You work for a financial institution that lets customers register online. As new customers register, their user data is sent to Pub/Sub before being ingested into BigQuery. For security reasons, you decide to redact your customers’ Government issued Identification Number while allowing customer service representatives to view the original values when necessary. What should you do?
A. Use BigQuery’s built-in AEAD encryption to encrypt the SSN column. Save the keys to a new table that is only viewable by permissioned users.
B. Use BigQuery column-level security. Set the table permissions so that only members of the Customer Service user group can see the SSN column.
C. Before loading the data into BigQuery, use Cloud Data Loss Prevention (DLP) to replace input values with a cryptographic hash.
D. Before loading the data into BigQuery, use Cloud Data Loss Prevention (DLP) to replace input values with a cryptographic format-preserving encryption token.
Answer
D