ISC2 Certified Cloud Security Professional (CCSP) Practice Question
Your organization needs to copy its on-premises customer database that contains names, email addresses, and credit-card PANs into a public-cloud development subscription. Developers require data that looks and behaves like production values for functional testing, but compliance demands that the cloud copy never expose real customer identities and that the transformation be irreversible. Which data-obfuscation approach BEST satisfies these requirements?
Apply vault-based tokenization so developers can detokenize data on demand.
Replace sensitive columns with NULL values during extract to the cloud.
Substitute each sensitive field with realistic, format-preserving fictional values through static data masking before export.
Encrypt sensitive fields using format-preserving encryption keys stored on-premises for later decryption.
Static data masking that applies format-preserving substitution overwrites every sensitive value with a fictitious value that retains the original data type, length, and pattern (for example, replacing a 16-digit credit-card PAN with another valid-looking 16-digit number). The masking engine may use an internal secret or seed to generate the replacement values, but because it keeps no lookup table and the key or seed can be destroyed after masking, the cloud copy cannot be reverted to the original data, satisfying the requirement for irreversibility while still giving developers realistic test data.
Format-preserving encryption, on the other hand, is designed to be decrypted whenever the key is available, and vault-based tokenization always allows detokenization via the vault, so both violate the "never expose" mandate. Simply replacing the columns with NULL removes the realistic patterns that functional tests rely on, making it unsuitable for development use.
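The following Python sketch is an added example, not part of the original question or its explanation. It masks names, email addresses and PANs with same-format, Luhn-valid fictional values derived from a one-time secret that is discarded after the run. The name pools, the `example.test` domain, the HMAC-based derivation and all function names are assumptions chosen for illustration, and the sample rows are constructed.

```python
import hashlib
import hmac
import secrets

FIRST = ["Alex", "Dana", "Jordan", "Morgan", "Riley", "Sam"]    # constructed pools
LAST = ["Avery", "Brooks", "Carver", "Ellis", "Hayes", "Quinn"]

def luhn_check_digit(body: str) -> str:
    """Return the digit that makes body + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:      # positions that are doubled once the check digit is appended
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str(-total % 10)

def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and luhn_check_digit(pan[:-1]) == pan[-1]

def _prf(key: bytes, field: str, value: str) -> int:
    """Keyed one-way mapping: the same input maps to the same output within one run."""
    mac = hmac.new(key, f"{field}\x00{value}".encode(), hashlib.sha256).digest()
    return int.from_bytes(mac, "big")

def mask_pan(key: bytes, pan: str) -> str:
    """Fictional PAN with the original length and a correct check digit."""
    n = _prf(key, "pan", pan)
    body = str(n % 10 ** (len(pan) - 1)).zfill(len(pan) - 1)
    return body + luhn_check_digit(body)

def mask_row(key: bytes, row: dict) -> dict:
    n = _prf(key, "name", row["name"])
    first, last = FIRST[n % len(FIRST)], LAST[(n // len(FIRST)) % len(LAST)]
    tag = _prf(key, "email", row["email"]) % 10**6
    return {"name": f"{first} {last}",
            "email": f"{first}.{last}.{tag:06d}@example.test".lower(),
            "pan": mask_pan(key, row["pan"])}

def mask_table(rows: list) -> list:
    key = secrets.token_bytes(32)    # one-time secret, never stored or exported
    masked = [mask_row(key, r) for r in rows]
    del key                          # drop the key; no lookup table was ever built
    return masked

ROWS = [  # constructed sample rows using publicly documented test PANs
    {"name": "Jane Roe", "email": "jane.roe@example.com", "pan": "4111111111111111"},
    {"name": "John Doe", "email": "john.doe@example.com", "pan": "5500005555555559"},
]
```

Because the mapping is keyed, repeated values mask consistently within one run, which keeps joins between masked tables working; only `mask_table(ROWS)` output should ever leave the on-premises environment.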