Your company has decided to implement a new cloud-based Customer Relationship Management (CRM) system. Compliance rules state that all backups of the CRM data must be encrypted. The Chief Information Security Officer asks for a recommendation that delivers both strong encryption and streamlined, centrally managed key handling. Which encryption approach best meets these requirements?
Cloud provider's managed Key Management Service (KMS) with server-side encryption
Encrypt only sensitive database fields by using public key infrastructure
Whole-disk encryption on the CRM application servers
Manually encrypt backups with AES-256 and store the keys in a spreadsheet
Using the cloud provider's managed Key Management Service (KMS) with server-side encryption meets both goals. KMS stores keys in validated HSMs and automates creation, rotation, and retirement while enforcing granular access controls and audit logging, so encrypted backups can be restored whenever needed without manual key handling. Whole-disk encryption secures only the local volume and generally relies on per-host keys rather than centralized administration. Manually encrypting data with AES-256 satisfies strength requirements but scales poorly and is prone to human error. Field-level encryption protects only selected columns, leaving the rest of the backup unencrypted and non-compliant.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a Key Management Service (KMS)?
Open an interactive chat with Bash
Why is manual symmetric key management not suitable in this case?
Open an interactive chat with Bash
How does KMS compare to whole disk encryption for backup protection?