Module 4: Ensuring Data Protection
Looking for ‘Preparing for Your Professional Cloud Security Engineer Journey Module 4 Answers’?
In this post, I provide complete, accurate, and detailed explanations for the answers to Module 4: Ensuring Data Protection of Course 1: Preparing for Your Professional Cloud Security Engineer Journey – Preparing for Google Cloud Certification: Cloud Security Engineer Professional Certificate.
Whether you’re preparing for quizzes or brushing up on your knowledge, these insights will help you master the concepts effectively. Let’s dive into the correct answers and detailed explanations for each question!
Diagnostic questions
Practice Assignment
1. Cymbal Bank has hired a data analyst team to analyze scanned copies of loan applications. Because this is an external team, Cymbal Bank does not want to share the name, gender, phone number, or credit card numbers listed in the scanned copies. You have been tasked with hiding this PII information while minimizing latency. What should you do?
- Use the Cloud Vision API to perform optical character recognition (OCR) from scanned images. Redact the text using the Cloud Natural Language API with regular expressions.
- Use the Cloud Vision API to perform optical character recognition (OCR) from scanned images. Redact the text using the Cloud Data Loss Prevention (DLP) API with regular expressions.
- Use the Cloud Vision API to perform text extraction from scanned images. Redact the text using the Cloud Natural Language API with regular expressions.
- Use the Cloud Data Loss Prevention (DLP) API to make redact image requests. Provide your project ID, built-in infoTypes, and the scanned copies when you make the requests. ✅
Explanation:
Cloud DLP can redact sensitive data directly from images using built-in infoTypes (like names, phone numbers, credit card numbers). This is low latency and purpose-built for redacting PII in scanned images. OCR is built into the image redaction flow.
2. Cymbal Bank needs to statistically predict the days customers delay the payments for loan repayments and credit card repayments. Cymbal Bank does not want to share the exact dates a customer has defaulted or made a payment with data analysts. Additionally, you need to hide the customer name and the customer type, which could be corporate or retail. How do you provide the appropriate information to the data analysts?
- Generalize all dates to year and month with bucketing. Use the built-in infoType for customer name. Use a custom infoType for customer type with a custom dictionary.
- Generalize all dates to year and month with bucketing. Use the built-in infoType for customer name. Use a custom infoType for customer type with regular expression.
- Generalize all dates to year and month with date shifting. Use a predefined infoType for customer name. Use a custom infoType for customer type with regular expression.
- Generalize all dates to year and month with date shifting. Use a predefined infoType for customer name. Use a custom infoType for customer type with a custom dictionary. ✅
Explanation:
- Date shifting anonymizes but retains useful patterns.
- Built-in infoTypes are available for common data like names.
- Custom dictionary is best for known values like “corporate” or “retail”.
3. Cymbal Bank stores customer information in a BigQuery table called ‘Information,’ which belongs to the dataset ‘Customers.’ Various departments of Cymbal Bank, including loan, credit card, and trading, access the information table. Although the data source remains the same, each department needs to read and analyze separate customers and customer-attributes. You want a cost-effective way to configure departmental access to BigQuery to provide optimal performance. What should you do?
- Create an authorized dataset in BigQuery’s Explorer panel. Write Customers’ table metadata into a JSON file, and edit the file to add each department’s Project ID and Dataset ID. Provide the bigquery.user role to each department’s required users.
- Secure data with classification. Open the Data Catalog Taxonomies page in the Google Cloud Console. Create policy tags for required columns and rows. Provide the bigquery.user role to each department’s required users. Provide policy tags access to each department separately.
- Create separate datasets for each department. Create views for each dataset separately. Authorize these views to access the source dataset. Share the datasets with departments. Provide the bigquery.dataViewer role to each department’s required users. ✅
- Create separate datasets for each department. Create authorized functions in each dataset to perform required aggregations. Write transformed data to new tables for each department separately. Provide the bigquery.dataViewer role to each department’s required users.
Explanation:
Each department needs access to a subset of the same BigQuery table (Information), limited to specific customers and customer attributes. Separate per-department datasets with authorized views over the source dataset meet that need while they:
- Keep performance optimized
- Maintain cost-effectiveness
- Ensure data security and minimal duplication
4. Cymbal Bank has a Cloud SQL instance that must be shared with an external agency. The agency’s developers will be assigned roles and permissions through a Google Group in Identity and Access Management (IAM). The external agency is on an annual contract and will require a connection string, username, and password to connect to the database. How would you configure the group’s access?
- Use Secret Manager. Use the duration attribute to set the expiry period to one year. Add the secretmanager.secretAccessor role for the group that contains external developers. ✅
- Use Secret Manager. Use the resource attribute to set a key-value pair with key as duration and values as expiry period one year from now. Add secretmanager.viewer role for the group that contains external developers.
- Use Secret Manager for the connection string and username, and use Cloud Key Management Service for the password. Use tags to set the expiry period to the timestamp one year from now. Add secretmanager.secretVersionManager and secretmanager.secretAccessor roles for the group that contains external developers.
- Use Cloud Key Management Service. Use the destination IP address and Port attributes to provide access for developers at the external agency. Remove the IAM access after one year and rotate the shared keys. Add cloudkms.cryptoKeyEncryptorDecryptor role for the group that contains the external developers.
Explanation:
- Secret Manager is the right place for managing credentials securely.
- The duration attribute sets time-limited access.
- The secretAccessor role gives read access to secrets.
5. Cymbal Bank calculates employee incentives on a monthly basis for the sales department and on a quarterly basis for the marketing department. The incentives are released with the next month’s salary. Employee’s performance documents are stored as spreadsheets, which are retained for at least one year for audit. You want to configure the most cost-effective storage for this scenario. What should you do?
- Import the spreadsheets to BigQuery, and create separate tables for Sales and Marketing. Set table expiry rules to 365 days for both tables. Create jobs scheduled to run every quarter for Marketing and every month for Sales.
- Import the spreadsheets into Cloud Storage and create NoSQL tables. Use App Engine cron jobs to run monthly for Sales and quarterly for Marketing. Use a separate job to delete the data after 1 year.
- Upload the spreadsheets to Cloud Storage. Select the Nearline storage class for the sales department and Coldline storage for the marketing department. Use object lifecycle management rules to set the storage class to Archival after 365 days. Process the data on BigQuery using jobs that run monthly for Sales and quarterly for Marketing. ✅
- Import the spreadsheets to Cloud SQL, and create separate tables for Sales and Marketing. For Table Expiration, set 365 days for both tables. Use stored procedures to calculate incentives. Use App Engine cron jobs to run stored procedures monthly for Sales and quarterly for Marketing.
Explanation:
- Nearline: for monthly access (Sales).
- Coldline: for quarterly access (Marketing).
- Lifecycle rules automate cost-efficient archival.
6. Cymbal Bank uses Google Kubernetes Engine (GKE) to deploy its Docker containers. You want to encrypt the boot disk for a cluster running a custom image so that the key rotation is controlled by the Bank. GKE clusters will also generate up to 1024 randomized characters that will be used with the keys with Docker containers. What steps would you take to apply the encryption settings with a dedicated hardware security layer?
- Create a new GKE cluster with customer-managed encryption and HSM enabled. Deploy the containers to this cluster. Delete the old GKE cluster. Use Cloud HSM to generate random bytes and provide an additional layer of security. ✅
- Create a new key ring using Cloud Key Management Service. Extract this key to a certificate. Use the kubectl command to update the Kubernetes configuration. Validate using MAC digital signatures, and use a startup script to generate random bytes.
- Create a new key ring using Cloud Key Management Service. Extract this key to a certificate. Use the Google Cloud Console to update the Kubernetes configuration. Validate using MAC digital signatures, and use a startup script to generate random bytes.
- In the Google Cloud console, navigate to Google Kubernetes Engine. Select your cluster and the boot node inside the cluster. Enable customer-managed encryption. Use Cloud HSM to generate random bytes and provide an additional layer of security.
Explanation:
- Customer-managed keys (CMEK) allow key control.
- Cloud HSM enables hardware-level encryption.
- New cluster with CMEK is needed to apply boot disk encryption.
7. Cymbal Bank needs to migrate existing loan processing applications to Google Cloud. These applications transform confidential financial information. All the data should be encrypted at all stages, including sharing between sockets and RAM. An integrity test should also be performed every time these instances boot. You need to use Cymbal Bank’s encryption keys to configure the Compute Engine instances. What should you do?
- Create a Confidential VM instance with Customer-Managed Encryption Keys. In Cloud Logging, collect all logs for earlyBootReportEvent.
- Create a Shielded VM instance with Customer-Supplied Encryption Keys. In Cloud Logging, collect all logs for earlyBootReportEvent.
- Create a Confidential VM instance with Customer-Supplied Encryption Keys. In Cloud Logging, collect all logs for sevLaunchAttestationReportEvent. ✅
- Create a Shielded VM instance with Customer-Managed Encryption Keys. In Cloud Logging, collect all logs for sevLaunchAttestationReportEvent.
Explanation:
- Confidential VMs encrypt data in use (RAM).
- Customer-Supplied Encryption Keys (CSEK) give complete control of the keys.
- sevLaunchAttestationReportEvent logs the integrity attestation performed at boot.
8. You are building an AI model on Google Cloud to analyze customer data and predict purchase behavior. This model will have access to sensitive information like purchase history and demographics. To protect this data and prevent misuse of the model, what THREE security controls are most important to implement?
- Monitor the model’s performance for anomalies and biases, then manually intervene if needed. ✅
- Deploy the model in a region with the highest data security standards. ✅
- Configure IAM roles to grant full access to the model for all Google Cloud users.
- Enable Google Cloud Armor on your deployed model to block malicious requests. ✅
- Store all model training data in BigQuery with public access for transparency.
Explanation:
- Monitoring ensures responsible AI.
- Region selection supports data residency & compliance.
- Cloud Armor protects against external threats.
9. You're building a machine learning model on Google Cloud. You're choosing between two options: managing the infrastructure yourself (IaaS) or using Google's managed services (PaaS). To ensure the best security posture for both the model and its data, which TWO factors should you prioritize when defining security requirements for each hosting option?
- Compliance with internal security policies
- Granular access controls and permissions ✅
- Network traffic inspection and intrusion detection
- Physical server hardening and security patches
- Data location and residency restrictions ✅
Explanation:
These two are critical:
- Access control protects resources from unauthorized use.
- Data residency ensures compliance with data protection regulations.
10. You are tasked with developing an AI system on Google Cloud for a telecommunications business. This AI system will conduct sentiment analysis on conversations agents have with customers, and provide conversational recommendations to improve customer satisfaction in the future. What AI/ML-specific security controls do you need to plan for when developing this system?
- Select Google Cloud AI services that leverage a PaaS model. These are the only ones that can guarantee a secure-by-design foundation.
- Deploy your AI solution using managed instance groups (MIGs). These have baked in security controls specific to running AI workloads.
- AI systems are more interconnected than non-AI systems. Prepare for new attack vectors, as attackers can exploit vulnerabilities in one system to attack another. ✅
- Leverage an AI model-specific threat detection scanner. Threats between AI systems and non-AI systems have very little in common.
Explanation:
AI systems often integrate multiple components (e.g., APIs, databases, models), creating unique attack surfaces. Security must account for inter-system dependencies.
Knowledge Check
Graded Assignment
11. Which tool will Cymbal Bank use to scan for, detect, and optionally transform sensitive data to prevent exposure?
- VPC service controls
- Sensitive Data Protection ✅
- Secret Manager
- Google Cloud Armor
Explanation:
- Sensitive Data Protection (formerly DLP API) scans for sensitive information like PII (Personally Identifiable Information) and can mask, redact, or transform the data.
- It’s the ideal tool for data loss prevention and compliance in Google Cloud.
12. What feature will allow Cymbal Bank to delete or change the storage class of objects in Cloud Storage buckets?
- Lifecycle management rules ✅
- Retention policies
- Object versioning
- Rotation periods
Explanation:
Lifecycle management rules allow you to automatically:
- Delete old objects
- Change their storage class (e.g., from Standard to Nearline or Coldline)
Rules are triggered by conditions such as object age, current storage class, or number of newer versions.
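As an added illustration for questions 5 and 12 (this is an example, not part of the course material): a Cloud Storage lifecycle configuration that moves the Sales (Nearline) and Marketing (Coldline) spreadsheets to the Archive class once they are 365 days old, matching the retention requirement. The bucket name is a placeholder.

```json
{
  "lifecycle": {
    "rule": [
      {
        "action": {
          "type": "SetStorageClass",
          "storageClass": "ARCHIVE"
        },
        "condition": {
          "age": 365,
          "matchesStorageClass": ["NEARLINE", "COLDLINE"]
        }
      }
    ]
  }
}
```

Apply it with `gsutil lifecycle set lifecycle.json gs://YOUR-BUCKET-NAME`; objects already in the Archive class are untouched because the `matchesStorageClass` condition excludes them.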