Read Time: 3 minutes

Crypto-shredding is the technique to discard the encryption keys for the encrypted data without zeroizing/deleting the encrypted data, hence making the data undecipherable.

Over the past many years, the topic of data protection has been hitting the headlines. The unstoppable movement of data from various sources is susceptible to various risks and threats that had impacted millions of users in a short time. In the present technological era, data encryption has become the de-facto standard within the various industries; however, the management of encrypted data has become an uphill task for the stakeholders.

While discussing the management of encrypted data, there are two types of encrypted data to be looked into: Active encrypted data & Passive encrypted data.

With the active encrypted data, the data is used by various crypto-systems and being handled appropriately within the security ecosystem, whereas, with the passive encrypted data, the data is not used actively and is ready to be destructed.

Challenges in data destruction

Data destruction is a challenging task while exercising it as an individual’s right for erasure, specifically in reference to data protection regulations such as GDPR. While exercising the right to erasure, the organization has to look up all the references of concerned data within their databases, logs, backups, etc., find the relevant data and delete it from their systems; however, this is not a straightforward task and contains pros & cons of its own.

Next comes the solution to this problem, i.e., crypto-shredding.

Crypto-shredding: Solution to data destruction

As we know, in the crypto-shredding, the encryption is key is discarded/destroyed, and since the key is destroyed, the data that is encrypted by the key automatically becomes unusable as it can’t decrypt it without the key; however, we need to make sure there are no other copies of the key which could be used by bad actors to decrypt the data as the data is still available and lies in an encrypted fashion.

Also, there could be another possibility of breaking the encryption algorithm that can be safely discarded as if the algorithm would have been breakable. It would be considered and marked as vulnerable by the relevant authorities, and any organization would not be using it in the first place itself to encrypt the data.

Considering the above pointers, we can safely assume that the crypto-shredding is equivalent to deleting/zeroizing the data itself.

Crypto-shredding tackles the problem of searching/indexing the specific data reference across the entire infrastructure in a different way by focusing only on one crucial aspect, i.e., management of encryption keys. For example, when the new data is created and is supposed to be stored/backed up/replicated. Before performing any action on this, the data would be encrypted first and then processed further for any action. When the data is supposed to be deleted, rather than searching the data references in your infrastructure, it simply deletes the encryption keys to make the data undecipherable.

Till now, we have understood the strengths of crypto-shredding. Let’s look at the weaknesses as well:

  1. If the encryption applied to the data is not strong enough, the data breach could still occur, and in this case, the process of crypto-shredding won’t be useful.
  2. Since the crypto-shredding deletes the keys only, the encrypted data still exists, and that would require the management of storage in your environment.
  3. As the whole concept of crypto-shredding revolves around the key deletion, the organizations must have an efficient key management system that involves secure key deletion.


Currently, there are no standards in place for crypto-shredding as such. However, certain compliance standards require something called “the right to be forgotten” where the customer has the right to ask that all their personal data be completely deleted without undue delay. Crypto-shredding is an efficient technique to manage the passive encrypted data, but with its own limitations. Many organizations still do not use crypto-shredding as it’s not prescribed by authorities such as NIST, GDPR, etc. Instead of crypto-shredding, customers can take a look at NIST Special Publication 800-88 revision 1, which is a NIST document discussing the sanitization of data. 



Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Encryption Services

About the Author

Dipanshu Bhatnagar is a Principal Consultant Cloud Security Specialty at Encryption Consulting working with PKIs, AWS Cloud Cryptographic services and tools, Google Cloud Cryptographic Services, and helping high profile clients towards their cloud journey with complete data privacy assurance.

Read Time: 10 min

Let’s define NIST Cyber Security Framework in brief. 

The NIST Cyber Security Framework known as NIST CSF is a cybersecurity assessment-type framework developed by the NIST (National Institute of Standards and Technology). The core purpose of the NIST CSF is to protect the nation’s critical infrastructure using a set of cybersecurity best practices and recommendations. It’s a voluntary, risk-based, and outcome-oriented cybersecurity framework to help your organization to categorize its security activities around five key functions 1) Identify 2) Protect, 3) Detect, 4) Respond, and 5) Recover.

 Let’s look at each function briefly:

Identify – The Identify function assist you to evolve an overall cybersecurity risk management approach to systems, people, assets, data, and capabilities in the organization. It helps you to identify the critical assets, overall business environment, governance model, and supply chain. 

Protect – The protect function helps you to set up defensive controls based on the inputs from identify function such as critical assets, risk tolerance/acceptance levels. It also emphasizes the importance of access control & identity management, protecting data, and training & awareness to users. 

Detect – The detection functions help you to detect anomalies, malicious activities, and other events effectively by continuous security monitoring and with the help of other detection processes & procedures. 

Respond – To complete the detection function, respond helps you to take the right action immediately through incident response planning, mitigation actions for events, accurate analysis, communication to the designated stakeholders, and continuous improvement with each event.

Recover – Recover function assists you to get back to the pre-attack condition with the help of recovery planning, continuous improvement, and communication to the designated stakeholders.

NIST Cyber Security Framework Overview: Core, Tiers, and Profile

The NIST CSF consists of three sections:

The core section represents cybersecurity practices, technical, operational, process security controls, and outcomes that support the five risk management functions such as Identify, Protect, Detect, Respond, and Recover.

The tiers section emphasizes the organization’s processes of managing risks while remaining aligned with NIST CSF.

The profiles characterize how effectively an organization’s cybersecurity program is managing its risk. It also expresses the state of an organization’s “as is” and ‘’to be’’ cybersecurity postures.

NIST Cyber Security Framework and AWS Cloud

Earlier AWS team published a guide on how to implement the NIST CSF in an AWS cloud environment. AWS recommends using NIST CSF as a mechanism to have baseline security in place that can improve the cloud security objectives of an organization. NIST CSF contains a comprehensive controls catalogue derived from the ISO/IEC 27001 (1), NIST SP 800-53 (2), COBIT (3), ANSI/ISA-62443 (4), and the Top 20 Critical Security Controls (CSC) (5).

There is a listing on the AWS portal that specifies the alignment of NIST CSF to various AWS services that are known as “AWS Services and Customer Responsibility matrix for Alignment to the CSF” (6). This is a comprehensive list that customers can use to align their needs with the CSF in the AWS cloud for their security requirements. Also, this enables the customer to design their baseline security requirements to meet their security goals.

AWS Cloud Adoption Framework

Before setting up a baseline, it is important for a customer to have a clear understanding of their business use cases and the customer-owned responsibilities for “security in the AWS cloud”. The customer should review the “AWS Cloud Adoption Framework” (7) to evaluate the governance model that will be required while implementing the NIST CSF into the AWS cloud services. The AWS CAF (Cloud Adoption Framework) lists pointers known as “CAF Perspectives” to identify gaps in security skills, capabilities, and cybersecurity processes.

NIST CSF Functions and Responsibilities (Customer-owned & AWS-owned)

AWS team has come up with the concept of NIST CSF Functions categories & sub-categories into 108-outcome based security activities. Every function depicts the Customer-owned and AWS-owned responsibilities that mean security of the cloud owned by AWS and security in the cloud owned by the Customer. Business owners/stakeholders can use the AWS link of “AWS Services and Customer Responsibility matrix for Alignment to the CSF” to tailor their needs as per the organization’s tiers and profile level in the CSF.

The below figure represents the CSF core functions (Identify, Protect, Detect, Respond, and Recover) with categories defined and those that have been converted to 108-outcome based security activities (8) by AWS.

Till now we have discussed the NIST CSF alignment with the AWS Cloud Services and how the customer can use CAF (Cloud Adoption Framework) to evaluate the skill gap, capability, and cybersecurity processes using the CAF Perspectives.    

Let’s discuss how appropriate AWS services can be leveraged to set up effective Security Architecture using NIST Cyber Security Framework.

The table below provides a summarized view of AWS Cloud Services categorized into the NIST CSF Core Functions based on the nature of the service:

2Security HubCertificate ManagerMacieLambdaCloudFormation
3ConfigKMSInspectorDetectiveS3 Glacier
4Trusted AdvisorNetwork FirewallSecurity HubCloudTrailSnapshot
5Systems ManagerWAF Systems ManagerArchive
6Control TowerFirewall Manager Step FunctionsCloudEndure Disaster Recovery
7 CloudHSM   
8 IAM   
9 Direct Connect   
11 Single-Sign-On   


Having the AWS Cloud Services aligned with the NIST CSF enables the customer to improve their cloud security posture with appropriate risk management and industry-compliant cloud services. Encryption Consulting, a leading cyber-security firm, offers various AWS and NIST related cybersecurity consulting Services catering to its customers a risk and security control maturity assessment based on the outlined standards. Encryption Consulting helps customers to get them familiarized with NIST CSF and AWS security tools & documentation and assist them in conducting a meaningful and quantifiable cybersecurity assessment while keeping the organization’s business goals intact.

  1. ISO/IEC 27001:2013, Information Technology – Security techniques – Information Security management systems – Requirements. ISO. Retrieved February 18, 2021, from:
  2. NIST Special Publication (SP) 800-53, Rev. 5, Security and Privacy Controls for Information Systems and Organizations. National Institute for Standards and Technology. Retrieved February 18, 2021, from:
  3. Control Objectives for Information and Related Technology (COBIT), an ISACA Framework. Information Systems Audit and Control Association (ISACA). Retrieved February 18, 2021 from:
  4. ANSI/ISA-62443-2-4-2018 / IEC 62443-2-4:2015+AMD1:2017 CSV, Security for industrial automation and control systems. International Society of Automation (ISACA).
  5. The 20 CIS Controls & Resources. Center for Internet Security (CIS). Retrieved February 18, 2021, from:
  6. AWS Services and Customer Responsibility Matrix for Alignment to the CSF can be downloaded from here:
  7. An overview of the AWS Cloud Adoption Framework (CAF), Ver. 2. Amazon Web Services, Inc.
  8. An overview of AWS capabilities that can be leveraged with NIST CSF:

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Encryption Services

About the Author

Dipanshu Bhatnagar is a Principal Consultant Cloud Security Specialty at Encryption Consulting working with PKIs, AWS Cloud Cryptographic services and tools, Google Cloud Cryptographic Services, and helping high profile clients towards their cloud journey with complete data privacy assurance.

Read Time: 7 min

In today’s world, protecting your data is the most critical job at hand for any security expert. Once the data is protected with the help of some data protection tool and passphrases or passwords, then the next challenge is how to protect the passphrases or passwords or secrets itself. That’s when you need a software or hardware tool which can help you manage the secrets effectively and efficiently. AWS Secrets Manager is one such tool that can manage, retrieve, and rotate the passwords, database credentials, API keys, and other secrets throughout their lifecycle. It provides the central credential management with security at its best, resulting in avoidance of hard coding of credentials in the code.

Today, we will discuss the AWS Secrets Manager and its role in credential management facilitating some of the critical security use cases.

Characteristics of AWS Secrets Manager

AWS Secrets Manager provides various characteristics with respect to credentials management, such as:

  1. Integration with AWS KMS: AWS Secrets Manager is fully integrated with AWS KMS service and encrypts secrets as data-at-rest encryption with the Customer managed KMS keys. While retrieving the secrets, it decrypts the secrets using the same CMK KMS keys used earlier for encryption and transmits the secrets to your local environment securely.
  2. Secret Rotation: AWS Secrets Manager enables you to meet security and compliance requirements as per your organization’s goal. It provides you the secret rotation functionality on-demand or on a scheduled basis through the AWS management console, AWS SDK, or AWS CLI.
  3. Integrating with AWS Database services: AWS Secrets Manager supports native AWS database services such as Amazon RDS, Amazon DocumentDB, and Amazon Redshift. It also provides you the capability to rotate other types of secrets such as API Keys, OAuth tokens, and other credentials with the help of customized lambda functions.
  4. Contains multiple versions of secrets: AWS Secrets Manager can contain multiple versions of secrets with the help of staging labels attached with the version while rotating the secrets. Each secrets’ version contains a copy of the encrypted secret value.
  5. Manage access with fine-grained policies:  AWS Secrets Manager provides you flexible access management using IAM policies and resource-based policies. For e.g., you can retrieve secrets from your custom application running on EC2 to connect to a specific database instance (on-prem or cloud).
  6. Secure and audit secrets centrally: AWS Secrets Manager is fully integrated with AWS CloudTrail service for logging and audit purposes. For e.g., AWS CloudTrail will show the API calls related to creating the secret, retrieving the secret, deleting the secret, etc.

We have discussed some of the characteristics of the Secrets Manager. Now, below are the key points to be kept in mind while working with Secrets Manager:

  1. You can manage secrets for databases, resources in On-prem & AWS cloud, SaaS applications, third-party API keys, and SSH keys, etc.
  2. AWS Secrets Manager provides compliance with all the major industry standards such as HIPAAPCI-DSS, ISO, FedRAMP, SOC, etc.
  3. Secrets Manager doesn’t store the secrets in plaintext in persistent storage.
  4. Since the Secrets Manager provides the secrets over the secure channel, it doesn’t allow any request from any host in an unsecure fashion.
  5. Secrets Manager supports the AWS tags feature, so you can implement tag-based access control on secrets managed by the secrets manager.
  6. To keep the traffic secured and without passing through the open internet, you can configure a private endpoint within your VPC to allow communication between your VPC and Secrets Manager.
  7. Secrets Manager doesn’t delete the secrets immediately; rather, it schedules the deletion for a minimum period of 7 days. Within those 7 days, you may recover the secrets depending upon your requirements and post the scheduled period; the secrets are deleted permanently. However, through the AWS CLI, you may delete any secrets on an immediate basis.
  8. The AWS Secrets Manager offers a cost-effective pricing model where it charges $0.40 per secret per month or $0.05 per 10K API calls.

Use cases for AWS Secrets Manager

  1.  Secrets Manager avoids the need for hard-coding the credentials or sensitive information in your application code. It serves the purpose of having an API call to the secrets manager to retrieve the secret programmatically. Having this mechanism in place restricts anyone from compromising sensitive information or credentials as secret information doesn’t exist in the plaintext in the code.
  2. Secrets Manager provides centralized credential management, which reduces the operational burden resulting in the active rotation of credentials at regular intervals to improve the security posture of the organization.



Secret management plays a critical role in data protection for any organization in any environment (On-prem or Cloud). AWS Secrets Manager provides a rich feature set when it comes to secret management solutions. It supports a wide variety of secrets such as database credentials, credentials for On-prem resources, SaaS application credentials, API keys, and SSH keys, etc. In today’s security world, there are a number of secret management solutions available; however, considering the fact that AWS Secrets Manager works seamlessly in the AWS environment, it also provides great compatibility with other environments (On-prem) as well.

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Encryption Services

About the Author

Dipanshu Bhatnagar is a Principal Consultant Cloud Security Specialty at Encryption Consulting working with PKIs, AWS Cloud Cryptographic services and tools, Google Cloud Cryptographic Services, and helping high profile clients towards their cloud journey with complete data privacy assurance.

Read Time: 10 min

E-commerce businesses are going to be ever more dependent on digital economy and electronic information which enables them to have exacting data privacy compliance and data security framework.

Public Key Infrastructure (PKI) is becoming quintessential to build and map the secure relation between users, devices, services and Organizations to their digital identities in the form of digital signatures and certificates.

To all the crypto engineers out there, have you ever thought of a PKI implementation with minimalistic configuration and a fully scalable feature set comprising of all the benefits which Cloud implementation has to offer?

Welcome to AWS Certificate Manager Private Certificate Authority (ACM PCA). ACM PCA offers almost all the same features provided by On-prem PKI providers.

Let’s understand the PKI offerings from AWS

AWS offers two services in the Cloud PKI space:

  1. AWS Certificate ManagerIs an AWS managed service known as ACM which provisions SSL/TLS based X.509 public certificates used for various purposes (e.g Web Server Authentication etc.). This service is targeted at customers who need a secure web existence using TLS certificates.ACM deploys certificates using AWS integrated services –
    • Amazon
    • CloudFront
    • Elastic Load Balancing
    • Amazon API Gateway
    • and other integrated services.

    Enterprises with a secure public website with significant web traffic will prefer this certificate management service which offers auto renewal, multi domain support and a hassle-free certificate management experience.

    Note: Kindly note that you can’t export the SSL/TLS public Certificate from the ACM, as the ACM doesn’t allow users to export the private keys of certificates.

  2. AWS Certificate Manager Private Certificate AuthorityIs an AWS managed private CA service, also known as ACM PCA, which provisions X.509 certificates. The ACM PCA is most suited for small and medium enterprise customers who desire to build their own Public Key Infrastructure (PKI) within AWS Cloud and distributed for private use within the organization. Within a private CA, users can create their own CA hierarchy and issue certificates for authenticating internal users, applications, services, IOT devices etc.

Now, let’s discuss the various Two-tier Cloud PKI Models offered by AWS for ACM PCA:

  1. Private Cloud: In this environment, both the Root CA and Subordinate CA exist in the AWS Cloud.
    Private Cloud
  2. Hybrid Cloud: In this environment, the Root CA exists in an On-prem data center, whereas the Subordinate CA is in the AWS Cloud. This requires you to have the Root CA (On-prem) sign the CSR for the Subordinate CA in the AWS Cloud.
    hybrid cloud

In the Private Cloud architecture, you can host the Root CA or Subordinate CA in the AWS Cloud and use it for all your certificate needs, On-prem as well as Cloud infrastructure. In the Hybrid Cloud architecture, however, you can host the Root CA On-prem and the Subordinate CA in the AWS Cloud for all the certificate requirements of the enterprise.Both these models have their pros and cons. The “Private Cloud Model” provides you all the cloud benefits (high availability, ease of management, access control etc.), but, as a security best practice approach, you might want to have full control over your Root CA with all the cryptographic keys being managed in the On-prem HSM which you don’t have in this approach.On the other hand, the “Hybrid Cloud Model” provides you with complete control over your On-prem Root CA, however, this adds some complexity to the overall architecture by hosting two CAs (Root and Subordinate CA) at different places (On-prem and AWS Cloud).Note: There are various combinations possible for placing the CAs (Root/Policy/Subordinate/Issuing) either in On-prem or Cloud environment/s depending upon the architectural needs of the Organization (like Management of CA lifecycle, DR planning etc.)

Let’s deep dive more on the ACM PCA Service:

With ACM Private CA, you can create a hierarchy of certificate authorities with up to five levels i.e. the root CA, at the top of a hierarchy tree can have as many as four levels of subordinate CAs. You may create multiple hierarchies, each with its own root as well.

The ACM PCA can issue X.509 end-entity certificates for creating encrypted channels, authenticating users, computers, API endpoints, and IoT devices, code signing scenarios and also implementing Online Certificate Status Protocol (OCSP) for obtaining certificate revocation status.

As mentioned, ACM PCA provides X.509 certificates to the end-entity; if AWS Certificate Manager issues a private certificate, the certificate can be associated with any service that is integrated with ACM (e.g. Amazon CloudFront, Elastic Load Balancing, Amazon API Gateway etc.). This is applicable in both scenarios, like the Root CA can be in the AWS Cloud or not, but, the Subordinate CA can only be in the AWS Cloud. Also, if you use the ACM Private CA API or AWS CLI to issue/export a private certificate from ACM, you can install the certificate anywhere depending upon your use-case.

After provisioning the ACM private CA, you can directly issue certificates without having any validation requirement from any third-party CA and as per the customization for your enterprise internal needs. A few of the standard use-cases are:

  • Provision certificates with any subject name/ expiration timeline.
  • Improving the uptime through the automated workflows for certificate management
  • Restraint certificate issuance using templates.

ACM PCA offers the shared responsibility model for AWS Cloud Security in which “Security of the Cloud” belongs to AWS and “Security in the Cloud” belongs to the “Customer”. This shared security model could be implemented with the help of AWS Data Protection services (e.g. Macie, IAM, Cross Account Access, Logging, Monitoring, Audit Report etc.).

As a final note, I would like to draw your attention to some of the best practices to effectively use ACM PCA:

  1. Logical explanation of your PKI Infrastructure (placement of CAs)
  2. Document policy procedures for validity periods/ path length
  3. Keep your private key secure and avoid any form of compromise
  4. Keep your PKI certificate management updated. Revoke certificates when necessary, clear out old/unused certificates, and formulate a documented procedure for certificate renewals and expirations.

Quick Note on Pricing:
The AWS account is being charged a monthly fee of $400 for each private CA starting from the time that you create it. There is a charge associated with each certificate you issue/export (with its private key) with the model “the more you generate/issue the less you pay”.For the latest ACM Private CA pricing information, see the ACM Pricing page on the AWS website as prices may vary from time to time.


If you want to secure your data end-to-end with the assurance of legitimate sender source then usage of Public Key Infrastructure (PKI) is must. There are multiple PKI implementations doing the rounds with various complexity levels, however, AWS Certificate Manager Private CA provides this with maximum ease and robust infrastructure providing all the benefits of cloud i.e. pruning maintenance cost, scalability, business continuity, efficiency, flexibility and sec-ops automation.

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Encryption Services

About the Author

Dipanshu Bhatnagar is a Principal Consultant Cloud Security Specialty at Encryption Consulting working with PKIs, AWS Cloud Cryptographic services and tools, Google Cloud Cryptographic Services, and helping high profile clients towards their cloud journey with complete data privacy assurance.

Let's talk