
Professional Cloud Security Engineer Exam - Question 64


In an effort for your company's messaging app to comply with FIPS 140-2, a decision was made to use GCP compute and network services. The messaging app architecture includes a Managed Instance Group (MIG) that controls a cluster of Compute Engine instances. The instances use Local SSDs for data caching and UDP for instance-to-instance communications. The app development team is willing to make any changes necessary to comply with the standard.

Which options should you recommend to meet the requirements?

Correct Answer: A

Encrypting all cache storage and VM-to-VM communication with the BoringCrypto module ensures that both the Local SSD storage used for caching and the instance-to-instance communications comply with the FIPS 140-2 standard. BoringCrypto is a FIPS 140-2 validated cryptographic module, so the encryption it performs meets the compliance requirement for data at rest and in transit. This approach addresses FIPS 140-2 compliance directly, without relying on non-validated modules.

Discussion

17 comments
subhala (Option: A)
Nov 26, 2020

When I revisited this, now I think A is correct. In A, we will use an approved encryption method for encrypting Local SSD and VM-to-VM communication. In B and D, we are still using GCP's encryption algorithms, and they are not FIPS 140-2 approved. Moreover, only BoringCrypto is FIPS 140-2 approved, not BoringSSL. I see A as evidently correct. ownez, genesis3k, and MohitA have explained this and provided the right links too.

TNT87 (Option: A)
Mar 10, 2021

https://cloud.google.com/security/compliance/fips-140-2-validated "Google Cloud Platform uses a FIPS 140-2 validated encryption module called BoringCrypto (certificate 3318) in our production environment. This means that both data in transit to the customer and between data centers, and data at rest are encrypted using FIPS 140-2 validated encryption. The module that achieved FIPS 140-2 validation is part of our BoringSSL library." Ans A

ArizonaClassics (Option: A)
Sep 15, 2023

A. Encrypt all cache storage and VM-to-VM communication using the BoringCrypto module. This option ensures both storage (Local SSDs) and inter-instance communications are encrypted using a FIPS 140-2 compliant module.

gical (Option: B)
Dec 24, 2023

Selected answer B. https://cloud.google.com/security/compliance/fips-140-2-validated/ "Google's Local SSD storage product is automatically encrypted with NIST approved ciphers, but Google's current implementation for this product doesn't have a FIPS 140-2 validation certificate. If you require FIPS-validated encryption on Local SSD storage, you must provide your own encryption with a FIPS-validated cryptographic module."

b6f53d8
Jan 5, 2024

YES, as in your link: you need to encrypt the SSD using your own solution, and BoringSSL is a library to use.

chetz12 (Option: A)
Jan 5, 2021

I think A is correct, as that's the only one that supports a FIPS 140 module.

pedrojorge (Option: C)
Jan 25, 2023

"BoringSSL as a whole is not FIPS validated. However, there is a core library (called BoringCrypto) that has been FIPS validated" https://boringssl.googlesource.com/boringssl/+/master/crypto/fipsmodule/FIPS.md

[Removed] (Option: B)
Oct 30, 2020

Ans - B

TNT87 (Option: A)
Feb 9, 2021

A is the answer. https://boringssl.googlesource.com/boringssl/+/master/crypto/fipsmodule/FIPS.md

[Removed] (Option: D)
Apr 13, 2021

D is the correct answer.

sudarchary (Option: A)
Feb 6, 2022

The FIPS 140 module is supported.

gcpengineer (Option: A)
May 15, 2023

A is the answer.

ymkk (Option: A)
Sep 4, 2023

https://cloud.google.com/security/compliance/fips-140-2-validated/

DebasishLowes (Option: A)
Mar 23, 2021

Ans: A

AwesomeGCP (Option: A)
Oct 7, 2022

A. Encrypt all cache storage and VM-to-VM communication using the BoringCrypto module.

AzureDP900 (Option: A)
Nov 2, 2022

https://cloud.google.com/docs/security/key-management-deep-dive A is right.

3d9563b (Option: B)
Jul 21, 2024

A. Encrypt all cache storage and VM-to-VM communication using the BoringCrypto module: BoringCrypto is not an established or widely recognized cryptographic library for FIPS 140-2 compliance. Instead, BoringSSL or OpenSSL with FIPS validation should be used for both data-at-rest and data-in-transit encryption.

C. Change the app instance-to-instance communications from UDP to TCP and enable BoringSSL on clients' TLS connections: While changing from UDP to TCP might provide more reliable connections, it does not directly address FIPS 140-2 compliance. You still need to ensure that all data-in-transit encryption uses a validated cryptographic module such as BoringSSL.

D. Set Disk Encryption on the Instance Template used by the MIG to Google-managed Key and use BoringSSL library on all instance-to-instance communications: Google-managed keys for disk encryption do not provide the level of control required for FIPS 140-2 compliance, which typically requires customer-managed keys for greater control and accountability.