Google Cloud Professional Cloud Security Engineer — Question 312
Your organization's financial modeling application is already deployed on Google Cloud. The application processes large amounts of sensitive customer financial data. Application code is old and poorly understood by your current software engineers. Recent threat modeling exercises have highlighted the potential risk of sophisticated side-channel attacks against the application while the application is running. You need to further harden the Google Cloud solution to mitigate the risk of these side-channel attacks, ensuring maximum protection for the confidentiality of financial data during processing, while minimizing application problems. What should you do?
Answer options
- A. Enforce stricter access controls for Compute Engine instances by using service accounts, least privilege IAM policies, and limit network access.
- B. Implement a runtime library designed to introduce noise and timing variations into the application's execution, which will disrupt side-channel attacks.
- C. Migrate the application to Confidential VMs to provide hardware-level encryption of memory and protect sensitive data during processing.
- D. Utilize customer-managed encryption keys (CMEK) to ensure complete control over the encryption process.
Correct answer: C
Explanation
The correct answer is C because migrating to Confidential VMs provides hardware-level encryption of memory while the data is in use, so sensitive financial data stays protected during processing even from a compromised host or hypervisor, which is the class of risk the threat model raised. It also requires no changes to the old, poorly understood application code, which satisfies the requirement to minimize application problems. Options A and D improve security (tighter access control, and control over keys for data at rest) but do not address data in use or side-channel exposure during processing. Option B introduces noise and timing variation, but it requires modifying or instrumenting the legacy application and does not provide the same level of assurance as hardware-backed memory encryption.