Provide cryptographic protection to data at-rest and in-transit, using cryptographic libraries certified to approved standards.
Data protection/data encryption is the process of changing plaintext into ciphertext using a cryptographic algorithm and key.
- Organizations should be able to either encrypt all information on storage devices (i.e., full disk encryption) or encrypt specific data structures (e.g., files, records, or fields).
- Data at rest involves databases, end-user workstations, and file servers.
- Data in transit involves system interfaces, public networks, and electronic messaging.
- Cryptography provides data protection: confidentiality, integrity, availability, and source authentication.
- Cryptographic key management system (CKMS) security policy rules need to protect the confidentiality, integrity, availability, and source authentication of all keys, algorithms, and metadata.
- Key management technology and processes should be NIST FIPS-validated and/or National Security Agency (NSA)-approved, or approved by other relevant international standardization bodies.
- Approved algorithms and key sizes should reside in the CKMS.
- Quantum-resistant encryption is developing quickly, and it is recommended that this technology be closely monitored so the organization is not exposed.
- Identify data flows within the organization that are in-transit.
- Identify data storages within the organization that are at-rest.
- Confirm that the identified data flows and data storages have been protected by an appropriate cryptographic algorithm aligned to cryptography, encryption, and key management policy and procedures.
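The following is an added example, not code from the Cloud Controls Matrix or the Cloud Security Alliance, showing what "protected by an appropriate cryptographic algorithm" looks like at the level of a single stored field. It assumes that the organization's CKMS policy lists AES-256 in GCM mode as the approved algorithm and key size (a common FIPS-validated choice; the names `EncryptField`, `DecryptField` and `NewKey` are this example's own). The key-size check enforces the policy stated above even though the underlying library would happily accept a shorter AES key, and the associated-data argument binds each ciphertext to its record so that integrity and source authentication, not just confidentiality, are covered.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Policy assumed for this example: AES-256-GCM is the approved algorithm,
// so only 32-byte keys are accepted even though AES-128/192 are also valid AES.
const approvedKeySize = 32

var ErrKeyNotApproved = errors.New("key size not approved: AES-256 (32 bytes) required")

// NewKey draws a fresh 256-bit key from the OS CSPRNG.
func NewKey() ([]byte, error) {
	key := make([]byte, approvedKeySize)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// newAEAD builds the AES-GCM primitive after enforcing the key-size policy.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != approvedKeySize {
		return nil, ErrKeyNotApproved
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals one plaintext field. aad (e.g. "customer:42:ssn") is
// authenticated but not encrypted, so a ciphertext moved to another record
// or column fails to decrypt. Output layout: nonce || ciphertext || GCM tag.
func EncryptField(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// DecryptField reverses EncryptField and returns an error on any tampering
// of nonce, ciphertext, tag or associated data.
func DecryptField(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("sealed field too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, aad)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record: one sensitive field bound to its record id.
	aad := []byte("customer:42:ssn")
	sealed, err := EncryptField(key, []byte("123-45-6789"), aad)
	if err != nil {
		panic(err)
	}
	plain, err := DecryptField(key, sealed, aad)
	fmt.Printf("decrypted: %s, err: %v\n", plain, err)

	// Same ciphertext presented under a different record id is rejected.
	_, err = DecryptField(key, sealed, []byte("customer:99:ssn"))
	fmt.Printf("moved to other record: err=%v\n", err)
}
```

In an audit of the kind the guidance above describes, the evidence for this control is not the cipher call itself but the policy check in `newAEAD`, the use of an authenticated mode, and the fact that keys come from the CKMS rather than being embedded in the application.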
[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]
Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.