Question 31
Domain 4 — Technology, Security, and Resilience Controls
What is the primary risk associated with cloud computing?
Correct answer: B
Explanation
Cloud computing raises risks around where data is stored and which laws apply, so "data sovereignty" is a primary concern. It also uses a "shared responsibility" model, meaning security duties are split between provider and customer, and "vendor lock-in" can make it hard to move services or data to another provider.
Why each option is right or wrong
A. Cloud is always less secure than on-premises
B. Data sovereignty, shared responsibility, and vendor lock-in
Cloud deployments commonly create three exam-relevant risks: data may be replicated or processed in multiple jurisdictions, so the applicable privacy and disclosure rules can change depending on where the provider stores or routes the data; the customer does not fully outsource security because the provider and customer each retain distinct obligations under the shared-responsibility model; and proprietary services can make migration difficult, increasing dependence on one vendor. In practice, these issues are why cloud risk assessments focus on jurisdictional control, division of security duties, and exit/migration constraints rather than just uptime or cost.
C. Cloud eliminates all security responsibilities
D. Cloud requires no security controls