nerdexam
EC-Council

312-50V13 · Question #590

You work as a cloud security specialist at SkyNet Solutions. One of your clients is a healthcare organization that plans to migrate its electronic health record (EHR) system to the cloud. This system

The correct answer is D. Use client-side encryption and manage encryption keys independently of the CSP.. To ensure a cloud service provider cannot decrypt sensitive EHR data, client-side encryption with independent key management is the most suitable strategy.

Submitted by parkjh· Mar 6, 2026Cloud Computing

Question

You work as a cloud security specialist at SkyNet Solutions. One of your clients is a healthcare organization that plans to migrate its electronic health record (EHR) system to the cloud. This system contains highly sensitive personal and medical data. As part of your job, you need to ensure the security and privacy of this data while it is being transferred and stored in the cloud. You recommend that data should be encrypted during transit and at rest. However, you also need to ensure that even if a cloud service provider(CSP) has access to encrypted data, they should not be able to decrypt it. Which of the following would be the most suitable strategy to meet this requirement?

Options

  • ARely on network-level encryption protocols for data transfer.
  • BUse SSL/TLS for data transfer and allow the CSP to manage encryption keys.
  • CUtilize the CSP's built-in data encryption services.
  • DUse client-side encryption and manage encryption keys independently of the CSP.

How the community answered

(14 responses)
  • A
    7% (1)
  • C
    14% (2)
  • D
    79% (11)

Why each option

To ensure a cloud service provider cannot decrypt sensitive EHR data, client-side encryption with independent key management is the most suitable strategy.

ARely on network-level encryption protocols for data transfer.

Network-level encryption protocols protect data in transit but do not prevent the CSP from accessing or decrypting data once it is at rest on their servers if they manage the encryption keys.

BUse SSL/TLS for data transfer and allow the CSP to manage encryption keys.

Relying on SSL/TLS for data transfer is essential for transit, but allowing the CSP to manage encryption keys means the CSP could potentially decrypt the data stored at rest.

CUtilize the CSP's built-in data encryption services.

Utilizing the CSP's built-in data encryption services typically means the CSP manages the encryption keys, which allows them to decrypt the data, failing to meet the specific requirement.

DUse client-side encryption and manage encryption keys independently of the CSP.Correct

Client-side encryption, where data is encrypted before being sent to the cloud, combined with the client managing the encryption keys independently of the CSP, ensures that the CSP only receives and stores encrypted data and has no means to decrypt it. This provides the highest level of data confidentiality as the organization retains full control over the decryption process.

Concept tested: Client-side encryption and key management

Source: https://learn.microsoft.com/en-us/azure/security/fundamentals/encryption-overview

Topics

#Cloud security#Data encryption#Client-side encryption#Key management

Community Discussion

No community discussion yet for this question.

Full 312-50V13 Practice