GCDL domain
Trust and security with Google Cloud
Use this page to practise GCDL Trust and security with Google Cloud practice questions. The goal is not to memorise dumps, but to understand the concept, review the explanation and improve your exam readiness.
Focused practice
Start a Trust and security with Google Cloud session
All sessions draw only from this domain. Pick a length or try interactive practice with inline explanations.
Start 20-question practice session →
What the exam tests
What to know about Trust and security with Google Cloud
Cloud concepts questions usually test the service model (IaaS/PaaS/SaaS) and deployment model (public/private/hybrid/community) appropriate for a given scenario.
- IaaS, PaaS and SaaS responsibilities and examples.
- Public, private, hybrid and community cloud deployment models.
- On-premises vs cloud trade-offs: cost, control, scalability.
- How cloud connectivity options (VPN, Direct Connect, ExpressRoute) work.
Question index
All Trust and security with Google Cloud questions (60)
Click any question to see the full explanation, or start a practice session above.
1. Google Cloud encrypts all customer data at rest by default without any configuration required. A customer asks: 'Do we need to do anything special to encrypt our data stored in Cloud Storage?' What is the correct answer?
2. A security architect wants to implement a 'never trust, always verify' security approach where no user or service is assumed to be trustworthy based on network location alone. Every access request must be authenticated and authorized regardless of whether it comes from inside or outside the corporate network. Which security model describes this approach?
3. A company is concerned about which security responsibilities belong to Google versus which belong to them when using Google Cloud's managed database service (Cloud SQL). In the shared responsibility model, which security tasks does Google handle?
4. A healthcare company needs to store patient data in Google Cloud and must comply with HIPAA (Health Insurance Portability and Accountability Act). Which statement correctly describes how Google Cloud helps them achieve HIPAA compliance?
5. An organization uses Google Cloud Identity and Access Management (IAM). A new employee is a data engineer who needs to read BigQuery datasets and run queries but should NOT be able to create new datasets, delete tables, or modify IAM policies. Which IAM role should be assigned?
6. A company wants to ensure that sensitive data (credit card numbers, SSNs) stored in BigQuery is automatically identified and protected. They also want ongoing scanning to detect if any new data violates their data governance policies. Which Google Cloud service provides these capabilities?
7. When data is transmitted between a user's browser and a Google Cloud-hosted web application over HTTPS, which security protection does this provide?
8. A company is evaluating Google Cloud and wants to know: what is Access Transparency, and how does it benefit customers with stringent governance requirements?
9. A company stores its data in Google Cloud. The security team asks: can Google employees access our customer data without our knowledge or consent? What does Google's commitment ensure?
10. A regulated financial services firm must ensure that its data never leaves a specific geographic region (EU) for compliance with GDPR data residency requirements. Which Google Cloud features help enforce this requirement?
11. What compliance certification verifies that an organization's Information Security Management System (ISMS) meets internationally recognized standards for managing information security risks?
12. A company uses Google Workspace for identity. They want employees to use their Google Workspace credentials to access third-party applications (Salesforce, Slack, etc.) without separate passwords for each app. Which technology enables this?
13. A company's security policy requires all employees to verify their identity using more than just a password when accessing Google Cloud resources. What security feature enforces this requirement?
14. Google's physical data center security includes multiple layers of protection. Which of the following is NOT a physical security measure Google uses at its data centers?
15. A company has a requirement from their security auditor to demonstrate that all administrative actions performed in Google Cloud (such as creating VMs, modifying IAM policies, and deleting storage buckets) are logged and tamper-evident. Which Cloud Logging log type fulfills this requirement?
16. A company wants to ensure that even if an attacker compromises an employee's password and passes MFA, the attacker cannot access sensitive Google Cloud resources from an unmanaged personal laptop. Which Google security feature enforces device trust as part of access decisions?
17. A company stores customer data in Google Cloud and wants to ensure data confidentiality in the event that hardware is decommissioned and returned by Google. How does Google protect customer data when storage hardware reaches end of life?
18. A company uses Google Cloud and has a compliance requirement to store certain data only within the European Union and ensure it cannot be accessed from outside the EU, even by Google operations personnel. Which Google Cloud offering specifically addresses this level of data sovereignty?
19. A security team wants to get a comprehensive, organization-wide view of security misconfigurations (such as publicly accessible storage buckets, VMs without firewalls, and IAM overprivilege), vulnerabilities in container images, and active threats across all Google Cloud projects. Which Google Cloud service provides this unified security posture management?
20. A company wants to know: if Google Cloud experiences a data breach that exposes customer data, what are Google's notification obligations under standard Cloud service terms?
21. The principle of least privilege is a fundamental security concept applied to IAM in Google Cloud. Which statement best describes this principle?
22. A company uses service accounts to allow their application running on a Compute Engine VM to access Cloud Storage. Which is the most secure way to configure this service account access?
23. A company stores encryption keys in Cloud KMS to protect sensitive data. What does Cloud KMS provide that standard application-layer encryption does not?
24. A company classifies its data into four sensitivity levels: Public, Internal, Confidential, and Restricted. Which type of data would typically be classified as 'Restricted' and require the highest level of security controls?
25. A security team wants to ensure that only container images built by their approved CI/CD pipeline can run in their GKE cluster. Images built outside the approved process — even by internal engineers — should be blocked. Which Google Cloud security feature enforces this?
26. A company wants to allow a third-party security firm to conduct a penetration test against their Google Cloud environment to identify vulnerabilities. What is Google Cloud's policy on penetration testing?
27. Which Google Cloud feature provides reports on how Google processes government requests for customer data and how often Google challenges overly broad requests?
28. A company's application stores user passwords. Their security team says passwords must be stored as hashes, never in plaintext. They want to ensure this requirement is met even if a database is compromised. Why is password hashing (with salt) the correct approach?
29. An organization's security team reviews their Google Cloud environment and finds that several Cloud Storage buckets have `allAuthenticatedUsers` bindings, and multiple service accounts have the Owner role. Which Google Cloud tool automatically identifies these types of high-risk IAM configurations?
30. A company's security architect wants to implement 'privacy by design' principles when building a new customer data platform on Google Cloud. What does privacy by design mean in this context?
31. A company's security team wants to ensure that only approved corporate devices can access Google Cloud resources, regardless of whether the user has valid credentials. Which Google Cloud security capability enforces device-level access requirements?
32. A financial services company is subject to regulations requiring them to demonstrate that their cloud provider's employees cannot access customer data without the customer's explicit approval. Which Google Cloud feature most directly addresses this requirement?
33. A security team is reviewing a developer's request to be granted the 'Owner' role on a production Google Cloud project 'just in case they need broad access.' The security team rejects this and instead grants a more specific role. Which security principle does the security team's decision enforce?
34. A company is moving a regulated workload to Google Cloud and must ensure that their encryption keys are stored in a hardware security module (HSM) that meets FIPS 140-2 Level 3 validation. Which Google Cloud key management option satisfies this requirement?
35. A company has employees who use personal (unmanaged) devices to access corporate applications. The security team wants to prevent sensitive Google Workspace documents from being downloaded to personal devices. Which Google control most directly addresses this data loss prevention requirement for device-based scenarios?
36. A startup is building a web application and wants to protect it from common web attacks like SQL injection and cross-site scripting. Which Google Cloud product provides web application firewall (WAF) capabilities?
37. An organization wants to ensure that Google Cloud services used by its employees cannot be used to exfiltrate data to a competitor's Google Cloud project. For example, they want to prevent copying data from their Cloud Storage bucket to a Storage bucket owned by a competitor. Which Google Cloud security control most directly prevents this type of insider data exfiltration?
38. A company has migrated sensitive customer data to Google Cloud. The legal team asks: 'If Google is hosting our data, who is responsible for ensuring that data is not improperly accessed by unauthorized users through our application?' Under the shared responsibility model, how should the CTO answer?
39. A company's security policy requires that all cloud-to-cloud communication between services must be encrypted in transit. An auditor asks how Google Cloud handles encryption for network traffic between Google services within its network. What is Google's default approach to encryption in transit within its infrastructure?
40. A CISO is evaluating Google Cloud's security posture and asks about independent third-party validation of Google's security practices. Which types of certifications and audit reports most directly provide this independent assurance?
41. A company's security team wants to be alerted when someone with administrative permissions changes an IAM policy in their Google Cloud organization. Which Google Cloud capability enables this detection?
42. A multinational company must ensure that personal data of European citizens stored in Google Cloud cannot be accessed by or transferred to systems outside the European Union, as required by GDPR data residency requirements. Which Google Cloud controls most directly enforce this?
43. A security audit finds that a company's application service accounts have been granted broad IAM roles (e.g., Storage Admin on the entire project) when they only need to read specific Cloud Storage buckets. The auditor recommends following the principle of least privilege. What is the most precise way to implement this for the Cloud Storage use case?
44. An enterprise's security team is implementing a strategy to protect against 'credential stuffing' attacks — where attackers use lists of username/password combinations from previous data breaches to try to log in to the company's applications. Which authentication control most effectively mitigates this threat?
45. A developer accidentally commits an application's Google Cloud service account key to a public GitHub repository. The key is valid and grants access to production resources. What is the correct immediate response?
46. A CISO asks why Google Cloud's security model is described as a 'defense-in-depth' approach. Which explanation best describes this concept in the context of Google Cloud's infrastructure security?
47. A company runs a multi-tenant SaaS application on Google Cloud where each customer's data must be strictly isolated from other customers'. A security architect is evaluating approaches: (A) logical isolation using application-level tenant IDs in a shared database, (B) IAM-based separation using separate service accounts per tenant, or (C) infrastructure-level isolation with separate Google Cloud projects per tenant. Which approach provides the strongest isolation guarantee?
48. A company's compliance team asks what evidence they can provide to regulators to demonstrate that Google Cloud services meet industry security standards. Which type of documentation most directly provides this evidence?
49. A company is concerned that employees might accidentally or maliciously upload sensitive personal data (such as credit card numbers or Social Security Numbers) to Cloud Storage buckets. Which Google Cloud product can automatically scan uploaded files and identify sensitive data patterns?
50. A CISO is implementing a Zero Trust security architecture for the company's Google Cloud environment. Under Zero Trust, which fundamental assumption about network traffic changes compared to traditional perimeter-based security?
51. A company is moving its financial reporting application to Google Cloud. The CFO asks: 'If Google Cloud experiences a data breach and our financial data is exposed, who is financially liable?' How should the cloud architect answer this question?
52. An organization wants to use Google Cloud for processing healthcare data subject to HIPAA regulations in the United States. Which contractual document must the organization obtain from Google before storing Protected Health Information (PHI) in Google Cloud?
53. A CISO is designing an identity strategy for Google Cloud that follows Zero Trust principles. She proposes that no long-lived credentials (API keys, service account keys) should be used for any automated workloads. What Google Cloud mechanism replaces service account keys for authenticating workloads running on Google Cloud infrastructure?
54. A security team is conducting a threat model for their Google Cloud environment. They identify 'insider threat' — a malicious authorized employee who intentionally exfiltrates or destroys data — as a key risk. Which combination of Google Cloud controls most effectively mitigates this risk?
55. A company wants to ensure that their confidential data stored in BigQuery cannot be shared outside the company's Google Cloud organization. Which Google Cloud security capability prevents data from being shared with external Google accounts (outside the organization)?
56. A company's security policy requires that when an employee is terminated, their access to all cloud resources must be revoked immediately — including any active sessions. Which approach most comprehensively achieves this in a Google Cloud environment integrated with Google Workspace?
57. A company's risk management team wants to understand Google Cloud's approach to supply chain security — specifically, how Google ensures that the hardware and firmware running in its data centers have not been tampered with. Which Google security initiative addresses hardware supply chain integrity?
58. A company's application stores sensitive customer information in Cloud Storage. A security audit finds that one bucket has 'allUsers' access granted (making it publicly accessible on the internet). The security team wants to prevent this from happening in the future. Which control prevents public access from being granted to Cloud Storage buckets?
59. A company's employees use Google Workspace for email, documents, and collaboration. The IT team wants to require all employees to use a physical security key (like a YubiKey) as their second authentication factor when signing in — eliminating phishing-vulnerable SMS and authenticator app codes. Which Google Workspace security capability supports this requirement?
60. A security architect is evaluating Google Cloud's approach to securing customer data against both external attackers and potential internal Google personnel access. She identifies four distinct controls: (1) encryption at rest by default, (2) Access Transparency logs, (3) Customer-Managed Encryption Keys (CMEK), and (4) Access Approval. How do these four controls work together to provide layered data protection?
Watch out for
Common Trust and security with Google Cloud exam traps
- IaaS gives you infrastructure control; SaaS gives you only the application.
- Hybrid cloud combines on-premises and public cloud — not two public clouds.
- Cloud does not automatically mean cheaper or more secure.
- Management responsibility shifts with each service model (IaaS → PaaS → SaaS).
Frequently asked questions
- What does the Trust and security with Google Cloud domain cover on the GCDL exam?
- Cloud concepts questions usually test the service model (IaaS/PaaS/SaaS) and deployment model (public/private/hybrid/community) appropriate for a given scenario.
- How many questions are in this domain?
- This page lists all 60 Trust and security with Google Cloud questions in the GCDL question bank. The actual exam draws from this domain proportionally to its weighting in the official exam blueprint.
- What is the best way to practise this domain?
- Start with a short focused session (10 questions) to identify gaps, then use the interactive practice page to work through explanations. Repeat with a longer session once the weak areas feel solid.
- Can I practise only Trust and security with Google Cloud questions?
- Yes — the session launcher on this page filters questions to this domain only. Choose any session length or try the interactive practice page for inline explanations.