Cloud Key Management

Cloud Key Mgmt Meeting Minutes, 11 December 2024

    Posted Dec 19, 2024 12:00:00 AM

    Dear members,
    Please find below the meeting minutes from our last 2024 call on the 11th of December.

    Minutes:

    The group discussed the publication of the ‘Key Mgmt when Migrating to the Cloud’ on the 18th of December and the multi-Cloud KMS document, mentioning updates for the following year. They also briefly discussed the group’s plans for 2025.

    Post-Quantum Cryptography Transition Guidance
    The team discussed the potential need for guidance on transitioning to post-quantum cryptography (PQC) and key management practices. Partha suggested creating a document outlining best practices for organizations to move from traditional cryptography to a hybrid model incorporating PQC, eventually reaching a full PQC state. Imran noted there are ongoing discussions around hybrid approaches for specific protocols like TLS, but no clear guidance yet from NIST. They agreed it may be valuable for CSA to provide thought leadership on transition considerations, even if details need to be revised as PQC matures. The discussion also touched on differentiating cryptographic vs. non-cryptographic secrets and key sharing techniques.
    Marina reminded everyone of the Post-Quantum paper they had started in 2024 and put aside to work on at a later moment.
    Potential Update of Previous Publications
    They also discussed the importance of ensuring that all previous publications are still current and relevant. The team agreed to review and refresh these publications, with a focus on ensuring their relevance and accuracy. Lastly, they touched on the topic of secrets management, with the team agreeing to include it in future discussions for publication.
    Zero Trust Integration and Prioritization
    Partha proposed the integration of ZT in key management best practices, leveraging AI and generative AI to optimize key management operations, and addressing challenges in key management in edge computing. Imran suggested prioritizing based on criticality and maturity of technologies, while Partha emphasized the importance of creating an ROI model to determine the return on time invested in these documents. Sam added that availability of expertise and interest from experts could also be a factor in prioritization. The team agreed to list out the ideas, focus areas, and reasons for each, and then prioritize based on these factors.
    Topics Discussion
    Partha proposed structuring the ideas for the next meeting, with a brief description of the focus area and relevance to the group. Sam agreed, suggesting that those with strong opinions on a topic should be prepared to present it at the next meeting.
    Multi-Cloud Document Progress
    The team discussed the remaining tasks and the need for a thorough review of the last section of the white paper (section 3.4 Third Party Multi-Cloud KMS). Sam highlighted the need for a review of the content provided by Thalis and welcomed Imran's fresh perspective. The team also discussed the need for a more comprehensive review of the last section, which was identified as a key area for improvement.

    Next steps:

    Next call: 22 January 2025

    Time: 09:00 a.m. P.T. / 12:00 p.m. E.T. / 17:00 GMT
    URL: https://zoom.us/j/93617880747  (Meeting ID: 936 1788 0747, Passcode: 536522)
     
    Happy Holidays!!!!
    Marina





    ------------------------------
    Marina Bregkou,
    Senior Research Analyst,
    CSA
    ------------------------------