A security analyst is reviewing the architecture for a new, data-sensitive application. All three tiers (web, application, and database) are currently planned to run as separate processes on a single, large virtual machine. To BEST mitigate the risk of a compromise in one tier affecting the others, which of the following recommendations should the analyst make?
Install an agent-based EDR and a host-based firewall on the virtual machine.
Place a virtual firewall in front of the VM and configure micro-segmentation rules for each process.
Isolate each application tier in its own virtual machine on the same hypervisor.
Move the application to a containerized environment, with each tier in a separate container.
Isolating each application tier in its own virtual machine provides the strongest level of isolation among the choices. Each VM runs its own independent operating system, meaning a compromise at the OS level in one tier (e.g., the web server) will not directly impact the OS of the other tiers. While containers provide process-level isolation, they share the host OS kernel, creating a larger shared attack surface than separate VMs. An EDR and host-based firewall provide important host-level protection but do not isolate the application processes from each other on the same OS. Micro-segmentation is a network-level control that restricts traffic between workloads but does not prevent non-network-based attacks between processes running on the same VM.