Google Cloud Professional Security Engineer, Exam Tips
Google Certified Professional Security Engineer exam tips (exam was 2 hours, 50 questions, completed in 1 hour):
1st Section (managing cloud identity)
● Configuring Google Cloud Directory Sync and implementing single sign-on (SSO) with a third-party identity provider.
● Managing a super administrator account.
● Automating the user lifecycle management process.
● Administering user accounts and groups programmatically.
● Configuring Workforce Identity Federation.
--> The one that kept coming up (about 3 questions) was related to WIF; it also tests your understanding of least privilege concepts when granting access/capabilities to users.
2nd Section (managing service accounts)
● Securing and protecting service accounts (including default service accounts).
● Identifying scenarios requiring service accounts.
● Creating, disabling, and authorizing service accounts.
● Securing, auditing, and mitigating the usage of service account keys.
● Managing and creating short-lived credentials.
● Configuring Workload Identity Federation.
● Managing service account impersonation.
--> This one is similar to other cloud exams: you need to really understand what a service account is, how service accounts are best used, and how impersonation is used to grant access to and communicate with other services.
3rd Section (managing authentication)
● Creating a password and session management policy for user accounts.
● Setting up Security Assertion Markup Language (SAML) and OAuth.
● Configuring and enforcing 2-step verification.
--> For this one, just understand what SAML is and why MFA is important.
4th Section (managing and implementing authorization controls)
● Managing privileged roles and separation of duties with Identity and Access Management (IAM) roles and permissions.
● Managing IAM and access control list (ACL) permissions.
● Granting permissions to different types of identities using IAM conditions and IAM deny policies.
● Denying access control at the organization, folder, project, and resource level using the principle of least privilege.
● Configuring Access Context Manager.
● Applying Policy Intelligence.
● Managing permissions through groups.
● Identifying use cases and configuring Privileged Access Manager.
--> Understanding the structure of Org, Folder, Project and Resources is key. When the case is about least privilege, choose the answer that grants the least privilege and avoid those that say "grant XXX to YYY for the org", for example. It's obvious.
Designing and configuring perimeter security
● Configuring network perimeter controls (e.g., Cloud Next Generation Firewall [Cloud NGFW] rules and policies, Identity-Aware Proxy [IAP], load balancers, and Certificate Authority Service).
● Setting up application layer inspection on Cloud NGFW (e.g., layer 7).
● Differentiating between private and public IP addressing.
● Configuring web application firewalls (e.g., Google Cloud Armor).
● Deploying Secure Web Proxy.
● Configuring Cloud DNS security settings.
● Continually monitoring and restricting configured APIs.
--> One of the easiest parts if you have done any cloud work deploying applications according to best practices, or have been engaged in landing zone setup, etc.
Configuring boundary segmentation
● Configuring security properties of a VPC network, VPC peering, Shared VPC, and firewall rules.
● Configuring network isolation and data encapsulation for N-tier applications.
● Identifying use cases and configuring VPC Service Controls.
--> VPC Service Controls is key: understand VPC peering, complete isolation, and ensuring traffic only flows from a certain part of the network. Not hard. The only things new for me were Shared VPC and VPC Peering; the rest is similar to other clouds.
Establishing private connectivity
● Designing and configuring private connectivity between VPC networks and Google Cloud projects (Shared VPC, VPC peering, and Private Google Access for on-premises hosts).
● Designing and configuring private connectivity and encryption between data centers and a VPC network (e.g., HA VPN, Cloud Interconnect).
● Establishing private connectivity between a VPC and Google APIs (Private Google Access, Private Google Access for on-premises hosts, restricted Google access, Private Service Connect).
● Using Cloud NAT to enable outbound traffic.
--> This is also an easy part, very similar to other clouds apart from Shared VPC and VPC Service Controls. If "most cost effective" is part of the question, then usually VPN is the answer (not Cloud Interconnect). Also, if you want to ensure a private connection from on-premises to Google Cloud, how do you achieve it?
Protecting sensitive data and preventing data loss
● Configuring Sensitive Data Protection (SDP) (e.g., discovering and redacting personally identifiable information (PII), configuring pseudonymization and format-preserving encryption).
● Restricting access to Google Cloud data services (e.g., BigQuery, Cloud Storage, and Cloud SQL datastores).
● Securing secrets with Secret Manager.
● Protecting and managing compute instance metadata.
Managing encryption at rest, in transit, and in use
● Identifying use cases for Google default encryption, customer-managed encryption keys (CMEK), and Cloud External Key Manager (EKM).
● Determining when to use software and hardware keys.
● Creating and managing encryption keys for CMEK and EKM (e.g., key rotation and revocation, key import).
● Applying encryption methods to various use cases.
● Configuring object lifecycle policies for Cloud Storage.
● Enabling Confidential Computing.
--> This is a bit harder. Really understand how DLP in Google works, the DLP API, which de-identification can be reversed and which cannot, what confidential computing is, what encryption is and how it works depending on requirements, CMEK, CSEK, GMEK and key rotation. I think about 5-7 questions were related to this.
Securing AI Workloads: just study how to secure Vertex AI.
Automating infrastructure and application security
● Automating security scanning for Common Vulnerabilities and Exposures (CVEs) through a continuous integration and delivery (CI/CD) pipeline.
● Configuring Binary Authorization to secure GKE clusters or Cloud Run.
● Automating virtual machine and container image creation (e.g., hardening, maintenance, VM patch management).
● Managing policy and drift detection at scale (e.g., cloud security posture management, custom organization policies and custom modules for Security Health Analytics).
Configuring logging, monitoring, and detection
● Configuring and analyzing network logs (Cloud Next Generation Firewall [Cloud NGFW], VPC flow logs, Packet Mirroring, Cloud Intrusion Detection System [Cloud IDS], Log Analytics).
● Designing an effective logging strategy.
● Logging, monitoring, responding to, and remediating security incidents.
● Designing secure access to logs.
● Exporting logs to external security systems.
● Configuring and analyzing Google Cloud Audit Logs and data access logs.
● Configuring log exports (log sinks and aggregated sinks).
● Configuring and monitoring Security Command Center.
--> My favourite part, because this is also my day-to-day conversation related to Security Command Center, CVEs, monitoring and logging. Easy. Basically 1 question for each topic above. The hardest part was Binary Authorization on Cloud Run, since I haven't done it, but I did answer validation to see what made the most sense.
Lastly:
Adhering to regulatory and industry standards requirements for the cloud
● Determining technical needs relative to compute, data, network, and storage.
● Evaluating the shared responsibility model.
● Configuring security controls within cloud environments to support compliance requirements (e.g., Assured Workloads, organizational policies, Access Transparency, Access Approval, regionalization of data and services).
● Determining the Google Cloud environment in scope for regulatory compliance.
● Mapping compliance requirements to Google Cloud services and security controls (e.g., network and access segmentation, audit log coverage).
--> This is also an easy part. Just understand the shared responsibility model and Access Transparency.
OK, now about study materials:
Overall, the exam is not difficult; if I can do it, you definitely can. I think it's worth it to emphasize your knowledge of Cloud Security.
#googlecloud #cybersecurity #examtips
Security Architect Lead @Accenture | CISSP | ISSAP | CCSP | CISM | GC-PCA | ISO27001 LI/LA | CEH | TOGAF
thanks bang Yos for sharing 👍