
Cloud cryptography and key management — CSA CEK control family

Primary statement

Cloud cryptography per CSA CEK-01 (policy) + CEK-02 (FIPS 140-2/3 key generation) + CEK-03 (purpose-specific keys) + CEK-04 (rotation schedules — DEKs ≤1 year, TLS ≤1 year/2 max) + CEK-05 (revocation and destruction). Full CSA CEK series for cloud cryptography.

Audit-fatigue payoff

A unified cloud cryptography programme aligned to the full CSA CEK series satisfies cloud crypto requirements with the canonical specification.

Strictness matrix

Scope
  Documented encryption and key management policy covering approved algorithms, key lengths, generation and storage, lifecycle, custody, revocation. Comprehensive policy scope.
  Ceiling source: csa_ccm:CSA.CEK-01
  Rationale: CSA CEK-01 comprehensive policy scope.

Threshold
  FIPS 140-2/3 validated OR equivalent cryptographically secure RNGs. Cloud-provider HSM where required.
  Ceiling source: csa_ccm:CSA.CEK-02
  Rationale: CSA CEK-02 FIPS threshold is binary.

Method
  Encryption policy (CEK-01) + FIPS-validated generation (CEK-02) + purpose-specific keys (CEK-03 — separate for encryption / signing / authentication / TLS) + rotation schedules (CEK-04 — DEKs ≤1 year) + revocation and destruction (CEK-05) + integration with cl-cryptography-mgmt.
  Ceiling source: csa_ccm:CSA.CEK-04
  Rationale: CSA CEK-01 through CEK-05 form the canonical cloud crypto method.

Frequency
  Rotation: DEKs ≤1 year, TLS ≤1 year (2 max). Policy review annual. Revocation per incident or compromise.
  Ceiling source: csa_ccm:CSA.CEK-04
  Rationale: CSA CEK-04 explicit cadences are the audit-defensible specification.

Evidence
  Encryption policy + FIPS validation evidence + key inventory by purpose + rotation records + revocation records.
  Ceiling source: csa_ccm:CSA.CEK-01
  Rationale: CSA CEK-01 evidence is comprehensive.

Auditor test pattern

Step 1: Inspect encryption policy (CEK-01).
Step 2: Verify FIPS validation (CEK-02).
Step 3: Verify purpose-specific keys (CEK-03).
Step 4: Inspect rotation records (CEK-04).
Step 5: Verify revocation procedure (CEK-05).

Common findings

(1) Key purposes mixed (signing key reused for encryption).
(2) Rotation overdue.
(3) FIPS validation absent.
(4) Revocation procedure documented but never exercised.
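The auditor test pattern and the common findings above are mechanical checks against a key inventory, so they can be run as code before the auditor arrives. The following is an added example, not CSA material and not part of any cl-* synthesis: it takes a constructed inventory (hypothetical key IDs, dates and a fips_validated flag, all assumed for illustration) and reports one finding per CEK-02/03/04/05 violation, using the page's own cadences (DEKs and TLS keys at most one year since rotation, TLS never beyond two years, every purpose on its own key, every compromised key carrying a revocation record).

```python
"""Key-inventory checks mapped to CSA CCM CEK-02 through CEK-05 (added example)."""
from datetime import date, timedelta

DEK_MAX_AGE = timedelta(days=365)       # CEK-04: DEKs rotated at least yearly
TLS_MAX_AGE = timedelta(days=365)       # CEK-04: TLS keys rotated yearly ...
TLS_HARD_CEILING = timedelta(days=730)  # ... and never older than two years

# Constructed sample inventory: hypothetical key IDs, dates and flags, not real data.
# "kind" is the key's intended role; "purposes" is what it is actually used for.
SAMPLE_INVENTORY = [
    {"key_id": "dek-orders-01", "kind": "dek", "purposes": ["encryption"],
     "fips_validated": True, "last_rotated": date(2024, 2, 1), "status": "active"},
    {"key_id": "sign-api-01", "kind": "signing", "purposes": ["signing", "encryption"],
     "fips_validated": True, "last_rotated": date(2024, 9, 1), "status": "active"},
    {"key_id": "tls-edge-01", "kind": "tls", "purposes": ["tls"],
     "fips_validated": True, "last_rotated": date(2022, 6, 1), "status": "active"},
    {"key_id": "dek-legacy-07", "kind": "dek", "purposes": ["encryption"],
     "fips_validated": False, "last_rotated": date(2024, 10, 1), "status": "active"},
    {"key_id": "auth-hmac-02", "kind": "auth", "purposes": ["authentication"],
     "fips_validated": True, "last_rotated": date(2024, 5, 1), "status": "compromised"},
]
AS_OF = date(2025, 3, 1)  # constructed audit date


def audit_key_inventory(inventory, as_of):
    """Return a list of (control, key_id, detail) tuples, one per violation found."""
    findings = []
    for key in inventory:
        kid = key["key_id"]
        age = as_of - key["last_rotated"]

        # CEK-02: generation must come from a FIPS 140-2/3 validated module.
        if not key.get("fips_validated", False):
            findings.append((
                "CEK-02", kid,
                "key not generated by a FIPS 140-2/3 validated module"))

        # CEK-03: one purpose per key (signing, encryption, authentication, TLS).
        if len(set(key["purposes"])) > 1:
            findings.append((
                "CEK-03", kid,
                "key serves multiple purposes: " + ", ".join(sorted(key["purposes"]))))

        # CEK-04: rotation cadence, DEKs <= 1 year, TLS <= 1 year with a 2-year ceiling.
        if key["kind"] == "dek" and age > DEK_MAX_AGE:
            findings.append((
                "CEK-04", kid,
                f"DEK rotation overdue ({age.days} days since rotation, limit 365)"))
        elif key["kind"] == "tls":
            if age > TLS_HARD_CEILING:
                findings.append((
                    "CEK-04", kid,
                    f"TLS key exceeds two-year ceiling ({age.days} days since rotation)"))
            elif age > TLS_MAX_AGE:
                findings.append((
                    "CEK-04", kid,
                    f"TLS key rotation overdue ({age.days} days since rotation, limit 365)"))

        # CEK-05: a compromised key must show that revocation was actually exercised.
        if key["status"] == "compromised" and not key.get("revoked_at"):
            findings.append((
                "CEK-05", kid,
                "key marked compromised but no revocation record exists"))
    return findings


def summarize(findings):
    """Count findings per control, the shape an auditor's workpaper expects."""
    counts = {}
    for control, _key_id, _detail in findings:
        counts[control] = counts.get(control, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_key_inventory(SAMPLE_INVENTORY, AS_OF)
    for control, key_id, detail in results:
        print(f"{control}  {key_id:<16} {detail}")
    print("summary:", summarize(results))
```

Run against the constructed inventory as of 2025-03-01 this reports five findings: dek-orders-01 is 394 days past rotation (CEK-04), sign-api-01 is used for both signing and encryption (CEK-03), tls-edge-01 is past the two-year ceiling (CEK-04), dek-legacy-07 lacks FIPS-validated generation (CEK-02), and auth-hmac-02 is compromised with no revocation record (CEK-05). Feeding the same function a real inventory export each month gives the rotation and revocation records CEK-04 and CEK-05 ask for as evidence, instead of reconstructing them at audit time.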