Store the data in a single Persistent Disk, and delete the disk at expiration time

Store the data in a single BigQuery table and set the appropriate table expiration time.

Store the data in a single Cloud Storage bucket and configure the bucket's Time to Live.

Store the data in a single BigTable table and set an expiration time on the column families.

Add a nodeSelector field to the pod configuration to only use the Nodes labeled inscope: true.

Create a node pool with the label inscope: true and a Pod Security Policy that only allows the Pods to run on Nodes with that label.

Place a taint on the Nodes with the label inscope: true and effect NoSchedule and a toleration to match in the Pod configuration.

Run all in-scope Pods in the namespace ג€in-scope-pciג€.

Configure TCP Proxy Load Balancing as a global load balancing service listening on port 995.

Create a Network Load Balancer to listen on TCP port 995 with a forwarding rule to forward traffic based on location.

Use Cross-Region Load Balancing with an HTTP(S) load balancer to route traffic to the nearest region.

Use Cloud CDN to route the mail traffic to the closest origin mail server based on client IP address.

1. Leave the network configuration of the VMs in scope unchanged.
2. Create a new project including a new VPC network “new-vpc”.
3. Deploy a network appliance in “new-vpc” to filter access requests and only allow egress connections from “dev-vpc” to 10.58.5.0/24.

1. Leave the network configuration of the VMs in scope unchanged.
2. Enable Cloud NAT for “dev-vpc” and restrict the target range in Cloud NAT to 10.58.5.0/24.

1. Attach external IP addresses to the VMs in scope.
2. Define and apply a hierarchical firewall policy on folder level to deny all egress connections and to allow egress to IP range 10.58.5.0/24 from network dev-vpc.

1. Attach external IP addresses to the VMs in scope.
2. Configure a VPC Firewall rule in “dev-vpc” that allows egress connectivity to IP range 10.58.5.0/24 for all source addresses in this network.

Allow the external project by using the organizational policy, constraints/compute.trustedImageProjects.

1. Update the perimeter.
2. Configure the egressTo field to include the external Google Cloud project number as an allowed resource and the serviceName to compute.googleapis.com.
3. Configure the egressFrom field to set identityType to ANY_IDENTITY.

1. Update the perimeter.
2. Configure the ingressFrom field to set identityType to ANY_IDENTITY.
3. Configure the ingressTo field to include the external Google Cloud project number as an allowed resource and the serviceName to compute.googleapis.com.

1. Update the perimeter.
2. Configure the egressTo field to set identityType to ANY_IDENTITY.
3. Configure the egressFrom field to include the external Google Cloud project number as an allowed resource and the serviceName to compute.googleapis.com.

Use the Cloud Key Management Service to manage a data encryption key (DEK).

Use the Cloud Key Management Service to manage a key encryption key (KEK).

Use customer-supplied encryption keys to manage the data encryption key (DEK).

Use customer-supplied encryption keys to manage the key encryption key (KEK).

Run each tier in its own Project, and segregate using Project labels.

Run each tier with a different Service Account (SA), and use SA-based firewall rules.

Run each tier in its own subnet, and use subnet-based firewall rules.

Run each tier with its own VM tags, and use tag-based firewall rules.