Google Cloud Professional Cloud Security Engineer Practice Exam



When your organization seeks full control over encryption keys used for data at rest, what approach should be taken?

  1. Use Google-managed keys for encryption

  2. Utilize Cloud External Key Management with an HSM

  3. Store keys in a Google Cloud Storage bucket

  4. Use local VM-based key management

The correct answer is: Utilize Cloud External Key Management with an HSM

Utilizing Cloud External Key Management with an HSM (Hardware Security Module) allows organizations to maintain full control over their encryption keys used for data at rest. This approach provides an enhanced security posture, since the keys are managed externally from Google Cloud services and are protected by dedicated hardware that provides robust physical security and compliance with various regulatory standards.

Having full control over encryption keys is critical for organizations that must adhere to strict regulatory requirements or internal security policies. With Cloud External Key Management, the organization can define key usage policies and ensure that keys are only accessible to authorized users and applications, allowing for a tailored security model that meets specific compliance obligations. This method also supports key lifecycle management, enabling secure key generation, rotation, and destruction. The reliance on an HSM further strengthens the security of the keys by protecting them from unauthorized access through hardware-based safeguards.

In contrast, using Google-managed keys limits an organization's control, since those keys are handled entirely by Google, which may not suit firms that need stringent control. Storing keys in a Google Cloud Storage bucket would pose risks regarding key exposure. Local VM-based key management might not provide the same level of security and compliance as specialized external key management solutions.