ExpertThis question is part of a case study — click to read the full scenario(Case 11)
CASE STUDY: HealthData Corp
Overview: Healthcare SaaS managing 10PB of sensitive patient records and imaging.
Business: Strict HIPAA/SOC 2 compliance, ransomware protection, secure sharing of anonymized data with researchers, robust DR.
Executives:
- CEO: "Trust is our product. Zero tolerance for breaches."
- CFO: "Storage costs growing exponentially. Need lifecycle management."
- CISO: "Zero-trust architecture, end-to-end encryption."
Tech: RPO 15m, RTO 2h for core DB. All data CMEK encrypted. Strict access controls, audit logging. Prevent data exfiltration.
Constraints: Images retained 7 years but rarely accessed after 90 days. Researchers use external identities. No public IPs on compute.
How should you design the network security architecture to prevent data exfiltration, even if an employee's credentials are compromised?
GCP PCA · Question 12 · Domain 3: Designing for Security and Compliance
CASE STUDY: HealthData Corp
Overview: Healthcare SaaS managing 10PB of sensitive patient records and imaging.
Business: Strict HIPAA/SOC 2 compliance, ransomware protection, secure sharing of anonymized data with researchers, robust DR.
Executives:
- CEO: "Trust is our product. Zero tolerance for breaches."
- CFO: "Storage costs growing exponentially. Need lifecycle management."
- CISO: "Zero-trust architecture, end-to-end encryption."
Tech: RPO 15m, RTO 2h for core DB. All data CMEK encrypted. Strict access controls, audit logging. Prevent data exfiltration.
Constraints: Images retained 7 years but rarely accessed after 90 days. Researchers use external identities. No public IPs on compute.
How should you configure access for the external medical researchers to securely analyze the anonymized data?
CASE STUDY: HealthData Corp
Overview: Healthcare SaaS managing 10PB of sensitive patient records and imaging.
Business: Strict HIPAA/SOC 2 compliance, ransomware protection, secure sharing of anonymized data with researchers, robust DR.
Executives:
- CEO: "Trust is our product. Zero tolerance for breaches."
- CFO: "Storage costs growing exponentially. Need lifecycle management."
- CISO: "Zero-trust architecture, end-to-end encryption."
Tech: RPO 15m, RTO 2h for core DB. All data CMEK encrypted. Strict access controls, audit logging. Prevent data exfiltration.
Constraints: Images retained 7 years but rarely accessed after 90 days. Researchers use external identities. No public IPs on compute.
How should you configure access for the external medical researchers to securely analyze the anonymized data?
Answer options:
Create Google Workspace accounts for all researchers and enforce MFA.
Generate long-lived Service Account JSON keys and email them securely to the researchers.
Use Workload Identity Federation to allow researchers to authenticate using their external Identity Provider (IdP) without creating Google Workspace accounts.
Make the Cloud Storage bucket containing anonymized data public, but use an unguessable URL.
How to approach this question
Full Answer
Common mistakes
Practice the full GCP Professional Cloud Architect Practice Exam 4
50 questions · hints · full answers · grading