Google Cloud Professional Cloud Security Engineer — Question 261

You are responsible for protecting highly sensitive data in BigQuery. Your operations teams need access to this data, but given privacy regulations, you want to ensure that they cannot read the sensitive fields such as email addresses and first names. These specific sensitive fields should only be available on a need-to- know basis to the Human Resources team. What should you do?

Answer options

• A. Perform data masking with the Cloud Data Loss Prevention API, and store that data in BigQuery for later use.
• B. Perform data redaction with the Cloud Data Loss Prevention API, and store that data in BigQuery for later use.
• C. Perform data inspection with the Cloud Data Loss Prevention API, and store that data in BigQuery for later use.
• D. Perform tokenization for Pseudonymization with the Cloud Data Loss Prevention API, and store that data in BigQuery for later use.

Correct answer: D

Explanation

The correct answer is D because tokenization for Pseudonymization allows sensitive fields to be replaced with non-sensitive equivalents, ensuring that only authorized personnel can access the original data. Option A (data masking) and B (data redaction) do not provide the same level of access control needed for compliance, as they might still expose sensitive information inappropriately. Option C (data inspection) merely analyzes data without protecting it, which does not meet the requirement for restricting access.