Question 31
Domain 2: Data Protection and Identity Security
An organization needs to ensure that data cannot be recovered from decommissioned cloud storage devices. Which control BEST addresses this requirement?
A. Logical deletion and garbage collection
B. Cryptographic erasure (deleting encryption keys)
C. Data compression before deletion
D. Moving data to cold storage
Correct answer: B
Explanation
Cryptographic erasure makes stored data unrecoverable by destroying the encryption key under which it was written: the ciphertext is still physically present on the media, but without the key it cannot be decrypted, so a device that is later imaged, resold or reassigned yields nothing usable. This is the best control for decommissioned cloud storage because a tenant usually cannot overwrite or physically destroy a provider's media, whereas the tenant (or the provider's key management service) can destroy the key. The control only works if the data was encrypted before it ever reached the media and the key itself, including any backups or escrowed copies, is actually destroyed.
Why each option is right or wrong
A. Logical deletion and garbage collection
Incorrect. Logical deletion only marks blocks or objects as free; the underlying bytes stay on the media until the garbage collector eventually reclaims and overwrites them, and the tenant has no guarantee of when, or whether, that happens before the device is decommissioned. Until then the data is trivially recoverable.
B. Cryptographic erasure (deleting encryption keys)
Correct. NIST SP 800-88 Rev. 1 recognizes cryptographic erase (CE) as a media sanitization technique: the data becomes unrecoverable because the key protecting it is destroyed, leaving only ciphertext on the media. Of the options listed, it is the only one that actually sanitizes the data, and it does so without overwriting or physically destroying the media, which is often impractical or impossible for a tenant in a provider environment. The conditions NIST attaches still apply: all data on the device must have been encrypted before it was written, with a key that was never stored on the media in plaintext, and the key (and every copy of it) must itself be sanitized. Data written before encryption was enabled is not protected by CE.
C. Data compression before deletion
Incorrect. Compression changes how the data is encoded, not whether it can be recovered; anyone who retrieves the compressed bytes from the media can simply decompress them.
D. Moving data to cold storage
Incorrect. Cold storage is a retention tier, not a sanitization method. The data is preserved, just on cheaper and slower media, which is the opposite of what the requirement asks for.
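The mechanism described in the explanation above, as an added example that is not part of the original question set and not any provider's code: a hypothetical Volume type encrypts each block under a per-volume data encryption key (DEK) with AES-256-GCM, CryptoErase zeroises and drops the DEK without touching the media, and Residual shows what a forensic image of the media would still contain afterwards. The WriteLegacy path is constructed to model data written before encryption was enabled, the case the NIST caveat warns about, and it remains readable after the erase. All type and function names are assumptions for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrKeyDestroyed is returned for any read or write after cryptographic erase.
var ErrKeyDestroyed = errors.New("data encryption key has been destroyed")

// Volume is a hypothetical model of a storage device: every encrypted block on
// the media is nonce||AES-256-GCM ciphertext under one per-volume DEK. The
// legacy slice models data written before encryption was switched on.
type Volume struct {
	dek    []byte   // key material held outside the media; nil after CryptoErase
	blocks [][]byte // encrypted blocks exactly as they sit on the media
	legacy [][]byte // constructed: plaintext blocks written before encryption
}

// NewVolume provisions a volume with a fresh random 256-bit DEK.
func NewVolume() (*Volume, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	return &Volume{dek: dek}, nil
}

// aead builds the AES-GCM instance, or fails once the DEK has been destroyed.
func (v *Volume) aead() (cipher.AEAD, error) {
	if v.dek == nil {
		return nil, ErrKeyDestroyed
	}
	block, err := aes.NewCipher(v.dek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Write encrypts one block under the DEK with a fresh random nonce and
// returns its index on the media. Plaintext never reaches the media.
func (v *Volume) Write(data []byte) (int, error) {
	g, err := v.aead()
	if err != nil {
		return -1, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return -1, err
	}
	v.blocks = append(v.blocks, g.Seal(nonce, nonce, data, nil))
	return len(v.blocks) - 1, nil
}

// WriteLegacy stores a block in plaintext, as a pre-encryption deployment would.
func (v *Volume) WriteLegacy(data []byte) {
	v.legacy = append(v.legacy, append([]byte(nil), data...))
}

// Read decrypts block i; it fails with ErrKeyDestroyed once the DEK is gone.
func (v *Volume) Read(i int) ([]byte, error) {
	g, err := v.aead()
	if err != nil {
		return nil, err
	}
	if i < 0 || i >= len(v.blocks) {
		return nil, errors.New("no such block")
	}
	b := v.blocks[i]
	ns := g.NonceSize()
	return g.Open(nil, b[:ns], b[ns:], nil)
}

// CryptoErase performs cryptographic erase: the DEK is zeroised and discarded.
// Nothing on the media is touched, which is the whole point of the technique.
func (v *Volume) CryptoErase() {
	for i := range v.dek {
		v.dek[i] = 0
	}
	v.dek = nil
}

// Residual returns every block as a forensic image of the media would show it
// after decommissioning: ciphertext for encrypted blocks, and the legacy
// plaintext blocks, which cryptographic erase cannot protect.
func (v *Volume) Residual() (ciphertext, plaintext [][]byte) {
	return v.blocks, v.legacy
}

func main() {
	v, err := NewVolume()
	if err != nil {
		panic(err)
	}
	i, _ := v.Write([]byte("customer record: acct 1001"))
	v.WriteLegacy([]byte("customer record: acct 0007 (written before encryption)"))
	got, _ := v.Read(i)
	fmt.Printf("before erase: %q\n", got)
	v.CryptoErase()
	_, err = v.Read(i)
	fmt.Println("after erase:", err)
	ct, pt := v.Residual()
	fmt.Printf("media still holds %d bytes of ciphertext and %d recoverable plaintext block(s)\n", len(ct[0]), len(pt))
}
```

The point to take from running it: the encrypted block is byte-for-byte unchanged after CryptoErase, yet Read can no longer recover it, while the legacy plaintext block is as readable as ever. In a real deployment the DEK would live in a KMS or HSM rather than a process variable, and "destroy" would mean deleting that key version and every backup of it.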