CDL - Security

Question 1

What are the 5 key GCP security products?

Answer 1

1. IAM
2. Cloud Identity
3. BeyonCorp Enterprise
4. Identity-Aware Proxy
5. Managed Services for Microsoft Active Directory

Question 2

What is GCP Cloud Identity?

Answer 2

The management of user identities, devices, and applications from one console.

Question 3

What is GCP IAM?

Answer 3

The establishment of fine-grained identity (role creation) and access management (role access) from the GCP console.

Question 4

What is GCP Identity-Aware Proxy?

Answer 4

Service that allows you to use identity and context to guard access to your applications and VMs

Question 4

What is BeyondCorp Enterprise?

Answer 4

GCPs zero-trust solution that 1) enables secure access and 2) integrated data threat protection

Question 5

What is Managed Service for Micosoft AD? (?)

Answer 5

The use of a highly available, hardened service running Microsoft AD

Question 6

What is GDPR? (exam)

Answer 6

General Data Protection Regulation - An EU privacy law applied to entities that collect and analyze data tied to EU residents.

Question 6

What is GCP Compliance Reports Manager?

Answer 6

Put simply, they are downloadable PDFs that demonstrate that GCP is compliant with various compliance and security standards.

Question 6

What is ISO & ISE?

Answer 6

International organization for Standardization +

International Electrotechnical Commission

Question 7

What are the different ISO/ESI compliance standards?

Answer 7

ISO/ESO
27001 - control of implementation guidance (exam )

27017 - enhanced focused on cloud security

27018 - protection of personal data in the cloud (PII)

27701 - Privacy Information Management System (PIMS) framework that outlines controls and processes to manage data privacy and protect PHII

Question 8

What is SOC?

Answer 8

System and Organization Controls

Question 9

What is SOC 2?

Answer 9

Evaluates internal controls, policies, and procedures that directly relate to the security of a system at a service organizations.

Question 10

What is FIPS 140-2? (exam)

Answer 10

Stands for Federal Information Processing Center that sets security standards and requirements for cryptographic modules.

Note: FIPS 140-3 is better and more secure.

Question 10

What is HIPPA?

Answer 10

Health Insurance Portability and Accountability Act - Law that regulates PII

Question 11

What is FedRAMP? (exam)

Answer 11

Federal Risk and Authorization Management Program.

US Gov standardized approach to security authorizations for CSP.

Question 12

In an effort to remain transparent, what are Google’s Trust Principles?

Question 12

What are GCPs Privacy Practices?

Question 13

What is DDoS?

Answer 13

Distributed Denial of Service.

A malicious attack that floods a website with large amounts of traffic.

Question 14

What is Cloud Armor? What are its two billing options?

Answer 14

It is a DDoS and Web Application Firewall (WAF) service.

1. PAYG
2. Managed Protection Plus (3k monthly)

Question 15

What makes Cloud Armor stand out from the competition?

Answer 15

It combines DDoS and and Web Application Firewall in one service, whereas most CSP do not.

Question 16

How does Cloud Armor protect clients?

Answer 16

1. Access controls via IP and Geo attributes
2. Supports hybrid and mult-cloud deployments
3. Cloud Load Balancing protection - detects and mitigates attacks on LBs
4. Pre-define WAF rules that mitigate 10 most cyber attacks.
5. Named IP lists
6. Visibility and monitoring

Question 17

What is Security Command Center?

Answer 17

A centralized security and risk management platform for GCP resources.

Question 18

What is Private Catalog? Benefits? (?)

Answer 18

PC is the packaging of GCP resources into a service offering that is made available and is discoverable internally only.

Benefits - Allows you to provide access policies based on roles to remain compliant.

Question 19

What are some SCC features?

Answer 19

1. Asset discovery and inventory (accounting for services within your environment)
2. Threat detection
3. Threat prevention

Question 20

What is SCC Asset discovery and inventory feature?

Answer 20

Provides inventory and historical information about your GCP cloud resources.

Question 21

What is SCC’s threat detection function?

Answer 21

Threat detection audits your cloud resources for security and vulnerability

Question 22

What is SCCs threat prevention function?

Answer 22

Threat prevention fixes security misconfiguration with single-click remediation.

Question 23

What is Data Loss Prevention?

Answer 23

A GCP service that DETECTS and PROTECTS sensitive information with GCP storage repositories

Question 23

What is Personally identifiable information (PII)?

Answer 23

Any data that can identify a person – birthday, full name, email address, mailing address, etc.

Question 24

What is Protected Health Information?

Answer 24

Any data that can identify health information of a patient

Question 25

How does DLP work?

Answer 25

1. Tools to mask, tokenize, or transform sensitive data
2. Automates tagging, remediation, or policy based findings
3. DLP connects into Security Command Center – or can be exported to your own SEIM

Question 26

What is BeyondCorp? Why is it needed?

Answer 26

BC is GCPs implementation of the zero trust model

Needed bc malicious actors by-pass conventional access controls (network level)

Question 27

What is the Zero Trust foundational principle?

Answer 27

“Trust no one, verify everything”

Question 28

What is a zero trust model?

Answer 28

ZT puts identity as the primary security perimeter to be protected.

User trust - identity + behavior (GCP Cloud Identity)

Device trust - identity + posture (GCP Endpoint Verification)

Question 29

What collection of services comprise BeyondCorp?

Answer 29

1. Access context manager - The rules engine (?)
2. Cloud IAP (Cloud IAM + Cloud Identity) + VPC Service controls (?)

Question 29

What is Access Context Manager’s function? How does it work?

Answer 29

Works to protect mobile workforces utilizing BYOD secure.

Works by allowsing org admins to define fine-grained, attribute based access controls.

Question 30

What are VPC Service Controls?

Answer 30

They allow you to create a service perimeter, which function like a firewall for GCP APIs.

Created through Access Level Policies. (?)

Question 31

When creating access policies within Access Control Manager, what are some attributes considered??

Answer 31

You can create access policies around:

• Device type
• OS
  -IP Address
• User identity

Question 32

Considering VPC service controls, how are access levels implemented?

Answer 32

They are automatically created for you when you create an access level, service perimeter or turn on IAP

Question 32

What is Cloud Identity Aware Proxy? What is it an alternative to?

Answer 32

Cloud IAP lets you establish a CENTRALIZED AUTHORIZATION LAYER for apps resources accessed via HTTPS.

Cloud IAP is an alternative to network level firewalls.

Question 33

What is BeyondCorp Enterprise?

Answer 33

A ZT model platform

Question 34

How does BeyondCorp Enterprise work? What does it protect against?

Answer 34

Via Chrome Browser Cloud Management, it protects Chrome users from malware & phishing as they download/upload files.

Question 35

What sets BeyondCorp apart from other ZT services?

Answer 35

1. Agentless - built into the browser. Hence easy adoption.
2. Rely’s on GCP Global infrastructure - 144 edge locations in over 200 countries

Question 36

What are some features of BeyondCorp Enterprise?

Answer 36

1. Identity and context-aware access controls - identity, device, contextual factors
2. Integrated threat and data protection - DLP, altering, and reporting.
3. Supports cloud, on-prem, hybrid environments.

Question 37

What is FIPS 140-2

Answer 37

Federal Information Processing Standard

A US & CA gov standard that specifies requirements for cryptographic modules (?) that product sensitive information.

Question 38

Whats a cryptographic module?

Answer 38

Hardware or software that performs cryptographic functions, such as encryption and decryption to protect sensitive data.

Question 39

What is the difference between cloud identity and IAM?

Answer 39

Cloud identity - foundational for user creation/identity management

IAM - pertains to the granular control of ACCESS to resources. .

Question 40

Different between Cloud Identity and IAM?

Answer 40

IAM provides more granular access controls.