Date created: January 30, 2019
Last updated: March 2, 2021
Exam Completed: February 15, 2019

Part 1: Introduction
Part 2: Post Exam Review
Part 3: Daily Study
Part 4: Tips and Advice
Part 5: Final Exam

Update March 29, 2019. Google invited me to take part in creating the final security exam. Jump to Part 5.

Update March 2, 2021. I have to recertify. New article: Google Professional Cloud Security Engineer Recertification

Part 1: Introduction

On January 24, 2019, Google announced two new professional level certifications. The security certification beta runs from February 8, 2019, to February 28, 2019, and the networking certification beta from February 2 to February 23, 2019. Those are the dates available in my area (Seattle).

I have decided to take the security certification beta now. I signed up with Kryterion to take the exam on February 11, 2019. The exam is four hours long and should be very challenging. This blog will track my progress as I prepare to take this certification and the results. I only have ten days to prepare, so this should be interesting given I do not have another Google Cloud certification. I have both AWS specialty certifications for security and networking. I plan to take the Google Cloud networking exam at some point.

Update (Feb-10-19)- I scheduled the Professional Cloud Network Engineer exam beta for February 22, 2019. Might as well knock out that certification attempt as well. I have started another article for the network exam.

Update (Feb-10-19) – Because of the bad weather in Seattle, the testing center will be closed tomorrow. I might be able to schedule for Wednesday pending the weather report tomorrow.

Update (Feb-12-19) – Rescheduled exam for Feb-15-2019. I had a hard time getting another exam scheduled. The testing center is booked. Kryterion told me that the number of people taking GCP exams has exploded. This is very interesting and matches what I have seen with customer interest in Google Cloud.

My background includes extensive work in security, including software development and forensics going back over two decades. I also have two other professional level certifications in security: one with AWS and the other with CWNP. My other certifications are listed here.

I have worked with Google Cloud off and on for about eight years. However, starting in 2018 I began to work with Google Cloud a lot. Google’s services and market really took off last year. I think the reason is their excellent big data platforms. I feel that I have a good chance of passing the security certification as I have really focussed on Google Cloud security and I have written several articles about Google Cloud on this website.

I am creating a list of training materials I plan to use to prepare and then in detail for each day. After I take the certification, I will write a review on how well these materials fit into the beta exam.

Note: In the past, I have watched many excellent security videos by Google. I will list each one after I refind them. I plan to watch each one again.

I do not believe in just watching videos. You can watch a video on golf, but you have to hit the range to practice repeatedly. Same thing with any IT service. Study the fundamentals, read the FAQ and documentation and then design these services into something you can test against.

Study, practice and repeat. Every year new services are enhanced/released. New technologies are announced. New vulnerabilities are discovered. Building secure systems is not something you guess at. You either know how to build security into your designs or you don’t.

Update: March 29, 2019:

Special Mention: Loonycorn

Over the past few months, I have taken a number of courses by “Loonycorn” authors: Janani Ravi and Vitthal Srinivasan. They are specializing in Google Cloud Platform and Google Big Data. Their courses are fantastic. Last month they released many new Google courses on Pluralsight. Click each author’s name above to see the course list.

Special Mention: Google Qwiklabs

As part of my goal to dig deep into Google Cloud Platform, I used Google Qwiklabs almost every day for four months. I continue to use Qwiklabs often. During the past four months, I completed 20 Quests and over 215 labs. The ability to follow pre-designed labs for practice is very useful when combined with consistent everyday study sessions. Qwiklabs has a great value and protects you from unplanned expenses when you forget and leave resources running in the cloud. Similar to cooking in the kitchen, following a recipe gives you a foundation to build upon and create your own recipes.

Link to my profile on Google Qwiklabs.

Google Cloud Developer’s Cheat Sheet

Very nice poster, courtesy of Greg Wilson, that shows the large breadth of Google Cloud Platform. Project home page.

Identity and Security section from Greg’s poster:

Special Mention: Exam Reviews from other test takers:

If you have taken this exam, send me an email with a link to your article and I will put your review on this list: blog@jhanley.com

Part 2: Post Exam Review

The test is 133 questions with four hours to complete it.

Overall, this test is very good quality with only a few minor things here and there. Nothing that would affect your score. However, this test is much too long. After 80 questions, I was tired, and I had problems staying 100% focussed. This exam is very hard. You will really need to know Google services and Google best practices for security. Read those whitepapers.

My tips after taking the exam. These tips might save you from failing.

  1. Study the security whitepapers. Further down is a list of whitepapers to study.
  2. Study Google Cloud networking. Understand VPCs, Firewalls, Peering, etc.
  3. Study IAP.
  4. Study Active Directory integration with IAP.
  5. Study DLP.
  6. Study KMS and Encryption.

The number one item that surprised me was the number of networking related questions. I have MVP awards in both security and networking, so this should not surprise me that Google considers networking a vital component in security. I am taking the Google Professional Cloud Network Engineer Certification on February 22. At that time I will know which one to take first (networking or security). Just plan to take both so you have that advanced level of knowledge covering both.


Update March 13, 2019

I passed the Network Engineer exam.

Update Feb 27, 2019

I took the Network Engineer exam on the 22nd. The network exam is a bit harder and there is not much overlap of security knowledge on the network exam. There is some overlap of network knowledge on the security exam. However, the network knowledge required for the network exam is much deeper and more complex with a big focus on hybrid technologies (VPNs, Interconnect, etc.) that is not present on the security exam. Both exams are challenging and require a solid knowledge of GCP services. You can pass the network exam without solid GCP security knowledge; however, you will not pass the security exam without solid GCP network knowledge.

Which one should you take first? This is a toss-up. I love both topics so my interest level for both is very high every day. I recommend a program where you prepare for both exams interleaving security and networking. Take the security exam first, then polish your hybrid networking skills and then take the network exam.


I was right in that encryption and KMS would be all over the exam. Make sure you understand DEK, KEK, CMEK, CSEK, and KMS. There was only one question where HSM was mentioned.

I practiced hard with Identity-Aware Proxy (IAP). I wished that I would have done more homemade labs on IAP. There were a lot of questions on IAP.

Google places high importance on understanding identity in this exam. Study each identity-related service including federation (AD -> Google Identity) and how to synchronize identity providers. Make sure you know G Suite enough to set everything up. It surprised me that G Suite was on the exam. I was prepared at a basic level as I use G Suite for my domain and email.

IAM was everywhere. Make sure you understand IAM at the Organization and Project level.

Another area that surprised me was the CLI gcloud or rather the lack of gcloud. I had expected a lot of questions that would require solid knowledge of command line statements. There were none.

There were several questions on DLP. I was not well prepared for this service. I knew the basics but not enough for this exam.

The exam had many questions on security best practices. I wish that I would have spent more time drilling into the security whitepapers.

My recommendations, which I am reading again post-exam:

In this article, I documented a lot of the material I studied to prepare. I recommend that you watch every video, document, and whitepaper. Then add a lot more to my list. Google’s security exam is broad and deep. The “Professional” part really means it. The Google Security exam is harder than the AWS Security Specialty.

What would I do differently now that I have taken the exam? I would allocate more time, maybe four weeks instead of two and study the whitepapers more in-depth. I would spend more time on Active Directory with Google Identity. I would spend more time on IAP. I would spend more time on DLP.

Part 3: Daily Study
January 29, 2019 – Day #1 – Preparation Start:
  • A thorough review of the certification exam guide. I printed this document and then checked off every area I was not at an advanced level with. I then narrowed down this list to 10 areas to focus on, one per day.
  • I searched the Internet for training materials for Google Cloud Security. The list of materials available is listed above. I did a cram session on Linux Academy’s security essentials course. This is an excellent introductory level course and made for a good review of the basics. I made notes of areas to focus on. I spent a lot of time in the Google console making sure I knew all details well.
  • Total time spent: the entire day – about 12 hours.
  • I only plan to spend about two hours per day from now until the exam. However, I like to start with a cram session so I have a solid understanding of my weak areas. Then I can create a realistic plan to succeed.
January 30, 2019 – Day #2 – KMS, HSM and Encryption

Today my focus is on KMS and encryption for GCP.

Encryption and the management of encryption permissions and keys is a very important topic for cloud services. I expect that this topic will be everywhere on the Google exam. As I prepare for certification, I will review the encryption features for each GCP service in detail.

Documents Studied:
Videos Watched:
Interesting new term: ALTS

Google’s Application Layer Transport Security (ALTS) is a mutual authentication and transport encryption system developed by Google and typically used for securing Remote Procedure Call (RPC) communications within Google’s infrastructure. ALTS is similar in concept to mutually authenticated TLS but is designed and optimized to meet the needs of Google’s data center environments.

Interesting new product / technology: BoringSSL

Tip: This is on the exam

BoringSSL is a fork of OpenSSL that meets Google’s needs. Currently, BoringSSL is the SSL library in Chrome/Chromium, Android (but it’s not part of the NDK) and several other apps/programs.

Action items requiring more study/work before the exam:
  • Istio – Linux Academy shows Istio being used for VM to VM traffic. Their slide showed this as user configurable.
Interesting Points:
  • All data within GCP is encrypted. This means “At Rest” and “In Transit”.
  • Encrypted data is broken into chunks and distributed across data centers with unique keys.
  • Each chunk uses its own unique key for encryption.
  • The key for each chunk is itself encrypted by another key.
  • HSM is not available on global keyrings.
  • Google supports public-key wrapped CSEK (Customer Supplied Encryption Key) also called RSA key wrapping. Details here and here.
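The DEK/KEK chain in the points above, as an added Go example that is not from the original post or from Google's own code: every chunk gets its own DEK, the DEK is wrapped by a versioned KEK standing in for a Cloud KMS key, rotating the KEK does not re-wrap existing chunks (they keep the version they were created with), and destroying an old version makes any chunk still wrapped by it unreadable until it has been re-wrapped. The type names, the AES-256-GCM wrapping and the in-memory key versions are my assumptions; Google's real storage implementation differs.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KEK models a Cloud KMS key as 1-based key versions; the newest is primary.
// A destroyed version is kept as nil so version numbers recorded on data stay valid.
type KEK struct{ versions [][]byte }

// Rotate adds a new primary version; older versions remain usable for unwrapping.
func (k *KEK) Rotate()       { k.versions = append(k.versions, randBytes(32)) }
func (k *KEK) Primary() int  { return len(k.versions) }
func (k *KEK) Destroy(v int) { k.versions[v-1] = nil } // DEKs wrapped under v are now lost

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy: fail closed rather than risk a repeated key or nonce
	}
	return b
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // every live key here is 32 bytes, so this cannot fail
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // only fails for non-standard block sizes
	return aead
}

// seal is AES-256-GCM with the random nonce prepended to the ciphertext.
func seal(key, plaintext []byte) []byte {
	aead := gcm(key)
	nonce := randBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; it fails on tampering or on the wrong key.
func open(key, ct []byte) ([]byte, error) {
	aead := gcm(key)
	if len(ct) < aead.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return aead.Open(nil, ct[:aead.NonceSize()], ct[aead.NonceSize():], nil)
}

// Chunk is one stored unit: its ciphertext plus its own DEK wrapped by one KEK version.
type Chunk struct {
	KEKVersion int
	WrappedDEK []byte
	Ciphertext []byte
}

// EncryptChunk encrypts data under a fresh DEK and wraps that DEK with the primary KEK.
func EncryptChunk(k *KEK, data []byte) Chunk {
	kek := k.versions[k.Primary()-1] // destroying the primary version is an operator error
	dek := randBytes(32)
	return Chunk{k.Primary(), seal(kek, dek), seal(dek, data)}
}

// unwrap recovers the DEK with the KEK version recorded on the chunk, not the primary.
func unwrap(k *KEK, c Chunk) ([]byte, error) {
	v := c.KEKVersion
	if v < 1 || v > len(k.versions) || k.versions[v-1] == nil {
		return nil, fmt.Errorf("KEK version %d unavailable", v)
	}
	return open(k.versions[v-1], c.WrappedDEK)
}

// DecryptChunk returns the plaintext, or an error if the chunk's KEK version is gone.
func DecryptChunk(k *KEK, c Chunk) ([]byte, error) {
	dek, err := unwrap(k, c)
	if err != nil {
		return nil, err
	}
	return open(dek, c.Ciphertext)
}

// Rewrap moves a chunk to the primary KEK version. Only the wrapped DEK changes; the
// data ciphertext is untouched. Rotating the KEK never does this on its own.
func Rewrap(k *KEK, c *Chunk) error {
	dek, err := unwrap(k, *c)
	if err != nil {
		return err
	}
	c.WrappedDEK, c.KEKVersion = seal(k.versions[k.Primary()-1], dek), k.Primary()
	return nil
}
```

The same shape explains the BigQuery behaviour noted later in this article: a table keeps the key version it was created with until something re-wraps it.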
Total time spent today: about 4 hours.
January 31, 2019 – Day #3 – Encryption & Services

Today my focus is on encryption and individual Google services. My first task is to create a lab practicing with CMEK (Customer Managed Encryption Keys) for BigQuery.

Tip: BigQuery was not on the exam. CMEK was.

Documents Studied:
Videos Watched:
Interesting Points:
  • BigQuery does not support the global region for KeyRings or keys.
  • You need the BigQuery service account to set up permissions for KMS. The easiest way is via the CLI:
    • bq show --encryption_service_account
  • No special arrangements are required to query a table protected by Cloud KMS.
  • You can change the encryption key using the bq update command. You can also change the encryption key when copying a table using the bq cp command.
  • You can remove the encryption key using the bq cp command copying the table to itself.
  • BigQuery does not automatically rotate a table encryption key when the Cloud KMS key associated with the table rotates. Existing tables continue to use the key version with which they were created. New tables will use the current key version.
  • BigQuery supports the SQL command SESSION_USER() which returns the email address of the user running the query. Documentation here.
Total time spent today: about 2 hours.
February 1, 2019 – Day #4 – Network Security

Section 2 of the exam guide is “Configuring Network Security”. Today I will start an in-depth review of Google Cloud Networking.

Tip: Lots of networking questions on the exam.

Documents Studied:
Videos Watched:
Interesting Points:
  • Google Andromeda
    • Google Cloud customers now enjoy significantly improved intra-zone network latency with the release of Andromeda 2.1, a software-defined network (SDN) stack that underpins all of Google Cloud Platform (GCP). The latest version of Andromeda reduces network latency between Compute Engine VMs by 40% over Andromeda 2.0 and by nearly a factor of 8 since we first launched Andromeda in 2014.
  • Legacy Networks
    • You can still create a legacy network, which has no subnets. Legacy networks have a single global IP range. You cannot create subnets in a legacy network or switch from legacy to auto or custom VPC networks. Documentation here and here.
  • Network performance is related to VM core count.
  • Private Google Access enables VM instances with only internal (private) IP addresses (no external IP addresses) to reach the public IP addresses of Google APIs and services. You enable Private Google Access at the subnet level. When enabled, instances in the subnet that only have private IP addresses can send traffic to Google APIs and services through the default route (0.0.0.0/0) with a next hop to the default Internet gateway.
  • A VPC Service Controls service perimeter controls access to Google APIs and services. To enable Private Google Access within a service perimeter, your VM instances must send requests to restricted.googleapis.com instead of *.googleapis.com. Enabling this feature provides access to supported Google APIs and services.
  • Jupiter Data-center Fabric
  • B4 Backbone
    • Datacenter to Datacenter
    • SDN platform
    • High throughput (multiple terabits)
  • B2 Backbone
    • Google to the Internet
    • Protected network with high SLA
    • Traffic is carried as far as possible on Google (cold potato)
  • Espresso
    • SDN to Peering Edge
    • Faster, Low-latency access to Google Services – best availability & user experience
    • Dynamically choose from where to serve customers based on end-to-end requirements.
  • Access Transparency
    • Trust is paramount when choosing a cloud provider. We want to be as open and transparent as possible, allowing customers to see what happens to their data. Now, with Access Transparency, we’ll provide you with an audit log of authorized administrative accesses by Google Support and Engineering, as well as justifications for those accesses, for many GCP services, and we’ll be adding more throughout the year. With Access Transparency, we can continue to maintain high performance and reliability for your environment while remaining accountable to the trust you place in our service.
Today’s Summary:

The more that I prepare for the security exam the more that I also want to take the networking exam. I am very experienced at an advanced networking level both for data centers and cloud infrastructures. Tomorrow I will review the networking certification exam guide and consider scheduling that exam also.

Update – I scheduled the Professional Cloud Network Engineer exam beta for February 22, 2019. Might as well knock out that certification attempt also.

Total time spent today: about 4 hours.
February 2, 2019 – Day #5 – Network Security

Section 2 of the exam guide is “Configuring Network Security”. Today I will continue my in-depth review of Google Cloud Networking.

Documents Studied:
Videos Watched:
Interesting Points:
  • DSR (Direct Server Return)
    • When the packet arrives at the selected service endpoint, it is decapsulated and consumed. The response, when ready, is put into an IP packet with the source address being the VIP and the destination address being the IP of the user. We use Direct Server Return (DSR) to send responses directly to the router so that Maglev need not handle returning packets, which are typically larger in size. This paper focuses on the load balancing of incoming user traffic. The implementation of DSR is out of the scope of this paper. Link
  • Network Load Balancer (NLB)
    • Regional only
    • Layer 4
    • Does not support IPv6
    • No traffic routing based on L7
    • No TLS termination/offload
    • Client IP preserved – does not need x-forwarded-for
    • IP based session affinity
Today’s Summary:

There are a lot of details to pay attention to for Google load balancers. Nothing really related to security and today’s preparation is better suited for the networking certification. Time well spent and learned a few subtle features.

Total time spent today: about 2 hours.


February 3, 2019 – Day #6 – Network Security

Today I will split the study time in two. The first half on network security. Then work on section “4.3 Monitoring for security events” which includes Cloud Security Scanner and Forseti.

Tip: Forseti is on the exam.

Documents Studied:
Videos Watched:
Interesting Points:
  • SSL proxy can handle HTTPS, but this is not recommended. Link. I think that a lot of people confuse SSL with HTTPS.
  • SSL Proxy Load Balancing supports ports 25, 43, 110, 143, 195, 443, 465, 587, 700, 993, 995, 1883, and 5222. I am not sure if knowing all port numbers is important. (Tip: port numbers were not on the exam). There were a few that I had to look up:
    • 195 – DNSIX Network Level Module Audit
    • 465 – TCP: URL Rendezvous Directory for SSM (Cisco protocol)
    • 465 – UDP: Authenticated SMTP over TLS/SSL (SMTPS)
    • 700 – Extensible Provisioning Protocol (EPP)
    • 1883 – MQTT (formerly MQ Telemetry Transport)
    • 5222 – Extensible Messaging and Presence Protocol (XMPP) client connection
  • Better utilization of the virtual machine instances — SSL processing can be very CPU intensive if the ciphers used are not CPU efficient. To maximize CPU performance, use ECDSA SSL certs, TLS 1.2 and prefer the ECDHE-ECDSA-AES128-GCM-SHA256 cipher suite for SSL between the load balancer and your instances. Link. Note the wording “between the load balancer and your instances”.
  • Organization policies support restricting at lower levels in the hierarchy. This contrasts with IAM policies where inheritance can only expand lower in the hierarchy. Video at 14:30.
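The inheritance contrast in the last point, modelled as an added Go example (not from the original post or from Google's policy engine): IAM roles accumulate down the hierarchy, so the effective roles at a project are the union of bindings on the project and all of its ancestors, while a boolean organization policy constraint is decided by the nearest level that sets it, so a folder can restrict below an organization that set nothing. The `Node` type, the member names and the resource IDs are constructed; `constraints/iam.disableServiceAccountKeyCreation` is a real boolean constraint, and the model covers boolean constraints only, not list constraints.

```go
package main

import (
	"fmt"
	"sort"
)

// Node is one level of the GCP resource hierarchy: organization, folder or project.
type Node struct {
	Name     string
	Parent   *Node
	Bindings map[string][]string // IAM: role -> members granted at this level
	Policies map[string]bool     // org policy: boolean constraint -> enforced, set at this level
}

// NewNode creates a node under parent (nil for the organization).
func NewNode(name string, parent *Node) *Node {
	return &Node{Name: name, Parent: parent, Bindings: map[string][]string{}, Policies: map[string]bool{}}
}

// Grant binds a member to a role at this level of the hierarchy.
func (n *Node) Grant(role, member string) { n.Bindings[role] = append(n.Bindings[role], member) }

// SetPolicy sets a boolean constraint at this level; it replaces whatever the parent said.
func (n *Node) SetPolicy(constraint string, enforced bool) { n.Policies[constraint] = enforced }

// EffectiveRoles is the union of roles granted to member on the node and every ancestor.
// IAM is additive: a child cannot subtract a role inherited from above.
func EffectiveRoles(n *Node, member string) []string {
	seen := map[string]bool{}
	for cur := n; cur != nil; cur = cur.Parent {
		for role, members := range cur.Bindings {
			for _, m := range members {
				if m == member {
					seen[role] = true
				}
			}
		}
	}
	roles := make([]string, 0, len(seen))
	for r := range seen {
		roles = append(roles, r)
	}
	sort.Strings(roles)
	return roles
}

// EffectiveConstraint reports whether a boolean constraint is enforced on the node and
// which level decided it. The nearest level that sets the constraint wins, so a folder or
// project can restrict below an organization that set nothing; unset means not enforced.
func EffectiveConstraint(n *Node, constraint string) (enforced bool, setAt string) {
	for cur := n; cur != nil; cur = cur.Parent {
		if v, ok := cur.Policies[constraint]; ok {
			return v, cur.Name
		}
	}
	return false, ""
}

func main() {
	// Constructed hierarchy with placeholder IDs.
	org := NewNode("organizations/EXAMPLE-ORG-ID", nil)
	folder := NewNode("folders/EXAMPLE-FOLDER-ID", org)
	proj := NewNode("projects/example-prod", folder)
	org.Grant("roles/viewer", "alice@example.com")
	proj.Grant("roles/editor", "alice@example.com")
	folder.SetPolicy("constraints/iam.disableServiceAccountKeyCreation", true)
	fmt.Println(EffectiveRoles(proj, "alice@example.com"))
	fmt.Println(EffectiveConstraint(proj, "constraints/iam.disableServiceAccountKeyCreation"))
}
```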
Total time spent today: about 4 hours.


February 4, 2019 – Day #7 – Cloud Storage Security

Today I will focus on Cloud Storage security (IAM and ACLs).

Tip: Study IAM and ACLs in detail for the exam.

Documents Studied:
Videos Watched:
  • None
Interesting Points:
  • GCS: You cannot grant discrete permissions for reading or writing ACLs or other metadata. To allow someone to read and write ACLs, you must grant them OWNER permission. Link.
  • This table lists the different naming conventions used by Google APIs:
  • Google Cloud Storage uses scope, also called grantee, to specify who it is that has a given permission. OAuth uses scopes to define permissions.
  • Special identifier for all Google account holders:
    • This special scope identifier represents anyone who is authenticated with a Google account. The special scope identifier for all Google account holders is allAuthenticatedUsers.
  • Special identifier for all users:
    • This special scope identifier represents anyone who is on the Internet, with or without a Google account. The special scope identifier for all users is allUsers.
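The two special scope identifiers and the OWNER rule above, turned into a review check as an added Go example that is not from the original post or from Google's own tooling: it parses ACL entries in the JSON API shape and flags `allUsers`, `allAuthenticatedUsers` and any OWNER grant outside the project's own teams, since OWNER is the only role that can read and rewrite the ACL itself. The sample ACL, the `Finding` type and the exposure levels are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// ACLEntry is one entry of a Cloud Storage ACL in the JSON API shape (the items of a
// bucketAccessControls or objectAccessControls list). The entity is the scope, or grantee.
type ACLEntry struct {
	Entity string `json:"entity"` // user-<email>, group-<email>, domain-<domain>, project-<team>-<id>, allUsers, ...
	Role   string `json:"role"`   // OWNER, WRITER (buckets only) or READER
}

// Finding is one ACL entry a reviewer should look at, with the reason.
type Finding struct {
	Entity, Role, Reason string
}

// ReviewACL parses an ACL and flags the two special scopes plus every OWNER grant outside
// the project's own teams. OWNER matters because it is the only role that can read and
// rewrite the ACL and other metadata; that cannot be granted separately.
func ReviewACL(raw []byte) ([]Finding, error) {
	var acl []ACLEntry
	if err := json.Unmarshal(raw, &acl); err != nil {
		return nil, fmt.Errorf("parse ACL: %w", err)
	}
	var out []Finding
	for _, e := range acl {
		switch {
		case e.Entity == "allUsers":
			out = append(out, Finding{e.Entity, e.Role, "public: anyone on the Internet, no Google account needed"})
		case e.Entity == "allAuthenticatedUsers":
			out = append(out, Finding{e.Entity, e.Role, "any Google account holder, not only your organization"})
		case e.Role == "OWNER" && !strings.HasPrefix(e.Entity, "project-"):
			out = append(out, Finding{e.Entity, e.Role, "OWNER can read and rewrite the ACL and metadata"})
		}
	}
	return out, nil
}

// Exposure summarises the widest audience the ACL grants anything to.
func Exposure(findings []Finding) string {
	level := "restricted"
	for _, f := range findings {
		switch f.Entity {
		case "allUsers":
			return "public"
		case "allAuthenticatedUsers":
			level = "all-google-accounts"
		}
	}
	return level
}

func main() {
	// Constructed sample ACL, not taken from a real bucket.
	raw := []byte(`[{"entity":"project-owners-123456789012","role":"OWNER"},
	  {"entity":"user-alice@example.com","role":"OWNER"},
	  {"entity":"allUsers","role":"READER"}]`)
	findings, err := ReviewACL(raw)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-28s %-6s %s\n", f.Entity, f.Role, f.Reason)
	}
	fmt.Println("exposure:", Exposure(findings))
}
```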
Total time spent today: about 1 hour.
February 5-7, 2019 – Day #8,9,10 – No Study

I did not have time during these days to study. My work, which currently is GCP, had me working long hours.

February 8, 2019 – Day #11 – Google Cloud Endpoints

Google Cloud Endpoints is a service I have not worked with previously. I decided that API security is very important today as just about everything we do with customer-facing systems involves APIs of some sort. Time to learn about another Google Cloud service.

Tip: Only one question on Cloud Endpoints. Focus on IAP for the exam.

Documents Studied:
  • Google Cloud Endpoints documentation home page.
    • I started with the home page and read just about everything.
Videos Watched:
  • None
Labwork:
  • Qwiklabs: Cloud Endpoints: Qwik Start
    • This is a good introductory lab for Cloud Endpoints. Highly recommended as a first step. Complete this lab and then go back and hit the documentation. Then complete the next tutorial.
  • Getting Started with Endpoints on Compute Engine with Docker. Link.
Interesting Points:

It took a lot of effort to really understand Cloud Endpoints and how to put them to work. This is an interesting service that appears simple on the surface but has lots of details to master.

Today’s Summary:

Google Cloud Endpoints is a very interesting service that has good potential to both protect your external-facing APIs and improve the standardization of your APIs. Supported authorization methods include API Keys, Firebase Authentication, Auth0, Google ID Tokens, and JWTs (Service Accounts).

Total time spent today: about 4 hours.
February 9, 2019 – Day #12 – Google Cloud API Security

Today I am continuing on API security. I have a little time this evening as we had a power failure in Seattle that lasted until 6 PM.

Documents Studied:
  • None
Videos Watched:
Today’s Summary:

I lost the entire day because of a power failure. I did a mental review of everything so far, so not all was lost.

Total time spent today: about 1 hour.
February 10, 2019 – Day #13 – Google Cloud Security Review

Today is the last day before the exam. Today I will spend all day reviewing. I have created a list of topics to review. At this point, I am very comfortable taking the exam tomorrow based upon the certification exam guide.

Items that I will review today:

Tip: I put an asterisk next to the items important for the exam.

  • *Cloud Identity
  • *Google Cloud Directory Sync
  • *Cloud Security Scanner
  • *Cloud Interconnect
  • *Forseti
  • *VPC Peering
  • *Shared VPC
  • *Private Access
  • *DNSSEC
  • *IAP
  • IPSEC
  • Enclave computing
Videos Watched:
Labwork:

Tip: Cloud Functions was not on the exam. VPC Peering is on the exam.

  • Qwiklabs: Controlling Access to Google Cloud Functions
    • This is a very good lab that shows how to use Google service accounts to create an OAuth token to authorize Cloud Function requests. This is primarily service-to-service authorization. I plan to enhance this lab to use Google Accounts for User authorization at a later date and publish this as an article here on my blog.
  • Qwiklabs: VPC Network Peering
  • Qwiklabs: Network Performance Testing
  • Qwiklabs: Network Tiers – Optimizing Network Spend

My next post should be a review of taking the actual exam.

Total time spent today: all day.
February 11, 2019 – Day #14 – Exam Day

I am not taking the exam today. The testing center is closed because of the bad weather we are having in Seattle. I will update later once I can get a date scheduled. In the meantime, I will now prepare for the network certification beta exam. Security exam rescheduled for February 15, 2019.

See below for the real exam day.

February 13, 2019 – Extra Study

Since my exam has been delayed to Friday because of weather, I will continue studying. For the most part, I will study some of the less commonly used features to round out my knowledge.

Documents Studied:
Videos Watched:
February 15, 2019 – Exam Completed

Last night, I ate my favorite food, tacos, and went to bed early. No study yesterday. I got up early and went out for a good breakfast (Denver omelet and hash browns). Arrived at the testing center about 30 minutes early, completed my paperwork and began the test at 11:45 AM. Finished the test 2 hours 10 minutes later.

Did I pass? Yes, I am confident I passed the exam. I had no problems in any area except for DLP and Active Directory + IAP. I completed the exam in almost half the allocated time. I should learn the exam results once the beta period closes, which I think is February 28.

In summary, I highly recommend that everyone who takes Google Cloud Platform seriously prepare for and take this exam. The security knowledge required to properly and safely manage cloud services and applications is mandatory today. This exam is very broad regarding Google services and technologies. Spend the time to properly prepare. Cramming for this exam will probably result in failure or a low score.

Good luck on your journey in the cloud.

Part 4: Tips and Advice
  • Learn Google Cloud Services in depth before preparing for this certification. You should already be at the Google Cloud Professional Architect level in knowledge and experience.
  • Do not expect to cram for this exam and succeed.
  • Set a date and pay for the exam. You can always change the exam date. However, by paying for the exam, I get focussed quickly.
  • Do not worry about failing the certification exam (money aside). The experience will help you really understand your weak points.
  • Your goal should be polishing your knowledge on the certification subject and not cramming to pass. You should already know GCP well before preparing for the security exam. So many cloud engineers and architects I interview have two or three certifications and cannot remember the important details three months later. When I drill down into their exam preparation I find that they often crammed eight hours a day and then just barely passed the exam without really mastering the certification. There is no replacement for experience. Certifications are great but embarrassing when you cannot apply what you should know.
  • Set aside consistent everyday study and practice sessions. Four or five days per week.
  • You need not study the day before the exam. Take a break and let your mind rest and settle all those nerve connections you built.
  • It can take 20 minutes to get into deep concentration. Try to set aside two to three hours each study day for this exam. You will need a quiet place with no disturbances. Tell the kids you are doing homework preparing for a final exam.
  • Communicate with your family and friends your goal. They will understand that your time will be limited for a few weeks. Give them a hint to throw you a dinner or a party when you take the exam even if you fail.
  • Stop when you get tired. It is hard to be focussed and maintain good memory when you are tired. Note: I am not saying stop when you are lazy. Dedication and focus require will power. Know your limits and the difference between tired (fatigue) and lazy.
  • Electronic notes are OK. Handwritten notes on paper reinforce longer-term memory. When I watch a training video, I stop fifty or a hundred times and make little detail notes. I repeat sections sometimes two or three times. I put an asterisk next to items I must study in more detail. I go back over my notes the next day and hit those asterisks.
  • Exercise, good eating and plenty of rest are critical items during your study periods (and all the time). Your comprehension and memory will be much higher when your body is functioning well.
  • I go into a mode I call “total absorption” when I am preparing for certification. I put training videos on my iPhone and play them while driving (listen only), sitting at lunch, etc. I increase my exercise by walking a lot and listening to recorded classes, YouTube, etc. while walking. I skip lots of other little things to become totally focussed on the certification subject. I think and repeat in my mind everything I am studying. I keep reviewing the exam objectives over and over. I just become one with the subject matter.

To give you a real comparison, I consider certification the final steps in my mastery of Google Cloud Platform. I have been working with GCP for around 8 years (off and on again). I wrote a C++ SDK for Google Cloud Storage as my first project for GCP. I consult in Security, Networking and Big Data for GCP. For the past five months, I have been studying GCP in detail to begin preparation for certification. I did not use certification as my method to learn GCP. My depth of knowledge of GCP is broad. I am #1 every month, #2 for total questions answered and #7 of all time for GCP on Stack Overflow: link.

What I am trying to say is “Do not be in a hurry to certify, learn Google Cloud Platform well and then certify”.

Part 5: Final Exam

After I took the security certification beta exam, Google contacted me to let me know I passed and that my score was high. Google asked me to take part in creating the final security certification exam.

I am under NDA for this process. I will add that Google Cloud is using science instead of raw scores to determine passing grades. This is an interesting comparison to other cloud vendors. For the person taking the test, I think this is a better method and gives more importance to experience over raw memorization.

They have reduced the exam from 113 questions to 40. The beta exam was a monster covering huge areas of Google Cloud Platform, G Suite and security. The final exam is now reasonable in the knowledge and experience required.

One tip: this exam now tests for your experience and understanding of Google Cloud security. This is not an exam you can pass by watching a few video courses and memorizing facts. The criteria the exam is designed to test are three years of security experience and at least one year of GCP experience.

The final exam will be available at Google Next ’19 for scheduling.