Exam CAS-005 topic 1 question 62 discussion

Actual exam question from CompTIA's CAS-005
Question #: 62
Topic #: 1

A security analyst received the following finding from a cloud security assessment tool:
Virtual Machine Data Disk is encrypted with the default encryption key.
Because the organization hosts highly sensitive data files, regulations dictate it must be encrypted so it is unreadable to the CSP. Which of the following should be implemented to remediate the finding and meet the regulatory requirement? (Choose two.)

  • A. Disk encryption with customer-provided keys
  • B. Disk encryption with keys from a third party
  • C. Row-level encryption with a key escrow
  • D. File-level encryption with cloud vendor-provided keys
  • E. File-level encryption with customer-provided keys
  • F. Disk-level encryption with a cross-signed certificate
Suggested Answer: AE

Comments

vicbersong
1 month, 3 weeks ago
Selected Answer: AE
✅ Explanation: The key issue in the finding is that encryption is being done using the default keys provided by the cloud service provider (CSP). Regulatory compliance often requires that the CSP must not have access to the keys, meaning the organization must control and manage the encryption keys.

🔐 Best Solutions:

A. Disk encryption with customer-provided keys
This ensures that the organization, not the CSP, owns and controls the encryption keys used to protect data-at-rest. Commonly referred to as Bring Your Own Key (BYOK). This directly addresses the regulatory requirement for the data to be unreadable to the CSP.

E. File-level encryption with customer-provided keys
Adds another layer of security where sensitive files are encrypted before being stored, using keys managed by the organization. This ensures data confidentiality even if disk encryption is bypassed.
upvoted 1 times