Question DCTR-17
Does your cloud vendor have access to your encryption keys?
| Weight | 20 |
| High Risk | No |
| Required | No |
| Compliant Answer | No |
Standard Guidance
Describe your key management practices.
Answering "NO"
EDUCAUSE provides no guidance here
Answering "YES"
EDUCAUSE provides no guidance here
Reason for Question
Understanding how key management is handled and the safeguards implemented by the vendor to ensure key confidentiality in all components of a system(s) can provide insight into other complex details of a vendor's infrastructure. Use vendor responses to this question as a way to pivot to other infrastructure specifics, as needed to clarify potential risks.
Follow-Up Inquiries
Follow-up with the vendor to ensure that all components of the system are considered. This includes system-to-system, system-to-client, applications, system accounts, etc.
HECVAT Pro Advice
[Add expert insights and best practices]
Implementation Tips
[Add practical steps for SME SaaS vendors]
FAQ
[Add common questions related to this HECVAT item]
Resources
[Add links to relevant articles or tools]