An organization is concerned about insider threats from employees who have individual access to encrypted material. Which of the following techniques best addresses this issue?

A. SSO with MFA

B. Salting and hashing

C. Account federation with hardware tokens

D. SAE

E. Key splitting

E.   Key splitting

Explanation:
The specific concern is an insider threat where a single employee with individual access to encrypted material could potentially misuse that access (e.g., decrypt and steal sensitive data). The goal is to technically prevent any one person from having the complete ability to access the encrypted data on their own.

Key Splitting (Secret Sharing):
This is a cryptographic technique where a decryption key is divided into multiple unique parts (shares). In the threshold form (Shamir's secret sharing), a defined number of these shares (e.g., 3 out of 5) are required to reconstruct the original key and decrypt the data; any smaller set of shares reveals nothing about the key.

How it Addresses Insider Threat:
This technique implements a separation of duties and dual control for cryptographic access. No single employee ever possesses the entire key. To decrypt the material, multiple employees (e.g., from different departments) must collaborate and provide their individual key shards. This effectively mitigates the risk of a lone insider acting maliciously, as they cannot act alone.

Analysis of Incorrect Options:
A. SSO with MFA (Single Sign-On with Multi-Factor Authentication):
This improves authentication security by requiring a second factor to prove identity. However, once authenticated, the employee still has individual, complete access to the encrypted material. It does nothing to prevent a malicious insider from using their legitimate access to decrypt data.

B. Salting and hashing:
These are techniques used to protect stored passwords. A salt is added to a password before it is hashed to defeat precomputed rainbow table attacks. This is irrelevant to controlling access to encrypted data and does not address the insider threat scenario.

C. Account federation with hardware tokens:
Federation allows users to access multiple systems with a single set of credentials, and hardware tokens provide strong authentication. Similar to SSO, this is an access mechanism. It does not change the fact that once access is granted, the user has individual control over the encrypted material. It strengthens the gate but doesn't change what's behind it.

D. SAE (Simultaneous Authentication of Equals):
SAE is a cryptographic protocol used in Wi-Fi networks (WPA3) for establishing a secure connection. It is designed to prevent offline dictionary attacks on Wi-Fi passwords and is not relevant for managing access to stored encrypted data or mitigating insider threats.

Reference:
This solution falls under Domain 3.6: Cryptography and Domain 1.0: Governance, Risk, and Compliance of the CAS-005 exam. Key concepts include:

Cryptographic Key Management: Implementing controls like key splitting to enforce separation of duties.

Principle of Least Privilege and Dual Control: Ensuring that critical actions (like decrypting sensitive data) require the collaboration of multiple parties, preventing any single point of failure or misuse.

Key splitting (E) is the only technique that directly and technically addresses the risk of a single insider misusing their individual access to encrypted material.

After some employees were caught uploading data to online personal storage accounts, a company becomes concerned about data leaks related to sensitive, internal documentation. Which of the following would the company most likely do to decrease this type of risk?

A. Improve firewall rules to avoid access to those platforms.

B. Implement a cloud-access security broker

C. Create SIEM rules to raise alerts for access to those platforms

D. Deploy an internet proxy that filters certain domains

B.   Implement a cloud-access security broker

Explanation:
The problem is data exfiltration to unsanctioned cloud applications (personal storage accounts like Dropbox, Google Drive, etc.). The goal is to not just block or alert, but to actively monitor and control the data that is being sent to cloud services.

Cloud-Access Security Broker (CASB):
A CASB is a security policy enforcement point that sits between an organization's on-premises infrastructure and a cloud provider's infrastructure. It acts as a gatekeeper to ensure secure cloud usage.

How it Decreases Risk:
A CASB provides several critical functions that directly address this risk:

Discovery & Visibility:
It identifies all cloud services in use (sanctioned and unsanctioned).

Data Loss Prevention (DLP):
This is the key feature. A CASB can inspect data in motion to the cloud. It can identify sensitive content (based on patterns, fingerprints, or labels) being uploaded to personal storage sites and block the upload in real-time.

Access Control:
It can enforce policies to allow, block, or limit access to specific cloud applications based on user, device, or location.

A CASB provides a proactive, data-centric control designed specifically for the cloud era.
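The following Python is an added example, not code from any CASB vendor or from the original page: a minimal inline policy point that applies the three functions above (discovery, content inspection, access control) to a few constructed upload events. The sanctioned tenant host, the personal-storage host list and the sample events are assumptions made for the example; a real CASB obtains the request body through a forward proxy, an endpoint agent or the provider's API, and the SSN pattern used here is deliberately simple and will produce false positives.

```python
import re
from dataclasses import dataclass

# Hypothetical policy data for this example (not a real tenant or vendor catalog).
SANCTIONED_APPS = {"sharepoint.corp-tenant.example"}
KNOWN_PERSONAL_STORAGE = {"drive.google.com", "dropbox.com"}

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")            # simplistic, false positives expected
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")          # 13-19 digits with optional separators
LABEL_RE = re.compile(r"\bCONFIDENTIAL\b|\bINTERNAL ONLY\b", re.IGNORECASE)


@dataclass
class UploadEvent:
    """One upload seen by the inline policy point (constructed for this example)."""
    user: str
    managed_device: bool
    destination: str   # host the client is uploading to
    filename: str
    content: str       # decrypted request body (via TLS inspection, agent, or provider API)


def luhn_valid(digits: str) -> bool:
    """Luhn check: separates real card numbers from random 16-digit runs such as order IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(content: str) -> set:
    """Return the sensitivity labels found in `content` (label, pattern and checksum based)."""
    labels = set()
    if LABEL_RE.search(content):
        labels.add("labeled-confidential")
    if SSN_RE.search(content):
        labels.add("ssn")
    for m in CARD_RE.finditer(content):
        if luhn_valid(re.sub(r"[ -]", "", m.group())):
            labels.add("pan")
            break
    return labels


def evaluate(event: UploadEvent):
    """Decide allow / block / alert for one upload and say why."""
    labels = classify(event.content)
    if event.destination in SANCTIONED_APPS:
        if labels and not event.managed_device:
            return "block", f"sensitive {sorted(labels)} from unmanaged device"
        return "allow", "sanctioned app"
    if labels:
        return "block", f"sensitive {sorted(labels)} to unsanctioned {event.destination}"
    if event.destination in KNOWN_PERSONAL_STORAGE:
        return "allow", "non-sensitive upload to personal storage (logged)"
    return "alert", f"unknown cloud destination {event.destination} (shadow-IT discovery)"


# Constructed sample traffic; the card number is the standard test PAN, not a real account.
SAMPLE_EVENTS = [
    UploadEvent("alice", True, "drive.google.com", "roadmap.docx",
                "CONFIDENTIAL - FY25 product roadmap, do not distribute"),
    UploadEvent("bob", True, "dropbox.com", "chili.txt",
                "Grandma's chili recipe: 2 lb beef, 1 onion"),
    UploadEvent("carol", True, "sharepoint.corp-tenant.example", "customers.csv",
                "id,name,card\n1,Test,4111 1111 1111 1111"),
    UploadEvent("dave", False, "files.newstorage.example", "order.txt",
                "Order 1234 5678 9012 3456 shipped Tuesday"),
    UploadEvent("erin", True, "dropbox.com", "hr.csv",
                "name,ssn\nJ Doe,123-45-6789"),
]


def run_demo(events=SAMPLE_EVENTS):
    """Map each user to the (decision, reason) the policy point produces."""
    return {e.user: evaluate(e) for e in events}


if __name__ == "__main__":
    for user, (decision, reason) in run_demo().items():
        print(f"{user:6} {decision:6} {reason}")
```

Note the difference from a domain blocklist: bob's recipe still reaches Dropbox, alice's labeled document and erin's SSN export do not, and dave's upload to a storage site nobody had listed yet surfaces as a discovery alert rather than slipping through because the list was incomplete.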

Analysis of Incorrect Options:
A. Improve firewall rules to avoid access to those platforms & D. Deploy an internet proxy that filters certain domains:

These are similar network-based blocking solutions. While they can technically block access to the domains of popular storage platforms, they are coarse controls that operate on the destination rather than on the data.

* Easy to Bypass: Traffic that never crosses the corporate network (a personal device on a cellular connection, or a laptop off the VPN) is never seen by the firewall or proxy.

* Too Broad: It blocks the entire application, which might be used legitimately for non-sensitive work. A CASB offers much more granular control.

* Reactive: The list of personal storage sites is endless; new ones pop up constantly, making it a game of whack-a-mole.

C. Create SIEM rules to raise alerts for access to those platforms:
A SIEM is a detective control. It can alert after the data has already been exfiltrated. By the time the SOC analyst sees the alert, the sensitive data is already on a server outside the company's control. The requirement is to decrease the risk (prevent the leak), not just to discover it after the fact.

Reference:
This solution is a core component of Domain 3.4: Secure Network Architecture and Domain 1.4: Data Security of the CAS-005 exam. CASBs are a critical technology for implementing a data-centric security strategy in a hybrid cloud world.

While the other options provide partial, often ineffective solutions, implementing a CASB (B) is the most comprehensive and effective way to directly decrease the risk of data leaks to personal cloud storage accounts by inspecting and controlling the data itself.

Which of the following is the main reason quantum computing advancements are leading companies and countries to deploy new encryption algorithms?

A. Encryption systems based on large prime numbers will be vulnerable to exploitation

B. Zero Trust security architectures will require homomorphic encryption.

C. Perfect forward secrecy will prevent deployment of advanced firewall monitoring techniques

D. Quantum computers will enable malicious actors to capture IP traffic in real time

A.   Encryption systems based on large prime numbers will be vulnerable to exploitation

Explanation:
The threat posed by quantum computing is highly specific to certain types of cryptographic algorithms.

Shor's Algorithm:
This is a quantum algorithm that, if run on a sufficiently powerful quantum computer, can efficiently solve the mathematical problems that underpin the security of most widely used public-key cryptography.

Vulnerable Algorithms:

These include:

RSA:
Based on the practical difficulty of factoring the product of two large prime numbers.

Diffie-Hellman & ECC (Elliptic-Curve Cryptography):
Based on the difficulty of the discrete logarithm problem.

The Risk:
A cryptographically relevant quantum computer (CRQC) could use Shor's algorithm to break these encryption and digital signature schemes, rendering them useless. This would compromise the security of virtually all secure web traffic (TLS/SSL) and digital signatures, and it also exposes ciphertext that an adversary records today and stores until a CRQC exists ("harvest now, decrypt later"), which is why the migration cannot wait for the machine to arrive. This specific and existential threat to current standards is the primary driver for the development and deployment of Post-Quantum Cryptography (PQC): new algorithms designed to be secure against both classical and quantum attacks.
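An added example, not from the original page or any standard: toy-sized RSA and Diffie-Hellman in Python, showing that once an attacker can factor n (or take a discrete logarithm), the private key and the shared secret follow by ordinary arithmetic. Trial division and a brute-force discrete log stand in for Shor's algorithm here; the primes, exponents and message are chosen for the example only, and textbook RSA without padding is used for clarity.

```python
from math import gcd, isqrt


def rsa_keygen(p: int, q: int, e: int = 65537):
    """Textbook RSA: public (n, e), private exponent d = e^-1 mod phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    return (n, e), pow(e, -1, phi)


def rsa_encrypt(m: int, pub) -> int:
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be smaller than n")
    return pow(m, e, n)


def rsa_decrypt(c: int, n: int, d: int) -> int:
    return pow(c, d, n)


def factor_by_trial_division(n: int):
    """Attacker step. Feasible only for toy n; for 2048-bit n this is the
    step Shor's algorithm performs on a cryptographically relevant quantum computer."""
    for cand in range(2, isqrt(n) + 1):
        if n % cand == 0:
            return cand, n // cand
    raise ValueError("no factor found")


def recover_rsa_private_key(pub) -> int:
    """Given only the public key, factor n and redo the owner's key derivation."""
    n, e = pub
    p, q = factor_by_trial_division(n)
    return pow(e, -1, (p - 1) * (q - 1))


def dlog_brute_force(g: int, h: int, p: int) -> int:
    """Smallest k with g^k = h (mod p). Attacker step for Diffie-Hellman;
    Shor's algorithm solves this (and the elliptic-curve variant) as well."""
    acc = 1
    for k in range(p - 1):
        if acc == h:
            return k
        acc = acc * g % p
    raise ValueError("no discrete log")


def recover_dh_shared_secret(g: int, p: int, pub_a: int, pub_b: int) -> int:
    """Recover A's private exponent from her public value, then compute the shared key."""
    a = dlog_brute_force(g, pub_a, p)
    return pow(pub_b, a, p)


def demo():
    # Toy RSA: primes chosen so trial division finishes quickly (assumed values).
    pub, d = rsa_keygen(1000003, 1000033)
    m = 123456789
    c = rsa_encrypt(m, pub)
    d_recovered = recover_rsa_private_key(pub)
    # Toy Diffie-Hellman in a small prime-order field (assumed values).
    p, g = 104729, 5
    a, b = 4321, 8765
    pub_a, pub_b = pow(g, a, p), pow(g, b, p)
    genuine_shared = pow(pub_b, a, p)
    return {
        "rsa_key_recovered": d_recovered == d,
        "rsa_ciphertext_decrypted": rsa_decrypt(c, pub[0], d_recovered) == m,
        "dh_shared_secret_recovered": recover_dh_shared_secret(g, p, pub_a, pub_b) == genuine_shared,
    }


if __name__ == "__main__":
    print(demo())
```

Nothing in the "attacker" path is cryptographically clever: every line after the factoring or discrete-log step is the legitimate owner's own arithmetic. That is why a fast factoring or discrete-log algorithm is a total break rather than a weakening, and why the response is new algorithms (PQC) rather than longer keys.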

Analysis of Incorrect Options:

B. Zero Trust security architectures will require homomorphic encryption.
Zero Trust is a security model centered on the principle that organizations should not automatically trust anything inside or outside their perimeter. While homomorphic encryption (performing computations on encrypted data) is an advanced cryptographic technique, it is not a requirement for Zero Trust, which primarily relies on strong identity verification, continuous authorization and fine-grained access control. The push for new algorithms is driven by the quantum threat, not by Zero Trust architecture needs.

C. Perfect forward secrecy will prevent deployment of advanced firewall monitoring techniques.
Perfect Forward Secrecy (PFS) is a property of key agreement protocols (ephemeral Diffie-Hellman in TLS, for example) under which each session key is derived from ephemeral values, so a later compromise of a party's long-term key does not expose previously recorded sessions. PFS is a security benefit, not a hindrance. It does rule out one passive monitoring technique, decrypting captured traffic out of band with a copy of the server's private key, but inline inspection still works when the firewall is configured as a trusted man-in-the-middle that terminates and re-originates the TLS session. This option is a distractor and is not related to the quantum threat.

D. Quantum computers will enable malicious actors to capture IP traffic in real time.
The ability to capture IP traffic is a function of network access (e.g., through a compromised node or wiretap), not computational power. Quantum computers do not provide a new capability to capture traffic; they threaten the ability to decrypt the captured traffic that was encrypted using vulnerable algorithms. The threat is to breaking the encryption, not the capture itself.

Reference:
This topic is a key part of Domain 3.6: Cryptography in the CAS-005 exam. It requires an understanding of:

Quantum Threats: The specific risk that quantum computing poses to asymmetric cryptography based on integer factorization and discrete logarithm problems.

Cryptographic Agility: The need to prepare for the migration to post-quantum cryptographic algorithms, an effort being led by standards bodies such as NIST.

The main and direct reason for deploying new encryption algorithms is the vulnerability of current prime number-based systems to quantum attacks, as described in option A.

During DAST scanning, applications are consistently reporting code defects in open-source libraries that were used to build web applications. Most of the code defects are from using libraries with known vulnerabilities. The code defects are causing product deployment delays. Which of the following is the best way to uncover these issues earlier in the life cycle?

A. Directing application logs to the SIEM for continuous monitoring

B. Modifying the WAF policies to block against known vulnerabilities

C. Completing an IAST scan against the web application

D. Using a software dependency management solution

D.   Using a software dependency management solution

An external threat actor attacks public infrastructure providers. In response to the attack and during follow-up activities, various providers share information obtained during response efforts. After the attack, energy sector companies share their status and response data:
Company | SIEM | UEBA | DLP | ISAC Member | TIP Integration | Time to Detect | Time to Respond
1       | Yes  | No   | Yes | Yes         | Yes             | 10 minutes     | 20 minutes
2       | Yes  | Yes  | Yes | Yes         | No              | 20 minutes     | 40 minutes
3       | Yes  | Yes  | No  | No          | Yes             | 12 minutes     | 24 minutes

Which of the following is the most important issue to address to defend against future attacks?

A. Failure to implement a UEBA system

B. Failure to implement a DLP system

C. Failure to join the industry ISAC

D. Failure to integrate with the TIP

C.   Failure to join the industry ISAC

A security officer performs due diligence activities before implementing a third-party solution into the enterprise environment. The security officer needs evidence from the third party that a data subject access request handling process is in place. Which of the following is the security officer most likely seeking to maintain compliance?

A. Information security standards

B. E-discovery requirements

C. Privacy regulations

D. Certification requirements

E. Reporting frameworks

C.   Privacy regulations

Previously intercepted communications must remain secure even if a current encryption key is compromised in the future. Which of the following best supports this requirement?

A. Tokenization

B. Key stretching

C. Forward secrecy

D. Simultaneous authentication of equals

C.   Forward secrecy

A network security architect for an organization with a highly remote workforce implements an always-on VPN to meet business requirements. Which of the following best explains why the architect is using this approach?

A. To facilitate device authentication using on-premises directory services

B. To allow access to directly connected print and scan resources

C. To enable usability of locally attached removable storage

D. To authorize updates to change the PIN on a smart card

A.   To facilitate device authentication using on-premises directory services

A compliance officer is facilitating a business impact analysis (BIA) and wants business unit leaders to collect meaningful data. Several business unit leaders want more information about the types of data the officer needs. Which of the following data types would be the most beneficial for the compliance officer? (Select two)

A. Inventory details

B. Applicable contract obligations

C. Costs associated with downtime

D. Network diagrams

E. Contingency plans

F. Critical processes

B.   Applicable contract obligations
C.   Costs associated with downtime
F.   Critical processes

An administrator reviews the following log and determines the root cause of a site-to-site tunnel failure:

Which of the following actions should the administrator take to most effectively correct the failure?

A. Enable perfect forward secrecy on the remote peer.

B. Update the cipher suites configured for use on the server side.

C. Add a new subnet as a permitted initiator.

D. Disable IKE version 1 and run IKE version 2.

C.   Add a new subnet as a permitted initiator.
