GCP Professional Cloud Architect

Domain 3: Designing for Security and Compliance

29 questions across 3 exams

All questions (29)

CASE STUDY: ShopGlobal. Global e-commerce. Monolithic Java on VMware. Oracle RAC (20TB). 10x Black Friday traffic. Req: Microservices, 100% uptime during holidays, personalized recommendations. CEO: Flawless omnichannel. CFO: Predictable spend. CTO: No vendor lock-in, open-source. Tech: Containerize, Global LB, PCI-DSS, async orders, real-time inventory. Constraints: Keep Oracle on-prem for 2 yrs (licensing), low K8s skills, strict security reviews. To meet PCI-DSS compliance and prevent data exfiltration from the payment processing microservices, what should you configure?

Worked answer available with free account
View question →

CASE STUDY: AutoMakers Inc. 1M connected cars, 100GB/day telemetry. Req: Predictive maintenance, real-time driver dashboard, monetize data. CEO: Data is new engine. CFO: Cut 3rd-party IoT costs. CTO: Highly scalable ingest. Tech: MQTT ingest, stream processing, ML models, 7-yr cold storage, handle intermittent connectivity. Constraints: Anonymize data, low vehicle compute, strict analytics budget. Which service should you integrate into the streaming pipeline to automatically anonymize Vehicle Identification Numbers (VINs) before data scientists access it?

CASE STUDY: HealthSecure. 50M patient records. Legacy mainframe, on-prem SAN (100TB), .NET portal. Req: Modernize portal, secure hospital sharing, fast audits. CEO: Modern UX. CFO: Automate audits. CISO: Zero breaches. Tech: HIPAA, CMEK, audit logging, API gateway, DR (1h RPO/4h RTO). Constraints: No public DB IPs, Dev/Ops separation, US data only, mainframe stays on-prem via VPN. How should you implement Customer-Managed Encryption Keys (CMEK) while enforcing the strict separation of duties between Dev and Ops?

A new developer joins your team and needs to view the configuration of Compute Engine instances, but should not be able to start, stop, or modify them. Which IAM role should you grant?

Your company wants to allow remote employees to access an internal web application hosted on Compute Engine without using a traditional VPN. How should you secure this access?

You have configured a VPC Service Controls perimeter around your production project to protect Cloud Storage. However, an external partner needs to upload files to a specific bucket within this perimeter from their own GCP project. How do you allow this?

You need to store database passwords and API keys for your Cloud Run application. Which TWO statements correctly describe why Secret Manager is preferred over Cloud KMS for this use case? (Select TWO)

Your CISO wants to ensure that no developer can create a VM with an external public IP address, and that all resources are created only in the 'europe-west1' region. Which TWO Organization Policies should you enforce? (Select TWO)

You are configuring Cloud Armor to protect a web application. Which TWO types of rules can you implement? (Select TWO)

**CASE STUDY: TrendWear Apparel**

**Company Overview:** TrendWear Apparel is a global clothing retailer with an e-commerce platform and 500 physical stores.

**Current Technical Environment:**
- On-premises VMware environment
- Legacy IBM Mainframe for core inventory management
- Monolithic e-commerce application running on VMs

**Business Requirements:**
- Modernize the e-commerce platform to handle Black Friday (10x normal traffic)
- Unify online and in-store inventory data in real-time
- Avoid major capital expenditure (CapEx) for data center refreshes

**Executive Statements:**
- CEO: "We need an omnichannel experience. Customers should see accurate store inventory online."
- CFO: "We must shift from CapEx to OpEx. No more buying hardware."
- CTO: "We want to move to microservices, but we cannot retire the mainframe for at least 3 years due to complex legacy dependencies."

**Technical Requirements:**
- Hybrid architecture connecting GCP and on-premises
- Microservices architecture for the new e-commerce platform
- PCI-DSS compliance for all payment processing
- Consistent management plane across on-prem and cloud

**Constraints:**
- Mainframe must remain on-premises
- E-commerce migration must be completed before the next holiday season (8 months)

**QUESTION:** To meet the PCI-DSS compliance requirement, the security team wants to ensure that raw credit card numbers are never stored in the cloud databases. How should you design the data ingestion pipeline?

**CASE STUDY: CareData Health**

**Company Overview:** CareData Health is a large healthcare provider network operating 50 hospitals. They manage petabytes of patient records, medical imaging, and telemetry data.

**Current Technical Environment:**
- Decentralized on-premises data centers at each hospital
- Legacy Electronic Health Record (EHR) systems
- Fragmented data silos preventing holistic patient views

**Business Requirements:**
- Centralize patient data into a single secure data lake
- Enable machine learning for predictive diagnostics
- Securely share anonymized data with external research partners

**Executive Statements:**
- CEO: "We must leverage AI to improve patient outcomes and reduce readmission rates."
- CISO: "Zero tolerance for data breaches. Patient data must be encrypted everywhere, and we must prevent any unauthorized data exfiltration."
- DPO (Data Protection Officer): "We must strictly adhere to HIPAA in the US and GDPR for our European patients. Data residency is mandatory."

**Technical Requirements:**
- End-to-end encryption using keys managed by CareData
- Strict access controls and comprehensive audit logging
- Ingestion of HL7 and FHIR healthcare data formats
- Physical separation of EU and US data

**Constraints:**
- Highly regulated environment
- Legacy systems cannot be modified, only integrated with

**QUESTION:** To meet the CISO's requirement of preventing unauthorized data exfiltration from the centralized data lake (BigQuery and Cloud Storage), which security control should you implement?

**CASE STUDY: CareData Health**

**Company Overview:** CareData Health is a large healthcare provider network operating 50 hospitals. They manage petabytes of patient records, medical imaging, and telemetry data.

**Current Technical Environment:**
- Decentralized on-premises data centers at each hospital
- Legacy Electronic Health Record (EHR) systems
- Fragmented data silos preventing holistic patient views

**Business Requirements:**
- Centralize patient data into a single secure data lake
- Enable machine learning for predictive diagnostics
- Securely share anonymized data with external research partners

**Executive Statements:**
- CEO: "We must leverage AI to improve patient outcomes and reduce readmission rates."
- CISO: "Zero tolerance for data breaches. Patient data must be encrypted everywhere, and we must prevent any unauthorized data exfiltration."
- DPO (Data Protection Officer): "We must strictly adhere to HIPAA in the US and GDPR for our European patients. Data residency is mandatory."

**Technical Requirements:**
- End-to-end encryption using keys managed by CareData
- Strict access controls and comprehensive audit logging
- Ingestion of HL7 and FHIR healthcare data formats
- Physical separation of EU and US data

**Constraints:**
- Highly regulated environment
- Legacy systems cannot be modified, only integrated with

**QUESTION:** To satisfy the technical requirement for encryption using keys managed by CareData, how should you configure encryption for the Cloud Storage buckets and BigQuery datasets?

You are auditing IAM permissions for a GCP project. You notice that several developers have been granted the `roles/editor` basic role. The security team requires that developers should only have the ability to view resources and manage Compute Engine instances, but they should not be able to modify IAM policies or access Cloud Storage buckets. What should you do?

Your development team is deploying a microservice to Google Kubernetes Engine (GKE). The microservice needs to read files from a Cloud Storage bucket. The security team strictly forbids the use of exported Service Account JSON keys due to the risk of credential leakage. How should you grant the GKE pods access to the Cloud Storage bucket?

Your application needs to authenticate with a third-party payment gateway using an API key. The security team requires that the API key is encrypted at rest, versioned, and access to it is strictly audited. Where should you store this API key?

You are designing a secure data perimeter for a highly regulated project. You have implemented VPC Service Controls (VPC SC). You also have VMs in a private subnet (no external IPs) that need to access Cloud Storage buckets within the perimeter. Which TWO configurations are required to make this work? (Select TWO)

You are deploying an internal microservice using Cloud Run. The service should only be accessible by other resources within your VPC network and should not be reachable from the public internet. Which TWO configurations must you apply to secure the Cloud Run service? (Select TWO)

Your company is building a payment processing system on GCP that must comply with PCI-DSS. Which THREE architectural practices should you implement to help achieve and maintain compliance? (Select THREE)

You are establishing the IAM policies for a new GCP Organization. Which TWO practices align with Google Cloud IAM best practices? (Select TWO)

CASE STUDY: HealthData Corp

Overview: Healthcare SaaS managing 10PB of sensitive patient records and imaging.

Business: Strict HIPAA/SOC 2 compliance, ransomware protection, secure sharing of anonymized data with researchers, robust DR.

Executives:
- CEO: "Trust is our product. Zero tolerance for breaches."
- CFO: "Storage costs growing exponentially. Need lifecycle management."
- CISO: "Zero-trust architecture, end-to-end encryption."

Tech: RPO 15m, RTO 2h for core DB. All data CMEK encrypted. Strict access controls, audit logging. Prevent data exfiltration.

Constraints: Images retained 7 years but rarely accessed after 90 days. Researchers use external identities. No public IPs on compute.

How should you design the network security architecture to prevent data exfiltration, even if an employee's credentials are compromised?

CASE STUDY: HealthData Corp

Overview: Healthcare SaaS managing 10PB of sensitive patient records and imaging.

Business: Strict HIPAA/SOC 2 compliance, ransomware protection, secure sharing of anonymized data with researchers, robust DR.

Executives:
- CEO: "Trust is our product. Zero tolerance for breaches."
- CFO: "Storage costs growing exponentially. Need lifecycle management."
- CISO: "Zero-trust architecture, end-to-end encryption."

Tech: RPO 15m, RTO 2h for core DB. All data CMEK encrypted. Strict access controls, audit logging. Prevent data exfiltration.

Constraints: Images retained 7 years but rarely accessed after 90 days. Researchers use external identities. No public IPs on compute.

How should you configure access for the external medical researchers to securely analyze the anonymized data?

CASE STUDY: HealthData Corp

Overview: Healthcare SaaS managing 10PB of sensitive patient records and imaging.

Business: Strict HIPAA/SOC 2 compliance, ransomware protection, secure sharing of anonymized data with researchers, robust DR.

Executives:
- CEO: "Trust is our product. Zero tolerance for breaches."
- CFO: "Storage costs growing exponentially. Need lifecycle management."
- CISO: "Zero-trust architecture, end-to-end encryption."

Tech: RPO 15m, RTO 2h for core DB. All data CMEK encrypted. Strict access controls, audit logging. Prevent data exfiltration.

Constraints: Images retained 7 years but rarely accessed after 90 days. Researchers use external identities. No public IPs on compute.

To meet SOC 2 and HIPAA compliance, you must retain all administrative activity and data access logs for 3 years. How should you configure this?

Your company has a strict policy that all cryptographic keys used to encrypt data in Google Cloud must be generated and managed on-premises by your own Hardware Security Module (HSM). Which encryption method must you use?

You are designing the resource hierarchy for a large enterprise. The company has three main departments: HR, Finance, and Engineering. Each department has multiple environments (Dev, Test, Prod). You need to apply a policy that prevents the creation of external IP addresses for all Dev and Test environments across all departments. How should you structure the hierarchy?

A healthcare application running on Compute Engine needs to access a third-party API. The third-party API requires IP allowlisting and will only accept traffic from a single, static IP address. The application is deployed across an autoscaled Managed Instance Group (MIG). How should you configure the network to meet this requirement?

Your company is implementing a data lake in Cloud Storage. The compliance team requires that all data must be encrypted using keys managed by your organization, and that any accidental deletion of objects can be reversed within 30 days. Which TWO features should you implement? (Select TWO)

You are designing the IAM strategy for a new GCP environment. You need to grant a third-party auditing firm read-only access to Cloud Audit Logs and BigQuery datasets. The firm uses their own Google Workspace. You want to follow the principle of least privilege and minimize administrative overhead. Which TWO actions should you take? (Select TWO)

A financial services company is deploying a highly sensitive application on Compute Engine. To meet PCI-DSS compliance, the architecture must ensure that: 1) VM memory is encrypted in use, 2) The OS boot process is cryptographically verified, and 3) VMs do not have public IP addresses. Which THREE features should you enable? (Select THREE)

You are configuring Security Command Center (SCC) Premium for your organization. The CISO wants to automatically detect if any Cloud Storage buckets are made public, and wants to identify vulnerabilities in container images stored in Artifact Registry. Which TWO SCC built-in services should you ensure are enabled? (Select TWO)

Practice these questions with detailed guidance

Full answers, grading, and explanations on why each answer is correct.