My inaugural experience with the Google Cloud Platform dates back to 2017. Embarking on the journey to become a Google Cloud Professional Security Engineer (GCPSE) may not seem extraordinary at first glance, yet it provides invaluable insights into the subtle world of cloud security. I’ve often contemplated whether the proficiency needed to provision and secure cloud resources is universally applicable across different platforms like Google Cloud Platform (GCP), and this quest for knowledge sparked my curiosity.
Achieving certifications as a Cloud Security Engineer from major Cloud Service Providers (CSPs) like Microsoft Azure and Amazon Web Services (AWS), I felt drawn to broaden my expertise by mastering GCP. I wished to find out whether the skills I had accumulated were transferable or exclusive to each platform.
My role as a Senior Security Researcher at Eminence Ways further fueled this interest. During a security assessment for a client’s project, I learned that they deployed their workloads using the Google Cloud Platform. They had recently experienced a security incident, which brought to light the need for improved cloud security measures. Despite my conviction that cloud platform skills can be interchanged, I was confronted with the realization that each platform’s products and practices vary significantly in purpose. Consequently, I struggled to provide concise, effective input, which stimulated me to consider acquiring the GCPSE certification.
For years, I had passively engaged with Google Cloud but never ventured into deploying resources or designing multi-tier applications from scratch, utilizing security best practices and automation. As a Cloud Security Engineer, I recognized the responsibility goes beyond just securing workloads in the cloud. It’s also imperative to ensure their availability and scalability.
Navigating GCP’s unique approach to managing Identity and Access Management (IAM) and Resource Hierarchy was a learning curve. It demanded a thoughtful design of the hierarchy structure from the organization node to the project/resource level. Adhering to the principle of least privilege (POLP) while maintaining the required permissions posed a fascinating challenge.
Throughout this journey, I’ve formulated some personal observations about GCP that I consider noteworthy and beneficial from other cloud platforms:
- The Data Loss Protection (DLP) API is a superior security solution within GCP that intelligently prevents data leakage.
- The IAM hierarchy in the Google Cloud Platform (GCP) differs from other cloud platforms. It includes various levels such as organization, folder, resource, and service account (SA) based permissions.
- The Google Common Expression Language (CEL) offers an advanced tool for creating custom Web Application Firewall (WAF) rules, querying data through the Cloud Operation Dashboard, and more.
- Cloud Intrusion Detection System (IDS) leverages mirrored traffic to identify anomalies and malicious patterns, thereby detecting potential threats like SQL Injection, Cross-Site Scripting (XSS), and brute-force attacks.
- Google Kubernetes Engine(GKE) is one of the most beautiful things in the platform which has features like integrated developer tools, is open and flexible, and with baseline security and compliance.
About Exam:
GCPSE is a 2-hour long exam comprising 60 questions the exam can be given online proctored or through authorized test centers. The questions are mostly scenarios based on real-life incidents and actual problems that may arise in the Google Cloud Platform in the context of security. The questions are confusing which requires us to read the questions more carefully and choose the best solutions/answers.
There is a feature to flag questions for future review in case if you have any doubts
Learning Materials:
In preparation of the exam
- Hands-on practice labs.
- Google Cloud Learn.
- Quizlet flash cards.
- Google Cloud Security Videos and Whitepapers.
In conclusion, the journey toward becoming a GCPSE has been insightful, and the acquired knowledge has enhanced my ability to contribute more effectively to cloud security discussions and implementations.