Question 13
Domain 2: Data Protection and Identity Security
An organization needs to securely delete data from cloud storage when retention periods expire. Which method provides the STRONGEST assurance that data cannot be recovered?
Correct answer: B
Explanation
Cryptographic erasure is strongest because the data remains encrypted, and deleting the encryption keys makes it unreadable even if storage blocks still exist. This provides stronger assurance than logical deletion or overwriting in cloud environments, where residual copies may persist.
Why each option is right or wrong
A. Moving data to a recycle bin folder
B. Cryptographic erasure by deleting encryption keys
NIST SP 800-88 Rev. 1 recognizes cryptographic erase as a valid sanitization method for media whose contents are encrypted, because destroying the media encryption key renders the underlying ciphertext computationally unrecoverable. In a cloud setting, this is the strongest option here because the organization cannot reliably overwrite or physically destroy provider-managed storage blocks, and the data stays inaccessible even if replicas, snapshots, or residual blocks persist after the retention period expires. The assurance holds only if the data was encrypted for its entire lifetime and every copy of the key, including backups and escrowed copies, is also destroyed.
C. Renaming files with random characters
D. Removing user access permissions