Cloud Security Concepts
Unlock the complete study guide + 1,040 practice questions across 16 full exams.
Bundled into the existing Certified Cloud Security Professional premium course — no separate purchase.
Included in this chapter:
- Cryptography and key management: control follows the key
- Identity and access control: the cloud perimeter
- Data and media sanitization: deletion becomes crypto-erase
- Network security: from trusted perimeter to zero trust
- Virtualization security: new isolation boundaries, each escapable
- Common threats and security hygiene: the exam patterns
Who holds the key, and what that buys you
| Property | Provider-managed key | Customer-managed key (CMK) | Customer-held / HYOK with HSM |
|---|---|---|---|
| Who generates and stores the key | Provider | Provider service, customer controls policy | Customer, in customer-controlled HSM |
| Customer can set rotation and access policy | No | Yes | Yes |
| Customer can revoke provider access by key action | No | Yes (disable/delete key) | Yes (withhold key) |
| Protects against the provider itself | No | Partly (key still in provider HSM) | Yes (key never leaves customer hardware) |
| Operational burden on customer | Lowest | Moderate | Highest (HSM availability is customer risk) |
| Typical driver | Default at-rest encryption | Compliance, separation of duties | Strict data sovereignty, FIPS 140-2/3 |
Decision tree
Cheat sheet
Unlock with Premium — includes all practice exams and the complete study guide.
Also tested in
References
- NIST CSRC Glossary, key management
- NIST CSRC Glossary, hardware security module
- NIST SP 800-57 Part 1 Rev. 5, Recommendation for Key Management Whitepaper
- NIST CMVP, Cryptographic Module Validation Program (FIPS 140-2 / 140-3)
- NIST SP 800-88 Rev. 1, Guidelines for Media Sanitization Whitepaper
- NIST SP 800-207, Zero Trust Architecture Whitepaper
- Cloud Security Alliance, Top Threats to Cloud Computing Whitepaper