Google Professional-Cloud-Security-Engineer Exam With Confidence Using Practice Dumps

To ensure that payment information is encrypted between the customer’s browser and Google Cloud Platform during checkout, the company should configure an SSL certificate on an L7 (Layer 7) Load Balancer. Here’s why this is the best solution:

SSL/TLS Termination: An L7 Load Balancer can handle SSL/TLS termination, which means it can decrypt HTTPS traffic, offloading the work from the backend servers. This is essential for handling encrypted connections securely.

HTTPS Configuration: By configuring an SSL certificate, the load balancer ensures that all traffic between the customer’s browser and the application is encrypted using HTTPS.

Security Best Practices: Using an L7 Load Balancer with an SSL certificate aligns with best practices for securing web applications, particularly for e-commerce sites handling sensitive payment information.

Managed Certificates: Google Cloud offers managed SSL certificates, which simplifies the process of obtaining, deploying, and renewing SSL certificates.

Implementation Steps:

Obtain an SSL certificate.

Configure the L7 Load Balancer in the GCP Console.

Associate the SSL certificate with the load balancer.

Ensure that the backend services are configured to handle HTTPS traffic.

Google Cloud Load Balancing Documentation

Setting up HTTPS Load Balancing

The standard and most efficient way to stream logs from Google Cloud (including Workspace logs that are shared with Google Cloud) to an external SIEM is via Cloud Logging Sinks pointing to Pub/Sub.5

According to Google Cloud Documentation (Architecture for exporting Cloud Logging logs):

"To stream logs to a third-party SIEM in real-time, you should create a log sink in Cloud Logging. The sink filters for specific logs (e.g., resource.type="audited_resource" and methodName:"login") and exports them to a Pub/Sub topic. The SIEM can then subscribe to this topic to pull events immediately as they are generated."

Why other options are incorrect:

A is incorrect: Exporting to Cloud Storage is for long-term archiving/compliance and is not real-time (it usually involves batched files every few hours).

C is incorrect: Polling via CLI is not scalable, introduces latency, and is prone to failure in production environments.

D is incorrect: Google Workspace does not have a native "direct push" feature for SIEM endpoints; it typically requires an intermediate step like Pub/Sub or BigQuery.