ISC2 Certified Cloud Security Professional (CCSP) Practice Question
Your organization stores sensitive customer data in a public cloud provider's object storage. The objects are encrypted with keys you control using a client-side KMS. The contract stipulates that all customer data must be permanently destroyed within 24 hours of service termination, yet you have no access to the provider's physical media. Which data-deletion method best satisfies both the timing and assurance requirements?
Request the provider to degauss all drives that may contain your objects and supply a destruction certificate.
Instruct the provider to run a DoD 5220.22-M three-pass overwrite on the storage disks.
Immediately revoke and securely destroy the encryption keys used for the objects (cryptographic erasure).
Issue a TRIM command to force secure erase of each SSD block holding the data.
Cryptographic erasure (crypto-shredding) renders cloud-resident data unreadable by irrevocably destroying the encryption keys while leaving the encrypted blocks in place. Because the customer controls the keys, key destruction can be performed immediately and independently of the provider's physical media handling processes, meeting the 24-hour deadline and providing auditable proof of destruction.
Overwriting media with DoD 5220.22-M patterns or issuing TRIM commands depends on the provider's willingness and ability to locate every replica, which may span multiple systems and may not complete within 24 hours. Requesting drive degaussing likewise relies on provider action, is infeasible with shared or solid-state drives, and cannot be executed selectively for specific tenants. Therefore, key destruction via cryptographic erasure is the most reliable choice in a cloud environment.
Cloud Data Security