Maximizing Encryption Control for Data at Rest in BigQuery - PCSE Exam Answer

Question

A large financial institution is moving its Big Data analytics to Google Cloud Platform.

They want to have maximum control over the encryption process of data stored at rest in BigQuery.

What technique should the institution use?

Answers

Explanations

A. B. C. D.

C.

https://cloud.google.com/bigquery/docs/encryption-at-rest

The correct answer is C. Customer-managed encryption keys (CMEK).

Explanation: When storing data at rest in BigQuery, Google Cloud Platform (GCP) offers two options for encryption: default encryption and customer-managed encryption keys (CMEK).

Default encryption is the encryption that is automatically applied to data at rest in BigQuery by Google using its own encryption keys.

In contrast, customer-managed encryption keys (CMEK) allow customers to have maximum control over the encryption process of data stored at rest in BigQuery. With CMEK, the customer generates, stores, and manages their own encryption keys. These keys are then used to encrypt and decrypt the data at rest in BigQuery. By doing this, the customer has exclusive access to the encryption keys, and no one else can access the data without the customer's permission.
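To verify which tables actually use CMEK rather than default encryption, the following added example (not part of the original answer) audits BigQuery table metadata of the kind returned by `bq show --format=prettyjson`, where a CMEK-protected table carries `encryptionConfiguration.kmsKeyName`. The project, dataset and key names, the sample tables, and the rule that keys must live in an approved key project are constructed assumptions.

```python
import re

# Cloud KMS key name as it appears in a BigQuery table resource under
# encryptionConfiguration.kmsKeyName (an optional version suffix is tolerated).
KMS_KEY_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/keyRings/(?P<ring>[^/]+)/cryptoKeys/(?P<key>[^/]+)"
    r"(?:/cryptoKeyVersions/[^/]+)?$"
)

def classify_table(table, approved_key_projects):
    """Return (status, detail) for one table resource dict."""
    key_name = (table.get("encryptionConfiguration") or {}).get("kmsKeyName")
    if not key_name:
        return "default-encryption", "no kmsKeyName set"
    m = KMS_KEY_RE.match(key_name)
    if m is None:
        return "malformed-key", key_name
    if m["project"] not in approved_key_projects:
        return "unapproved-key-project", m["project"]
    return "cmek", f'{m["location"]}/{m["ring"]}/{m["key"]}'

def audit(tables, approved_key_projects):
    """Map 'project.dataset.table' -> (status, detail)."""
    findings = {}
    for t in tables:
        ref = t["tableReference"]
        name = f'{ref["projectId"]}.{ref["datasetId"]}.{ref["tableId"]}'
        findings[name] = classify_table(t, approved_key_projects)
    return findings

def non_compliant(findings):
    """Tables that are not protected by an approved customer-managed key."""
    return sorted(n for n, (status, _) in findings.items() if status != "cmek")

# Constructed sample metadata (hypothetical projects, datasets and keys).
def _tbl(table_id, kms_key=None):
    t = {"tableReference": {"projectId": "fin-analytics", "datasetId": "ledger", "tableId": table_id}}
    if kms_key:
        t["encryptionConfiguration"] = {"kmsKeyName": kms_key}
    return t

SAMPLE_TABLES = [
    _tbl("trades", "projects/fin-kms/locations/us/keyRings/bq/cryptoKeys/ledger-key"),
    _tbl("staging_import"),  # no key configured: default encryption
    _tbl("vendor_feed", "projects/vendor-proj/locations/us/keyRings/x/cryptoKeys/k"),
]
APPROVED = {"fin-kms"}  # assumption: keys must live in this dedicated project
```

Calling `non_compliant(audit(SAMPLE_TABLES, APPROVED))` lists the tables that still rely on default encryption or on a key outside the approved project.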

Using a Cloud Hardware Security Module (Cloud HSM) is not a bad option, but it's more expensive and time-consuming than using CMEK. Cloud HSM is a dedicated hardware device that is used to store and manage encryption keys. It provides a higher level of security and control over encryption keys, but it requires more management overhead and has a higher cost associated with it.

Using Cloud Storage as a federated data source is not relevant to the question at hand, as it is a technique for combining data from multiple data sources, not for encrypting data at rest.

Customer-supplied encryption keys (CSEK) are similar to CMEK, but they are not recommended for this use case because they do not provide the same level of control and security as CMEK. With CSEK, the customer provides the encryption keys to Google, which then uses them to encrypt and decrypt the data at rest in BigQuery. This means that Google still has access to the encryption keys, which may be a concern for customers who want maximum control over their data.