GCP Security
43 cards — 🟢 1 easy | 🟡 21 medium | 🔴 10 hard
🟢 Easy (1)
1. What is Identity Platform?
Google Cloud Identity Platform is an authentication service that allows developers to easily integrate authentication and identity services into their applications. It supports multiple identity providers, enabling user authentication and management.
🟡 Medium (21)
1. What are the use cases of IAP?
Identity-Aware Proxy (IAP) is a GCP service that provides centralized access management for GCP resources. Use cases for IAP include:
* Secure Remote Access: Allows employees or users to securely access resources from anywhere without a VPN.
* Web Application Protection: Protects web applications from unauthorized access.
* Granular Access Control: Enables fine-grained access control based on user identity rather than network location.
2. Explain Google Cloud SQL.
It's a fully managed relational database service supporting MySQL, PostgreSQL, and SQL Server. It provides automated backups, replication, and patches, and is ideal for applications that need a relational database without the hassle of managing one.
3. Explain roles and permissions.
A role is an encapsulation of a set of permissions. For example, the "Owner" role has more than 3000 permissions assigned across the different components and services of GCP.
Remember: Three role types: Basic (Owner/Editor/Viewer — broad), Predefined (service-specific), Custom (user-defined).
Gotcha: Basic roles are too broad for production. Use predefined or custom roles for least privilege.
Number anchor: Owner role has 3000+ permissions. Viewer has ~300. Use the IAM recommender to right-size.
4. What are OS policies? or How can you perform automatic patch management in GCP? or How do you ensure a certain package is installed on all incoming VMs?
OS Policies in GCP enable administrators to define and enforce policies on operating systems across VM instances. This includes automatically managing OS patches, updating packages, and enforcing configurations to ensure consistency and security compliance across the infrastructure. Through OS policies, administrators can define rules for automatic patch management, ensuring that specific packages are installed or updated on all incoming VMs as they are provisioned.
5. What is Cloud Identity-Aware Proxy (IAP)?
IAP is a service that controls access to web applications running on GCP. It grants access to applications based on a user's identity and context, rather than the traditional method of using a VPN. IAP offers:
* Context-Aware Access: It considers user identity and context, such as device security status and geographic location, to grant access.
6. What is Customer-Supplied Encryption Key (CSEK)?
It's a feature that lets customers supply and manage their own encryption keys for data at rest in GCP services.
Key Points:
* Customer Control: Customers generate and manage their encryption keys outside of GCP.
* Data Encryption: Customers can use these keys to encrypt their data before storing it in GCP services.
Use Case:
CSEK enables customers to maintain control over their data encryption keys, ensuring an additional layer of security and compliance for sensitive data stored in GCP.
7. Describe Google Cloud Armor.
Cloud Armor is a DDoS and application defense service providing security against web-based threats. It offers customizable defenses to secure internet-facing applications. Key features include:
* DDoS Protection: Defends against volumetric and protocol-based DDoS attacks.
8. What are sole-tenant nodes?
Sole-Tenant Nodes are physical Compute Engine servers dedicated to a single user or organization. They offer the advantage of complete control over instance placement on the host hardware. This is beneficial for workloads with specific hardware, security, or compliance requirements that necessitate dedicated resources.
9. Describe GCP's approach to GDPR compliance.
GCP offers features to assist customers in their GDPR compliance efforts by providing tools for data protection and control. GCP has designed its services to help customers comply with GDPR. Here's how GCP approaches GDPR compliance:
10. What are service accounts in GCP?
Service accounts represent non-human users and are used to authenticate and authorize calls to GCP APIs. They are designed to authenticate the code running on GCP rather than a person. Service accounts can be assigned specific roles and permissions to access GCP resources securely, allowing fine-grained control over what services can do within the GCP ecosystem.
11. What is the VMware Engine offering of GCP?
VMware Engine is a fully managed VMware environment on GCP that allows enterprises to migrate and run their VMware workloads natively in the cloud. It provides a consistent infrastructure and operational experience for organizations already using VMware, enabling them to seamlessly extend their on-premises VMware environment to GCP without needing to re-architect applications. It offers a familiar environment while taking advantage of GCP's scalability, reliability, and global reach.
12. What is packet mirroring in GCP?
Packet Mirroring in GCP is a feature that allows you to capture and mirror network traffic for inspection and analysis. It copies and forwards specific packets to a collector destination for detailed examination, aiding in security monitoring, debugging, and analysis. By duplicating network traffic, you can inspect and analyze data without disrupting the live traffic flow, enhancing security and troubleshooting capabilities.
13. What is Web Security Scanner in GCP?
Web Security Scanner is a GCP service that helps identify security vulnerabilities in web applications. It analyzes web applications for common security vulnerabilities, including cross-site scripting (XSS), mixed content, and outdated libraries. The scanner performs automated and manual tests on web applications, providing detailed reports on identified vulnerabilities and recommended fixes.
14. What is Identity-Aware Proxy (IAP) in GCP?
IAP is a GCP service that provides a central authentication and authorization service for applications running on GCP. It allows you to control access to web applications by verifying the identity of users and checking their permission levels before granting access. With IAP, you can secure access to your applications based on user identity and access policies without requiring a VPN.
15. What is Access Context Manager in GCP?
Access Context Manager provides centralized access control for GCP resources by defining fine-grained, attribute-based access control policies. It allows administrators to set policies based on contextual attributes such as IP address, device security status, location, and time, ensuring access to resources is granted only when specific criteria are met.
16. What is Cloud Data Loss Prevention (DLP) in GCP?
Cloud DLP is a service for scanning, classifying, and redacting sensitive data across GCP services. It offers:
* Data Inspection and Classification: Identifies sensitive data within GCP storage services.
* Redaction and Anonymization: Allows for redacting or anonymizing sensitive data to protect privacy and confidentiality.
* Policy Enforcement: Defines and enforces data loss prevention policies.
17. What are organisation policies?
Organization Policies in Google Cloud Platform (GCP) are a set of rules and constraints that an organization administrator can define and enforce across the entire organization's GCP resources. These policies help control and govern the behavior of the resources within the organization. They can include restrictions on resource creation, configuration settings, and access control rules, ensuring compliance with regulatory requirements and organizational standards.
18. How does GCP ensure data security?
GCP employs multiple layers of security, including encryption at rest and in transit, IAM, and compliance certifications.
* Encryption: Data in transit and at rest is encrypted using strong encryption protocols.
19. What is Istio in GCP?
Istio is an open-source service mesh that helps control the flow of traffic between services. It provides a uniform way to connect, manage, and secure microservices, offering features like traffic management, security, and observability. Istio's key functionalities include service discovery, load balancing, traffic control, authentication, and observability, allowing developers fine-grained control over their service interactions.
20. What are source repositories in GCP?
Google Cloud Source Repositories is a version control service that makes it easy for teams to collaborate on code. It provides a scalable, fully featured, Git-based repository for source code, allowing developers to manage and track changes across teams or even organizations. It integrates seamlessly with other GCP tools, facilitating CI/CD workflows, code review, and collaboration.
21. What is the BeyondCorp Enterprise product of GCP?
BeyondCorp Enterprise is Google's modern security model designed to enable secure access to applications, resources, and data without a traditional VPN. It's based on zero trust principles, eliminating the concept of a trusted internal network and ensuring every access request is authenticated, authorized, and encrypted. It provides continuous and adaptive access control, considering factors like device security posture, location, and context when granting or denying access.
🔴 Hard (10)
1. Explain Resource Manager in GCP.
GCP Resource Manager is a hierarchical organization tool for managing and governing resources. It allows organizations to organize and manage their GCP resources, projects, and services, offering centralized control over resource allocation, permissions, and organization policies. It provides a clear view of resource usage and access control, enabling consistent and efficient management across an organization's GCP projects.
2. Describe Identity and Access Management (IAM) in GCP.
IAM manages access control for GCP resources, allowing granular permissions to be set for users and services.
Key Aspects:
* Principle of Least Privilege: Grants only the necessary permissions to entities based on their roles.
* Resource Hierarchy: Manages permissions across organizations, folders, and projects.
3. How does Google Cloud Key Management Service (KMS) work?
KMS is a cryptographic key management service that allows the creation, storage, and management of cryptographic keys for use by other GCP services.
* Key Creation and Management: KMS enables the generation, rotation, and destruction of encryption keys. Customers have control over these keys and can manage their lifecycle.
4. How does GCP handle data governance and compliance requirements?
GCP provides a range of compliance certifications and features for meeting data governance requirements. It provides tools and controls for data classification, access controls, encryption, and auditing to meet industry-specific compliance standards. GCP services such as Cloud IAM, Data Loss Prevention (DLP), and security tools assist in ensuring compliance with regulations and organizational policies.
5. How does GCP handle compliance with various regulations?
GCP maintains a robust compliance program, aligning with global standards and regulations, ensuring that the platform meets the strict standards set by different industries and regions. GCP maintains a wide array of certifications, including SOC 1, 2, and 3, ISO 27001, PCI DSS, HIPAA, and GDPR compliance. Here's how GCP handles compliance:
6. What do you understand by Chronicle?
Chronicle is Google's cybersecurity intelligence platform that leverages massive data analysis and machine learning to detect and mitigate cybersecurity threats. It is designed to handle large-scale data using Google's infrastructure, enabling security analysts to detect and understand threats. Chronicle helps identify security incidents across an organization's entire digital infrastructure and provides a comprehensive view of threats.
7. What was the need for reCAPTCHA Enterprise? How do you use it? How does it work?
reCAPTCHA Enterprise is designed to protect websites and applications from abusive activities, such as fraud, spam, and other forms of automated abuse. The need arose from increasing online abuse by bots, which impacts user experience and security. It uses adaptive risk analysis to distinguish between human and automated interactions, providing a frictionless user experience while protecting against malicious activity.
8. How do we do SSH using IAP?
Secure Shell (SSH) using IAP involves setting up IAP to allow SSH connections to virtual machine instances without exposing them to the public internet. You can grant users or groups the necessary permissions to connect to the VM instance using SSH. This setup involves configuring IAP access, ensuring the user has the required permissions to connect via SSH, and establishing SSH connections through the GCP Console or the gcloud command-line tool.
9. How does Security Command Center work? or What is Security Command Center?
Security Command Center (SCC) is a GCP service designed for centralized security risk and compliance monitoring. It provides comprehensive visibility into your GCP environment by collecting, analyzing, and alerting on security data from GCP services. SCC continuously monitors and aggregates security-oriented telemetry, including findings from various GCP services and third-party partners.
10. What is the difference between Workload Identity and Workload Identity Federation?
* Workload Identity: Allows GCP workloads to assume identities in a secure manner for accessing GCP resources without using service account keys.
* Workload Identity Federation: Expands the capabilities of Workload Identity by allowing integration with external identity providers, enabling a broader range of identity systems to access GCP resources securely.