Cloud data encryption (CDE) is becoming a critical priority for firms and software vendors migrating their workloads and sensitive data to the cloud. CDE ensures that data is kept confidential, maintains its integrity, also allows security and risk (S&R) pros to meet regulatory compliance and data residency mandates. This report assesses and provides guidance on architectural options for encryption key management (including pros, cons, and best practices) and highlights application CDE integration best practices.