Basic Concept: When a storage misconfiguration exposes data, the question asks which encryption type would have preserved the confidentiality of data held in that misconfigured storage. The three states of data (at rest, in transit, and in use) each call for a different encryption mechanism, and the state a control covers decides whether it helps in a given exposure. CompTIA SecAI+ Study Guide covers encryption states and their applicability to AI data protection.
Why D is Correct: Encryption at rest protects data stored in databases, file systems, and storage media by encrypting it so that a party who reaches the storage through a misconfiguration obtains only ciphertext and cannot read it without the decryption key. Because the exposure came from a storage misconfiguration that granted access to stored data, encryption at rest would have kept the customer information confidential despite that access. The protection holds only when the key is not reachable through the same misconfigured path: keys belong in a separate key-management service with its own access policy, and a transparent provider-side encryption layer that decrypts for anyone the storage ACL admits gives no protection against an ACL misconfiguration.
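The following Go program is an added illustration, not code from the study guide or from any product it describes. It models the scenario: a hypothetical `ObjectStore` map stands in for a bucket whose misconfigured ACL hands an outsider the raw bytes, and a constructed sample record is written to it once in the clear and once sealed with AES-256-GCM under a data-encryption key held elsewhere. `ExposedPlaintext` answers the exam's question for each case, including the caveat that a key co-located with the storage defeats the control.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed sample record (not real data) of the kind an AI pipeline persists.
var sampleRecord = []byte(`{"customer_id":"C-1001","email":"alice@example.test","notes":"credit limit 12000"}`)

// ObjectStore is a hypothetical stand-in for a bucket or blob container. A
// misconfigured ACL hands an outsider exactly what this map holds: the bytes.
type ObjectStore map[string][]byte

// NewDEK returns a fresh 256-bit data-encryption key. In a real deployment it
// comes from a KMS/HSM with its own access policy, never from the same store.
func NewDEK() ([]byte, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	return dek, nil
}

// EncryptAtRest seals plaintext with AES-256-GCM; the random nonce is prefixed
// to the ciphertext so the stored object carries what decryption needs.
func EncryptAtRest(dek, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptAtRest reverses EncryptAtRest. GCM authentication means a wrong key
// yields an error rather than garbage, so a caller cannot silently mis-decrypt.
func DecryptAtRest(dek, stored []byte) ([]byte, error) {
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(stored) < gcm.NonceSize() {
		return nil, errors.New("stored object shorter than nonce")
	}
	nonce, ct := stored[:gcm.NonceSize()], stored[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// PutEncrypted writes an object so that only the DEK holder can read it back.
func PutEncrypted(store ObjectStore, name string, dek, plaintext []byte) error {
	ct, err := EncryptAtRest(dek, plaintext)
	if err != nil {
		return err
	}
	store[name] = ct
	return nil
}

// ExposedPlaintext models the incident: an outsider who obtained the store via
// the misconfiguration, holding whatever key they have (nil for none), tries to
// recover the record. It returns true only if the plaintext is actually readable.
func ExposedPlaintext(store ObjectStore, name string, attackerKey []byte) bool {
	obj, ok := store[name]
	if !ok {
		return false
	}
	if bytes.Contains(obj, []byte(`"customer_id"`)) {
		return true // stored in the clear: the ACL error leaks it directly
	}
	if attackerKey == nil {
		return false
	}
	_, err := DecryptAtRest(attackerKey, obj)
	return err == nil
}

func main() {
	dek, err := NewDEK()
	if err != nil {
		panic(err)
	}
	const name = "customers/C-1001.json"
	clear := ObjectStore{name: sampleRecord}
	sealed := ObjectStore{}
	if err := PutEncrypted(sealed, name, dek, sampleRecord); err != nil {
		panic(err)
	}
	otherKey, _ := NewDEK()
	fmt.Println("no encryption at rest, exposed:   ", ExposedPlaintext(clear, name, nil))
	fmt.Println("encrypted, attacker lacks DEK:    ", ExposedPlaintext(sealed, name, otherKey))
	fmt.Println("encrypted, attacker also got DEK: ", ExposedPlaintext(sealed, name, dek))
}
```

The third line of output is the practitioner's check: if the misconfiguration that exposed the bucket also exposes the key (a key file in the same bucket, or a storage-side encryption layer that decrypts for any principal the ACL admits), encryption at rest no longer answers the question, and the key's access policy becomes the real control.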
Why A is Wrong: Model encryption specifically protects AI model weights and parameters from unauthorized access. It does not protect customer data stored in databases or data stores associated with the AI system.
Why B is Wrong: Encryption in transit (TLS) protects data while it moves between components over a network, against interception or tampering on the wire. A party granted access to the storage by the misconfiguration is a legitimate endpoint of that connection, so the storage service decrypts the channel and delivers the data to them in the clear; in-transit encryption therefore does nothing for data whose exposure comes from the storage itself.
Why C is Wrong: Encryption in use (homomorphic encryption or confidential computing) protects data while it is being actively processed in memory. It addresses runtime processing security, not the confidentiality of data stored in misconfigured storage that is not currently being processed.