Google Cloud Platform (GCP) Security and Responsibility for App Engine Workloads

Responsibility for App Engine Workloads in Google Cloud Platform

Question

An organization's security and risk management teams are concerned about where their responsibility lies for certain production workloads they are running in Google Cloud Platform (GCP), and where Google's responsibility lies.

They are mostly running workloads using Google Cloud's Platform-as-a-Service (PaaS) offerings, including App Engine primarily.

Which one of these areas in the technology stack would they need to focus on as their primary responsibility when using App Engine?

Answers

A. Configuring and monitoring VPC Flow Logs
B. Defending against XSS and SQLi attacks
C. Manage the latest updates and security patches for the Guest OS
D. Encrypting all stored data

Explanations

Correct answer: B.

When running workloads on Google Cloud Platform (GCP), it is important to understand the shared responsibility model for security. The model divides security duties between the cloud provider (Google) and the customer (the organization using GCP), and where the line falls depends on the service model: infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), or software-as-a-service (SaaS). The higher up the stack the service sits, the more Google takes on; in every model the customer keeps responsibility for its own application code, its data, and who is allowed to access them.

In this case the organization is mostly using a PaaS offering, App Engine. Google operates everything from the physical hardware up through the managed runtime, so the customer's responsibility begins at the application it deploys.

Option A, "Configuring and monitoring VPC Flow Logs," is network-layer telemetry. Flow logs are a monitoring aid for networks the customer builds and operates; under the PaaS model the network beneath App Engine is operated and secured by Google, so this is not the customer's primary responsibility area.

Option B, "Defending against XSS and SQLi attacks," is application-level security. App Engine runs the customer's code as supplied; it does not rewrite the application to neutralize cross-site scripting or SQL injection, and no managed runtime can, because both flaws come from how the application itself handles untrusted input (unescaped output, string-built queries). Input validation, output encoding, parameterized queries and dependency hygiene stay with the customer under every service model, and on App Engine the application layer is the first layer that is the customer's alone. This is the primary responsibility area.

Option C, "Manage the latest updates and security patches for the Guest OS," is Google's responsibility on App Engine. It is a fully managed service: Google patches the operating system and the managed runtime images beneath the application. (The customer still keeps its own application dependencies current, but that is part of application security, not guest OS management.)

Option D, "Encrypting all stored data," is largely done for the customer. Google encrypts customer data at rest by default across its storage services, including the datastores App Engine applications typically use, and encrypts it in transit within its infrastructure. What remains for the customer is deciding whether to supply its own keys (customer-managed encryption keys) and how to classify and control access to the data; encrypting stored data is not something the customer has to do itself, so it is not the primary responsibility area.

In summary, when using App Engine the organization's primary responsibility is the security of the application code it deploys, in particular defending against injection and cross-site scripting. The guest OS, the network beneath the runtime and the default encryption of stored data are handled by Google; the organization's remaining work in those areas is configuration and access control, not operating the controls themselves.
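The two application-layer defences that option B leaves to the customer, parameterized queries against SQL injection and output encoding against XSS, shown as an added example. This is not code from the original page and not Google's or App Engine's code; it assumes an in-memory SQLite database standing in for a Cloud SQL table, and the table, rows and attacker inputs are constructed for the demonstration. The vulnerable and hardened forms sit side by side so the difference in behaviour on the same input is visible.

```python
"""Added example: the application-layer controls a PaaS customer still owns.

SQLite (standard library) stands in for Cloud SQL so this runs offline; the
schema, rows and attacker inputs below are constructed for the demo.
"""
import html
import sqlite3

# Constructed sample data: a multi-tenant user table.
SAMPLE_USERS = [
    ("alice", "alice@example.com", "tenant-a"),
    ("bob", "bob@example.com", "tenant-b"),
    ("carol", "carol@example.com", "tenant-b"),
]

# Constructed attacker inputs.
SQLI_PAYLOAD = "x' OR '1'='1"
XSS_PAYLOAD = "<script>alert(1)</script>"


def make_db() -> sqlite3.Connection:
    """Build the in-memory table that stands in for a Cloud SQL instance."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, tenant TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, tenant: str) -> list:
    """SQLi: the tenant value is spliced into the SQL text, so a quote in the
    input lets the caller rewrite the WHERE clause."""
    sql = f"SELECT name, email FROM users WHERE tenant = '{tenant}' ORDER BY name"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, tenant: str) -> list:
    """Parameterized query: the value is bound as data and never parsed as SQL."""
    sql = "SELECT name, email FROM users WHERE tenant = ? ORDER BY name"
    return conn.execute(sql, (tenant,)).fetchall()


def render_vulnerable(name: str) -> str:
    """XSS: user-controlled text is interpolated straight into HTML."""
    return f"<p>Hello, {name}</p>"


def render_hardened(name: str) -> str:
    """Output encoding: html.escape neutralizes <, >, &, and both quote characters."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


def demo() -> dict:
    """Run both attacks against both implementations and report the outcome."""
    conn = make_db()
    return {
        "sqli_rows_vulnerable": len(lookup_vulnerable(conn, SQLI_PAYLOAD)),
        "sqli_rows_hardened": len(lookup_hardened(conn, SQLI_PAYLOAD)),
        "xss_tag_survives_vulnerable": "<script>" in render_vulnerable(XSS_PAYLOAD),
        "xss_tag_survives_hardened": "<script>" in render_hardened(XSS_PAYLOAD),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable lookup returns every row for the injected tenant value because the input closes the string literal and appends an always-true condition; the parameterized version returns nothing, since no tenant is literally named `x' OR '1'='1`. Neither fix involves anything the platform could apply on the customer's behalf, which is the point of option B.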