A security engineer needs to protect sensitive customer records that are stored in a database on an on-premises file server. Which of the following controls would BEST safeguard the data if the physical disks are stolen from the server?
Place the database server in a separate management VLAN.
Configure Transport Layer Security (TLS) for all web applications on the server.
Implement full-disk encryption using AES-256.
Install a host-based intrusion detection system (HIDS) on the server.
Encrypting the entire drive (or the specific data volume) with a strong algorithm such as AES-256 renders the stored data unreadable without the corresponding decryption key. Controls like TLS focus on data in transit, VLAN segmentation limits network exposure but does not cryptographically protect the files themselves, and a host-based IDS only detects suspicious activity. Therefore, full-disk (or volume) encryption is the most effective measure to protect data at rest on the stolen disks.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is AES-256 and why is it used in encryption?
Open an interactive chat with Bash
How is full-disk encryption different from file-level encryption?
Open an interactive chat with Bash
Why is TLS not sufficient for securing data at rest?