An organization, which handles large volumes of PII, allows mobile devices that can process, store, and transmit PII and other sensitive data to be issued to employees. Security assessors can demonstrate recovery and decryption of remnant sensitive data from device storage after MDM issues a successful wipe command. Assuming availability of the controls, which of the following would BEST protect against the loss of sensitive data in the future?
A. Implement a container that wraps PII data and stores keying material directly in the container’s encrypted application space.
B. Use encryption keys for sensitive data stored in an eFuse-backed memory space that is blown during remote wipe.
C. Issue devices that employ a stronger algorithm for the authentication of sensitive data stored on them.
D. Procure devices that remove the bootloader binaries upon receipt of an MDM-issued remote wipe command.