CISSP Question #844: Real Exam Question with Answer & Explanation

The correct answer is B: Strong encryption and deletion of the virtual host after data is deleted.

Submitted by joshua94 · Mar 5, 2026 · Asset Security

Question

Which of the following BEST avoids data remanence disclosure for cloud-hosted resources?

Options

  • A. Strong encryption and deletion of the keys after data is deleted.
  • B. Strong encryption and deletion of the virtual host after data is deleted.
  • C. Software-based encryption with two-factor authentication.
  • D. Hardware-based encryption on dedicated physical servers.

Explanation

Data remanence in cloud environments refers to residual data that persists after deletion. For cloud-hosted (typically virtualized) resources, destroying the virtual host ensures the underlying storage is fully deprovisioned and inaccessible.

Common mistakes.

  • A. Deleting only the encryption keys leaves the encrypted data still present on the underlying storage media, meaning a sufficiently motivated adversary with access to the raw storage could potentially recover ciphertext and wait for cryptanalytic advances, and the virtual disk or storage volume itself is not deprovisioned.
  • C. Software-based encryption with two-factor authentication addresses access control and data-in-use protection but does not specifically address data remanence, as residual data can still persist on storage media after deletion regardless of the authentication mechanism used.
  • D. Hardware-based encryption on dedicated physical servers applies to on-premises or bare-metal deployments and is not applicable to cloud-hosted (virtualized, multi-tenant) resources; it also does not address the remanence problem inherent to shared or virtualized cloud storage environments.

Concept tested. Data remanence mitigation for cloud-hosted virtual resources

Reference. https://learn.microsoft.com/en-us/azure/security/fundamentals/data-encryption-best-practices

Topics

#data remanence · #cloud security · #data deletion · #virtual host
