GCP Professional Cloud Security Engineer Practice Question
A healthcare provider exports multiple BigQuery tables from its production database to a separate analytics project. The tables contain patient identifiers such as medical record number (MRN) and government ID. Data scientists must be able to join the de-identified tables on these identifiers to build longitudinal views, but only a restricted compliance team may later reverse the process to reveal the original values if legally required. Which Sensitive Data Protection (Cloud DLP) transformation best meets these requirements?
Shift each identifier value by a random offset to hide the real data while keeping the format intact.
Redact the identifier fields so they are removed entirely from the exported tables.
Mask each identifier by replacing all but the last four characters with the "#" symbol.
Apply cryptographic deterministic encryption using a Cloud KMS-protected key (CryptoDeterministicConfig) to pseudonymize the identifiers.
Because the same MRN or government ID needs to produce the same surrogate value every time, the transformation must be deterministic. At the same time, the provider wants the option to recover the original identifiers under tightly controlled conditions. Sensitive Data Protection's cryptographic deterministic encryption (CryptoDeterministicConfig) satisfies both needs: it generates a consistent token for a given input/key pair, enabling joins, and it is reversible through the same key for authorized re-identification. Simple redaction or masking would break joinability, while date shifting is unrelated. Format-preserving encryption is also reversible but is intended for preserving specific character sets rather than arbitrary string identifiers, so deterministic tokenization with CryptoDeterministicConfig is the most appropriate choice here.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is cryptographic deterministic encryption and how does it work in Cloud DLP?
Open an interactive chat with Bash
Why is simple masking or redaction not suitable for joining de-identified data?
Open an interactive chat with Bash
What makes Cloud KMS-protected keys critical for CryptoDeterministicConfig?
Open an interactive chat with Bash
What is CryptoDeterministicConfig in Cloud DLP?
Open an interactive chat with Bash
How does Cloud KMS protect encryption keys in CryptoDeterministicConfig?
Open an interactive chat with Bash
Why is deterministic encryption preferred over masking or redaction in this case?
Open an interactive chat with Bash
GCP Professional Cloud Security Engineer
Ensuring data protection
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .