One key to securing access is to request and establish groups that represent roles. Then apply the permissions to the groups, and allow the people in your organization who manage identity to assign membership to the groups. This creates a clean interface between permission management on the Cloud side and group membership on the personnel IT side.

Here are a couple of exam tips. You can declare regional endpoints in Cloud Dataflow for security and network performance. So that's an example of a feature for a technology that you ought to know. The other tip here is to be able to apply the principle of least privilege to example cases. Think about how you would only allow users access to services and actions they need to perform for their job and not anything more.

Another key to security is to craft security permissions. The standard roles are defined for the most common use cases, but you might want to derive more granular and restricted roles by customizing them. Service accounts are a great way to separate system components and establish secure communication between components. A bastion host is a way to leverage a service account for risky and uncommon actions. Make the user admin start up and log in to a bastion host. From there, they can borrow the service account assigned to the host to perform the restricted functions. One benefit is that the login process generates logs for accountability.

What are the two most common compliance areas? Privacy regulations such as HIPAA and GDPR, and commercial and line-of-business standards such as PCI DSS. Remember that Google Cloud Platform does a lot of security work behind the scenes, so your data solution inherits a lot of that automatically.

Here's an exam tip. Know the default behavior of GCP, so you don't try to duplicate it unnecessarily. For example, a client used disk encryption on their computers in the data center. When they migrated their application to the Cloud, they planned to implement disk encryption again on the VMs, only to discover that the encryption requirement was already met by default on the platform.
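The group-based and least-privilege guidance above can be checked against a project's IAM policy. The following is an added example, not part of the original lecture: it audits a policy in the JSON shape printed by `gcloud projects get-iam-policy PROJECT_ID --format=json`, flagging roles granted directly to individual users instead of groups and any use of the broad basic roles. The sample policy, project name, custom role name and e-mail addresses are constructed for illustration.

```python
import json

# Basic roles grant broad, project-wide access and rarely fit least privilege.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Constructed sample policy (all names and addresses are placeholders).
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/bigquery.dataViewer",
     "members": ["group:analysts@example.com"]},
    {"role": "roles/editor",
     "members": ["user:alice@example.com", "group:data-eng@example.com"]},
    {"role": "projects/demo-project/roles/pipelineOperator",
     "members": ["serviceAccount:etl@demo-project.iam.gserviceaccount.com"]},
    {"role": "roles/dataflow.developer",
     "members": ["user:bob@example.com"]}
  ]
}
""")


def audit_policy(policy):
    """Return sorted (finding, role, member) tuples for an IAM policy dict."""
    findings = set()
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            # Members look like "user:...", "group:...", "serviceAccount:...".
            kind = member.split(":", 1)[0]
            if kind == "user":
                # Permission attached to a person rather than a role group.
                findings.add(("direct-user-grant", role, member))
            if role in BASIC_ROLES:
                # Candidate for a predefined or custom role with fewer permissions.
                findings.add(("basic-role", role, member))
    return sorted(findings)


if __name__ == "__main__":
    for finding, role, member in audit_policy(SAMPLE_POLICY):
        print(f"{finding:18} {role:28} {member}")
```

Group bindings on predefined roles and the service account on the custom role produce no findings; only the direct user grants and the `roles/editor` bindings are reported.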