ISC2 Certified Cloud Security Professional (CCSP) Practice Question
Your company runs a three-tier web service spread across two availability zones in a public IaaS cloud. A penetration test shows that SQL queries exchanged between the application servers and the back-end database virtual machines are sent in clear text over the provider's virtual network. Refactoring the application to use TLS would require significant code rewrites and cannot be completed in the short term. To comply quickly with a new policy that mandates encryption of all sensitive data in transit, which control should you implement first to protect this traffic while imposing the least change on the existing application design?
Deploy a cloud web application firewall (WAF) in front of the web tier to inspect and sanitize SQL traffic.
Enable full-disk encryption on the database virtual machine volumes with provider-managed keys.
Configure host-based IPsec in transport mode between the application and database virtual machines, using centrally managed security policies.
Move both tiers into a private subnet so their traffic never leaves the provider's data center network.
Enabling host-based IPsec in transport mode on the application and database virtual machines provides immediate encryption of the IP payloads that carry the SQL traffic. Because encryption and decryption occur at the operating-system level and the original IP headers remain intact, no modifications to the database protocol or application code are required. Full-disk encryption only protects data at rest, not data moving across the virtual network. Simply placing both tiers in a private subnet or relying on security group rules limits exposure but leaves the traffic unencrypted. A web application firewall is designed to inspect HTTP/HTTPS traffic and does not encrypt traffic between internal tiers.