CEK-12: Key Rotation

Control is new to this version of the control set.

Control Statement

Rotate cryptographic keys in accordance with the calculated cryptoperiod, which includes provisions for considering the risk of information disclosure and legal and regulatory requirements.

Implementation Guidance

Key rotation generates (based on policy) a new key version of a key used to encrypt data.

  1. Non-primary (old) keys should be used to decrypt data previously encrypted before re-encrypting the data with new keys.
  2. Old data may be re-encrypted using new keys based on organizational policy and technology capacity.
  3. When rotating keys, consider the following principles:
     • Cryptographic mechanism strength: algorithm, key length, and mode of operation.
     • The volume of information flow or the number of transactions.
     • The security life of the data.
     • The security functions, such as data encryption, digital signature, and key protection.
     • The number of key copies and the distribution of those copies.
  4. All relevant transitions/activity should be recorded (logged) in the inventory management system (CKMS).
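As an added example, not part of the CCM control text: a minimal versioned key ring in Python showing the mechanics the guidance above describes (a new key version on rotation driven by the cryptoperiod, older versions retained only to decrypt, re-encryption of old data under the primary version, and every transition logged for the CKMS). The `KeyRing` class and the HMAC-based stand-in cipher are constructed for this demo; a real deployment would rotate through its KMS/CKMS and use an authenticated cipher such as AES-GCM.

```python
import hashlib
import hmac
import os
import time


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Constructed stand-in cipher (HMAC-SHA256 counter keystream XORed with data).
    # Demo only: it gives no integrity protection; use AES-GCM or a KMS in production.
    stream = bytearray()
    for block in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


class KeyRing:
    """Versioned key ring (hypothetical): encrypt only with the primary version,
    decrypt with any retained version, rotate when the cryptoperiod expires,
    and log every rotation / re-encryption transition."""

    def __init__(self, cryptoperiod_s: float, now=time.time):
        self.now = now                      # injectable clock so rotation is testable
        self.cryptoperiod_s = cryptoperiod_s
        self.versions: dict[int, bytes] = {}  # version number -> raw key material
        self.primary = 0
        self.created_at = 0.0
        self.log: list[dict] = []           # transition records destined for the CKMS
        self.rotate("initial key")

    def rotate(self, reason: str) -> int:
        self.primary += 1
        self.versions[self.primary] = os.urandom(32)   # new key version, old ones kept
        self.created_at = self.now()
        self.log.append({"event": "rotate", "version": self.primary,
                         "time": self.created_at, "reason": reason})
        return self.primary

    def rotate_if_due(self) -> None:
        if self.now() - self.created_at >= self.cryptoperiod_s:
            self.rotate("cryptoperiod expired")

    def encrypt(self, plaintext: bytes) -> bytes:
        self.rotate_if_due()
        nonce = os.urandom(16)
        # Ciphertext carries the key version so the right non-primary key can decrypt later.
        return self.primary.to_bytes(4, "big") + nonce + _keystream_xor(
            self.versions[self.primary], nonce, plaintext)

    def decrypt(self, blob: bytes) -> bytes:
        version = int.from_bytes(blob[:4], "big")
        key = self.versions[version]        # KeyError here means the version was retired
        return _keystream_xor(key, blob[4:20], blob[20:])

    def reencrypt(self, blob: bytes) -> bytes:
        old = int.from_bytes(blob[:4], "big")
        new_blob = self.encrypt(self.decrypt(blob))   # old key decrypts, primary re-encrypts
        self.log.append({"event": "reencrypt", "from": old, "to": self.primary})
        return new_blob
```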

Auditing Guidance

Consider the symmetric vs. asymmetric key rotation capabilities of the CSPs in use and whether an appropriate rotation process has been adopted for each.

  1. Confirm that policy and procedures include a requirement for regular key rotation.
  2. Identify keys used within the organization. Confirm that these keys are part of the rotation process.
  3. Review the key rotation process to confirm logging and monitoring of key rotation, tracking of date, time, encryption algorithm used, and authorization process used.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.