CDL - Security Flashcards
What are the 5 key GCP security products?
- IAM
- Cloud Identity
- BeyondCorp Enterprise
- Identity-Aware Proxy
- Managed Services for Microsoft Active Directory
What is GCP Cloud Identity?
The management of user identities, devices, and applications from one console.
What is GCP IAM?
The establishment of fine-grained identity (role creation) and access management (role access) from the GCP console.
What is GCP Identity-Aware Proxy?
Service that allows you to use identity and context to guard access to your applications and VMs
What is BeyondCorp Enterprise?
GCP's zero-trust solution that 1) enables secure access and 2) integrates data and threat protection
What is Managed Service for Microsoft AD? (?)
The use of a highly available, hardened service running Microsoft AD
What is GDPR? (exam)
General Data Protection Regulation - An EU privacy law applied to entities that collect and analyze data tied to EU residents.
What is GCP Compliance Reports Manager?
Put simply, they are downloadable PDFs that demonstrate that GCP is compliant with various compliance and security standards.
What is ISO & IEC?
International Organization for Standardization +
International Electrotechnical Commission
What are the different ISO/IEC compliance standards?
ISO/IEC
27001 - control implementation guidance (exam)
27017 - enhanced focus on cloud security
27018 - protection of personal data in the cloud (PII)
27701 - Privacy Information Management System (PIMS) framework that outlines controls and processes to manage data privacy and protect PII
What is SOC?
System and Organization Controls
What is SOC 2?
Evaluates internal controls, policies, and procedures that directly relate to the security of a system at a service organization.
What is FIPS 140-2? (exam)
Stands for Federal Information Processing Standard, which sets security standards and requirements for cryptographic modules.
Note: FIPS 140-3 is better and more secure.
What is HIPAA?
Health Insurance Portability and Accountability Act - Law that regulates PII
What is FedRAMP? (exam)
Federal Risk and Authorization Management Program.
US Gov standardized approach to security authorizations for CSPs.
In an effort to remain transparent, what are Google’s Trust Principles?
What are GCPs Privacy Practices?
What is DDoS?
Distributed Denial of Service.
A malicious attack that floods a website with large amounts of traffic.
What is Cloud Armor? What are its two billing options?
It is a DDoS and Web Application Firewall (WAF) service.
- PAYG
- Managed Protection Plus (3k monthly)
What makes Cloud Armor stand out from the competition?
It combines DDoS protection and a Web Application Firewall in one service, whereas most CSPs do not.
How does Cloud Armor protect clients?
- Access controls via IP and Geo attributes
- Supports hybrid and multi-cloud deployments
- Cloud Load Balancing protection - detects and mitigates attacks on LBs
- Pre-defined WAF rules that mitigate the 10 most common cyber attacks.
- Named IP lists
- Visibility and monitoring
What is Security Command Center?
A centralized security and risk management platform for GCP resources.
What is Private Catalog? Benefits? (?)
PC is the packaging of GCP resources into a service offering that is made available and is discoverable internally only.
Benefits - Allows you to provide access policies based on roles to remain compliant.
What are some SCC features?
- Asset discovery and inventory (accounting for services within your environment)
- Threat detection
- Threat prevention
What is SCC Asset discovery and inventory feature?
Provides inventory and historical information about your GCP cloud resources.
What is SCC’s threat detection function?
Threat detection audits your cloud resources for security and vulnerability
What is SCCs threat prevention function?
Threat prevention fixes security misconfiguration with single-click remediation.
What is Data Loss Prevention?
A GCP service that DETECTS and PROTECTS sensitive information within GCP storage repositories
What is Personally identifiable information (PII)?
Any data that can identify a person – birthday, full name, email address, mailing address, etc.
What is Protected Health Information?
Any data that can identify health information of a patient
How does DLP work?
- Tools to mask, tokenize, or transform sensitive data
- Automates tagging, remediation, or policy based findings
- DLP connects into Security Command Center – or findings can be exported to your own SIEM
What is BeyondCorp? Why is it needed?
BC is GCP's implementation of the zero trust model
Needed because malicious actors bypass conventional (network-level) access controls
What is the Zero Trust foundational principle?
“Trust no one, verify everything”
What is a zero trust model?
ZT puts identity as the primary security perimeter to be protected.
User trust - identity + behavior (GCP Cloud Identity)
Device trust - identity + posture (GCP Endpoint Verification)
What collection of services comprises BeyondCorp?
- Access context manager - The rules engine (?)
- Cloud IAP (Cloud IAM + Cloud Identity) + VPC Service controls (?)
What is Access Context Manager’s function? How does it work?
Works to keep mobile workforces utilizing BYOD secure.
Works by allowing org admins to define fine-grained, attribute-based access controls.
What are VPC Service Controls?
They allow you to create a service perimeter, which functions like a firewall for GCP APIs.
Created through Access Level Policies. (?)
When creating access policies within Access Context Manager, what are some attributes considered?
You can create access policies around:
- Device type
- OS
- IP Address
- User identity
Considering VPC service controls, how are access levels implemented?
They are automatically created for you when you create an access level, service perimeter or turn on IAP
What is Cloud Identity Aware Proxy? What is it an alternative to?
Cloud IAP lets you establish a CENTRALIZED AUTHORIZATION LAYER for app resources accessed via HTTPS.
Cloud IAP is an alternative to network level firewalls.
What is BeyondCorp Enterprise?
A ZT model platform
How does BeyondCorp Enterprise work? What does it protect against?
Via Chrome Browser Cloud Management, it protects Chrome users from malware & phishing as they download/upload files.
What sets BeyondCorp apart from other ZT services?
- Agentless - built into the browser. Hence easy adoption.
- Relies on GCP Global infrastructure - 144 edge locations in over 200 countries
What are some features of BeyondCorp Enterprise?
- Identity and context-aware access controls - identity, device, contextual factors
- Integrated threat and data protection - DLP, alerting, and reporting.
- Supports cloud, on-prem, hybrid environments.
What is FIPS 140-2?
Federal Information Processing Standard
A US & CA gov standard that specifies requirements for cryptographic modules (?) that protect sensitive information.
What's a cryptographic module?
Hardware or software that performs cryptographic functions, such as encryption and decryption to protect sensitive data.
What is the difference between cloud identity and IAM?
Cloud identity - foundational for user creation/identity management
IAM - pertains to the granular control of ACCESS to resources.
Difference between Cloud Identity and IAM?
IAM provides more granular access controls.