Google Cloud Professional Data Engineer Exam

To centrally manage diverse key management requirements across different jurisdictions, what should you use?

• A. Enable confidential computing
• B. Store keys in Cloud KMS
• C. Store keys with a hardware security module
• D. Use Cloud External Key Manager (EKM)

The correct answer is: Use Cloud External Key Manager (EKM)

Utilizing Cloud External Key Manager (EKM) is the best approach for centrally managing diverse key management requirements across different jurisdictions. EKM allows organizations to manage cryptographic keys used in Google Cloud services while retaining control over those keys externally. This capability supports compliance with various regulations and jurisdictions that may require organizations to maintain keys in specific locations or under particular governance controls. By using EKM, you can integrate a hardware security module (HSM) or other key management solution from outside of Google Cloud, allowing for enhanced control and flexibility over key management practices. This is particularly important for organizations operating in multiple regions where local laws and regulations dictate how and where sensitive data and cryptographic keys should be stored and managed. In contrast, other options, such as enabling confidential computing or storing keys in Cloud KMS, do not provide the same level of external control and may not meet the diverse legal requirements across jurisdictions. Storing keys with a hardware security module could provide security benefits, but without the centralized, jurisdiction-aware management that EKM offers, it may fall short in effectively addressing the diverse key management needs across different legal environments.