This document is a project/training report submitted by Satyam for their Bachelor of Technology degree in Computer Science Engineering. It discusses cloud security training and certifications completed through Coursera and Google Cloud. The training covered topics such as cloud infrastructure, security best practices, networking, and mitigating security vulnerabilities. Hands-on labs explored access configuration, network security, data protection, operations management, and compliance. The report provides an overview of the trainings and certifications to fulfill degree requirements.
CLOUD SECURITY
PROJECT/TRAINING REPORT
SUBMITTED IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE AWARD OF DEGREE OF BACHELOR OF TECHNOLOGY IN COMPUTER SCIENCE ENGINEERING
SUBMITTED BY: Name: Satyam, Roll No.: 23155
SUBMITTED TO: Prof. Vimmi Malhotra
HEAD OF DEPARTMENT: Dr. ASHIMA MEHTA, Department of Computer Science & Engineering
DRONACHARYA COLLEGE OF ENGINEERING, KHENTAWAS, GURGAON, HARYANA
CLOUD SECURITY
PROJECT/TRAINING REPORT
SUBMITTED IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE AWARD OF DEGREE OF BACHELOR OF TECHNOLOGY IN COMPUTER SCIENCE ENGINEERING
SUBMITTED BY: Name: Satyam, Roll No.: 23155
SUBMITTED TO: Dr. Ashima Mehta, Prof. Vimmi Malhotra
Department of Computer Science & Engineering
MAHARISHI DAYANAND UNIVERSITY ROHTAK (HARYANA)
Certificate
Aug 20, 2022
Satyam
has successfully completed the online, non-credit Professional Certificate
Google Cloud Digital Leader Training
Courses:
• Introduction to Digital Transformation with Google Cloud
• Innovating with Data and Google Cloud
• Infrastructure and Application Modernization with Google Cloud
• Understanding Google Cloud Security and Operations
The Cloud Digital Leader training courses are designed to increase your baseline knowledge about cloud and Google Cloud so you can confidently speak with colleagues in technical cloud roles. Moreover, this training will enable you to contribute to informed cloud-related business decisions across your organization. This training creates knowledge in these areas:
• General cloud knowledge
• General Google Cloud knowledge
• Google Cloud products and services
The online specialization named in this certificate may draw on material from courses taught on-campus, but the included courses are not equivalent to on-campus courses. Participation in this online specialization does not consume enrollment at this university. This certificate does not confer a University grade, course credit or degree, and it does not verify the identity of the learner.
Student Declaration
I hereby declare that the Practical Training Report entitled "CLOUD SECURITY" is an authentic record of my own work, as a requirement of the 6-week Industrial Training during the period from July 2022 to September 2022, for the award of the degree of B.Tech. (Computer Science & Engineering), Dronacharya College of Engineering.
Satyam (23155)
Date: 06-Oct-2022
Certified that the above statement made by the student is correct to the best of our knowledge and belief.
Signatures: 1. 2. 3.
Head of Department (Signature and Seal)
Acknowledgement
The successful completion of this training/internship program was quite a learning experience for me at each and every step. At the same time, it has given me the confidence to work in a professional set-up.
I would like to express my deep and sincere gratitude to my guides, Dr. Ashima Mehta and Prof. Vimmi Malhotra of Dronacharya College of Engineering, for their unflagging support and continuous encouragement throughout the internship work.
I must acknowledge the faculty and staff of Dronacharya College of Engineering for their continuous guidance and teaching support, due to which I am able to successfully complete this training/internship.
It's my great pleasure to acknowledge my colleagues for providing constant support and motivation to complete this training/internship.
Satyam
B. Tech. (Computer Science Engineering)
Roll No.: 23155
ABOUT THE INSTITUTE
I've done all these certifications from the COURSERA online institute. Coursera was founded by Daphne Koller and Andrew Ng in 2012 with a vision of providing life-transforming learning experiences to learners around the world. Today, Coursera is a global online learning platform that offers anyone, anywhere, access to online courses and degrees from leading universities and companies.
Coursera received B Corp certification in February 2021, which means that it has a legal duty not only to its shareholders but also to make a positive impact on society more broadly, as it continues its efforts to reduce barriers to world-class education for all.
Google Cloud
I've done my certifications under Google Cloud. Google Cloud is a suite of public cloud computing services offered by Google. The platform includes a range of hosted services for compute, storage and application development that run on Google hardware. Google Cloud services can be accessed by software developers, cloud administrators and other enterprise IT professionals over the public internet or through a dedicated network connection.
This distribution of resources provides several benefits, including redundancy in case of failure and reduced latency by locating resources closer to clients. This distribution also introduces some rules about how resources can be used together.
Certificates of the 4 sub-courses:
1. Understanding Google Cloud Security and Operations
2. Infrastructure and Application Modernization with Google Cloud
3. Innovating with Data and Google Cloud
4. Digital Transformation with Google Cloud
Abstract
In the last decade, cloud computing has been incorporated in various industries, from health to military, guided by exploration of the related technologies in industry and academia alike. The individual and enterprise computing models have shifted from on-site infrastructure to remote data centres which are accessible via the internet and managed by cloud service providers. However, this paradigm shift in computing introduces security concerns for individuals and enterprises. To increase cloud deployment, these security concerns need to be thoroughly reviewed and addressed. This paper reviews cloud security issues and concerns, while addressing key topics such as vulnerabilities, threats and mitigations, and cloud models.
Table of Contents
Acknowledgement
Abstract
Table of Contents
List of Figures
1. Introduction
1.1 Introducing Google Cloud
1.2 Cloud Security
1.3 Cloud Security Challenges
2. Learnings from Cloud: Core Infrastructure
2.1 Resources and Access in the Cloud
2.2 Virtual Machines and Networks in the Cloud
2.3 Storage in the Cloud
2.4 Containers in the Cloud
2.5 Applications in the Cloud
2.6 Developing and Deploying in the Cloud
2.7 Logging and Monitoring in the Cloud
3. Learnings from Security Best Practices in Google Cloud
3.1 Securing Compute Engine: Techniques and Best Practices
3.2 Securing Cloud Data: Techniques and Best Practices
3.3 Application Security: Techniques and Best Practices
3.4 Securing Google Kubernetes Engine: Techniques and Best Practices
4. Learnings from Networking in Google Cloud: Hybrid Connectivity and Network Management
4.1 Google Cloud VPC Networking Fundamentals
4.2 Controlling Access to VPC Networks
4.3 Load Balancing
5. Networking in Google Cloud
5.1 Hybrid Connectivity
5.2 Networking Pricing and Billing
5.3 Network Monitoring and Troubleshooting
6. Learnings from Mitigating Security Vulnerabilities on Google Cloud
6.1 Protecting against Distributed Denial of Service Attacks (DDoS)
6.2 Content-Related Vulnerabilities: Techniques and Best Practices
6.3 Monitoring, Logging, Auditing and Scanning
7. Learnings from Managing Security in Google Cloud
7.1 Foundations of Google Cloud Security
7.2 Cloud Identity
7.3 Cloud Identity and Access Management (Cloud IAM)
7.4 VPCs for Isolation and Security
8. Learnings from Hands-On Labs in Google Cloud for Security Engineers
8.1 Configuring Access Within a Cloud Solution Environment
8.2 Configuring Network Security
8.3 Ensuring Data Protection
8.4 Managing Operations in a Cloud Environment
8.5 Ensuring Compliance
9. Conclusions and Future Scope
List of Figures
Figure 1.1 Google Cloud Logo
Figure 2 Cloud Security
Figure 2 Relevant Image
Figure 3 Resource Hierarchy
Figure 4 Virtual Machines
Figure 5 Storage in Google Cloud
Figure 6 VPC Peering
Figure 7 Load Balancers
Figure 8 Hybrid Connectivity
Figure 10 VPC Sharing
Figure 9 Network Pricing and Billing
Figure 12 Network Monitoring
Figure 10 Steps to Troubleshoot a Network
Figure 11 Network Troubleshoot Flowchart
Figure 12 Cloud Identity Logo
1. Introduction to Google Cloud
This section welcomes learners to the Google Cloud Fundamentals: Core Infrastructure course, and provides an overview of the course structure and goals.
Figure 1 Google Cloud Logo
1.1 Introducing Google Cloud
• Google Cloud consists of a set of physical assets, such as computers and hard disk drives, and virtual resources, such as virtual machines (VMs), that are contained in Google's data centers around the globe. Each data center location is in a region.
• Regions are available in Asia, Australia, Europe, North America, and South America. Each region is a collection of zones, which are isolated from each other within the region. Each zone is identified by a name that combines a letter identifier with the name of the region. For example, zone a in the East Asia region is named asia-east1-a.
1.2 Cloud Security
• Cloud security is a collection of procedures and technology designed to address external and internal threats to business security. Organizations need cloud security as they move toward their digital transformation strategy and incorporate cloud-based tools and services as part of their infrastructure.
• The terms digital transformation and cloud migration have been used regularly in enterprise settings over recent years. While both phrases can mean different things to different organizations, each is driven by a common denominator: the need for change.
Cloud Security Engineers
Cloud security engineers are the professionals responsible for building, maintaining, upgrading, and continuously improving cloud networks and cloud-based systems. They are responsible for the operation of secure cloud infrastructure, platforms, and software.
1.3 Cloud Security Challenges
Lack of visibility
It's easy to lose track of how your data is being accessed and by whom, since many cloud services are accessed outside of corporate networks and through third parties.
Multitenancy
Public cloud environments house multiple client infrastructures under the same umbrella, so it's possible your hosted services can get compromised by malicious attackers as collateral damage when they target other businesses.
Access management and shadow IT
While enterprises may be able to successfully manage and restrict access points across on-premises systems, administering these same levels of restriction can be challenging in cloud environments. This can be dangerous for organizations that don't deploy bring-your-own-device (BYOD) policies and allow unfiltered access to cloud services from any device or geolocation.
Compliance
Regulatory compliance management is oftentimes a source of confusion for enterprises using public or hybrid cloud deployments. Overall accountability for data privacy and security still rests with the enterprise, and heavy reliance on third-party solutions to manage this component can lead to costly compliance issues.
Misconfigurations
Misconfigured assets accounted for 86% of breached records in 2019, making the inadvertent insider a key issue for cloud computing environments. Misconfigurations can include leaving default administrative passwords in place, or not creating appropriate privacy settings.
2. Learnings from Cloud: Core Infrastructure
• We identified the purpose and value of Google Cloud products and services.
• We chose among and used the application deployment environments on Google Cloud: App Engine, Google Kubernetes Engine, and Compute Engine.
• We chose among and used the Google Cloud storage options: Cloud Storage, Cloud SQL, Cloud Bigtable, and Firestore.
• We interacted with Google Cloud services.
• In this course, we planned to deploy applications and create application environments on Google Cloud. The course is intended for systems operations professionals, solution architects getting started with Google Cloud, developers, and executives and business decision makers evaluating the potential of Google Cloud to address their business needs. Upon finishing the required items in the course, we earned a badge of completion.
2.1 Resources and Access in the Cloud
This section explores how resources get organized with projects, and how access to those
resources gets shared with the right part of a workforce through a tool called Identity and
Access Management (IAM). It's also in this section that we identify different ways to interact
with Google Cloud.
Google Cloud resources are organized hierarchically, where the organization node is the root
node in the hierarchy, the projects are the children of the organization, and the other
resources are descendants of projects. You can set allow policies at different levels of the
resource hierarchy.
IAM lets you set allow policies at the following levels of the resource hierarchy:
• Organization level. The organization resource represents your company. IAM roles granted at this level are inherited by all resources under the organization. For more information, see Access control for organizations using IAM.
• Folder level. Folders can contain projects, other folders, or a combination of both. Roles
granted at the highest folder level will be inherited by projects or other folders that are
contained in that parent folder. For more information, see Access control for folders using
IAM.
• Project level. Projects represent a trust boundary within your company. Services within the
same project have a default level of trust. For example, App Engine instances can access
Cloud Storage buckets within the same project. IAM roles granted at the project level are
inherited by resources within that project. For more information, see Access control for
projects using IAM.
• Resource level. In addition to the existing Cloud Storage and BigQuery ACL systems,
additional resources such as Genomics Datasets, Pub/Sub topics, and Compute Engine
instances support lower-level roles so that you can grant certain users permission to a
single resource within a project.
Allow policies are hierarchical and propagate down the structure. The effective allow policy for a
resource is the union of the allow policy set at that resource and the allow policy inherited from its
parent.
2.2 Virtual Machines and Networks in the Cloud
This section of the course explores how Google Compute Engine works, with a focus on virtual networking.
• A cloud virtual machine is the digital version of a physical computer that can run in a cloud. Like a physical machine, it can run an operating system, store data, connect to networks, and do all the other computing functions.
• A virtual machine is a software-based computer that exists within the operating system of another computer. In simpler terms, it is a virtualization of an actual computer, except that it exists on another system.
• Typically you will have a hypervisor running on the physical machine, and you will have virtual machines running on top of the hypervisor. A hypervisor is a software layer that allows you to virtualize the environment. The operating system running in the virtual machine is called the guest operating system.
Figure 16 Virtual Machines
2.3 Storage in the Cloud
In Cloud Storage, buckets and objects are resources, and objects are located in buckets. An example
of using IAM with Cloud Storage is to allow read access to files that are uploaded.
Consider a scenario where many users upload files to a bucket, but they shouldn't be able to read or
delete any of the files uploaded by other users. Your data processing expert should be able to read
and delete uploaded files, but they shouldn't be able to delete buckets because others are using the
bucket location to upload their files. In this scenario, you would set allow policies on the project as
follows:
Grant the Storage Object Admin role to your data processing expert, Alice at alice@example.com.
Alice has object admin rights at the project level and can read, add, and delete any object in any
bucket in the project.
Grant Storage Object Creator to a group of users, data_uploaders@example.com. This allow policy means that anyone who is a member of the group data_uploaders@example.com can upload files to the bucket. A group member owns files that they upload, but they can't read or delete any files that other users upload.
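The policy propagation rule from section 2.1 (the effective allow policy of a resource is the union of its own policy and everything inherited from its ancestors) and the upload scenario above, modelled as an added example. This is not code from the report or from Google: the organization, project and bucket names are constructed, the role-to-permission tables are a hand-picked subset of the real roles/storage.objectAdmin, roles/storage.objectCreator and roles/storage.objectViewer permissions, and the extra organization-level grant to an auditor is added only to show inheritance across three levels.

```python
"""IAM allow-policy inheritance down the Google Cloud resource hierarchy.

Added example (not code from the report or from Google). Roles are mapped to a
hand-picked subset of their real permissions; that subset is an assumption.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Subset of permissions for three predefined Cloud Storage roles (assumption:
# only the permissions the scenario needs are listed, not the full roles).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "roles/storage.objectAdmin": {
        "storage.objects.create", "storage.objects.delete", "storage.objects.get",
        "storage.objects.list", "storage.objects.update",
    },
    "roles/storage.objectCreator": {"storage.objects.create"},
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
}


@dataclass
class Resource:
    """A node in the hierarchy: organization, folder, project or a leaf resource."""
    name: str
    parent: Optional["Resource"] = None
    # allow policy set on this node: role -> members ("user:..." / "group:...")
    bindings: Dict[str, Set[str]] = field(default_factory=dict)

    def grant(self, role: str, member: str) -> None:
        self.bindings.setdefault(role, set()).add(member)


def effective_policy(resource: Resource) -> Dict[str, Set[str]]:
    """Union of the policy on the resource and the policies of all its ancestors."""
    policy: Dict[str, Set[str]] = {}
    node: Optional[Resource] = resource
    while node is not None:
        for role, members in node.bindings.items():
            policy.setdefault(role, set()).update(members)
        node = node.parent
    return policy


def permissions_for(resource: Resource, principals: Set[str]) -> Set[str]:
    """Permissions a caller holds on `resource`. `principals` is the caller's own
    identity plus every group it belongs to, e.g.
    {"user:bob@example.com", "group:data_uploaders@example.com"}."""
    perms: Set[str] = set()
    for role, members in effective_policy(resource).items():
        if members & principals:
            perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def allowed(resource: Resource, principals: Set[str], permission: str) -> bool:
    return permission in permissions_for(resource, principals)


def build_scenario() -> Resource:
    """The report's upload scenario plus one org-level grant (constructed names)."""
    org = Resource("organizations/example-org")
    project = Resource("projects/uploads-project", parent=org)
    bucket = Resource("buckets/uploads-bucket", parent=project)
    # Report scenario: both grants are set on the project, not on the bucket.
    project.grant("roles/storage.objectAdmin", "user:alice@example.com")
    project.grant("roles/storage.objectCreator", "group:data_uploaders@example.com")
    # Added grant at the organization level: inherited by every project and bucket.
    org.grant("roles/storage.objectViewer", "user:auditor@example.com")
    return bucket


def scenario_checks() -> Dict[str, bool]:
    bucket = build_scenario()
    alice = {"user:alice@example.com"}
    bob = {"user:bob@example.com", "group:data_uploaders@example.com"}
    auditor = {"user:auditor@example.com"}
    return {
        "alice_reads_objects": allowed(bucket, alice, "storage.objects.get"),
        "alice_deletes_objects": allowed(bucket, alice, "storage.objects.delete"),
        "alice_deletes_bucket": allowed(bucket, alice, "storage.buckets.delete"),
        "bob_uploads": allowed(bucket, bob, "storage.objects.create"),
        "bob_reads_objects": allowed(bucket, bob, "storage.objects.get"),
        "bob_deletes_objects": allowed(bucket, bob, "storage.objects.delete"),
        "auditor_reads_via_org": allowed(bucket, auditor, "storage.objects.get"),
    }


if __name__ == "__main__":
    for check, result in scenario_checks().items():
        print(f"{check}: {result}")
```

Nothing is bound on the bucket itself, yet every check resolves there, which is the propagation the section describes. The one part of the scenario this model leaves out is "a group member owns files that they upload": that is object-level ownership, not a project-level role, so it would be represented per object rather than in the hierarchy.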
Figure 17 Storage in Google Cloud
2.4 Containers in Google Cloud
Containers are packages of software that contain all of the necessary elements to run in any environment. In this way, containers virtualize the operating system and run anywhere, from a private data center to the public cloud or even on a developer's personal laptop.
From Gmail to YouTube to Search, everything at Google runs in containers. Containerization allows Google's development teams to move fast, deploy software efficiently, and operate at an unprecedented scale. Google has learned a lot about running containerized workloads and has shared this knowledge with the community along the way: from the early days of contributing cgroups to the Linux kernel, to taking designs from its internal tools and open sourcing them as the Kubernetes project.
2.5 Applications in the Cloud
More specifically, a cloud application is software that runs its processing logic and data storage between two different systems: client-side and server-side. Some processing takes place on an end user's local hardware, such as a desktop or mobile device, and some takes place on a remote server. Typically, one of the benefits of cloud applications is that most data storage exists on a remote server. In fact, some cloud applications can even be built to consume almost no storage space on a local device. Users interact with a cloud application via a web browser or application programming interface (API). Those are the fundamental principles of a cloud application, but exactly what gets handled between client-side and server-side, and how it changes the user experience, comes in a few different forms.
2.6 Logging and Monitoring in the Cloud
This section highlights the importance of monitoring performance in relation to product reliability, then moves on to define service level indicators (SLIs), service level objectives (SLOs), and service level agreements (SLAs). It also examines the purpose of integrated monitoring, logging, alerting, and debugging.
• Monitoring
Cloud Monitoring automatically provides metrics at the registry level. You can use Cloud Monitoring to create dashboards, such as a dashboard for the total number of active devices in a registry. You can also set up alerts for when a particular metric exceeds a threshold, such as when the amount of billable bytes sent to and from the devices in a registry exceeds a limit you've set. Cloud Logging also provides the ability to use logs-based metrics from Cloud Monitoring. You can configure user-defined metrics to gain insights such as the number of devices that published data to a particular Pub/Sub topic.
• Logging
Cloud IoT Core produces two types of logs: audit logs and device logs. Both are available for viewing in Cloud Logging.
Audit logs
Audit logs can help you answer the questions, "Who did what, where, and when?" For example, you can use audit logs to see who created a device at a particular time, who recently sent a device configuration, or when a registry's IAM policy was last set.
Cloud IoT Core writes, and provides by default, audit logs for the following Admin Activity operations. These logs don't cost anything, nor do they count toward Cloud Logging quotas.
• CreateDeviceRegistry
• DeleteDeviceRegistry
• UpdateDeviceRegistry
• CreateDevice
• DeleteDevice
• UpdateDevice
• ModifyCloudToDeviceConfig
• SetIamPolicy
Cloud IoT Core writes, and doesn't provide by default, audit logs for Data Access. These logs
are subject to Cloud Logging quotas and pricing:
• GetDeviceRegistry
• ListDeviceRegistries
• GetDevice
• ListDevices
• GetIamPolicy
Device logs
You can use device logs to find information about device connections, errors, and other lifecycle events. Whereas audit logs provide information about registry-level operations, device logs can be used to pinpoint issues with individual devices.
Device logs are not automatically collected and must be enabled manually. They are subject to their own quotas and limits that are separate from and do not count toward Cloud Logging quotas. However, they are subject to Cloud Logging pricing.
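The "who did what, where, and when" question above, worked through over audit log entries as an added example (not code from the report or from Google). The four log lines are constructed; their field names follow the Cloud Audit Logs entry layout (logName, timestamp, protoPayload.methodName, protoPayload.authenticationInfo.principalEmail, protoPayload.resourceName). The operation names come from the two lists above; the project name, principals and the allow-list of expected IAM administrators are constructed.

```python
"""Triage of Cloud Audit Log entries for the registry-level operations listed above.

Added example; not code from the report or from Google. The sample entries and
the allow-list of IAM administrators are constructed.
"""
import json
from collections import Counter
from typing import Dict, List

# Operation names from the report: Admin Activity (logged by default, free of
# charge) versus Data Access (off by default, billed and counted against quota).
ADMIN_ACTIVITY = {
    "CreateDeviceRegistry", "DeleteDeviceRegistry", "UpdateDeviceRegistry",
    "CreateDevice", "DeleteDevice", "UpdateDevice",
    "ModifyCloudToDeviceConfig", "SetIamPolicy",
}
DATA_ACCESS = {"GetDeviceRegistry", "ListDeviceRegistries", "GetDevice",
               "ListDevices", "GetIamPolicy"}

EXPECTED_IAM_ADMINS = {"admin@example.com"}   # constructed: who may change IAM policies

# Constructed newline-delimited JSON in the shape of a Cloud Logging export.
SAMPLE_LOG = """\
{"logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity", "timestamp": "2022-08-20T10:00:00Z", "protoPayload": {"methodName": "google.cloud.iot.v1.DeviceManager.CreateDevice", "authenticationInfo": {"principalEmail": "admin@example.com"}, "resourceName": "projects/example-project/locations/us-central1/registries/sensors/devices/dev-1"}}
{"logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity", "timestamp": "2022-08-20T10:05:00Z", "protoPayload": {"methodName": "google.cloud.iot.v1.DeviceManager.SetIamPolicy", "authenticationInfo": {"principalEmail": "admin@example.com"}, "resourceName": "projects/example-project/locations/us-central1/registries/sensors"}}
{"logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity", "timestamp": "2022-08-20T10:20:00Z", "protoPayload": {"methodName": "google.cloud.iot.v1.DeviceManager.SetIamPolicy", "authenticationInfo": {"principalEmail": "contractor@example.com"}, "resourceName": "projects/example-project/locations/us-central1/registries/sensors"}}
{"logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Fdata_access", "timestamp": "2022-08-20T10:30:00Z", "protoPayload": {"methodName": "google.cloud.iot.v1.DeviceManager.ListDevices", "authenticationInfo": {"principalEmail": "pipeline@example-project.iam.gserviceaccount.com"}, "resourceName": "projects/example-project/locations/us-central1/registries/sensors"}}
"""


def parse_entries(ndjson: str) -> List[Dict]:
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def operation(entry: Dict) -> str:
    """Short operation name, e.g. "SetIamPolicy", from the fully qualified methodName."""
    return entry["protoPayload"]["methodName"].rsplit(".", 1)[-1]


def classify(entry: Dict) -> str:
    op = operation(entry)
    if op in ADMIN_ACTIVITY:
        return "admin_activity"
    if op in DATA_ACCESS:
        return "data_access"
    return "other"


def triage(ndjson: str) -> Dict:
    """Count log types, attribute admin activity to principals, and flag IAM
    policy changes made by anyone outside the expected administrator set."""
    entries = parse_entries(ndjson)
    counts = Counter(classify(e) for e in entries)
    by_principal = Counter(
        e["protoPayload"]["authenticationInfo"]["principalEmail"]
        for e in entries if classify(e) == "admin_activity"
    )
    unexpected = []   # (who, where, when) for SetIamPolicy outside the allow-list
    for e in entries:
        if operation(e) == "SetIamPolicy":
            who = e["protoPayload"]["authenticationInfo"]["principalEmail"]
            if who not in EXPECTED_IAM_ADMINS:
                unexpected.append((who, e["protoPayload"]["resourceName"], e["timestamp"]))
    return {
        "counts": dict(counts),
        "admin_activity_by_principal": dict(by_principal),
        "unexpected_iam_changes": unexpected,
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Because Admin Activity logs are always on, the SetIamPolicy check works on every project without extra configuration; the ListDevices entry, by contrast, only exists because Data Access logging was enabled, which is the trade-off the section describes.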
3. Security Best Practices in Google Cloud
Here, we explored and deployed the components of a secure Google Cloud solution, including Cloud Storage access control technologies, security keys, Customer-Supplied Encryption Keys, API access controls, scoping, Shielded VMs, encryption, and signed URLs. It also covers securing Kubernetes environments.
3.1 Securing Compute Engine: Techniques and Best Practices
In this module we started with a discussion of service accounts, IAM roles and API scopes as they apply to Compute Engine. We also discussed managing VM logins, and how to use organization policies to set constraints that apply to all resources in your organization's hierarchy. Next, we reviewed Compute Engine best practices for securing Compute Engine. Lastly, we covered encrypting persistent disks with Customer-Supplied Encryption Keys.
IAM Roles:
An IAM role is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar to an IAM user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session.
API Scopes
As an API developer, you need to:
1. Decide which information you would like applications to be able to access on a user's behalf.
2. Define these access levels as custom scopes. (To learn what scopes are, read Scopes.)
3. Identify these scopes so that calling applications can use them.
Ways to Use API Access:
You can use API scopes in different ways:
• In an API where the calling application is a third-party, or external, application. In this case, the calling application will request authorization from the user to access the requested scopes, and the user will approve or deny the request.
• In an API where the calling application is a first-party application, or application that is registered under the same Auth0 domain as the API it is calling. In this case, by default, user consent is not requested, but you may configure consent to be required.
• In an API where the calling application is a back-end service, whether third-party or first-party, and no user exists. In this case, user consent is never requested.
All of these examples use scopes to limit access through use of a token. If you so choose, your API may also use additional logic beyond the token to enforce more extensive access control.
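The API-side half of the scope model above (the token limits what a caller may do, regardless of whether the caller is a third-party app, a first-party app or a back-end service with no user) as an added example. This is not code from the report, Auth0 or Google: it assumes the access token's signature has already been verified and its claims are available as a dict, and the API audience, the scope names (read:reports, write:reports, delete:reports) and the endpoint table are constructed for the example.

```python
"""Scope enforcement on an API protected by OAuth 2.0 access tokens.

Added example; not code from the report, Auth0 or Google. Assumes the token
signature was verified earlier and the claims arrive as a dict. The audience,
scope names and endpoint table are constructed.
"""
import time
from typing import Dict, Optional, Set

API_AUDIENCE = "https://reports.example.com/api"   # constructed API identifier

# Scopes each endpoint needs (constructed). A token carrying only read:reports
# cannot reach the write or delete endpoints.
ENDPOINT_SCOPES: Dict[str, Set[str]] = {
    "GET /reports": {"read:reports"},
    "POST /reports": {"write:reports"},
    "DELETE /reports": {"write:reports", "delete:reports"},
}


class AuthError(Exception):
    def __init__(self, status: int, message: str):
        super().__init__(message)
        self.status = status


def granted_scopes(claims: Dict) -> Set[str]:
    """The scope claim is a space-delimited string, e.g. "read:reports write:reports"."""
    return set(str(claims.get("scope", "")).split())


def check_token(claims: Dict, required: Set[str], now: Optional[float] = None) -> None:
    """Reject tokens issued for another API, expired tokens, and tokens that lack
    any of the required scopes."""
    now = time.time() if now is None else now
    aud = claims.get("aud")
    audiences = set(aud) if isinstance(aud, list) else {aud}
    if API_AUDIENCE not in audiences:
        raise AuthError(401, "token not issued for this API")
    if float(claims.get("exp", 0)) <= now:
        raise AuthError(401, "token expired")
    missing = required - granted_scopes(claims)
    if missing:
        # RFC 6750 uses 403 with error="insufficient_scope" for this case
        raise AuthError(403, "insufficient_scope: " + " ".join(sorted(missing)))


def handle(claims: Dict, endpoint: str, now: Optional[float] = None) -> Dict:
    """Dispatch one request; returns a small response dict instead of real HTTP."""
    required = ENDPOINT_SCOPES.get(endpoint)
    if required is None:
        return {"status": 404, "error": "unknown endpoint"}
    try:
        check_token(claims, required, now)
    except AuthError as err:
        return {"status": err.status, "error": str(err)}
    # "sub" is a user for user-delegated tokens and a client id for back-end
    # (client credentials) tokens; the scope check is identical in both cases.
    return {"status": 200, "subject": claims["sub"], "endpoint": endpoint}


if __name__ == "__main__":
    NOW = 1_660_000_000   # fixed clock so the example is deterministic
    user_token = {"sub": "auth0|user123", "aud": API_AUDIENCE,
                  "exp": NOW + 3600, "scope": "read:reports"}
    service_token = {"sub": "client-abc@clients", "aud": API_AUDIENCE,
                     "exp": NOW + 3600, "scope": "read:reports write:reports delete:reports"}
    print(handle(user_token, "GET /reports", NOW))        # 200
    print(handle(user_token, "DELETE /reports", NOW))     # 403, insufficient_scope
    print(handle(service_token, "DELETE /reports", NOW))  # 200, no user involved
    print(handle(dict(user_token, exp=NOW - 1), "GET /reports", NOW))  # 401, expired
```

The audience check is what stops a token minted for some other API from being replayed here even when its scopes happen to match; the "additional logic beyond the token" the text mentions (for example, letting a user modify only the reports they own) would sit after `check_token` passes, using `claims["sub"]`.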
3.2 Securing Cloud Data: Techniques and Best Practices
In this module we discuss controlling IAM permissions and access control lists on
Cloud Storage buckets, auditing cloud data, including finding and remediating data
that has been set to publicly accessible, how to use signed Cloud Storage URLs and
signed policy documents, and encrypting data at rest. In addition, BigQuery IAM
roles and authorized views will be covered to demonstrate managing access to
datasets and tables. The module will conclude with an overview of storage best
practices.
3.3 Application Security: Techniques and Best Practices
In this module we discussed application security techniques and best practices. We saw how Web Security Scanner can be used to identify vulnerabilities in your applications, and dived into the subject of identity and OAuth phishing. Lastly, we learned how Identity-Aware Proxy, or IAP, can be used to control access to your cloud applications.
3.4 Securing Google Kubernetes Engine: Techniques and Best Practices
Protecting workloads in Google Kubernetes Engine involves many layers of the stack,
including the contents of your container image, the container runtime, the cluster
network, and access to the cluster API server. In this module, we learned how to
securely set up our Authentication and Authorization, how to harden our clusters,
secure our workloads, and monitor everything to make sure it stays in good health.
4. Learnings from Networking in Google Cloud: Hybrid Connectivity and Network Management
Networking is a principal theme of cloud computing. It's the underlying structure of Google Cloud, and it's what connects all your resources and services to one another. This fundamental-level quest covers essential Google Cloud networking services and gives you hands-on practice with specialized tools for developing mature networks. From learning the ins and outs of VPCs to creating enterprise-grade load balancers, Networking in Google Cloud gives you the practical experience needed so you can start building robust networks right away.
4.1 Google Cloud VPC Networking Fundamentals
In this module, we're going to cover the fundamentals of Virtual Private Cloud (VPC) networking in
Google Cloud. This includes the different types of VPC objects, Internal DNS, Cloud DNS, IP aliases and
VMs with multiple network interfaces.
A Virtual Private Cloud (VPC) network is a virtual version of a physical network, implemented inside of Google's production network using Andromeda. A VPC network:
• Provides connectivity for your Compute Engine virtual machine (VM) instances, including Google Kubernetes Engine (GKE) clusters, App Engine flexible environment instances, and other Google Cloud products built on Compute Engine VMs.
• Offers native Internal TCP/UDP Load Balancing and proxy systems for Internal HTTP(S) Load Balancing.
• Connects to on-premises networks using Cloud VPN tunnels and Cloud Interconnect attachments.
• Distributes traffic from Google Cloud external load balancers to backends.
4.2 Controlling Access to VPC Networks
In this module, we're going to cover ways to control access to VPC networks. This includes Cloud Identity and Access Management (Cloud IAM) and firewall rules.
VPC Networks:
You can think of a VPC network the same way you'd think of a physical network, except that it is
virtualized within Google Cloud. A VPC network is a global resource that consists of a list of regional
virtual subnetworks (subnets) in data centers, all connected by a global wide area network. VPC
networks are logically isolated from each other in Google Cloud.
Cloud IAM:
Cloud IAM typically includes the following features:
• Single Access Control Interface. Cloud IAM solutions provide a clean and consistent access control
interface for all cloud platform services. The same interface can be used for all cloud services.
• Enhanced Security. You can define increased security for critical applications.
• Resource-level Access Control. You can define roles and grant permissions to users to access
resources at different granularity levels.
Firewall rules:
Each VPC network implements a distributed virtual firewall that you can configure. Firewall rules
allow you to control which packets are allowed to travel to which destinations. Every VPC
network has two implied firewall rules that block all incoming connections and allow all
outgoing connections.
The default network has additional firewall rules, including the default-allow-internal rule, which
permits communication among instances in the network.
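The following is an added illustration (not code from the report or from Google) of how a VPC firewall decides the fate of a packet: rules are tried from the lowest priority number upward, a deny wins over an allow at the same priority, and the two implied rules sit at priority 65535 so that any configured rule overrides them. The `Rule` type, the rule sets and the sample addresses are constructed for the example; the default-network rules shown are two of the pre-populated ones.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model of VPC firewall evaluation; not Google's implementation.


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str        # "INGRESS" or "EGRESS"
    action: str           # "allow" or "deny"
    priority: int         # 0 (highest precedence) .. 65535 (lowest)
    ranges: tuple         # CIDRs matched against the remote address
    protocols: tuple      # e.g. ("tcp", "udp") or ("all",)
    ports: tuple = ()     # empty tuple = any port


# The two implied rules that every VPC network has.
IMPLIED_RULES = (
    Rule("implied-deny-ingress", "INGRESS", "deny", 65535, ("0.0.0.0/0",), ("all",)),
    Rule("implied-allow-egress", "EGRESS", "allow", 65535, ("0.0.0.0/0",), ("all",)),
)

# Two of the pre-populated rules on the default network (priority 65534);
# 10.128.0.0/9 covers the auto-mode subnet ranges.
DEFAULT_NETWORK_RULES = (
    Rule("default-allow-internal", "INGRESS", "allow", 65534,
         ("10.128.0.0/9",), ("tcp", "udp", "icmp")),
    Rule("default-allow-ssh", "INGRESS", "allow", 65534,
         ("0.0.0.0/0",), ("tcp",), (22,)),
)


def matches(rule, direction, remote_ip, proto, port):
    """True when the rule applies to this packet."""
    if rule.direction != direction:
        return False
    if not any(ip_address(remote_ip) in ip_network(r) for r in rule.ranges):
        return False
    if "all" not in rule.protocols and proto not in rule.protocols:
        return False
    return not rule.ports or port in rule.ports


def evaluate(rules, direction, remote_ip, proto, port):
    """Return (action, rule_name) of the first matching rule in precedence order."""
    # Lower priority number first; at equal priority a deny sorts before an allow.
    ordered = sorted(tuple(rules) + IMPLIED_RULES,
                     key=lambda r: (r.priority, r.action != "deny"))
    for rule in ordered:
        if matches(rule, direction, remote_ip, proto, port):
            return rule.action, rule.name
    raise AssertionError("the implied rules match every packet")


if __name__ == "__main__":
    # Internal traffic on the default network is allowed; Internet traffic to
    # a non-SSH port falls through to the implied deny.
    print(evaluate(DEFAULT_NETWORK_RULES, "INGRESS", "10.128.0.5", "tcp", 8080))
    print(evaluate(DEFAULT_NETWORK_RULES, "INGRESS", "203.0.113.9", "tcp", 8080))
```

On a custom network with no rules of its own, the same internal packet is dropped by the implied deny, which is the behaviour the text describes for networks other than the default one.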
Routes:
Routes tell VM instances and the VPC network how to send traffic from an instance to a
destination, either inside the network or outside of Google Cloud. Each VPC network comes with
some system-generated routes to route traffic among its subnets and send traffic from eligible
instances to the internet.
You can create custom static routes to direct some packets to specific destinations.
4.3 Load Balancing
Load Balancing Definition: Load balancing is the process of distributing network traffic across multiple
servers. This ensures no single server bears too much demand. By spreading the work evenly, load
balancing improves application responsiveness. It also increases availability of applications and
websites for users. Modern applications cannot run without load balancers.
Over time, load balancers have added additional capabilities, including security and application
acceleration.
Figure 19: Load Balancers (traffic distributed across application servers)
Load Balancing and SSL:
Secure Sockets Layer (SSL) is the standard security technology for establishing an encrypted link
between a web server and a browser. SSL traffic is often decrypted at the load balancer. When a
load balancer decrypts traffic before passing the request on, it is called SSL termination. The load
balancer saves the web servers from having to expend the extra CPU cycles required for decryption.
This improves application performance.
Load Balancing and Security:
Load balancing plays an important security role as computing moves ever more to the cloud. The
off-loading function of a load balancer defends an organization against distributed denial-of-service
(DDoS) attacks. It does this by shifting attack traffic from the corporate server to a public cloud
provider. DDoS attacks represent a large portion of cybercrime as their number and size continue to
rise. Hardware defense, such as a perimeter firewall, can be costly and require significant
maintenance. Software load balancers with cloud offload provide efficient and cost-effective
protection.
5. Networking in Google Cloud
We deployed Google Cloud networking technologies, such as the interconnection
among networks, common network design patterns, Cloud NAT and the automated
deployment of networks using Terraform. The course also covers networking pricing
and billing to help you optimize your network spend and monitoring and logging
features that can help you troubleshoot your Google Cloud network infrastructure.
5.1 Hybrid connectivity
In this module, we are going to cover the Google Cloud interconnect and peering
services available to connect your infrastructure to Google Cloud.
These services are Dedicated Interconnect, Partner Interconnect, IPsec VPN, Direct
Peering and Carrier Peering.
There are two approaches for enabling hybrid connectivity:
1. One-to-one connectivity — In this setup, a VPN connection and/or Direct Connect private
VIF is created for every VPC. This is accomplished by using the virtual private gateway (VGW).
This option is great for small numbers of VPCs, but as a customer scales their VPCs, managing
hybrid connectivity per VPC can become difficult.
2. Edge consolidation — In this setup, customers consolidate hybrid IT connectivity for
multiple VPCs at a single endpoint. All the VPCs share these hybrid connections. This is
accomplished by using AWS Transit Gateway and the Direct Connect Gateway.
Figure 20: Hybrid connectivity
VPC Peering
VPC peering is point-to-point connectivity, and it does not support transitive routing. For
example, if you have a VPC peering connection between VPC A and VPC B and between
VPC A and VPC C, an instance in VPC B cannot transit through VPC A to reach VPC C. To
route packets between VPC B and VPC C, you are required to create a direct VPC peering
connection.
5.2 Network Pricing and Billing
In this module, we are going to cover how Google Cloud networking
features are charged for, how to leverage Network Service Tiers to
optimize your spend and how to administer
5.3 Network Design and Deployment
In this module, we are going to explain some common network designs, automate
the deployment of networks using Terraform and launch networking solutions
using Cloud Marketplace.
Figure 22: Network Pricing and Billing
5.4 Network Monitoring and Troubleshooting
In this module, we are going to cover network monitoring and logging
features that can help you troubleshoot your Google Cloud network
infrastructure.
Network Monitoring:
Network monitoring is the process of constantly monitoring a computer network for problems such as
slow traffic or component failure. Network monitoring tools are always scanning the network and are
designed to automatically notify network administrators via text, email, or other applications such as
Slack when a problem occurs. Network monitoring software differs from network security or
intrusion detection systems in that network monitoring is focused on internal network issues such as
overloaded routers, server failures, or network connection issues that could impact other devices.
Network Monitoring should provide:
• Visualization of the organization's complete IT and network infrastructure.
• Monitoring, troubleshooting, and remediation of network performance issues.
• Root cause analysis tools when problems occur.
• Dashboards with clear visualization tools and reports.
Types:
Network packet analyzers examine the data in each packet moving through the network, and the
information within the packets can determine if they are being routed correctly, if employees are
visiting prohibited websites, or if sensitive data including personally identifiable information (PII) such
as Social Security numbers is being exfiltrated from the network.
Application and services monitoring focuses on those systems and devices needed to maintain
network integrity, to ensure they are operating within normal limits as well as indicating which
applications are being used by which business units organization-wide.
Access Management monitoring ensures that intruders are not granted access to network
resources, for example by flagging an employee who suddenly logs on from an IP address on another
continent. This can quickly spot network vulnerabilities, help remediate them, and detect intruders
before they can do harm.
Figure 23: Network Monitoring
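The access-management check described above (a login from another continent shortly after a previous one) as an added example, not code from the report or from any Google Cloud product. The login feed, user names, addresses and the six-hour window are all constructed for the illustration; in practice the country column would come from a geolocation lookup on the source IP.

```python
from datetime import datetime, timedelta

# Constructed sample login feed (not real logs), one record per line:
# "ISO-8601 timestamp,user,source_ip,country".
SAMPLE_LOGINS = """\
2024-05-01T08:02:11Z,alice@example.com,198.51.100.7,US
2024-05-01T08:40:52Z,alice@example.com,203.0.113.45,AU
2024-05-01T09:15:03Z,bob@example.com,192.0.2.10,DE
2024-05-02T09:20:30Z,bob@example.com,192.0.2.11,DE
2024-05-01T11:00:00Z,carol@example.com,198.51.100.20,US
2024-05-01T23:30:00Z,carol@example.com,203.0.113.99,JP
"""


def parse_logins(text):
    """Parse the feed into dicts; blank and malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        ts, user, ip, country = parts
        records.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                        "user": user, "ip": ip, "country": country})
    return records


def geo_anomalies(records, window=timedelta(hours=6)):
    """Return (user, previous_country, new_country, new_ip, gap) for every login
    made from a different country than the user's previous login within `window`."""
    alerts = []
    last = {}   # user -> that user's most recent record, in time order
    for rec in sorted(records, key=lambda r: (r["user"], r["ts"])):
        prev = last.get(rec["user"])
        if prev and prev["country"] != rec["country"]:
            gap = rec["ts"] - prev["ts"]
            if gap <= window:
                alerts.append((rec["user"], prev["country"], rec["country"],
                               rec["ip"], gap))
        last[rec["user"]] = rec
    return alerts


def scan(text, window=timedelta(hours=6)):
    return geo_anomalies(parse_logins(text), window)


if __name__ == "__main__":
    # Only alice trips the check: US then AU 38 minutes apart. Carol's
    # US-to-JP change is 12.5 hours apart and bob stays in one country.
    for alert in scan(SAMPLE_LOGINS):
        print("ALERT", *alert)
```

Widening the window to 24 hours also flags carol, which shows why the threshold needs to be tuned against the organization's real travel patterns rather than picked arbitrarily.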
Network Troubleshooting:
Network troubleshooting is the process of measuring, identifying, and resolving network-related
issues. It is also defined as a logical process network engineers follow to improve the overall
network operations.
Troubleshooting is a repetitive, rigorous, and effective process that involves regular analysis and
testing of individual network components to ensure smooth operations.
Common causes of network problems:
• High bandwidth usage
• Faulty hardware
• High CPU utilization
• Poor physical connectivity
Figure 24: Steps to Troubleshoot a Network
Network Troubleshooting Flowchart
• Collect information
• Customize logs
• Check access and security
• Follow an escalation framework
• Use monitoring tools
Figure 25: Network Troubleshooting Flowchart
6. Learnings from Mitigating Security Vulnerabilities on Google Cloud
In this self-paced training course, participants learn mitigations for attacks at many points in a Google
Cloud-based infrastructure, including Distributed Denial-of-Service attacks, phishing attacks, and threats
involving content classification and use. They also learn about the Security Command Center, cloud logging
and audit logging, and using Forseti to view overall compliance with your organization's security policies.
6.1 Protecting against Distributed Denial of Service Attacks (DDoS)
Distributed Denial of Service Attacks are a major concern today and can have a huge impact on businesses
if the business is not adequately prepared. In this module we will begin with a quick discussion on how
DDoS attacks work and then review some DDoS mitigation techniques that are provided by Google Cloud.
We will finish up with a review of complementary partner products and a lab where you will get a chance to
see some DDoS mitigations in action.
Distributed denial of service (DDoS) attacks are a subclass of denial of service (DoS) attacks. A DDoS attack
involves multiple connected online devices, collectively known as a botnet, which are used to overwhelm a
target website with fake traffic.
DoS vs. DDoS
The differences between regular and distributed denial of service assaults are substantive. In a DoS attack,
a perpetrator uses a single Internet connection to either exploit a software vulnerability or flood a target
with fake requests, usually in an attempt to exhaust server resources (e.g., RAM and CPU).
Types of DDoS Attacks
1. Application layer attacks (a.k.a. layer 7 attacks) can be either DoS or DDoS threats that seek to overload
a server by sending a large number of requests requiring resource-intensive handling and processing.
Among other attack vectors, this category includes HTTP floods, slow attacks (e.g., Slowloris or RUDY)
and DNS query flood attacks.
2. Network layer attacks (a.k.a. layer 3-4 attacks) are almost always DDoS assaults set up to
clog the "pipelines" connecting your network. Attack vectors in this category include UDP
flood, SYN flood, NTP amplification and DNS amplification attacks, and more.
6.2 Content-Related Vulnerabilities: Techniques and Best Practices
In this module we will discuss threats to your content. First, we review the threat of
ransomware and some of the mitigations you can utilize in Google Cloud to help
protect your systems from it. Then we will move to a discussion of threats related
to data misuse and privacy violations and discuss a few mitigation strategies that
can be utilized to protect applications and systems.
6.3 Monitoring, Logging, Auditing and Scanning
Collecting, processing, aggregating, and displaying real-time quantitative data is
helpful in supplying raw input into business analytics and in facilitating analysis of
security breaches. Google Cloud provides many services and features to help with
this, and that is what this module is all about. In this module we will investigate
Cloud Monitoring and Cloud Logging, Cloud Audit Logs, and then discuss how to
leverage Forseti Security to systematically monitor your Google Cloud resources.
Directory Sync and Single Sign-On. We will end with some authentication best
practices.
7.3 Cloud Identity and Access Management (Cloud IAM)
Figure 27: Cloud IAM
• Cloud Identity and Access Management (Cloud IAM) lets administrators
authorize who can take action on specific resources, giving you full control and
visibility to manage your cloud resources centrally. More specifically, we will
cover: the Resource Manager, which enables you to centrally manage projects,
folders, and organizations; IAM roles and policies, including custom roles; and
Cloud IAM best practices, including separation of duties and the principle of
least privilege.
• IAM lets you grant granular access to specific Google Cloud resources and helps prevent
access to other resources. IAM lets you adopt the security principle of least privilege, which
states that nobody should have more permissions than they actually need.
This model for access management has three main parts:
• Principal. A principal can be a Google Account (for end users), a service account (for
applications and compute workloads), a Google group, or a Google Workspace account or
Cloud Identity domain that can access a resource. Each principal has its own identifier, which
is typically an email address.
• Role. A role is a collection of permissions. Permissions determine what operations are
allowed on a resource. When you grant a role to a principal, you grant all the permissions
that the role contains.
• Policy. The allow policy is a collection of role bindings that bind one or more principals to
individual roles. When you want to define who (principal) has what type of access (role) on a
resource, you create an allow policy and attach it to the resource.
In the preceding diagram, for example, the allow policy binds principals, such as
user@example.com, to roles, such as the App Engine Admin role
(roles/appengine.appAdmin). If the allow policy is attached to a project, the principals gain the
specified roles within the project.
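An added illustration (not the IAM API and not code from the report) of the principal/role/policy model: bindings name typed members, a principal's effective permissions are the union of every role bound to it on the resource and its ancestors, and a least-privilege check is simply the difference between what was granted and what is needed. The permission sets are illustrative subsets of the real roles; the custom role, the group, the service account and the policies are constructed, with `user@example.com` bound to `roles/appengine.appAdmin` as in the diagram.

```python
# Constructed model of allow-policy evaluation; not the IAM API.
# Permission sets are illustrative subsets, not the full role definitions.
ROLE_PERMISSIONS = {
    "roles/viewer": {"compute.instances.get", "compute.instances.list",
                     "storage.objects.get"},
    "roles/appengine.appAdmin": {"appengine.applications.get",
                                 "appengine.applications.update",
                                 "appengine.services.delete"},
    # Hypothetical custom role carrying only the two permissions it needs.
    "projects/demo/roles/instanceReader": {"compute.instances.get",
                                           "compute.instances.list"},
}


def member_matches(member, principal, groups):
    """Binding members are typed: user:, serviceAccount:, group: or domain:."""
    kind, _, value = member.partition(":")
    if kind in ("user", "serviceAccount"):
        return value == principal
    if kind == "group":
        return value in groups.get(principal, ())
    if kind == "domain":
        return principal.endswith("@" + value)
    return False


def effective_permissions(policies, principal, groups=None):
    """Union over the resource hierarchy (organization, folder, project):
    a role granted on a parent is inherited by every resource beneath it."""
    groups = groups or {}
    perms = set()
    for policy in policies:
        for binding in policy["bindings"]:
            if any(member_matches(m, principal, groups) for m in binding["members"]):
                perms |= ROLE_PERMISSIONS[binding["role"]]
    return perms


def has_permission(policies, principal, permission, groups=None):
    return permission in effective_permissions(policies, principal, groups)


def excess_permissions(policies, principal, needed, groups=None):
    """Least-privilege check: what the principal can do beyond what it needs."""
    return effective_permissions(policies, principal, groups) - set(needed)


# Constructed policies: the folder grants auditors read access, the project
# mirrors the diagram's binding of user@example.com to App Engine Admin.
FOLDER_POLICY = {"bindings": [
    {"role": "roles/viewer", "members": ["group:auditors@example.com"]},
]}
PROJECT_POLICY = {"bindings": [
    {"role": "roles/appengine.appAdmin", "members": ["user:user@example.com"]},
    {"role": "projects/demo/roles/instanceReader",
     "members": ["serviceAccount:inventory@demo.iam.gserviceaccount.com"]},
]}
GROUPS = {"auditor@example.com": {"auditors@example.com"}}  # constructed membership
```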
Roles and permissions
A role contains a set of permissions that allows you to perform specific actions on
Google Cloud resources. To make permissions available to principals, including users,
groups, and service accounts, you grant roles to the principals.
Role types
There are three types of roles in IAM:
• Basic roles, which include the Owner, Editor, and Viewer roles that existed prior to the
introduction of IAM.
• Predefined roles, which provide granular access for a specific service and are managed by
Google Cloud.
• Custom roles, which provide granular access according to a user-specified list of
permissions.
7.4 VPCs for Isolation and Security
• Managed networking on Google Cloud utilizes a Virtual Private Cloud (or
VPC). In this module we will discuss VPC-related security concepts including:
VPC firewalls, load balancing SSL policies, network Interconnect & peering
options, VPC network best practices and VPC flow logs. You will also have
the opportunity to practice what you've learned by completing the lab
exercises "Configuring VPC Firewalls" and "Configuring and Using VPC Flow
Logs in Cloud Logging."
8. Learnings from Hands-On Labs in Google Cloud for Security Engineers
This course helps learners prepare for the Professional Cloud Security
Engineer (PCSE) Certification exam.
8.1 Configuring Access Within a Cloud Solution Environment
• Learned how to set up the Organization, Folder, and Project
hierarchy. Explored Organization policies, defined service
accounts, groups, and custom IAM roles, and bound custom or
predefined roles to users, groups, and service accounts.
8.2 Configuring Network Security
• Learned how to define VPC architecture for the Organization to
ensure appropriate resource isolation, firewall rules to
control/restrict traffic flow into and out of these VPCs, and
private IP connectivity to resources in VPCs.
8.3 Ensuring Data Protection
• Learned how to define DLP and VPC Service Controls processes
for the Organization as well as the encryption and key
management scheme.
8.4 Managing Operations in a Cloud Environment
• Learned about automating Google Cloud security features
into the organizational CI/CD flow and utilizing Logging
and Monitoring for security forensics and alerting.
8.5 Ensuring Compliance
• Explored organizational security design considerations to
satisfy specific compliance/regulatory requirements (SOC2,
PCI-DSS, HIPAA).
9. Conclusions and Future Scope
• As we have noted throughout this book, cloud computing has the potential to be a disruptive
force by affecting the deployment and use of technology. The cloud could be the next
evolution in the history of computing, following in the footsteps of mainframes,
minicomputers, PCs, servers, smart phones, and so on, and radically changing the way
enterprises manage IT. Yes, plenty of questions are still left to be answered regarding
security within the cloud and how customers and cloud service providers (CSPs) will
manage issues and expectations, but it would be a severe understatement to say simply
that cloud computing has generated interest in the marketplace.
• The hype regarding cloud computing is unavoidable. It has caught the imagination of
consumers, businesses, financial analysts, and of course, the CSPs themselves. Search for
"cloud computing" on the Internet and you will uncover thousands of articles defining it,
praising it, ridiculing it, and selling it.
• So powerful is the term cloud computing that according to some, just the mere mention of it
may help to drive additional attention and revenues for providers. Take, for example, the
case of Salesforce.com. According to Marc Benioff, CEO of Salesforce.com, his software-as-
a-service (SaaS) organization did not embrace the use of the term until he read an article
that referred to Google and Amazon as cloud computing leaders in December 2007. Soon
afterward, Salesforce.com started ...
Cloud security is gaining center stage, and attackers are growing more
sophisticated. Luckily, the security industry is rising to the challenge with new
security tools and platforms:
• XDR—providing unified threat detection and response across cloud, on-premises
networks, and endpoints.
• SSE—comprehensively securing access for remote users.
• SSPM—locking down SaaS applications.
• ZTNA—centralized access control built for dynamic cloud environments.
• WAAP—securing web applications and APIs, the user-facing interfaces of cloud
systems.
In 2022 and beyond, organizations will adopt these new technologies to address a
new wave of cloud threats and secure the core of our evolving digital economy.
Future Scope
• In reference to securing the cloud, there are several meanings: securing the
ideal cloud for your company, ensuring you migrate to the right cloud with
innovative support, securing your brand's future and protecting your brand,
ensuring it's safe, secure and risk free.
• Essentially, if you're considering purchasing one of Amazon's or
Microsoft's cloud-based services, you're buying into world-class abilities at
keeping data secure. Security can therefore be perceived as a convincing
motivation to migrate to cloud-based systems rather than a reason to ignore
them.
• The challenges exist not in the security of the cloud itself but in the policies and
technologies for security and control of the technology. Most enterprises are
accustomed to the cloud, or at least the notion of it, but misconceptions and
misunderstandings about what the technology can offer still remain.
Uncertainty about the advantages of cloud computing is compounded by
numerous genuine and imaginary concerns about the security and control
implications of different cloud models.