WGU Managing-Cloud-Security - WGU Managing Cloud Security (JY02, GZO1)

The most critical concern in long-term cloud storage is key management. If encryption keys are lost, corrupted, or improperly rotated, the organization will lose the ability to decrypt its own data, rendering backups unusable. This issue is particularly serious because cloud storage almost always relies on encryption to secure sensitive or regulated information.

While regulatory compliance, quantum threats, and change tracking are important, none directly prevent permanent data loss. The reliability of key management ensures that access to long-term archival data is preserved across changes in personnel, technology, and vendors.

Best practices include using centralized key management systems (such as Hardware Security Modules or cloud Key Management Services), applying role-based controls, and performing periodic key rotation and escrow. Addressing key management in the backup plan ensures that data will remain accessible for years or decades, regardless of technological shifts.

The network is the component that enables customers to transfer data into and out of a cloud environment. It provides the connectivity through which data is uploaded, downloaded, and exchanged between customer systems and cloud infrastructure.

Firewalls protect the network by filtering traffic, load balancers distribute requests across resources, and virtual displays present interfaces, but none directly facilitate the transfer of data.

In cloud models, secure networking is critical. Protocols like TLS encrypt traffic, while VPNs and private links provide additional isolation. Reliable networking ensures availability, while strong controls safeguard confidentiality and integrity. Customers must ensure that the cloud provider offers secure, high-performance network services to support business needs.

In the Infrastructure as a Service (IaaS) model, the cloud consumer is responsible for installing and maintaining the operating system. Managing Cloud principles describe that IaaS provides virtualized computing resources such as servers, storage, and networking, while leaving system-level management to the customer.

Customers must install operating systems, apply patches, configure security settings, and manage applications running on the infrastructure. This responsibility provides flexibility but also requires strong operational and security controls.

In PaaS and SaaS, the provider manages the operating system. NaaS focuses on network services rather than OS management. Therefore, IaaS is the correct answer.

The lack of physical access to cloud infrastructure significantly affects the audit process for cloud customers. Managing Cloud guidance explains that customers do not have direct access to cloud data centers, servers, or networking equipment, which limits their ability to perform traditional on-site audits.

As a result, customers must rely on third-party audit reports, certifications, and attestations provided by the cloud service provider. This changes how evidence is collected and verified during audits and requires auditors to assess assurance reports instead of physical inspections.

Bandwidth constraints, uptime limits, and storage options impact performance and architecture decisions but do not directly affect audit methodology. Therefore, the absence of physical access is the primary audit-related characteristic.

Categorization is the process of systematically identifying and classifying files according to content and relevance. In preparation for a PCI DSS audit, it is critical to identify which files fall within scope—those that contain cardholder data or impact its security.

Normalization adjusts data format, tokenization substitutes sensitive data with tokens, and anonymization removes identifiers. While useful, none directly address the task of isolating “relevant files” for audit. Categorization ensures that files are grouped correctly, allowing auditors to focus on the proper scope and preventing unnecessary exposure of unrelated data.

This step aligns with PCI DSS requirements that limit scope to systems and data directly affecting cardholder data security. Proper categorization streamlines audits and demonstrates effective data governance.

Entity relationship and data flow diagrams can significantly speed up the process of identifying a suitable cloud service provider. Managing Cloud guidance explains that these diagrams document how applications, systems, and data interact across the enterprise.

By understanding data sensitivity, integration points, trust boundaries, and workloads, organizations can quickly determine which cloud service models, security controls, and compliance capabilities are required from a CSP. This enables efficient evaluation and comparison of providers.

Physical plant blueprints and egress safety designs are facilities-related documents, while BCDR plans focus on recovery strategies rather than provider selection. Therefore, entity relationship and data flow diagrams are the most useful documents for accelerating CSP identification.

Multivendor pathway connectivity refers to a cloud provider’s ability to maintain connections with multiple internet service providers (ISPs). This ensures redundancy and reduces the risk of outages due to a single ISP failure.

Electric providers, fuel vendors, and HVAC contracts support facility resilience, but they are not directly tied to connectivity. The purpose of multivendor pathways is specifically to guarantee uninterrupted network access and resilience for customer workloads.

By maintaining ISP redundancy, cloud providers improve availability and meet SLA commitments. This capability is especially critical for enterprises requiring high uptime or operating in regions where connectivity disruptions are common. It also provides flexibility in bandwidth management and routing optimization.

Industry best practice requires that encryption keys are stored separately from the data they protect. This ensures that if the data storage system is compromised, attackers cannot immediately decrypt sensitive information. The use of a secure escrow system is a recognized approach.

An escrow provides controlled storage for encryption keys, ensuring they are only accessible by authorized processes and not co-located with the protected data. Keeping keys “local” to the data creates a single point of failure. A public or private repository without specialized protection mechanisms would also be insufficient due to risks of insider threats or misconfiguration.

By placing keys in an independent escrow system, the organization enforces separation of duties, strengthens defense-in-depth, and aligns with cryptographic standards from NIST and ISO. This practice is vital when dealing with archival data, where long-term confidentiality must be preserved even as systems evolve.

The General Data Protection Regulation (GDPR) applies under the jurisdiction of the European Union. Managing Cloud documentation explains that GDPR governs the collection, processing, storage, and transfer of personal data belonging to individuals within EU member states.

GDPR applies not only to organizations physically located in the European Union but also to organizations outside the EU that process or control EU residents’ personal data. This broad scope makes GDPR one of the most influential data protection regulations affecting cloud services globally.

The regulation mandates strict requirements related to consent, data minimization, breach notification, and data subject rights. Organizations using cloud services must ensure that their providers support GDPR compliance requirements.

The other jurisdictions listed have their own privacy regulations but are not governed by GDPR. Therefore, the correct jurisdiction is the European Union.