
Answer-first summary for fast verification
Answer: Implement Cloud External Key Manager (Cloud EKM) with Key Access Justifications to integrate with your existing on-premises key management solution.
The question asks for an encryption strategy that lets the organization audit all key usage and deny specific kinds of decrypt requests independently of the cloud provider. Cloud External Key Manager (Cloud EKM) with Key Access Justifications (option C) is the correct choice. With Cloud EKM the key material stays in the external (on-premises or partner-hosted) key manager and never enters Google's infrastructure, so every decrypt operation depends on that external system honoring the request. Key Access Justifications attaches a justification code to each key access request (for example, customer-initiated access versus Google-initiated service operations or a third-party data request); the external key manager can be configured to approve or deny requests per code, and the justification is recorded so the organization can audit why each key access occurred. Together these satisfy both the audit and the deny requirements without relying on Google. Option B (Cloud EKM with Access Approval) is less suitable because Access Approval governs requests by Google personnel to access customer content (typically for support), not the key usage or decrypt requests the question is about. Option A (Google default encryption with Cloud IAM) leaves the keys Google-owned and Google-managed; IAM only controls which principals can use them, so there is no external control and no way to deny a decrypt request outside Google Cloud. Option D is not a real configuration: CMEK keys are created in Cloud KMS, not in a Compute Engine instance, and Confidential Computing protects data in use rather than providing external key custody or per-request denial.
Author: LeetQuiz Editorial Team
Your banking organization is migrating sensitive customer data to Google Cloud. This data is currently encrypted at rest on-premises and is subject to strict regulatory requirements. The chosen encryption strategy must allow you to audit all key usage and have the ability to deny specific types of decrypt requests, independent of the cloud service provider. What should you do to ensure robust security and regulatory compliance?
A
Utilize Google default encryption and Cloud IAM to keep the keys within your organization's control.
B
Implement Cloud External Key Manager (Cloud EKM) with Access Approval, to integrate with your existing on-premises key management solution.
C
Implement Cloud External Key Manager (Cloud EKM) with Key Access Justifications to integrate with your existing on-premises key management solution.
D
Utilize customer-managed encryption keys (CMEK) created in a dedicated Google Compute Engine instance with Confidential Compute encryption, under your organization's control.
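As an added illustration, not part of the quiz page and not Google's or any EKM vendor's code, the Python below sketches the decision an external key manager makes on the customer's side when a Cloud EKM decrypt request arrives with a Key Access Justifications code: a default-deny allow-list keyed on the justification, with every decision written to a local audit record so the organization, not the cloud provider, holds both the denial power and the evidence. The justification code names follow those Google documents for KAJ; the request shape, field names, function names and the sample allow-list are assumptions made for this example.

```python
"""Hypothetical EKM-side justification policy check (constructed example)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone

# Key Access Justifications reason codes grouped by who initiated the access.
# Names follow Google's documented KAJ codes; the grouping is this example's.
CUSTOMER_REASONS = frozenset({
    "CUSTOMER_INITIATED_ACCESS",
    "CUSTOMER_INITIATED_SUPPORT",
})
GOOGLE_REASONS = frozenset({
    "GOOGLE_INITIATED_SERVICE",
    "GOOGLE_INITIATED_REVIEW",
    "GOOGLE_INITIATED_SYSTEM_OPERATION",
    "GOOGLE_RESPONSE_TO_PRODUCTION_ALERT",
})
OTHER_REASONS = frozenset({
    "THIRD_PARTY_DATA_REQUEST",
    "REASON_UNSPECIFIED",
    "REASON_NOT_EXPECTED",
})
KNOWN_REASONS = CUSTOMER_REASONS | GOOGLE_REASONS | OTHER_REASONS


@dataclass(frozen=True)
class DecryptRequest:
    """Assumed shape of one decrypt call as seen by the external key manager."""
    key_id: str          # external key URI / identifier
    justification: str   # KAJ reason code carried with the request
    principal: str       # identity presented by the cloud side
    request_id: str      # correlation id for the audit trail


@dataclass
class JustificationPolicy:
    """Default-deny: a decrypt succeeds only if its justification is listed."""
    allowed: frozenset[str]
    audit_log: list[dict] = field(default_factory=list)

    def decide(self, req: DecryptRequest) -> tuple[bool, str]:
        # Unknown codes are denied too; a new or garbled code must not slip by.
        if req.justification not in KNOWN_REASONS:
            allowed, why = False, "unknown_justification"
        elif req.justification in self.allowed:
            allowed, why = True, "allowed_by_policy"
        else:
            allowed, why = False, "denied_by_policy"
        # The audit record lives with the key owner, outside the cloud provider.
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "key_id": req.key_id,
            "principal": req.principal,
            "justification": req.justification,
            "request_id": req.request_id,
            "allowed": allowed,
            "why": why,
        })
        return allowed, why

    def denied_by_reason(self) -> dict[str, int]:
        """Count denials per justification code, the view an auditor asks for."""
        counts: dict[str, int] = {}
        for entry in self.audit_log:
            if not entry["allowed"]:
                counts[entry["justification"]] = counts.get(entry["justification"], 0) + 1
        return counts


def run_sample() -> dict[str, bool]:
    """Evaluate a constructed batch of requests against a customer-only policy."""
    policy = JustificationPolicy(allowed=CUSTOMER_REASONS)
    requests = [  # constructed sample input
        DecryptRequest("ekm://hsm.example/keys/cust-data", "CUSTOMER_INITIATED_ACCESS",
                       "service-123@gcp-sa-bigquery.iam.gserviceaccount.com", "r1"),
        DecryptRequest("ekm://hsm.example/keys/cust-data", "GOOGLE_INITIATED_SERVICE",
                       "google-internal", "r2"),
        DecryptRequest("ekm://hsm.example/keys/cust-data", "THIRD_PARTY_DATA_REQUEST",
                       "google-internal", "r3"),
        DecryptRequest("ekm://hsm.example/keys/cust-data", "NOT_A_REAL_CODE",
                       "google-internal", "r4"),
    ]
    return {r.request_id: policy.decide(r)[0] for r in requests}


if __name__ == "__main__":
    for rid, ok in run_sample().items():
        print(rid, "ALLOW" if ok else "DENY")
```

The point of the structure is that the deny decision and its audit trail are produced by code the organization runs, so a change on the cloud side (a new justification code, a different principal) can only lose access, never gain it.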