How is encryption managed on multi-tenant storage?
In a multi-tenant storage environment, it is most secure to use one encryption key per data owner. This approach ensures that each tenant's data is isolated from others, enhancing data security and preventing unauthorized access between tenants. Using a single key for all data owners or multiple keys per data owner typically does not provide the same level of segregation and security necessary for such environments.
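To make the isolation argument concrete, the following is an added example (not code from the original page or from any cloud provider) of the "one key per data owner" model using Go's standard library: each tenant gets an independent AES-256 key, objects are sealed with AES-GCM with the tenant ID bound as additional authenticated data, and a read attempted under another tenant's key fails authentication rather than returning plaintext. The function names `NewTenantKey`, `Seal` and `Open` and the tenant IDs are assumptions for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// mustRandom returns n bytes from the OS CSPRNG; a failing CSPRNG is fatal.
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// NewTenantKey returns a fresh, independent AES-256 data key for one tenant
// (the "one key per data owner" model). In production this lives in a KMS.
func NewTenantKey() []byte { return mustRandom(32) }

// gcm builds an AES-GCM AEAD over a single tenant's key.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only reachable with a malformed key length
	}
	g, _ := cipher.NewGCM(block) // AES block size is always 16, so no error
	return g
}

// Seal encrypts an object under its owner's key and binds the tenant ID as
// AAD, so the blob cannot later be presented as another tenant's object.
// Output layout is nonce || ciphertext || GCM tag.
func Seal(key []byte, tenant string, plaintext []byte) []byte {
	g := gcm(key)
	nonce := mustRandom(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, []byte(tenant))
}

// Open decrypts with the key of the tenant making the request. Under any key
// other than the owner's, GCM authentication fails and no plaintext is released.
func Open(key []byte, tenant string, blob []byte) ([]byte, error) {
	g := gcm(key)
	n := g.NonceSize()
	if len(blob) < n+g.Overhead() {
		return nil, errors.New("blob too short")
	}
	return g.Open(nil, blob[:n], blob[n:], []byte(tenant))
}
```

With a single shared key (option A) the same `Open` call would succeed for every tenant, and isolation would rest entirely on access-control logic in front of the store rather than on the cryptography.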
According to Security-Guidance-v4.0, Pg 125: "It is recommended to use per-customer keys when possible, in order to better enforce multitenancy isolation." Answer must be B.
B is the correct answer. For multi-tenant storage, it is recommended to use per-customer keys when possible, in order to better enforce multitenancy isolation. Ref: Security-Guidance-v4.0, Pg 125.
multiple keys per data owner
I can't find it in the reference but I think this should be C. The major cloud providers I know allow you to at least do two: a) multiple cloud-provider managed encryption keys b) customer-managed keys
This is a poorly formulated question, but I believe the answer could still be D. In an ideal scenario, "One key per data owner" would be a recommended practice for maintaining the highest level of security in a multi-tenant environment. However, the original question was about how encryption is managed on multi-tenant storage, without specifying the best or recommended practice. That's why the answer can still be "The answer could be A, B, or C depending on the provider," because in reality, encryption management can vary widely across different providers. It's always important for customers to inquire about a provider's security practices to ensure they are suitable for their specific needs, and to ideally look for a provider that uses the most secure practices, such as one key per data owner.
This is another poorly written question. If the authors of the CCSK exam want the question to be aligned with security, it should read: How should encryption be managed on multi-tenant storage? To @Brainiac's point, I've seen CSPs that either facilitate 1 key per customer or do not support unique keys at all. The Security Guidance even states it is recommended to use per-customer keys when possible... "when possible" being the key phrase here.
The management of encryption on multi-tenant storage can vary depending on the provider and their specific implementation. However, the most common approach is: D. The answer could be A, B, or C depending on the provider. Different cloud service providers may employ different encryption strategies for multi-tenant storage. The management of encryption keys can vary from using a single key for all data owners (option A) to assigning one key per data owner (option B) or even allowing multiple keys per data owner (option C). The chosen approach depends on the provider's security architecture, data isolation mechanisms, and the level of encryption granularity required by their customers. It's important to note that cloud service providers often offer encryption-related features and options, allowing customers to select their desired level of encryption and key management. Therefore, the specific encryption management strategy employed on multi-tenant storage can vary and should be determined based on the capabilities and offerings of the individual provider.
Ans "A" is not aligned with a security rules, never using single key among the multiple Data owners.
How is it managed vs. how should it be managed. Should have one key per owner at least but could have multiple keys or a single key for everyone.
No answer here is correct - the right answer should be "B or C", but without the relation to regulations. A does not meet cloud security basics and cannot be part of an answer.