ISC2 Certified Cloud Security Professional (CCSP) Practice Question
Your company is moving sensitive PII datasets into a public cloud object store. Regulations require that only your organization, not the provider, can access the cryptographic keys protecting the data while still allowing the service to perform server-side processing such as lifecycle tiering. Which data protection approach best satisfies these requirements?
Applying application-layer tokenization while storing the token vault and encryption keys in the provider's key management service.
Encrypting only the storage disks on the provider's infrastructure with keys generated and held by the provider.
Server-side encryption using provider-managed symmetric keys that the cloud service automatically rotates.
Client-side encryption with customer-managed keys stored in an on-premises HSM and imported to the cloud via a bring-your-own-key interface.
Because the organization must retain exclusive control of the keys while still taking advantage of the cloud service's native features, the keys should be generated and escrowed by the customer and then supplied to the provider's key management service for server-side encryption. Using client-side encryption with customer-managed keys delivered through a bring-your-own-key (BYOK) process meets this need: the data is encrypted before it leaves the enterprise, and the provider receives only an imported key that the customer can revoke or replace at any time. Relying on provider-managed keys (server-side or disk-level encryption) violates the requirement for sole key control. Tokenization that stores surrogate values or keys in the provider's vault also fails to meet the mandate because the provider would hold the sensitive mapping information.
ISC2 Certified Cloud Security Professional (CCSP)
Cloud Data Security