ISC2 Certified Cloud Security Professional (CCSP) Practice Question
A security architect is designing an on-premises OpenStack deployment. Corporate policy states that every compute host must validate the integrity of its BIOS, bootloader, and type-1 hypervisor at power-on, and must be able to prove its trusted state to the cloud controller before any tenant workloads are started. The team wants to use the cryptographic chip that is already soldered onto most enterprise server motherboards and avoid adding external devices. Which mechanism BEST satisfies these requirements?
Use self-encrypting drives (SEDs) that automatically wipe keys on reboot to prevent unauthorized boot tampering.
Deploy Network Access Control (NAC) using 802.1X to authenticate servers before they join the management VLAN.
Implement a Trusted Platform Module (TPM) on each host and enable secure/measured boot with remote attestation.
Install a dedicated Hardware Security Module (HSM) cluster to store encryption keys for the hypervisor.
A Trusted Platform Module (TPM) provides a hardware root of trust that can securely store cryptographic measurements of the BIOS, bootloader, and hypervisor during the boot process. Using secure or measured (trusted) boot, the TPM can sign these measurements so that a remote attestation service-such as OpenStack's Trusted Compute or cloud-provider-specific attestation services-can verify that the host has not been tampered with before allowing it to join the resource pool.
A Hardware Security Module (HSM) mainly protects cryptographic keys for applications and does not measure or attest to the integrity of the boot chain. Network Access Control (802.1X) governs port-level network admission and does nothing to ensure firmware or hypervisor integrity. Self-encrypting drives safeguard data at rest but cannot validate the overall platform's software stack at boot time. Therefore, deploying TPM-based secure/trusted boot is the correct control to meet the stated policy.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a Trusted Platform Module (TPM)?
Open an interactive chat with Bash
How does secure/measured boot work with a TPM?
Open an interactive chat with Bash
What is remote attestation in relation to TPM?
Open an interactive chat with Bash
ISC2 Certified Cloud Security Professional (CCSP)
Cloud Security Operations
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .