Google Cloud Professional Cloud Security Engineer — Question 184
Your organization must store highly sensitive data within Google Cloud. You need to design a solution that provides the strongest level of security and control. What should you do?
Answer options
- A. Use Cloud Storage with customer-supplied encryption keys (CSEK), VPC Service Controls for network isolation, and Cloud DLP for data inspection.
- B. Use Cloud Storage with customer-managed encryption keys (CMEK), Cloud DLP for data classification, and Secret Manager for storing API access tokens.
- C. Use Cloud Storage with client-side encryption, Cloud KMS for key management, and Cloud HSM for cryptographic operations.
- D. Use Cloud Storage with server-side encryption, BigQuery with column-level encryption, and IAM roles for access control.
Correct answer: C
Explanation
The correct answer is C because client-side encryption encrypts data before it is sent to Cloud Storage, so the service only ever receives ciphertext, and this provides the highest level of control. Options A (CSEK) and B (CMEK) still encrypt the data on the server side, so they do not provide the same level of control as client-side encryption. Option D relies on server-side encryption, which does not offer the same security guarantees as client-side methods.