Exam CAS-004 topic 1 question 69 discussion

B. We recommend that you encrypt your virtual hard disks (VHDs) to help protect your boot volume and data volumes at rest in storage, along with your encryption keys and secrets. Azure Disk Encryption helps you encrypt your Windows and Linux IaaS virtual machine disks. Azure Disk Encryption uses the industry-standard BitLocker feature of Windows and the DM-Crypt feature of Linux to provide volume encryption for the OS and the data disks. The solution is integrated with Azure Key Vault to help you control and manage the disk-encryption keys and secrets in your key vault subscription. The solution also ensures that all data on the virtual machine disks are encrypted at rest in Azure Storage. https://docs.microsoft.com/en-us/azure/security/fundamentals/iaas

Since we're talking about IaaS we can promptly discard D, array controller-based, since this is encryption at hw level, and in most cases is not an option for cloud providers. Storage-based encryption involves encrypting data at rest, such as data stored on hard drives or in cloud storage. This is typically done using encryption keys that are managed by the cloud provider or by the customer. This method of encryption provides a high level of security, as it protects data from unauthorized access even if an attacker gains physical access to the storage media. Instance-based encryption involves encrypting data in transit, such as data transmitted over a network or the internet. While this method can provide some level of security, it is not as secure as storage-based encryption, as it does not protect data when it is at rest. Proxy-based encryption involves using a proxy server to encrypt data in transit. This method is similar to instance-based encryption, but it uses an additional layer of security by routing data through a secure server. However, it is still not as secure as storage-based encryption.

I think instance-based is the best option.

Storage-based encryption refers to encrypting data at rest, which means the data stored on disk or other storage devices is automatically encrypted. In an IaaS model, where the company is moving to the cloud, ensuring data is encrypted when stored in cloud storage is crucial for protecting sensitive customer data from unauthorized access, even if an attacker gains access to the physical hardware. Cloud providers often offer built-in, high-performance storage encryption options that can be configured to meet compliance and security standards. This method ensures data is encrypted as it's written to the disk and is accessible only by authorized users or processes with the correct decryption keys. Since the company is moving its customer-facing systems to the cloud and needs the highest level of security, storage-based encryption provides the most comprehensive and robust protection for data at rest in the cloud environment, making B the best choice

Storage-based is highest encryption option for IaaS solutions.

Instance-based encryption provides the highest level of security because encryption is applied at the compute instance level, ensuring that data is encrypted as it is processed, stored, or transmitted. This method enables fine-grained control over encryption keys and ensures that data is encrypted as close to the source as possible, reducing the risk of exposure during data handling. Storage-based: Encryption is applied at the storage layer, protecting data at rest but leaving it vulnerable during processing or transmission.

Highest encryption for data at rest on cloud infrastructure.

Instance-base may not cover all data at rest comprehensively, especially if data is moved outside the instance.

Can't find relevant information on "storage-based" encryption.

The correct answer is Storage based or B

B. Storage-based encryption: Storage-based encryption involves encrypting data at the storage level, typically at the disk or volume level. In this approach, data is encrypted before it is written to disk, ensuring that it remains encrypted while at rest. Storage-based encryption offers comprehensive protection for data stored on disk, regardless of the specific instances or VMs accessing the storage. By encrypting data at the storage level, organizations can ensure that data remains protected both at rest and during transmission, providing robust security for customer-facing production systems. This approach is well-suited for IaaS environments as it provides a centralized and consistent method for securing data across multiple instances or VMs.

For the highest level of security in an IaaS (Infrastructure as a Service) cloud environment, where customer-facing production systems are being moved, the most appropriate encryption method would be: B. Storage-based Storage-based encryption typically involves encrypting the data at rest within the storage infrastructure. This ensures that the data stored in the cloud storage, such as block storage or object storage, is protected by encryption. It provides a robust level of security for sensitive data and helps prevent unauthorized access to the stored information.

B. Storage-based Storage-based encryption involves encrypting data at the storage level, ensuring that data remains protected whether it is at rest or in transit.

In the context of the highest level of security for encryption in a cloud environment, while instance-based encryption can provide security for data in transit or during processing within specific instances, it's important to note that the highest level of security for data protection in a cloud environment is generally achieved through storage-based encryption. Storage-based encryption focuses on encrypting data at rest, meaning the data stored within the cloud storage is encrypted. This method ensures that even if someone gains unauthorized access to the stored data, they won't be able to interpret or access it without the necessary decryption keys.

B: for the highest level of security in an IaaS environment when moving customer-facing production systems to the cloud, you should prioritize data encryption at rest. Therefore, options B (Storage-based) and D (Array controller-based) are the most relevant choices, with the specific choice depending on your cloud provider and infrastructure setup.

A. Instance based storage protects against physical loss or theft, external administrator(s) accessing the storage, snapshots and storage-level backups being taken and removed from the system. Storage-based only protects against hardware theft or less, so Instance based is a higher level of security https://cloudgal42.com/cloud-data-encryption-architecture-and-options/ https://www.worthinlife.com/what-is-cloud-storage-encryption/

Instance-Based encryption is the highest level of security available for an IaaS. Luckily, they are in the implementation phase and can configure it that way from the start. It would be difficult to change later on. Source: Verifying against Chat GPT, my experience, other test banks, a written book, and weighing in the discussion from all users to create a 100% accurate guide for myself before I take the exam. (It isn't easy because of the time needed, but it is doing my diligence)