You are part of an EU team that uses cloud computing tools to share confidential documents with external delegations. To comply with security and data protection principles, which is the most effective measure to protect these files at rest (stored) and in transit (in motion) without compromising the functionality of the cloud?
option_A: Use network firewalls exclusively to block all external access, preventing any EU user from accessing the documents from their devices.
option_B: Apply end-to-end encryption (E2EE) to the files before uploading them to the cloud and configure role-based access controls for authorized personnel.
option_C: Remove metadata from the files and change the document names to generic names like 'Document1' to hide their content.
option_D: Save the documents in public folders accessible by any network user to facilitate quick access from any location.
option_E: Compress the files into a ZIP format with a 4-digit password and send them via standard email.
Explanation:

1) **Why the correct answer is correct:** Option B is the fundamental practice of cybersecurity in modern digital environments. End-to-end encryption (E2EE) ensures that data is unreadable to anyone without the decryption key, protecting the information both at rest (on cloud servers) and in transit (while being transferred). Combined with the principle of 'least privilege' (role-based access), this ensures that only authorized personnel can access the information, aligning with EU data protection and security principles.

2) **Why the incorrect options are incorrect:**
- Option D is incorrect because making files public eliminates any protection, exposing confidential data to anyone on the network.
- Option E is incorrect because a 4-digit password is extremely weak and susceptible to brute-force attacks in seconds; sending files via standard email without additional encryption is an insecure practice.
- Option C is incorrect because hiding metadata and using generic names does not encrypt the data; anyone with access to the file can read its content. This is 'security through obscurity' (or 'dark security'), which does not protect against real unauthorized access.
- Option A is incorrect because blocking all external access nullifies the utility of cloud computing for collaboration. Security should not mean a total block, but rather granular and secure access control.

3) **Quick tip:** In the exam, if an option combines 'encryption' with 'access control,' it is almost always the correct answer in digital security questions, as it addresses both data protection and infrastructure security.