312-50V12 Question #208: Real Exam Question with Answer & Explanation
The correct answer is A: Implement IPsec in addition to SSL/TLS.
Question
You are the chief cybersecurity officer at CloudSecure Inc., and your team is responsible for securing a cloud based application that handles sensitive customer data. To ensure that the data is protected from breaches, you have decided to implement encryption for both data-at-rest and data-in-transit. The development team suggests using SSL/TLS for securing data in transit. However, you want to also implement a mechanism to detect if the data was tampered with during transmission. Which of the following should you propose?
Options
- A. Implement IPsec in addition to SSL/TLS.
- B. Switch to using SSH for data transmission.
- C. Encrypt data using the AES algorithm before transmission.
- D. Use the cloud service provider's built-in encryption services.
Explanation
This question tests knowledge of network security protocols that provide both encryption and data integrity verification for data in transit. The goal is to detect tampering during transmission alongside existing SSL/TLS.
Common mistakes.
- B. SSH is designed for secure remote shell access and file transfers, not for general application data transmission, and does not add tamper-detection capabilities beyond what SSL/TLS already provides for web-based data in transit.
- C. Encrypting data with AES before transmission provides confidentiality but does not inherently include a tamper-detection or integrity-verification mechanism: AES alone lacks message authentication unless it is combined with a MAC algorithm or used in an authenticated mode (e.g., AES-GCM).
- D. Using the cloud provider's built-in encryption services typically addresses data-at-rest encryption and may duplicate existing TLS capabilities, but does not specifically add a network-layer tamper-detection mechanism for data in transit.
Concept tested. IPsec data integrity and tamper detection in transit
Reference. https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices#ipsec