Name/Id: ACF1643 / Microsoft Managed Control 1643 Category: System and Communications Protection Title: Cryptographic Key Establishment And Management Ownership: Customer, Microsoft Description: The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with Public Key Infrastructure Operational Security Standard. Requirements: When cryptographic capabilities are employed to protect the confidentiality, integrity, or availability of data within Azure, the algorithms and cryptographic modules are FIPS 140-2 compliant. Rather than validate individual services, components, or products, Microsoft chooses to validate only the underlying cryptographic modules. Subsequently, Azure services are built to rely on the FIPS 140 validated cryptographic modules of the underlying operating systems, including the Cryptographic API: Next Generation (CNG) and Cryptographic API (CAPI) for Windows and Kernel Crypto API for Linux. Azure uses the documented APIs for each of the modules to access various cryptographic services. For additional information on how cryptographic modules are employed in Microsoft products, see the links below:
When utilizing cryptographic mechanisms for securing data or services, Azure adheres to Microsoft’s Key Management Standard for establishing and managing keys. The Key Management Standard applies to all environments managed by Azure, including labs, production, and preproduction. Equipment used to generate, store and archive keys is physically and logically protected. Keys are classified and destroyed in accordance with the requirements set forth in the Asset Classification Standard and Asset Protection Standard documents. To reduce the likelihood of compromise, activation and deactivation dates for keys are defined so that the keys can only be used for a limited period. The Key Management Standard mandates the following Key Management Procedures:
* Standard Operating Procedures
* Secure methods
* Storing Keys
* Distributing Keys
* Archiving Keys
* Key Destruction
* Changing or Updating Keys
* Compromised Keys
* Recovering Keys
* Revoking Keys
* Logging and Auditing
* Key Distribution and access control
Azure implements cryptographic key management through the use of approved secret stores, including Azure Key Vault and dSMS. Azure ensures that both secret stores contain the approved trust anchors, including certificates with visibility external to Azure and certificates related to the internal operations of services.
The following 2 compliance controls are associated with this Policy definition 'Microsoft Managed Control 1643 - Cryptographic Key Establishment And Management' (6d8d492c-dd7a-46f7-a723-fa66a425b87c)
Policies and procedures regarding the use of cryptography and, where appropriate, encryption
n/a
In order to safeguard the security of public electronic communications networks and publicly available electronic communications services, the use of encryption technologies, in particular end-to-end encryption as well as data-centric security concepts, such as cartography, segmentation, tagging, access policy and access management, and automated access decisions, should be promoted. Where necessary, the use of encryption, in particular end-to-end encryption should be mandatory for providers of public electronic communications networks or of publicly available electronic communications services in accordance with the principles of security and privacy by default and by design for the purposes of this Directive. The use of end-to-end encryption should be reconciled with the Member States’ powers to ensure the protection of their essential security interests and public security, and to allow for the prevention, investigation, detection and prosecution of criminal offences in accordance with Union law. However, this should not weaken end-to-end encryption, which is a critical technology for the effective protection of data and privacy and the security of communications.