ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question
Your team is designing an on-premises HR system that stores employee PII in an Oracle 19c database. Threat modeling identified the risk of stolen tape backups or SAN snapshots, while DBAs must continue running maintenance scripts without code changes. Which approach best meets the encryption-at-rest requirement?
Enable Transparent Data Encryption on the affected tablespaces or columns
Configure SSL/TLS for all client-to-server connections
Deploy host-based full-disk encryption on the database server
Apply application-layer tokenization before writing PII to the database
Transparent Data Encryption (TDE) is built into many commercial databases, including Oracle. It automatically encrypts data in datafiles, redo logs, and backups, protecting information if disks, snapshots, or tapes are lost. Because encryption and decryption are handled by the database engine, existing applications and DBA workflows continue to operate unchanged.
SSL/TLS secures data only while it travels over the network and does not protect files stored on disk. Application-layer tokenization would hide data from DBAs and usually requires extensive code and schema changes. Full-disk encryption protects the local storage device, but once data is exported or backed up to external media, it is no longer covered; it also offers no granular control inside the database. Therefore, TDE most directly addresses the stated threat while meeting operational constraints.