ISC2 Certified Cloud Security Professional (CCSP) Practice Question
Your company is moving a three-tier customer portal to a public IaaS provider. Web servers in a public subnet will query the application servers in a private subnet, which in turn connect to a managed database service. Compliance policy states that any sensitive data traversing the provider's internal network must be protected against disclosure even if another tenant gains packet-sniffing capability. The application team cannot modify existing code and wants to avoid significant re-architecture. Which security control BEST meets the requirement?
Configure host-based IPsec VPN tunnels between the web and application server instances.
Place the web and application tiers in the same VLAN to eliminate intermediate hops.
Apply stateful security group rules to allow only TCP port 443 from web to application servers.
Enable client-side encryption for all database queries using the provider's SDK.
Host-based IPsec tunnels encrypt every packet exchanged between the web and application servers at the network layer, providing confidentiality even if the cloud provider's internal network is monitored. Because IPsec operates transparently to applications, it requires no changes to existing code or to the overall application design. Security groups or firewalls restrict traffic but do not protect data from interception. Client-side database encryption secures only the database connection, so it would still leave web-to-application traffic unprotected, and it would require code changes to invoke the SDK. Placing both tiers in the same VLAN may reduce hops but offers no encryption, so data could still be captured in clear text. Therefore, host-based IPsec is the most appropriate control for protecting inter-tier communications with minimal disruption.
Cloud Platform & Infrastructure Security