
Answer-first summary for fast verification
Answer: Use Cloud Storage with client-side encryption, Cloud KMS for key management, and Cloud HSM for cryptographic operations.
Option C provides the strongest security and control for highly sensitive data through multiple layers of protection: client-side encryption ensures data is encrypted before leaving the organization's control, Cloud KMS offers secure key management with granular access controls, and Cloud HSM provides the highest level of key protection using dedicated, tamper-resistant hardware security modules. This combination ensures end-to-end encryption control and hardware-level key security, which is superior to the other options.
Option B uses CMEK (server-side encryption), which doesn't provide the same level of control as client-side encryption, and while Secret Manager is useful for API tokens, it doesn't enhance the core data encryption strategy. Option A's CSEK is less flexible than CMEK, and Option D's server-side encryption with BigQuery column-level encryption doesn't match the comprehensive protection of client-side encryption with HSM-backed keys.
Author: LeetQuiz Editorial Team
Your organization needs to store highly sensitive data in Google Cloud and requires a solution with the maximum level of security and control. What is the recommended approach?
A. Use Cloud Storage with customer-supplied encryption keys (CSEK), VPC Service Controls for network isolation, and Cloud DLP for data inspection.
B. Use Cloud Storage with customer-managed encryption keys (CMEK), Cloud DLP for data classification, and Secret Manager for storing API access tokens.
C. Use Cloud Storage with client-side encryption, Cloud KMS for key management, and Cloud HSM for cryptographic operations.
D. Use Cloud Storage with server-side encryption, BigQuery with column-level encryption, and IAM roles for access control.