Key Management & Crypto (expanded): 21 items

Key Management → KMS/HSM Lifecycle

Tags: KMS, HSM, Rotation

Question: Are keys generated in FIPS 140-2/3 modules and rotated ≤ 12 months with auditable usage?

Applicable Requirements:
- NIST 800-53: SC-12, SC-13
- NIST SP 800-57
- ISO 27001: A.10.1.2

Applicability: All encrypted data

Expected Result: CMKs never leave HSM; periodic rotation; usage logs; dual control for deletes.

Why It Matters: Key theft nullifies encryption.

Technical Breakdown:

  1. Split KMS admin vs crypto user roles; require approvals for scheduled deletions.
  2. Envelope encryption with frequent DEK rotation.
Key Management → Envelope Encryption

Tags: Envelope, AEAD

Question: Do apps use envelope encryption (per-object DEK wrapped by CMK)?

Applicable Requirements:
- NIST 800-53: SC-12

Applicability: Databases/files/PII blobs

Expected Result: Random DEK per item; stored as wrapped blob; cache DEKs in memory only.

Why It Matters: Limits blast radius if DEK exposed.

Technical Breakdown:

  1. Use AEAD (AES-GCM/ChaCha20-Poly1305) with unique nonces.
  2. Never log plaintext keys; wipe memory buffers.
Key Management → SoD for Crypto

Tags: Separation of Duties

Question: Are key-management permissions separated from data access roles?

Applicable Requirements:
- NIST 800-53: AC-5, AC-6

Applicability: Operators vs services

Expected Result: No single admin can decrypt & exfiltrate data; two-person rule for exports.

Why It Matters: Mitigates insider risk.

Technical Breakdown:

  1. Use KMS grants; deny human Decrypt; require approvals.
Key Management → Crypto Agility

Tags: PQC, Agility

Question: Is there a plan to migrate algorithms/keys (e.g., RSA→ECC, PQC readiness)?

Applicable Requirements:
- NIST 800-53: SC-12
- NIST CSF: PR.AC, PR.DS

Applicability: All cryptographic systems

Expected Result: Inventory crypto use; abstract via KMS; plan PQC pilots.

Why It Matters: Future-proofs against breaks and PQC transition.

Technical Breakdown:

  1. Track ciphers in SBOM; test PQC KEMs as they stabilize.
Key Management → KEK/DEK Rotation Cadence

Tags: Rotation Policy

Question: Are KEKs rotated annually and DEKs rotated more frequently per data sensitivity?

Applicable Requirements:
- NIST 800-53: SC-12

Applicability: Encrypted stores and backups

Expected Result: KEK rotation ≤ 12 months; DEK per object or quarterly; automated re-encryption plan.

Why It Matters: Balances performance with risk.

Technical Breakdown:

  1. Stagger rotations; monitor for key exhaustion; document playbooks.
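The Envelope Encryption item above and this rotation item describe one mechanism from two sides: a random DEK per object, AEAD-encrypted data, the DEK wrapped by a KEK, and KEK rotation that only re-wraps the DEK rather than re-encrypting every object. The following Go program is an added example, not code from this page; it uses AES-256-GCM from the standard library, stands in for the KMS/HSM with an in-process KEK (an assumption; in production wrap and unwrap are calls into the module), and binds an object identifier as AAD. The names KEK, Envelope, Seal, Open and Rewrap are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KEK stands in for a key held inside a KMS/HSM (assumption: key bytes live in-process here).
type KEK struct {
	ID  string
	key []byte
}

func NewKEK(id string) *KEK { return &KEK{ID: id, key: randomBytes(32)} }

// Envelope is what is stored beside the object: the wrapped DEK, never the plaintext DEK.
type Envelope struct {
	KEKID      string // KEK that wrapped the DEK; also bound as AAD on the wrap
	DEKNonce   []byte
	WrappedDEK []byte
	Nonce      []byte
	Ciphertext []byte
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // crypto/rand failing means the host has no usable entropy source
	}
	return b
}

// gcm builds AES-256-GCM; every key in this file is 32 bytes, so a failure here is a bug.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// zero wipes key material (best effort under a GC; one more reason DEKs stay short-lived).
func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// sealWith encrypts under key with a fresh random 96-bit nonce; returns (nonce, ciphertext).
func sealWith(key, plaintext, aad []byte) ([]byte, []byte) {
	aead := gcm(key)
	nonce := randomBytes(aead.NonceSize())
	return nonce, aead.Seal(nil, nonce, plaintext, aad)
}

// Seal: one random 256-bit DEK per object, data encrypted under it with the caller's AAD
// (e.g. the object id) bound in, DEK wrapped under the KEK, DEK wiped before returning.
func Seal(kek *KEK, plaintext, aad []byte) *Envelope {
	dek := randomBytes(32)
	defer zero(dek)
	nonce, ct := sealWith(dek, plaintext, aad)
	dekNonce, wrapped := sealWith(kek.key, dek, []byte(kek.ID))
	return &Envelope{KEKID: kek.ID, DEKNonce: dekNonce, WrappedDEK: wrapped, Nonce: nonce, Ciphertext: ct}
}

// unwrapDEK checks the envelope belongs to this KEK and recovers the DEK; the caller wipes it.
func unwrapDEK(kek *KEK, env *Envelope) ([]byte, error) {
	if env.KEKID != kek.ID {
		return nil, errors.New("envelope is wrapped under a different KEK")
	}
	dek, err := gcm(kek.key).Open(nil, env.DEKNonce, env.WrappedDEK, []byte(kek.ID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return dek, nil
}

// Open decrypts one object; any change to ciphertext, nonce, wrapped DEK or AAD fails authentication.
func Open(kek *KEK, env *Envelope, aad []byte) ([]byte, error) {
	dek, err := unwrapDEK(kek, env)
	if err != nil {
		return nil, err
	}
	defer zero(dek)
	return gcm(dek).Open(nil, env.Nonce, env.Ciphertext, aad)
}

// Rewrap is the KEK-rotation step: ciphertext untouched, DEK unwrapped under the old KEK
// and wrapped again under the new one, so the envelope now records the new KEK as current.
func Rewrap(oldKEK, newKEK *KEK, env *Envelope) error {
	dek, err := unwrapDEK(oldKEK, env)
	if err != nil {
		return err
	}
	defer zero(dek)
	env.KEKID = newKEK.ID
	env.DEKNonce, env.WrappedDEK = sealWith(newKEK.key, dek, []byte(newKEK.ID))
	return nil
}
```

Rewrap is what an automated re-encryption plan needs for the annual KEK rotation: data stays where it is, only the wrapped DEK changes, and once the old KEK is retired its envelopes stop opening. Rotating a DEK, by contrast, means re-encrypting that object, which is why the per-object or quarterly DEK cadence is tied to data sensitivity rather than applied everywhere.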
Key Management (SaaS Salesforce) → BYOK/CSE Controls

Tags: BYOK, CSE, Salesforce

Question: If BYOK/CSE is supported, is tenant-specific keying enforced with tenant-initiated rotation and usage telemetry?

Applicable Requirements:
- NIST 800-53: SC-28, SC-12
- SOC 2: CC6.1

Applicability: Salesforce enterprise plans with encryption features.

Expected Result: Per-tenant keys; rotation by tenant; usage logs exportable; revocation disables data access.

Why It Matters: Assures customer control and evidentiary logging.

Technical Breakdown:

  1. Document key lifecycle; attest separation; test revocation effects.
Key Management (SaaS ServiceNow) → BYOK/CSE Controls

Tags: BYOK, CSE, ServiceNow

Question: If BYOK/CSE is supported, is tenant-specific keying enforced with tenant-initiated rotation and usage telemetry?

Applicable Requirements:
- NIST 800-53: SC-28, SC-12
- SOC 2: CC6.1

Applicability: ServiceNow enterprise plans with encryption features.

Expected Result: Per-tenant keys; rotation by tenant; usage logs exportable; revocation disables data access.

Why It Matters: Assures customer control and evidentiary logging.

Technical Breakdown:

  1. Document key lifecycle; attest separation; test revocation effects.
Key Management (SaaS Microsoft 365) → BYOK/CSE Controls

Tags: BYOK, CSE, Microsoft 365

Question: If BYOK/CSE is supported, is tenant-specific keying enforced with tenant-initiated rotation and usage telemetry?

Applicable Requirements:
- NIST 800-53: SC-28, SC-12
- SOC 2: CC6.1

Applicability: Microsoft 365 enterprise plans with encryption features.

Expected Result: Per-tenant keys; rotation by tenant; usage logs exportable; revocation disables data access.

Why It Matters: Assures customer control and evidentiary logging.

Technical Breakdown:

  1. Document key lifecycle; attest separation; test revocation effects.
Key Management (SaaS Google Workspace) → BYOK/CSE Controls

Tags: BYOK, CSE, Google Workspace

Question: If BYOK/CSE is supported, is tenant-specific keying enforced with tenant-initiated rotation and usage telemetry?

Applicable Requirements:
- NIST 800-53: SC-28, SC-12
- SOC 2: CC6.1

Applicability: Google Workspace enterprise plans with encryption features.

Expected Result: Per-tenant keys; rotation by tenant; usage logs exportable; revocation disables data access.

Why It Matters: Assures customer control and evidentiary logging.

Technical Breakdown:

  1. Document key lifecycle; attest separation; test revocation effects.
Key Management (SaaS Snowflake) → BYOK/CSE Controls

Tags: BYOK, CSE, Snowflake

Question: If BYOK/CSE is supported, is tenant-specific keying enforced with tenant-initiated rotation and usage telemetry?

Applicable Requirements:
- NIST 800-53: SC-28, SC-12
- SOC 2: CC6.1

Applicability: Snowflake enterprise plans with encryption features.

Expected Result: Per-tenant keys; rotation by tenant; usage logs exportable; revocation disables data access.

Why It Matters: Assures customer control and evidentiary logging.

Technical Breakdown:

  1. Document key lifecycle; attest separation; test revocation effects.
Key Management (SaaS Databricks) → BYOK/CSE Controls

Tags: BYOK, CSE, Databricks

Question: If BYOK/CSE is supported, is tenant-specific keying enforced with tenant-initiated rotation and usage telemetry?

Applicable Requirements:
- NIST 800-53: SC-28, SC-12
- SOC 2: CC6.1

Applicability: Databricks enterprise plans with encryption features.

Expected Result: Per-tenant keys; rotation by tenant; usage logs exportable; revocation disables data access.

Why It Matters: Assures customer control and evidentiary logging.

Technical Breakdown:

  1. Document key lifecycle; attest separation; test revocation effects.
Key Management → Crypto Ops: HSM Backup & HA

Tags: Crypto

Question: Is the following control enforced: HSM Backup & HA?

Applicable Requirements:
- NIST 800-53: SC-12, SC-13
- ISO 27001: A.10.1.2

Applicability: HSM clusters

Expected Result: Redundant modules; secure backups; periodic restore tests

Why It Matters: Strengthens crypto operational posture.

Technical Breakdown:

  1. Automate issuance/renewal; scan for weak ciphers; report coverage.
Key Management → Crypto Ops: FIPS Mode Enforcement

Tags: Crypto

Question: Is the following control enforced: FIPS Mode Enforcement?

Applicable Requirements:
- NIST 800-53: SC-12, SC-13
- ISO 27001: A.10.1.2

Applicability: Crypto libraries/services

Expected Result: FIPS mode enabled and attested on supported stacks

Why It Matters: Strengthens crypto operational posture.

Technical Breakdown:

  1. Automate issuance/renewal; scan for weak ciphers; report coverage.
Key Management → Crypto Ops: Tokenization for PCI/PII

Tags: Crypto

Question: Is the following control enforced: Tokenization for PCI/PII?

Applicable Requirements:
- NIST 800-53: SC-12, SC-13
- ISO 27001: A.10.1.2

Applicability: Payment/PII systems

Expected Result: Format-preserving tokenization; vault separation

Why It Matters: Strengthens crypto operational posture.

Technical Breakdown:

  1. Automate issuance/renewal; scan for weak ciphers; report coverage.
Key Management → Crypto Ops: TLS Cipher Policy

Tags: Crypto

Question: Is the following control enforced: TLS Cipher Policy?

Applicable Requirements:
- NIST 800-53: SC-12, SC-13
- ISO 27001: A.10.1.2

Applicability: Ingress/egress TLS

Expected Result: Modern TLS 1.2+ ciphers; disable legacy suites and renegotiation

Why It Matters: Strengthens crypto operational posture.

Technical Breakdown:

  1. Automate issuance/renewal; scan for weak ciphers; report coverage.
Key Management → Crypto Ops: Certificate Lifecycle

Tags: Crypto

Question: Is the following control enforced: Certificate Lifecycle?

Applicable Requirements:
- NIST 800-53: SC-12, SC-13
- ISO 27001: A.10.1.2

Applicability: Internal/external certs

Expected Result: ACME/automation; lifetimes under 90 days; inventory and alerts

Why It Matters: Strengthens crypto operational posture.

Technical Breakdown:

  1. Automate issuance/renewal; scan for weak ciphers; report coverage.
Key Management → Advanced Crypto Controls: Key Usage Anomaly Detection

Tags: Crypto-Advanced

Question: Is the following control enforced: Key Usage Anomaly Detection?

Applicable Requirements:
- NIST 800-53: SC-12, SC-13
- SOC 2: CC6.1

Applicability: KMS logs

Expected Result: Alerts on unusual Decrypt/Encrypt patterns

Why It Matters: Improves detection, separation, and lifecycle hygiene for keys and secrets.

Technical Breakdown:

  1. SIEM rules on KMS patterns; restrict imported key lifecycles; scan CI/CD for secret leakage.
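As an added example of the first part of this breakdown (SIEM rules on KMS usage patterns), the following Go program runs three rules over constructed key-usage audit records: an interactive (user/) principal calling Decrypt, which the SoD item above says should be denied outright; destructive lifecycle calls (ScheduleKeyDeletion, DisableKey); and a per-principal Decrypt burst above a threshold inside a sliding window. The record format, the role/ and user/ principal naming, and the threshold are assumptions made for this example, not any provider's schema, and the code is not from this page.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// KMSEvent is the subset of a key-usage audit record the rules need.
// Field names are constructed for this example, not a provider's schema.
type KMSEvent struct {
	Time      time.Time `json:"time"`
	Action    string    `json:"action"`    // Decrypt, Encrypt, GenerateDataKey, ScheduleKeyDeletion, DisableKey
	Principal string    `json:"principal"` // "role/..." for workloads, "user/..." for humans (assumed convention)
	KeyID     string    `json:"key_id"`
}

// Alert is what a rule emits; a SIEM would route it to a queue or ticket.
type Alert struct {
	Rule, Principal, Detail string
}

// Detector tracks per-principal Decrypt timestamps inside a sliding window.
type Detector struct {
	Window    time.Duration
	Threshold int // Decrypt calls per principal per Window above which we alert
	recent    map[string][]time.Time
}

func NewDetector(window time.Duration, threshold int) *Detector {
	return &Detector{Window: window, Threshold: threshold, recent: map[string][]time.Time{}}
}

// Observe applies the three rules to one event and returns the alerts it raises.
func (d *Detector) Observe(ev KMSEvent) []Alert {
	var out []Alert
	// Rule 1: humans never call Decrypt directly (the SoD item's "deny human Decrypt").
	if ev.Action == "Decrypt" && strings.HasPrefix(ev.Principal, "user/") {
		out = append(out, Alert{"human-decrypt", ev.Principal, "interactive Decrypt under " + ev.KeyID})
	}
	// Rule 2: destructive lifecycle operations always alert, whoever calls them.
	if ev.Action == "ScheduleKeyDeletion" || ev.Action == "DisableKey" {
		out = append(out, Alert{"key-lifecycle", ev.Principal, ev.Action + " on " + ev.KeyID})
	}
	// Rule 3: Decrypt burst; fires once, when the principal first exceeds Threshold within Window.
	if ev.Action == "Decrypt" {
		if d.recent == nil {
			d.recent = map[string][]time.Time{}
		}
		cutoff := ev.Time.Add(-d.Window)
		ts := d.recent[ev.Principal]
		for len(ts) > 0 && !ts[0].After(cutoff) { // evict timestamps that fell out of the window
			ts = ts[1:]
		}
		ts = append(ts, ev.Time)
		d.recent[ev.Principal] = ts
		if len(ts) == d.Threshold+1 {
			out = append(out, Alert{"decrypt-burst", ev.Principal, fmt.Sprintf("%d Decrypt calls within %s", len(ts), d.Window)})
		}
	}
	return out
}

// Run feeds log lines through the detector. Lines that fail to parse are counted,
// not silently dropped: a gap in key-usage telemetry is itself a finding.
func Run(lines []string, d *Detector) (alerts []Alert, parseErrors int) {
	for _, line := range lines {
		var ev KMSEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			parseErrors++
			continue
		}
		alerts = append(alerts, d.Observe(ev)...)
	}
	return alerts, parseErrors
}

func rec(t, action, principal string) string { // builds one constructed sample record
	return fmt.Sprintf(`{"time":%q,"action":%q,"principal":%q,"key_id":"key-orders"}`, t, action, principal)
}

// SampleLog is constructed: a quiet baseline, one human Decrypt, a burst, a deletion, and a malformed line.
var SampleLog = []string{
	rec("2024-05-01T10:00:00Z", "Decrypt", "role/app-orders"),
	rec("2024-05-01T10:03:00Z", "Decrypt", "role/app-orders"),
	rec("2024-05-01T10:06:00Z", "GenerateDataKey", "role/app-orders"),
	rec("2024-05-01T10:07:00Z", "Decrypt", "user/alice"),
	rec("2024-05-01T10:10:00Z", "Decrypt", "role/app-orders"),
	rec("2024-05-01T10:10:05Z", "Decrypt", "role/app-orders"),
	rec("2024-05-01T10:10:10Z", "Decrypt", "role/app-orders"),
	rec("2024-05-01T10:10:15Z", "Decrypt", "role/app-orders"),
	rec("2024-05-01T10:10:20Z", "Decrypt", "role/app-orders"),
	rec("2024-05-01T10:10:25Z", "Decrypt", "role/app-orders"),
	rec("2024-05-01T10:12:00Z", "ScheduleKeyDeletion", "user/bob"),
	"not a json record",
}

func main() {
	alerts, bad := Run(SampleLog, NewDetector(time.Minute, 5))
	for _, a := range alerts {
		fmt.Printf("[%s] %s: %s\n", a.Rule, a.Principal, a.Detail)
	}
	fmt.Printf("%d unparseable line(s)\n", bad)
}
```

The burst rule fires once when a principal crosses the threshold rather than on every subsequent call, so one runaway client cannot flood the alert queue; in practice the threshold comes from each principal's observed baseline rather than a fixed constant. Unparseable lines are counted instead of dropped, because missing key-usage telemetry is itself a finding.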
Key Management → Advanced Crypto Controls: Customer Hold Your Own Key (HYOK)

Tags: Crypto-Advanced

Question: Is the following control enforced: Customer Hold Your Own Key (HYOK)?

Applicable Requirements:
- NIST 800-53: SC-12, SC-13
- SOC 2: CC6.1

Applicability: Some SaaS

Expected Result: Keys never leave customer HSM boundaries

Why It Matters: Improves detection, separation, and lifecycle hygiene for keys and secrets.

Technical Breakdown:

  1. SIEM rules on KMS patterns; restrict imported key lifecycles; scan CI/CD for secret leakage.
Key Management → Advanced Crypto Controls: Key Material Import Controls

Tags: Crypto-Advanced

Question: Is the following control enforced: Key Material Import Controls?

Applicable Requirements:
- NIST 800-53: SC-12, SC-13
- SOC 2: CC6.1

Applicability: Imported keys

Expected Result: Validate wrapping keys; attest process; approvals

Why It Matters: Improves detection, separation, and lifecycle hygiene for keys and secrets.

Technical Breakdown:

  1. SIEM rules on KMS patterns; restrict imported key lifecycles; scan CI/CD for secret leakage.
Key Management → Advanced Crypto Controls: Secrets at Build vs Deploy

Tags: Crypto-Advanced

Question: Is the following control enforced: Secrets at Build vs Deploy?

Applicable Requirements:
- NIST 800-53: SC-12, SC-13
- SOC 2: CC6.1

Applicability: CI/CD

Expected Result: No secrets in build artifacts; inject at deploy time

Why It Matters: Improves detection, separation, and lifecycle hygiene for keys and secrets.

Technical Breakdown:

  1. SIEM rules on KMS patterns; restrict imported key lifecycles; scan CI/CD for secret leakage.
Key Management → Advanced Crypto Controls: API Key Encryption at Rest

Tags: Crypto-Advanced

Question: Is the following control enforced: API Key Encryption at Rest?

Applicable Requirements:
- NIST 800-53: SC-12, SC-13
- SOC 2: CC6.1

Applicability: API key stores

Expected Result: Keys encrypted with KEK; rotate; per-tenant segregation

Why It Matters: Improves detection, separation, and lifecycle hygiene for keys and secrets.

Technical Breakdown:

  1. SIEM rules on KMS patterns; restrict imported key lifecycles; scan CI/CD for secret leakage.