Crucial Exams

ISC2 Certified Cloud Security Professional (CCSP) Practice Question

A hospital is migrating a database that contains protected health information (PHI) to an IaaS provider. Compliance policy requires that the cloud operator must never be able to read the data, and internal auditors insist on a clear separation of duties for cryptographic key administration. Which design choice BEST meets both requirements while keeping management overhead low?

  • Hash personally identifying columns at the application layer but leave the rest of the database in plaintext.

  • Encrypt the data on-premises and store the customer-owned keys in an on-premises HSM that is integrated with the application via KMIP.

  • Rely on the provider's default storage-level encryption service and let the provider manage the master keys.

  • Use the provider's KMS but allow joint key custody, giving both cloud administrators and the customer security team full access to the keys.

ISC2 Certified Cloud Security Professional (CCSP)
Cloud Data Security
Your Score:
Settings & Objectives
Random Mixed
Questions are selected randomly from all chosen topics, with a preference for those you haven’t seen before. You may see several questions from the same objective or domain in a row.
Rotate by Objective
Questions cycle through each objective or domain in turn, helping you avoid long streaks of questions from the same area. You may see some repeat questions, but the distribution will be more balanced across topics.

Check or uncheck an objective to set which questions you will receive.

Wipe Score
Bash, the Crucial Exams Chat Bot
AI Bot