Skip to content

Contact sales

By filling out this form and clicking submit, you acknowledge our privacy policy.

Cloud Certifications: Google Cloud Professional Cloud Security Engineer

Jul 29, 2020 • 11 Minute Read

Introduction

Cloud-based solutions have been in high demand over the last several years, and this is not likely to change in the future. With large and well-established corporations, academic institutions, and even cities increasingly affected by insufficient security practices and attacks, knowing how to properly and efficiently secure Google Cloud (GC) cloud infrastructure is essential to organizations.

In this guide, you will learn about the GC Professional Cloud Security Engineer certification and the exam you can take to achieve it.

Target Audience

As the name suggests, this certification has "security" written all over it, specifically Google Cloud security offerings and features. Since it is a professional-level certification, the required exam covers a wide range of security topics and technologies.

As a Professional Cloud Security Engineer, you will enable organizations to design and implement a secure infrastructure on Google Cloud. Through an understanding of security best practices and industry security requirements, you will design, develop, and manage a secure infrastructure leveraging Google security technologies. You should be proficient in all aspects of Cloud Security, including:

  • Managing identity and access management
  • Defining organizational structure and policies
  • Using Google technologies to provide data protection
  • Configuring network security defenses
  • Collecting and analyzing Google Cloud logs
  • Managing incident responses
  • Demonstrating an understanding of regulatory concerns

Google recommends you have three or more years of industry experience, including one or more years designing and managing solutions using Google Cloud. A strong IT security background is an absolute must-have to fully comprehend and understand these topics.

Applicable Exam

A single exam is required to gain the GC Professional Cloud Security Engineer certification. Currently, this exam is only available in English.

The price of the exam is US $200. Google also offers a practice exam. At present, this practice exam is free of charge.

Certification Process

Format

The exam format is multiple choice and multiple select.

While Google offers some exams remotely, the GC Professional Cloud Security Engineer can only be taken in person at a test center. Follow this link to find locations of available test centers near you.

Time

You will have two hours to complete the exam. Ensure that you arrive on time and have completed the check-in process to ensure that you maximize the use of your allowed time.

Prerequisites

While there are no specific prerequisites to achieving this certification beyond passing the GC Professional Cloud Security Engineer exam, it is worth noting that experience with the required skills is key to a successful experience.

Passing the GC Associate Cloud Engineer exam and achieving the corresponding certification, while not mandatory, will help you prepare for this level since it introduces a number of technologies covered in the GC Professional Cloud Security Engineer exam.

Pluralsight Learning Path for Google Cloud Certified Associate Cloud Engineer

Ensure that you possess sufficient experience and invest the time to go through the relevant Pluralsight courses and other resources.

Skills Measured

Your skills will be measured in the following five categories:

  • Configuring access within a cloud solution environment
  • Configuring network security
  • Ensuring data protection
  • Managing operations within a cloud solution environment
  • Ensuring compliance

These categories are broken down into details as follows:

Configuring Access Within a cloud Solution Environment

Configuring cloud identity

  • Managing Cloud Identity
  • Configuring Google Cloud Directory Sync
  • Management of super administrator account

Managing user accounts

  • Designing identity roles at the project and organization level
  • Automation of user life cycle management process
  • API usage

Managing service accounts

  • Auditing service accounts and keys
  • Automating the rotation of user-managed service account keys
  • Identification of scenarios requiring service accounts
  • Creating, authorizing, and securing service accounts
  • Securely managed API access management

Managing authentication

  • Creating a password policy for user accounts
  • Establishing Security Assertion Markup Language (SAML)
  • Configuring and enforcing two-factor authentication

Managing and implementing authorization controls

  • Using resource hierarchy for access control
  • Privileged roles and separation of duties
  • Managing IAM permissions with primitive, predefined, and custom roles
  • Granting permissions to different types of identities
  • Understanding difference between Google Cloud Storage IAM and ACLs

Defining resource hierarchy

  • Creating and managing organizations
  • Resource structures (orgs, folders, and projects)
  • Defining and managing organization constraints
  • Using resource hierarchy for access control and permissions inheritance
  • Trust and security boundaries within GC projects

Configuring Network Security

Designing network security

  • Security properties of a VPC network, VPC peering, shared VPC, and firewall rules
  • Network isolation and data encapsulation for N tier application design
  • Use of DNSSEC
  • Private vs. public addressing
  • App-to-app security policy

Configuring network segmentation

  • Network perimeter controls (firewall rules; IAP)
  • Load balancing (global, network, HTTP(S), SSL proxy, and TCP proxy load balancers)

Establish private connectivity

  • Private RFC1918 connectivity between VPC networks and GC projects (Shared VPC, VPC peering)
  • Private RFC1918 connectivity between data centers and VPC network (IPSEC and Cloud Interconnect).
  • Enable private connectivity between VPC and Google APIs (private access)

Ensuring data protection

Preventing data loss with the DLP API

  • Identification and redaction of PII
  • Configuring tokenization
  • Configure format preserving substitution
  • Restricting access to DLP datasets

Managing encryption at rest

  • Understanding use cases for default encryption, customer-managed encryption keys (CMEK), and customer-supplied encryption keys (CSEK)
  • Creating and managing encryption keys for CMEK and CSEK
  • Managing application secrets
  • Object life cycle policies for Cloud Storage
  • Enclave computing
  • Envelope encryption

Managing Operations Within a Cloud Solution Environment

Building and deploying infrastructure

  • Backup and data loss strategy
  • Creating and automating an incident response plan
  • Log sinks, audit logs, and data access logs for near-real-time monitoring
  • Standby models
  • Automate security scanning for Common Vulnerabilities and Exposures (CVEs) through a CI/CD pipeline
  • Virtual machine image creation, hardening, and maintenance
  • Container image creation, hardening, maintenance, and patch management

Building and deploying applications

  • Application logs near-real-time monitoring
  • Static code analysis
  • Automate security scanning through a CI/CD pipeline

Monitoring for security events

  • Logging, monitoring, testing, and alerting for security incidents
  • Exporting logs to external security systems
  • Automated and manual analysis of access logs
  • Understanding capabilities of Forseti

Ensuring Compliance

Comprehension of regulatory concerns

  • Evaluation of concerns relative to compute, data, and network
  • Security shared responsibility model
  • Security guarantees within cloud execution environments
  • Limiting compute and data for regulatory compliance

Comprehension of compute environment concerns

  • Security guarantees and constraints for each compute environment (Compute Engine, Google Kubernetes Engine, App Engine)
  • Determining which compute environment is appropriate based on company compliance standards

Pluralsight Courses

Make sure you check out Pluralsight's Security in Google Cloud learning path, which currently contains three different courses at varying levels.

As always, the newer the course the more relevant the material will be to your learning journey.

Other Resources

Utilizing Google Cloud documentation and Google Cloud solutions and navigating to the relevant topics will also help you to prepare for this exam.

Compensation and Employment Outlook

The cloud business has been booming over the last several years. Google's cloud business keeps growing. While COVID-19 has affected everyone in some way, it certainly doesn't seem to have had a negative impact on Google's cloud business.

Gaining an up-to-date certification like the Google Cloud Professional Cloud Security Engineer certification from a household name like Google should make you much more attractive to both your current and future employers, especially since the cloud security field is booming. Your current employer might not raise your salary, but the next time you go looking for a job, make sure you check trusted Internet sources for up-to-date information on salaries in your region.

It's difficult to provide absolute figures because they will depend on numerous factors like your experience, company type and size, industry, and region. Expect salaries for an experienced Cloud Security Engineer to range from US $120,000 to US $225,000 in the United States.

Conclusion

As a specialty-level certification, the Google Cloud Professional Cloud Security Engineer credentials, while challenging, will earn you recognition and prove that you are a subject matter expert in this field. All it takes is a single exam, and you have a number of excellent courses available to gain the required knowledge and earn the badge. Sign up for Google Cloud, utilize the GC always free products and book the exam, which you can take in one of many testing centers.

I hope that this guide is useful and wish you good luck with gaining your certification.

Michael Taschler

Michael T.

Michael is an IT veteran with almost three decades' worth of experience designing, building, operating and troubleshooting cloud and enterprise systems. He holds many certifications including Azure Solutions Architect, Microsoft 365 Security Administrator, Azure Security Engineer and Microsoft 365 Teams Administrator. He is passionate about innovation, digital transformation and how we can create value by helping people and organisations build a better working world, from the mundane processes that can be automated to the complex problems that can be solved by using established as well as emerging technologies. Michael currently works as a cloud and infrastructure consultant for a global professional services company

More about this author