Cloud 101CircleEventsBlog
Have a chance to win a free CCSK v5 token by taking the Non-Human Identity Security Survey!

CSA Official Press Release

Published 09/27/2022

Cloud Security Alliance Offers Recommendations for Using Customer Controlled Key Store

Cloud Security Alliance Offers Recommendations for Using Customer Controlled Key Store

Document offers guidance for implementing a key management system (KMS) that is a dependency of a cloud service without being hosted by the service

SEATTLE Sept. 27, 2022 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications and best practices to help ensure a secure cloud computing environment, today released Recommendations for Using a Customer Controlled Key Store. Written by CSA’s Cloud Key Management Working Group, the paper offers guidance to organizations that opt to use a customer controlled key store (CCKS), whereby the key management system (KMS) is external to a cloud service provider (CSP) despite the KMS being a dependency of a cloud service.

“Because CCKS is still relatively new within cloud computing, there isn’t a deep bench of best practices available. Even so, this pattern is growing in popularity and because of this, we felt it imperative to provide a sound set of guidelines that will help companies taking this path optimize their security and related costs, as well as their operational and business agility,” said Paul Rich, a lead author and co-chair of the Cloud Key Management Working Group.

Because CCKS deals with the integration of a chosen KMS and at least one public cloud service, the document provides recommendations for choosing, planning, and deploying a KMS within the context of an integration pattern. It offers guidance pertaining to the technical, operational, legal, regulatory, and financial issues that an enterprise must consider when opting for a CCKS.

Using a CCKS presents numerous challenges, not the least of which is establishing a rationale for selecting a more complex and costly pattern. Despite the potential hurdles, there are several reasons a company might opt to use a CCKS, including:

  • Control of some of all facets of key management
  • Elimination of a cloud service provider’s ability to process customer data in plaintext
  • A desire to simplify operational complexity, security, and cost by reducing the number of KMS instances
  • Regulatory or contractual obligations surrounding KMS, standards, or operations
  • Vendor lock-in

“With this document, we hope to guide the program or project manager as they lead their company through the CCKS lifecycle, providing them with the critical information they need to successfully map the pattern to their organization,” said Michael Born, one of the paper’s lead authors.

The Cloud Key Management Working Group aims to facilitate the standards for seamless integration between cloud service providers and key broker services. Individuals interested in becoming involved in Cloud Key Management future research and initiatives are invited to join the working group.

Download the full document. Those interested in gaining a deeper understanding of Cloud Key Management Service patterns, as well as guidance for its use are encouraged to read Key Management in Cloud Services: Understanding Encryption’s Desired Outcomes and Limitations.

About Cloud Security Alliance
The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, training, certification, events, and products. CSA's activities, knowledge, and extensive network benefit the entire community impacted by cloud — from providers and customers to governments, entrepreneurs, and the assurance industry — and provide a forum through which different parties can work together to create and maintain a trusted cloud ecosystem. For further information, visit us at, and follow us on Twitter @cloudsa.

Share this content on your favorite social network today!

About Cloud Security Alliance

The Cloud Security Alliance is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing. The Cloud Security Alliance is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders. For further information, follow us on Twitter @cloudsa.

For press inquiries, email Zenobia Godschalk of ZAG Communications or reach her by phone at 650.269.8315.