Exam CCSP topic 1 question 439 discussion

For strong cloud security, cryptographic keys should not be stored with the cloud provider that holds the encrypted data. This practice, known as separation of duties, prevents a single entity from having both the keys and the encrypted data, reducing the risk of unauthorized access. Instead, organizations should use client-side key management or external Key Management Systems (KMS). Why Not the Others? B. Generated with redundancy → While key backups are important, redundancy alone does not ensure security if the key is compromised. C. At least 128 bits long → While 128-bit encryption is a minimum, modern security standards recommend 256-bit encryption for higher security. D. Split into groups → Key splitting (Shamir’s Secret Sharing) can be a useful security method but is not a strict requirement for cloud encryption.

i agree that keys should not be stored with the data wthat they protect. But saying that they should not be stored wth the cloud provider is not true. Azure and other cloud providers offer key vaults. The vaults are seperate and distinct from the data that is protected They off integrations where the keys can be accessed from applications. In azure's case the appliications can be configured with permiison to read the key, certiificate. This offers means of enhancing security by creating a secure way of accessing keys, certificates, passwords or other secret without directly without exposing keys in code. This is a very usual feature in PaaS

A. Not stored with the cloud provider.