Exam Professional Cloud Security Engineer
Question 64

In an effort for your company's messaging app to comply with FIPS 140-2, a decision was made to use GCP compute and network services. The messaging app architecture includes a Managed Instance Group (MIG) that controls a cluster of Compute Engine instances. The instances use Local SSDs for data caching and UDP for instance-to-instance communications. The app development team is willing to make any changes necessary to comply with the standard.

Which options should you recommend to meet the requirements?

    Correct Answer: A

    Encrypting all cache storage and VM-to-VM communication with the BoringCrypto module ensures that both the Local SSD storage used for caching and the instance-to-instance communications comply with the FIPS 140-2 standard. BoringCrypto is the FIPS 140-2 validated cryptographic core of the BoringSSL library, so using it for both data at rest (the cache) and data in transit (the UDP traffic) satisfies the compliance requirement on both paths. This approach directly addresses the need for FIPS 140-2 compliance without relying on non-validated modules, such as Google's current Local SSD encryption, which does not carry a FIPS 140-2 validation certificate.

Discussion
subhala (Option: A)

When I revisited this, now I think A is correct. In A, we will use an approved encryption method for encrypting Local SSD and VM-to-VM communication. In B and D, we are still using GCP's encryption algorithms, which are not FIPS 140-2 approved. Moreover, only BoringCrypto is FIPS 140-2 approved, not BoringSSL. I see A as evidently correct. ownez, genesis3k and MohitA have explained this and provided the right links too.

gical (Option: B)

Selected answer B https://cloud.google.com/security/compliance/fips-140-2-validated/ "Google’s Local SSD storage product is automatically encrypted with NIST approved ciphers, but Google's current implementation for this product doesn’t have a FIPS 140-2 validation certificate. If you require FIPS-validated encryption on Local SSD storage, you must provide your own encryption with a FIPS-validated cryptographic module."

b6f53d8

YES, as in your link: you need to encrypt the SSD using your own solution, and BoringSSL is a library to use.

ArizonaClassics (Option: A)

A. Encrypt all cache storage and VM-to-VM communication using the BoringCrypto module. This option ensures both storage (Local SSDs) and inter-instance communications are encrypted using a FIPS 140-2 compliant module.

TNT87 (Option: A)

https://cloud.google.com/security/compliance/fips-140-2-validated Google Cloud Platform uses a FIPS 140-2 validated encryption module called BoringCrypto (certificate 3318) in our production environment. This means that both data in transit to the customer and between data centers, and data at rest are encrypted using FIPS 140-2 validated encryption. The module that achieved FIPS 140-2 validation is part of our BoringSSL library. Ans A

pedrojorge (Option: C)

"BoringSSL as a whole is not FIPS validated. However, there is a core library (called BoringCrypto) that has been FIPS validated" https://boringssl.googlesource.com/boringssl/+/master/crypto/fipsmodule/FIPS.md

chetz12 (Option: A)

I think A is correct, as that's the only one that supports a FIPS 140 module.

ymkk (Option: A)

https://cloud.google.com/security/compliance/fips-140-2-validated/

gcpengineer (Option: A)

A is the answer.

sudarchary (Option: A)

FIPS 140 module is supported.

[Removed] (Option: D)

D is the correct answer.

TNT87 (Option: A)

A is the answer: https://boringssl.googlesource.com/boringssl/+/master/crypto/fipsmodule/FIPS.md

[Removed] (Option: B)

Ans: B

3d9563b (Option: B)

A. Encrypt all cache storage and VM-to-VM communication using the BoringCrypto module: BoringCrypto is not an established or widely recognized cryptographic library for FIPS 140-2 compliance. Instead, BoringSSL or OpenSSL with FIPS validation should be used for both data-at-rest and data-in-transit encryption. C. Change the app instance-to-instance communications from UDP to TCP and enable BoringSSL on clients' TLS connections: While changing from UDP to TCP might provide more reliable connections, it does not directly address FIPS 140-2 compliance. You still need to ensure that all data-in-transit encryption uses a validated cryptographic module such as BoringSSL. D. Set Disk Encryption on the Instance Template used by the MIG to Google-managed Key and use BoringSSL library on all instance-to-instance communications: Google-managed keys for disk encryption do not provide the level of control required for FIPS 140-2 compliance, which typically requires customer-managed keys for greater control and accountability.

ArizonaClassics (Option: A)

A. Encrypt all cache storage and VM-to-VM communication using the BoringCrypto module. This option ensures both storage (Local SSDs) and inter-instance communications are encrypted using a FIPS 140-2 compliant module.

AzureDP900 (Option: A)

https://cloud.google.com/docs/security/key-management-deep-dive A is right.

AwesomeGCP (Option: A)

A. Encrypt all cache storage and VM-to-VM communication using the BoringCrypto module.

DebasishLowes (Option: A)

Ans: A