That's an initiative worked by the CCM working group usually. So after the completion of our work we will need to (maybe shortly) collaborate with the CCM WG and discuss how the 2 topics can be "married".
Original Message:
Sent: Jul 26, 2023 11:22:59 PM
From: Thanos Vrachnos
Subject: HSMaaS Auditing Guidance
I think that the HSMaaS paper will generate a new artifact: recommended updates to CCM for HSM as a Service.
So in my opinion, there is no need for a separate auditing guideline document. HSMaaS can be audited under its dedicated section of the CCM. Besides, I've not seen other dedicated audit guideline documents published by CSA.
@Marina Bregkou how are these CCM-HSMaaS updates going to be triggered/handled? (see p.58 of our HSMaaS paper)
------------------------------
Thanos Vrachnos OffensiveOps | PKI & eID Subject-matter Expert
SPEARIT
Thessaloniki, Greece
Original Message:
Sent: May 23, 2023 12:11:33 AM
From: Thanos Vrachnos
Subject: HSMaaS Auditing Guidance
Coming from an auditing and certification place here, also CSA's CCAK structure is made for auditors, I would not worry about that aspect.
The idea is to provide a "2D" guidance, not only in internal audits as @Alex Sharpe mentioned but also in external, 3rd party audits as mentioned in my first message. Any of the popular standards which include/foresee requirements for HSMs: PCI, WebTrust for CA, eIDAS - ETSI TS 119 4xx standards, ISO 27017, etc. Also, CCAK's body of knowledge could include such a chapter in a next release.
But regarding the certification schemes, it should be examined whether HSMaaS is allowed as an option currently (in several of the above, it is not). One of the objectives of the upcoming HSMaaS paper is to provide awareness on this topic so that this technology option can be considered in future certification/audit scheme releases.
------------------------------
Thanos Vrachnos OffensiveOps | PKI & eID Subject-matter Expert
SPEARIT
Thessaloniki, Greece
Original Message:
Sent: May 19, 2023 06:13:06 PM
From: E A
Subject: HSMaaS Auditing Guidance
Does collective we possess any real auditing expertise worth mentioning?
If uncertain, I would stay away: my experience working WITH auditors taught me a good lesson: "we do not understand much how they conduct biz."
This is not to discourage the team but to add a decision gate to the process.
Best,
--------------------------------------------------------------
Strategic Efficiency, GRC
CEA, PMP, CISSP, CCSP, AWS CSA, ITIL
"Rite information to Rite roles at Rite time"
Original Message:
Sent: 5/19/2023 2:38:00 PM
From: Alex Sharpe
Subject: RE: HSMaaS Auditing Guidance
Good idea. I like it.
One of the top 3 causes of a breach is misconfiguration. Audits catch those kinds of errors. Might as well help them do an audit right.
------------------------------
Alex Sharpe
Principal
Sharpe42
Co-Chair Philosophy & Guiding Principles Working Group
Co-Chair Organizational Strategy & Governance Working Group
Original Message:
Sent: May 12, 2023 08:16:54 AM
From: Thanos Vrachnos
Subject: HSMaaS Auditing Guidance
Hi everyone,
As I had been reviewing our HSMaaS draft document, I thought of the following topic which may provide value to the IT auditing audience: "audit guidance on cloud HSM solutions/HSMaaS offerings" which of course may expand to include the KMS service offerings.
After our 2 publications (KM Lifecycle Best Practices & HSMaaS), a new, separate document could follow, providing some brief guidelines on auditing these types of systems, focusing on critical areas, as required by the audit/certification schemes (cryptographic operations, user management/access control, audit and immutable/signed logs, network isolation, key attestation).
It is a cloud service which is increasingly adopted and is part of audited environments under various audit schemes (PCI, WebTrust, eIDAS and ETSI TS 119 4xx standards) and I have personally faced it as an audit object while performing WebTrust, ISO 27017 and eIDAS audits. Additionally, it could also be bound to other CSA areas such as CCAK or Cloud Security Guidance to reach the audience who will benefit at the first level.
Thoughts are more than welcome (mentioning also @Michael Roza who always has an unbiased view :) )
Also, @Hannah Rock @Anna Schorr
Best regards,
------------------------------
Thanos Vrachnos OffensiveOps | PKI & eID Subject-matter Expert
SPEARIT
Greece, Thessaloniki
------------------------------