Google Professional-Cloud-Security-Engineer Actual Questions

To ensure that PII data is separated from non-PII data, using Cloud Pub/Sub and Cloud Functions to trigger a scan by the Data Loss Prevention (DLP) API is an effective approach. This method allows for automated detection and handling of PII.

Steps:

Set Up Cloud Pub/Sub: Configure a Cloud Pub/Sub topic to receive notifications whenever a file is uploaded to the shared Cloud Storage bucket.

Deploy Cloud Functions: Create a Cloud Function that is triggered by the Pub/Sub topic. This function will invoke the DLP API to scan the uploaded file for PII.

Move Detected PII Files: If the scan detects PII, the Cloud Function will move the file to a secure Cloud Storage bucket accessible only by the administrator.

Set Permissions: Ensure that appropriate permissions are set on the Cloud Storage buckets to restrict access to files containing PII.

References:

Google Cloud: Data Loss Prevention

Cloud Functions documentation

To comply with GDPR requirements and manage encryption keys for workloads across multiple Google Cloud services, customer-managed encryption keys (CMEK) offer a suitable solution.

Customer-managed encryption keys (B):

CMEK allows you to create and manage encryption keys using Google Cloud Key Management Service (KMS). You maintain full control over the key lifecycle, including key rotation and destruction.

CMEK can be used with various Google Cloud services, such as Compute Engine, Google Kubernetes Engine, Cloud Storage, BigQuery, and Pub/Sub, ensuring consistent and compliant encryption across your environment.

Using CMEK, you can implement data protection by design, aligning with GDPR requirements by ensuring that encryption keys are appropriately managed and secured.

References

Customer-Managed Encryption Keys Documentation

Encryption at Rest in Google Cloud

To handle images containing personally identifiable information (PII) in chat logs while maintaining data utility, you can use Google Cloud's Data Loss Prevention (DLP) API. The DLP API provides capabilities to inspect and redact sensitive information from images. Here’s how you can use it:

Inspect Images: Use the DLP API to inspect images shared by customers for PII. This involves configuring the API to detect various types of sensitive information, such as names, social security numbers, and other PII.

Redact PII: Apply the redaction actions provided by the DLP API to remove or mask the PII in the images. The redaction can blur, mask, or replace sensitive information with placeholders, ensuring that the PII is not stored in the databases.

Store Redacted Images: Store the redacted images in your database for further analysis. This ensures that the sensitive information is not retained, addressing privacy concerns while still preserving the utility of the data for analysis.

By using the DLP API, the organization can effectively manage PII in customer-provided images, ensuring compliance with privacy regulations.

References

Cloud DLP Documentation

Redacting Sensitive Data with DLP API

Set up a Dedicated Interconnect link between the on-premises environment and Google Cloud:

Dedicated Interconnect provides a direct physical connection between your on-premises network and Google's network, which is ideal for high-throughput, low-latency connections.

Request a Dedicated Interconnect from the Google Cloud Console, specifying the required bandwidth and location.

Once provisioned, set up the connection on your on-premises router and configure the BGP sessions to exchange routes with Google Cloud.

Configure private access using the restricted.googleapis.com domains in on-premises DNS configurations:

Configure your on-premises DNS server to resolve Google APIs to restricted.googleapis.com. This ensures that the traffic stays within the Google network and is not exposed to the public internet.

Update your DNS settings to use restricted.googleapis.com for the necessary API endpoints.

This setup ensures that all Google Cloud API traffic is routed through the private link and subject to VPC Service Controls for additional security and compliance.

References:

Dedicated Interconnect Overview

Configuring DNS to use restricted.googleapis.com