Google Cloud Professional Cloud Security Engineer Practice Exam

What type of encryption key should be managed for workloads in Compute Engine, Google Kubernetes Engine, Cloud Storage, BigQuery, and Pub/Sub in compliance with GDPR?

• A. Customer-managed encryption keys
• B. Google-managed encryption keys
• C. Application-managed encryption keys
• D. Default encryption keys

The correct answer is: Customer-managed encryption keys

Customer-managed encryption keys (CMEK) are essential for compliance with regulations like GDPR, as they provide organizations with greater control over their encryption keys. When using CMEK, the organization is responsible for the lifecycle management of those keys, including creation, rotation, and destruction. This level of control not only helps in enforcing data privacy policies but also ensures that the organization has the ability to manage access to sensitive data more strictly. In the context of GDPR, which emphasizes data protection and privacy, having control over encryption keys enables organizations to demonstrate compliance by providing transparency about data access and the ability to quickly respond to data subject requests, such as the right to erasure. By using CMEK, an organization can implement policies that better safeguard personal data, ensuring that only authorized users have access to encryption keys and, consequently, to the data encrypted under those keys. Other types of encryption key management, such as Google-managed encryption keys or default encryption keys, do not provide the same level of control over key management and may not fully satisfy the compliance requirements that GDPR mandates. Choices like application-managed and default encryption keys also do not align with the level of control and oversight required under GDPR, as they lack the necessary governance and audit capabilities for sensitive data management. Therefore