In an effort for your company messaging app to comply with FIPS 140-2, a decision was made to use GCP compute and network services.
The messaging app architecture includes a Managed Instance Group (MIG) that controls a cluster of Compute Engine instances.
The instances use Local SSDs for data caching and UDP for instance-to-instance communications.
The app development team is willing to make any changes necessary to comply with the standard Which options should you recommend to meet the requirements?
Click on the arrows to vote for the correct answer
A. B. C. D.D.
To comply with FIPS 140-2, the company messaging app needs to meet certain security requirements, including the use of encryption for data at rest and in transit. The app architecture includes a Managed Instance Group (MIG) that controls a cluster of Compute Engine instances. The instances use Local SSDs for data caching and UDP for instance-to-instance communications.
Option A: Encrypt all cache storage and VM-to-VM communication using the BoringCrypto module. This option suggests using the BoringCrypto module to encrypt both the cache storage and the instance-to-instance communication. BoringCrypto is a cryptographic library developed by Google that provides low-level cryptographic primitives. This option can help the messaging app comply with FIPS 140-2, as it provides encryption for both data at rest and in transit. However, it does not address the use of UDP for instance-to-instance communications, which may not be compliant with FIPS 140-2.
Option B: Set Disk Encryption on the Instance Template used by the MIG to customer-managed key and use BoringSSL for all data transit between instances. This option suggests using customer-managed key encryption for disk encryption on the instance template used by the MIG and using BoringSSL for all data transit between instances. BoringSSL is a TLS library developed by Google. This option can help the messaging app comply with FIPS 140-2, as it provides encryption for both data at rest and in transit. However, it does not address the use of UDP for instance-to-instance communications, which may not be compliant with FIPS 140-2.
Option C: Change the app instance-to-instance communications from UDP to TCP and enable BoringSSL on clients' TLS connections. This option suggests changing the instance-to-instance communications from UDP to TCP and enabling BoringSSL on clients' TLS connections. TCP is a more reliable and secure protocol than UDP, and BoringSSL provides encryption for TLS connections. This option can help the messaging app comply with FIPS 140-2, as it provides encryption for data in transit and improves the reliability and security of instance-to-instance communications. However, it does not address data at rest encryption.
Option D: Set Disk Encryption on the Instance Template used by the MIG to Google-managed Key and use BoringSSL library on all instance-to-instance communications. This option suggests using Google-managed key encryption for disk encryption on the instance template used by the MIG and using BoringSSL for all instance-to-instance communications. This option can help the messaging app comply with FIPS 140-2, as it provides encryption for data at rest and in transit. However, it does not address the use of UDP for instance-to-instance communications, which may not be compliant with FIPS 140-2.
Overall, Option C appears to be the best option as it addresses both data at rest and in transit encryption, and also improves the reliability and security of instance-to-instance communications. However, depending on the specific requirements of FIPS 140-2 compliance, other options may also be viable.