Topic 1 Question 179
You are building a real-time prediction engine that streams files, which may contain PII (personal identifiable information) data, into Cloud Storage and eventually into BigQuery. You want to ensure that the sensitive data is masked but still maintains referential integrity, because names and emails are often used as join keys. How should you use the Cloud Data Loss Prevention API (DLP API) to ensure that the PII data is not accessible by unauthorized individuals?
Create a pseudonym by replacing the PII data with cryptogenic tokens, and store the non-tokenized data in a locked-down button.
Redact all PII data, and store a version of the unredacted data in a locked-down bucket.
Scan every table in BigQuery, and mask the data it finds that has PII.
Create a pseudonym by replacing PII data with a cryptographic format-preserving token.
ユーザの投票
コメント(17)
- 正解だと思う選択肢: D
D is the answer.
https://cloud.google.com/dlp/docs/pseudonymization#supported-methods Format preserving encryption: An input value is replaced with a value that has been encrypted using the FPE-FFX encryption algorithm with a cryptographic key, and then prepended with a surrogate annotation, if specified. By design, both the character set and the length of the input value are preserved in the output value. Encrypted values can be re-identified using the original cryptographic key and the entire output value, including surrogate annotation.
👍 4zellck2022/11/29 - 正解だと思う選択肢: D
Answer D makes more sense to me. Source: https://cloud.google.com/dlp/docs/pseudonymization
👍 3devaid2022/10/16 - 正解だと思う選択肢: A
[B] and [C] aren't correct since they don't preserve referential integrity. [A] describes, in other words, Cryptographic hashing, where the sensitive data is replaced with a hashed value. The hashed value can't be reversed (https://cloud.google.com/dlp/docs/transformations-reference#crypto-hashing) so the phrase "store the non-tokenized data in a locked-down button (bucket)" ensures that data can be restored if needed. [D] seems to be a valid option too. However, in https://cloud.google.com/dlp/docs/pseudonymization#fpe-ffx, there is a warning: "FPE provides fewer security guarantees compared to other deterministic encryption methods such as AES- SIV ... ... For these reasons, Google strongly recommends using deterministic encryption with AES-SIV instead of FPE for all security sensitive use cases" Since there is no option to select Deterministic Encryption, and the question doesn't require to preserve the format of the data (keep the same length of data), I choose [A] as a more secure approach.
👍 3NicolasN2022/11/04
シャッフルモード