You are migrating an on-premises data warehouse to BigQuery, Cloud SQL, and Cloud Storage. You need to configure security services to meet compliance policies that require:

• Data at rest is protected with full lifecycle management for cryptographic keys.
• A key management provider is separate from data management.
• Visibility is provided into all encryption key requests.

Which two services should you include in the implementation?