Domain 3: Security & Compliance
40 questions across 4 exams
All questions (40)
**CASE STUDY: Dress4Win** **Company Overview:** Dress4Win is a web-based retail company that helps users organize their wardrobes. **Current Environment:** Colocated data center. Tomcat app servers, Nginx web servers, MySQL databases, Redis caching. 100TB of image data on SAN. **Business Requirements:** Migrate to cloud to handle seasonal spikes (Black Friday). Reduce CapEx. Enable rapid prototyping. **Executive Statements:** CEO: 'Innovate faster, stop worrying about servers.' CFO: 'Move to OpEx. Ensure PCI-DSS compliance.' CTO: 'Modernize stack but migrate quickly first.' **Technical Requirements:** Secure hybrid connectivity during migration. PCI-DSS compliance. Automated scaling. CI/CD for microservices. **Constraints:** Migration must be completed before Q4 holiday season (6 months). Limited budget for refactoring during initial migration. **QUESTION:** To meet the CFO's requirement for PCI-DSS compliance, how should you secure the payment processing environment in GCP?
**CASE STUDY: TerramEarth** **Company Overview:** TerramEarth manufactures heavy equipment. 2 million vehicles in the field. **Current Environment:** Vehicles send telemetry via cellular. Processing 100,000 msgs/sec. On-prem Hadoop cluster. **Business Requirements:** Predict equipment failure. Reduce warranty costs. Provide fleet dashboard. **Executive Statements:** CEO: 'Monetize data.' CFO: 'Storage costs spiraling.' CTO: 'Need scalable ingestion and ML.' **Technical Requirements:** Ingest 500,000 msgs/sec. Store petabytes cost-effectively. Train ML models. Real-time anomaly detection. **Constraints:** Intermittent connectivity. Strict vehicle authentication. **QUESTION:** How should you meet the strict vehicle authentication constraint when vehicles connect to the GCP environment?
**CASE STUDY: HealthCare360** **Company Overview:** HealthCare360 provides EHR systems to hospitals in NA and EU. **Current Environment:** Isolated on-prem deployments. Fragmented data. **Business Requirements:** Centralize EHR in cloud. Enable cross-hospital research. Ensure compliance. **Executive Statements:** CEO: 'Transforming to SaaS.' CFO: 'Need cost attribution per tenant.' CSO: 'Zero compromise on HIPAA/GDPR.' **Technical Requirements:** Multi-region active-active deployment. Microservices on GKE. End-to-end encryption (CMEK). Strict network perimeters. **Constraints:** Zero data loss (RPO=0). RTO < 15 minutes. HIPAA (US) and GDPR (EU) compliance. **QUESTION:** To meet the CSO's requirement for strict network perimeters and HIPAA compliance, how should you protect the patient data stored in Cloud Storage and BigQuery?
You are deploying an internal HR application on Compute Engine. The application uses HTTP and should only be accessible to employees connected to the corporate network via Cloud VPN. Which load balancer should you use?
You are creating a new GCP project for a production environment. You need strict control over the IP address ranges used by your subnets to prevent overlapping with your on-premises network. How should you configure the VPC network?
Your e-commerce application uses Cloud SQL for PostgreSQL. During peak shopping hours, the database CPU hits 95% due to a massive number of read queries from the product catalog, causing latency. Write operations (orders) remain low. How should you optimize the database architecture?
You are designing a multi-tenant SaaS application on GKE. Each tenant's microservices run in a dedicated Kubernetes namespace. Tenant A's microservices need access to Tenant A's Cloud Storage bucket, and Tenant B's microservices need access to Tenant B's bucket. How should you configure authentication to ensure strict isolation?
Your development team spends too much time parsing through raw text logs in Cloud Logging to find application crashes and stack traces. Which TWO actions should you take to improve their troubleshooting efficiency? (Select TWO)
You are reviewing the GCP billing report for a large enterprise. You notice high costs for Compute Engine. The workloads consist of a baseline of 100 VMs that run 24/7, and an additional 50 VMs that scale up and down dynamically based on daily traffic. Which TWO cost optimization strategies should you apply? (Select TWO)
Your SRE team has defined an SLO of 99.9% availability for a critical service. Over the past month, the service has experienced multiple outages, and the error budget has been completely exhausted. According to Google SRE best practices, which THREE actions should the team take? (Select THREE)
CASE STUDY: ShopGlobal Overview: Retailer, 2000 employees, $500M revenue. US-Central co-lo, Java/Tomcat monolith, Oracle RAC 20TB, batch inventory sync. Business Req: Handle 10x Black Friday spikes, personalized recommendations, modernize to microservices. Execs: CEO wants omnichannel; CFO needs predictable spend; CTO demands zero downtime cutover. Tech Req: PCI-DSS compliance, automated image processing, real-time inventory, CI/CD. Constraints: Complex Oracle stored procedures, team learning containers, strict bi-annual audits. QUESTION: To meet the strict PCI-DSS compliance requirements and prepare for bi-annual audits, which security architecture should you implement?
CASE STUDY: AeroMech Overview: Aviation manufacturer, 5000 employees, $2B revenue. 100 engines, 10k sensors/engine, 1GB data/flight. On-prem Hadoop. Business Req: Predictive maintenance, secure data sharing with airlines, monetize data. Execs: CEO wants new revenue; CFO demands ML ROI; CTO says on-prem storage unfeasible. Tech Req: High-throughput ingestion, PB-scale storage, train ML on historical data, deploy ML to edge (aircraft). Constraints: Intermittent low-bandwidth flight connectivity, aviation data compliance, data scientists use Python/Jupyter. QUESTION: How should you securely share engine performance data with airline customers to create new revenue streams?
CASE STUDY: MediSecure Overview: Telehealth provider, 1500 employees, $300M revenue. Core app on AWS, 3 acquired clinics on VMware, fragmented EHRs, Active Directory. Business Req: Unify patient records, integrate clinics in 90 days, launch patient portal. Execs: CEO wants rapid integration; CFO wants CapEx to OpEx; CISO demands strict HIPAA/GDPR compliance. Tech Req: End-to-end PHI encryption, comprehensive audit logging, hybrid connectivity to clinics, DR (RPO 5m, RTO 1h). Constraints: Clinics have low bandwidth, high staff turnover requires automated IAM, legacy EHRs cannot be modified immediately. QUESTION: To satisfy the CISO's requirement for strict HIPAA compliance and control over PHI encryption, which encryption strategy should you use for data at rest in Cloud Storage?
CASE STUDY: MediSecure Overview: Telehealth provider, 1500 employees, $300M revenue. Core app on AWS, 3 acquired clinics on VMware, fragmented EHRs, Active Directory. Business Req: Unify patient records, integrate clinics in 90 days, launch patient portal. Execs: CEO wants rapid integration; CFO wants CapEx to OpEx; CISO demands strict HIPAA/GDPR compliance. Tech Req: End-to-end PHI encryption, comprehensive audit logging, hybrid connectivity to clinics, DR (RPO 5m, RTO 1h). Constraints: Clinics have low bandwidth, high staff turnover requires automated IAM, legacy EHRs cannot be modified immediately. QUESTION: How should you address the constraint of high staff turnover and the need for automated IAM provisioning?
Your company stores highly sensitive intellectual property in a Cloud Storage bucket. You need to ensure that even if an employee with legitimate IAM permissions tries to download the data from their home network or a coffee shop, the request is denied. How should you enforce this?
An application running on Google Kubernetes Engine (GKE) needs to read data from a Cloud Storage bucket. What is the most secure way to grant the application access to the bucket?
The CISO wants to implement a centralized security dashboard to detect misconfigurations and active threats across the entire GCP organization. Which TWO features of Security Command Center (SCC) Premium should you highlight? (Select TWO)
You are designing the IAM hierarchy for a new GCP organization. Following Google's best practices for security and manageability, which THREE principles should you apply? (Select THREE)
Your organization is migrating sensitive data to Cloud Storage. The security team dictates that Google must not manage the encryption keys, but they also do not want the operational burden of maintaining their own highly available key servers on-premises. Which TWO actions should you take? (Select TWO)
CASE STUDY: RetailMart Overview: Industry: Retail/E-commerce Size: 2000 employees, $500M revenue Environment: - Monolithic Java app on VMware - Oracle RAC DB - F5 Load Balancers - 10 Gbps Direct Connect to AWS Requirements: - CapEx to OpEx - Handle 10x Black Friday traffic - Personalized recommendations - Modernize without impacting sales Exec Statements: - CEO: Omnichannel experience. - CFO: Predictable costs, no hardware refresh. - CTO: Break monolith, but Oracle DB stays on-prem for 2 years. Tech Reqs: - Zero downtime deployments - PCI-DSS compliance - Image processing pipeline - Async order processing Constraints: - Hybrid architecture required - Team knows Spring Boot, zero Kubernetes exp - 6-month timeline QUESTION: To meet the PCI-DSS compliance requirement, how should you handle credit card numbers entered by users?
CASE STUDY: HealthData Inc Overview: Industry: Healthcare Analytics Size: 1000 employees Environment: - Co-located data center - Hadoop cluster - SFTP servers - 50 TB patient data Requirements: - ML models for diagnostics - Secure data sharing portals - Break data silos Exec Statements: - CEO: Need compute for ML. - CRO: HIPAA compliance is top priority. - CTO: Managed services needed to replace Hadoop. Tech Reqs: - Strict HIPAA compliance - Automated PHI de-identification - Comprehensive audit logging - CMEK - Network isolation (no public internet) Constraints: - US data sovereignty - 7-year retention (immutable) - Easy auditor access QUESTION: How should you enforce the network isolation requirement to ensure that patient data in Cloud Storage and BigQuery cannot be accessed from the public internet?
CASE STUDY: HealthData Inc Overview: Industry: Healthcare Analytics Size: 1000 employees Environment: - Co-located data center - Hadoop cluster - SFTP servers - 50 TB patient data Requirements: - ML models for diagnostics - Secure data sharing portals - Break data silos Exec Statements: - CEO: Need compute for ML. - CRO: HIPAA compliance is top priority. - CTO: Managed services needed to replace Hadoop. Tech Reqs: - Strict HIPAA compliance - Automated PHI de-identification - Comprehensive audit logging - CMEK - Network isolation (no public internet) Constraints: - US data sovereignty - 7-year retention (immutable) - Easy auditor access QUESTION: How should you design the architecture to automate the de-identification of Protected Health Information (PHI) as data is ingested?
A company is setting up its GCP Organization. They have three main departments: HR, Finance, and Engineering. Engineering has two sub-teams: Dev and QA. They want to apply a policy that prevents the creation of public IP addresses for all Engineering projects, but allows it for HR and Finance. How should you design the resource hierarchy and policy?
Your application runs on GKE and needs to access a Cloud Storage bucket. You want to follow the principle of least privilege and avoid managing service account keys manually. What is the most secure way to grant the GKE pods access to the bucket?
A healthcare company requires that all data stored in Cloud Storage must be encrypted using cryptographic keys that the company generates, stores, and manages entirely on their own on-premises Hardware Security Modules (HSMs). Google must not have access to the key material. Which encryption strategy must be used?
Your web application is deployed behind a Global HTTP(S) Load Balancer. You are experiencing a Layer 7 DDoS attack, specifically a flood of HTTP GET requests from various IP addresses attempting to exploit a SQL injection vulnerability. How should you mitigate this?
A healthcare company is storing sensitive patient documents in Cloud Storage. To meet compliance requirements, they must ensure that access permissions are applied consistently at the bucket level (preventing individual objects from having public access), and they must prevent data from being downloaded to unauthorized networks. Which TWO security controls should you implement? (Select TWO)
Your organization requires strict auditing of all GCP resources. The security team needs to know exactly who modified a firewall rule, and they also need to know which users queried a specific BigQuery dataset containing PII. Which TWO types of Cloud Audit Logs must be enabled or analyzed to gather this information? (Select TWO)
You are implementing VPC Service Controls to protect BigQuery and Cloud Storage. However, a specific third-party partner needs to upload files to a specific Cloud Storage bucket from their corporate IP address, which is outside your GCP network. Which TWO configurations can you use to allow this specific access while maintaining the perimeter? (Select TWO)
CASE STUDY: ShopGlobal Company Overview: ShopGlobal is an international e-commerce retailer. They are preparing for their largest annual sales event (Black Friday) and want to migrate off their aging on-premises infrastructure. Current Technical Environment: - 3 on-premises data centers (US-East, US-West, EU-Central). - VMware vSphere environment with 500 VMs. - Monolithic Java application running on Tomcat. - Oracle RAC database for transactions. - 50 TB of product images on SAN storage. Business Requirements: - Ensure 100% availability during the upcoming holiday season. - Modernize the application architecture over the next 3 years. - Reduce capital expenditure (CapEx) by shifting to an OpEx model. Executive Statements: - CEO: "Downtime during Black Friday costs us $1M per hour. We need bulletproof reliability." - CFO: "We want to stop buying hardware. Move everything to a pay-as-you-go model." - CTO: "We want to eventually move to microservices, but we don't have time to rewrite the app before the holidays." Technical Requirements: - Migrate the existing VMs to the cloud with minimal changes initially. - Implement a global CDN for product images to reduce latency. - Set up disaster recovery with an RPO of 15 minutes and RTO of 1 hour. - Ensure PCI-DSS compliance for payment processing. Constraints: - The migration must be completed in 4 months (before the code freeze). - The Oracle database license cannot be easily transferred to the cloud. - The team has no experience with Kubernetes or containers yet. QUESTION: To ensure PCI-DSS compliance for payment processing in the new cloud environment, which combination of GCP security controls should you implement?
CASE STUDY: AutoMakers Inc Company Overview: AutoMakers Inc is a leading vehicle manufacturer transitioning to connected and autonomous vehicles. They need a platform to ingest, process, and analyze telemetry data from millions of cars. Current Technical Environment: - Legacy MQTT brokers on-premises. - Hadoop cluster for batch processing (nightly runs). - 100,000 connected cars sending 1 KB of data every minute. - On-premises data warehouse reaching capacity. Business Requirements: - Support 5 million connected cars within 3 years. - Enable real-time alerting for critical vehicle faults. - Provide predictive maintenance insights to customers. - Monetize anonymized traffic data. Executive Statements: - CEO: "Data is our new engine. We need real-time insights to improve safety." - CFO: "The platform must scale cost-effectively. We only want to pay for what we use." - CTO: "We need a fully managed serverless data pipeline to minimize operational overhead." Technical Requirements: - Ingest up to 1 million messages per second with low latency. - Process data in real-time for anomaly detection. - Store raw telemetry data indefinitely for machine learning model training. - Provide a scalable data warehouse for business intelligence analysts. Constraints: - Strict data privacy regulations (GDPR) require masking of PII. - Limited data engineering staff; prefer managed services. - Must integrate with existing on-premises identity provider (Active Directory). QUESTION: How should you ensure compliance with GDPR requirements for masking Personally Identifiable Information (PII) before the data is stored or analyzed?
CASE STUDY: AutoMakers Inc Company Overview: AutoMakers Inc is a leading vehicle manufacturer transitioning to connected and autonomous vehicles. They need a platform to ingest, process, and analyze telemetry data from millions of cars. Current Technical Environment: - Legacy MQTT brokers on-premises. - Hadoop cluster for batch processing (nightly runs). - 100,000 connected cars sending 1 KB of data every minute. - On-premises data warehouse reaching capacity. Business Requirements: - Support 5 million connected cars within 3 years. - Enable real-time alerting for critical vehicle faults. - Provide predictive maintenance insights to customers. - Monetize anonymized traffic data. Executive Statements: - CEO: "Data is our new engine. We need real-time insights to improve safety." - CFO: "The platform must scale cost-effectively. We only want to pay for what we use." - CTO: "We need a fully managed serverless data pipeline to minimize operational overhead." Technical Requirements: - Ingest up to 1 million messages per second with low latency. - Process data in real-time for anomaly detection. - Store raw telemetry data indefinitely for machine learning model training. - Provide a scalable data warehouse for business intelligence analysts. Constraints: - Strict data privacy regulations (GDPR) require masking of PII. - Limited data engineering staff; prefer managed services. - Must integrate with existing on-premises identity provider (Active Directory). QUESTION: How should you integrate the existing on-premises Active Directory with Google Cloud to manage user access for the data analysts?
CASE STUDY: HealthSecure Company Overview: HealthSecure provides electronic health record (EHR) systems and telemedicine platforms to hospitals across North America. They handle highly sensitive patient data. Current Technical Environment: - Co-located data centers with strict physical security. - Monolithic .NET applications running on Windows Server. - Microsoft SQL Server databases. - Custom-built video streaming solution for telemedicine. Business Requirements: - Migrate to the cloud to improve scalability during telemedicine surges. - Maintain strict compliance with HIPAA and HITECH regulations. - Enable interoperability with other healthcare providers using FHIR standards. Executive Statements: - CEO: "Telemedicine is exploding. We need to scale instantly to meet patient demand." - Chief Risk Officer (CRO): "Security and compliance are our license to operate. A data breach would destroy us." - CTO: "We want to leverage cloud-native AI/ML for medical image analysis in the future." Technical Requirements: - End-to-end encryption for all data at rest and in transit. - Strict network isolation to prevent data exfiltration. - Comprehensive audit logging of all data access. - High availability across multiple regions. Constraints: - Must use Customer-Managed Encryption Keys (CMEK). - Third-party auditors require detailed compliance reports. - Legacy .NET applications cannot be easily containerized without refactoring. QUESTION: To meet the CRO's requirement for strict network isolation and prevent data exfiltration of sensitive patient records, which GCP security feature must be implemented?
CASE STUDY: HealthSecure Company Overview: HealthSecure provides electronic health record (EHR) systems and telemedicine platforms to hospitals across North America. They handle highly sensitive patient data. Current Technical Environment: - Co-located data centers with strict physical security. - Monolithic .NET applications running on Windows Server. - Microsoft SQL Server databases. - Custom-built video streaming solution for telemedicine. Business Requirements: - Migrate to the cloud to improve scalability during telemedicine surges. - Maintain strict compliance with HIPAA and HITECH regulations. - Enable interoperability with other healthcare providers using FHIR standards. Executive Statements: - CEO: "Telemedicine is exploding. We need to scale instantly to meet patient demand." - Chief Risk Officer (CRO): "Security and compliance are our license to operate. A data breach would destroy us." - CTO: "We want to leverage cloud-native AI/ML for medical image analysis in the future." Technical Requirements: - End-to-end encryption for all data at rest and in transit. - Strict network isolation to prevent data exfiltration. - Comprehensive audit logging of all data access. - High availability across multiple regions. Constraints: - Must use Customer-Managed Encryption Keys (CMEK). - Third-party auditors require detailed compliance reports. - Legacy .NET applications cannot be easily containerized without refactoring. QUESTION: How should you implement the encryption requirement to satisfy the constraint of using Customer-Managed Encryption Keys (CMEK)?
CASE STUDY: HealthSecure Company Overview: HealthSecure provides electronic health record (EHR) systems and telemedicine platforms to hospitals across North America. They handle highly sensitive patient data. Current Technical Environment: - Co-located data centers with strict physical security. - Monolithic .NET applications running on Windows Server. - Microsoft SQL Server databases. - Custom-built video streaming solution for telemedicine. Business Requirements: - Migrate to the cloud to improve scalability during telemedicine surges. - Maintain strict compliance with HIPAA and HITECH regulations. - Enable interoperability with other healthcare providers using FHIR standards. Executive Statements: - CEO: "Telemedicine is exploding. We need to scale instantly to meet patient demand." - Chief Risk Officer (CRO): "Security and compliance are our license to operate. A data breach would destroy us." - CTO: "We want to leverage cloud-native AI/ML for medical image analysis in the future." Technical Requirements: - End-to-end encryption for all data at rest and in transit. - Strict network isolation to prevent data exfiltration. - Comprehensive audit logging of all data access. - High availability across multiple regions. Constraints: - Must use Customer-Managed Encryption Keys (CMEK). - Third-party auditors require detailed compliance reports. - Legacy .NET applications cannot be easily containerized without refactoring. QUESTION: To meet the requirement for comprehensive audit logging of all data access for third-party auditors, what must you configure?
You are designing the IAM hierarchy for a new GCP organization. The security team insists on the principle of least privilege. A group of developers needs to view Compute Engine instances, restart them, and view Cloud Storage buckets, but they must not be able to delete instances or create new buckets. How should you assign permissions?
A European healthcare company is migrating to GCP. Due to strict data sovereignty laws, no data or compute resources can be deployed outside of the europe-west3 (Frankfurt) region. You need to ensure that developers cannot accidentally spin up resources in US or Asian regions. What is the most robust way to enforce this?
You are configuring a GKE cluster that runs multiple microservices. One specific microservice (Pod A) needs to read data from a Cloud Storage bucket. You want to follow the principle of least privilege and avoid using long-lived service account keys. Which TWO steps are required to implement Workload Identity for this pod? (Select TWO)
Your organization is preparing for a SOC 2 audit. The auditors require proof that you are continuously monitoring your GCP environment for misconfigurations (e.g., public Cloud Storage buckets, open firewall rules) and that you have a centralized dashboard for security alerts. Which TWO GCP services should you utilize? (Select TWO)
You are configuring Security Command Center (SCC) Premium for a large financial institution. The CISO wants to be alerted immediately if a service account key is leaked to a public GitHub repository, and wants to detect if any Compute Engine instances are communicating with known malicious IP addresses (botnets). Which TWO SCC built-in services provide these capabilities? (Select TWO)