GCP Professional Cloud Security Engineer Practice Question
A health-insurance provider must copy several BigQuery tables containing the 10-digit numeric column member_id from its production project to a separate analytics project for data scientists. Compliance requires hiding the real identifiers, allowing analysts to perform equality joins on member_id, and enabling a small security team to recover the original values during fraud investigations without involving the analysts. Which Google Cloud Sensitive Data Protection configuration meets all requirements with the least operational overhead?
Mask every digit of member_id with the character "#" before exporting the tables.
Apply a date-shifting transformation to member_id and instruct analysts to cast the shifted value to STRING when joining.
Run an SDP inspection job that applies deterministic encryption with CryptoDeterministicConfig, writes the result as a surrogate infoType, and protects the key in Cloud KMS; grant only the security team dlp.jobs.reidentify and KMS decrypt permissions.
Encrypt member_id with format-preserving encryption (FFX) but do not store a surrogate infoType to prevent re-identification.
Deterministic encryption with CryptoDeterministicConfig replaces each member_id with a repeatable ciphertext so joins continue to work. Storing the ciphertext as a surrogate infoType lets DLP re-identification jobs map the surrogate back to the original value, provided the caller has both dlp.jobs.reidentify permission and access to the Cloud KMS key that protected the data. Masking or date shifting destroys join capability and cannot be reversed, while format-preserving encryption without a surrogate blocks automated re-identification.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is CryptoDeterministicConfig in Google Cloud Sensitive Data Protection?
Open an interactive chat with Bash
What is the role of Cloud KMS in the proposed solution?
Open an interactive chat with Bash
How does storing a surrogate infoType facilitate re-identification?
Open an interactive chat with Bash
What is deterministic encryption and how is it used in this context?
Open an interactive chat with Bash
What is Google Cloud KMS and how does it protect encryption keys?
Open an interactive chat with Bash
What is a surrogate infoType in Google Cloud DLP?
Open an interactive chat with Bash
GCP Professional Cloud Security Engineer
Ensuring data protection
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .