ISC2 Certified Cloud Security Professional (CCSP) Practice Question
Your SaaS development team will store customer personally identifiable information (PII) in a multitenant database hosted on a public IaaS provider. Corporate policy states that cloud-provider personnel must be technically prevented from viewing customer data, while the application itself must retain full read/write capability. Which cryptographic design decision best satisfies this requirement with the least operational complexity?
Apply volume-level encryption on the virtual machine disks using provider-supplied keys
Rely on TLS for all database connections and disable at-rest encryption to avoid key-management overhead
Enable the provider's server-side encryption service with provider-managed keys
Encrypt data on the client before transmission using keys stored in an on-premises Hardware Security Module integrated with a cloud KMS
Encrypting data on the client side with keys that remain under the customer's exclusive control ensures that ciphertext, not plaintext, is delivered to the cloud service. Because the keys are generated and held in an on-premises Hardware Security Module (HSM) that integrates with a cloud key-management service through secure APIs, the cloud provider never gains access to either the plaintext data or the encryption keys, fulfilling the requirement to prevent provider personnel from reading the PII. Server-side or volume-level encryption with provider-managed keys still exposes the keys to the provider's control, and relying solely on TLS secures data in transit but leaves it unprotected at rest. Therefore, client-side encryption with customer-managed keys is the most appropriate choice with minimal additional operational burden beyond key management that the organization already performs on-premises.
Cloud Application Security