CASE STUDY: HealthSecure. 50M patient records. Legacy mainframe, on-prem SAN (100TB), .NET portal. Req: Modernize portal, secure hospital sharing, fast audits. CEO: Modern UX. CFO: Automate audits. CISO: Zero breaches. Tech: HIPAA, CMEK, audit logging, API gateway, DR (1h RPO/4h RTO). Constraints: No public DB IPs, Dev/Ops separation, US data only, mainframe stays on-prem via VPN.
To meet the 1-hour RPO and 4-hour RTO for the modernized portal database, which architecture should you implement?
GCP PCA · Question 18 · Domain 3: Designing for Security and Compliance
CASE STUDY: HealthSecure. 50M patient records. Legacy mainframe, on-prem SAN (100TB), .NET portal. Req: Modernize portal, secure hospital sharing, fast audits. CEO: Modern UX. CFO: Automate audits. CISO: Zero breaches. Tech: HIPAA, CMEK, audit logging, API gateway, DR (1h RPO/4h RTO). Constraints: No public DB IPs, Dev/Ops separation, US data only, mainframe stays on-prem via VPN.
How should you implement Customer-Managed Encryption Keys (CMEK) while enforcing the strict separation of duties between Dev and Ops?
Answer options:
Store keys in the application code repository.
Create a dedicated KMS project managed by Security/Ops, and grant Encrypter/Decrypter roles to Dev service accounts.
Give Devs Project Owner access so they can manage their own keys.
Use Google-managed encryption keys instead.
50 questions · hints · full answers · grading
Expert