Google Cloud Professional Cloud Security Engineer Practice Exam


Prepare for the Google Cloud Professional Cloud Security Engineer Exam with our interactive quiz. Study with flashcards and multiple-choice questions, complete with hints and explanations. Ace your exam with confidence!



What kind of encryption should be used for directly storing secrets in Google Cloud?

  1. Customer-Managed Encryption Key (CMEK)

  2. Default Google encryption

  3. No encryption needed

  4. Partner-Managed Encryption Key

The correct answer is: Customer-Managed Encryption Key (CMEK)

Using Customer-Managed Encryption Keys (CMEK) for directly storing secrets in Google Cloud is a preferred approach because it allows organizations to have full control over their encryption keys. This means they can manage the lifecycle of the keys, including creating, rotating, or deleting them as needed. By utilizing CMEK, an organization can enforce security policies tailored to their requirements, as well as meet compliance and regulatory needs.

CMEK also integrates smoothly with various Google Cloud services, providing an added layer of security while still allowing the flexibility to utilize Google Cloud's infrastructure and features. This is particularly crucial for sensitive information, as it ensures that even if data at rest is compromised, it cannot be accessed without the appropriate keys held by the organization.

In contrast, options like default Google encryption, while secure and provided automatically by Google, do not offer the same level of control and customization that CMEK provides. Similarly, the option of not using encryption at all would expose sensitive data to significant risks. Partner-Managed Encryption Keys, while another valid option, may not always align perfectly with every organization’s internal management and compliance strategies, making CMEK generally more suitable for scenarios requiring fine-grained control over encryption practices.