Exam Professional Cloud Security Engineer topic 1 question 318 discussion

HSM is only for regulatory purpose and Client-side encryption won't provide highest security. Do not for a second think it's C, when you have B as an option. Why Option B is Correct? Cloud Storage with CMEK: CMEK (Customer-Managed Encryption Keys) allows you to manage your own encryption keys, providing you with full control over your data encryption at rest. It ensures that Google Cloud can store and process your data, but the encryption keys remain under your control, enhancing security. Cloud DLP (Data Loss Prevention): Cloud DLP helps you inspect, classify, and redact sensitive data, such as personally identifiable information (PII), before it's stored or processed. This is crucial for compliance and risk management. Secret Manager: Secret Manager is a service for securely storing API keys, passwords, certificates, and other sensitive data. By using Secret Manager, you ensure that access tokens and secrets are encrypted and controlled with IAM access policies, further increasing the security posture.

A more suitable option would involve using Cloud HSMs in conjunction with other strong security measures such as CMEKs and Cloud DLP.

Highly Secure etc = HSM

Client-Side Encryption: Encrypting data before it leaves your control ensures that even if someone gains access to your Cloud Storage bucket, they cannot decrypt the data without the encryption keys. This provides an extra layer of protection against unauthorized access or data breaches. Cloud KMS: Cloud KMS provides a secure and managed service for generating and storing your encryption keys.1 You can control key access with granular IAM permissions and audit all key operations. Cloud HSM: Cloud HSM takes key security to the next level by using dedicated, tamper-resistant hardware security modules (HSMs) to generate and protect your keys. This offers the highest level of protection against key compromise.

Answer C