Encryption at rest — sensitive data and key management

Primary statement

Encryption at rest draws on PCI DSS 3.5.1 (PAN rendered unreadable), PCI DSS 3.6.1 (key management), CSA CCM CEK-07 (cloud data stores with CMK/BYOK), CSA CCM CEK-10 (FIPS 140-3 validated key generation), ISO A.8.24 (rules for cryptography) and GDPR Art. 32 (appropriate measures). Encryption at rest combined with strong key management is the data confidentiality control.

Audit-fatigue payoff

A unified encryption-at-rest programme — algorithm selection + FIPS-validated key generation + CMK/BYOK + key lifecycle — satisfies encryption-at-rest requirements across all 5 contributing frameworks.

Strictness matrix

Scope
ALL cloud data stores containing sensitive or personal data. CMK/BYOK (Customer-Managed Keys / Bring Your Own Key) for data classified Confidential or Restricted.
Ceiling source: csa_ccm:CSA.CEK-07
Rationale: CSA CEK-07 with CMK/BYOK is the broadest cloud scope.

Threshold
FIPS 140-3 validated cryptographic modules (or equivalent) + sufficient entropy + appropriate key length and algorithm per use.
Ceiling source: csa_ccm:CSA.CEK-10
Rationale: CSA CEK-10 FIPS 140-3 threshold is the strictest.

Method
Cryptographic key management procedures + FIPS-validated key generation (CSA CEK-10) + CMK/BYOK for cloud (CSA CEK-07) + algorithm policy (ISO A.8.24) + key lifecycle (generation, distribution, rotation, archive, destruction) + key custody segregation + PCI 3.5.1 PAN-specific approach.
Ceiling source: pci_dss:PCI.3.6.1
Rationale: PCI 3.6.1 + CSA CEK + ISO A.8.24 combined are the most prescriptive.

Frequency
Key rotation per documented cryptoperiod (typical: data encryption keys ≤1 year). Key inventory review: quarterly. Encryption posture review: annual.
Ceiling source: pci_dss:PCI.3.6.1
Rationale: Per-cryptoperiod rotation with quarterly inventory is the cadence.

Evidence
Encryption-at-rest inventory + FIPS 140-3 validation evidence + CMK/BYOK configuration + key lifecycle procedures + rotation records.
Ceiling source: csa_ccm:CSA.CEK-07
Rationale: CSA CEK-07 evidence with CMK/BYOK is comprehensive.

Auditor test pattern

Step 1: Inspect encryption-at-rest inventory.
Step 2: Verify FIPS 140-3 validation.
Step 3: For cloud data, verify CMK/BYOK configuration.
Step 4: Sample one key; verify lifecycle procedures + rotation evidence.

Common findings

(1) Encryption-at-rest at storage layer but plaintext at application layer.
(2) FIPS validation absent.
(3) Cloud encryption uses CSP-managed keys, not CMK/BYOK.
(4) Key rotation procedure documented but not exercised.
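As an added example (not part of the original synthesis), a Python pass over a key inventory that encodes the auditor test pattern and the four common findings above: the DEK cryptoperiod ceiling of one year, the quarterly inventory review, CMK/BYOK for Confidential or Restricted data, and FIPS 140-3 validation. The KeyRecord fields, finding codes and sample dates are assumptions; the inventory is constructed.

```python
from dataclasses import dataclass, field
from datetime import date

DEK_MAX_CRYPTOPERIOD_DAYS = 365   # typical DEK cryptoperiod: <= 1 year
INVENTORY_REVIEW_DAYS = 90        # key inventory review: quarterly
CMK_REQUIRED_CLASSES = {"Confidential", "Restricted"}

@dataclass
class KeyRecord:
    key_id: str
    classification: str            # classification of the protected data store
    key_type: str                  # "DEK" or "KEK"
    managed_by: str                # "CMK", "BYOK" or "CSP" (provider-managed)
    fips_140_3_validated: bool
    cryptoperiod_days: int         # cryptoperiod as documented by the key owner
    rotations: list = field(default_factory=list)  # dates a rotation was actually performed
    app_layer_encrypted: bool = True   # False = storage-layer encryption only (self-declared)

def check_key(k: KeyRecord, today: date) -> list:
    """Finding codes for one key, numbered like the common findings above."""
    findings = []
    if not k.app_layer_encrypted:
        findings.append("F1_storage_layer_only")
    if not k.fips_140_3_validated:
        findings.append("F2_no_fips_validation")
    if k.classification in CMK_REQUIRED_CLASSES and k.managed_by == "CSP":
        findings.append("F3_csp_managed_key")
    # A documented cryptoperiod longer than the DEK ceiling does not extend the ceiling.
    limit = k.cryptoperiod_days
    if k.key_type == "DEK":
        limit = min(limit, DEK_MAX_CRYPTOPERIOD_DAYS)
    if not k.rotations:
        findings.append("F4_rotation_not_exercised")
    elif (today - max(k.rotations)).days > limit:
        findings.append("F4_rotation_overdue")
    return findings

def check_inventory(keys: list, last_review: date, today: date) -> dict:
    """Per-key findings plus whether the quarterly inventory review is overdue."""
    return {"inventory_review_overdue": (today - last_review).days > INVENTORY_REVIEW_DAYS,
            "keys": {k.key_id: check_key(k, today) for k in keys}}

TODAY = date(2025, 6, 30)
SAMPLE_KEYS = [  # constructed inventory, not from any real environment
    KeyRecord("dek-001", "Restricted", "DEK", "CMK", True, 365, [date(2024, 1, 15), date(2025, 1, 10)]),
    KeyRecord("dek-002", "Confidential", "DEK", "CSP", False, 730, [date(2023, 11, 1)]),
    KeyRecord("kek-003", "Internal", "KEK", "CSP", True, 1095, [], app_layer_encrypted=False),
]
REPORT = check_inventory(SAMPLE_KEYS, last_review=date(2025, 2, 1), today=TODAY)
print(REPORT)
```

Finding (1) can only be raised here from a declared field; confirming that the application layer actually encrypts sensitive fields still requires inspecting the application, as in Step 1 of the test pattern.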