ISC2 Certified Cloud Security Professional (CCSP) Practice Question
Your organization is evaluating a SaaS CRM platform. Compliance regulations mandate that encryption keys must never be exposed to the cloud provider, and internal policy requires that security staff can rotate or revoke the keys at any time without assistance from the provider. Which key-management pattern offered by many major public clouds best satisfies these requirements?
Dual-party key escrow where the provider retains one key share
Provider-managed envelope encryption using server-side keys
Bring Your Own Key (BYOK) with a provider-hosted HSM
Hold Your Own Key (HYOK) with a customer-controlled HSM
Hold Your Own Key (HYOK) keeps the cryptographic keys entirely under the customer's control, typically in an on-premises or customer-managed HSM. Because the key material never leaves the customer's security boundary, provider personnel cannot access the plaintext key, and the customer can independently perform key rotation or revocation whenever needed.
Bring Your Own Key (BYOK) improves control but the key is still imported into the provider's HSM, so the provider could theoretically access it and must participate in rotation. Provider-managed envelope encryption relies completely on keys generated and controlled by the cloud service, giving the customer little control. Dual-party key escrow splits the key, but the provider still holds a share, so it does not meet the "never exposed" requirement.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is HYOK and how does it work?
Open an interactive chat with Bash
What is the difference between BYOK and HYOK?
Open an interactive chat with Bash
What is an HSM and why is it important for key management?
Open an interactive chat with Bash
ISC2 Certified Cloud Security Professional (CCSP)
Cloud Concepts, Architecture and Design
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .