
Weekly CISSP Practice

Exam Questions

Week 29 - Question 1

Scenario: A new regulation in your industry requires the protection of customer data both in transit and at rest. What is the most comprehensive approach to achieve this?

A.  Disk encryption and SSL/TLS

B.  Database encryption and HTTPS

C.  Secure coding practices

D.  Physical security measures

Answer: A

Explanation:

A. Disk Encryption and SSL/TLS

This option provides a "holistic" technical defense covering both primary states of data requested by the regulation.

  • Data at Rest (Disk Encryption): This protects the physical storage media. If a hard drive is stolen or a server is decommissioned improperly, the data remains unreadable without the cryptographic key. This is often referred to as Full Disk Encryption (FDE).

  • Data in Transit (SSL/TLS): Transport Layer Security (TLS) creates an encrypted tunnel between two endpoints (such as a client and a server). It ensures that data moving across the network cannot be intercepted or read by an unauthorized party positioned on the path (a man-in-the-middle).

B. Database Encryption and HTTPS

While this is a strong answer, it is slightly less "comprehensive" than Option A in a broad infrastructure context.

  • The Nuance: HTTPS is simply the application of TLS to web traffic (HTTP over TLS). Database encryption is excellent, but it only protects the data inside the database. If a sensitive file is stored on the server's desktop or in a temporary folder, database encryption won't protect it, whereas Disk Encryption covers the entire volume.

C. Secure Coding Practices

Secure coding (e.g., input validation, error handling) is essential for preventing vulnerabilities like SQL Injection or Cross-Site Scripting (XSS).

  • The Conflict: While secure coding makes the application more robust, it is not an encryption technology. You can have a perfectly coded application that still sends data in plain text or stores it on an unencrypted disk. This is a Software Development (Domain 8) control, not a data-at-rest/in-transit control.

D. Physical Security Measures

Physical security (locks, cameras, guards) is a Physical Control (Domain 9).

  • The Limitation: Physical security protects the hardware, but it does nothing to protect the data when the system is accessed remotely over the network. Most modern regulations specifically demand cryptographic protections because physical controls do not stop network-based (digital) threats.
