A security engineer needs to protect sensitive customer records that are stored in a database on an on-premises file server. Which of the following controls would BEST safeguard the data if the physical disks are stolen from the server?
Install a host-based intrusion detection system (HIDS) on the server.
Place the database server in a separate management VLAN.
Implement full-disk encryption using AES-256.
Configure Transport Layer Security (TLS) for all web applications on the server.
Encrypting the entire drive (or the specific data volume) with a strong algorithm such as AES-256 renders the stored data unreadable without the corresponding decryption key. Controls like TLS focus on data in transit, VLAN segmentation limits network exposure but does not cryptographically protect the files themselves, and a host-based IDS only detects suspicious activity. Therefore, full-disk (or volume) encryption is the most effective measure to protect data at rest on the stolen disks.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is data at rest?
Open an interactive chat with Bash
What are encryption keys?
Open an interactive chat with Bash
What is the importance of encrypting data at rest?