What Is Data Encryption and Protection in Google Cloud?
Data encryption and protection is the bundle of Google Cloud services and default behaviors that keep customer data confidential, tamper-resistant, and out of the wrong hands. For the Cloud Digital Leader (CDL) exam, encryption is the second pillar of cloud security after Identity and Access Management (IAM). IAM decides who can touch the data; encryption decides what they see if they manage to touch it anyway. A stolen disk, a misrouted network packet, a snooping insider, a misconfigured bucket — encryption is the safety net under every one of these failure modes.
The CDL exam does not ask you to write Cloud KMS API calls or pick AES block sizes. Instead, it tests whether you, as a business leader, can answer questions like: "Do we need to do anything to encrypt our BigQuery datasets?" (No — it is automatic.) "What if our compliance team insists we hold the keys ourselves?" (Use Customer-Managed Encryption Keys, also known as CMEK.) "How do we stop credit card numbers from leaking into log files?" (Cloud DLP, recently renamed Sensitive Data Protection.) "Where do we store the API key that our application needs at runtime?" (Secret Manager.) "How do we prevent a rogue insider from copying data out of our perimeter?" (VPC Service Controls.) These are the kinds of decisions the CDL exam expects you to make confidently.
Google Cloud's encryption story rests on a simple principle: encryption should be on by default, with progressively more control available when the business needs it. Every byte of customer data written to Google Cloud is encrypted at rest with Google-managed keys — you cannot turn this off, and you do not need to configure anything. If you need more control, you can layer Customer-Managed Encryption Keys (CMEK) via Cloud KMS on top. If you need still more control, you can supply your own raw key material with Customer-Supplied Encryption Keys (CSEK). And if you need to encrypt the data even while it is being processed in memory, Confidential Computing provides that final layer through AMD SEV and Intel TDX hardware features.
Encryption at Rest: The Default Foundation
Encryption at rest means encrypting data when it is stored — on disks, in databases, in object stores, in backups. For the CDL exam, the single most important fact about encryption at rest in Google Cloud is that it is enabled by default for every service, with no configuration required.
Google-Managed Encryption (the Default)
When you upload a file to Cloud Storage, write a row to BigQuery, take a snapshot of a Compute Engine disk, or store a row in Cloud SQL, Google Cloud automatically:
- Generates a Data Encryption Key (DEK) for the chunk of data.
- Encrypts the data with the DEK using AES-256.
- Wraps (encrypts) the DEK with a Key Encryption Key (KEK) stored inside Google's internal Key Management Service.
- Stores the wrapped DEK alongside the encrypted data.
This entire process is invisible to you. You do not see the keys, you do not pay extra for the encryption, and you cannot turn it off. From a CDL perspective, the message to the business is: "All of our Google Cloud data is already encrypted at rest, automatically, at no additional cost."
Customer-Managed Encryption Keys (CMEK)
Customer-Managed Encryption Keys (CMEK) let you supply the Key Encryption Key from Cloud Key Management Service (Cloud KMS) instead of letting Google generate it internally. The Data Encryption Key still encrypts your data, but Google must call your Cloud KMS key to unwrap the DEK every time the data is accessed. If you disable or destroy your CMEK key, the data is effectively unreadable — even by Google.
CMEK is the right answer when:
- A compliance framework (HIPAA, PCI-DSS, FedRAMP, certain banking regulations) requires the customer to control the encryption keys.
- The security team wants the ability to revoke access instantly by disabling a key, without contacting Google support.
- An audit needs to log every use of an encryption key via Cloud Audit Logs.
Customer-Supplied Encryption Keys (CSEK)
Customer-Supplied Encryption Keys (CSEK) go one step further: you provide the raw key material in every API request, and Google never stores it. This is the most extreme version of "you hold the keys," but it also carries the most operational risk — if you lose the key, the data is permanently unrecoverable. CSEK is supported by a narrower set of services (mainly Cloud Storage and Compute Engine) and is rarely the right answer outside of highly regulated workflows.
Google-managed keys are NOT the same as "unencrypted." Some candidates assume that because they did not configure anything, their data is somehow exposed. In reality, Google-managed encryption is the default encryption — every byte on disk is encrypted with AES-256. CMEK does not add encryption that was not there; it only changes who holds the Key Encryption Key. The CDL exam loves to test this distinction with answer choices like "enable encryption on Cloud Storage" (wrong — it is already on) versus "configure CMEK using Cloud KMS" (the right answer when the business requires customer control). Reference: https://cloud.google.com/docs/security/encryption/default-encryption
Encryption in Transit: Protecting Data on the Wire
Encryption in transit means encrypting data while it is moving across a network — between your laptop and a Google Cloud API endpoint, between two Compute Engine VMs in different regions, between an on-premises data center and Google Cloud over a Cloud Interconnect link.
TLS by Default for All Google Cloud APIs
Every Google Cloud API endpoint requires Transport Layer Security (TLS) — typically TLS 1.2 or higher. When the gcloud CLI, the Cloud Console, the BigQuery driver, or a Cloud Run service makes an API call, the entire request and response are encrypted on the wire. As with encryption at rest, this is not something you configure — it is the default and cannot be turned off.
Inside Google's network, traffic between services is also encrypted automatically. When data moves between two regions inside Google Cloud — say, replication between a Spanner instance in us-central1 and one in europe-west4 — it crosses Google's private global backbone and is encrypted in transit, region-to-region, without your needing to do anything.
Identity-Aware Proxy (IAP) for Application Access
Identity-Aware Proxy (IAP) sits in front of HTTPS applications and Compute Engine VMs and authenticates every request before it reaches the backend. IAP enforces TLS and ties access to IAM principals, so an application can be reachable only by named users or groups — no VPN needed. For the CDL exam, IAP is the answer when a business wants to "remove the VPN" while still requiring authenticated, encrypted access to internal apps.
Cloud VPN and Cloud Interconnect for Hybrid Links
When you connect an on-premises data center to Google Cloud, you have two main options for encrypted hybrid networking:
- Cloud VPN — IPsec tunnels over the public internet. Traffic is encrypted by IPsec. Suitable for moderate bandwidth and quick setup.
- Cloud Interconnect — dedicated physical lines (Dedicated Interconnect) or partner-provided lines (Partner Interconnect). Traffic is not automatically encrypted at the IPsec layer, but you can layer HA VPN over Cloud Interconnect or use MACsec for line-rate encryption.
For the CDL exam, remember that Cloud VPN gives you encrypted hybrid connectivity over the public internet, and Cloud Interconnect gives you private, low-latency hybrid connectivity that you can additionally encrypt if regulations require.
白話文解釋(Plain English Explanation)
Encryption is one of those topics where the math feels intimidating, but the everyday-life parallels are surprisingly clear. The three analogies below each highlight a different aspect of Google Cloud's encryption and data-protection story.
Analogy 1 — The Bank Vault With Multi-Layer Security (Cloud KMS, CMEK, and the Key Hierarchy)
Picture a Taiwanese bank with a fortified gold vault in the basement. The gold bars inside are your data. The vault door is AES-256 encryption — physically impossible to break without the key. But here is the part most people miss: the bank does not leave the vault key in the door. The vault key is locked inside a smaller safe on the second floor. And that smaller safe is locked with a key held by the bank's security director.
This is exactly how Google Cloud encryption works under the hood. The Data Encryption Key (DEK) is the vault key. The DEK is wrapped (encrypted) by a Key Encryption Key (KEK) stored inside Cloud KMS — that is the smaller safe upstairs. With default Google-managed encryption, Google holds the security director's key. With Customer-Managed Encryption Keys (CMEK), you hold the security director's key in your own Cloud KMS KeyRing.
Now imagine the bank also offers a premium service: the customer brings their own key, hands it over for each visit, and the bank never keeps a copy. That is Customer-Supplied Encryption Keys (CSEK). The upside is total control. The downside is that if you lose your key on the way home, the gold is gone forever — even the bank cannot get it back. Most customers do not need this level of paranoia; CMEK is the sweet spot for compliance-driven workloads.
The Cloud KMS hierarchy mirrors how a real bank organizes its safes. A KeyRing is the safe-deposit-box room — a logical container in a specific region. Each CryptoKey is one safe-deposit box. Each CryptoKeyVersion is one physical key cut for that box — when you rotate the key, the old version still exists (so you can still unlock data encrypted by it), but new encryption operations use the new version. Crucially, the bank does not let you melt down a key the same day you decide to discard it; there is a 24-hour-minimum scheduled deletion window so you can change your mind. Google Cloud enforces the same safety pattern: KMS key destruction is scheduled, not immediate, defaulting to a 30-day waiting period.
Analogy 2 — The Sealed Envelope and the Encrypted Postmark (Encryption in Transit, IAP, and VPN)
Now imagine you are sending a love letter from Taipei to Tokyo via the postal system. You write the letter, put it in an envelope, and drop it in the post box. Between you and the recipient, the letter passes through dozens of hands — your local post office, an airport sorting facility, the international mail center, the destination courier. Encryption in transit is what happens when you seal the envelope and add a tamper-evident wax stamp. Anyone who intercepts the envelope in transit cannot read the letter without breaking the seal, and the recipient will see immediately if it has been opened.
In Google Cloud, every API call is automatically wrapped in TLS — the digital wax seal. When the gcloud CLI talks to BigQuery, when your browser opens the Cloud Console, when one Cloud Run service calls another, the entire conversation is sealed end-to-end. You cannot send a Google Cloud API call without TLS even if you tried.
What about more sensitive deliveries? Imagine a diplomatic courier service: instead of the public postal system, the letter travels in a locked diplomatic pouch carried by an identified courier through known checkpoints. That is Cloud VPN — an IPsec tunnel that encrypts traffic between your on-premises data center and Google Cloud over the public internet. For even tighter control, you might charter a private armored shuttle that bypasses public roads entirely — that is Cloud Interconnect, a dedicated physical link with optional MACsec encryption.
And then there is the human factor: who is allowed to receive the letter? You can encrypt the envelope perfectly, but if the recipient turns out to be an impostor, the encryption did not save you. That is where Identity-Aware Proxy (IAP) comes in — it checks the recipient's ID badge against an IAM principal list before handing over the letter. The CDL takeaway: encryption protects the letter in transit, but IAM and IAP control who can open it on the other end. Together with Cloud DLP scanning the contents for sensitive infotypes, the three layers cover the whole lifecycle of a digital "letter."
Analogy 3 — The Airport Three-Layer Security Check (DLP, Secret Manager, VPC Service Controls)
Picture Taipei Taoyuan International Airport. To get from check-in to the airplane, your bag passes through three independent layers of security: an X-ray machine that scans contents, an identity check at the gate, and a physical perimeter around the runway that nothing leaves except via a customs-cleared aircraft. These three layers map almost perfectly to three Google Cloud data-protection services.
The X-ray machine is Cloud DLP, now officially renamed Sensitive Data Protection. Cloud DLP inspects your data — files in Cloud Storage, tables in BigQuery, streams in Pub/Sub, free-form text passed to an API — and identifies more than 150 infoTypes: credit card numbers, Taiwan ID card numbers, US Social Security numbers, email addresses, phone numbers, medical codes, and more. Once detected, Cloud DLP can redact, mask, tokenize, or format-preserving-encrypt the sensitive elements, so the underlying data can flow into analytics and logs without leaking personally identifiable information (PII).
The identity check at the gate is Secret Manager, Google Cloud's managed service for storing API keys, passwords, database credentials, and TLS certificates. Instead of hard-coding a Stripe API key in your Cloud Run source code (where it might leak into a Git repository), you store it in Secret Manager and grant your service account roles/secretmanager.secretAccessor. Each secret version is encrypted at rest, automatically rotated on the schedule you choose, and every access is recorded in Cloud Audit Logs — just like the gate agent scanning your boarding pass and stamping the log.
The perimeter around the runway is VPC Service Controls. VPC Service Controls draws a security boundary around your Google Cloud services — BigQuery, Cloud Storage, Spanner, and dozens more — so that even an authenticated user with valid IAM permissions cannot exfiltrate data outside the perimeter. A compromised service account inside the perimeter cannot copy data to a personal Cloud Storage bucket in another project. A malicious insider with valid credentials cannot upload a BigQuery export to an external Drive. VPC Service Controls is the "no data leaves the runway" layer, and it is the answer the CDL exam expects for any scenario involving data exfiltration risk or shadow-IT prevention.
Cloud KMS: The Engine Behind CMEK
Cloud Key Management Service (Cloud KMS) is the Google Cloud service that creates, stores, rotates, and audits cryptographic keys. It is the engine that powers CMEK across every Google Cloud service that supports customer-managed encryption.
For the CDL exam, the most-tested distinction is who controls the key material. With Google-managed encryption (the default), Google generates and rotates keys automatically — no setup, no key administration. With CMEK via Cloud KMS, you own the KeyRing and can revoke decryption at any time by destroying the CryptoKeyVersion. With Cloud External Key Manager (Cloud EKM), the key material lives outside Google entirely, in a third-party HSM, and Google must call that external system for every operation. Scenarios mentioning "regulatory requirement to hold the key ourselves" point to CMEK; scenarios mentioning "key cannot leave our datacenter" point to Cloud EKM.
The KMS Hierarchy
Cloud KMS organizes keys in a strict three-level hierarchy:
- KeyRing — a logical container scoped to a specific region (or
global). KeyRings group related keys so IAM policies can be applied collectively. - CryptoKey — an individual key used to encrypt or decrypt data. A CryptoKey has a purpose (encrypt/decrypt, sign/verify, MAC) and an algorithm (e.g., AES-256-GCM, RSA-4096).
- CryptoKeyVersion — a specific version of a CryptoKey. When you rotate a key, a new version is created; old versions remain available to decrypt previously encrypted data.
The Cloud KMS hierarchy is KeyRing → CryptoKey → CryptoKeyVersion. Keys never live "loose" — they always belong to a KeyRing, which is bound to a specific region. Key deletion is scheduled, not immediate: the default waiting period is 30 days, during which you can recover the key. Once destroyed, a CryptoKeyVersion is gone forever and any data encrypted with it becomes unreadable. Reference: https://cloud.google.com/kms/docs/key-hierarchy
Software vs HSM-Backed Keys
Cloud KMS offers two protection levels:
- SOFTWARE — keys stored in software inside Google's secured environment. Cheaper, faster, perfectly adequate for most workloads.
- HSM — keys generated and stored inside FIPS 140-2 Level 3 certified hardware security modules. Required for many financial and government compliance regimes.
There is also Cloud External Key Manager (Cloud EKM) for the most regulated workloads: the actual key material lives in a third-party HSM outside Google's infrastructure, and Google must call that external system for every encrypt/decrypt operation.
Key Rotation
Cloud KMS supports automatic key rotation on a schedule you define (typically every 90 days). Each rotation creates a new CryptoKeyVersion; new encryption operations use the new version, while older data remains decryptable with its original version. For the CDL exam, the business takeaway is: "Yes, we can rotate keys regularly without breaking access to historical data."
Cloud DLP: Finding and Protecting Sensitive Data
Cloud Data Loss Prevention (Cloud DLP) — now officially branded Sensitive Data Protection — is the service that detects, classifies, and protects sensitive elements inside your data.
What Cloud DLP Detects
Cloud DLP recognizes more than 150 built-in infoTypes, including:
- Credit card numbers (with Luhn-check validation)
- US Social Security numbers, UK National Insurance numbers, Taiwan ID card numbers
- Email addresses and phone numbers
- IP addresses, MAC addresses
- Medical record numbers, ICD-10 codes
- Custom infoTypes you define via regex, dictionary, or hotwords
What Cloud DLP Does With the Findings
Once sensitive data is identified, Cloud DLP can:
- Redact — replace with a fixed string like
[REDACTED]. - Mask — replace some characters with a symbol like
*. - Tokenize — replace with a reversible token that can be re-identified later by privileged users.
- Format-preserving encryption — encrypt while keeping the data's original length and character set (useful for legacy systems that expect specific formats).
For the CDL exam, the key recognition pattern is: "scenario mentions PII, credit cards, or HIPAA data flowing into BigQuery / logs / Cloud Storage." → The answer is almost always Cloud DLP / Sensitive Data Protection.
Secret Manager: Centralized Credential Storage
Secret Manager is Google Cloud's managed service for storing and retrieving secrets at runtime — API keys, database passwords, OAuth tokens, TLS private keys, signing certificates.
For the CDL exam, Secret Manager is the canonical answer for any scenario where an application needs to retrieve a credential at runtime. The wrong answers are: hard-coding the credential in source code, baking it into a container image, storing it in a Cloud Storage bucket without encryption, or passing it as a plaintext environment variable. Secret Manager encrypts every secret at rest, controls access via IAM (roles/secretmanager.secretAccessor), and records every access in Cloud Audit Logs — exactly what compliance auditors want to see. Reference: https://cloud.google.com/secret-manager/docs/overview
Each secret has multiple versions, so rotation is straightforward: create a new version, switch your application to reference the latest, and disable the old version after a grace period. Secret Manager integrates with Cloud Run, Cloud Functions, GKE, and Compute Engine, so workloads can fetch secrets without keeping any plaintext on disk.
VPC Service Controls: The Anti-Exfiltration Perimeter
VPC Service Controls draws a security boundary around your most sensitive Google Cloud services — BigQuery, Cloud Storage, Spanner, Bigtable, Cloud KMS itself, and dozens more — to prevent data exfiltration even by authenticated, IAM-authorized users.
The classic problem VPC Service Controls solves: a developer with legitimate roles/bigquery.dataViewer access could, in principle, run a query and copy the results to a personal Cloud Storage bucket in a different project. IAM alone cannot stop this because IAM is about who can read the data, not where the data can flow to. VPC Service Controls creates a service perimeter that says, in effect: "BigQuery data inside this perimeter can only be read and written by workloads that are also inside this perimeter." Even with valid IAM permissions, an external request is blocked.
For the CDL exam, recognize VPC Service Controls as the answer when:
- A scenario mentions preventing data exfiltration.
- A regulator requires defense in depth beyond IAM.
- An organization wants to isolate sensitive datasets from the rest of the cloud footprint.
Confidential Computing: Encryption in Use
Encryption at rest covers data on disk. Encryption in transit covers data on the wire. But what about data in memory, while it is being processed by a CPU? Traditionally, data has to be decrypted into RAM before a CPU can operate on it — which means a sophisticated attacker with hypervisor-level access could read it.
Confidential Computing closes this last gap using CPU hardware features such as AMD SEV (Secure Encrypted Virtualization) and Intel TDX (Trust Domain Extensions). The CPU encrypts the contents of the VM's memory with a key that even the hypervisor cannot read. Google Cloud offers Confidential VMs, Confidential GKE Nodes, and integrations with services like Dataflow.
For the CDL exam, you do not need the cryptographic details. You only need to recognize that Confidential Computing protects data in use, completing the three-state security model (at rest, in transit, in use). It is the answer when a scenario mentions multi-party computation, sensitive financial workloads, or compliance regimes that explicitly call out "encryption in use."
A practical CDL mental model: every piece of customer data lives in one of three states — at rest (on disk), in transit (on the network), or in use (in memory). Google Cloud encrypts the first two by default, and Confidential Computing is the optional opt-in that covers the third state. When an exam question lists all three states and asks which Google Cloud capability protects all of them simultaneously, the answer involves Cloud KMS / CMEK for at rest, TLS / Cloud VPN for in transit, and Confidential VMs for in use. Reference: https://cloud.google.com/confidential-computing/docs/about-confidential-computing
CMEK (Customer-Managed Encryption Keys) is the Google Cloud feature that lets you supply the Key Encryption Key from your own Cloud KMS KeyRing instead of letting Google generate and hold it internally. Data Encryption Keys (DEKs) still encrypt the actual data; CMEK only changes who controls the wrapping key. Disabling or destroying a CMEK key effectively renders the protected data unreadable — even by Google. CMEK is distinct from CSEK (Customer-Supplied Encryption Keys), where the customer supplies raw key material on every API call and Google never stores it. Reference: https://cloud.google.com/kms/docs/cmek
How Data Protection Connects to Other CDL Topics
Data encryption and protection is not a standalone island — it threads through almost every other Google Cloud security and governance topic on the CDL exam.
- Identity and Access Management — encryption is meaningless without strong IAM. CMEK on a BigQuery dataset only matters if
roles/cloudkms.cryptoKeyEncrypterDecrypteris granted carefully. See Identity and Access Management (IAM) for how principals, roles, and resources interact with encryption keys. - Compliance and privacy — most compliance regimes (HIPAA, PCI-DSS, GDPR, ISO 27001, SOC 2) explicitly require encryption at rest and in transit. See Compliance and Privacy for how Google Cloud's certifications map to these requirements.
- Cloud value proposition — robust default encryption is one of the things that makes Google Cloud's cloud value proposition attractive to security-conscious enterprises that cannot accept "we will add encryption later."
- Cloud Audit Logs — every Cloud KMS key use, every Secret Manager access, and every VPC Service Controls denial is logged, providing forensic evidence of who touched what and when.
Common Data-Protection Mistakes to Avoid
For the CDL exam, recognize these anti-patterns when they appear in scenarios:
- "We need to enable encryption on our Cloud Storage buckets." — Wrong framing. Cloud Storage is already encrypted by default; the real question is whether the business needs CMEK.
- Hard-coding API keys in source code. — Always use Secret Manager. This is one of the most common real-world security failures.
- Granting
roles/cloudkms.adminto application service accounts. — Service accounts should hold the narrowroles/cloudkms.cryptoKeyEncrypterDecrypterrole, not the admin role. - Assuming IAM is enough to prevent data exfiltration. — Use VPC Service Controls in addition to IAM for sensitive datasets.
- Skipping Cloud DLP scanning before exporting data to BigQuery or external partners. — PII can sneak in through free-text fields and end up in analytics dashboards or partner exports.
Frequently Asked Questions
Do I need to enable encryption at rest for Cloud Storage, BigQuery, or Compute Engine?
No. Every Google Cloud storage service encrypts customer data at rest by default, using Google-managed keys and AES-256. You do not need to configure anything, you cannot turn it off, and there is no additional cost. The question to ask is not "should I enable encryption?" but rather "do I need customer-managed encryption keys (CMEK) to satisfy a compliance requirement?" If the answer is yes, configure CMEK via Cloud KMS; otherwise the default Google-managed encryption is the right choice.
What is the difference between CMEK and CSEK?
CMEK (Customer-Managed Encryption Keys) stores the Key Encryption Key inside Cloud KMS — Google's managed key service. You control the key's lifecycle (enable, disable, rotate, destroy), but Google still operates the cryptographic infrastructure. CSEK (Customer-Supplied Encryption Keys) goes further: you provide the raw key material in every API request, and Google never stores it. CSEK is more secure but also more dangerous — if you lose the key, the data is permanently unrecoverable. Most regulated workloads use CMEK; CSEK is reserved for the most extreme paranoia scenarios.
What happens if I delete a Cloud KMS key?
Cloud KMS key deletion is scheduled, not immediate. When you request deletion of a CryptoKeyVersion, it enters a DESTROY_SCHEDULED state with a default waiting period of 30 days (configurable from 1 to 120 days). During this window, you can restore the key. Once the waiting period expires, the key is permanently destroyed, and any data encrypted with that specific version becomes unreadable forever — including by Google. This is intentional: it gives you a safety net against accidental destruction while still letting you guarantee permanent deletion when compliance requires it.
When should I choose VPC Service Controls instead of relying on IAM?
IAM controls who can read or write data. VPC Service Controls controls where data can flow to. Use VPC Service Controls when IAM alone cannot prevent the risk — typically when an authenticated, IAM-authorized user might copy data out of an approved environment to an unapproved one (a personal project, an external bucket, a third-party SaaS). Common triggers in CDL scenarios are the phrases "prevent data exfiltration," "defense in depth," and "regulated dataset isolation."
What is Cloud DLP and why was it renamed?
Cloud DLP (Data Loss Prevention) is Google Cloud's service for detecting and protecting sensitive data — credit cards, PII, medical identifiers, custom infoTypes. It was officially rebranded to Sensitive Data Protection to better reflect its scope, but the CDL exam may still use either name. The functionality is the same: scan data sources, identify sensitive elements via more than 150 built-in infoTypes, and apply redaction, masking, tokenization, or format-preserving encryption. Use it whenever sensitive data needs to flow through analytics pipelines, logs, or external systems.
Is data automatically encrypted between regions inside Google Cloud?
Yes. When data moves between Google Cloud regions — for example, multi-region replication of a Spanner database or a Cloud Storage bucket configured for multi-region — the traffic travels over Google's private global backbone and is encrypted in transit, automatically, without any configuration. The same applies to traffic between Google Cloud services within a region. You only need to think about encryption in transit when traffic leaves Google Cloud, such as a Cloud VPN or Cloud Interconnect link to an on-premises data center.
Summary: Encryption as the Safety Net Under Every Workload
For the Cloud Digital Leader exam, data encryption and protection is the security layer that activates when IAM fails. Remember the three states of data — at rest, in transit, and in use — and remember that Google Cloud encrypts the first two by default, with CMEK via Cloud KMS available when the business needs to hold the key, and Confidential Computing available for the third state.
The supporting cast matters just as much: Cloud DLP / Sensitive Data Protection finds and redacts sensitive elements; Secret Manager is the canonical home for API keys and credentials; VPC Service Controls stops data from leaking even when IAM permits the read; Identity-Aware Proxy authenticates application access without a VPN; Cloud VPN and Cloud Interconnect encrypt hybrid links to on-premises data centers.
A CDL who can translate these tools into business language — "we use Google-managed encryption by default, layer CMEK on top for our HIPAA workloads, store all credentials in Secret Manager, and wrap our analytics datasets in a VPC Service Controls perimeter to prevent exfiltration" — is ready to advise stakeholders on how Google Cloud meets the security and compliance bar that modern enterprises demand. Encryption is not a feature you bolt on; in Google Cloud, it is the foundation everything else rests on.