Difficulty: Hard · 1 mark · Multiple Choice
Subtask 3.1: Security Design · Tags: Security, VPC Service Controls, HIPAA, Compliance
GCP PCA · Question 18 · Security Design

CASE STUDY: HealthCare360

Company Overview: HealthCare360 provides EHR systems to hospitals in NA and EU.
Current Environment: Isolated on-prem deployments. Fragmented data.
Business Requirements: Centralize EHR in cloud. Enable cross-hospital research. Ensure compliance.
Executive Statements: CEO: 'Transforming to SaaS.' CFO: 'Need cost attribution per tenant.' CSO: 'Zero compromise on HIPAA/GDPR.'
Technical Requirements: Multi-region active-active deployment. Microservices on GKE. End-to-end encryption (CMEK). Strict network perimeters.
Constraints: Zero data loss (RPO=0). RTO < 15 minutes. HIPAA (US) and GDPR (EU) compliance.

QUESTION:
To meet the CSO's requirement for strict network perimeters and HIPAA compliance, how should you protect the patient data stored in Cloud Storage and BigQuery?

Answer options:

A. Configure strict IAM policies and make the buckets public only to authenticated users.

B. Implement VPC Service Controls to create a security perimeter around the projects containing the data.

C. Use Cloud Armor to block all external IP addresses from accessing the data.

D. Encrypt the data using Customer-Supplied Encryption Keys (CSEK) and store the keys on-premises.

How to approach this question

Identify the GCP service designed to mitigate data exfiltration risks for managed APIs.

Full Answer

B. Implement VPC Service Controls to create a security perimeter around the projects containing the data. ✓ Correct

VPC Service Controls (VPC-SC) is the primary GCP mechanism for mitigating data exfiltration risk. It lets you define a security perimeter around Google-managed services (such as Cloud Storage, BigQuery and Spanner) so that their APIs can only be reached from inside the perimeter. Even if a malicious actor obtains valid IAM credentials, they cannot access the data from outside the defined network perimeter.

Common mistakes

Confusing Cloud Armor (WAF for apps) with VPC Service Controls (perimeter for APIs).

Practice the full GCP Professional Cloud Architect Practice Exam 1
