Cloud Key Management

  • 1.  latest document - revising the subject

    Posted Oct 25, 2021 11:03:00 PM
    Hi folks,
    I was just looking at our original (first) Working Group document and the third pattern is NOT multi-cloud KMS, it is "External KMS" where the KMS is entirely external to the cloud application/service. Since it was our intent to do the patterns in the order they are presented in our first WG paper, we need to switch paths and set aside the document that we have started (I may be the only person to have written substantial content at this point) and get started on the correct pattern, which is "External KMS". 

    We can discuss further tomorrow during our WG call.

    Sorry! ;-) But glad to catch this early.


    Paul Rich CIPP/US CIPP/G
    Executive Director

  • 2.  RE: latest document - revising the subject

    Posted Oct 26, 2021 02:25:00 PM

    Hi Paul,

    I took this from our first document:

    According to cloud KMS patterns presented in the first document, these are the patterns:

    (A) is a cloud service that leverages a KMS (including HSM) within that same cloud; (Otherwise known as the Native KMS document)
    (B) expands pattern (A) to allow for the import of key material from an external KMS; (Otherwise known as the External KMS document)
    (C) is a cloud KMS with a dedicated (private) HSM that is under the control of the owning organization, but is physically hosted within the cloud provider's data center(s); (Does the External Origin Key apply to this pattern? The External Key document just came back from the copy editor and will go into design) (Otherwise known as the External Origin Key document and is on the way to publication)
    (D) illustrates an on-premises KMS that is used for multi-cloud KMS integration/management, which can be hosted either on-premises or in the cloud and is linked to an on-premises cryptographic module such as an HSM or crypto card (So, this is the 4th pattern and should be the 5th document then, as you mention)

    M B
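To make the difference between patterns (A) and (B) concrete, here is an added example that is not part of the thread or of the Working Group's documents. It models the external-key import step of pattern (B): the cloud KMS publishes an RSA import wrapping key, the external KMS wraps its own 256-bit key to that public key with RSA-OAEP/SHA-256, and the cloud KMS unwraps it inside its own boundary. A key check value (a truncated SHA-256 of the key) lets both sides confirm the same bytes arrived without exposing the key. The `ExternalKMS` and `CloudKMS` types, the `importLabel` value, and the key ids are hypothetical names invented for this example; real providers differ in wrapping algorithm, label and key format. The same code also shows pattern (A) by generating a key natively in the cloud KMS, which the external KMS then has no copy of.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// OAEP label both sides must agree on (a constructed value for this example).
var importLabel = []byte("kms-import-v1")

// keyStore holds raw 256-bit keys by id; both KMS models embed it.
type keyStore struct{ keys map[string][]byte }

// Generate draws a fresh 256-bit key from the OS CSPRNG. In the cloud KMS this is
// pattern (A); in the external KMS it is the customer's own root of trust.
func (s *keyStore) Generate(id string) error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	s.keys[id] = k
	return nil
}

// KeyCheckValue returns a short SHA-256 digest of the key material, so both sides
// can confirm an import delivered identical bytes without revealing the key.
func (s *keyStore) KeyCheckValue(id string) (string, error) {
	k, ok := s.keys[id]
	if !ok {
		return "", errors.New("no such key: " + id)
	}
	sum := sha256.Sum256(k)
	return hex.EncodeToString(sum[:4]), nil
}

// ExternalKMS models a KMS entirely outside the cloud (hypothetical type).
type ExternalKMS struct{ keyStore }

// CloudKMS models the provider's KMS (hypothetical type); wrapKey is the RSA
// import wrapping key whose public half it hands to customers.
type CloudKMS struct {
	keyStore
	wrapKey *rsa.PrivateKey
}

func NewExternalKMS() *ExternalKMS { return &ExternalKMS{keyStore{keys: map[string][]byte{}}} }

func NewCloudKMS() (*CloudKMS, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &CloudKMS{keyStore: keyStore{keys: map[string][]byte{}}, wrapKey: k}, nil
}

// ImportWrappingPublicKey is what the cloud publishes for pattern (B) imports.
func (c *CloudKMS) ImportWrappingPublicKey() *rsa.PublicKey { return &c.wrapKey.PublicKey }

// WrapForImport, customer side of pattern (B): the key is RSA-OAEP/SHA-256 wrapped to
// the cloud's import public key, so only the cloud KMS can recover it in transit.
func (e *ExternalKMS) WrapForImport(id string, pub *rsa.PublicKey) ([]byte, error) {
	k, ok := e.keys[id]
	if !ok {
		return nil, errors.New("no such key: " + id)
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, k, importLabel)
}

// ImportKey, cloud side of pattern (B): unwrap inside the KMS boundary, validate the
// length and register the key. A blob wrapped to another key, or tampered with, fails OAEP.
func (c *CloudKMS) ImportKey(id string, wrapped []byte) error {
	k, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, c.wrapKey, wrapped, importLabel)
	if err != nil {
		return fmt.Errorf("import rejected: %w", err)
	}
	if len(k) != 32 {
		return errors.New("imported key material must be 256 bits")
	}
	c.keys[id] = k
	return nil
}

func main() {
	ext := NewExternalKMS()
	cloud, _ := NewCloudKMS() // RSA keygen only fails if the CSPRNG does
	_ = ext.Generate("payroll-kek")
	wrapped, _ := ext.WrapForImport("payroll-kek", cloud.ImportWrappingPublicKey())
	fmt.Println("import:", cloud.ImportKey("payroll-kek", wrapped))
	a, _ := ext.KeyCheckValue("payroll-kek")
	b, _ := cloud.KeyCheckValue("payroll-kek")
	fmt.Printf("external KCV %s, cloud KCV %s, match=%v\n", a, b, a == b)
}
```

The point for the (B) document is where the trust boundary sits: the raw key exists in the external KMS before the cloud ever sees it, it crosses the network only under the cloud's import public key, and the cloud can verify it received what the customer sent without either side disclosing the key. With pattern (A) there is nothing to compare against, because the cloud is the only place the key material ever existed.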