Cloud Certifications: Google Cloud Professional Cloud Security Engineer
Introduction
Cloud-based solutions have been in high demand over the last several years, and this is not likely to change in the future. With large and well-established corporations, academic institutions, and even cities increasingly affected by insufficient security practices and attacks, knowing how to properly and efficiently secure Google Cloud (GC) cloud infrastructure is essential to organizations.
In this guide, you will learn about the GC Professional Cloud Security Engineer certification and the exam you can take to achieve it.
Target Audience
As the name suggests, this certification has "security" written all over it, specifically Google Cloud security offerings and features. Since it is a professional-level certification, the required exam covers a wide range of security topics and technologies.
As a Professional Cloud Security Engineer, you will enable organizations to design and implement a secure infrastructure on Google Cloud. Through an understanding of security best practices and industry security requirements, you will design, develop, and manage a secure infrastructure leveraging Google security technologies. You should be proficient in all aspects of Cloud Security, including:
- Managing identity and access management
- Defining organizational structure and policies
- Using Google technologies to provide data protection
- Configuring network security defenses
- Collecting and analyzing Google Cloud logs
- Managing incident responses
- Demonstrating an understanding of regulatory concerns
Google recommends you have three or more years of industry experience, including one or more years designing and managing solutions using Google Cloud. A strong IT security background is an absolute must-have to fully comprehend and understand these topics.
Applicable Exam
A single exam is required to gain the GC Professional Cloud Security Engineer certification. Currently, this exam is only available in English.
The price of the exam is US $200. Google also offers a practice exam. At present, this practice exam is free of charge.
Certification Process
Format
The exam format is multiple choice and multiple select.
While Google offers some exams remotely, the GC Professional Cloud Security Engineer can only be taken in person at a test center. Follow this link to find locations of available test centers near you.
Time
You will have two hours to complete the exam. Ensure that you arrive on time and have completed the check-in process to ensure that you maximize the use of your allowed time.
Prerequisites
While there are no specific prerequisites to achieving this certification beyond passing the GC Professional Cloud Security Engineer exam, it is worth noting that experience with the required skills is key to a successful experience.
Passing the GC Associate Cloud Engineer exam and achieving the corresponding certification, while not mandatory, will help you prepare for this level since it introduces a number of technologies covered in the GC Professional Cloud Security Engineer exam.
Ensure that you possess sufficient experience and invest the time to go through the relevant Pluralsight courses and other resources.
Skills Measured
Your skills will be measured in the following five categories:
- Configuring access within a cloud solution environment
- Configuring network security
- Ensuring data protection
- Managing operations within a cloud solution environment
- Ensuring compliance
These categories are broken down into details as follows:
Configuring Access Within a cloud Solution Environment
Configuring cloud identity
- Managing Cloud Identity
- Configuring Google Cloud Directory Sync
- Management of super administrator account
Managing user accounts
- Designing identity roles at the project and organization level
- Automation of user life cycle management process
- API usage
Managing service accounts
- Auditing service accounts and keys
- Automating the rotation of user-managed service account keys
- Identification of scenarios requiring service accounts
- Creating, authorizing, and securing service accounts
- Securely managed API access management
Managing authentication
- Creating a password policy for user accounts
- Establishing Security Assertion Markup Language (SAML)
- Configuring and enforcing two-factor authentication
Managing and implementing authorization controls
- Using resource hierarchy for access control
- Privileged roles and separation of duties
- Managing IAM permissions with primitive, predefined, and custom roles
- Granting permissions to different types of identities
- Understanding difference between Google Cloud Storage IAM and ACLs
Defining resource hierarchy
- Creating and managing organizations
- Resource structures (orgs, folders, and projects)
- Defining and managing organization constraints
- Using resource hierarchy for access control and permissions inheritance
- Trust and security boundaries within GC projects
Configuring Network Security
Designing network security
- Security properties of a VPC network, VPC peering, shared VPC, and firewall rules
- Network isolation and data encapsulation for N tier application design
- Use of DNSSEC
- Private vs. public addressing
- App-to-app security policy
Configuring network segmentation
- Network perimeter controls (firewall rules; IAP)
- Load balancing (global, network, HTTP(S), SSL proxy, and TCP proxy load balancers)
Establish private connectivity
- Private RFC1918 connectivity between VPC networks and GC projects (Shared VPC, VPC peering)
- Private RFC1918 connectivity between data centers and VPC network (IPSEC and Cloud Interconnect).
- Enable private connectivity between VPC and Google APIs (private access)
Ensuring data protection
Preventing data loss with the DLP API
- Identification and redaction of PII
- Configuring tokenization
- Configure format preserving substitution
- Restricting access to DLP datasets
Managing encryption at rest
- Understanding use cases for default encryption, customer-managed encryption keys (CMEK), and customer-supplied encryption keys (CSEK)
- Creating and managing encryption keys for CMEK and CSEK
- Managing application secrets
- Object life cycle policies for Cloud Storage
- Enclave computing
- Envelope encryption
Managing Operations Within a Cloud Solution Environment
Building and deploying infrastructure
- Backup and data loss strategy
- Creating and automating an incident response plan
- Log sinks, audit logs, and data access logs for near-real-time monitoring
- Standby models
- Automate security scanning for Common Vulnerabilities and Exposures (CVEs) through a CI/CD pipeline
- Virtual machine image creation, hardening, and maintenance
- Container image creation, hardening, maintenance, and patch management
Building and deploying applications
- Application logs near-real-time monitoring
- Static code analysis
- Automate security scanning through a CI/CD pipeline
Monitoring for security events
- Logging, monitoring, testing, and alerting for security incidents
- Exporting logs to external security systems
- Automated and manual analysis of access logs
- Understanding capabilities of Forseti
Ensuring Compliance
Comprehension of regulatory concerns
- Evaluation of concerns relative to compute, data, and network
- Security shared responsibility model
- Security guarantees within cloud execution environments
- Limiting compute and data for regulatory compliance
Comprehension of compute environment concerns
- Security guarantees and constraints for each compute environment (Compute Engine, Google Kubernetes Engine, App Engine)
- Determining which compute environment is appropriate based on company compliance standards
Pluralsight Courses
Make sure you check out Pluralsight's Security in Google Cloud learning path, which currently contains three different courses at varying levels.
As always, the newer the course the more relevant the material will be to your learning journey.
Other Resources
Utilizing Google Cloud documentation and Google Cloud solutions and navigating to the relevant topics will also help you to prepare for this exam.
Compensation and Employment Outlook
The cloud business has been booming over the last several years. Google's cloud business keeps growing. While COVID-19 has affected everyone in some way, it certainly doesn't seem to have had a negative impact on Google's cloud business.
Gaining an up-to-date certification like the Google Cloud Professional Cloud Security Engineer certification from a household name like Google should make you much more attractive to both your current and future employers, especially since the cloud security field is booming. Your current employer might not raise your salary, but the next time you go looking for a job, make sure you check trusted Internet sources for up-to-date information on salaries in your region.
It's difficult to provide absolute figures because they will depend on numerous factors like your experience, company type and size, industry, and region. Expect salaries for an experienced Cloud Security Engineer to range from US $120,000 to US $225,000 in the United States.
Conclusion
As a specialty-level certification, the Google Cloud Professional Cloud Security Engineer credentials, while challenging, will earn you recognition and prove that you are a subject matter expert in this field. All it takes is a single exam, and you have a number of excellent courses available to gain the required knowledge and earn the badge. Sign up for Google Cloud, utilize the GC always free products and book the exam, which you can take in one of many testing centers.
I hope that this guide is useful and wish you good luck with gaining your certification.