Cloud Controls Matrix

Multi-Tenant SaaS Application with No Automated Key Rotation

    Posted Feb 19, 2024 01:35:00 AM

    A public SaaS provider does not rotate cryptographic keys based on a crypto period. The decision not to implement automated periodic key rotation in a public SaaS solution may be influenced by a combination of technical, financial, operational, and regulatory factors, as well as the provider's risk management strategy and customer priorities. However, they are willing to provide ad-hoc, demand-based key rotation annually. This practice could potentially pose security risks and may not comply with certain legal and regulatory standards, depending on the jurisdiction and the nature of the data being handled. What could a cloud customer do in such a scenario? Ultimately, the decision to proceed with a multi-tenant SaaS solution without automated key rotation depends on the organization's risk tolerance, compliance requirements, and confidence in the SaaS provider's security practices. Can someone recommend what could be the best course of action in this scenario if the cloud customer has sensitive data associated with the multi-tenant SaaS application?

    I would appreciate your recommendations and your experience in such contexts.

    Thanks



    ------------------------------
    SVS Chandra Mouli
    Security Architect
    Gen Digital
    ------------------------------