CV0-003 · Question #474
A large law firm is migrating all of its systems to the cloud to meet growing business needs. The firm wants to reduce IT staff while maintaining day-to-day operations, such as user provisioning, fold
The correct answer is B. Client-to-site VPN. A client-to-site VPN uses client certificates to cryptographically bind each connection to a specific user identity, providing the auditable, non-deniable proof required for user non-repudiation.
Question
A large law firm is migrating all of its systems to the cloud to meet growing business needs. The firm wants to reduce IT staff while maintaining day-to-day operations, such as user provisioning, folder management, and permissions. Which of the following MUST the cloud provider and cloud customer implement to ensure user non-repudiation?
Options
- AServer certificate
- BClient-to-site VPN
- CTwo-factor authentication
- DSingle sign-on
How the community answered
(40 responses)- A10% (4)
- B80% (32)
- C8% (3)
- D3% (1)
Why each option
A client-to-site VPN uses client certificates to cryptographically bind each connection to a specific user identity, providing the auditable, non-deniable proof required for user non-repudiation.
A server certificate authenticates the server to the client, not the client to the server, so it establishes server identity but provides no mechanism to prove or bind user actions for non-repudiation.
A client-to-site VPN requires each user to authenticate using a unique client certificate issued by a trusted authority, which cryptographically binds the connection to a specific verified identity. Because the private key is held exclusively by the user, they cannot plausibly deny having initiated the connection, satisfying the definition of non-repudiation and creating an auditable record of user activity within the cloud environment.
Two-factor authentication strengthens identity verification at login but does not produce the cryptographic proof or signed audit trail that constitutes true non-repudiation of user actions.
Single sign-on centralizes authentication across services for convenience but provides no cryptographic mechanism to prove that a specific user performed a specific action, which is the core requirement of non-repudiation.
Concept tested: User non-repudiation via client certificate VPN authentication
Topics
Community Discussion
No community discussion yet for this question.