CRISC Exam - Question 1105

Encrypting the data before it leaves the organization is the BEST way to protect sensitive data from administrators within a public cloud. When data is encrypted before leaving the organization, the data remains encrypted while it is stored in the cloud, and only authorized parties with the encryption keys can access the decrypted data. This means that even if cloud administrators gain access to the data, they would only be able to see the encrypted version and not the sensitive data in clear text.

I would think C would be the correct answer. If it is encrypted before it gets to the cloud. You wouldn't need to encrypt it on the Cloud Database

Its A. Read the question, you assume it comes from on prem but the question states the data resides in public cloud. Just encrypt the data itself so the admins cant access it.

Agree with C.

How do you define 'organisation'? are systems running in someone elses' organisation? Boundary of the organisation is defined as things which are in control of organisation including onprem and cloud systems. Also- You can encrypt the data in cloud with your own key so admins of cloud cannot see decrypt it. I say this

The BEST way to protect sensitive data from administrators within a public cloud is C. You retain full control over the encryption keys and algorithms, ensuring the confidentiality of your data even within the cloud provider's environment. A is incorrect, while it protects data at rest, cloud administrators with high-level access could still decrypt or bypass those safeguards.

Not sure what "before it leaves the organization" means if the data resides in the public cloud to begin with