Exam CISSP topic 1 question 366 discussion

Controlled Unclassified Information - Encryption of Data at Rest In accordance with DoD policy, all unclassified DoD data that has not been approved for public release and is stored on mobile computing devices or removable storage media must be encrypted using commercially available encryption technology. https://www.stigviewer.com/stig/traditional_security_checklist/2020-08-26/finding/V-32263

For CUI protection, using virtualized storage with logical separation and back-end disk encryption is the most efficient and cost-effective strategy. It ensures compliance while minimizing complexity and performance impact.

Compared to other options B strikes a balance between comprehensive protection and operational efficiency

D. strong protection but may be more expensive and complex to implement and manage. It may also introduce performance overhead, especially if the encryption is not optimized for the storage infra. C. can be costly and complex to implement, especially when dealing with large volumes. B. might add complexity and overhead to the virtualized environment. may require more resources to manage encryption keys and processes within the virtualization layer, making it potentially less efficient and more costly. A. This approach allows for centralized encryption management, which can be more efficient than encrypting at multiple layers. It also leverages existing storage infra and adds encryption at the back-end, reducing complexity and cost. This strategy effectively protects data at rest while allowing for flexibility and scalability.

Best performance while cost efficient, B. D is not best performance, encrypting everything never is

the most efficient and cost-effective encryption strategy for data at rest would be: B) Perform logical separation of program information, using virtualized storage solutions with built-in encryption at the virtualization layer The rationale is: Option A would require additional backend disk encryption systems, increasing cost and complexity. Option C risks missing critical information deemed non-critical by the client. Option D encrypts everything, even non-critical data, driving up processing overhead. Option B provides logical separation and encryption using capabilities already built into the virtualization platform. This avoids the need for expensive new backend encryption systems (A) or full encryption (D). Encryption occurs at the virtualization layer, providing efficient and secure separation of the client's sensitive data. -Claude 2.0

This option offers an efficient way to segregate and manage CUI by utilizing virtualization and relying on backend disk systems for encryption, which can centralize and streamline encryption management.

C, only client end information being encrypted is not sufficient. D. SAN is quite expansive and not matched with question requirement. Compare to A, B is better since it considers both program/application and data storage.