AzPolicyAdvertizer

last sync: 2024-Nov-25 18:54:24 UTC

Microsoft Managed Control 1643 - Cryptographic Key Establishment And Management | Regulatory Compliance - System and Communications Protection

Azure BuiltIn Policy definition

Source Azure Portal
Display name Microsoft Managed Control 1643 - Cryptographic Key Establishment And Management
Id 6d8d492c-dd7a-46f7-a723-fa66a425b87c
Version 1.0.0
Details on versioning
Versioning Versions supported for Versioning: 0
Built-in Versioning [Preview]
Category Regulatory Compliance
Microsoft Learn
Description Microsoft implements this System and Communications Protection control
Additional metadata Name/Id: ACF1643 / Microsoft Managed Control 1643
Category: System and Communications Protection
Title: Cryptographic Key Establishment And Management
Ownership: Customer, Microsoft
Description: The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with Public Key Infrastructure Operational Security Standard.
Requirements: When cryptographic capabilities are employed to protect the confidentiality, integrity, or availability of data within Azure, the algorithms and cryptographic modules are FIPS 140-2 compliant. Rather than validate individual services, components, or products, Microsoft chooses to validate only the underlying cryptographic modules. Subsequently, Azure services are built to rely on the FIPS 140 validated cryptographic modules of the underlying operating systems, including the Cryptographic API: Next Generation (CNG) and Cryptographic API (CAPI) for Windows and Kernel Crypto API for Linux. Azure uses the documented APIs for each of the modules to access various cryptographic services. For additional information on how cryptographic modules are employed in Microsoft products, see the links below: When utilizing cryptographic mechanisms for securing data or services, Azure adheres to Microsoft’s Key Management Standard for establishing and managing keys. The Key Management Standard applies to all environments managed by Azure, including labs, production, and preproduction. Equipment used to generate, store and archive keys is physically and logically protected. Keys are classified and destroyed in accordance with the requirements set forth in the Asset Classification Standard and Asset Protection Standard documents. To reduce the likelihood of compromise, activation and deactivation dates for keys are defined so that the keys can only be used for a limited period. The Key Management Standard mandates the following Key Management Procedures: * Standard Operating Procedures * Secure methods * Storing Keys * Distributing Keys * Archiving Keys * Key Destruction * Changing or Updating Keys * Compromised Keys * Recovering Keys * Revoking Keys * Logging and Auditing * Key Distribution and access control Azure implements cryptographic key management through the use of approved secret stores, including Azure Key Vault and dSMS. Azure ensures that both secret stores contain the approved trust anchors, including certificates with visibility external to Azure and certificates related to the internal operations of services.
Mode Indexed
Type Static
Preview False
Deprecated False
Effect Fixed
audit
RBAC role(s) none
Rule aliases none
Rule resource types IF (2)
Microsoft.Resources/subscriptions
Microsoft.Resources/subscriptions/resourceGroups
Compliance
The following 1 compliance controls are associated with this Policy definition 'Microsoft Managed Control 1643 - Cryptographic Key Establishment And Management' (6d8d492c-dd7a-46f7-a723-fa66a425b87c)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
op.exp.10 Cryptographic key protection op.exp.10 Cryptographic key protection 404 not found n/a n/a 53
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
History none
JSON compare n/a
JSON
api-version=2021-06-01
EPAC