Your organization runs a mission-critical workload in a highly regulated industry. Sensitive data is uploaded from endpoint computers to Cloud Storage and then processed by Compute Engine VMs. A compliance review has found that the current setup does not meet data protection requirements. You must implement a solution that fulfills the following:

Manage the Data Encryption Key (DEK) outside of Google Cloud.

Retain full control of encryption keys using a third-party provider.

Encrypt the sensitive data before it is uploaded to Cloud Storage.

Decrypt the data during processing within the Compute Engine VMs.

Encrypt the data in memory while it is in use on the Compute Engine VMs.

What two actions should you take?*

Exam-Like

Configure Customer Managed Encryption Keys to encrypt the sensitive data before it is uploaded to Cloud Storage, and decrypt the sensitive data after it is downloaded into your VMs.

Configure Cloud External Key Manager to encrypt the sensitive data before it is uploaded to Cloud Storage, and decrypt the sensitive data after it is downloaded into your VMs.

Create Confidential VMs to access the sensitive data.

Migrate the Compute Engine VMs to Confidential VMs to access the sensitive data.

Create a VPC Service Controls service perimeter across your existing Compute Engine VMs and Cloud Storage buckets.

Google Professional Cloud Security Engineer

Get started today

Comments