On Thursday 24th of January, I woke up to great news. Firstly, I’ve become GCP certified “Professional Cloud Developer” by passing my 3rd certification and 2nd beta exam. Secondly, Google announced two new beta certifications. On the same day I’ve registered for both Google Cloud Certified - Professional Cloud Network Engineer and Google Cloud Certified - Professional Cloud Security Engineer exams.
I had an opportunity to sit Professional Cloud Security Engineer BETA on 9th of February and here is an outline of my journey.
My GCP experience to date
I’ve been learning about GCP from around February 2018 and got fully committed to it from May onwards. I’ve chosen GCP cloud vs AWS as it was better suited for current and future company needs @ Loveholidays.com. We’ve successfully migrated from physical servers with KVM VMs environment to GCP where we are running most of our workloads inside of GKE. Since May I’ve worked with HTTP(S), TCP, Internal load-balancers, firewall rules, regular and hosted/service network VPCs, GKE (including VPC-Native alias IP clusters), VPNs, NAT Instances, Cloud Routers, Cloud Armor, Hybrid Connectivity with Interconnect, GCE instances with private IPs, network tagging, static routes, VPC peering, Stackdriver and few more technologies.
While hands-on experience is invaluable, sometimes you miss on a bigger picture of the available infrastructure when you find yourself working only with a subset of available GCP network technologies. Here is what I’ve used:
Architecting with Google Cloud Platform - I’ve done this Specialization while preparing for Cloud Architect Professional exam, course materials are fundamental to every GCP certification I’ve done so far.
Security in Google Cloud Platform - brand new Specialization that I’ve started a day before the exam, but it is filled with security content related to networking and permissions which you’ll be questioned about.
I’ve covered below material in preparation for previous certifications, but find it very valuable in the security exam too.
An actual exam
Beta exam is 4 hours long and consisted out of 113 questions. This is significantly more than 96 questions in the Network Engineer beta exam. Having attempted Network Engineer exam a week earlier, I felt that the majority of the security questions were more accessible. A lot of this was due to questions and answers being shorter - so you spend less time focusing and comprehending. There were no questions long enough to justify scrolling - which is welcome. I felt like a lot of questions were quite binary, and it was apparent what the correct answer is. Fewer questions were of “most correct” type which usually takes longer to answer right. Few questions forced me to rely on pure luck. In 1 hour 30 minutes, I’ve completed my first pass of the exam, and I’ve spent around 15-20 minutes more to review 20 of the questions which I’ve marked for the review.
The exam was reasonably challenging but mostly fair. The biggest challenge is breadth of the GCP products which have their own security quirks. I have substantial practical experience with IAP, Cloud Identity, Cloud Builds, GKE and Cloud Armor, yet, the number of questions went in such detail and depth that made me doubt my prior knowledge. Just like in the Network Engineer exam there was a question about Firewall rules and priority which was very confusing. I would much preffer if proposed answers contained concrete numerical values, then phrases like “lower priority”.
- Cloud Identity-Aware Proxy
- Shared VPC
- VPC Network Peering
- [Cloud Identity & Access Management (IAM)](Cloud Identity & Access Management)
- Cloud Data Loss Prevention (DLP)
- Stackdriver Logging
- Cloud Storage
- Cloud Armor
- Configuring Private Google Access - private IP instances, access GCP services.
- Shared VPC - security and firewalls, subnets, IAM predefined and custom roles.
- Firewalls - priorities, default rules, tags vs SA targets, ways to deny all outbound internet traffic.
- VPC Network Peering - within the same Organisation, across Organisations, qualities of Peering vs other interconnectivity options, firewall rules across two peered projects.
- Flow logs
- Next Generation Firewalls
Cloud Data Loss Prevention (DLP)
- How to prevent / discover PII when logging into BigQuery, Cloud Storage, Stackdriver.
- How to remove customer’s PII while ignoring the company’s employees PII.
- How to mask PII for analysis and unmask selected items when the analysis is completed.
- RegEx vs DLP
- Where to use Cloud Armor vs Firewall rules
- Know types of attacks that Cloud Armor protects against
Cloud Identity-Aware Proxy
- How can app verify that request originates from the IAP
- How do you allow access via IAP? Groups, users, projects, folders, organisation
GKE and Cloud Build
- Methods for scheduling pods on selected nodes and for nodes to accept only certain types of pods
- Security patching containers running in GKE
- Using Google’s best practices when using secure and patched base images
- Best practices for building secure docker images
- Scanning built docker images for vulnerabilities
- Notifying on failed security scan
- Organisational, Folder, Project permissions
- Managing access levels between dev, stage and prod
- Permissions for working with Shared VPCs, firewall rules, subnets, Cloud Storage as the whole and individual buckets
- Know about Encryption at Rest
- Encrypting Compute Engine disks
- Cloud KMS and encryption standards used
- Cloud HSM
- Envelope Encryption - this will be questioned over and over again. Know this really well.
- Cloud Storage with CSEK
- Object Lifecycle (including gsutil commands to achieve this)
- Google vs Customer managed encryption keys
- Storage types and cost-effectiveness of each vs access frequency
- Retention Policies Using Bucket Lock
- Google Cloud Directory Sync
- What to do when company’s domain is taken
- How to deal with 3rd party app access, limit access
- Cloud Identity as your IdP
- Cloud Identity and external IdP
- Exporting logs into on-prem SIEM e.g. Splunk
- Log aggregation techniques across multiple projects
- Methods of notification on security violation in logs
- Shared Responsibility Model
- How to securely backup on-prem to GCP
- VPNs vs Cloud Interconnect
- Load-balancers - know regionality, ports, protocols and level of security provided.
- Managing DDOS by you and by GCP
- Know about Forseti security
- Know about Cloud Security Command Center
- High-level understanding of ISO 27XXX standards, GDPR, PCI
- Know about ways to achieve FIPS 140-2. Disk encryption and TLS.
- Security patching Compute Engine instances
- Organization Policy Constraint
- Authorized outbound networking (PCI)
- Google Cloud Services most fit (least effort) for PCI
- BigQuery security wasn’t included