
Explanation:
The question requires an encryption strategy that: (1) reduces key management complexity for non-sensitive data, (2) protects sensitive data with control over key residency and rotation, and (3) meets FIPS 140-2 Level 1 compliance for all data.

Option D is optimal for two reasons. Google default encryption (used for non-sensitive data) is FIPS 140-2 Level 1 compliant and reduces management overhead because Google manages the keys. Cloud KMS (used for sensitive data) is also FIPS 140-2 Level 1 compliant and provides the required control over key residency and rotation schedules.

The other options are less suitable. A and B use Cloud External Key Manager or KMS for all data, which increases management complexity for non-sensitive data. C uses Cloud External Key Manager for sensitive data, which is unnecessary when KMS already meets the requirements and is simpler to manage.
You need to implement an encryption-at-rest strategy that reduces key management overhead for non-sensitive data while protecting sensitive data, offers control over key residency and rotation schedules, and meets FIPS 140-2 Level 1 compliance for all data. What should you do?
A. Encrypt non-sensitive data and sensitive data with Cloud External Key Manager.
B. Encrypt non-sensitive data and sensitive data with Cloud Key Management Service.
C. Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud External Key Manager.
D. Encrypt non-sensitive data with Google default encryption, and encrypt sensitive data with Cloud Key Management Service.