
Answer-first summary for fast verification
Answer: Enable Confidential VM instances for Compute Engine, and ensure that relevant Cloud Functions can leverage hardware-based memory isolation.
The question specifically focuses on securing 'data in use during computations' and minimizing 'unauthorized access to memory' for sensitive financial data.

Option A directly addresses this by using Confidential VM instances for Compute Engine, which provides hardware-based memory encryption and isolation through technologies like AMD SEV or Intel SGX, protecting data even from cloud provider access. The mention of Cloud Functions leveraging hardware-based memory isolation refers to Confidential Computing capabilities that can be extended to serverless environments.

Option B (data masking/tokenization) primarily protects data at rest or in transit, not data actively being processed in memory.

Option C (Cloud DLP) is for data discovery and protection at rest/in transit, not runtime memory protection.

Option D (CMEK with Cloud Storage) protects data at rest, not data actively being processed in compute environments.

The community discussion strongly supports A with 100% consensus and upvoted explanations highlighting how Confidential VMs provide the necessary hardware-enforced memory protection for sensitive data during computation.
Author: LeetQuiz Editorial Team
Your development team is deploying a new financial application with a microservices architecture on Compute Engine instances and serverless components like Cloud Functions. The application will process financial transactions that involve temporary, highly sensitive data in memory. To secure this data in use during computation and minimize the risk of unauthorized memory access, what should you do?
A. Enable Confidential VM instances for Compute Engine, and ensure that relevant Cloud Functions can leverage hardware-based memory isolation.
B. Use data masking and tokenization techniques on sensitive financial data fields throughout the application and the application's data processing workflows.
C. Use the Cloud Data Loss Prevention (Cloud DLP) API to scan and mask sensitive data before feeding the data into any compute environment.
D. Store all sensitive data during processing in Cloud Storage by using customer-managed encryption keys (CMEK), and set strict bucket-level permissions.