Google Cloud Professional Cloud Security Engineer — Question 175
Your development team is launching a new application. The new application has a microservices architecture on Compute Engine instances and serverless components, including Cloud Functions. This application will process financial transactions that require temporary, highly sensitive data in memory. You need to secure data in use during computations with a focus on minimizing the risk of unauthorized access to memory for this financial application. What should you do?
Answer options
- A. Enable Confidential VM instances for Compute Engine, and ensure that relevant Cloud Functions can leverage hardware-based memory isolation.
- B. Use data masking and tokenization techniques on sensitive financial data fields throughout the application and the application's data processing workflows.
- C. Use the Cloud Data Loss Prevention (Cloud DLP) API to scan and mask sensitive data before feeding the data into any compute environment.
- D. Store all sensitive data during processing in Cloud Storage by using customer-managed encryption keys (CMEK), and set strict bucket-level permissions.
Correct answer: A
Explanation
The correct answer is A. The question is about data in use: plaintext that must exist in RAM while a transaction is being computed. Confidential VMs address exactly that layer. The guest's memory is encrypted by the CPU (AMD SEV on N2D machine types, with SEV-SNP and Intel TDX variants) under a key that never leaves the processor, so the hypervisor, the host operating system, and anyone holding a memory dump or physical access to the machine see only ciphertext. Options B and C act before data reaches the compute environment: tokenization, masking, and Cloud DLP inspection reduce how much sensitive data is processed, but whatever value the transaction logic still needs in the clear sits unprotected in memory, and that is the risk the question singles out. Option D (CMEK on Cloud Storage) protects data at rest; it says nothing about memory during computation, and Cloud Storage already encrypts stored objects by default.

Two practical caveats. First, Google's confidential-computing options cover Compute Engine, GKE nodes, and Confidential Space; Cloud Functions itself exposes no confidential setting, so in a real design the functions that touch plaintext transaction data would be moved onto the Confidential VMs (or Confidential GKE Nodes) and the serverless components kept to orchestration. Second, enabling the feature is not the same as verifying it: confirm that the instance resource has confidential compute enabled and that the guest kernel reports SEV active before loading sensitive data, and pair it with Shielded VM secure boot and vTPM integrity monitoring so the encrypted guest is also a measured one.
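As an added example (not part of the exam page), the gcloud command that provisions such an instance, followed by the two checks a practitioner would run before trusting it: one against the instance resource and one against the guest kernel log. The VM name, zone, image choice and the sample command outputs are assumptions; the dmesg and describe outputs below are constructed, not captured from a real instance.

```bash
#!/usr/bin/env bash
# Added example, not from the exam page: provision a Confidential VM and check
# that memory encryption is actually active. VM name and zone are placeholders.
set -euo pipefail

# Build the create command. SEV needs an AMD EPYC (N2D) machine type and a
# Confidential-VM-supported image; TERMINATE on host maintenance is the
# conservative choice for an encrypted guest. Older SDKs spell the same thing
# as the boolean flag --confidential-compute instead of the typed form.
confidential_vm_create_cmd() {
  local name="$1" zone="$2"
  printf '%s' "gcloud compute instances create ${name}" \
    " --zone=${zone}" \
    " --machine-type=n2d-standard-2" \
    " --confidential-compute-type=SEV" \
    " --maintenance-policy=TERMINATE" \
    " --shielded-secure-boot --shielded-vtpm --shielded-integrity-monitoring" \
    " --image-family=ubuntu-2204-lts --image-project=ubuntu-os-cloud"
}

# Control-plane check: the instance resource records whether confidential
# compute was enabled. Argument is the output of
#   gcloud compute instances describe NAME --zone=ZONE \
#     --format='value(confidentialInstanceConfig.enableConfidentialCompute)'
confidential_enabled() {
  [ "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr -d '[:space:]')" = "true" ]
}

# Guest-side check: the Linux kernel logs SEV when guest memory is encrypted.
# Argument is dmesg output (run as root inside the VM: dmesg | grep -i sev).
# Matches the two wordings recent kernels use.
sev_active_in_dmesg() {
  printf '%s\n' "$1" | grep -qiE 'memory encryption features active:.*sev|\(SEV\) active'
}

# Both checks must pass before sensitive data is loaded into the instance.
verify_confidential() {
  local describe_out="$1" dmesg_out="$2"
  confidential_enabled "$describe_out" && sev_active_in_dmesg "$dmesg_out"
}

# Constructed sample outputs (assumptions, not captured from a real instance).
SAMPLE_DESCRIBE_OK="True"
SAMPLE_DESCRIBE_BAD=""
SAMPLE_DMESG_OK="[    0.000000] Memory Encryption Features active: AMD SEV"
SAMPLE_DMESG_BAD="[    0.000000] Booting paravirtualized kernel on KVM"

echo "Create with:"
confidential_vm_create_cmd fin-txn-worker us-central1-a; echo
if verify_confidential "$SAMPLE_DESCRIBE_OK" "$SAMPLE_DMESG_OK"; then
  echo "sample: confidential VM with SEV active"
fi
if ! verify_confidential "$SAMPLE_DESCRIBE_BAD" "$SAMPLE_DMESG_BAD"; then
  echo "sample: NOT confidential; do not load sensitive data"
fi
```

The guest-side check matters because the control-plane flag only says what was requested; the kernel line is what proves the CPU actually turned memory encryption on for this boot. In a deployment pipeline, run both before the transaction service is allowed to start.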