Your organization operates in a highly regulated environment and has a stringent set of compliance requirements for protecting customer data. You must encrypt data while in use to meet regulations. What should you do?
A.
Use customer-managed encryption keys (CMEK) and Cloud KSM to enable your organization to control their keys for data encryption in Cloud SQL
B.
Enable the use of customer-supplied encryption keys (CSEK) keys in the Google Compute Engine VMs to give your organization maximum control over their VM disk encryption.
C.
Establish a trusted execution environment with a Confidential VM.
D.
Use a Shielded VM to ensure a secure boot with integrity monitoring for the application environment.
The requirement is to protect data while in use (meaning data in memory or CPU registers, during processing). This is a concept addressed by Confidential Computing using Trusted Execution Environments (TEEs).
Extracts:
"Confidential VMs are an IaaS solution... Confidential VMs offer: Encryption for 'data in use', including the processor state and the virtual machine's memory." (Source 4.1)
"Confidential computing protects data during processing by isolating workloads inside hardware-based trusted execution environments (TEEs), ensuring even cloud operators cannot access them." (Source 4.3)
"Confidential VMs extend the standard virtual machine concept by adding hardware-enforced confidentiality controls... they ensure data remains encrypted not only at rest and in transit, but also while in use." (Source 4.4)
Options A (CMEK) and B (CSEK) protect data at rest (disk encryption). Option D (Shielded VM) protects integrity and prevents rootkit compromise but does not encrypt memory while the data is actively being processed. Only Confidential VM (or TEE) protects data in use.
Contribute your Thoughts:
Chosen Answer:
This is a voting comment (?). You can switch to a simple comment. It is better to Upvote an existing comment if you don't have anything to add.
Submit