PROFESSIONAL-CLOUD-SECURITY-ENGINEER Question #329: Real Exam Question with Answer & Explanation
Correct answer: A.
Question
Your development team is launching a new application. The new application has a microservices architecture on Compute Engine instances and serverless components, including Cloud Functions. This application will process financial transactions that require temporary, highly sensitive data in memory. You need to secure data in use during computations with a focus on minimizing the risk of unauthorized access to memory for this financial application. What should you do?
Options
- A. Enable Confidential VM instances for Compute Engine, and ensure that relevant Cloud Functions
- B. Use data masking and tokenization techniques on sensitive financial data fields throughout the
- C. Use the Cloud Data Loss Prevention (Cloud DLP) API to scan and mask sensitive data before
- D. Store all sensitive data during processing in Cloud Storage by using customer-managed
Explanation
Confidential VMs use hardware-based memory encryption (AMD SEV or Intel TDX) to encrypt data while it is actively being processed in RAM; this is the definition of "data in use" protection. When a financial application processes sensitive data in memory, a Confidential VM ensures that even privileged access to the hypervisor or host cannot expose plaintext memory contents, which directly addresses the risk of unauthorized access to in-memory data. The protection boundary is the guest: it shields memory from the host and hypervisor, not from code that is already running inside the VM. Option B (masking/tokenization) protects data at rest or in transit, not during in-memory computation. Option C (Cloud DLP) scans and redacts data but does not protect the computation environment itself. Option D (storing data in Cloud Storage during processing) contradicts the requirement to keep the data in memory and addresses at-rest encryption, not in-use encryption.