Radical Technologies

Radical Logo
Radical Logo

The Syllabus

Curriculum Designed by Experts

Configuring access within a cloud solution environment

Configuring Cloud Identity. Considerations include:

  • Managing Cloud Identity
  • Configuring Google Cloud Directory Sync
  • Managing super administrator account
  • Automating user lifecycle management process
  • Administering user accounts and groups programmatically

Managing service accounts. Considerations include:

  • Protecting and auditing service accounts and keys
  • Automating the rotation of user-managed service account keys
  • Identifying scenarios requiring service accounts
  • Creating, authorizing, and securing service accounts
  • Securely managing API access management
  • Managing and creating short-lived credentials

Managing authentication. Considerations include:

  • Creating a password policy for user accounts
  • Establishing Security Assertion Markup Language (SAML)
  • Configuring and enforcing two-factor authentication

Managing and implementing authorization controls. Considerations include:

  • Managing privileged roles and separation of duties
  • Managing IAM permissions with basic, predefined, and custom roles
  • Granting permissions to different types of identities
  • Understanding the difference between Cloud Storage IAM and ACLs
  • Designing identity roles at the organization, folder, project, and resource level
  • Configuring Access Context Manager

Defining resource hierarchy. Considerations include:

  • Creating and managing organizations
  • Designing resource policies for organizations, folders, projects, and resources
  • Managing organization constraints
  • Using resource hierarchy for access control and permissions inheritance
  • Designing and managing trust and security boundaries within Google Cloud projects
Configuring network security

Designing network security. Considerations include:

  • Configuring network perimeter controls (firewall rules; Identity-Aware Proxy (IAP))
  • Configuring load balancing (global, network, HTTP(S), SSL proxy, and TCP proxy load balancers)
  • Identifying Domain Name System Security Extensions (DNSSEC)
  • Identifying differences between private versus public addressing
  • Configuring web application firewall (Google Cloud Armor)
  • Configuring Cloud DNS

Configuring network segmentation. Considerations include:

  • Configuring security properties of a VPC network, VPC peering, Shared VPC, and firewall rules
  • Configuring network isolation and data encapsulation for N-tier application design
  • Configuring app-to-app security policy

Establishing private connectivity. Considerations include:

  • Designing and configuring private RFC1918 connectivity between VPC networks and Google Cloud projects (Shared VPC, VPC peering)
  • Designing and configuring private RFC1918 connectivity between data centers and VPC networks (IPSEC and Cloud Interconnect)
  • Establishing private connectivity between VPC and Google APIs (Private Google Access, Private Google Access for on-premises hosts, Private Service Connect)
  • Configuring Cloud NAT
Ensuring data protection

Protecting sensitive data. Considerations include:

  • Inspecting and redacting personally identifiable information (PII)
  • Configuring pseudonymization
  • Configuring format-preserving substitution
  • Restricting access to BigQuery datasets
  • Configuring VPC Service Controls
  • Securing secrets with Secret Manager
  • Protecting and managing compute instance metadata

Managing encryption at rest. Considerations include:

  • Understanding use cases for Google default encryption, customer-managed encryption keys (CMEK), customer-supplied encryption keys (CSEK), Cloud External Key Manager (EKM), and Cloud HSM
  • Creating and managing encryption keys for CMEK, CSEK, and EKM
  • Applying Google’s encryption approach to use cases
  • Configuring object lifecycle policies for Cloud Storage
  • Enabling confidential computing
 
Managing operations in a cloud solution environment

Building and deploying secure infrastructure and applications. Considerations include:

  • Automating security scanning for Common Vulnerabilities and Exposures (CVEs) through a CI/CD pipeline
  • Automating virtual machine image creation, hardening, and maintenance
  • Automating container image creation, verification, hardening, maintenance, and patch management

Configuring logging, monitoring, and detection. Considerations include:

  • Configuring and analyzing network logs (firewall rule logs, VPC flow logs, packet mirroring)
  • Designing an effective logging strategy
  • Logging, monitoring, responding to, and remediating security incidents
  • Exporting logs to external security systems
  • Configuring and analyzing Google Cloud audit logs and data access logs
  • Configuring log exports (log sinks, aggregated sinks, logs router)
  • Configuring and monitoring Security Command Center (Security Health Analytics, Event Threat Detection, Container Threat Detection, Web Security Scanner)
Ensuring compliance

Determining regulatory requirements for the cloud. Considerations include:

  • Determining concerns relative to compute, data, and network
  • Evaluating security shared responsibility model
  • Configuring security controls within cloud environments
  • Limiting compute and data for regulatory compliance
  • Determining the Google Cloud environment in scope for regulatory compliance