Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Register for CSA’s free Virtual Cloud Trust Summit to tackle enterprise challenges in cloud assurance.

​Developing Key Management Systems

Home
Industry Insights
​Developing Key Management Systems

Blog Article Published: 04/09/2021

Based on a publication written by the Cloud Key Management Working Group

Key management is the management of cryptographic keys in a cryptosystem. A reliable key management system (KMS) helps a business meet compliance and data control requirements, and also benefits the overall security of the organization. In this post, we’ll be covering some of the important questions to keep in mind when developing key management systems for your organization, policies to follow regarding the control environment, and controls to enact that are relevant to the different phases of the key management lifecycle. This blog highlights major takeaways from the research document Key Management in Cloud Services.

Questions to Answer First

As with most modern computing technologies that intersect with cloud computing, there are many possible architectural combinations of solutions to cloud computing and key management. The primary questions that affect how organizations approach the architectural choice include:

  1. What key management systems are already in use by the organization? CSA recommends that organizations — regardless of any cloud adoption planned, underway, or established — document the capabilities of existing KMS in terms that can be evaluated for potential use in achieving business, privacy, and security outcomes. This establishes the foundation for evaluating a cloud KMS in the future.
  2. What are the desired functional, operational, and business outcomes for use of the cloud service? This question may elicit a long list of desired outcomes, with considerations of cost, complexity, stability, service level agreement, privacy, transparency, and more.

Key Management Control Environment

The next important factor to consider is the control environment — the setting which facilitates the operation of controls and the controls themselves. The control environment consists of all the policies and procedures supported by management as well as their actions regarding deviations from policy. Here is an overview of some of the policies that are necessary to ensure a proper control environment:

Governance and Policy Management:

  • Each encryption key or group of keys needs to be governed by an individual key usage policy.
  • Encryption and key management policies and procedures should be reviewed annually.

Risk Management:

  • An encryption and key management risk program should include provisions for risk assessment, risk treatment, risk context, and monitoring and feedback.

Change Management:

  • Changes to encryption and key management systems, policies, and procedures should be made in accordance with a procedure that includes determining the effects, costs, and benefits of the change.
  • Changes should be communicated to all relevant stakeholders.
  • Changes should all be recorded with the possibility of the change being reversed to the original state.

Key Management System:

  • An encryption and key management storage system should require keys and/or certificates to be automatically recorded.
  • Key security functions should be isolated from non-security functions via partitions or domains.

Centralized Logging:

  • A secure audit trail of unalterable logging information evidencing key transactions, administration activities, and security events should be maintained.

Audit:

  • Encryption and key management systems, policies, and processes should be independently audited annually.

Key Management Controls

The phases of the key management lifecycle govern the creation, usage, storage, and destruction of keys. Here are some of the controls associated with different phases:

Generation:

  • All keys should be generated within a secure cryptographic module which relies upon a random bit generator.

Activation:

  • Symmetric or private keys should be activated only when they are required to be used.
  • Public keys should be activated when they are made available or on the date indicated in associated metadata.

Deactivation:

  • Symmetric or private keys should be deactivated when they are no longer required for applying cryptographic protection to data. Then, these keys may be destroyed or archived.

Compromise:

  • Generally, keys are compromised when they are released to or determined by an unauthorized entity. Cryptographic protection applied to information of compromised keys must cease and the compromised key must be revoked.

Replacement:

  • Sometimes, keys need to be replaced due to a compromise of the key or the end of the key’s crypto-period. The new key should be generated in a manner that is entirely independent of the value of the old key.

Recovery:

  • Key recovery is the act of bringing crypto keys back up or archived keys back to their original state. It is important to closely replicate associated key attributes to their original state to preserve the assigned usage attributes. Key information may be recovered from backups during the key’s valid crypto-period or from archives.

Destruction:

  • Once it has been carefully determined that they are no longer required, keys should be destroyed in a manner that removes all traces of the keying material.
  • Once the key has been marked for deletion, there is no facility to undo this state. It is imperative to provide the user with sufficient warning prior to destruction.

Interested in a more in-depth look at this topic?

This blog highlights some of the major points from the research document Key Management in Cloud Services by the Cloud Key Management Working Group.

In the full version of this research document you will read a more detailed explanation of some of the topics brought up in this blog as well as information about:

  • Programmatic Library Interfaces, including REST and SOAP recommendations.
  • API Practical Considerations, including what these relationships look like in practice, the interface triangle, and practical API management.


Acknowledgments

Lead Authors:
Contributors:
Doug Egan
Ashish Kurmi
Paul Rich
Michael Roza
Mike Schrock
Marina Bregkou
Subhojit Goswami
Anup Marwaha
Christiane Peters
Cloud Key ManagementEnhancing cloud security strategy

Share this content on your favorite social network today!

Latest from CSA
Join AT&T Cybersecurity in Chicago
The State of AI and Security Survey Report
CSA's STAR: The Key to Cloud Security & Compliance
Trending This Week
#1 The 5 SOC 2 Trust Services Criteria Explained
#2 What You Need to Know About the Daixin Team Ransomware Group
#3 Mitigating Security Risks in Retrieval Augmented Generation (RAG) LLM Applications
#4 Cybersecurity 101: 10 Types of Cyber Attacks to Know
#5 Detecting and Mitigating NTLM Relay Attacks Targeting Microsoft Domain Controllers
Level up with Cloud Infrastructure Security Training
Related Articles:
How to Prepare Your Workforce to Secure Your Cloud Infrastructure with Zero Trust

Published: 04/24/2024

Neutralizing the Threat with Cloud Remediation

Published: 04/23/2024

10 Tips to Guide Your Cloud Email Security Strategy

Published: 04/17/2024

The Widening Overlap Between Cloud Workloads and Cybersecurity

Published: 04/17/2024