CEK-13: Key Revocation

CSF v1.1 References:

PF v1.0 References:

Info icon.

Control is new to this version of the control set.

Control Statement

Define, implement and evaluate processes, procedures and technical measures to revoke and remove cryptographic keys prior to the end of its established cryptoperiod, when a key is compromised, or an entity is no longer part of the organization, which include provisions for legal and regulatory requirements.

Implementation Guidance

Key revocation removes keys from operational use before their expiration dates.

  1. Key revocation of a “symmetric key” restricts the use of the key material.
  2. Key revocation of an asymmetric key specifically refers to the private key.
  3. Perform emergency revocation when keys are lost or compromised.
  4. Revocation statuses should be available to all who have relied on the key.
  5. Use certificate revocation lists (CRLs) or other relevant mechanisms to inform stakeholders.
  6. ROI: Cost to decrypt then re-encrypt large distributed databases with a significant number of key holders.
  7. ROI: Risk of long-term cryptoperiods versus short and the amount of data encrypted with one key.
  8. All relevant transitions/activity should be recorded (logged) in the inventory management system (CKMS).

Auditing Guidance

  1. Examine the organization procedures and confirm the existence of a key revocation process.
  2. Identify a population of keys and confirm that they are captured within the key revocation process.
  3. Confirm that a list of entities no longer part of the organization is maintained.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.