways of getting you around implementing and knowing roles. For example, you need to know better than the back of your hand roles for specific services. I wont disclose of course which ones but expect the common ones in Compute and data services to focus on.

Figure 4 GCP App Engine Roles

I wont disclose of course exactly which ones but expect the common ones in Compute and data services to focus on. For example

Cloud Storage – Admin vs Creator vs Viewer
Compute Engine – Admin vs Instance Admin
Spanner – Viewer vs Database User
BigQuery – User vs JobUser
App Engine – Viewer vs Deployer

Understand the difference between Primitive, Pre-defined and Custom roles and their use cases

Project Roles to give to Auditors such as Org viewer, project viewer

6. Compliance and Handling Auditors

Auditors are a part of life in IT. We should expect to deal with them, plus as a contractor its great for extra billing hours

As on any exam, Google Cloud Enterprise Best practices are well tested. Read this page of course many times over.

https://cloud.google.com/docs/enterprise/best-practices-for-enterprise-organizations

Figure 5 Auditors Best Practices.

Remember ensure you memorize the Project Roles to give to Auditors such as Org viewer, project viewer

Googles best practice is to create a group and then a role.

“We recommend collecting users with the same responsibilities into groups and assigning Cloud IAM roles to the groups rather than to individual users.”

Create a ROLE for Auditors after you create a group and they will inherit the defined permissions. You can create and manage groups through the Admin Console.

5. Identity Aware Proxy (IAP)

Do the “IAP baby.”.. Its not a dance, just something you really need to know really well. Better than the bankers know money laundering.

Out of all seriousness IAP is serious stuff. Know it and use it.

Cloud IAP works by verifying user identity and context of the request to determine if a user should be allowed to access an application or a VM. Think of Cloud IAP as both an efficiency since it provides faster sign in but also a security feature that will block unauthorized VM access.

The main selling point for IAP is to control access to your enterprise applications from unauthorized external networks while integrating with existing IAM policies. Effectively whitelisting meaning that your choosing your winners on the list.

SSH/TCP access can be used with App Engine, Kubernetes Engine and Compute Engine. HTTP based acces can used with the HTTPS Load balancer.

Figure 6 Cloud IAP

IAP provides two distinct levels of security authorization goodness.

Resource Authorization — Uses what are Oauth2 flows which generate a signed access token. As expected IAP will use this token to validate identity for application level access.
App Validation — This works at a user’s identity level by using signed headers that are generated by IAP. Consider this as a secondary level of protection since it would catch a bypass IAP attempt

Cloud IAP sessions are tied to the underlying Google login session and Cloud IAP uses this cookie to confirm that the user is still signed into their Google account. Note that standard Cloud IAP login flow has a one-hour expire time in the Cloud IAP session cookie and is ignored after. Login sessions are instead secured with account state checks.

Figure 7 GCP Session Process

Cloud IAP requires a user to sign back into their Google account before accessing a Cloud IAP-secured app.

The following are a few situations that require the user to sign back in:

•The user signed out of their account

•Their account was suspended

•The account requires a password reset

If a user is signed out, Cloud IAP detects a Google account state change within a couple minutes. Once detected, Cloud IAP invalidates the session.

4. VPC Flow Logs

Capturing traffic packets that are moving through your VPC network interfaces is still a secret. I am surprised by how few implementations I have seen where this is a known option.

Cloud administrators need to enable flow logs for network subnets which are hosting VM instances. The main reason to use these flow logs are to identify, troubleshoot and analyze specific traffic when it is not reaching an instance. Flow logs are an essential way to identify traffic patterns, overspending, application issues and overall provide transparency.

The logs can be viewed via Stackdriver Logging and for that matter should be exported to BigQuery for analysis. The breadth of network logging is critical for a solid cloud security posture and performing security analytics. Flow Logs could be used with security analysis tools to investigate patterns that could indicate an Advanced Persistent Threat or the run of the mill threats. Use it or you could lose more.

3. Know what Web Security Scanner can really do and how it works

Utilizing Cloud Web Security Scanner (Formerly Security Scanner)- In a true DevOps environment its always better to test applications before you deploy them. This tool can help you find security problems in your app so you can head off potential vulnerabilities such as

Figure 8 Cloud Web Security Scanner

Cross-site scripting (XSS)
Flash injection
Mixed-content
Clear text passwords
Usage of insecure JavaScript libraries

Web Security Scanner API currently supports the App Engine standard environment and App Engine flexible environments, Compute Engine instances, and GKE resources.

It is important to note that Web Security Scanner does not replace a manual security review process nor does it not guarantee that your application is free from security flaws. Think of this solution as the check before the check..

2. Managing SSH keys for Linux VMs

One area that you may want to play around with before the exam is to know the many different approachs for securing and logging into you VMS

If you just want to give a user the ability to connect to a virtual machine instance using SSH, but don’t want to grant them the ability to manage Compute Engine resources, add the user’s public key to the project, or add a user’s public key to a specific instance.

You can avoid adding a user as a project member, while still granting them access to specific instances.

OS Login simplifies SSH access management by linking your Linux user account to your Google identity.

Use OS Login to manage SSH access to your instances using IAM without having to create and manage individual SSH keys.

OS Login maintains a consistent Linux user identity across VM instances and is the recommended way to manage many users across multiple instances or projects.

https://cloud.google.com/compute/docs/oslogin/

1 Cloud Audit Logs and Transparency Logs

Stackdriver Logging – Audit Logs

Note that not all GCP services provide audit logs, for a list of GCP services that provide audit logs, go to Google services with audit logs.

Transparency Logging can be enabled if your GCP organization has one of the following role-based support packages:

Enterprise Support
Four or more Development roles
Four or more Production roles
A combination of four or more Development or Production roles

Cloud Audit Logs maintains three audit logs for each Google Cloud Platform project, folder, and organization: Admin Activity, Data Access, and System Event.

They write audit log entries to these logs to help you answer the questions of “who did what, where, and when?” within your GCP resources.

Cloud Audit Logging returns two types of logs:

Admin activity logs: Contains log entries for operations that modify the configuration or metadata of a Compute Engine resource. Any API call that modifies a resource such as creation, deletion, updating, or modifying a resource using a custom verb fall into this category.
Data access logs: Contains log entries for operations that perform read-only operations do not modify any data, such as get, list, and aggregated list methods

https://cloud.google.com/logging/docs/audit/

Additional Links

Now this is a far from an exclusive list of what you need to study. Just the areas of focus you may to ensure you know well.

Other areas are focus. Application Security, Stackdriver, DDos, Oath, Managing secrets, Know best practice, Changing Secrets – Rotating or using cache , Encryption at Rest options – Application Level via Cloud KMS is recommended for buckets and Default encryption is via Cloud Storage for Buckets.

Google Cloud has provided a FREE practice exam.. (Unlike AWS).

https://cloud.google.com/certification/practice-exam/cloud-security-engineer

Additional Links for Study

https://blog.paloaltonetworks.com/2019/04/8-google-cloud-security-best-practices/

https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/october/securing-google-cloud-platform-ten-best-practices/

https://cloud.google.com/blog/products/identity-security/identity-and-authentication-the-google-cloud-way

https://cloud.google.com/docs/enterprise/best-practices-for-enterprise-organizations