Hard · 1 mark · Multiple Choice
Subtask 3.1: Security Design · Tags: Security, VPC Service Controls, HIPAA, Data Exfiltration
This question is part of a case study (Case 11).

CASE STUDY: HealthData Inc

Overview:
Industry: Healthcare Analytics
Size: 1000 employees

Environment:

  • Co-located data center
  • Hadoop cluster
  • SFTP servers
  • 50 TB patient data

Requirements:

  • ML models for diagnostics
  • Secure data sharing portals
  • Break data silos

Exec Statements:

  • CEO: Need compute for ML.
  • CRO: HIPAA compliance is top priority.
  • CTO: Managed services needed to replace Hadoop.

Tech Reqs:

  • Strict HIPAA compliance
  • Automated PHI de-identification
  • Comprehensive audit logging
  • CMEK
  • Network isolation (no public internet)

Constraints:

  • US data sovereignty
  • 7-year retention (immutable)
  • Easy auditor access

GCP PCA · Question 12 · Security Design

QUESTION: How should you enforce the network isolation requirement to ensure that patient data in Cloud Storage and BigQuery cannot be accessed from the public internet?

Answer options:

A.

Configure Identity-Aware Proxy (IAP) for all Cloud Storage buckets.

B.

Remove all IAM roles containing 'roles/storage.objectViewer' from external users.

C.

Implement VPC Service Controls to create a secure perimeter around the GCP projects.

D.

Use Cloud Armor to block all external IP addresses.

How to approach this question

Identify the GCP security feature designed to mitigate data exfiltration risks for managed services.

Full Answer

C. Implement VPC Service Controls to create a secure perimeter around the GCP projects. ✓ Correct
VPC Service Controls allows you to define a security perimeter around Google Cloud resources. It ensures that services like Cloud Storage and BigQuery can only be accessed from authorized VPC networks or specific IP ranges, effectively blocking public internet access and satisfying strict HIPAA network isolation requirements.

Common mistakes

Confusing IAM (identity-based access) with VPC-SC (network-based access). IAM checks *who* you are; VPC-SC checks *where* you are coming from.

Practice the full GCP Professional Cloud Architect Practice Exam 6
