Google Cloud Professional Cloud Security Engineer Practice Exam

When you need to shield sensitive data from unauthorized access in log files, what approach should you take?

• A. Encrypt all log files with the same key
• B. Implement user roles based on job functions
• C. Store sensitive logs in a separate, secure location
• D. Remove all PII from logs before storage

The correct answer is: Store sensitive logs in a separate, secure location

Storing sensitive logs in a separate, secure location is an effective approach to shield sensitive data from unauthorized access. By isolating these logs, you can apply more stringent security measures specific to that storage solution, such as advanced encryption, access controls, and monitoring tailored to the sensitivity of the data. This separation minimizes the risk of exposure because only authorized personnel or systems can access these logs, reducing the attack surface. It allows for better management of access rights, ensuring that only those who require access for legitimate purposes can retrieve sensitive information. Additionally, a secure storage location can be configured with additional layers of protection, such as physical security measures, specialized audit logging, and backup strategies that further enhance the overall security posture of the organization. While encrypting log files, implementing user roles, and removing PII are all important security practices, they do not provide the same level of focused protection that dedicated storage for sensitive logs can offer. Encryption protects data at rest or in transit, but if access controls aren’t strict, unauthorized users may still reach sensitive logs. Similarly, user roles are essential for proper access management but must be implemented alongside secure storage to comprehensively protect sensitive log data. Removing PII is also valuable for preserving privacy, but it doesn't ensure that