Domain 5 of 6 · Chapter 2 of 3

Trusted Infrastructure

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Cloud Digital Leader premium course — no separate purchase.

Included in this chapter:

  • Defense in depth: security built into the stack
  • Encryption in all three states of data
  • The three A's, edge defense, and SecOps
  • Exam-pattern recognition

The three A's of trust: authentication vs. authorization vs. auditing

PillarAuthenticationAuthorizationAuditing
Question it answersWho are you?What may you do?Who did what, when?
Google Cloud controlIdentity + 2-Step Verification (2SV)Identity and Access Management (IAM)Cloud Audit Logs
What it works withA second factor beyond the passwordPrincipals granted roles (permission bundles) on resourcesAdmin Activity and Data Access log records
When it runsBefore access, to establish identityOn each action, to allow or deny itAfter the fact, as an immutable record
Failure if missingStolen password = full accessOver-privileged or unauthorized actionsNo accountability or forensic trail

Cheat sheet

  • Google designs its own infrastructure, so security is built in at every layer
  • Titan is Google's custom security chip and hardware root of trust
  • Data has three states (at rest, in transit, and in use) and a full security story covers all three
  • Data at rest is encrypted by default with AES-256, no customer action required
  • Data in transit is encrypted by default across Google's network
  • Confidential VMs encrypt data in use, and you opt into them
  • Authentication, authorization, and auditing are three distinct controls, never interchangeable
  • 2-Step Verification adds a second factor so a stolen password isn't enough
  • IAM grants roles to principals on resources: it controls what you may do
  • Cloud Audit Logs record who did what, where, and when
  • Cloud Armor defends availability at the network edge with DDoS and WAF protection
  • A DDoS attack threatens availability by flooding a service
  • Google Security Operations (formerly Chronicle) runs detection and response in the cloud
  • Defense in depth means no single safeguard is a single point of failure
  • Cloud Armor protects an external load balancer with security policies: IP/geo filtering, rate limiting, bot management, and Adaptive Protection
  • Cloud KMS lets you own and control the keys; Cloud HSM and External Key Manager extend where they live
  • Google's data centers control physical access and securely destroy retired drives

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. How Google designs security in its infrastructure
  2. Default encryption at rest
  3. Encryption in transit
  4. Confidential VM overview
  5. IAM overview
  6. Cloud Audit Logs overview
  7. Google Cloud Armor overview
  8. Google Security Operations