ISC2 Certified Cloud Security Professional (CCSP) Practice Question
Your organization stores sensitive customer data in a public cloud object storage service that supports several encryption modes. Compliance mandates that cryptographic keys must never persist within the provider's environment, yet developers prefer to rely on native server-side encryption so they can keep existing workflows unchanged. Which key management option best satisfies both the compliance requirement and the operational preference?
Generate a customer master key in the provider's dedicated hardware security module service and grant the storage service access to it for encryption
Implement client-side encryption in the application and store the data-encryption keys in the cloud provider's managed key management service
Rely on the provider's default server-side encryption with provider-managed keys stored in a multi-tenant key management service
Configure server-side encryption with customer-provided keys supplied on every request, allowing the provider to encrypt objects without storing the key
Server-side encryption with customer-provided keys (often called SSE-C or a hold-your-own-key model) lets clients send a fresh symmetric key with each storage request. The cloud service uses that key to encrypt or decrypt the object in-flight and retains only a non-reversible hash for verification, discarding the key itself after the operation. Because the key is never written to or managed by the provider, the compliance requirement that no key material be stored in the cloud environment is met. At the same time, encryption and decryption still occur on the server side, so application workflows need no change. By contrast, provider-managed default keys and customer master keys generated in a provider-hosted HSM are stored in the cloud and violate the requirement, while client-side encryption off-loads all cryptographic processing to the application and does not use server-side encryption.
Cloud Data Security