Given Answer is correct:
Using the “Always Encrypted with deterministic encryption” feature would allow for data to be encrypted at rest and in transit. Transparent Data Encryption would only encrypt data at rest. Data Masking will only hide sensitive data. Azure Storage Service Encryption is used for encrypting data in storage accounts.
I think the answer should be A -- Transparent Data Encryption (TDE)
While Always Encrypted with deterministic encryption is the best choice for a small application architecture where data is encrypted as it travels over the internal or external network.
But in the question the SQL Server version is “Microsoft SQL Server 2014”, where the “Always Encrypted” feature is not supported.
Reference URL: https://azure.microsoft.com/en-in/blog/transparent-data-encryption-or-always-encrypted/
Prior to SQL Server 2016 (13.x) SP1, Always Encrypted was limited to the Enterprise Edition. Does this mean Microsoft SQL Server 2014 Enterprise Edition will have Always Encrypted support?
Given answer is correct
Using the “Always Encrypted with deterministic encryption” feature would allow for data to be encrypted at rest and in transit. Transparent Data Encryption would only encrypt data at rest. AZURE Storage Service Encryption is used for encrypting data in storage accounts.
Key sentence is "Payment processing system must be able to use grouping and joining tables on encrypted columns", hence deterministic encryption is the correct answer.
https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/always-encrypted-database-engine?view=sql-server-ver15#selecting--deterministic-or-randomized-encryption
One requirement was missing from this question, which is "Payment processing system must be able to use grouping and joining tables on encrypted columns.", which narrows down the answer to AE Deterministic.
Review the same question here.
https://www.examtopics.com/exams/microsoft/az-304/view/24/
Deterministic encryption always generates the same encrypted value for any given plain text value. Using deterministic encryption allows point lookups, equality joins, grouping and indexing on encrypted columns. However, it may also allow unauthorized users to guess information about encrypted values by examining patterns in the encrypted column, especially if there's a small set of possible encrypted values, such as True/False, or North/South/East/West region. Deterministic encryption must use a column collation with a binary2 sort order for character columns.
Randomized encryption uses a method that encrypts data in a less predictable manner. Randomized encryption is more secure, but prevents searching, grouping, indexing, and joining on encrypted columns.
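The trade-off quoted above, written out as T-SQL. This is an added example, not part of the original thread or the exam material; the table, column and key names (`dbo.Customers`, `dbo.Payments`, `CEK_Payments`) are hypothetical, and it assumes a column encryption key already exists on a server version that supports Always Encrypted, without secure enclaves.

```sql
-- Added example; CEK_Payments is a hypothetical, pre-existing column encryption key.
CREATE TABLE dbo.Customers (
    CustomerId INT IDENTITY(1,1) PRIMARY KEY,
    -- Deterministic: equal plaintexts give equal ciphertexts, so equality
    -- predicates work. Character columns need a BIN2 collation.
    CardNumber CHAR(16) COLLATE Latin1_General_BIN2
        ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = CEK_Payments,
                        ENCRYPTION_TYPE = DETERMINISTIC,
                        ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NOT NULL,
    -- Randomized: never joined or grouped, so it can use the stronger mode.
    SupportNotes NVARCHAR(400)
        ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = CEK_Payments,
                        ENCRYPTION_TYPE = RANDOMIZED,
                        ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NULL
);

CREATE TABLE dbo.Payments (
    PaymentId INT IDENTITY(1,1) PRIMARY KEY,
    -- Same key, type and algorithm as Customers.CardNumber, so the two
    -- columns can be compared in a join.
    CardNumber CHAR(16) COLLATE Latin1_General_BIN2
        ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = CEK_Payments,
                        ENCRYPTION_TYPE = DETERMINISTIC,
                        ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256') NOT NULL,
    Amount DECIMAL(12,2) NOT NULL
);

-- Allowed: equality join and GROUP BY on deterministic columns.
SELECT p.CardNumber, COUNT(*) AS PaymentCount, SUM(p.Amount) AS Total
FROM dbo.Payments AS p
JOIN dbo.Customers AS c ON c.CardNumber = p.CardNumber
GROUP BY p.CardNumber;

-- Allowed: indexing a deterministic column for point lookups.
CREATE INDEX IX_Payments_CardNumber ON dbo.Payments (CardNumber);

-- Rejected by the server: grouping on a randomized column.
-- SELECT SupportNotes, COUNT(*) FROM dbo.Customers GROUP BY SupportNotes;

-- Rejected even for deterministic columns: anything beyond equality.
-- SELECT * FROM dbo.Payments WHERE CardNumber LIKE '4111%';

-- Pattern leakage to review before choosing deterministic: on a connection
-- without the keys, the GROUP BY above still returns one row per distinct
-- ciphertext with its count, so a low-cardinality column exposes its distribution.
```

Client code reaches these columns through parameterized queries on a connection with `Column Encryption Setting=Enabled`, which is what keeps the keys on the front-end and middle tier.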
Hard one... Could be A or D but recommended is A (TDE) so I would go with that one instead....
https://azure.microsoft.com/en-gb/blog/transparent-data-encryption-or-always-encrypted/
https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/always-encrypted-database-engine?view=sql-server-ver15
On a second thought and because the requirement is to "recommend a solution for protecting the content of the payment processing system." and because we are handling sensitive data (payments) D might be the 'most' correct answer for the current scenario.
Since it's a payment processing system, it's possible that it will contain details such as people's credit cards. On that note, I'd select the most secure option, randomised.
C should be the answer
Randomized is more secure than deterministic
Deterministic gives space to guess the key.
https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/always-encrypted-database-engine?view=sql-server-ver15#:~:text=Deterministic%20encryption%20always%20generates%20the,any%20given%20plain%20text%20value.&text=Randomized%20encryption%20uses%20a%20method,and%20joining%20on%20encrypted%20columns.
Requirements:
- Encrypt data in transit and at rest
- Only the front-end and middle-tier components must be able to access the encryption keys that protect the data store.
- The middle-tier and the web front end must continue to operate without any additional configurations.
- Minimize the effort required to modify the middle-tier API and the back-end tier of the payment processing system
- Host the middle tier of the payment processing system on a virtual machine.
Possible Answers
A. Transparent Data Encryption (TDE)
- encrypts the storage of an entire database at rest only
B. Azure Storage Service Encryption
- only encrypts data at rest and won't help with our database
C. Always Encrypted with randomized encryption
- is transparent
- is currently supported in .NET Framework Data Provider for SQL Server (so matches our technology stack)
- more secure than "deterministic encryption"
D. Always Encrypted with deterministic encryption
- same applies as for answer C, although not that secure
Conclusion: Answer C)
Use deterministic encryption for columns that will be used as search or grouping parameters. For example, a government ID number. Use randomized encryption for data such as confidential investigation comments, which aren't grouped with other records and aren't used to join tables.
Since we are dealing with payment systems and not just isolated data like comments it would appear Deterministic encryption is recommended.
Matze2ooo, good comments always. Thank you.
You miss something this time. First of all, there is no specific requirement demanding more security than the security obtained by the deterministic option. Thus, there is no obligation, based on requirements, to select C. In such a case, it is up to you to decide what is best considering the context. Keep in mind that the non-deterministic option does not allow for querying and comparisons. Do you believe that you will be in a position to run such a system without them? Hardly so. Based on that alone I would choose deterministic.
In any case, in the case study you have a hint: "The middle-tier API uses the Entity Framework to communicate to the SQL Server database." Where “Entity Framework Core is a modern object-database mapper for .NET. It supports LINQ queries, change tracking, updates, and schema migrations.”
Thanks for pointing that out. I went through the docs again and I think I would now use deterministic over randomized as well (for the reasons you have stated).