You're reading from Official Google Cloud Certified Professional Cloud Security Engineer Exam Guide

Product type: Book
Published in: Aug 2023
Publisher: Packt
ISBN-13: 9781835468869
Edition: 1st Edition

Authors (2): Ankush Chowdhary, Prashant Kulkarni

Ankush Chowdhary

With an unwavering focus on technology spanning over two decades, Ankush remains genuinely dedicated to the ever-evolving realm of cybersecurity. Throughout his career, he has consistently upheld a deep commitment to assisting businesses on their journey towards modernization and embracing the digital age. His guidance has empowered numerous enterprises to prioritize and implement essential cybersecurity measures. He has had the privilege of being invited as a speaker at various global cybersecurity events, where he had the opportunity to share his insights and exert influence on key decision-makers concerning cloud security and policy matters. Driven by an authentic passion for education and mentorship, he derives immense satisfaction from guiding, teaching, and mentoring others within the intricate domain of cybersecurity. The intent behind writing this book has been a modest endeavor to achieve the same purpose.

Prashant Kulkarni

In his career, Prashant has worked directly with customers, helping them overcome different security challenges in various product areas. These experiences have made him passionate about continuous learning, especially in the fast-changing security landscape. Joining Google 4 years back, he expanded his knowledge of Cloud Security. He is thankful for the support of customers, the infosec community, and his peers who have sharpened his technical skills and improved his ability to explain complex security concepts in a user-friendly way. This book aims to share his experiences and insights, empowering readers to navigate the ever-evolving security landscape with confidence. In his free time, Prashant indulges in his passion for astronomy, marveling at the vastness and beauty of the universe.

Chapter 8: Advanced Network Security

In this chapter, we will look at advanced network security. This chapter is an extension of the previous chapter and part of the overall network security domain. The chapter will focus more on how to secure your Google Cloud environment using the advanced network security features that are available on Google Cloud. In this chapter, we will be discussing context-aware security and its related topics, such as Identity-Aware Proxy and Private Google Access. We will explore their purpose and learn how to configure them for various use cases.

After that, we will look at Google Cloud Virtual Private Cloud (VPC), where you can define a context-aware approach to secure your cloud resources. To secure your web applications on Google Cloud, we will look at web application firewalls, followed by learning how you can use services such as Cloud Armor to protect your environment from distributed denial-of-service attacks. We conclude this chapter by looking at...

Private Google Access

Private Google Access addresses the case where you want virtual machines (VMs)/Google Compute Engine (GCE) instances that have only internal (private) IP addresses, and no external IP address, to reach Google APIs. Instances without external IP addresses cannot normally reach Google Cloud’s public API endpoints; the Private Google Access service provides that capability. Let’s look at some use cases for why Private Google Access is required before we learn how to configure the service.

VMs often have to communicate with managed services, for example, Google Cloud Storage, BigQuery, and GCE. Managed services expose a public endpoint, for example, storage.googleapis.com. Assigning an external IP address to every VM that needs to communicate with a public API would be neither practical, because valid IPv4 addresses are scarce, nor secure. Private Google Access allows communication with Google API public endpoints without requiring an...
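The configuration the section describes, as an added example rather than the book's own code: it enables Private Google Access on a subnet and, as an optional step, adds a private Cloud DNS zone so that Google API names resolve to the private.googleapis.com range. PROJECT, NETWORK, SUBNET and REGION are assumed placeholders; commands are printed unless APPLY=1.

```shell
# Added example (not the book's code): enable Private Google Access on a subnet
# and resolve Google API names to the private.googleapis.com VIPs, so VMs with
# only internal IPs can reach endpoints such as storage.googleapis.com.
# PROJECT, NETWORK, SUBNET and REGION are assumed placeholders.
PROJECT="${PROJECT:-my-project}"
NETWORK="${NETWORK:-prod-vpc}"
SUBNET="${SUBNET:-prod-subnet}"
REGION="${REGION:-us-central1}"

# Print each gcloud command unless APPLY=1, so the change can be reviewed first.
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# The setting is per subnet, not per VM: every internal-only instance in the
# subnet gains access to Google APIs at once.
enable_private_google_access() {
  run gcloud compute networks subnets update "$SUBNET" \
    --project="$PROJECT" --region="$REGION" --enable-private-ip-google-access
}

# Optional hardening: a private Cloud DNS zone that maps *.googleapis.com to
# private.googleapis.com (199.36.153.8/30). Those VIPs are reachable only from
# inside Google Cloud; the VPC still needs its route to the default internet
# gateway for that range, but no external IP on the VM is required.
create_private_dns() {
  run gcloud dns managed-zones create googleapis-private \
    --project="$PROJECT" --dns-name="googleapis.com." --visibility=private \
    --networks="$NETWORK" --description="Google APIs via Private Google Access"
  run gcloud dns record-sets create "private.googleapis.com." \
    --project="$PROJECT" --zone=googleapis-private --type=A --ttl=300 \
    --rrdatas="199.36.153.8,199.36.153.9,199.36.153.10,199.36.153.11"
  run gcloud dns record-sets create "*.googleapis.com." \
    --project="$PROJECT" --zone=googleapis-private --type=CNAME --ttl=300 \
    --rrdatas="private.googleapis.com."
}

# Verification: the subnet should report privateIpGoogleAccess as True.
check_private_google_access() {
  run gcloud compute networks subnets describe "$SUBNET" \
    --project="$PROJECT" --region="$REGION" --format="value(privateIpGoogleAccess)"
}

enable_private_google_access; create_private_dns; check_private_google_access
```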

Identity-Aware Proxy

IAP lets you configure centralized authorization to manage secure remote access to your VMs and applications. IAP and load balancers are in front of all your data requests. This provides a much simpler administration process, with less operational overhead, than more traditional VPN solutions. There is no VPN to implement and no VPN clients to install and maintain. It also makes the end user experience more streamlined as the user no longer has to launch the VPN client and sign in to the VPN.

In comparison to a traditional VPN, IAP takes an application-based access control approach instead of a network-based one. Access through IAP is possible only for users who have been granted the right IAM role. Authentication is done via Google Cloud Identity or a federated identity provider, and can include 2FA. To configure authorization using Cloud IAM, users need the IAP-secured Web App User role on the resource project being configured. We will look at...
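The IAP setup the section describes, as an added example that is not the book's code: IAP is enabled on a backend service, the IAP-secured Web App User role is granted to a group, and a firewall rule admits only IAP's TCP-forwarding range so administrators can SSH to internal-only VMs without a VPN. PROJECT, BACKEND, NETWORK, ZONE, MEMBER, the OAuth client values and the VM name are assumed placeholders; commands are printed unless APPLY=1.

```shell
# Added example (not the book's code): put a backend service behind IAP, grant
# the IAP-secured Web App User role to a group, and allow IAP TCP forwarding so
# admins reach internal-only VMs over SSH without a VPN or a public IP.
# PROJECT, BACKEND, NETWORK, ZONE, MEMBER, the OAuth client values and the VM
# name passed to ssh_via_iap are assumed placeholders.
PROJECT="${PROJECT:-my-project}"
BACKEND="${BACKEND:-web-backend}"      # backend service of the external HTTPS LB
NETWORK="${NETWORK:-prod-vpc}"
ZONE="${ZONE:-us-central1-a}"
MEMBER="${MEMBER:-group:app-users@example.com}"
OAUTH_CLIENT_ID="${OAUTH_CLIENT_ID:-CLIENT_ID_PLACEHOLDER}"
OAUTH_CLIENT_SECRET="${OAUTH_CLIENT_SECRET:-CLIENT_SECRET_PLACEHOLDER}"
IAP_RANGE="35.235.240.0/20"            # source range of IAP's TCP-forwarding proxies

# Print each gcloud command unless APPLY=1, so the change can be reviewed first.
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Step 1: turn IAP on for the backend service; the load balancer then routes every request through IAP.
enable_iap_on_backend() {
  run gcloud compute backend-services update "$BACKEND" --project="$PROJECT" --global \
    --iap="enabled,oauth2-client-id=$OAUTH_CLIENT_ID,oauth2-client-secret=$OAUTH_CLIENT_SECRET"
}

# Step 2: authorization is application-based: only principals holding
# roles/iap.httpsResourceAccessor (IAP-secured Web App User) on this backend get through.
grant_web_access() {
  run gcloud iap web add-iam-policy-binding --project="$PROJECT" \
    --resource-type=backend-services --service="$BACKEND" \
    --member="$MEMBER" --role=roles/iap.httpsResourceAccessor
}

# Step 3: for SSH, only IAP's proxy range needs to reach port 22; no 0.0.0.0/0 rule.
allow_iap_ssh() {
  run gcloud compute firewall-rules create allow-iap-ssh --project="$PROJECT" \
    --network="$NETWORK" --direction=INGRESS --action=ALLOW --rules=tcp:22 \
    --source-ranges="$IAP_RANGE" --target-tags=iap-ssh
}

# Step 4: connect through the tunnel; the caller needs roles/iap.tunnelResourceAccessor.
ssh_via_iap() {
  run gcloud compute ssh "$1" --project="$PROJECT" --zone="$ZONE" --tunnel-through-iap
}

enable_iap_on_backend; grant_web_access; allow_iap_ssh; ssh_via_iap "app-vm-1"
```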

Cloud NAT

Cloud NAT is a topic that does not appear a lot in the exam. However, it is important to know how it works and the use cases for why you would need NAT. We will also look at the Google Cloud implementation of NAT architecture, which is different from the traditional NAT architecture.

Figure 8.15 – Cloud NAT allowing outbound connections only to the internet

Figure 8.15 – Cloud NAT allowing outbound connections only to the internet

Figure 8.15 shows how Google Cloud NAT works. Cloud NAT is offered as a managed service that provides high availability and seamless scalability. It allows outbound connections only to the internet, whereas inbound traffic is allowed only if it is in response to a connection initiated by an instance. Cloud NAT is a regional resource, fully distributed and software-defined. There are no intermediate NAT proxies in the data path. NAT configuration is stored in the control plane and is pushed to the hosts; this means NAT keeps working regardless of the control plane state, and there are...

Google Cloud Armor

This section covers DDoS protection and the use of web application firewalls (WAFs) to protect your web-based infrastructure. With Cloud Armor, you can protect your Google Cloud workloads from a wide range of threats, including DDoS attacks and application-layer attacks such as cross-site scripting (XSS) and SQL injection (SQLi). Some capabilities are built in and provide automated protection, while others require manual configuration. We will look at these WAF capabilities in more detail in this section:

Figure 8.18 – How Google Cloud Armor secures your infrastructure

Figure 8.18 – How Google Cloud Armor secures your infrastructure

Cloud Armor leverages Google’s global and distributed infrastructure to detect and absorb attacks and filter traffic through configurable security policies at the edge. It should be kept in mind that several aspects of Google Cloud Armor are only available for applications running behind an external HTTP(S) load balancer. Figure 8.18 illustrates the placement of Cloud Armor, which is in line with...
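The Cloud Armor configuration the section describes, as an added example that is not the book's code: a security policy with the preconfigured SQLi and XSS WAF rule sets, a per-client rate limit against volumetric attacks, and the binding to the backend service of the external HTTP(S) load balancer, which is the only place Cloud Armor can filter. PROJECT, POLICY and BACKEND are assumed placeholders; commands are printed unless APPLY=1.

```shell
# Added example (not the book's code): a Cloud Armor security policy with
# preconfigured WAF rules for SQLi and XSS and a per-IP rate limit, deployed in
# preview mode first and attached to the backend service of the external HTTPS
# load balancer. PROJECT, POLICY and BACKEND are assumed placeholders.
PROJECT="${PROJECT:-my-project}"
POLICY="${POLICY:-web-edge-policy}"
BACKEND="${BACKEND:-web-backend}"

# Print each gcloud command unless APPLY=1, so the change can be reviewed first.
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}
create_policy() {
  run gcloud compute security-policies create "$POLICY" --project="$PROJECT"
}

# Preconfigured WAF rule sets. --preview logs hits without blocking, so false
# positives show up in the LB logs before enforcement; sensitivity 1 is the lowest-noise tier.
add_waf_rules() {
  run gcloud compute security-policies rules create 1000 \
    --project="$PROJECT" --security-policy="$POLICY" --action=deny-403 --preview \
    --expression="evaluatePreconfiguredWaf('sqli-v33-stable', {'sensitivity': 1})"
  run gcloud compute security-policies rules create 1001 \
    --project="$PROJECT" --security-policy="$POLICY" --action=deny-403 --preview \
    --expression="evaluatePreconfiguredWaf('xss-v33-stable', {'sensitivity': 1})"
}

# Volumetric (layer 7 DDoS) control: throttle any single client IP above 100 req/min.
add_rate_limit() {
  run gcloud compute security-policies rules create 2000 \
    --project="$PROJECT" --security-policy="$POLICY" --src-ip-ranges="*" \
    --action=throttle --rate-limit-threshold-count=100 \
    --rate-limit-threshold-interval-sec=60 --conform-action=allow \
    --exceed-action=deny-429 --enforce-on-key=IP
}

# Cloud Armor only sees traffic reaching the external HTTP(S) LB, so bind the policy to the backend.
attach_policy() {
  run gcloud compute backend-services update "$BACKEND" \
    --project="$PROJECT" --global --security-policy="$POLICY"
}
enforce_waf_rules() {  # run after reviewing preview hits in the logs
  for prio in 1000 1001; do
    run gcloud compute security-policies rules update "$prio" \
      --project="$PROJECT" --security-policy="$POLICY" --no-preview
  done
}
create_policy; add_waf_rules; add_rate_limit; attach_policy
```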

Summary

In this chapter, we looked at some advanced network security concepts. We covered the usage and configuration of Private Google Access, IAP and its use cases, and Cloud NAT. Finally, we looked at Cloud Armor and how it provides protection against DDoS and web-application-based attacks. We also covered additional details related to Cloud Armor, such as security policies, WAF rules, and named IP lists.

In the next chapter, we will cover data security, which is an important topic for the exam. We will look at the Google Cloud Key Management system and then cover data loss prevention and Secret Manager in the subsequent chapters.

Further reading

For more information on Google Cloud advanced network security, refer to the following links:
