
You're reading from Official Google Cloud Certified Professional Cloud Security Engineer Exam Guide

Product type: Book
Published in: Aug 2023
Publisher: Packt
ISBN-13: 9781835468869
Edition: 1st Edition
Authors (2):

Ankush Chowdhary

With an unwavering focus on technology spanning over two decades, Ankush remains genuinely dedicated to the ever-evolving realm of cybersecurity. Throughout his career, he has consistently upheld a deep commitment to assisting businesses on their journey towards modernization and embracing the digital age. His guidance has empowered numerous enterprises to prioritize and implement essential cybersecurity measures. He has had the privilege of being invited as a speaker at various global cybersecurity events, where he had the opportunity to share his insights and exert influence on key decision-makers concerning cloud security and policy matters. Driven by an authentic passion for education and mentorship, he derives immense satisfaction from guiding, teaching, and mentoring others within the intricate domain of cybersecurity. The intent behind writing this book has been a modest endeavor to achieve the same purpose.

Prashant Kulkarni

In his career, Prashant has worked directly with customers, helping them overcome different security challenges in various product areas. These experiences have made him passionate about continuous learning, especially in the fast-changing security landscape. Joining Google 4 years back, he expanded his knowledge of Cloud Security. He is thankful for the support of customers, the infosec community, and his peers that have sharpened his technical skills and improved his ability to explain complex security concepts in a user-friendly way. This book aims to share his experiences and insights, empowering readers to navigate the ever-evolving security landscape with confidence. In his free time, Prashant indulges in his passion for astronomy, marveling at the vastness and beauty of the universe.

Chapter 4: Resource Management

In this chapter, we will look at resource management and understand some of its key components, such as projects, folders, and organizations. When building your environment on Google Cloud, these components let you segment it at a macro level. We will also look at organization policy constraints, some of the pre-built constraints that are available, and how policy inheritance works for Identity and Access Management (IAM) and firewall rules. We will also cover Cloud Asset Inventory, which is an essential part of resource management, and its role from a security perspective. We will end the chapter with some best practices and design considerations for resource management.

In this chapter, we will cover the following topics:

  • Overview of Google Cloud Resource Manager
  • The resource hierarchy
  • The Organization Policy Service
  • Organization Policy constraints
  • Policy inheritance
  • Hierarchical firewall policies
  • Cloud...

Overview of Google Cloud Resource Manager

Google Cloud Resource Manager acts like a container for your cloud resources, allowing you to group them hierarchically within projects, folders, and an organization. Think of Resource Manager as a high-level way to perform macro-level segmentation. This not only helps you define the entire organization's structure but also lets you implement security guardrails that are inherited down that structure. More on this in the Policy inheritance section.

Figure 4.1 is an example of how you can structure your organization on Google Cloud. The top-level organization is where all your other components such as folders and projects are created. Organizing your resources in a hierarchical way lets you manage aspects such as access control and other configuration settings. The same applies to IAM policies, which can be applied at different levels and are then inherited top-down.

Figure 4.1 – Organization hierarchy

Understanding resource hierarchy

The key components that make up the resource hierarchy are as follows:

  • Organization: The top-level component—all other components are linked to this.
  • Folders: Used to group similar projects to consistently apply policies. These are optional but highly recommended.
  • Projects: Where all the resources, such as your compute instances, databases, and others, exist.
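The inheritance rule stated above (a policy applied on a parent flows top-down to every folder and project beneath it) can be made concrete with a small model. The following is an added example written for this page; it is not code from the book or from Google's client libraries, and every organization ID, folder, project, group, and user in it is a constructed sample. It builds an organization → folders → projects tree, computes each project's effective IAM policy as the union of the bindings on its ancestor chain, and offers a blast-radius view: every project a given principal can reach with a given role.

```python
"""Model of IAM policy inheritance in the Google Cloud resource hierarchy.

Added illustration, not code from the book or from Google's SDKs. It
implements the rule the chapter states: a binding granted on a node
(organization, folder or project) applies to that node and to every
descendant, so a project's effective policy is the union of the bindings
on its ancestor chain. All IDs, groups and users below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Node:
    """A resource-hierarchy node and the IAM bindings set directly on it."""
    name: str
    parent: Optional[str] = None
    bindings: Dict[str, Set[str]] = field(default_factory=dict)  # role -> members


def ancestor_chain(nodes: Dict[str, Node], name: str) -> List[str]:
    """Walk from a node up to the organization root: [node, parent, ..., org]."""
    chain: List[str] = []
    current: Optional[str] = name
    while current is not None:
        if current not in nodes:
            raise KeyError(f"unknown node {current!r}")
        chain.append(current)
        current = nodes[current].parent
    return chain


def effective_policy(nodes: Dict[str, Node], name: str) -> Dict[str, Set[str]]:
    """Effective policy = union of the bindings along the ancestor chain.

    Inheritance is additive: a child cannot remove a grant made above it,
    so a broad grant at the organization reaches every project beneath it.
    """
    merged: Dict[str, Set[str]] = {}
    for node_name in ancestor_chain(nodes, name):
        for role, members in nodes[node_name].bindings.items():
            merged.setdefault(role, set()).update(members)
    return merged


def has_role(nodes: Dict[str, Node], name: str, member: str, role: str) -> bool:
    """True if `member` effectively holds `role` on `name`, directly or inherited."""
    return member in effective_policy(nodes, name).get(role, set())


def projects_reachable(nodes: Dict[str, Node], member: str, role: str) -> List[str]:
    """Blast-radius view: every project where `member` effectively has `role`."""
    return sorted(
        n.name for n in nodes.values()
        if n.name.startswith("projects/") and has_role(nodes, n.name, member, role)
    )


def build_sample_hierarchy() -> Dict[str, Node]:
    """Constructed org -> folders -> projects tree with a few bindings."""
    org = "organizations/000000000000"  # placeholder organization ID
    nodes = [
        Node(org, None, {"roles/viewer": {"group:auditors@example.com"}}),
        Node("folders/prod", org, {"roles/editor": {"group:prod-ops@example.com"}}),
        Node("folders/dev", org, {"roles/editor": {"group:dev-team@example.com"}}),
        Node("projects/prod-app", "folders/prod"),
        Node("projects/prod-db", "folders/prod",
             {"roles/cloudsql.admin": {"user:dba@example.com"}}),
        Node("projects/dev-app", "folders/dev"),
    ]
    return {n.name: n for n in nodes}


if __name__ == "__main__":
    tree = build_sample_hierarchy()
    for project in ("projects/prod-app", "projects/prod-db", "projects/dev-app"):
        policy = effective_policy(tree, project)
        print(project, {role: sorted(members) for role, members in policy.items()})
    print("editor via prod-ops:",
          projects_reachable(tree, "group:prod-ops@example.com", "roles/editor"))
```

Running the block shows the two directions that matter for a design review: the organization-level viewer grant lands on all three projects, while the editor grant on folders/prod reaches only the two prod projects and never the dev project, and the Cloud SQL grant made directly on projects/prod-db stays there. That is the mechanism behind the folder-based segmentation and blast-radius considerations discussed later in the chapter.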

Now, let’s look at each of these components in detail. From a certification standpoint, you will be tested on resource hierarchy and the topics covered in this chapter. It’s important to understand how to manage and create resources and apply access policies and organizational constraints. We will cover all these topics in this chapter.

Organization

This is the root node and hierarchical super-node of the project. It is closely associated with the Workspace / Cloud Identity account. It’s a single directory containing the organization’...

Applying constraints using the Organization Policy Service

The Organization Policy Service provides you with a centralized and programmatic method to apply constraints across your organization and its cloud resources. Organizations often dictate requirements that must apply organization-wide; these constraints are non-negotiable, and every resource in your cloud environment has to adhere to them. This is where Organization Policy Service constraints come in, giving you the ability to apply these policies centrally to avoid or mitigate misconfigurations downstream in your projects and cloud resources. This lets you define guardrails based on regulatory requirements or internal compliance. The development teams consuming Google Cloud services do not have to worry about applying these policies themselves or duplicating the effort. This further reduces the number of errors that may occur, as you are now centrally in control of applying organization-wide...

Asset management using Cloud Asset Inventory

Cloud Asset Inventory plays a key role in security as it gives you the ability to view your assets in near real time and also to detect the associated changes to the asset. Previously, Cloud Asset Inventory was accessible either via the CLI or Security Command Center, but with recent changes, you can now access Cloud Asset Inventory via the Google Cloud console.

Cloud Asset Inventory is a metadata inventory service that lets you search, export, monitor, and analyze metadata related to supported Google Cloud assets. All metadata information related to an asset is presented on a timeline where you can view historical information (the past five weeks) to get insights into changes to an asset. Before we look at some use cases that Cloud Asset Inventory can help with, let’s understand some key concepts.
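The timeline view described above is what makes Cloud Asset Inventory useful for detection: comparing consecutive versions of an asset's metadata tells you what changed and when. The block below is an added example, not code from the book or from Google's client libraries. It takes a list of asset versions constructed in the shape of a Cloud Asset Inventory export record (name, assetType, updateTime, resource.data), orders them by updateTime, reports the fields that changed between each pair of versions, and runs one detection rule over the result: a firewall rule whose source ranges newly include 0.0.0.0/0. The project name, firewall rule, and timestamps are constructed samples.

```python
"""Tracking asset changes on a Cloud Asset Inventory-style timeline.

Added example, not code from the book or from Google's client libraries.
Cloud Asset Inventory presents an asset's metadata as a timeline of
versions; this block diffs consecutive versions of one asset and applies
a single detection rule on top. The records below are constructed in the
shape of a CAI export record (name, assetType, updateTime, resource.data).
"""
import json
from typing import Any, Dict, List, Tuple

# Constructed timeline for one firewall asset, newest version listed first
# so the sort step below is exercised.
SAMPLE_TIMELINE_JSON = """
[
  {
    "name": "//compute.googleapis.com/projects/example-proj/global/firewalls/allow-ssh",
    "assetType": "compute.googleapis.com/Firewall",
    "updateTime": "2023-08-02T09:00:00Z",
    "resource": {"data": {"name": "allow-ssh", "direction": "INGRESS",
                          "sourceRanges": ["0.0.0.0/0"],
                          "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]}}
  },
  {
    "name": "//compute.googleapis.com/projects/example-proj/global/firewalls/allow-ssh",
    "assetType": "compute.googleapis.com/Firewall",
    "updateTime": "2023-08-01T09:00:00Z",
    "resource": {"data": {"name": "allow-ssh", "direction": "INGRESS",
                          "sourceRanges": ["10.0.0.0/8"],
                          "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]}}
  }
]
"""


def flatten(obj: Any, prefix: str = "") -> Dict[str, Any]:
    """Flatten nested dicts into dotted keys; lists are kept whole as values."""
    if not isinstance(obj, dict):
        return {prefix.rstrip("."): obj}
    out: Dict[str, Any] = {}
    for key, value in obj.items():
        out.update(flatten(value, f"{prefix}{key}."))
    return out


def diff_versions(older: Dict, newer: Dict) -> Dict[str, Tuple[Any, Any]]:
    """Fields of resource.data whose value differs: key -> (old, new)."""
    old_flat = flatten(older["resource"]["data"])
    new_flat = flatten(newer["resource"]["data"])
    return {
        key: (old_flat.get(key), new_flat.get(key))
        for key in sorted(set(old_flat) | set(new_flat))
        if old_flat.get(key) != new_flat.get(key)
    }


def timeline_changes(timeline: List[Dict]) -> List[Dict[str, Any]]:
    """Order versions by updateTime and diff each against its predecessor."""
    ordered = sorted(timeline, key=lambda v: v["updateTime"])
    changes: List[Dict[str, Any]] = []
    for older, newer in zip(ordered, ordered[1:]):
        delta = diff_versions(older, newer)
        if delta:  # only record versions where resource.data actually changed
            changes.append({"name": newer["name"], "assetType": newer["assetType"],
                            "from": older["updateTime"], "to": newer["updateTime"],
                            "changed": delta})
    return changes


def newly_open_to_internet(changes: List[Dict[str, Any]]) -> List[str]:
    """Firewall assets whose sourceRanges gained 0.0.0.0/0 in some change."""
    hits: List[str] = []
    for change in changes:
        if change["assetType"] != "compute.googleapis.com/Firewall":
            continue
        old, new = change["changed"].get("sourceRanges", (None, None))
        if "0.0.0.0/0" in (new or []) and "0.0.0.0/0" not in (old or []):
            hits.append(change["name"])
    return hits


def load_sample() -> List[Dict]:
    """Parse the constructed sample timeline."""
    return json.loads(SAMPLE_TIMELINE_JSON)


if __name__ == "__main__":
    detected = timeline_changes(load_sample())
    for change in detected:
        print(f"{change['name']} changed between {change['from']} and {change['to']}:")
        for key, (old, new) in change["changed"].items():
            print(f"  {key}: {old!r} -> {new!r}")
    print("newly internet-exposed firewalls:", newly_open_to_internet(detected))
```

The diff is deliberately generic (it works on any asset type's resource.data), and the detection rule is layered on top of it, which mirrors how you would use the inventory in practice: keep the change history for every asset and write targeted rules for the changes that matter to you.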

An asset is a Google Cloud resource or a policy object. Cloud Asset Inventory collects metadata about resources, such as for Compute...

Best practices and design considerations

A key design consideration is how resources will be managed across projects. Using a single project keeps things simple, but you will not achieve isolation or separation of duties. On the flip side, using too many projects creates considerable management overhead, although you will achieve the separation of duties and the isolation you require.

Some of the design considerations to follow when breaking down resources and workloads into projects are as follows. Bear in mind that all considerations are correlated:

  • You don’t want a misconfiguration or a compromise in one operating environment to impact the other. A key consideration is how to reduce the blast radius.
  • Quotas and limits are applied at the project level. It’s undesirable for a dev/test project to consume the quota required by a prod project, or that one app consumes the quota of another.
  • You...

Summary

In this chapter, we learned how to organize our Google Cloud infrastructure and manage our available resources. We discussed the basics of creating folders and projects, as well as the features available to you if you want to enforce organizational policy constraints on them. If you’re planning on using IAM or firewall rules in your infrastructure, we also went over how policy inheritance works and how it might aid in your organizational structure. We wrapped up by reviewing Cloud Asset Inventory and some best practices for managing your resources.

In the next chapter, we will do a deep dive into Cloud Identity.

Further reading

For more information on GCP compliance, refer to the following links:
