Course Overview
This self-paced training course gives participants a broad study of security controls and techniques on Google Cloud Platform.
Through recorded lectures, demonstrations, and hands-on labs, participants explore and deploy the components of a secure GCP solution, including Cloud Identity, the GCP Resource Manager, Cloud IAM, Google Virtual Private Cloud firewalls, Google Cloud Load Balancing, Cloud CDN, Cloud Storage access control technologies, Stackdriver, Security Keys, Customer-Supplied Encryption Keys, the Google Data Loss Prevention API, and Cloud Armor. Participants learn mitigations for attacks at many points in a GCP-based infrastructure, including Distributed Denial-of-Service attacks, phishing attacks, and threats involving content classification and use.
To get the most out of this course, participants should have:
* Prior completion of Google Cloud Platform Fundamentals: Core Infrastructure or equivalent experience
* Prior completion of GCP and Hybrid Networking Deep Dive or equivalent experience
* Knowledge of foundational concepts in information security, such as
  * vulnerability, threat, attack surface
  * confidentiality, integrity, availability
  * common threat types and their mitigation strategies
  * public-key cryptography
  * public and private key pairs
  * certificates
  * cipher types
  * certificate authorities
  * Transport Layer Security/Secure Sockets Layer encrypted communication
  * public key infrastructures
  * security policy
* Basic proficiency with command-line tools and Linux operating system environments
* Systems Operations experience, deploying and managing applications, on-premises or in a public cloud environment
* Reading comprehension of code in Python or JavaScript
>>> By enrolling in this course you agree to the Qwiklabs Terms of Service as set out in the FAQ and located at: https://qwiklabs.com/terms_of_service <<<
Course Syllabus
Welcome to Mitigating Security Vulnerabilities on Google Cloud Platform
Welcome to Mitigating Security Vulnerabilities on Google Cloud Platform! In this course we will build upon the foundations laid during the earlier course in this series, Managing Security in Google Cloud Platform. In this section, expect to learn more about security tools available to you when using GCP, and how to implement security "best practices" to lower the risk of malicious attacks against your systems, software and data.
Securing Compute Engine
In this module we will start with a discussion of service accounts, IAM roles and API scopes as they apply to Compute Engine. We will also discuss managing VM logins, and how to use organization policies to set constraints that apply to all resources in your organization's hierarchy. Next, we will review Compute Engine best practices to give you some tips for securing Compute Engine.
Lastly, we will cover encrypting persistent disks with Customer-Supplied Encryption Keys.
Securing Cloud Data
In this module we discuss controlling IAM permissions and access control lists on Cloud Storage buckets; auditing cloud data, including finding and remediating data that has been made publicly accessible; using signed Cloud Storage URLs and signed policy documents; and encrypting data at rest. In addition, BigQuery IAM roles and authorized views will be covered to demonstrate managing access to datasets and tables. The module will conclude with an overview of storage best practices.
Protecting against Distributed Denial of Service Attacks (DDoS)
Distributed Denial of Service attacks are a major concern today and can have a huge impact on a business that is not adequately prepared. In this module we will begin with a quick discussion of how DDoS attacks work and then review some DDoS mitigation techniques that are provided by the Google Cloud Platform. We will finish up with a review of complementary partner products and a lab where you will get a chance to see some DDoS mitigations in action.
Application Security
In this module we will discuss application security techniques and best practices. We will see how the Google Cloud Security Scanner can be used to identify vulnerabilities in your applications, and dive into the subject of identity and OAuth phishing. Lastly, you will learn how the Google Cloud Identity-Aware Proxy (IAP) can be used to control access to your cloud applications.
Content-Related Vulnerabilities
In this module we will discuss threats to your content. First, we review the threat of ransomware, and some of the mitigations you can utilize in GCP to help protect your systems from it. Then we will move to a discussion of threats related to data misuse and privacy violations and discuss a few mitigation strategies that can be utilized to protect applications and systems.