ExpertMinds LogoExpertMinds
Hard1 markMultiple Choice
Domain 3: Designing for Security and ComplianceVPC Service ControlsSecurityData Exfiltration

GCP PCA · Question 11 · Domain 3: Designing for Security and Compliance

CASE STUDY: HealthData Corp

Overview: Healthcare SaaS managing 10PB of sensitive patient records and imaging.
Business: Strict HIPAA/SOC 2 compliance, ransomware protection, secure sharing of anonymized data with researchers, robust DR.
Executives:

  • CEO: "Trust is our product. Zero tolerance for breaches."
  • CFO: "Storage costs growing exponentially. Need lifecycle management."
  • CISO: "Zero-trust architecture, end-to-end encryption."
    Tech: RPO 15m, RTO 2h for core DB. All data CMEK encrypted. Strict access controls, audit logging. Prevent data exfiltration.
    Constraints: Images retained 7 years but rarely accessed after 90 days. Researchers use external identities. No public IPs on compute.

How should you design the network security architecture to prevent data exfiltration, even if an employee's credentials are compromised?

Answer options:

A.

Configure strict IAM roles and use Service Accounts for all access.

B.

Implement VPC Service Controls to create a secure perimeter around the GCP projects and restrict access from unauthorized networks.

C.

Use Cloud Armor to block malicious IP addresses.

D.

Enable Private Google Access on all subnets.

How to approach this question

Identify the GCP service specifically designed to mitigate data exfiltration by creating a network perimeter around APIs.

Full Answer

B.Implement VPC Service Controls to create a secure perimeter around the GCP projects and restrict access from unauthorized networks.✓ Correct
Implement VPC Service Controls to create a secure perimeter around the GCP projects and restrict access from unauthorized networks.
VPC Service Controls is Google Cloud's primary defense against data exfiltration. It allows you to define a security perimeter around GCP services (like Cloud Storage and BigQuery). If an employee's credentials are stolen, the attacker cannot access the data from an unauthorized IP address or copy the data to a GCP project outside the perimeter.

Common mistakes

Relying solely on IAM (A). IAM is necessary but insufficient for exfiltration prevention if credentials are compromised.
10All questions12

Practice the full GCP Professional Cloud Architect Practice Exam 4

50 questions · hints · full answers · grading

Sign up freeTake the exam

More questions from this exam

Q01CASE STUDY: TechStream Gaming Overview: 500 employees, $100M revenue. On-prem US/EU, 200 servers...MediumQ02CASE STUDY: TechStream Gaming Overview: 500 employees, $100M revenue. On-prem US/EU, 200 servers...MediumQ03CASE STUDY: TechStream Gaming Overview: 500 employees, $100M revenue. On-prem US/EU, 200 servers...HardQ04CASE STUDY: TechStream Gaming Overview: 500 employees, $100M revenue. On-prem US/EU, 200 servers...HardQ05CASE STUDY: TechStream Gaming Overview: 500 employees, $100M revenue. On-prem US/EU, 200 servers...Easy
View all 50 questions →