Google Cloud Professional Cloud Security Engineer — Question 344
You work for a banking organization. You are migrating sensitive customer data to Google Cloud that is currently encrypted at rest while on-premises. There are strict regulatory requirements when moving sensitive data to the cloud. Independent of the cloud service provider, you must be able to audit key usage and be able to deny certain types of decrypt requests. You must choose an encryption strategy that will ensure robust security and compliance with the regulations. What should you do?
Answer options
- A. Utilize Google default encryption and Cloud IAM to keep the keys within your organization's control.
- B. Implement Cloud External Key Manager (Cloud EKM) with Access Approval, to integrate with your existing on-premises key management solution.
- C. Implement Cloud External Key Manager (Cloud EKM) with Key Access Justifications to integrate with your existing on-premises key management solution.
- D. Utilize customer-managed encryption keys (CMEK) created in a dedicated Google Compute Engine instance with Confidential Compute encryption, under your organization's control.
Correct answer: C
Explanation
The correct answer is C. Cloud EKM keeps the key material in an external key manager (here, the existing on-premises one), so Google never holds the key and every cryptographic operation on that key must be forwarded to the external manager. Key Access Justifications attaches a reason code to each of those requests (for example CUSTOMER_INITIATED_ACCESS, GOOGLE_INITIATED_SYSTEM_OPERATION, THIRD_PARTY_DATA_REQUEST), so the external key manager can log who asked to use the key and why, and can apply a policy that denies particular categories of decrypt request. Because that decision and its audit trail live in the customer's own key manager, they are independent of the cloud provider, which is exactly what the requirement asks for. Option A leaves the keys under Google's control: IAM restricts which principals may call the API, but it does not expose per-request justifications or give the organization a provider-independent place to refuse a decrypt. Option B uses the right key management model but the wrong control: Access Approval lets you approve or deny Google personnel access to your content (support and engineering cases), not individual key-usage requests, so it does not deliver the required justification-based denial. Option D is not a valid construction: CMEK keys are created and used in Cloud KMS, not inside a Compute Engine instance, and Confidential Computing protects data in use rather than providing key-usage auditing; the keys would still reside with the provider.
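To make the "deny certain types of decrypt requests" point concrete, the following added example (not code from Google or from this question bank) models the decision an external key manager could make when Cloud KMS forwards a wrap or unwrap request carrying a Key Access Justifications reason code. The reason codes are real KAJ values; the request structure, the policy format, the `decide` function and the audit record layout are assumptions made for this illustration and are not any vendor's API.

```python
"""Hypothetical EKM-side policy check for Key Access Justifications (KAJ).

Added example. The KAJ reason codes below are real; the request shape,
policy shape and audit record are assumptions for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import json

# Real KAJ reason codes (subset). Anything else is treated as unknown.
KAJ_REASONS = frozenset({
    "CUSTOMER_INITIATED_ACCESS",
    "CUSTOMER_INITIATED_SUPPORT",
    "GOOGLE_INITIATED_SERVICE",
    "GOOGLE_INITIATED_REVIEW",
    "GOOGLE_INITIATED_SYSTEM_OPERATION",
    "THIRD_PARTY_DATA_REQUEST",
    "REASON_UNSPECIFIED",
    "REASON_NOT_EXPECTED",
})


@dataclass(frozen=True)
class EkmRequest:
    """Assumed shape of a request arriving at the external key manager."""
    key_id: str      # external key the request targets
    operation: str   # "encrypt" (wrap) or "decrypt" (unwrap)
    reason: str      # KAJ reason code attached by Cloud KMS
    caller: str      # identity presented with the request (constructed)


@dataclass(frozen=True)
class Policy:
    """Which reason codes may use the key for each operation."""
    allow_encrypt: frozenset
    allow_decrypt: frozenset


# Example bank policy: encryption is harmless to allow broadly, decryption
# is limited to customer-driven access and routine system operations.
BANK_POLICY = Policy(
    allow_encrypt=frozenset({
        "CUSTOMER_INITIATED_ACCESS",
        "CUSTOMER_INITIATED_SUPPORT",
        "GOOGLE_INITIATED_SERVICE",
        "GOOGLE_INITIATED_SYSTEM_OPERATION",
    }),
    allow_decrypt=frozenset({
        "CUSTOMER_INITIATED_ACCESS",
        "GOOGLE_INITIATED_SYSTEM_OPERATION",
    }),
)

AUDIT_LOG = []  # in a real deployment this would be an append-only store


def decide(req, policy=BANK_POLICY, audit=AUDIT_LOG):
    """Return "ALLOW" or "DENY" for the request and append an audit record.

    Unknown reason codes and unknown operations are denied, so a malformed
    or unexpected request can never fall through to an allow.
    """
    if req.reason not in KAJ_REASONS:
        decision = "DENY"
    elif req.operation == "encrypt":
        decision = "ALLOW" if req.reason in policy.allow_encrypt else "DENY"
    elif req.operation == "decrypt":
        decision = "ALLOW" if req.reason in policy.allow_decrypt else "DENY"
    else:
        decision = "DENY"

    # Every request is recorded, allowed or not, so key usage is auditable
    # in the customer's own system regardless of the cloud provider.
    audit.append(json.dumps({
        "ts": datetime.now(timezone.utc).isoformat(),
        "key_id": req.key_id,
        "operation": req.operation,
        "reason": req.reason,
        "caller": req.caller,
        "decision": decision,
    }, sort_keys=True))
    return decision


def run_sample():
    """Evaluate a constructed batch of requests; returns (reason, op, decision)."""
    sample = [
        EkmRequest("cust-data-key", "decrypt", "CUSTOMER_INITIATED_ACCESS", "bq-sa"),
        EkmRequest("cust-data-key", "decrypt", "GOOGLE_INITIATED_REVIEW", "google"),
        EkmRequest("cust-data-key", "decrypt", "THIRD_PARTY_DATA_REQUEST", "google"),
        EkmRequest("cust-data-key", "encrypt", "GOOGLE_INITIATED_SERVICE", "gcs-sa"),
        EkmRequest("cust-data-key", "decrypt", "NOT_A_REAL_CODE", "unknown"),
    ]
    return [(r.reason, r.operation, decide(r)) for r in sample]


if __name__ == "__main__":
    for entry in run_sample():
        print(entry)
    print("\n".join(AUDIT_LOG))
```

The policy above is the part that answers the question: decrypts justified as third-party data requests or Google-initiated reviews are refused at the external key manager, while the audit list captures every attempt, including the refused ones, without relying on the provider's own logging.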