
Answer-first summary for fast verification
Answer: Migrate the application to Confidential VMs to provide hardware-level encryption of memory and protect sensitive data during processing.
The question specifically addresses mitigating sophisticated side-channel attacks during application runtime while protecting data confidentiality during processing. Option C (Migrate to Confidential VMs) is optimal because Confidential VMs provide hardware-level memory encryption using AMD SEV or Intel TDX technology, creating isolated execution environments that prevent unauthorized access to memory contents even from privileged system software or hypervisors. This directly addresses side-channel attack risks without requiring code modifications, which is crucial given the poorly understood legacy code. The community discussion shows 100% consensus on C, with references to Google's Confidential Computing documentation. Option A focuses on access controls but doesn't address memory-based side-channel attacks. Option B suggests runtime modifications that could introduce application problems and may not be effective against sophisticated hardware-level side-channels. Option D (CMEK) protects data at rest but doesn't address runtime memory protection against side-channel attacks.
Author: LeetQuiz Editorial Team
Your organization's financial modeling application, which processes large volumes of sensitive customer financial data, is deployed on Google Cloud. The application's legacy code is not well understood by the current engineering team. Recent threat modeling has identified a significant risk of sophisticated side-channel attacks during application runtime. You need to harden the Google Cloud deployment to mitigate this risk and provide maximum protection for the confidentiality of financial data during processing, while minimizing application disruption. What should you do?
A. Enforce stricter access controls for Compute Engine instances by using service accounts, least-privilege IAM policies, and limited network access.
B. Implement a runtime library designed to introduce noise and timing variations into the application's execution, which will disrupt side-channel attacks.
C. Migrate the application to Confidential VMs to provide hardware-level encryption of memory and protect sensitive data during processing.
D. Utilize customer-managed encryption keys (CMEK) to ensure complete control over the encryption process.