Key Management Lifecycle
Description
Cryptographic keys used to protect cardholder data must be managed throughout their lifecycle: generation, distribution, storage, rotation, revocation, destruction.
⚠️ Risk Impact
Strong encryption fails when keys are mismanaged. Keys stored alongside encrypted data = no encryption. Keys never rotated = no rotation. PCI specifically requires documented lifecycle.
🔍 How EchelonGraph Detects This
EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as critical-severity findings with remediation guidance.
🔧 Remediation
Use cloud-managed KMS (AWS KMS, GCP Cloud KMS, Azure Key Vault). Rotate annually minimum. Document custodian roles. Audit key usage. Apply envelope encryption (KEK/DEK separation).
💀 Real-World Attack Scenario
A merchant encrypted database backups with AES-256 — but stored the encryption key alongside the backup in the same S3 bucket. When the bucket was compromised, both ciphertext + key were exfiltrated. The encryption was theatrical; PCI 3.7 deficiency documented in the breach analysis.
💰 Cost of Non-Compliance
Encryption without proper key management: ineffective. PCI 3.7 violations block compliance.
📋 Audit Questions
- 1.What KMS is used?
- 2.Annual rotation evidence?
- 3.Are keys stored separately from ciphertext?
- 4.Custodian roles documented?
🎯 MITRE ATT&CK Mapping
⚡ Common Pitfalls
- ⛔Keys + ciphertext in same store
- ⛔Manual rotation that gets skipped
- ⛔No envelope encryption — single key for all data
📈 Business Value
Proper key management ensures encryption actually protects.
⏱️ Effort Estimate
40-80 hours initial KMS architecture
EchelonGraph monitors KMS rotation policies + key-vs-ciphertext separation
🔗 Cross-Framework References
Automate PCI DSS 3.7 compliance
EchelonGraph continuously monitors this control across all your cloud accounts.
Start Free →