Exam PAM-SEN
Question 20

A customer is moving from an on-premises to a public cloud deployment.

What is the best and most cost-effective option to secure the server key?

    Correct Answer: C

    The best and most cost-effective option to secure the server key when moving to a public cloud deployment is to install the Vault using the native cloud images and secure the server key using native cloud Key Management Systems (KMS). This approach leverages the built-in security features and managed services offered by cloud providers, ensuring robust security with minimal additional cost. Utilizing native cloud KMS is generally more cost-effective and integrated than purchasing and managing additional hardware like a Hardware Security Module, or relying on less secure and potentially more cumbersome methods like manual filesystem permissions.

Discussion
Cavdog (Option: C)

The recommendation from CyberArk is to use KMS (as per the reference); however, this would not be anywhere near as “cost-effective” as just storing them on the filesystem and securing them with NTFS permissions as per a normal on-prem deployment, but my understanding is that this is strongly discouraged. There are also several differences between the cloud and on-prem installs, therefore the statement “Install the Vault in the cloud the same way you would in an on-premises environment.” isn’t exactly true either. Therefore I'd say the answer is C. https://docs.cyberark.com/PAS/Latest/en/Content/PAS%20Cloud/ChangeServerKeys-cloud.htm#:~:text=To%20ensure%20the%20security%20of%20the%20keys%20in%20AWS%2C%20it%20is%20recommended%20to%20follow%20AWS%20best%20practices%20and%20encrypt%20them%20with%20KMS.

Cavdog

Correction: the parameter does exist, I'm trippin >.< However, there is no requirement for a passphrase and it will work without it.

Cavdog

The answer is A.

Cavdog

mods, just delete this haha

Fabri59 (Option: C)

The answer is C. https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/12.6/en/Content/PAS%20Cloud/ChangeServerKeys-cloud.htm?tocpath=Installation%7CInstall%20Privileged%20Access%20Manager%20-%20Self-Hosted%C2%A0in%20a%20cloud%20environment%7CInstall%20the%20Digital%20Vault%20on%20the%20cloud%7C_____14

marcosneves (Option: A)

A is correct

Riaan_M

Nope. This is NOT the cost-efficient choice.

penuelaandy (Option: C)

https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/13.0/en/Content/PAS%20Cloud/ChangeServerKeys-cloud.htm?TocPath=Installation%7CInstall%20PAM%C2%A0in%20a%20cloud%20environment%7CInstall%20the%20Digital%20Vault%20on%20the%20cloud%7C_____14

pamlover (Option: A)

You would use CAVaultManager.exe ChangeAwsKeys to make new keys and store them in the cloud. https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/13.0/en/Content/PAS%20Cloud/ChangeServerKeys-cloud.htm#ChangetheserverkeyonthePrimaryVault