**CASE STUDY: TerramEarth**
**Company Overview:** TerramEarth manufactures heavy equipment. 2 million vehicles in the field.
**Current Environment:** Vehicles send telemetry via cellular. Processing 100,000 msgs/sec. On-prem Hadoop cluster.
**Business Requirements:** Predict equipment failure. Reduce warranty costs. Provide fleet dashboard.
**Executive Statements:** CEO: 'Monetize data.' CFO: 'Storage costs spiraling.' CTO: 'Need scalable ingestion and ML.'
**Technical Requirements:** Ingest 500,000 msgs/sec. Store petabytes cost-effectively. Train ML models. Real-time anomaly detection.
**Constraints:** Intermittent connectivity. Strict vehicle authentication.
**QUESTION:** How should you meet the strict vehicle authentication constraint when vehicles connect to the GCP environment?
**CASE STUDY: HealthCare360**
**Company Overview:** HealthCare360 provides EHR systems to hospitals in NA and EU.
**Current Environment:** Isolated on-prem deployments. Fragmented data.
**Business Requirements:** Centralize EHR in cloud. Enable cross-hospital research. Ensure compliance.
**Executive Statements:** CEO: 'Transforming to SaaS.' CFO: 'Need cost attribution per tenant.' CSO: 'Zero compromise on HIPAA/GDPR.'
**Technical Requirements:** Multi-region active-active deployment. Microservices on GKE. End-to-end encryption (CMEK). Strict network perimeters.
**Constraints:** Zero data loss (RPO=0). RTO < 15 minutes. HIPAA (US) and GDPR (EU) compliance.
**QUESTION:** To meet the CSO's requirement for strict network perimeters and HIPAA compliance, how should you protect the patient data stored in Cloud Storage and BigQuery?
You are deploying an internal HR application on Compute Engine. The application uses HTTP and should only be accessible to employees connected to the corporate network via Cloud VPN. Which load balancer should you use?
You are creating a new GCP project for a production environment. You need strict control over the IP address ranges used by your subnets to prevent overlapping with your on-premises network. How should you configure the VPC network?
Your e-commerce application uses Cloud SQL for PostgreSQL. During peak shopping hours, the database CPU hits 95% due to a massive number of read queries from the product catalog, causing latency. Write operations (orders) remain low. How should you optimize the database architecture?
You are designing a multi-tenant SaaS application on GKE. Each tenant's microservices run in a dedicated Kubernetes namespace. Tenant A's microservices need access to Tenant A's Cloud Storage bucket, and Tenant B's microservices need access to Tenant B's bucket. How should you configure authentication to ensure strict isolation?
CASE STUDY: AeroMech
Overview: Aviation manufacturer, 5000 employees, $2B revenue. 100 engines, 10k sensors/engine, 1GB data/flight. On-prem Hadoop.
Business Req: Predictive maintenance, secure data sharing with airlines, monetize data.
Execs: CEO wants new revenue; CFO demands ML ROI; CTO says on-prem storage unfeasible.
Tech Req: High-throughput ingestion, PB-scale storage, train ML on historical data, deploy ML to edge (aircraft).
Constraints: Intermittent low-bandwidth flight connectivity, aviation data compliance, data scientists use Python/Jupyter.
QUESTION: How should you securely share engine performance data with airline customers to create new revenue streams?
CASE STUDY: MediSecure
Overview: Telehealth provider, 1500 employees, $300M revenue. Core app on AWS, 3 acquired clinics on VMware, fragmented EHRs, Active Directory.
Business Req: Unify patient records, integrate clinics in 90 days, launch patient portal.
Execs: CEO wants rapid integration; CFO wants CapEx to OpEx; CISO demands strict HIPAA/GDPR compliance.
Tech Req: End-to-end PHI encryption, comprehensive audit logging, hybrid connectivity to clinics, DR (RPO 5m, RTO 1h).
Constraints: Clinics have low bandwidth, high staff turnover requires automated IAM, legacy EHRs cannot be modified immediately.
QUESTION: To satisfy the CISO's requirement for strict HIPAA compliance and control over PHI encryption, which encryption strategy should you use for data at rest in Cloud Storage?
CASE STUDY: MediSecure
Overview: Telehealth provider, 1500 employees, $300M revenue. Core app on AWS, 3 acquired clinics on VMware, fragmented EHRs, Active Directory.
Business Req: Unify patient records, integrate clinics in 90 days, launch patient portal.
Execs: CEO wants rapid integration; CFO wants CapEx to OpEx; CISO demands strict HIPAA/GDPR compliance.
Tech Req: End-to-end PHI encryption, comprehensive audit logging, hybrid connectivity to clinics, DR (RPO 5m, RTO 1h).
Constraints: Clinics have low bandwidth, high staff turnover requires automated IAM, legacy EHRs cannot be modified immediately.
QUESTION: How should you address the constraint of high staff turnover and the need for automated IAM provisioning?
Your company stores highly sensitive intellectual property in a Cloud Storage bucket. You need to ensure that even if an employee with legitimate IAM permissions tries to download the data from their home network or a coffee shop, the request is denied. How should you enforce this?
An application running on Google Kubernetes Engine (GKE) needs to read data from a Cloud Storage bucket. What is the most secure way to grant the application access to the bucket?
The CISO wants to implement a centralized security dashboard to detect misconfigurations and active threats across the entire GCP organization. Which TWO features of Security Command Center (SCC) Premium should you highlight? (Select TWO)
You are designing the IAM hierarchy for a new GCP organization. Following Google's best practices for security and manageability, which THREE principles should you apply? (Select THREE)
Your organization is migrating sensitive data to Cloud Storage. The security team dictates that Google must not manage the encryption keys, but they also do not want the operational burden of maintaining their own highly available key servers on-premises. Which TWO actions should you take? (Select TWO)
CASE STUDY: HealthData Inc
Overview: Industry: Healthcare Analytics. Size: 1000 employees.
Environment:
- Co-located data center
- Hadoop cluster
- SFTP servers
- 50 TB patient data
Requirements:
- ML models for diagnostics
- Secure data sharing portals
- Break data silos
Exec Statements:
- CEO: Need compute for ML.
- CRO: HIPAA compliance is top priority.
- CTO: Managed services needed to replace Hadoop.
Tech Reqs:
- Strict HIPAA compliance
- Automated PHI de-identification
- Comprehensive audit logging
- CMEK
- Network isolation (no public internet)
Constraints:
- US data sovereignty
- 7-year retention (immutable)
- Easy auditor access
QUESTION: How should you enforce the network isolation requirement to ensure that patient data in Cloud Storage and BigQuery cannot be accessed from the public internet?
CASE STUDY: HealthData Inc
Overview: Industry: Healthcare Analytics. Size: 1000 employees.
Environment:
- Co-located data center
- Hadoop cluster
- SFTP servers
- 50 TB patient data
Requirements:
- ML models for diagnostics
- Secure data sharing portals
- Break data silos
Exec Statements:
- CEO: Need compute for ML.
- CRO: HIPAA compliance is top priority.
- CTO: Managed services needed to replace Hadoop.
Tech Reqs:
- Strict HIPAA compliance
- Automated PHI de-identification
- Comprehensive audit logging
- CMEK
- Network isolation (no public internet)
Constraints:
- US data sovereignty
- 7-year retention (immutable)
- Easy auditor access
QUESTION: How should you design the architecture to automate the de-identification of Protected Health Information (PHI) as data is ingested?
A company is setting up its GCP Organization. They have three main departments: HR, Finance, and Engineering. Engineering has two sub-teams: Dev and QA. They want to apply a policy that prevents the creation of public IP addresses for all Engineering projects, but allows it for HR and Finance. How should you design the resource hierarchy and policy?
Your application runs on GKE and needs to access a Cloud Storage bucket. You want to follow the principle of least privilege and avoid managing service account keys manually. What is the most secure way to grant the GKE pods access to the bucket?
A healthcare company requires that all data stored in Cloud Storage must be encrypted using cryptographic keys that the company generates, stores, and manages entirely on their own on-premises Hardware Security Modules (HSMs). Google must not have access to the key material. Which encryption strategy must be used?
Your web application is deployed behind a Global HTTP(S) Load Balancer. You are experiencing a Layer 7 DDoS attack, specifically a flood of HTTP GET requests from various IP addresses attempting to exploit a SQL injection vulnerability. How should you mitigate this?
A healthcare company is storing sensitive patient documents in Cloud Storage. To meet compliance requirements, they must ensure that access permissions are applied consistently at the bucket level (preventing individual objects from having public access), and they must prevent data from being downloaded to unauthorized networks. Which TWO security controls should you implement? (Select TWO)
You are implementing VPC Service Controls to protect BigQuery and Cloud Storage. However, a specific third-party partner needs to upload files to a specific Cloud Storage bucket from their corporate IP address, which is outside your GCP network. Which TWO configurations can you use to allow this specific access while maintaining the perimeter? (Select TWO)