nerdexam
(ISC)2

CISSP · Question #1378

What is the MOST effective way to ensure that a cloud service provider does not access a customer's data stored within its infrastructure?

The correct answer is A. Use the organization's encryption tools and data management controls.. To prevent a cloud service provider from accessing customer data, the customer must retain full control of encryption keys and data management tooling independently of the provider.

Submitted by layla.eg· Mar 5, 2026Asset Security

Question

What is the MOST effective way to ensure that a cloud service provider does not access a customer's data stored within its infrastructure?

Options

  • AUse the organization's encryption tools and data management controls.
  • BEnsure that the cloud service provider will contractually not access data unless given explicit
  • CRequest audit logs on a regular basis.
  • DUtilize the cloud provider's key management and elastic hardware security module (HSM)

How the community answered

(31 responses)
  • A
    65% (20)
  • B
    19% (6)
  • C
    6% (2)
  • D
    10% (3)

Why each option

To prevent a cloud service provider from accessing customer data, the customer must retain full control of encryption keys and data management tooling independently of the provider.

AUse the organization's encryption tools and data management controls.Correct

Using the organization's own encryption tools and data management controls means the customer holds the encryption keys entirely outside the cloud provider's reach, making the data cryptographically inaccessible to the provider even if they have physical or logical access to the underlying storage. This approach implements a 'bring your own key' (BYOK) or 'hold your own key' (HYOK) model where the provider cannot decrypt data without the customer's keys. It is the only purely technical control that removes provider access without relying on trust or contracts.

BEnsure that the cloud service provider will contractually not access data unless given explicit

Contractual agreements are legal controls, not technical ones, and cannot technically prevent a provider from accessing data - they only create legal liability after a breach of trust has already occurred.

CRequest audit logs on a regular basis.

Requesting audit logs is a detective control that identifies access after the fact but does nothing to prevent the cloud provider from accessing data in the first place.

DUtilize the cloud provider's key management and elastic hardware security module (HSM)

Using the cloud provider's own key management service or HSM means the provider still controls or has access to the key material, which does not prevent them from decrypting and accessing the customer's data.

Concept tested: Customer-managed encryption keys to prevent provider data access

Source: https://learn.microsoft.com/en-us/azure/security/fundamentals/encryption-overview

Topics

#cloud security#data encryption#data ownership#BYOK#CSP responsibility

Community Discussion

No community discussion yet for this question.

Full CISSP Practice