Exam Professional Cloud Security Engineer topic 1 question 64 discussion

when I revisited this, Now I think A is correct. In A - We will use an approved encryption method for encrypting Local SSD and VM to VM communication. In B and D, we are still using GCP's encryption algorithms and are not FIPS 140-2 approved. Moreover only the BoringCrypto is FIPS 140-2 approved and not the Boring SSL. I see A as evidently correct. ownez, genesis3k, MohitA has explained this and provided the right links too.

Disk Encryption with customer-managed keys: FIPS 140-2 compliance often requires encryption, and using customer-managed encryption keys (CMEK) ensures that you have control over the encryption keys, which can be crucial for compliance. Google Cloud supports FIPS 140-2 compliant encryption for data at rest with customer-managed keys. BoringSSL for data transit: BoringSSL is Google's fork of OpenSSL, designed to meet high standards of cryptographic security, including FIPS 140-2. Using BoringSSL for instance-to-instance communications ensures that data in transit is encrypted according to the necessary standards. Although UDP isn't inherently encrypted, you can implement encryption at the application layer using libraries like BoringSSL.

"BoringSSL as a whole is not FIPS validated. However, there is a core library (called BoringCrypto) that has been FIPS validated."

When you deploy Managed Instance Groups (MIGs), you typically create an instance template that defines the configuration of instances in the group, including the disk encryption settings.

B To comply with FIPS 140-2, the company needs to ensure that both data at rest and data in transit are encrypted using cryptographic libraries that are FIPS 140-2 certified. • Customer-managed keys (CMEK): Using customer-managed encryption keys (CMEK) in Google Cloud Key Management Service (KMS) ensures that encryption complies with FIPS 140-2 standards because the customer has control over the encryption keys and can ensure they are managed according to compliance requirements. • BoringSSL: A Google-maintained version of OpenSSL designed to be more streamlined and used in environments like Google Cloud, which includes support for FIPS 140-2 mode when linked to the BoringCrypto module. This library can be used to ensure that data in transit between instances is encrypted in compliance with FIPS.

The correct answer is B

A. Encrypt all cache storage and VM-to-VM communication using the BoringCrypto module: BoringCrypto is not an established or widely recognized cryptographic library for FIPS 140-2 compliance. Instead, BoringSSL or OpenSSL with FIPS validation should be used for both data-at-rest and data-in-transit encryption. C. Change the app instance-to-instance communications from UDP to TCP and enable BoringSSL on clients' TLS connections: While changing from UDP to TCP might provide more reliable connections, it does not directly address FIPS 140-2 compliance. You still need to ensure that all data-in-transit encryption uses a validated cryptographic module such as BoringSSL. D. Set Disk Encryption on the Instance Template used by the MIG to Google-managed Key and use BoringSSL library on all instance-to-instance communications: Google-managed keys for disk encryption do not provide the level of control required for FIPS 140-2 compliance, which typically requires customer-managed keys for greater control and accountability.

Selected answer B https://cloud.google.com/security/compliance/fips-140-2-validated/ "Google’s Local SSD storage product is automatically encrypted with NIST approved ciphers, but Google's current implementation for this product doesn’t have a FIPS 140-2 validation certificate. If you require FIPS-validated encryption on Local SSD storage, you must provide your own encryption with a FIPS-validated cryptographic module."

A. Encrypt all cache storage and VM-to-VM communication using the BoringCrypto module. This option ensures both storage (Local SSDs) and inter-instance communications are encrypted using a FIPS 140-2 compliant module.

A. Encrypt all cache storage and VM-to-VM communication using the BoringCrypto module. This option ensures both storage (Local SSDs) and inter-instance communications are encrypted using a FIPS 140-2 compliant module.

https://cloud.google.com/security/compliance/fips-140-2-validated/

A is the ans

"BoringSSL as a whole is not FIPS validated. However, there is a core library (called BoringCrypto) that has been FIPS validated" https://boringssl.googlesource.com/boringssl/+/master/crypto/fipsmodule/FIPS.md

https://cloud.google.com/docs/security/key-management-deep-dive A is right

A. Encrypt all cache storage and VM-to-VM communication using the BoringCrypto module.

FIPS140 module is supported

D is the correct answer