You are consulting with a client that requires end-to-end encryption of application data (including data in transit, data in use, and data at rest) within Google Cloud. Which options should you utilize to accomplish this? (Choose two.)
Confidential Computing enables encryption for "data-in-use"
Client Side encryption enables security for "data in transit" from Customer site to GCP
Once data is at rest, use Google's default encryption for "data at rest"
I feel this should be DE.
Confidential Computing and Istio (Option D): Confidential Computing protects data in use by running workloads in secure enclaves, ensuring that data remains encrypted even during processing. Istio can help secure data in transit by providing mutual TLS (mTLS) for service-to-service communication within your Kubernetes clusters.
Client-side encryption (Option E): Client-side encryption ensures that data is encrypted before it is sent to Google Cloud, protecting data in transit and at rest. This approach allows you to maintain control over the encryption keys and ensures that data is encrypted throughout its lifecycle.
B. Customer-supplied encryption keys: This is crucial for achieving true end-to-end encryption. By providing your own encryption keys, you maintain complete control over the data; even Google Cloud cannot decrypt it without your keys.
C. Hardware Security Module (HSM): HSMs provide a secure environment for storing and managing your encryption keys. This adds an extra layer of security, ensuring that your keys are protected from unauthorized access.
Option E (Client-side encryption) typically refers to encrypting data on the client side before sending it to the cloud, and it can complement the other options but is not one of the primary mechanisms for achieving end-to-end encryption within Google Cloud itself.
Google Cloud customers with additional requirements for encryption of data over WAN can choose to implement further protections for data as it moves from a user to an application, or virtual machine to virtual machine. These protections include IPSec tunnels, Gmail S/MIME, managed SSL certificates, and Istio.
https://cloud.google.com/docs/security/encryption-in-transit