CSPs must provide the capability for CSCs to manage their own data encryption keys.
Key management capability is the process of CSPs providing CSCs the capability to manage CSC-owned or generated encryption keys.
- The CSC and CSP should agree on the definition and scope of CSC-managed keys and document this (shared responsibility) in the SLA, applicable contracts, policies, and procedures.
- The CSP should allow the CSC to manage policies, procedures, and processes.
- The CSP should empower the CSC to manage keys and data encryption keys.
- The CSP should enable the CSC to manage key encryption keys or master keys used to encrypt data keys.
- The CSP should allow the CSC to use the key management system (e.g., for transactions and reporting).
- Optionally, the CSC should supply CSC-generated master encryption keys using bring-your-own-key (BYOK) mechanisms per the SLA.
- Identify the CSC's data key encryption policy and standards.
- Review the implementation of the CSP key broker and key management services (KMS) and the cloud hardware security modules (HSMs).
- Confirm that the configuration enables appropriate management of the key, e.g., customer-managed master key, CSP-managed master key, and CSP-owned master key.
- Confirm that the HSM meets internal compliance standards, e.g., FIPS 140-2.
Cloud Controls Matrix is Copyright 2023 Cloud Security Alliance.