CEK-02 CEK Roles and Responsibilities

Summary

Cryptographic key management is a critical aspect of information security that requires well-defined roles and responsibilities. The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) control CEK-02 provides guidance on defining and implementing these roles and responsibilities. By properly segregating duties and restricting access, organizations can significantly reduce the risk of unauthorized access to sensitive data.

Where did this come from?

This control comes from the CSA Cloud Controls Matrix v4.0.10 - 2023-09-26, which can be downloaded from https://cloudsecurityalliance.org/artifacts/cloud-controls-matrix-v4. The CCM is a cybersecurity control framework for cloud computing that provides a detailed understanding of security concepts and principles. It is aligned with industry-accepted security standards, regulations, and control frameworks such as ISO 27001/27002, ISACA COBIT, PCI DSS, NIST, and HIPAA. For more information on key management, refer to the AWS Key Management Service (KMS) Developer Guide: https://docs.aws.amazon.com/kms/latest/developerguide/overview.html

Who should care?

This control is particularly relevant for:

• Security managers responsible for overseeing cryptographic operations
• System administrators who configure and manage encryption keys
• Compliance officers ensuring adherence to security standards and regulations
• Developers integrating encryption into applications and services

What is the risk?

Improper management of cryptographic keys can lead to several adverse events:

• Unauthorized access to sensitive data if keys are exposed or misused
• Data loss if keys are lost and data cannot be decrypted
• Non-compliance with security standards and regulations
• Reputational damage and loss of customer trust

CEK-02 helps mitigate these risks by establishing clear roles and responsibilities for key management activities. However, it is not a complete solution and should be implemented in conjunction with other security controls.

What's the care factor?

Cryptographic key management should be a top priority for any organization dealing with sensitive data, especially in cloud environments where keys may be managed by third-party providers. Data breaches resulting from poor key management can have severe financial and reputational consequences. While implementing this control requires significant effort, the cost of not doing so can be much higher.

When is it relevant?

This control is relevant whenever cryptographic keys are used to protect sensitive data, which is common in most organizations today. It is especially critical in cloud environments where keys may be managed by the cloud service provider. However, it may be less relevant for organizations with very limited use of encryption or those using only pre-encrypted services where they have no control over key management.

What are the trade-offs?

Implementing robust key management practices comes with some costs and trade-offs:

• Additional time and effort to define and enforce roles and responsibilities
• Potential impacts on efficiency and agility due to strict segregation of duties
• Increased complexity of systems and processes
• Possible user experience impacts if security controls are too restrictive

Organizations must strike a balance between security and usability based on their specific risks and requirements.

How to make it happen?

1. Define clear roles and responsibilities for all aspects of the key management lifecycle, including generation, distribution, storage, rotation, and destruction. Ensure no single person has control over the entire process.
2. Implement technical controls to enforce segregation of duties, such as:
   • Separate key management from data access permissions
   • Use multi-party computation or threshold signatures for sensitive operations
   • Require multiple approvals for key generation and rotation
3. Establish and enforce cryptoperiods to limit the usage time of each key.
4. Maintain an inventory of all cryptographic keys and certificates, including metadata such as owner, purpose, creation date, and expiration.
5. Put processes in place to revoke and replace compromised keys quickly and safely.
6. Secure storage and backup of keys, using hardware security modules (HSM) where appropriate. Regularly test recovery procedures.
7. Securely destroy keys that are no longer needed, using approved cryptographic erasure methods.
8. Implement integrity checks to verify keys have not been tampered with before use.
9. Provide training to all relevant personnel on their roles and security best practices.
10. Regularly audit and test key management systems and processes to ensure ongoing effectiveness.

What are some gotchas?

• Cryptographic operations often require specific permissions that must be carefully allocated. For example, in AWS KMS the kms:CreateKey permission is needed to create keys. Refer to the AWS KMS API Permissions Reference for details: https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html
• Key management systems can be complex to design and implement. Carefully plan the architecture and thoroughly test all workflows.
• Some applications and services may have specific requirements or limitations regarding key management that need to be accounted for.
• Regulations such as FIPS 140-2 place strict requirements on cryptographic modules and key management practices.

What are the alternatives?

While CEK-02 represents best practices, alternative approaches to key management are possible depending on the specific use case and risk profile:

• Use a fully managed key management service from a cloud provider, such as AWS KMS, to reduce the operational burden. However this requires trusting the provider.
• For some low-risk scenarios, key management may be handled within the application rather than through a centralized system. However this can lead to fragmentation and inconsistencies.
• Hardware security modules (HSM) provide the highest level of security for key storage and processing, but come at a higher cost and complexity than software-based key management.

Ultimately, the approach taken should be commensurate with the value of the data being protected and all applicable compliance requirements.

Explore further

• NIST SP 800-57 provides in-depth recommendations for key management: https://csrc.nist.gov/publications/detail/sp/800-57-part-1/rev-5/final
• The AWS Cryptography Services Whitepaper offers a good overview of key management in the cloud: https://docs.aws.amazon.com/whitepapers/latest/cryptography-services/welcome.html
• CIS Control 14 (Controlled Access Based on Need to Know) provides further guidance on access control: https://www.cisecurity.org/controls/controlled-access-based-on-the-need-to-know

This control aligns closely with CIS Control 14.5 (Encrypt Data on End-User Devices) and 14.8 (Encrypt Sensitive Information in Transit). It is part of a defense-in-depth strategy that uses encryption to safeguard data at rest and in transit.

‍