A cloud security architect is designing a multi-tier application that processes sensitive customer data. To protect data in transit between the web tier and the application tier, which of the following is the MOST appropriate approach?
mTLS provides bidirectional authentication and encryption, ideal for service-to-service communication.
Why this answer
Mutual TLS (mTLS) is the most appropriate approach because it provides bidirectional authentication and encryption between the web tier and application tier. In a multi-tier application processing sensitive customer data, mTLS ensures that both the client (web tier) and server (application tier) present valid certificates, preventing man-in-the-middle attacks and unauthorized inter-tier communication. This is critical for protecting data in transit in zero-trust or internal network segments where simple server-side TLS would not verify the identity of the calling service.
Exam trap
ISC2 often tests the misconception that standard TLS (server-side only) is sufficient for internal service-to-service communication. The trap is that without mutual authentication, an attacker who compromises the web tier could impersonate it to the application tier, or a rogue service could connect to the application tier undetected.
How to eliminate wrong answers
Option A is wrong because standard TLS with server-side certificates only authenticates the server to the client, but does not authenticate the client (web tier) to the application tier, leaving the application tier vulnerable to unauthorized or spoofed connections.

Option B is wrong because SSH tunnels provide point-to-point encryption but are designed for interactive shell access or port forwarding, not for high-throughput, persistent inter-tier service communication; they introduce management overhead and lack the certificate-based identity verification that mTLS offers for service-to-service authentication.

Option D is wrong because IPsec VPN operates at the network layer and encrypts all traffic between subnets, but it is overly complex for application-layer communication, adds latency, and does not provide application-level identity verification between specific services; it is more suited to site-to-site connectivity than to fine-grained inter-tier authentication.