Exam Professional Cloud Security Engineer topic 1 question 101 discussion

”This encryption method is reversible, which helps to maintain referential integrity across your database and has no character-set limitations.” https://cloud.google.com/blog/products/identity-security/take-charge-of-your-data-how-tokenization-makes-data-usable-without-sacrificing-privacy

C. Format-preserving encryption Justification Based on Documentation: https://cloud.google.com/dlp/docs/transformations-reference#transformation_methods According to the Google Cloud DLP guidelines, format-preserving encryption (FPE) transforms sensitive data while keeping its original format. This is essential for working with structured data where you need to maintain the integrity of data types (e.g., keeping a credit score as a numeric field) while ensuring security through encryption. The ability to join user information in the banking app with credit score data while preserving the structure and format of the data is critical, especially since the goal is to analyze the data without exposing sensitive information.

Why C. Format-preserving encryption is correct: Format-preserving encryption (FPE) encrypts data while preserving its format (e.g., encrypting a credit card number would still result in a string with the same length and structure). It ensures that data relationships and referential integrity across systems remain intact. FPE is supported by Google Cloud DLP for tokenization tasks. Why not the other options: A. Deterministic encryption: Deterministic encryption ensures that the same plaintext always encrypts to the same ciphertext, which can preserve referential integrity. However, it doesn't inherently maintain the format of the original data, which might be a requirement in this case.

D Cryptogrpahic hashing as it maintains refenrtial integrity and not reversible https://cloud.google.com/dlp/docs/pseudonymization

To meet the requirements of de-identifying and tokenizing sensitive data while maintaining referential integrity across the database, you should use "Deterministic encryption." Deterministic encryption is a form of encryption where the same input value consistently produces the same encrypted output (token). This ensures referential integrity because the same original value will always result in the same token, allowing you to link and join data across different systems or databases while still protecting sensitive information. Format-preserving encryption is a specific form of deterministic encryption that preserves the format and length of the original data, which can be useful for maintaining data structures and relationships. So, the correct option is: A. Deterministic encryption

"A" Requirements are reversible while maintaining referential integrity. Both A and D meet this requirement however D has input limitations. Therefore A is a better answer. https://cloud.google.com/dlp/docs/transformations-reference#transformation_methods

This is a poor question and not enough data is provided to determine which Tokenization method should be selected. There are three methods for Tokenization (also referred to as Pseudonymization). See: https://cloud.google.com/dlp/docs/transformations-reference#crypto and each method maintains referential integrity See: https://www.youtube.com/watch?v=h0BnA7R8vg4. Thus, you'd need to know whether it needs to be reversible, format preserving to confidentially select an answer..

https://cloud.google.com/blog/products/identity-security/take-charge-of-your-data-how-tokenization-makes-data-usable-without-sacrificing-privacy

"Deterministic encryption" is too wide definition, the key phrase is "Which cryptographic token format " so th answer is "Format-preserving encryption" - where Referential integrity is assured (...allows for records to maintain their relationship ....ensures that connections between values (and, with structured data, records) are preserved, even across tables)

Cryptographic uses strings , it asks to use tokenization and hence deterministic is better than FPE hence A

Though it's not clear, but, to prevent from data leak, it's better to have a non-reversible method as analysts don't need re-identification

A. Deterministic encryption

A is the answer. https://cloud.google.com/dlp/docs/pseudonymization FPE provides fewer security guarantees compared to other deterministic encryption methods such as AES-SIV. For these reasons, Google strongly recommends using deterministic encryption with AES-SIV instead of FPE for all security sensitive use cases. Other methods like deterministic encryption using AES-SIV provide these stronger security guarantees and are recommended for tokenization use cases unless length and character set preservation are strict requirements—for example, for backward compatibility with a legacy data system.

This question is taken from the exact scenario described in this link https://cloud.google.com/blog/products/identity-security/take-charge-of-your-data-how-tokenization-makes-data-usable-without-sacrificing-privacy

Both "Deterministic" and "format preserving" are key-based hashes (and reversible). It's not clear from the question, but doesn't look like we need it to be reversible. All of them maintain referential integrity https://cloud.google.com/architecture/de-identification-re-identification-pii-using-cloud-dlp#method_selection

preserve referential integrity and ensure that no re-identification is possible https://cloud.google.com/dlp/docs/pseudonymization#supported-methods

Cryptographic hash (CryptoHashConfig) maintains referential integrity. "Determinist encryption" is not a transformation method. https://cloud.google.com/dlp/docs/transformations-reference