ISC2 Certified Cloud Security Professional (CCSP) Practice Question
A healthcare provider is migrating electronic health record data that includes patient Social Security numbers to a multi-tenant SaaS platform. Regulations state the cloud provider must never be able to view the real SSNs, yet the application must still perform exact-match searches on that field and the organization needs the ability to restore the original values during legal discovery. Which data-protection technique best satisfies these requirements?
Format-preserving encryption of the SSN using AES-FF1 with client-side key management
Tokenization of the SSN with a centrally managed on-premises token vault
Irreversible hashing of the SSN with SHA-256 and a unique salt
Static data masking applied to the SSN before upload
Tokenization replaces the sensitive value with a surrogate (token) and stores the original value in a separate, secure token vault that the cloud provider cannot access. Because the same input will always return the same token (deterministic tokenization), the SaaS application can perform equality searches on the tokenized SSN while the real SSN remains hidden. When necessary, the organization can reverse the process by querying the vault to retrieve the original value.
Hashing with a salt is intentionally one-way, so the original SSN cannot be recovered, violating the legal discovery requirement. Static data masking permanently alters or removes sensitive characters, likewise preventing restoration. Format-preserving encryption is reversible, but without giving the provider access to the encryption key the application could not perform direct equality searches on ciphertext, and exposing the key to the SaaS operator would violate the requirement that the provider never see the real data. Therefore, tokenization with an on-premises mapping vault is the most appropriate choice.
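The following Python example is an addition to this page, not part of the original question. It models the deterministic tokenization flow described above: a hypothetical in-memory TokenVault stands in for the on-premises vault, SaaSRecords stands in for the provider's data store, and the class names and sample SSNs are constructed for illustration.

```python
import secrets

class TokenVault:
    """Hypothetical on-premises vault: the only place real SSNs are stored."""
    def __init__(self):
        self._token_by_ssn = {}  # SSN -> token (makes tokenization deterministic)
        self._ssn_by_token = {}  # token -> SSN (detokenization)

    def tokenize(self, ssn):
        digits = ssn.replace("-", "").strip()
        if not (len(digits) == 9 and digits.isascii() and digits.isdigit()):
            raise ValueError("expected a 9-digit SSN")
        if digits not in self._token_by_ssn:
            # Random surrogate with no mathematical relationship to the SSN.
            token = "tok_" + secrets.token_hex(16)
            self._token_by_ssn[digits] = token
            self._ssn_by_token[token] = digits
        return self._token_by_ssn[digits]

    def detokenize(self, token):
        return self._ssn_by_token[token]  # KeyError for an unknown token

class SaaSRecords:
    """Stand-in for the SaaS data store: it only ever receives tokens."""
    def __init__(self):
        self.rows = []

    def insert(self, patient, ssn_token):
        self.rows.append({"patient": patient, "ssn": ssn_token})

    def find_by_ssn(self, ssn_token):
        return [r["patient"] for r in self.rows if r["ssn"] == ssn_token]

def demo():
    vault, saas = TokenVault(), SaaSRecords()
    # Constructed sample values, not real SSNs.
    samples = [("A. Patient", "900-12-3456"), ("B. Patient", "900-65-4321")]
    for patient, ssn in samples:
        saas.insert(patient, vault.tokenize(ssn))
    query = vault.tokenize("900123456")   # same SSN, different formatting
    hits = saas.find_by_ssn(query)        # exact match on tokens only
    restored = vault.detokenize(query)    # legal-discovery path, on-premises
    real = {s.replace("-", "") for _, s in samples}
    provider_sees_ssn = any(r["ssn"] in real for r in saas.rows)
    return hits, restored, provider_sees_ssn

if __name__ == "__main__":
    print(demo())
```

Normalizing the SSN before lookup is what keeps the token stable across input formats; without it, the same number entered with and without dashes would map to two tokens and the equality search would miss.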