nerdexam
CompTIA

CV0-003 · Question #437

A company is using storage-as-a-service from an IaaS provider for application services. The company has a mandate to protect personal information being stored on the cloud. The service provided includ

The correct answer is C. Implement centralized key management.. Centralized key management lets the company retain independent control over the encryption keys used to protect personal data stored in the IaaS provider's cloud, ensuring data confidentiality even if the provider's infrastructure is compromised.

Security

Question

A company is using storage-as-a-service from an IaaS provider for application services. The company has a mandate to protect personal information being stored on the cloud. The service provided includes encryption for in-transit data and requires a security solution for data-at-rest. Which of the following should be deployed to secure the personal information?

Options

  • AImplement data tokenization.
  • BImplement hardware-based encryption.
  • CImplement centralized key management.
  • DImplement database-embedded encryption.

How the community answered

(41 responses)
  • A
    5% (2)
  • B
    5% (2)
  • C
    78% (32)
  • D
    12% (5)

Why each option

Centralized key management lets the company retain independent control over the encryption keys used to protect personal data stored in the IaaS provider's cloud, ensuring data confidentiality even if the provider's infrastructure is compromised.

AImplement data tokenization.

Data tokenization replaces sensitive values with non-sensitive surrogate tokens and is suited to specific use cases like payment card data, not a general-purpose solution for encrypting all personal data-at-rest across a cloud storage service.

BImplement hardware-based encryption.

Hardware-based encryption relies on physical hardware under the IaaS provider's control, which means the provider manages the encryption boundary and the company does not independently control key access.

CImplement centralized key management.Correct

Centralized key management separates cryptographic key custody from the physical storage managed by the IaaS provider, meaning the provider cannot access plaintext data without the company's keys. This approach directly satisfies the mandate to protect personal information at rest because encryption is applied by the company using keys the provider never holds, and key lifecycle operations such as rotation and revocation remain under the company's control.

DImplement database-embedded encryption.

Database-embedded encryption applies only to data stored within a specific database engine and does not address the broader storage-as-a-service scenario where personal data may reside in object or block storage outside a database.

Concept tested: Cloud data-at-rest protection with centralized key management

Source: https://csrc.nist.gov/publications/detail/sp/800-57-part-1/rev-5/final

Topics

#data-at-rest encryption#key management#data protection#IaaS

Community Discussion

No community discussion yet for this question.

Full CV0-003 Practice