Google Cloud Professional Cloud Security Engineer Practice Exam

In order to prevent data exfiltration from BigQuery containing PII, what security measure should be applied?

• A. Restrict access to users in the same project only
• B. Create a service perimeter based on authorized IP addresses
• C. Enable encryption for all data at rest
• D. Use Identity and Access Management (IAM) roles only

The correct answer is: Create a service perimeter based on authorized IP addresses

Creating a service perimeter based on authorized IP addresses is an effective measure for preventing data exfiltration from BigQuery, particularly when dealing with Personally Identifiable Information (PII). A service perimeter defines a secure boundary around resources in a Google Cloud environment, ensuring that only traffic from specified IP addresses can access sensitive data resources. This significantly enhances security by limiting data access to trusted sources and reducing the attack surface. By establishing this perimeter, organizations can enforce strict access controls to PII data stored in BigQuery. This measure is particularly important because it can mitigate the risks associated with unauthorized access or exfiltration attempts from outside the approved network range. Other options, while relevant, do not offer the same level of protection against data exfiltration. For example, restricting access to users within the same project can limit exposure, but it doesn't account for potential vulnerabilities or insider threats. Enabling encryption for data at rest is vital for protecting data storage, but it does not prevent unauthorized access. Lastly, relying solely on IAM roles for access control could lead to overly broad permissions if not managed properly, making it easier for unauthorized users to access sensitive data. Thus, establishing a service perimeter based on authorized IP addresses provides a robust and proactive approach to safeguarding PII data