My Journey to Conquering the Google Cloud Professional Cloud Security Engineer Exam!
In this article, I will share my experience of passing the Google Cloud Professional Cloud Security Engineer exam in August 2023.
If you’re interested in related topics, feel free to check out these other articles:
Introduction
In my job, I have been involved in Google Cloud projects that manage various aspects of an organization, such as maintaining the network and handling Identity and Access Management (IAM). Drawing from these experiences, I decided to assess my cloud security skills by taking the exam.
Scope of the Certification and My Impressions After Taking the Exam
Configure Access Within a Cloud Solution Environment
- Access Control: It’s essential to employ proper Identity and Access Management (IAM) strategies. These include Organization IAM, Folder IAM, Project IAM, and Resource IAM. Additionally, you’ll need to understand the inheritance mechanisms within IAM.
- Organization Policy: An Organization Policy controls resources across all projects. For example, it may impose restrictions on Service Account creation and limit the sharing of Cloud Storage Buckets.
- Resource Hierarchy Design: Utilize folders to segregate departments and control resource access through Folder IAM.
- Active Directory Federation: You can use Google Cloud Directory Sync to federate user identities between Google Cloud and your Active Directory (AD) server.
Configure Network Security
- Implied Network Rules: You must remember the implied firewall rules on Google Cloud: every VPC network has an implied rule that denies all ingress and an implied rule that allows all egress.
- Firewall Priority: A firewall rule's priority is an integer, and a lower number means a higher priority.
- Network Connection: Understand the type of connection methods. There are several connection methods such as VPC Network Peering, Cloud VPN, and Cloud Interconnect.
Ensure Data Protection
- Protect the Data: Utilize VPC Service Controls to manage APIs and mitigate the risk of data exfiltration.
- Conceal Sensitive Data: Employ Cloud Data Loss Prevention (DLP) to encrypt or mask sensitive data like Personally Identifiable Information (PII). The method of encryption you choose may vary depending on whether you’ll need to decrypt the data later, with options including complete masking or deterministic encryption.
Manage Operations Within a Cloud Solution Environment
- Key Management: Manage encryption keys using Cloud Key Management Service (KMS). It’s crucial to understand envelope encryption and related terms like Customer-Managed Encryption Keys (CMEK), Customer-Supplied Encryption Keys (CSEK), Data Encryption Keys (DEK), and Key Encryption Keys (KEK).
- Preserve Secrets: Utilize Secret Manager to safeguard sensitive information such as API keys.
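As an added illustration of the envelope-encryption terms above (this is example code, not from the original post or from Google's libraries): the data is encrypted under a per-object DEK, and only the DEK is encrypted under the KEK. A local AES key stands in for the KEK that Cloud KMS would hold, and the function names are assumptions of this example.

```go
package main
import "crypto/aes"
import "crypto/cipher"
import "crypto/rand"
import "errors"

// must panics on error: key sizes are fixed below and entropy comes from the OS.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// seal returns nonce || ciphertext under AES-256-GCM with a fresh random nonce.
func seal(key, plaintext []byte) []byte {
	aead := gcm(key)
	nonce := make([]byte, aead.NonceSize())
	must(rand.Read(nonce))
	return aead.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; it fails on a wrong key or any tampering with the data.
func open(key, sealed []byte) ([]byte, error) {
	aead := gcm(key)
	if n := aead.NonceSize(); len(sealed) >= n {
		return aead.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, errors.New("ciphertext too short")
}

// EnvelopeEncrypt: fresh DEK per object, data sealed under the DEK, DEK sealed
// under the KEK. With Cloud KMS the wrap step is the Encrypt call on the KEK's
// resource name; here a local AES key stands in for the KEK so this runs offline.
func EnvelopeEncrypt(kek, plaintext []byte) (wrappedDEK, ciphertext []byte) {
	dek := make([]byte, 32)
	must(rand.Read(dek))
	return seal(kek, dek), seal(dek, plaintext)
}

// EnvelopeDecrypt unwraps the DEK with the KEK (KMS Decrypt in production),
// then decrypts locally; the KEK is never applied to the data itself.
func EnvelopeDecrypt(kek, wrappedDEK, ciphertext []byte) ([]byte, error) {
	dek, err := open(kek, wrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, ciphertext)
}
```

Only the pair (wrappedDEK, ciphertext) is stored; rotating or disabling the KEK in KMS controls access to every DEK without re-encrypting the data itself.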
Ensure Compliance
- Logs and Log Buckets: Familiarize yourself with different types of logs, including Audit Logs and Data Access Logs. By default, there are two log buckets: _Default and _Required.
- Preserve Logs: Various methods are available for log sinking, including Pub/Sub, BigQuery, and Cloud Storage Buckets. The method you choose should depend on how you intend to use the logs.
My Learning Path
I have been involved in these fields for 1.5 years, and some practical skills have been particularly helpful in passing the exam:
- Designing IAM Roles: Tailor IAM roles for different groups within the organization, such as admins, developers, analysts, etc.
- Using Cloud Identity: Manage members and groups effectively through Cloud Identity.
- Implementing Organization Policies: Establish policies to create a secure cloud environment.
- Best Practices Knowledge: Understand the best approaches for using Organizations, Folders, and Projects to manage various projects.
- Network Fundamentals: Basic understanding of networking is crucial.
In addition to hands-on experience, I also used a mock examination course on Udemy to brush up on my knowledge:
https://www.udemy.com/course/g-professional-cloud-security-engineer-practice-tests/
Reflections After Passing the Exam
After diving into Cloud Security Engineering, I realized there were details about each service that I had not fully understood. This was especially true for Cloud Key Management Service (KMS), where I found myself lacking knowledge about envelope encryption.
Through this exam, I gained a comprehensive understanding of Cloud Security on Google Cloud and had the opportunity to reflect on my work. I wholeheartedly recommend embarking on this journey and taking the exam!