SC-100 Certification Practice Question #58

Question

You are designing security for an Azure landing zone.
Your company identifies the following compliance and privacy requirements:
✑ Encrypt cardholder data by using encryption keys managed by the company.
✑ Encrypt insurance claim files by using encryption keys hosted on-premises.
Which two configurations meet the compliance and privacy requirements? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

Accepted Answer

The two requirements are (1) cardholder data encrypted with **company-managed** keys, and (2) insurance claims encrypted with keys **hosted on-premises**. Option C satisfies (1): Azure Key Vault Managed HSM is a single-tenant, customer-controlled FIPS 140-3 Level 3 key store, so the company owns/manages the keys. Option B satisfies (2): per the MS Learn key-management comparison table, **customer-provided keys** are the only Azure Storage option whose key storage is the *customer's own key store* (which can be on-premises) — and they are supported on Blob Storage. The strong CD dissent rests on BYOK import into Managed HSM, but once a key is imported into Managed HSM it is hosted in Azure, not on-premises, so D fails the literal "keys hosted on-premises" wording (tzg and Arockia make this point). Suggested Answer lists only C, but the question requires two selections and the dominant 54-vote community answer plus the MS Learn table resolve the second to B. Confidence is held at 84 because of the genuine BC-vs-CD community split, though the docs clearly favor BC.

More SC-100 practice questions