CSA CCM CEK-09
Encryption and Key Management Audit

Encryption and key management systems are critical to protecting sensitive data, but how do you know they are working effectively? Regular audits of encryption and key management systems, policies, and processes are essential. The frequency of these audits should be proportional to the risk exposure, but should occur at least annually and after any security incidents.

Where did this come from?

This control comes from the CSA Cloud Controls Matrix v4.0.10 - 2023-09-26. You can download the full Cloud Controls Matrix from the Cloud Security Alliance website. For more information on auditing encryption and key management, check out the AWS Key Management Service Best Practices.

Who should care?

This control is relevant for:

  • Security managers responsible for ensuring data is protected
  • Compliance officers needing to meet industry standards like HIPAA and PCI
  • IT auditors assessing the effectiveness of security controls
  • Encryption engineers implementing key management systems

What is the risk?

Without regular audits, encryption and key management systems may have undetected vulnerabilities or configuration errors. This could allow unauthorized access to sensitive data and lead to costly data breaches. Audits help catch issues early before they can be exploited.

What's the care factor?

Audits take time and effort, but are a critical defense. For organizations handling regulated data like healthcare or financial records, audits are mandatory for compliance. Even without that requirement, the reputational and financial damage from a key management failure makes auditing a worthwhile investment for most.

When is it relevant?

Encryption and key management audits should be standard practice for any system storing or transmitting sensitive data. They are especially important for cloud-based systems where key management is delegated to the provider. Audits may not be needed for standalone test/dev systems not handling real data.

What are the trade-offs?

Thorough audits require skilled personnel and can be time-consuming, taking resources away from other projects. Overly frequent audits may provide diminishing returns versus the effort involved. Using external auditors adds cost but provides an independent assessment.

How to make it happen?

  1. Develop an audit plan covering key management policies, procedures, and infrastructure
  2. Define audit frequency based on risk assessment, at least annual
  3. Assign qualified personnel to perform audit, consider external firm
  4. Review policies and procedures against industry standards and best practices
  5. Examine key management infrastructure configuration and access controls
  6. Conduct sample tests against non-production keys - attempt key retrieval, rotation, and deletion, and confirm each is allowed or denied as the policy intends
  7. Review logs for unusual activity like access from unexpected accounts/IPs
  8. Document all findings in audit report
  9. Present report to management and develop remediation plan for any issues
  10. Protect sensitive audit data and tools with strong encryption
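As an added example (not from the CSA or this page), the following Python script covers steps 5 to 7 offline. It runs configuration checks over a constructed key inventory shaped like the output of boto3's describe_key, get_key_policy and get_key_rotation_status, and reviews constructed CloudTrail-style events for destructive calls, unexpected principals and calls from outside an expected network. The account ID, key IDs, role ARN, addresses and event records are all invented fixtures; in a live audit the same functions would be fed from the AWS API and CloudTrail.

```python
"""Offline KMS audit checks: key configuration review and CloudTrail review.
Fixtures are constructed to mirror boto3's kms.describe_key / get_key_policy /
get_key_rotation_status shapes and CloudTrail's JSON event records."""
import ipaddress

# Constructed sample inventory (account 123456789012 is a placeholder):
# one healthy key, one misconfigured key, one key pending deletion.
KEYS = [
    {"KeyMetadata": {"KeyId": "aaaa-1111", "KeyState": "Enabled",
                     "KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT"},
     "KeyRotationEnabled": True,
     "Policy": {"Statement": [{"Sid": "RootOnly", "Effect": "Allow",
                               "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
                               "Action": "kms:*", "Resource": "*"}]}},
    {"KeyMetadata": {"KeyId": "bbbb-2222", "KeyState": "Enabled",
                     "KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT"},
     "KeyRotationEnabled": False,
     "Policy": {"Statement": [{"Sid": "AllowAll", "Effect": "Allow", "Principal": "*",
                               "Action": "kms:*", "Resource": "*"}]}},
    {"KeyMetadata": {"KeyId": "cccc-3333", "KeyState": "PendingDeletion",
                     "KeyManager": "CUSTOMER", "KeySpec": "SYMMETRIC_DEFAULT"},
     "KeyRotationEnabled": False, "Policy": {"Statement": []}},
]

# Constructed CloudTrail-style KMS events (hypothetical role and addresses).
APP_ROLE = "arn:aws:sts::123456789012:assumed-role/app-role/i-0abc"
EVENTS = [
    {"eventTime": "2024-01-10T08:00:00Z", "eventName": "Decrypt",
     "userIdentity": {"arn": APP_ROLE}, "sourceIPAddress": "10.0.1.15"},
    {"eventTime": "2024-01-10T08:05:00Z", "eventName": "ScheduleKeyDeletion",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "sourceIPAddress": "10.0.1.20"},
    {"eventTime": "2024-01-10T08:07:00Z", "eventName": "Decrypt",
     "userIdentity": {"arn": APP_ROLE}, "sourceIPAddress": "203.0.113.7"},
    {"eventTime": "2024-01-10T08:09:00Z", "eventName": "GenerateDataKey",
     "userIdentity": {"arn": APP_ROLE}, "sourceIPAddress": "AWS Internal"},
]
EXPECTED_PRINCIPALS = {APP_ROLE}
EXPECTED_NETWORKS = ["10.0.0.0/8"]

# KMS calls that change or destroy keys; each should map to an approved change.
DESTRUCTIVE = {"ScheduleKeyDeletion", "DisableKey", "DisableKeyRotation",
               "PutKeyPolicy", "DeleteAlias", "DeleteImportedKeyMaterial"}


def _wildcard_principal(statement):
    """True if the statement's Principal is "*" or {"AWS": "*"}."""
    principal = statement.get("Principal")
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def audit_key(key):
    """Configuration checks for one key; returns (key_id, finding) tuples."""
    meta, findings = key["KeyMetadata"], []
    kid = meta["KeyId"]
    if meta["KeyState"] in ("PendingDeletion", "Disabled"):
        findings.append((kid, f"key state is {meta['KeyState']}"))
    # Rotation is configurable only for customer-managed symmetric keys, and its
    # status is irrelevant for a key that is disabled or being deleted.
    if (meta.get("KeyManager") == "CUSTOMER" and meta.get("KeySpec") == "SYMMETRIC_DEFAULT"
            and meta["KeyState"] == "Enabled" and not key.get("KeyRotationEnabled")):
        findings.append((kid, "automatic rotation disabled"))
    for stmt in key["Policy"].get("Statement", []):
        if stmt.get("Effect") == "Allow" and _wildcard_principal(stmt) and "Condition" not in stmt:
            findings.append((kid, f"statement {stmt.get('Sid', '?')} allows any principal without a condition"))
    return findings


def audit_keys(keys):
    return [f for key in keys for f in audit_key(key)]


def review_events(events, expected_principals, expected_networks):
    """Flag destructive calls, unknown callers and calls from outside expected networks."""
    nets = [ipaddress.ip_network(n) for n in expected_networks]
    findings = []
    for ev in events:
        actor = ev.get("userIdentity", {}).get("arn", "<unknown>")
        src = ev.get("sourceIPAddress", "")
        reasons = []
        if ev["eventName"] in DESTRUCTIVE:
            reasons.append("destructive operation")
        if actor not in expected_principals:
            reasons.append("unexpected principal")
        try:  # service-originated calls carry a label such as "AWS Internal", not an IP
            if not any(ipaddress.ip_address(src) in n for n in nets):
                reasons.append("unexpected source IP")
        except ValueError:
            pass
        if reasons:
            findings.append({"time": ev["eventTime"], "event": ev["eventName"],
                             "actor": actor, "source": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for kid, finding in audit_keys(KEYS):
        print(f"CONFIG {kid}: {finding}")
    for f in review_events(EVENTS, EXPECTED_PRINCIPALS, EXPECTED_NETWORKS):
        print(f"LOG    {f['time']} {f['event']} by {f['actor']} from {f['source']}: {', '.join(f['reasons'])}")
```

Run as-is it reports the disabled rotation and wildcard policy on the second key, the pending deletion on the third, the deletion scheduled by an unexpected user, and the decrypt call from outside the expected network. A key in PendingDeletion is flagged on purpose so the auditor can confirm each scheduled deletion against an approved change; the log check deliberately skips non-IP source labels rather than treating them as alerts.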

What are some gotchas?

  • The auditor needs read access to the key management system and its logs; for AWS KMS that means at least kms:ListKeys, kms:ListAliases, kms:DescribeKey, kms:GetKeyPolicy, kms:GetKeyRotationStatus and kms:ListGrants, plus read access to CloudTrail
  • The audit may require temporarily elevating the auditor's privileges; ensure they are revoked afterwards
  • Test destructive operations only on non-production keys; scheduling deletion of a production key can cause a major outage, and the key material is unrecoverable once the waiting period expires

What are the alternatives?

Some compliance regimes allow self-assessment questionnaires in place of technical audits. These are less thorough but can reduce audit burden for lower-risk situations. Automated configuration scanning tools can supplement manual audits.
