Google Professional Cloud Security Engineer Exam - Topic 2 Question 14 Discussion

Actual exam question for Google's Professional Cloud Security Engineer exam

Question #: 14
Topic #: 2

[All Professional Cloud Security Engineer Questions]

In an effort for your company messaging app to comply with FIPS 140-2, a decision was made to use GCP compute and network services. The messaging app architecture includes a Managed Instance Group (MIG) that controls a cluster of Compute Engine instances. The instances use Local SSDs for data caching and UDP for instance-to-instance communications. The app development team is willing to make any changes necessary to comply with the standard

Which options should you recommend to meet the requirements?

AEncrypt all cache storage and VM-to-VM communication using the BoringCrypto module.

BSet Disk Encryption on the Instance Template used by the MIG to customer-managed key and use BoringSSL for all data transit between instances.

CChange the app instance-to-instance communications from UDP to TCP and enable BoringSSL on clients' TLS connections.

DSet Disk Encryption on the Instance Template used by the MIG to Google-managed Key and use BoringSSL library on all instance-to-instance communications.

Show Suggested Answer

Suggested Answer: D

by Markus at May 07, 2022, 06:02 PM

Limited Time Offer

25%

Off

Get Premium Professional Cloud Security Engineer Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Krystina

4 months ago

Isn't BoringCrypto just a fork of BoringSSL? Not sure if that's enough.

upvoted 0 times

...

Amie

4 months ago

Definitely agree with B, BoringSSL is a good choice!

upvoted 0 times

...

Pamela

4 months ago

Wait, are we really trusting Google-managed keys? Seems risky.

upvoted 0 times

...

Xenia

4 months ago

I think Option C is better for security, TCP is more reliable.

upvoted 0 times

...

Matt

5 months ago

Option B sounds solid with customer-managed keys.

upvoted 0 times

...

Jacki

5 months ago

I vaguely remember that Google-managed keys might not meet the strict requirements for FIPS 140-2, but I can't recall the specifics. I should have reviewed that section more thoroughly.

upvoted 0 times

...

Martin

5 months ago

I feel like using BoringSSL for data transit is definitely a good idea, but I’m unsure if it’s enough on its own without also encrypting the disk.

upvoted 0 times

...

Stephane

5 months ago

I remember we discussed the importance of using customer-managed keys for encryption in one of our practice sessions, but I'm not entirely sure if that's the best choice here.

upvoted 0 times

...

Zona

5 months ago

I think we had a similar question about securing communications between instances, and I recall that switching from UDP to TCP could help with reliability, but I'm not confident if it’s necessary for FIPS compliance.

upvoted 0 times

...

Nathan

5 months ago

Hmm, I'm a little unsure about this one. I know switches help mitigate collisions, but I'm not sure which specific characteristic allows them to do that. I'll have to think it through carefully.

upvoted 0 times

...

Johnna

5 months ago

Hmm, I'm not sure about this one. I'm debating between the facilitated workshop and the questionnaire. The workshop might be more interactive, but the questionnaire could reach more people quickly.

upvoted 0 times

...