🔥 3-day streak
Professional Cloud Security Engineer64 / 152
Question 64 of 152

A data engineering team at a healthcare analytics company must de-identify a customer email address column before loading data into BigQuery for analysts. Requirements: (1) the same email must always produce the same token so analysts can perform GROUP BY joins across tables, (2) the wrapped cryptographic key used for tokenization must never be embedded in the Sensitive Data Protection (DLP) template or stored in plaintext, and (3) the security team must be able to rotate the key material centrally. Which configuration satisfies all requirements?

Reviewed for accuracy · Report an issueNext question