Rotate cryptographic keys in accordance with the calculated cryptoperiod, which includes provisions for considering the risk of information disclosure and legal and regulatory requirements.
Key rotation generates (based on policy) a new key version of a key used to encrypt data.
- Non-primary (old) keys should be used to decrypt data previously encrypted before re-encrypting the data with new keys.
- Old data may be re-encrypted using new keys based on organizational policy and technology capacity.
- When rotating keys, consider the following principles:
  - Cryptographic mechanism strength: algorithm, key length, and mode of operation.
  - The volume of information flow or the number of transactions.
  - The security life of the data.
  - The security functions, such as data encryption, digital signature, and key protection.
  - The number of key copies and the distribution of those copies.
- All relevant transitions/activity should be recorded (logged) in the inventory management system (CKMS).
Consider the symmetric vs. asymmetric key rotation capabilities of the CSPs in use and adopt a rotation process appropriate to them.
- Confirm that policy and procedures include a requirement for regular key rotation.
- Identify keys used within the organization. Confirm that these keys are part of the rotation process.
- Review the key rotation process to confirm logging and monitoring of key rotation, tracking of date, time, encryption algorithm used, and authorization process used.
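The rotation model described above (a new primary key version for encryption, older versions retained for decryption only, optional re-encryption of old data, and a logged record of every transition) as an added example that is not part of the CCM text. The `KeyRing` class, its method names and the log fields are assumptions; the cipher is a toy HMAC-SHA256 keystream with an encrypt-then-MAC tag standing in for a real AEAD such as AES-GCM, so the block runs on the Python standard library alone.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

def _derive(key, label):
    # Separate encryption and MAC keys from one key version
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key, nonce, length):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))

class KeyRing:
    def __init__(self):
        self.versions = {}   # version number -> raw key material
        self.primary = 0     # version used for all new encryptions
        self.log = []        # CKMS-style record of every key transition

    def _record(self, event, version, actor):
        self.log.append({"time": datetime.now(timezone.utc).isoformat(), "event": event,
                         "version": version, "actor": actor, "algorithm": "hmac-sha256-stream"})

    def rotate(self, actor):
        """Create a new primary version; older versions remain decrypt-only."""
        self.primary += 1
        self.versions[self.primary] = secrets.token_bytes(32)
        self._record("rotate", self.primary, actor)
        return self.primary

    def encrypt(self, plaintext):
        key, nonce = self.versions[self.primary], secrets.token_bytes(16)
        ct = _xor(plaintext, _keystream(_derive(key, b"enc"), nonce, len(plaintext)))
        aad = self.primary.to_bytes(4, "big") + nonce + ct   # version number is authenticated
        tag = hmac.new(_derive(key, b"mac"), aad, hashlib.sha256).digest()
        return {"version": self.primary, "nonce": nonce, "ct": ct, "tag": tag}

    def decrypt(self, blob):
        key = self.versions[blob["version"]]   # KeyError if that version no longer exists
        aad = blob["version"].to_bytes(4, "big") + blob["nonce"] + blob["ct"]
        if not hmac.compare_digest(hmac.new(_derive(key, b"mac"), aad, hashlib.sha256).digest(), blob["tag"]):
            raise ValueError("authentication failed: wrong key version or tampered ciphertext")
        return _xor(blob["ct"], _keystream(_derive(key, b"enc"), blob["nonce"], len(blob["ct"])))

    def reencrypt(self, blob):
        """Migrate data from an older version to the primary; unchanged if already current."""
        return blob if blob["version"] == self.primary else self.encrypt(self.decrypt(blob))
```

Each ciphertext carries its key version, which is what lets a non-primary key keep decrypting old data after a rotation and lets an auditor tell from the log which version was active when.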
Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.