An SDP creates a "dark" network, visible only to authorized users, enhancing security by hiding infrastructure from potential attackers. Reference: [Security Guidance v5, Domain 7 - Infrastructure & Networking]

According to the CSA Security Guidance v4.0, Domain 9: Incident Response, the Containment, Eradication, and Recovery phase follows detection and analysis. This phase focuses on limiting the damage, removing the threat, and restoring systems to a secure operational state.
"After detection and analysis, containment, eradication, and recovery are necessary to prevent further damage and restore systems."
"Recovery is the process of restoring affected systems and services to a fully operational state in a controlled and safe manner." This includes activities such as:
Removing malware or compromised systems
Rebuilding or restoring from backups
Applying patches
Validating that vulnerabilities are fixed
Monitoring for any recurrence
Incorrect options:
A refers to the Post-Incident Activity phase.
C is part of Detection and Analysis.
D is also part of the initial phase of the incident response cycle.
Reference:
CSA Security Guidance v4.0 - Domain 9: Incident Response (Section: Containment, Eradication, and Recovery)

In the initial stage of implementing centralized identity management, the primary focus of cybersecurity measures is to integrate identity management (such as Single Sign-On (SSO), Role-Based Access Control (RBAC), and user directories) and secure devices that interact with the identity management system. This ensures that only authorized users and devices can access the network and resources, helping to establish a strong foundation for secure and efficient identity and access management.
Developing incident response plans is important but typically comes after establishing core security controls like identity management. Implementing advanced threat detection systems is a later stage security measure, after foundational controls like identity management are in place. Deploying network segmentation is a useful security strategy, but it is not the primary focus in the early stages of centralized identity management.

The correct answer isB. Customers retain control over their encryption keys.
Usingcustomer-managed encryption keys (CMEK)with a cloudKey Management Service (KMS)allows the customer toretain full control over the encryption keysused to encrypt their data. This is crucial in maintaining data sovereignty, privacy, and compliance with regulatory requirements.
Key Benefits of Customer-Managed Encryption Keys:
Key Ownership and Control:Unlike cloud provider-managed keys, CMEK ensures that the customer has full authority over the key's lifecycle, including creation, rotation, and deletion.
Enhanced Security:Customers can enforce strict access controls and audit who accesses the keys.
Compliance:Many regulations (like GDPR or HIPAA) mandate that data owners maintain control over encryption keys.
Data Privacy:Even though the data is stored on the cloud, the provider cannot access unencrypted data without the customer's permission.
Flexibility:Customers can choose when to revoke or rotate keys, which directly impacts data availability and access.
Why Other Options Are Incorrect:
A . Bypass the need for encryption:CMEK does not eliminate the need for encryption; it strengthens it by giving customers direct control.
C . Share encryption keys more easily:Sharing encryption keys can increase security risks, and CMEK is designed to restrict, not ease, key sharing.
D . Reduces computational load on the cloud service provider:CMEK does not impact the computational load. It focuses on key management and control rather than reducing processing overhead.
Real-World Example:
InAWS KMS, using CMEK allows customers to bring their own keys (BYOK) and manage them directly through AWS Key Management Service. Similar practices exist inGoogle Cloud KMSandAzure Key Vault, where customers can generate and control their own encryption keys.
Practical Use Case:
A healthcare provider using a cloud service to store patient records may use CMEK to ensure that sensitive data is encrypted under keys they control, ensuring compliance with regulations likeHIPAA.
Reference:
CSA Security Guidance v4.0, Domain 11: Data Security and Encryption
Cloud Computing Security Risk Assessment (ENISA) - Key Management and Encryption Cloud Controls Matrix (CCM) v3.0.1 - Data Protection and Encryption Domain