GCP Professional Cloud Security Engineer Practice Question
A financial-services company is migrating a sensitive Monte Carlo simulation workload from an on-premises HPC cluster to Google Cloud. The CISO requires that the data remain encrypted not only on disk and on the network but also while it is being processed in memory, so that even Google administrators or other tenants on the same host cannot inspect it. The engineering team wants to avoid recompiling or refactoring the application code and will accept a small performance impact. Which Google Cloud capability best satisfies these requirements, and why?
Encrypt all persistent disks with Customer-Managed Encryption Keys (CMEK) and use VPC Service Controls to prevent exfiltration; this extends encryption to data processed in memory.
Run the workload on sole-tenant nodes with Shielded VMs, which isolate tenants at the host level but rely on standard memory protection without encrypting data in use.
Enable Confidential VMs, which use processor-based memory encryption (AMD SEV or Intel TDX) to protect data while it is in use, require no application changes, and incur only minor performance overhead.
Store encryption keys in Cloud HSM and perform application-level encryption/decryption of all data before and after every CPU operation to ensure in-memory protection.
Confidential Computing on Google Cloud is implemented with Confidential VMs that use CPU-level hardware extensions such as AMD Secure Encrypted Virtualization (SEV) or Intel TDX to encrypt memory pages with a unique, ephemeral key bound to the virtual machine. Because the encryption is transparent to the guest OS and applications, existing workloads run unmodified. The protection limits visibility for Google administrators and other tenants, but memory-encryption housekeeping can introduce a modest performance overhead (typically a few percent). Sole-tenant nodes and Shielded VMs harden isolation but do not encrypt data in use, while Cloud HSM and KMS address key storage rather than memory protection.
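An added example (not part of the original question and not Google tooling): a Python check that separates Confidential VMs from VMs that are only Shielded, which is the distinction the explanation draws. It assumes records shaped like `gcloud compute instances list --format=json` output; the sample records and instance names are constructed, and the field names follow the Compute Engine Instance resource.

```python
import json

# Constructed sample records, shaped like the Compute Engine Instance resource
# returned by `gcloud compute instances list --format=json`. Names are made up.
SAMPLE_INSTANCES = json.loads("""
[
  {"name": "mc-sim-sev",
   "confidentialInstanceConfig": {"enableConfidentialCompute": true,
                                  "confidentialInstanceType": "SEV"},
   "shieldedInstanceConfig": {"enableSecureBoot": true, "enableVtpm": true}},
  {"name": "mc-sim-tdx",
   "confidentialInstanceConfig": {"confidentialInstanceType": "TDX"}},
  {"name": "mc-sim-shielded",
   "shieldedInstanceConfig": {"enableSecureBoot": true, "enableVtpm": true,
                              "enableIntegrityMonitoring": true}},
  {"name": "mc-sim-plain",
   "confidentialInstanceConfig": {"enableConfidentialCompute": false}}
]
""")

MEMORY_ENCRYPTION_TYPES = {"SEV", "SEV_SNP", "TDX"}


def memory_encryption(instance):
    """Return the memory-encryption technology, or None if data in use is unprotected."""
    cfg = instance.get("confidentialInstanceConfig") or {}
    ctype = cfg.get("confidentialInstanceType")
    if ctype in MEMORY_ENCRYPTION_TYPES:
        return ctype
    # A record may carry only the boolean flag, without naming the technology.
    return "ENABLED" if cfg.get("enableConfidentialCompute") else None


def audit(instances):
    """List (name, reason) for every VM whose memory is not hardware-encrypted."""
    findings = []
    for inst in instances:
        if memory_encryption(inst) is not None:
            continue
        shielded = inst.get("shieldedInstanceConfig") or {}
        if any(shielded.get(k) for k in ("enableSecureBoot", "enableVtpm")):
            reason = "Shielded VM only: boot integrity, data in use not encrypted"
        else:
            reason = "no Confidential VM configuration"
        findings.append((inst["name"], reason))
    return findings


if __name__ == "__main__":
    for name, reason in audit(SAMPLE_INSTANCES):
        print(f"{name}: {reason}")
```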
GCP Professional Cloud Security Engineer
Ensuring data protection