I helped Design the Google Professional Cloud Security Engineer Exam
Last summer I had the amazing opportunity to represent my company, Cloudreach, and partner with Google for a workshop to curate their newly released Professional Cloud Security Engineer exam. I was able to collaborate with Google’s security professionals, lend my expertise in the security space, and produce a certification aimed at challenging and certifying individuals looking to enhance their knowledge in Cloud security. Now that the certification is officially out of Beta, I wanted to share my experience and give bit more insight for those looking to take the exam.
The workshop was divided into two parts and took place at their headquarters in San Jose, CA, and Seattle, WA respectively. It was my first time participating in the creation of a professional exam, and let me say creating an exam is harder and much more complicated than taking one.
We were a small team of experts (dubbed the Job Task Analysis team) with various backgrounds in security and were first tasked with creating our target audience and goals for this exam. Questions, such as “What background expertise are we expecting this professional to have?” and “What topics are key for this individual to know regarding securing an enterprise in general and in the Google Cloud Platform?” were posed in order to come up with the description of the appropriate candidate for the exam. Using mind mapping exercises we were able to identify that this exam should be aimed for the professional level (so an individual with at least 3–5 years of experience in the cloud technology and security field) versus the associate level. we wanted this individual to already have a foundation in cloud and technology basics and couple this experience with an enterprise security focus.
Once we established the target audience and description of the ideal candidate, it was time to narrow down what we were assessing and build out the exam. As a security professional, I asked myself what would I be looking for in a candidate wishing to join my team and enhance an organization’s security position, not only in the cloud but more specifically using the tools provided in the Google Cloud Platform? Security topics are vast but we were able to hone in on the following important aspects to convey what this test will be assessing:
Configuring access within a cloud solution environmentConfiguring network securityEnsuring data protectionManage operations within a cloud solution environmentEnsuring compliance
Now that we have this outline for let’s break this down to explain a bit more on what we are specifying, shall we?
Configuring access within a cloud solution environment
First and foremost when beginning to build your cloud architecture you must think about access control. Access control is a security technique that regulates who or what can view or use resources in a computing environment. It is a fundamental concept in security that minimizes risk to the business or organization. In regards to this exam, we are looking for how you manage your organization’s overall IAM. This includes configuring user accounts, service accounts and keys, password policies, resource hierarchies, and authorization controls.
Configuring network security
It is in a security professional’s best interest to understand how cloud networking differs from your traditional on-premises data center environments. One of the primary challenges with network security in cloud computing is an enterprise’s lack of network visibility to monitor and tackle suspicious activity. To tackle this topic it is important for a security professional to understand the security concepts of designing network security in the cloud (think the different VPC options) and network segmentation.
Ensuring data protection
No matter what industry you work in you will almost certainly have come across a story about how “data” is changing the face of our world. In today’s ever-connected digital world, data is king — organizations and attackers alike are vying to collect it, albeit for different reasons. As a security professional you should ensure you have adequate controls in place to protect and detect the data in your organization. This includes DLP methods, managing encryption at rest, and managing encryption keys.
Managing operations within a cloud solution environment
Cloud operations encompass the process of managing and delivering cloud services and infrastructure to either an internal or an external user base. This involves ensuring peak performance and maintaining availability in order to satisfy the needs and expectations of customers and meet service level agreement standards. Here you should take a deep dive into the concepts of building and deploying infrastructure (think backup and data loss strategies, security scanning for CVEs), building and deploying applications, and monitoring and logging security events in order for proper investigation and incident response.
Depending on the nature of your business, there are many forms of compliance that your company and its employees must uphold. Taking steps to meet your legal obligations might seem like a management no-brainer, but only fulfilling your minimum requirements might result in missed opportunities. Understanding the reasons for the various rules, laws, and regulations that govern your business will help you take advantage of any benefits they offer while ensuring you stay in compliance at all times. Make sure you have an understanding of the different regulatory concerns (GDPR, PCI-DSS), Google’s security shared responsibility model, and determining which compute environment is appropriate based on your company compliance standards
You will be tested on these concepts, and much more, in a two-hour multiple choice exam. If you are already familiar with working in Cloud environments, and more specifically GCP, then building upon your already learned concepts will be straightforward. For those not familiar with cloud environments or have not had hands-on experience with the Google Platform I encourage you to take their fundamental Coursera courses to get started.