Generate cryptographic keys using industry-accepted cryptographic libraries, specifying the algorithm strength and the random number generator used.
The key generation process should be cryptographically secure.
- Keys should be generated using random bit generators (RBGs) and possibly other parameters, or generated based on keys that are created in this fashion.
- Key management technology and processes should be NIST FIPS validated or NSA-approved or comparable.
- All relevant transitions/activity should be recorded (logged) in the inventory management system (CKMS).
- Confirm that the organization has an approved process for the generation of cryptographic keys.
- Identify the keys being used.
- Observe the generation of an encryption key in a production-like sandbox or as a test tenant in production and confirm the keys have been generated according to the appropriate procedure and technical specifications.
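The guidance above on RBG-based generation, keys derived from such keys, and logging of transitions, as an added example that is not part of the Cloud Controls Matrix text. The policy table, the in-memory `inventory` list standing in for a CKMS, the record fields and all function names are assumptions; Python's `secrets` module stands in here for a FIPS-validated module.

```python
import hashlib, hmac, secrets, uuid
from datetime import datetime, timezone

# Assumption: the organization's approved algorithm/strength policy.
APPROVED_BITS = {"AES": {128, 192, 256}}
inventory = []  # stand-in for the CKMS inventory: metadata only, never key bytes

def record_event(key_id, event, **meta):
    """Append one key lifecycle transition to the inventory."""
    entry = {"key_id": key_id, "event": event,
             "time": datetime.now(timezone.utc).isoformat(), **meta}
    inventory.append(entry)
    return entry

def check_policy(algorithm, bits):
    if bits not in APPROVED_BITS.get(algorithm, ()):
        raise ValueError(f"{algorithm}-{bits} is not an approved algorithm/strength")

def generate_key(algorithm="AES", bits=256):
    """Generate a symmetric key from the OS CSPRNG and log which RNG was used."""
    check_policy(algorithm, bits)
    key = secrets.token_bytes(bits // 8)  # secrets draws from the OS random source
    key_id = str(uuid.uuid4())
    record_event(key_id, "generated", algorithm=algorithm, bits=bits,
                 rng="OS CSPRNG via secrets.token_bytes")
    return key_id, key

def hkdf_sha256(ikm, info, length, salt=b""):
    """HKDF (RFC 5869) extract-then-expand using HMAC-SHA256."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def derive_key(parent_id, parent_key, purpose, algorithm="AES", bits=256):
    """Derive a key from an RBG-generated parent and log its lineage."""
    check_policy(algorithm, bits)
    key = hkdf_sha256(parent_key, purpose.encode(), bits // 8)
    key_id = str(uuid.uuid4())
    record_event(key_id, "derived", algorithm=algorithm, bits=bits,
                 kdf="HKDF-SHA256", parent=parent_id, purpose=purpose)
    return key_id, key

if __name__ == "__main__":
    root_id, root = generate_key()
    derive_key(root_id, root, "tenant-a/db")  # constructed purpose label
    print(*inventory, sep="\n")
```

The inventory entries give an auditor the algorithm, strength, RNG or KDF, and parent key for each key without exposing key material.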
Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.