A healthcare organization stores patient data in BigQuery. They need to encrypt a specific column (e.g., SSN) using a key they manage, and decrypt it only for authorized queries via a user-defined function. Which approach should they use?
AEAD functions allow encrypting specific columns and decrypting via a SQL function, using keys from Cloud KMS.
Why this answer
BigQuery AEAD encryption functions (`AEAD.ENCRYPT`, `AEAD.DECRYPT_STRING`, `AEAD.DECRYPT_BYTES`) encrypt individual column values with a Tink keyset. With `KEYS.NEW_WRAPPED_KEYSET` and `KEYS.KEYSET_CHAIN`, that keyset is itself wrapped by a customer-managed key in Cloud KMS, so BigQuery never stores the raw key material and every encrypt/decrypt call is gated by Cloud KMS IAM. The decrypt call can then be placed inside a SQL user-defined function (exposed as an authorized function or behind an authorized view) so that only callers granted access to that function, and holding decrypt permission on the KMS key, ever see plaintext. This meets the requirement of per-column encryption with a customer-managed key and authorized decryption via a UDF.
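The pattern described above, as an added example (not code from the original page): one wrapped keyset generated once and stored as bytes, the SSN column encrypted at load time with the patient ID bound in as additional authenticated data, and decryption reachable only through a UDF. The project, dataset, table and Cloud KMS key names are placeholders; the `phi.patients_raw` source table is assumed to exist with `patient_id`, `name` and `ssn` columns.

```sql
-- Added example, not from the original page. 'my-project', 'phi', the key ring
-- and key name are placeholders. The user running these statements needs the
-- Cloud KMS CryptoKey Encrypter/Decrypter role on the key.
DECLARE kms_key STRING DEFAULT
  'gcp-kms://projects/my-project/locations/us/keyRings/phi-ring/cryptoKeys/ssn-key';

-- 1. Create a Tink AEAD keyset wrapped by the Cloud KMS key and keep only the
--    wrapped bytes. Run once; the plaintext keyset never exists in BigQuery.
CREATE TABLE IF NOT EXISTS phi.keysets (name STRING, wrapped_keyset BYTES);
INSERT INTO phi.keysets (name, wrapped_keyset)
VALUES ('ssn', KEYS.NEW_WRAPPED_KEYSET(kms_key, 'AEAD_AES_GCM_256'));

-- 2. Encrypt the SSN column. patient_id is passed as additional authenticated
--    data, so a ciphertext moved to another patient's row fails to decrypt.
CREATE OR REPLACE TABLE phi.patients AS
SELECT
  r.patient_id,
  r.name,
  AEAD.ENCRYPT(
    KEYS.KEYSET_CHAIN(kms_key, k.wrapped_keyset),
    r.ssn,
    r.patient_id) AS ssn_enc
FROM phi.patients_raw AS r
CROSS JOIN (SELECT wrapped_keyset FROM phi.keysets WHERE name = 'ssn') AS k;

-- 3. Decrypt only through a function. The KMS path is repeated as a literal
--    because a persistent function body cannot reference a script variable.
--    Authorize this function on the dataset (or wrap it in an authorized view)
--    so callers never need direct read access to phi.keysets.
CREATE OR REPLACE FUNCTION phi.decrypt_ssn(ssn_enc BYTES, patient_id STRING)
RETURNS STRING AS (
  AEAD.DECRYPT_STRING(
    KEYS.KEYSET_CHAIN(
      'gcp-kms://projects/my-project/locations/us/keyRings/phi-ring/cryptoKeys/ssn-key',
      (SELECT wrapped_keyset FROM phi.keysets WHERE name = 'ssn')),
    ssn_enc,
    patient_id)
);

-- Authorized query. A tampered ciphertext or a mismatched patient_id makes
-- AEAD.DECRYPT_STRING raise an error rather than return garbage.
SELECT patient_id, phi.decrypt_ssn(ssn_enc, patient_id) AS ssn
FROM phi.patients
WHERE patient_id = 'P-0001';
```

Two things worth checking in practice: `KEYS.KEYSET_CHAIN` calls Cloud KMS on behalf of the querying user, so a caller who has been granted the function but lacks decrypt permission on the KMS key still gets an error, which is the second gate the question is after; and if you need equality joins or `WHERE ssn = ...` on the encrypted column, use `DETERMINISTIC_ENCRYPT` / `DETERMINISTIC_DECRYPT_STRING` instead, accepting that identical plaintexts then produce identical ciphertexts.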
Exam trap
Google Cloud exams often test the distinction between storage-level encryption (CMEK) and column-level encryption (AEAD functions). Candidates mistakenly choose CMEK because it also involves Cloud KMS, but CMEK applies to a whole table or dataset, is transparent to every reader with table access, and offers no per-column encryption or UDF-controlled decryption.
How to eliminate wrong answers
Option B is wrong because BigQuery column-level access control (policy tags) only restricts who may read the column; the value is still stored and returned as plaintext to anyone granted the tag, with no customer-managed key involved, so it does not satisfy the encryption requirement (BigQuery's default Google-managed encryption at rest applies regardless and is not what the question asks for). Option C is wrong because CMEK encrypts the whole table or dataset at the storage level, not a specific column, and decryption is transparent for any user with read access rather than controlled through a UDF. Option D is wrong because Cloud DLP (Sensitive Data Protection) de-identifies data as a separate transformation step (masking, tokenization, or format-preserving encryption with a KMS-wrapped key); any re-identification happens through the DLP API, not inside a BigQuery query, so it does not give dynamic per-query decryption via a UDF.