    Domain 3: Security & Compliance

    Subtask 3.2: Compliance Design

    8 questions across 4 exams

    Covered in these exams

    • GCP Professional Cloud Architect Practice Exam 1
    • GCP Professional Cloud Architect Practice Exam 5
    • GCP Professional Cloud Architect Practice Exam 6
    • GCP Professional Cloud Architect Practice Exam 7

    All questions (8)

    Q08 · Hard · 1 mark · GCP Professional Cloud Architect Practice Exam 1

    **CASE STUDY: Dress4Win**

    **Company Overview:** Dress4Win is a web-based retail company that helps users organize their wardrobes.

    **Current Environment:** Colocated data center. Tomcat app servers, Nginx web servers, MySQL databases, Redis caching. 100TB of image data on SAN.

    **Business Requirements:** Migrate to cloud to handle seasonal spikes (Black Friday). Reduce CapEx. Enable rapid prototyping.

    **Executive Statements:** CEO: 'Innovate faster, stop worrying about servers.' CFO: 'Move to OpEx. Ensure PCI-DSS compliance.' CTO: 'Modernize stack but migrate quickly first.'

    **Technical Requirements:** Secure hybrid connectivity during migration. PCI-DSS compliance. Automated scaling. CI/CD for microservices.

    **Constraints:** Migration must be completed before Q4 holiday season (6 months). Limited budget for refactoring during initial migration.

    **QUESTION:** To meet the CFO's requirement for PCI-DSS compliance, how should you secure the payment processing environment in GCP?

    Q08 · Hard · 1 mark · GCP Professional Cloud Architect Practice Exam 5

    CASE STUDY: ShopGlobal

    Overview: Retailer, 2000 employees, $500M revenue. US-Central co-lo, Java/Tomcat monolith, Oracle RAC 20TB, batch inventory sync.

    Business Req: Handle 10x Black Friday spikes, personalized recommendations, modernize to microservices.

    Execs: CEO wants omnichannel; CFO needs predictable spend; CTO demands zero downtime cutover.

    Tech Req: PCI-DSS compliance, automated image processing, real-time inventory, CI/CD.

    Constraints: Complex Oracle stored procedures, team learning containers, strict bi-annual audits.

    QUESTION: To meet the strict PCI-DSS compliance requirements and prepare for bi-annual audits, which security architecture should you implement?

    Q10 · Medium · 1 mark · GCP Professional Cloud Architect Practice Exam 6

    CASE STUDY: RetailMart

    Overview:
    Industry: Retail/E-commerce
    Size: 2000 employees, $500M revenue

    Environment:
    - Monolithic Java app on VMware
    - Oracle RAC DB
    - F5 Load Balancers
    - 10 Gbps Direct Connect to AWS

    Requirements:
    - CapEx to OpEx
    - Handle 10x Black Friday traffic
    - Personalized recommendations
    - Modernize without impacting sales

    Exec Statements:
    - CEO: Omnichannel experience.
    - CFO: Predictable costs, no hardware refresh.
    - CTO: Break monolith, but Oracle DB stays on-prem for 2 years.

    Tech Reqs:
    - Zero downtime deployments
    - PCI-DSS compliance
    - Image processing pipeline
    - Async order processing

    Constraints:
    - Hybrid architecture required
    - Team knows Spring Boot, zero Kubernetes exp
    - 6-month timeline

    QUESTION: To meet the PCI-DSS compliance requirement, how should you handle credit card numbers entered by users?

    Q40 · Medium · 1 mark · GCP Professional Cloud Architect Practice Exam 6

    Your organization requires strict auditing of all GCP resources. The security team needs to know exactly who modified a firewall rule, and they also need to know which users queried a specific BigQuery dataset containing PII. Which TWO types of Cloud Audit Logs must be enabled or analyzed to gather this information? (Select TWO)

    Q08 · Hard · 1 mark · GCP Professional Cloud Architect Practice Exam 7

    CASE STUDY: ShopGlobal

    Company Overview: ShopGlobal is an international e-commerce retailer. They are preparing for their largest annual sales event (Black Friday) and want to migrate off their aging on-premises infrastructure.

    Current Technical Environment:
    - 3 on-premises data centers (US-East, US-West, EU-Central).
    - VMware vSphere environment with 500 VMs.
    - Monolithic Java application running on Tomcat.
    - Oracle RAC database for transactions.
    - 50 TB of product images on SAN storage.

    Business Requirements:
    - Ensure 100% availability during the upcoming holiday season.
    - Modernize the application architecture over the next 3 years.
    - Reduce capital expenditure (CapEx) by shifting to an OpEx model.

    Executive Statements:
    - CEO: "Downtime during Black Friday costs us $1M per hour. We need bulletproof reliability."
    - CFO: "We want to stop buying hardware. Move everything to a pay-as-you-go model."
    - CTO: "We want to eventually move to microservices, but we don't have time to rewrite the app before the holidays."

    Technical Requirements:
    - Migrate the existing VMs to the cloud with minimal changes initially.
    - Implement a global CDN for product images to reduce latency.
    - Set up disaster recovery with an RPO of 15 minutes and RTO of 1 hour.
    - Ensure PCI-DSS compliance for payment processing.

    Constraints:
    - The migration must be completed in 4 months (before the code freeze).
    - The Oracle database license cannot be easily transferred to the cloud.
    - The team has no experience with Kubernetes or containers yet.

    QUESTION: To ensure PCI-DSS compliance for payment processing in the new cloud environment, which combination of GCP security controls should you implement?

    Q18 · Medium · 1 mark · GCP Professional Cloud Architect Practice Exam 7

    CASE STUDY: HealthSecure

    Company Overview: HealthSecure provides electronic health record (EHR) systems and telemedicine platforms to hospitals across North America. They handle highly sensitive patient data.

    Current Technical Environment:
    - Co-located data centers with strict physical security.
    - Monolithic .NET applications running on Windows Server.
    - Microsoft SQL Server databases.
    - Custom-built video streaming solution for telemedicine.

    Business Requirements:
    - Migrate to the cloud to improve scalability during telemedicine surges.
    - Maintain strict compliance with HIPAA and HITECH regulations.
    - Enable interoperability with other healthcare providers using FHIR standards.

    Executive Statements:
    - CEO: "Telemedicine is exploding. We need to scale instantly to meet patient demand."
    - Chief Risk Officer (CRO): "Security and compliance are our license to operate. A data breach would destroy us."
    - CTO: "We want to leverage cloud-native AI/ML for medical image analysis in the future."

    Technical Requirements:
    - End-to-end encryption for all data at rest and in transit.
    - Strict network isolation to prevent data exfiltration.
    - Comprehensive audit logging of all data access.
    - High availability across multiple regions.

    Constraints:
    - Must use Customer-Managed Encryption Keys (CMEK).
    - Third-party auditors require detailed compliance reports.
    - Legacy .NET applications cannot be easily containerized without refactoring.

    QUESTION: To meet the requirement for comprehensive audit logging of all data access for third-party auditors, what must you configure?

    Q27 · Hard · 1 mark · GCP Professional Cloud Architect Practice Exam 7

    A European healthcare company is migrating to GCP. Due to strict data sovereignty laws, no data or compute resources can be deployed outside of the europe-west3 (Frankfurt) region. You need to ensure that developers cannot accidentally spin up resources in US or Asian regions. What is the most robust way to enforce this?

    Q41 · Medium · 1 mark · GCP Professional Cloud Architect Practice Exam 7

    Your organization is preparing for a SOC 2 audit. The auditors require proof that you are continuously monitoring your GCP environment for misconfigurations (e.g., public Cloud Storage buckets, open firewall rules) and that you have a centralized dashboard for security alerts. Which TWO GCP services should you utilize? (Select TWO)
