Created by Claudiu Tabac - © 2026
This material is open for educational and research use. Commercial use without explicit permission from the author is not allowed.
SCC-06: Cryptography & Key Management
Establishing cryptographic trust as a foundational security capability across the enterprise
The Foundation of Enterprise Trust
SCC-06 defines how cryptographic mechanisms and cryptographic keys are selected, governed, and operated to protect data confidentiality, integrity, and authenticity across the enterprise. This security capability cluster determines whether cryptography is applied intentionally and consistently, or incidentally and inconsistently across systems and processes.
In the ECIL framework, cryptography is not a technical afterthought or checkbox item. It represents a foundational trust capability that underpins identity assurance, secure communications, data protection, and regulatory confidence. When implemented correctly, cryptography becomes the invisible guardian of organizational trust.
Core Protection Areas
  • Data confidentiality and privacy
  • Information integrity verification
  • Authentication mechanisms
  • Digital signature validation
  • Secure channel establishment
Purpose & Strategic Objectives
Intentional Cryptographic Use
Ensure cryptographic implementation is driven by risk-based decisions, not default configurations or ad-hoc choices. Every cryptographic control should align with threat models and data classification.
Standards Consistency
Apply approved algorithms and cryptographic standards uniformly across all systems and processes. Eliminate variance that creates exploitable weaknesses in the security posture.
Lifecycle Key Protection
Protect cryptographic keys from generation through retirement. Keys represent concentrated trust and require rigorous controls at every stage of their existence.
Governance Framework
Establish oversight mechanisms for cryptographic decisions, exceptions, and deviations. Create accountability for cryptographic choices and their long-term implications.

Critical Reality: Weak cryptography or poor key management undermines otherwise strong security controls. A single compromised key or deprecated algorithm can negate millions invested in security infrastructure.
Cryptographic Policy & Standards
This capability area examines whether cryptography is governed by clear standards and decisions, not left to implementation defaults or individual developer preferences. Organizations must establish explicit cryptographic direction that guides technology selection and implementation.
Cryptographic consistency emerges as a governance outcome. When policies clearly define acceptable algorithms, key lengths, and implementation patterns, teams can make confident decisions that align with enterprise security objectives and regulatory expectations.
Policy Framework Components
  1. Approved Algorithms: Defined list of cryptographic algorithms and protocols authorized for production use
  2. Standard Baselines: Minimum cryptographic strength requirements mapped to data classification levels
  3. Exception Management: Formal process for evaluating and approving deviations from cryptographic standards
  4. Legacy Transition: Structured approach to identifying and replacing deprecated cryptographic implementations
  5. Regulatory Alignment: Mapping of internal standards to external compliance requirements
Key Management Lifecycle
1. Generation
Keys created using cryptographically secure random number generators with appropriate entropy sources. Generation occurs in protected environments with audit logging.
2. Storage & Protection
Keys secured in hardware security modules (HSMs) or key management systems with access controls. Clear ownership and custodianship established for all key material.
3. Distribution
Keys transmitted through secure channels with mutual authentication of sender and recipient. Key escrow and recovery procedures documented for business continuity scenarios, with escrowed copies subject to the same access controls as the originals.
4. Rotation & Expiration
Regular key rotation based on usage volume, time elapsed, or risk events. Automated processes enforce expiration policies: an expired key is refused for new encryption or signing operations, while decryption and verification of existing material continue only within a defined grace period until that material has been re-keyed.
5. Retirement & Destruction
Secure destruction of all copies of key material when no longer needed, including backups, escrow copies and HSM exports. Backup keys managed with the same rigor as production keys throughout the retention period.
Keys represent concentrated trust and must be protected accordingly. A compromised key can expose years of encrypted data, authenticate unauthorized transactions, or enable persistent system access. The key management lifecycle ensures that cryptographic material never becomes a liability.
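The lifecycle above, carried through in code as an added example (not part of the SCC-06 text or the ECIL framework): a small key ring that generates keys from the OS CSPRNG, records an audit event for every operation, rotates to a new key while keeping the old one verify-only for a grace window, refuses an expired key for new signing, and zeroes material on destruction. HMAC-SHA256 tags stand in for the cryptographic operation so the example runs with the standard library alone; the class and function names, the 90-day rotation period and the 7-day grace period are assumptions, not values from the page.

```python
"""Key lifecycle demo: generation, audit logging, rotation, expiry, destruction.
Added example; KeyRing/KeyRecord and the policy periods are hypothetical."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

ROTATION_PERIOD = timedelta(days=90)  # assumed policy: key lifetime
GRACE_PERIOD = timedelta(days=7)      # assumed: old key may verify, never sign


@dataclass
class KeyRecord:
    key_id: str
    material: bytearray        # mutable so destroy() can overwrite it in place
    created: datetime
    expires: datetime
    state: str = "active"      # active -> rotated -> destroyed


class KeyRing:
    def __init__(self, now=None):
        # Injectable clock so expiry behaviour can be exercised deterministically
        self._now = now or (lambda: datetime.now(timezone.utc))
        self.keys = {}
        self.current_id = None
        self.audit_log = []    # (timestamp, event, key_id); step 1 requires logging

    def _log(self, event, key_id):
        self.audit_log.append((self._now(), event, key_id))

    def generate(self):
        # Step 1: 256-bit key from the OS CSPRNG (secrets wraps os.urandom)
        key_id = "k-" + secrets.token_hex(4)
        now = self._now()
        self.keys[key_id] = KeyRecord(key_id, bytearray(secrets.token_bytes(32)),
                                      now, now + ROTATION_PERIOD)
        if self.current_id is not None:
            # Step 4: rotation demotes the previous key to verify-only
            self.keys[self.current_id].state = "rotated"
            self._log("rotated", self.current_id)
        self.current_id = key_id
        self._log("generated", key_id)
        return key_id

    def sign(self, message):
        # Step 4: only the current, unexpired key may create new tags
        rec = self.keys[self.current_id]
        if self._now() >= rec.expires:
            raise RuntimeError(f"{rec.key_id} expired; rotate before signing")
        tag = hmac.new(bytes(rec.material), message, hashlib.sha256).hexdigest()
        self._log("sign", rec.key_id)
        return f"{rec.key_id}:{tag}"

    def verify(self, message, token):
        # Rotated keys keep verifying existing tags during the grace window, so
        # rotation does not invalidate in-flight data; destroyed or expired keys refuse.
        key_id, _, tag = token.partition(":")
        rec = self.keys.get(key_id)
        if rec is None or rec.state == "destroyed" or self._now() >= rec.expires + GRACE_PERIOD:
            self._log("verify-rejected", key_id)
            return False
        expected = hmac.new(bytes(rec.material), message, hashlib.sha256).hexdigest()
        ok = hmac.compare_digest(expected, tag)   # constant-time comparison
        self._log("verify-ok" if ok else "verify-bad-tag", key_id)
        return ok

    def destroy(self, key_id):
        # Step 5: overwrite the material, keep the record so the audit trail survives.
        # Caveat: Python cannot guarantee no other copy exists in memory; an HSM
        # or KMS deletion API is the real control, this mirrors the intent only.
        rec = self.keys[key_id]
        if key_id == self.current_id:
            raise RuntimeError("cannot destroy the current key; rotate first")
        for i in range(len(rec.material)):
            rec.material[i] = 0
        rec.state = "destroyed"
        self._log("destroyed", key_id)


if __name__ == "__main__":
    ring = KeyRing()
    first = ring.generate()
    token = ring.sign(b"order#1")
    ring.generate()                      # rotate: first key becomes verify-only
    print("old token still verifies:", ring.verify(b"order#1", token))
    ring.destroy(first)
    print("after destruction:", ring.verify(b"order#1", token))
    for ts, event, key_id in ring.audit_log:
        print(ts.isoformat(), event, key_id)
```

The verify-only grace window is the part most often missing from home-grown rotation: without it, every rotation either breaks verification of recently issued tokens or tempts operators to keep the old key "active" indefinitely, which is the "keys never rotated" failure mode in disguise.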
Encryption Coverage: Data at Rest & in Transit
Data at Rest Protection
Sensitive data encrypted on storage systems, databases, backup media, and endpoint devices. Encryption strength aligned with data classification levels and regulatory requirements. Key separation ensures storage administrators cannot access plaintext data.
  • Full disk encryption for endpoints
  • Database transparent data encryption
  • File-level encryption for repositories
  • Backup media encryption
Data in Transit Security
Network communications protected using TLS 1.2 or higher for public networks. Internal segmentation enforces encryption for sensitive data flows even within trusted zones. API communications secured with mutual authentication where appropriate.
  • TLS for web applications (all SSL versions and TLS 1.0/1.1 are deprecated)
  • VPN encryption for remote access
  • Encrypted messaging protocols
  • Database connection encryption
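The "TLS 1.2 or higher" baseline is only as good as the client configuration that enforces it. As an added example (not from the SCC-06 text), the block below shows the hardened client context beside the weak pattern that appears in code that merely wants the connection to succeed, plus an audit function that reports the weak settings. It uses Python's standard ssl module; the function names are assumptions.

```python
"""Added example: a client TLS context that enforces the TLS 1.2 baseline,
the weak pattern to avoid, and an audit that flags the weak settings."""
import ssl

BASELINE_MIN = ssl.TLSVersion.TLSv1_2   # policy value from the data-in-transit baseline


def hardened_client_context():
    # create_default_context(): CERT_REQUIRED, hostname check, system trust store.
    ctx = ssl.create_default_context()
    ctx.minimum_version = BASELINE_MIN   # state it explicitly; do not rely on the OpenSSL default
    return ctx


def weak_client_context():
    # The "just make it work" pattern: verification off, any protocol version.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # must be cleared before verify_mode can change
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_tls_context(ctx):
    """Return a list of findings; an empty list means the context meets the baseline."""
    findings = []
    if ctx.minimum_version < BASELINE_MIN:
        findings.append(f"minimum_version={ctx.minimum_version.name} is below TLS 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: server identity is unverified")
    if not ctx.check_hostname:
        findings.append("check_hostname disabled: certificate is not bound to the peer name")
    return findings


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_client_context()), ("weak", weak_client_context())):
        print(label, audit_tls_context(ctx) or ["OK"])
```

Mutual authentication for API traffic, mentioned above, is the same context with `load_cert_chain()` supplying the client certificate and key on top of these settings; the audit checks remain identical.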
Management Channel Protection
Administrative interfaces, configuration management systems, and privileged access channels protected with strong encryption and strong authentication. Management traffic isolated from production networks, so that a foothold in production cannot reach or observe administrative sessions; the cryptographic controls on these channels complement that segmentation rather than replace it.
  • SSH for system administration
  • Encrypted management APIs
  • Secure remote desktop protocols
  • Configuration management encryption

Consistency Principle: Encryption must be applied consistently based on data classification, not selectively based on convenience or performance concerns. Gaps in encryption coverage create exploitable vulnerabilities.
Cryptography Across Security Domains
Identity & Authentication
Cryptography enables strong identity assurance through digital certificates, public key infrastructure (PKI), and cryptographic authentication protocols. Multi-factor authentication relies on cryptographic operations to verify possession factors and prevent replay attacks.
  • Certificate-based authentication
  • Cryptographic token validation
  • FIDO2/WebAuthn protocols
  • Kerberos ticket encryption
Application Security
Applications leverage cryptography for session management, API authentication, data validation, and secure credential storage. Cryptographic libraries integrated into development frameworks provide consistent security primitives across application portfolios.
Platform Services
Cloud platforms, operating systems, and infrastructure components provide cryptographic services including key vaulting, certificate management, and encryption-as-a-service. Platform-level controls ensure cryptography is available as a consumable service rather than requiring custom implementation.
  • Cloud key management services
  • Hardware security module integration
  • Secrets management platforms
  • Certificate authority services
Trust Chain Management
Certificate lifecycle management, certificate authority operations, and trust store governance ensure cryptographic trust relationships remain valid. Regular validation prevents expired certificates from disrupting services.
Cryptography is an enabler of trust across systems. It provides the technical foundation for authentication, authorization, secure communications, and data protection that other security capabilities depend upon.
Governance, Oversight & Continuous Assurance
1. Coverage Assessment
Regular inventory of cryptographic implementations across the enterprise. Identify gaps where sensitive data lacks encryption or where non-standard cryptography has been deployed. Map encryption coverage to data classification requirements.
2. Exception Tracking
Maintain registry of approved cryptographic exceptions with business justification, compensating controls, and remediation timelines. Review exceptions quarterly to ensure temporary deviations don't become permanent technical debt.
3. Usage Monitoring
Monitor key access patterns, certificate expiration events, and cryptographic operation logs. Detect anomalous key usage that could indicate compromise or unauthorized access to cryptographic material.
4. Standards Review
Periodic assessment of cryptographic standards against evolving threats and regulatory guidance. Update approved algorithm lists as cryptanalysis advances and quantum computing threats emerge.
5. Compliance Validation
Regular audit of cryptographic implementations against internal policies and external requirements. Validate that deployed cryptography meets regulatory expectations and industry best practices.
"Without oversight, cryptography degrades silently over time. Algorithms become deprecated, keys outlive their intended lifespan, and exceptions become the norm. Governance transforms cryptography from a point-in-time control into a sustained capability."
Regulatory & Assurance Framework Integration
SCC-06 is evaluated consistently across regulatory frameworks, even when cryptographic requirements are expressed through different terminology and control objectives. Each framework examines whether cryptography establishes and maintains trust appropriate to the organization's risk profile.
ISO/IEC 27001
Addresses cryptographic controls through Annex A control 8.24 (Use of cryptography) of the 2022 edition and related information security controls. Emphasizes cryptographic policy, key management procedures, and protection of cryptographic keys throughout their lifecycle.
NIS2 Directive
Requires cryptographic protection for sensitive data and secure communications as part of cybersecurity risk management; Article 21(2)(h) names policies and procedures on the use of cryptography and, where appropriate, encryption. Focuses on encryption of data at rest and in transit, particularly for essential and important entities.
DORA Framework
Expects ICT protection mechanisms including cryptography for financial entities. Emphasizes cryptographic resilience, key management governance, and protection of critical ICT systems against cyber threats.
SOC 2 Trust Services
Evaluates encryption and key management through confidentiality criteria and processing integrity principles. Auditors assess whether cryptographic controls are designed and operating effectively to protect customer data.
Each regulatory lens evaluates whether cryptography establishes and maintains trust appropriate to the information being protected and the threat landscape being addressed. The universal questions in SCC-06 translate consistently across these frameworks while respecting their unique emphases.
Evidence, Failure Modes & Practical Application
Representative Evidence
Evidence supporting SCC-06 demonstrates governed cryptographic use and protected key material, not just feature enablement or checkbox compliance.
  • Cryptographic policies and approved algorithm standards
  • Key management procedures with defined roles and responsibilities
  • Encryption configuration baselines and coverage reports
  • Key inventory and certificate management records
  • Audit logs for key access and cryptographic operations
  • Exception registers with approval and review evidence
Common Failure Modes
  • Deprecated Algorithms: Use of MD5 or SHA-1 for signatures, certificates or integrity checks, or of weak cipher suites (RC4, 3DES, export-grade), providing a false sense of security
  • Poor Key Protection: Keys stored in application code, configuration files, or version control, or accessible to unauthorized personnel
  • Inconsistent Coverage: Encryption applied to production but not development/test environments containing real data
  • Absent Lifecycle: Keys never rotated, expired certificates causing service disruptions, no destruction procedures
These failures often expose sensitive data and undermine regulatory trust, creating compliance gaps and increasing breach risk.
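The first two failure modes are the ones a coverage assessment can catch mechanically. As an added example (not from the SCC-06 text), the block below is a small scanner that flags deprecated algorithm names and secret material in source or configuration lines, distinguishing a high-entropy literal from an obvious placeholder and ignoring references to an external secret store. The rules, thresholds and sample lines are constructed for illustration and will need tuning for a real code base.

```python
"""Added example: scan source/config lines for deprecated algorithms and
committed key material. Patterns, threshold and sample input are constructed."""
import math
import re
from collections import Counter

# Hash and cipher names that should not appear in new security-relevant code
DEPRECATED = re.compile(r"\b(md5|sha-?1|rc4|3des|des)\b", re.IGNORECASE)
# name = "literal" where the name suggests a secret; value must be at least 12 chars
SECRET_ASSIGN = re.compile(
    r"(?i)(secret|api[_-]?key|private[_-]?key|password|token)\s*[:=]\s*['\"]([^'\"]{12,})['\"]")
PEM_KEY = re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")
ENTROPY_THRESHOLD = 3.5   # bits/char; random keys score well above, words well below


def shannon_entropy(s):
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_lines(lines):
    """Return (line_number, finding_kind, detail) tuples in line order."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = DEPRECATED.search(line)
        if m:
            findings.append((lineno, "deprecated-algorithm", m.group(1)))
        if PEM_KEY.search(line):
            findings.append((lineno, "private-key-in-file", "PEM block"))
        m = SECRET_ASSIGN.search(line)
        if m:
            name, value = m.group(1), m.group(2)
            if "${" in value or value.startswith("env:"):
                continue   # a reference to a secret store, not a literal
            kind = "hardcoded-secret" if shannon_entropy(value) > ENTROPY_THRESHOLD \
                else "possible-placeholder"
            findings.append((lineno, kind, name))
    return findings


# Constructed sample lines, not taken from any real repository
SAMPLE = [
    'digest = hashlib.sha256(data).hexdigest()',
    'checksum = hashlib.md5(data).hexdigest()   # legacy integrity check',
    'API_KEY = "sk_live_9f8a7b6c5d4e3f2a1b0c"',
    'db_password = "${DB_PASSWORD}"',
    'cipher = "DES-CBC"',
    '-----BEGIN RSA PRIVATE KEY-----',
    'token = "changeme-changeme"',
]

if __name__ == "__main__":
    for lineno, kind, detail in scan_lines(SAMPLE):
        print(f"line {lineno}: {kind} ({detail})")
```

Every deprecated-algorithm hit still needs triage: MD5 used as a non-security checksum, or HMAC-SHA1 inside a protocol that mandates it, is not the same finding as SHA-1 in a certificate signature. The scanner's job is to make the exception register complete, not to decide it.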

Using SCC-06 in Practice
Security architects, compliance officers, and crypto/key management leads can leverage SCC-06 to assess whether cryptography is governed and intentional, align encryption practices with data and identity risk, interpret cryptographic requirements consistently across regulations, and identify systemic weaknesses in key management before they become incidents.
SCC-06 ensures that trust is cryptographically enforced, not assumed. It transforms cryptography from a technical implementation detail into a strategic security capability that can be measured, improved, and confidently presented to auditors and regulators.