Learn the best approach to secure sensitive data in use during computations for financial applications using Compute Engine and Cloud Functions on Google Cloud Platform (GCP). Minimize unauthorized access risks with hardware-based memory isolation.
Question
Your development team is launching a new application. The new application has a microservices architecture on Compute Engine instances and serverless components, including Cloud Functions. This application will process financial transactions that require temporary, highly sensitive data in memory. You need to secure data in use during computations with a focus on minimizing the risk of unauthorized access to memory for this financial application. What should you do?
A. Enable Confidential VM instances for Compute Engine, and ensure that relevant Cloud Functions can leverage hardware-based memory isolation.
B. Use data masking and tokenization techniques on sensitive financial data fields throughout the application and the application’s data processing workflows.
C. Use the Cloud Data Loss Prevention (Cloud DLP) API to scan and mask sensitive data before feeding the data into any compute environment.
D. Store all sensitive data during processing in Cloud Storage by using customer-managed encryption keys (CMEK), and set strict bucket-level permissions.
Answer
A. Enable Confidential VM instances for Compute Engine, and ensure that relevant Cloud Functions can leverage hardware-based memory isolation.
Explanation
When processing highly sensitive financial data that requires protection while in use during computations, the most effective approach is to leverage hardware-based memory isolation. This minimizes the risk of unauthorized access to memory.
For the Compute Engine instances in the microservices architecture, enabling Confidential VM instances provides this hardware-based memory isolation. A Confidential VM runs on a CPU with memory-encryption support (AMD SEV or SEV-SNP on AMD EPYC, or Intel TDX): guest memory is encrypted with a key held by the CPU's secure processor and never exposed to the host, so the hypervisor and other VMs on the same host cannot read the plaintext. Plain SEV gives confidentiality only; SEV-SNP and TDX add memory integrity and an attestation report, so prefer those where the machine type supports them.
For the serverless Cloud Functions components, the answer assumes the functions can run on infrastructure that also offers hardware-based memory isolation (the page describes this as a beta capability, achieved with the same hardware virtualization features). Check the current Google Cloud documentation for which serverless runtimes and regions support confidential computing before relying on it; where a function cannot run in an isolated environment, keep the sensitive processing on the Confidential VMs and pass the function only tokens or references.
The other options, while relevant for data protection, do not directly address securing data in use during computation:
- Option B’s masking and tokenization reduces how much sensitive data the application handles, but the transaction logic still needs the real values in memory at some point, so it does not protect data in use.
- Option C’s Cloud DLP API scans and masks data before processing but doesn’t isolate memory.
- Option D’s encrypted Cloud Storage protects data at rest but not during computation.
Therefore, using Confidential VMs and hardware-isolated Cloud Functions is the best solution for securing sensitive financial data in use within the given architecture.
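As an added example (not code from the original page), the shell script below covers the two things a practitioner would actually do for the Compute Engine half of the answer: provision a Confidential VM with SEV-SNP via gcloud, and verify from inside the guest that memory encryption is really active by parsing the kernel's boot message. The zone, machine type, CPU platform and image are assumptions; the dmesg lines embedded in the script are constructed samples standing in for real output.

```shell
#!/bin/sh
# Added example, not the page's own code. Provision a Confidential VM and
# verify from inside the guest that hardware memory encryption is active.
# Zone, machine type, CPU platform and image below are assumptions.

# 1. Provisioning. Needs gcloud and a project; only runs with "--create NAME".
#    n2d + "AMD Milan" is required for SEV-SNP; TERMINATE avoids live migration.
create_confidential_vm() {
  gcloud compute instances create "$1" \
    --zone="${ZONE:-us-central1-a}" \
    --machine-type=n2d-standard-2 \
    --min-cpu-platform="AMD Milan" \
    --confidential-compute-type=SEV_SNP \
    --maintenance-policy=TERMINATE \
    --image-family=ubuntu-2204-lts \
    --image-project=ubuntu-os-cloud \
    --shielded-secure-boot --shielded-vtpm --shielded-integrity-monitoring
}

# 2. In-guest check. The Linux kernel logs the active memory-encryption
#    features at boot; extract that list from the dmesg-style text in $1.
#    Handles the older "AMD Memory Encryption Features active: SEV" wording and
#    the newer "Memory Encryption Features active: AMD SEV SEV-ES SEV-SNP"
#    (or "... Intel TDX") wording.
mem_encryption_features() {
  printf '%s\n' "$1" | sed -n 's/.*Memory Encryption Features active: *//p' | head -n 1
}

# True when the guest runs under any of SEV, SEV-ES, SEV-SNP or TDX.
is_confidential_guest() {
  case "$(mem_encryption_features "$1")" in
    *SEV*|*TDX*) return 0 ;;
    *)           return 1 ;;
  esac
}

# True only for variants that also give memory integrity and attestation.
# Plain SEV encrypts memory, but a malicious host can still corrupt or
# replay guest pages, which matters for transaction data.
has_integrity_protection() {
  case "$(mem_encryption_features "$1")" in
    *SEV-SNP*|*TDX*) return 0 ;;
    *)               return 1 ;;
  esac
}

# Constructed sample lines standing in for real dmesg output.
SAMPLE_SNP='[    0.000000] Memory Encryption Features active: AMD SEV SEV-ES SEV-SNP'
SAMPLE_PLAIN='[    0.000000] Linux version 6.5.0 (buildd@lcy02) ...'

case "$1" in
  --create) create_confidential_vm "$2"; exit $? ;;
  --live)   LOG=$(dmesg 2>/dev/null || cat /var/log/dmesg 2>/dev/null) ;;
  *)        LOG="$SAMPLE_SNP" ;;   # offline demo against the constructed sample
esac

if is_confidential_guest "$LOG"; then
  echo "memory encryption active: $(mem_encryption_features "$LOG")"
  has_integrity_protection "$LOG" || echo "warning: SEV only, no integrity or attestation"
else
  echo "NOT a confidential guest: sensitive data in memory is readable by the host"
fi
```

Run it with no arguments to exercise the parser against the built-in sample, `--create NAME` to provision, and `--live` on the guest itself. The dmesg check only tells you what the guest kernel believes it is running on; for evidence you can show an auditor, fetch an attestation report (the vTPM launch attestation or the SEV-SNP guest report) rather than trusting the boot log.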
Practice question and answer, with explanation, for the Google Professional Cloud Security Engineer certification exam.