Use of cryptography
Description
Rules for the use of cryptography, including key management, shall be defined and implemented.
⚠️ Risk Impact
Weak or missing encryption exposes data at rest and in transit.
🔧 Remediation
Enforce encryption on all storage and transport layers, and keep the keys in a key management service that is separate from the data they protect. EchelonGraph checks encryption settings on databases, buckets, and connections.
💀 Real-World Attack Scenario
An organization encrypted its database backups with AES-128 but stored the encryption key alongside the backup in the same S3 bucket. When the bucket was compromised, both the encrypted data and the key were stolen, rendering the encryption completely useless. The cipher was not the weak point; the key being reachable from the same place as the data was.
💰 Cost of Non-Compliance
Encryption without proper key management = no encryption. Average cost of poorly managed encryption breach: $3.8M. ISO 27001 A.8.24 requires documented cryptographic policies AND key management procedures.
📋 Audit Questions
1. What encryption algorithms are used for data at rest and in transit?
2. How are encryption keys managed, stored, and rotated?
3. Is key management separated from data storage?
4. What is your key destruction procedure?
🎯 MITRE ATT&CK Mapping
⚡ Common Pitfalls
- ⛔ Storing encryption keys alongside the encrypted data
- ⛔ Using deprecated or broken algorithms (DES, RC4, MD5)
- ⛔ Having no key rotation policy and no procedure for responding to a key compromise
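The attack scenario above and the first and third pitfalls come down to one design rule: the key that decrypts the data must not be obtainable from the place the data is stored, and rotating a key must not require re-encrypting every object. The Go program below is an added example, not EchelonGraph's code and not from the original page. It implements envelope encryption with a hypothetical in-process `KeyService` standing in for a KMS or HSM (a real deployment would call the cloud provider's KMS or an HSM, and the data would be a real backup rather than a constructed byte string); the cipher choice (AES-256-GCM) and the names `EnvelopeBackup`, `EnvelopeEncrypt`, `EnvelopeDecrypt` and `Rewrap` are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no CSPRNG available: stop rather than encrypt weakly
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce||ciphertext||tag (AES-256-GCM, fresh random 96-bit nonce; no key here seals anywhere near 2^32 messages).
func seal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; a wrong key or a tampered byte fails authentication.
func open(key, sealed, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if ns := g.NonceSize(); len(sealed) >= ns {
		return g.Open(nil, sealed[:ns], sealed[ns:], aad)
	}
	return nil, fmt.Errorf("ciphertext shorter than nonce")
}

// KeyService is a hypothetical stand-in for a KMS/HSM: key encryption keys (KEKs) never leave it; callers only get Wrap/Unwrap.
type KeyService struct{ keks [][]byte } // index+1 is the KEK version
func NewKeyService() *KeyService { return &KeyService{keks: [][]byte{randomBytes(32)}} }

// Rotate adds a KEK version; older ones are kept so existing wrapped DEKs still unwrap.
func (ks *KeyService) Rotate() { ks.keks = append(ks.keks, randomBytes(32)) }

func (ks *KeyService) Wrap(dek []byte) ([]byte, int, error) {
	w, err := seal(ks.keks[len(ks.keks)-1], dek, []byte("dek"))
	return w, len(ks.keks), err
}

func (ks *KeyService) Unwrap(wrapped []byte, version int) ([]byte, error) {
	if version < 1 || version > len(ks.keks) {
		return nil, fmt.Errorf("KEK version %d not held by this key service", version)
	}
	return open(ks.keks[version-1], wrapped, []byte("dek"))
}

// EnvelopeBackup is all that is written to the bucket: ciphertext plus the data encryption key (DEK) wrapped under a KEK; the plaintext DEK is never stored.
type EnvelopeBackup struct {
	Ciphertext, WrappedDEK []byte
	KEKVersion             int
}

func EnvelopeEncrypt(ks *KeyService, backup []byte) (EnvelopeBackup, error) {
	dek := randomBytes(32) // fresh DEK per backup
	ct, err := seal(dek, backup, []byte("backup"))
	if err != nil {
		return EnvelopeBackup{}, err
	}
	wrapped, ver, err := ks.Wrap(dek)
	return EnvelopeBackup{Ciphertext: ct, WrappedDEK: wrapped, KEKVersion: ver}, err
}

func EnvelopeDecrypt(ks *KeyService, b EnvelopeBackup) ([]byte, error) {
	dek, err := ks.Unwrap(b.WrappedDEK, b.KEKVersion)
	if err != nil {
		return nil, err
	}
	return open(dek, b.Ciphertext, []byte("backup"))
}

// Rewrap moves a backup onto the newest KEK: only the 32-byte DEK is re-encrypted, the bulk ciphertext is untouched.
func Rewrap(ks *KeyService, b EnvelopeBackup) (EnvelopeBackup, error) {
	dek, err := ks.Unwrap(b.WrappedDEK, b.KEKVersion)
	if err != nil {
		return b, err
	}
	b.WrappedDEK, b.KEKVersion, err = ks.Wrap(dek)
	return b, err
}
```

Someone who steals the bucket object holds the ciphertext and a 60-byte wrapped DEK that only the key service can open, which is exactly the property the organization in the scenario lacked. Calling `Rotate` and then `Rewrap` on each object answers the rotation pitfall without touching the bulk data; this example keeps old KEK versions indefinitely, so a real key destruction procedure (audit question 4) would additionally delete a retired or compromised version from the key service once every object has been re-wrapped.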
📈 Business Value
Proper cryptographic implementation with a managed key lifecycle protects data even if the storage holding it is compromised. It is required or expected by PCI DSS, HIPAA, GDPR (Article 32), and ISO 27001.
⏱️ Effort Estimate
8-16 hours for cryptographic policy and key management documentation
EchelonGraph verifies encryption configurations and key rotation across all cloud resources
🔗 Cross-Framework References
Automate ISO 27001 A.8.24 compliance
EchelonGraph continuously monitors this control across all your cloud accounts.