Google Cloud Professional Cloud Security Engineer — Question 309
Your organization is migrating a sensitive data processing workflow from on-premises infrastructure to Google Cloud. This workflow involves the collection, storage, and analysis of customer information that includes personally identifiable information (PII). You need to design security measures to mitigate the risk of data exfiltration in this new cloud environment. What should you do?
Answer options
- A. Encrypt all sensitive data in transit and at rest. Establish secure communication channels by using TLS and HTTPS protocols.
- B. Implement a Cloud DLP solution to scan and identify sensitive information, and apply redaction or masking techniques to the PII. Integrate VPC SC with your network security controls to block potential data exfiltration attempts.
- C. Restrict all outbound network traffic from cloud resources. Implement rigorous access controls and logging for all sensitive data and the systems that process the data.
- D. Rely on employee expertise to prevent accidental data exfiltration incidents.
Correct answer: B
Explanation
B is correct because it combines data loss prevention techniques (Cloud DLP scanning, with redaction or masking of the PII) with network security controls (VPC SC) that block potential data exfiltration attempts. A focuses on encryption, which does not address identifying and handling PII specifically. C is overly restrictive and may impact functionality. D is irresponsible because it relies solely on employees to prevent exfiltration, without any systematic measures.