
Exam SC-100 topic 2 question 10 discussion

Actual exam question from Microsoft's SC-100
Question #: 10
Topic #: 2

You are designing security for an Azure landing zone.
Your company identifies the following compliance and privacy requirements:
✑ Encrypt cardholder data by using encryption keys managed by the company.
✑ Encrypt insurance claim files by using encryption keys hosted on-premises.
Which two configurations meet the compliance and privacy requirements? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

  • A. Store the cardholder data in an Azure SQL database that is encrypted by using Microsoft-managed keys.
  • B. Store the insurance claim data in Azure Blob storage encrypted by using customer-provided keys.
  • C. Store the cardholder data in an Azure SQL database that is encrypted by using keys stored in Azure Key Vault Managed HSM.
  • D. Store the insurance claim data in Azure Files encrypted by using Azure Key Vault Managed HSM.
Suggested Answer: BC

Comments

Alex_Burlachenko
Highly Voted 2 years, 9 months ago
I would like to select B & C
upvoted 40 times
maltns
1 year, 3 months ago
B: Customer provided keys (CPK) enables you to store and manage keys in on-premises or key stores other than Azure Key Vault to meet corporate, contractual, and regulatory compliance requirements for data security. https://azure.microsoft.com/en-us/blog/customer-provided-keys-with-azure-storage-service-encryption/
upvoted 4 times
PlumpyTumbler
Highly Voted 2 years, 9 months ago
Selected Answer: CD
Hardware Security Module takes the cake. Want to use your own keys? Great. You can still do that with BYOK.
upvoted 14 times
mynk29
2 years, 4 months ago
Azure Key Vault Managed HSM is not hosted on-prem. B and C are the right answer.
upvoted 7 times
Learing
2 years, 7 months ago
You can add a local key to a managed HSM, but with customer-provided (not customer-managed) keys they are not stored in any Azure service.
upvoted 3 times
tzg
Most Recent 5 months, 1 week ago
Selected Answer: BC
D does not meet the requirement of using encryption keys hosted on-premises, as Managed HSM is an Azure-hosted service.
upvoted 1 times
jvallespin
10 months, 2 weeks ago
It's C and D; customer-managed keys for Blob and Files must be stored in Key Vault or Azure HSM. https://learn.microsoft.com/en-us/azure/storage/common/customer-managed-keys-overview https://learn.microsoft.com/en-us/azure/storage/common/storage-service-encryption#about-encryption-key-management
upvoted 1 times
jvallespin
10 months, 1 week ago
Correction to my answer: it's B and C, because you can use a customer-provided key (not customer-managed) and include it in the client request for Blob Storage. As the link below says: "Customer-provided keys can be stored in Azure Key Vault or in another key store", whereas customer-managed keys for Storage must be stored in AKV or HSM, which is not the case here. Additionally, answer D does not mention the key; it just says encrypt using an HSM, which cannot be, because an HSM by itself does not encrypt. https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blob-customer-provided-key
upvoted 2 times
besoaus
11 months, 1 week ago
It is obvious to me: B & C
upvoted 2 times
emartiy
11 months, 2 weeks ago
Selected Answer: CD
C - almost everybody agrees with this option. So, what is the second one for insurance claim files? You can use on-prem keys and store them in Azure Managed HSM: "Import keys from your on-premises HSMs. Generate HSM-protected keys in your on-premises HSM and import them securely into Managed HSM." https://learn.microsoft.com/en-us/azure/key-vault/managed-hsm/overview#import-keys-from-your-on-premises-hsms
upvoted 1 times
ayadmawla
1 year, 3 months ago
It is not D and for those choosing D, please refer to the diagram for Azure Storage here: https://rajanieshkaushikk.com/2023/04/08/azure-blob-storage-vs-file-storage-vs-disk-storage-which-is-right-for-you/
upvoted 1 times
Mendel
1 year, 3 months ago
Selected Answer: CD
Answer seems correct. C. Store the cardholder data in an Azure SQL database that is encrypted by using keys stored in Azure Key Vault Managed HSM: This option aligns with the requirement to encrypt cardholder data using encryption keys managed by the company. Azure Key Vault Managed HSM provides FIPS 140-2 Level 3 validated HSMs, ensuring a high level of security for key management. D. Store the insurance claim data in Azure Files encrypted by using Azure Key Vault Managed HSM: This option allows you to generate HSM-protected keys on-premises and securely import them into Azure Key Vault Managed HSM. By encrypting insurance claim files with keys stored in Azure Key Vault Managed HSM, you can meet the requirement to encrypt insurance claim files using encryption keys hosted on-premises while leveraging the security and manageability of Azure Key Vault Managed HSM. https://learn.microsoft.com/en-us/azure/key-vault/managed-hsm/hsm-protected-keys-byok
upvoted 1 times
Arockia
1 year, 5 months ago
Option A is incorrect because it uses Microsoft-managed keys, which does not meet the requirement for the company to manage the encryption keys for cardholder data. Option D is incorrect because it uses Azure Key Vault Managed HSM, which is a cloud-based service. The requirement for insurance claim files is to use keys hosted on-premises.
upvoted 1 times
Murtuza
1 year, 5 months ago
Selected Answer: C
C is definitely one of the answers
upvoted 1 times
sherifhamed
1 year, 8 months ago
Selected Answer: CD
To meet the compliance and privacy requirements for encrypting cardholder data and insurance claim files, you should consider the following configurations: ✅ C. Store the cardholder data in an Azure SQL database that is encrypted by using keys stored in Azure Key Vault Managed HSM. ✅ D. Store the insurance claim data in Azure Files encrypted by using Azure Key Vault Managed HSM.
upvoted 1 times
calotta1
1 year, 9 months ago
C and D - surely you can't recommend storing cardholder data in a storage account.
upvoted 1 times
Ramye
1 year, 5 months ago
Of course you can, as long as you can keep it safe, secure and encrypted.
upvoted 1 times
[Removed]
1 year, 10 months ago
CD https://learn.microsoft.com/en-us/azure/key-vault/managed-hsm/overview
upvoted 1 times
apyasir
1 year, 11 months ago
Currently, Azure Blob storage does not support customer-provided keys (BYOK) for encryption. Azure Blob storage utilizes Azure Storage Service Encryption (SSE) to automatically encrypt data at rest. With SSE, Azure Blob storage encrypts your data using Microsoft-managed keys. These keys are managed and rotated by Azure behind the scenes, providing a high level of security for your data. You do not have direct control over the encryption keys used by Azure Blob storage. So the answer: C & D
upvoted 1 times
NinjaSchoolProfessor
1 year, 10 months ago
Incorrect, Data in Blob storage and Azure Files is always protected by customer-managed keys when customer-managed keys are configured for the storage account. https://learn.microsoft.com/en-us/azure/storage/common/customer-managed-keys-overview?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&bc=%2Fazure%2Fstorage%2Fblobs%2Fbreadcrumb%2Ftoc.json#customer-managed-keys-for-queues-and-tables
upvoted 2 times
zellck
2 years ago
Selected Answer: BC
BC is the answer. https://learn.microsoft.com/en-us/azure/azure-sql/database/transparent-data-encryption-byok-overview?view=azuresql Azure SQL transparent data encryption (TDE) with customer-managed key (CMK) enables Bring Your Own Key (BYOK) scenario for data protection at rest, and allows organizations to implement separation of duties in the management of keys and data. With customer-managed TDE, the customer is responsible for and in a full control of a key lifecycle management (key creation, upload, rotation, deletion), key usage permissions, and auditing of operations on keys.
upvoted 6 times
zellck
2 years ago
https://learn.microsoft.com/en-us/azure/storage/blobs/encryption-customer-provided-keys Clients making requests against Azure Blob storage can provide an AES-256 encryption key to encrypt that blob on a write operation. Subsequent requests to read or write to the blob must include the same key. Including the encryption key on the request provides granular control over encryption settings for Blob storage operations. Customer-provided keys can be stored in Azure Key Vault or in another key store.
upvoted 2 times
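The quoted documentation above is the reason answer B satisfies the "keys hosted on-premises" requirement: with customer-provided keys the client sends the AES-256 key (and its SHA-256) on each Blob request, and the service keeps neither. The following is an added example written for this discussion, not code from the page or from Microsoft. It builds the documented CPK request headers (`x-ms-encryption-key`, `x-ms-encryption-key-sha256`, `x-ms-encryption-algorithm`) from a key that could live in any on-premises key store, and includes a checker that mirrors the service-side consistency check so an outbound proxy or test harness can reject malformed or mismatched key headers before a request leaves the network. The function names and the constructed sample key are this example's own.

```python
import base64
import binascii
import hashlib
import hmac
import secrets

# Header names are the ones Microsoft documents for customer-provided keys
# on the Blob service REST API. The key is sent with every request; Azure
# Storage does not store it, which is why the key store can be on-premises.
HDR_KEY = "x-ms-encryption-key"
HDR_KEY_SHA256 = "x-ms-encryption-key-sha256"
HDR_ALGORITHM = "x-ms-encryption-algorithm"
KEY_LEN = 32  # AES-256


def cpk_headers(key: bytes) -> dict:
    """Build the three CPK headers for a 256-bit AES key.

    The key bytes can come from any key store under the company's control
    (an on-premises HSM, a hardened key server); nothing here depends on
    Azure Key Vault or Managed HSM.
    """
    if len(key) != KEY_LEN:
        raise ValueError("customer-provided key must be exactly 32 bytes (AES-256)")
    return {
        HDR_KEY: base64.b64encode(key).decode("ascii"),
        HDR_KEY_SHA256: base64.b64encode(hashlib.sha256(key).digest()).decode("ascii"),
        HDR_ALGORITHM: "AES256",
    }


def parse_cpk_headers(headers: dict):
    """Return the key bytes if the CPK header set is complete and consistent,
    otherwise None.

    Mirrors the check the service performs: the SHA-256 header must match the
    key header, the key must be 32 bytes, and the algorithm must be AES256.
    A request whose key or hash was altered (for example, a read that reuses
    a stale key) fails here rather than at the storage service.
    """
    try:
        key = base64.b64decode(headers[HDR_KEY], validate=True)
        claimed_hash = base64.b64decode(headers[HDR_KEY_SHA256], validate=True)
    except (KeyError, ValueError, binascii.Error):
        return None
    if headers.get(HDR_ALGORITHM) != "AES256" or len(key) != KEY_LEN:
        return None
    # Constant-time comparison so the checker itself leaks nothing about the hash.
    if not hmac.compare_digest(hashlib.sha256(key).digest(), claimed_hash):
        return None
    return key


def demo():
    """Constructed walk-through: a fresh key, a valid header set, and a
    tampered copy that the checker rejects."""
    key = secrets.token_bytes(KEY_LEN)  # stands in for a key fetched from an on-prem store
    good = cpk_headers(key)
    assert parse_cpk_headers(good) == key

    tampered = dict(good)
    tampered[HDR_KEY] = base64.b64encode(secrets.token_bytes(KEY_LEN)).decode("ascii")
    assert parse_cpk_headers(tampered) is None  # hash no longer matches the key

    return good


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In practice these headers are set for you by the SDK (the Python `azure-storage-blob` package exposes a `CustomerProvidedEncryptionKey` object that takes the base64 key and its base64 SHA-256), so the value of the checker is in auditing: it confirms that what leaves the network is a properly formed key-on-request call and not a request silently falling back to the storage account's default encryption.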
Zapman
2 years ago
AB is correct in my opinion. Explanation: A. Storing cardholder data in an Azure SQL database encrypted with Microsoft-managed keys ensures that the data is encrypted. Microsoft-managed keys are suitable for encrypting cardholder data as per compliance requirements. B. Storing insurance claim data in Azure Blob storage encrypted with customer-provided keys allows for encryption of the data. By using on-premises keys, the company maintains control over the encryption keys and meets the requirement for encrypting insurance claim files.
upvoted 1 times
Tictactoe
2 years, 1 month ago
AB is right
upvoted 1 times
Ramye
1 year, 5 months ago
A definitely not - the requirement is not to use Microsoft keys
upvoted 2 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other