This is a poorly formulated question but i believe the answer could still be D In an ideal scenario, "One key per data owner" would be a recommended practice for maintaining the highest level of security in a multi-tenant environment. However, the original question was about how encryption is managed on multi-tenant storage, without specifying it to the best or recommended practice. That's why the answer can still be "The answer could be A, B, or C depending on the provider," because in reality, encryption management can vary widely across different providers. It's always important for customers to inquire about a provider's security practices to ensure they are suitable for their specific needs, and to ideally look for a provider that uses the most secure practices, such as one key per data owner.

This is another poorly written question. If the authors of the CCSK exam want the question to be aligned with security, it should read: How should encryption be managed on multi-tenant storage? To @Brainiac's point, I've seen CSP that either facilitate 1 key per customer or do not support unique keys at all. The Security Guidance even states it is recommended to use per-customer keys when possible...when possible being the key phrase here.

According Security-Guidance-v4.0, Pg 125 : "It is recommended to use percustomer keys when possible, in order to better enforce multitenancy isolation." Answer must be B

No answer here is correct - The right answer should be "B or C" but without the relations to regualtions. A is not meeting cloud security basics and cannot be part of an answer

B is the correct answer. For multi-tenant storage, it is recommended to use per-customer keys when possible, in order to better enforce multitenancy isolation. Ref: Security-Guidance-v4.0, Pg 125.

The management of encryption on multi-tenant storage can vary depending on the provider and their specific implementation. However, the most common approach is: D. The answer could be A, B, or C depending on the provider. Different cloud service providers may employ different encryption strategies for multi-tenant storage. The management of encryption keys can vary from using a single key for all data owners (option A) to assigning one key per data owner (option B) or even allowing multiple keys per data owner (option C). The chosen approach depends on the provider's security architecture, data isolation mechanisms, and the level of encryption granularity required by their customers. It's important to note that cloud service providers often offer encryption-related features and options, allowing customers to select their desired level of encryption and key management. Therefore, the specific encryption management strategy employed on multi-tenant storage can vary and should be determined based on the capabilities and offerings of the individual provider.

multiple keys per data owner

I can't find it in the reference but I think this should be C. The major cloud providers I know allow you to at least do two: a) multiple cloud-provider managed encryption keys b) customer-managed keys