Exam Professional Cloud Security Engineer topic 1 question 175 discussion

Confidential Computing enables encryption for "data-in-use" Client Side encryption enables security for "data in transit" from Customer site to GCP Once data is at rest, use Google's default encryption for "data at rest"

I feel this should be DE. Confidential Computing enables encryption for "data-in-use" Client Side encryption enables security for "data in transit" from Customer site to GCP Once data is at rest, use Google's default encryption for "data at rest"

B. Customer-supplied encryption keys: This is crucial for achieving true end-to-end encryption. By providing your own encryption keys, you maintain complete control over the data, even Google Cloud cannot decrypt it without your keys. C. Hardware Security Module (HSM): HSMs provide a secure environment for storing and managing your encryption keys. This adds an extra layer of security, ensuring that your keys are protected from unauthorized access.

Answer BD. To accomplish end-to-end encryption of application data within Google Cloud, including data in transit, data in use, and data at rest, you should utilize the following options: B. Customer-supplied encryption keys - Customer-supplied encryption keys (CSEK) allow you to use your own encryption keys to protect your data at rest in Google Cloud, ensuring that your data is encrypted with keys that you control. D. Confidential Computing and Istio - Confidential Computing provides a hardware-based trusted execution environment (TEE) to protect data in use, ensuring that sensitive workloads and data remain encrypted while being processed. Istio can be used for securing data in transit within Google Cloud. Therefore, the correct answers are: **B. Customer-supplied encryption keys** **D. Confidential Computing and Istio**

I'll go with answer CD: https://cloud.google.com/kubernetes-engine/docs/how-to/encrypting-secrets#creating-key

Option E (Client-side encryption) typically refers to encrypting data on the client side before sending it to the cloud, and it can complement the other options but is not one of the primary mechanisms for achieving end-to-end encryption within Google Cloud itself.

D - Ensures encryption for data in use and transit E - Ensures Encryption at rest

Why not B, E?

https://cloud.google.com/compute/confidential-vm/docs/about-cvm#end-to-end_encryption

Google Cloud customers with additional requirements for encryption of data over WAN can choose to implement further protections for data as it moves from a user to an application, or virtual machine to virtual machine. These protections include IPSec tunnels, Gmail S/MIME, managed SSL certificates, and Istio. https://cloud.google.com/docs/security/encryption-in-transit

D. Confidential Computing and Istio E. Client-side encryption

AE is my answer.