    Google Cloud · GCP PCA · 18% of exam

    Security & Compliance

    Identity management, data protection, regulatory compliance, and security best practices on GCP.

    30 practice questions
    Q08

    CASE STUDY: Dress4Win

    Company Overview: Dress4Win is a web-based retail company that helps users organize their wardrobes.
    Current Environment: Colocated data center. Tomcat app servers, Nginx web servers, MySQL databases, Redis caching. 100TB of image data on SAN.
    Business Requirements: Migrate to cloud to handle seasonal spikes (Black Friday). Reduce CapEx. Enable rapid prototyping.
    Executive Statements: CEO: 'Innovate faster, stop worrying about servers.' CFO: 'Move to OpEx. Ensure PCI-DSS compliance.' CTO: 'Modernize stack but migrate quickly first.'
    Technical Requirements: Secure hybrid connectivity during migration. PCI-DSS compliance. Automated scaling. CI/CD for microservices.
    Constraints: Migration must be completed before Q4 holiday season (6 months). Limited budget for refactoring during initial migration.

    QUESTION:
    To meet the CFO's requirement for PCI-DSS compliance, how should you secure the payment processing environment in GCP?

    Hard · 1m · GCP Professional Cloud Architect Practice Exam 1
    Q13

    CASE STUDY: TerramEarth

    Company Overview: TerramEarth manufactures heavy equipment. 2 million vehicles in the field.
    Current Environment: Vehicles send telemetry via cellular. Processing 100,000 msgs/sec. On-prem Hadoop cluster.
    Business Requirements: Predict equipment failure. Reduce warranty costs. Provide fleet dashboard.
    Executive Statements: CEO: 'Monetize data.' CFO: 'Storage costs spiraling.' CTO: 'Need scalable ingestion and ML.'
    Technical Requirements: Ingest 500,000 msgs/sec. Store petabytes cost-effectively. Train ML models. Real-time anomaly detection.
    Constraints: Intermittent connectivity. Strict vehicle authentication.

    QUESTION:
    How should you meet the strict vehicle authentication constraint when vehicles connect to the GCP environment?

    Medium · 1m · GCP Professional Cloud Architect Practice Exam 1
    Q18

    CASE STUDY: HealthCare360

    Company Overview: HealthCare360 provides EHR systems to hospitals in NA and EU.
    Current Environment: Isolated on-prem deployments. Fragmented data.
    Business Requirements: Centralize EHR in cloud. Enable cross-hospital research. Ensure compliance.
    Executive Statements: CEO: 'Transforming to SaaS.' CFO: 'Need cost attribution per tenant.' CSO: 'Zero compromise on HIPAA/GDPR.'
    Technical Requirements: Multi-region active-active deployment. Microservices on GKE. End-to-end encryption (CMEK). Strict network perimeters.
    Constraints: Zero data loss (RPO=0). RTO < 15 minutes. HIPAA (US) and GDPR (EU) compliance.

    QUESTION:
    To meet the CSO's requirement for strict network perimeters and HIPAA compliance, how should you protect the patient data stored in Cloud Storage and BigQuery?

    Hard · 1m · GCP Professional Cloud Architect Practice Exam 1
    Q28

    You are deploying an internal HR application on Compute Engine. The application uses HTTP and should only be accessible to employees connected to the corporate network via Cloud VPN. Which load balancer should you use?

    Easy · 1m · GCP Professional Cloud Architect Practice Exam 1
    Q29

    You are creating a new GCP project for a production environment. You need strict control over the IP address ranges used by your subnets to prevent overlapping with your on-premises network. How should you configure the VPC network?

    Easy · 1m · GCP Professional Cloud Architect Practice Exam 1
    Q30

    Your e-commerce application uses Cloud SQL for PostgreSQL. During peak shopping hours, the database CPU hits 95% due to a massive number of read queries from the product catalog, causing latency. Write operations (orders) remain low. How should you optimize the database architecture?

    Medium · 1m · GCP Professional Cloud Architect Practice Exam 1
    Q31

    You are designing a multi-tenant SaaS application on GKE. Each tenant's microservices run in a dedicated Kubernetes namespace. Tenant A's microservices need access to Tenant A's Cloud Storage bucket, and Tenant B's microservices need access to Tenant B's bucket. How should you configure authentication to ensure strict isolation?

    Hard · 1m · GCP Professional Cloud Architect Practice Exam 1
    Q45

    Your development team spends too much time parsing through raw text logs in Cloud Logging to find application crashes and stack traces. Which TWO actions should you take to improve their troubleshooting efficiency? (Select TWO)

    Easy · 1m · GCP Professional Cloud Architect Practice Exam 1
    Q46

    You are reviewing the GCP billing report for a large enterprise. You notice high costs for Compute Engine. The workloads consist of a baseline of 100 VMs that run 24/7, and an additional 50 VMs that scale up and down dynamically based on daily traffic. Which TWO cost optimization strategies should you apply? (Select TWO)

    Medium · 1m · GCP Professional Cloud Architect Practice Exam 1
    Q47

    Your SRE team has defined an SLO of 99.9% availability for a critical service. Over the past month, the service has experienced multiple outages, and the error budget has been completely exhausted. According to Google SRE best practices, which THREE actions should the team take? (Select THREE)

    Hard · 1m · GCP Professional Cloud Architect Practice Exam 1
    Q08

    CASE STUDY: ShopGlobal. Global e-commerce. Monolithic Java on VMware. Oracle RAC (20TB). 10x Black Friday traffic. Req: Microservices, 100% uptime during holidays, personalized recommendations. CEO: Flawless omnichannel. CFO: Predictable spend. CTO: No vendor lock-in, open-source. Tech: Containerize, Global LB, PCI-DSS, async orders, real-time inventory. Constraints: Keep Oracle on-prem for 2 yrs (licensing), low K8s skills, strict security reviews.

    To meet PCI-DSS compliance and prevent data exfiltration from the payment processing microservices, what should you configure?

    Medium · 1m · GCP Professional Cloud Architect Practice Exam 2
    Q13

    CASE STUDY: AutoMakers Inc. 1M connected cars, 100GB/day telemetry. Req: Predictive maintenance, real-time driver dashboard, monetize data. CEO: Data is new engine. CFO: Cut 3rd-party IoT costs. CTO: Highly scalable ingest. Tech: MQTT ingest, stream processing, ML models, 7-yr cold storage, handle intermittent connectivity. Constraints: Anonymize data, low vehicle compute, strict analytics budget.

    Which service should you integrate into the streaming pipeline to automatically anonymize Vehicle Identification Numbers (VINs) before data scientists access it?

    Medium · 1m · GCP Professional Cloud Architect Practice Exam 2
    Q18

    CASE STUDY: HealthSecure. 50M patient records. Legacy mainframe, on-prem SAN (100TB), .NET portal. Req: Modernize portal, secure hospital sharing, fast audits. CEO: Modern UX. CFO: Automate audits. CISO: Zero breaches. Tech: HIPAA, CMEK, audit logging, API gateway, DR (1h RPO/4h RTO). Constraints: No public DB IPs, Dev/Ops separation, US data only, mainframe stays on-prem via VPN.

    How should you implement Customer-Managed Encryption Keys (CMEK) while enforcing the strict separation of duties between Dev and Ops?

    Hard · 1m · GCP Professional Cloud Architect Practice Exam 2
    Q28

    A new developer joins your team and needs to view the configuration of Compute Engine instances, but should not be able to start, stop, or modify them. Which IAM role should you grant?

    Easy · 1m · GCP Professional Cloud Architect Practice Exam 2
    Q29

    Your company wants to allow remote employees to access an internal web application hosted on Compute Engine without using a traditional VPN. How should you secure this access?

    Medium · 1m · GCP Professional Cloud Architect Practice Exam 2
    Q30

    You have configured a VPC Service Controls perimeter around your production project to protect Cloud Storage. However, an external partner needs to upload files to a specific bucket within this perimeter from their own GCP project. How do you allow this?

    Hard · 1m · GCP Professional Cloud Architect Practice Exam 2
    Q43

    You need to store database passwords and API keys for your Cloud Run application. Which TWO statements correctly describe why Secret Manager is preferred over Cloud KMS for this use case? (Select TWO)

    Medium · 1m · GCP Professional Cloud Architect Practice Exam 2
    Q44

    Your CISO wants to ensure that no developer can create a VM with an external public IP address, and that all resources are created only in the 'europe-west1' region. Which TWO Organization Policies should you enforce? (Select TWO)

    Hard · 1m · GCP Professional Cloud Architect Practice Exam 2
    Q45

    You are configuring Cloud Armor to protect a web application. Which TWO types of rules can you implement? (Select TWO)

    Medium · 1m · GCP Professional Cloud Architect Practice Exam 2
    Q08

    CASE STUDY: TrendWear Apparel

    Company Overview:
    TrendWear Apparel is a global clothing retailer with an e-commerce platform and 500 physical stores.

    Current Technical Environment:

    • On-premises VMware environment
    • Legacy IBM Mainframe for core inventory management
    • Monolithic e-commerce application running on VMs

    Business Requirements:

    • Modernize the e-commerce platform to handle Black Friday (10x normal traffic)
    • Unify online and in-store inventory data in real-time
    • Avoid major capital expenditure (CapEx) for data center refreshes

    Executive Statements:

    • CEO: "We need an omnichannel experience. Customers should see accurate store inventory online."
    • CFO: "We must shift from CapEx to OpEx. No more buying hardware."
    • CTO: "We want to move to microservices, but we cannot retire the mainframe for at least 3 years due to complex legacy dependencies."

    Technical Requirements:

    • Hybrid architecture connecting GCP and on-premises
    • Microservices architecture for the new e-commerce platform
    • PCI-DSS compliance for all payment processing
    • Consistent management plane across on-prem and cloud

    Constraints:

    • Mainframe must remain on-premises
    • E-commerce migration must be completed before the next holiday season (8 months)

    QUESTION:
    To meet the PCI-DSS compliance requirement, the security team wants to ensure that raw credit card numbers are never stored in the cloud databases. How should you design the data ingestion pipeline?

    Hard · 1m · GCP Professional Cloud Architect Practice Exam 3
    Q11

    CASE STUDY: CareData Health

    Company Overview:
    CareData Health is a large healthcare provider network operating 50 hospitals. They manage petabytes of patient records, medical imaging, and telemetry data.

    Current Technical Environment:

    • Decentralized on-premises data centers at each hospital
    • Legacy Electronic Health Record (EHR) systems
    • Fragmented data silos preventing holistic patient views

    Business Requirements:

    • Centralize patient data into a single secure data lake
    • Enable machine learning for predictive diagnostics
    • Securely share anonymized data with external research partners

    Executive Statements:

    • CEO: "We must leverage AI to improve patient outcomes and reduce readmission rates."
    • CISO: "Zero tolerance for data breaches. Patient data must be encrypted everywhere, and we must prevent any unauthorized data exfiltration."
    • DPO (Data Protection Officer): "We must strictly adhere to HIPAA in the US and GDPR for our European patients. Data residency is mandatory."

    Technical Requirements:

    • End-to-end encryption using keys managed by CareData
    • Strict access controls and comprehensive audit logging
    • Ingestion of HL7 and FHIR healthcare data formats
    • Physical separation of EU and US data

    Constraints:

    • Highly regulated environment
    • Legacy systems cannot be modified, only integrated with

    QUESTION:
    To meet the CISO's requirement of preventing unauthorized data exfiltration from the centralized data lake (BigQuery and Cloud Storage), which security control should you implement?

    Hard · 1m · GCP Professional Cloud Architect Practice Exam 3
    Q12

    CASE STUDY: CareData Health

    QUESTION:
    To satisfy the technical requirement for encryption using keys managed by CareData, how should you configure encryption for the Cloud Storage buckets and BigQuery datasets?

    Medium · 1m · GCP Professional Cloud Architect Practice Exam 3
    Q25

    You are auditing IAM permissions for a GCP project. You notice that several developers have been granted the roles/editor basic role. The security team requires that developers should only have the ability to view resources and manage Compute Engine instances, but they should not be able to modify IAM policies or access Cloud Storage buckets. What should you do?

    Medium · 1m · GCP Professional Cloud Architect Practice Exam 3
    Q26

    Your development team is deploying a microservice to Google Kubernetes Engine (GKE). The microservice needs to read files from a Cloud Storage bucket. The security team strictly forbids the use of exported Service Account JSON keys due to the risk of credential leakage. How should you grant the GKE pods access to the Cloud Storage bucket?

    Hard · 1m · GCP Professional Cloud Architect Practice Exam 3
    Q33

    Your application needs to authenticate with a third-party payment gateway using an API key. The security team requires that the API key is encrypted at rest, versioned, and access to it is strictly audited. Where should you store this API key?

    Medium · 1m · GCP Professional Cloud Architect Practice Exam 3
    Q42

    You are designing a secure data perimeter for a highly regulated project. You have implemented VPC Service Controls (VPC SC). You also have VMs in a private subnet (no external IPs) that need to access Cloud Storage buckets within the perimeter. Which TWO configurations are required to make this work? (Select TWO)

    Hard · 1m · GCP Professional Cloud Architect Practice Exam 3
    Q43

    You are deploying an internal microservice using Cloud Run. The service should only be accessible by other resources within your VPC network and should not be reachable from the public internet. Which TWO configurations must you apply to secure the Cloud Run service? (Select TWO)

    Medium · 1m · GCP Professional Cloud Architect Practice Exam 3
    Q44

    Your company is building a payment processing system on GCP that must comply with PCI-DSS. Which THREE architectural practices should you implement to help achieve and maintain compliance? (Select THREE)

    Hard · 1m · GCP Professional Cloud Architect Practice Exam 3
    Q45

    You are establishing the IAM policies for a new GCP Organization. Which TWO practices align with Google Cloud IAM best practices? (Select TWO)

    Easy · 1m · GCP Professional Cloud Architect Practice Exam 3
    Q11

    CASE STUDY: HealthData Corp

    Overview: Healthcare SaaS managing 10PB of sensitive patient records and imaging.
    Business: Strict HIPAA/SOC 2 compliance, ransomware protection, secure sharing of anonymized data with researchers, robust DR.
    Executives:

    • CEO: "Trust is our product. Zero tolerance for breaches."
    • CFO: "Storage costs growing exponentially. Need lifecycle management."
    • CISO: "Zero-trust architecture, end-to-end encryption."

    Tech: RPO 15m, RTO 2h for core DB. All data CMEK encrypted. Strict access controls, audit logging. Prevent data exfiltration.
    Constraints: Images retained 7 years but rarely accessed after 90 days. Researchers use external identities. No public IPs on compute.

    How should you design the network security architecture to prevent data exfiltration, even if an employee's credentials are compromised?

    Hard · 1m · GCP Professional Cloud Architect Practice Exam 4

    © 2026 TinyHive Labs. Company number 16262776.