
Answer-first summary for fast verification
Answer: Cloud Key Management Service, Cloud Data Loss Prevention with deterministic encryption using AES-SIV
The question requires obfuscating PII while maintaining the ability to re-identify it for analytics, which necessitates deterministic encryption. Cloud Data Loss Prevention (DLP) with deterministic encryption using AES-SIV (E) ensures consistent encryption for the same input, enabling re-identification. Cloud Key Management Service (KMS) (B) is essential for securely storing and managing the cryptographic keys used by DLP for encryption, as referenced in Google's documentation and community discussions. Option A (Secret Manager) is for API keys and passwords, not encryption keys. Option C (DLP with cryptographic hashing) is irreversible, preventing re-identification. Option D (DLP with automatic text redaction) removes data entirely, making re-identification impossible. The community consensus (96% upvotes for BE) and linked Google architecture confirm B and E as optimal.
Author: LeetQuiz Editorial Team
You have identified that sensitive personally identifiable information (PII) is being ingested into your Google Cloud environment during a daily ETL process from an on-premises environment to BigQuery datasets. You need to redact this data to obfuscate the PII but retain the ability to re-identify it for data analytics purposes. Which two components should you use in your solution?
A. Secret Manager
B. Cloud Key Management Service
C. Cloud Data Loss Prevention with cryptographic hashing
D. Cloud Data Loss Prevention with automatic text redaction
E. Cloud Data Loss Prevention with deterministic encryption using AES-SIV
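
How B and E fit together, as an added example that is not part of the original page: the sketch below builds the request bodies for the DLP content de-identify and re-identify calls, both using the same Cloud KMS-wrapped key. The key name, wrapped key value and surrogate label are placeholders assumed for illustration, and nothing is sent to the API.

```python
import json

# Placeholders (assumptions, not values from the page): substitute your own.
KMS_KEY_NAME = ("projects/PLACEHOLDER_PROJECT/locations/global/"
                "keyRings/PLACEHOLDER_RING/cryptoKeys/PLACEHOLDER_KEY")
WRAPPED_KEY_B64 = "PLACEHOLDER_BASE64_WRAPPED_DATA_KEY"
SURROGATE = "PII_TOKEN"  # hypothetical label DLP attaches to each token


def deterministic_transform(info_types=None):
    """AES-SIV transformation whose data key is wrapped by a Cloud KMS key."""
    t = {"primitiveTransformation": {"cryptoDeterministicConfig": {
        "cryptoKey": {"kmsWrapped": {"wrappedKey": WRAPPED_KEY_B64,
                                     "cryptoKeyName": KMS_KEY_NAME}},
        "surrogateInfoType": {"name": SURROGATE},
    }}}
    if info_types:
        # Restrict the transformation to the listed infoTypes.
        t["infoTypes"] = [{"name": n} for n in info_types]
    return t


def deidentify_body(text, info_types):
    """Body for projects.content.deidentify: find PII, replace it with tokens."""
    return {
        "inspectConfig": {"infoTypes": [{"name": n} for n in info_types]},
        "deidentifyConfig": {"infoTypeTransformations": {
            "transformations": [deterministic_transform(info_types)]}},
        "item": {"value": text},
    }


def reidentify_body(tokenized_text):
    """Body for projects.content.reidentify: same key, tokens reversed."""
    return {
        # Declaring the surrogate label as a custom infoType lets DLP
        # locate the tokens it produced during de-identification.
        "inspectConfig": {"customInfoTypes": [
            {"infoType": {"name": SURROGATE}, "surrogateType": {}}]},
        "reidentifyConfig": {"infoTypeTransformations": {
            "transformations": [deterministic_transform()]}},
        "item": {"value": tokenized_text},
    }


if __name__ == "__main__":
    body = deidentify_body("contact: jane@example.com", ["EMAIL_ADDRESS"])
    print(json.dumps(body, indent=2))
```

Re-identification works only for callers who can use the KMS key to unwrap the data key, so access to the original PII is governed by IAM on that key.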