Exam CISSP topic 1 question 287 discussion

going for DLP

DLP is the only answer here that will specifically restrict or control data types by label. The question doesn't ask about authorizing users or systems to send data to the cloud, it talks about making sure only the right data goes there. That would be a DLP, which will filter data by sensitivity label and prevent it from leaving the originating source regardless of who or what is trying to send it.

Access Control Lists (ACLs) enforce who or what can send data to the application by defining permissions for users, devices, or network traffic. They ensure only authorized data sources or entities can transmit data to the app.

B. Access control list (ACL) Controls who/what can access a system resource. It restricts access but doesn’t validate the data content being sent. ❌ Doesn’t ensure authorized data. C. Data loss prevention (DLP) Monitors and controls data in motion, at rest, and in use. Can enforce policies to ensure only authorized data types (e.g., no PII, PHI, or restricted data) are sent to the cloud app. Directly matches the requirement of ensuring “authorized data” only goes to the application. ✅ Correct. 👉 Memory Tip: Authorized data control = DLP. DLP = “data police” → only approved data leaves or enters.

ACL ensures authorised users. DLP only prevents data loss

If data is going to the cloud, it is leaving a secure environment therefore DLP should apply.

DLP in my opinion

Access Control Lists are used to specify which users, systems, or applications are authorized to access certain resources, and control which data can be sent to, received from, or processed by an application, especially in a cloud environment.

Data Loss Prevention (DLP) is defined as a set of technologies and policies designed to monitor, detect, and prevent sensitive data from LEAVING a secure environment. ACL is designed for inbound.

Answer is B. The question is discussing an application in the cloud, a.k.a, web application. In a web application, an "ACL" stands for "Access Control List," which is essentially a set of rules that define which users or groups can access specific data within the application and what actions they are allowed to perform on that data, effectively controlling who can read, write, or modify certain information based on their permissions level.

The given answer is A. Just providing another angle, authorized data sent might means only legit traffic to be sent, so HIPS ensure to filter unauthorized/malicious data/traffic to be sent to the application?

From what I understand "sent" means "outbound". DLP can be configured to ensure that only authorized data is sent to and from the application, ensuring that confidential data does not leave the corporate network inappropriately. For inbound data, tools like ACL, firewalls, or IPS are typically more relevant.

Woeful question - ACL due to integration with NAT? Dont see why it's DLP.

How is it DLP? the questions is asking how can we ensure that authorized data is sent to the app. Data Loss Prevention doesnt do this... The only tech that can remotely do this, although not the most effective way, is going to be the ACL based on these answer choices. ACL is the only one that can limit anything going anywhere.

Why not HIPS instead of ACL?

ACL is static and does not understand applications. Cloud services are dynamic, they usual use DNS to reach them. So ACL needs to be update if the Cloud services changes IP. Also if IP is changed, and ACL is not, it could send the correct data to the new IP host address. On top of this how does ACL stops IP spoofing? DLP is at least controlling at contend level which is more appriate, ACL is at the network layer.

Sorry, I wanted to say that I'm going with "B" - ACL