Google Cloud Professional Cloud Security Engineer — Question 238
You discovered that sensitive personally identifiable information (PII) is being ingested into your Google Cloud environment in the daily ETL process from an on-premises environment to your BigQuery datasets. You need to redact this data to obfuscate the PII, but you also need to be able to re-identify it for data analytics purposes. Which components should you use in your solution? (Choose two.)
Answer options
- A. Secret Manager
- B. Cloud Key Management Service
- C. Cloud Data Loss Prevention with cryptographic hashing
- D. Cloud Data Loss Prevention with automatic text redaction
- E. Cloud Data Loss Prevention with deterministic encryption using AES-SIV
Correct answer: B, E
Explanation
The correct answers are B and E. Cloud Key Management Service manages the encryption keys, and Cloud Data Loss Prevention with deterministic encryption using AES-SIV encrypts the PII in a way that still allows it to be re-identified when needed. The other options do not meet the requirement of obfuscating the data while still allowing re-identification.