Answer: Implement a defense-in-depth model that includes: - Unity Catalog fine-grained privileges + dynamic row filters and column masks (preferably via centralized ABAC policies with governed tags), - Customer-managed keys (CMK) for Unity Catalog-managed storage and sensitive external locations, - Enforcement of TLS encryption for all cluster-to-storage and inter-cluster communication, - Audit logging enabled at the workspace and Unity Catalog level.

**A: Incorrect** While cloud-provider encryption at rest (e.g., SSE-KMS) and TLS for transit are baseline requirements and are enabled by default in Databricks, this option stops at coarse-grained (table-level) access control in Unity Catalog. It completely lacks dynamic row-level filtering and column-level masking/dynamic masking — features explicitly required for fine-grained protection of PII/PHI under GDPR/HIPAA/PCI-DSS. This would almost certainly fail compliance audits that demand need-to-know access at the record/field level. **B: Partially correct but insufficient** Using Unity Catalog's row filters and column masks (especially via ABAC in public preview or GA features) is excellent for dynamic, policy-driven protection without duplicating data. However, limiting CMK to only "the most sensitive catalogs" leaves gaps in other areas (e.g., workspace-level objects, notebooks, logs, or less-sensitive-but-still-regulated catalogs). Relying on default platform-managed keys and transit encryption is acceptable for many use cases but falls short of the "strict" multi-regulation scenario that often mandates customer control over key lifecycle (e.g., immediate revocation capability). **C: Correct** This is the most comprehensive defense-in-depth approach aligned with Databricks best practices and exam expectations at the Professional level: - **Unity Catalog** centralizes governance and enables fine-grained privileges, row filters, and column masks (preferably via ABAC for stronger, non-overridable enforcement). - **CMK** provides customer control over encryption key material for catalogs and sensitive locations, satisfying regulations requiring key ownership/revocation. - Explicit TLS enforcement covers data in transit end-to-end. - Audit logging supports compliance evidence and forensic needs. It achieves strong security, scalability (no heavy client-side crypto), centralized policy management, and reasonable cost (CMK has modest incremental cost but is often required). **D: Incorrect / anti-pattern** Client-side / application-level column encryption (via UDFs) before writing to Delta breaks many Delta Lake benefits: - No native predicate pushdown or optimization on encrypted columns - Query performance degradation (decryption in every read) - Complicates schema evolution, time travel, and Delta Sharing - Makes centralized governance harder (Unity Catalog cannot mask/understand encrypted blobs) While technically possible for extreme cases, it is **not** the recommended or scalable pattern in modern Databricks architectures.