Dear members,
Below you can find the minutes from the working group call on the 24th of July.
Minutes:
Multi-Cloud KMS document
Sam led the discussion on the multi-cloud KMS document, seeking feedback and making changes to improve clarity and focus. He proposed to finalize the scope of the document to better manage content. Adeeb's updated flow description was reviewed and approved, with some minor changes made. Sam also introduced a new section on key inventory, which was agreed to be a useful addition. The document was then assigned for further review and feedback.
Cryptographic Modules and Multi-Cloud KMS Paper
Sam discussed the need for contributions from key players in the field of cryptographic modules and devices, specifically in relation to a paper on multi-cloud KMS. He outlined the paper's structure, which includes discussing various architectures, their risks, and the relevance of these to multi-cloud KMS. Sunil agreed to review and potentially revise a section of the paper related to hybrid KMS, as he and Sam shared concerns about its clarity and direction.
Hybrid KMS Model Clarification
The group discussed the hybrid KMS model, in which an on-premises HSM is used for cryptographic key management and protection, with the keys potentially being imported into a cloud-based KMS. There was some confusion about whether the HSM must be on-premises or whether it could exist within a cloud environment. Sunil confirmed that the HSM could be anywhere, either on-premises or in the cloud. Sam emphasized the need for a clear understanding of these patterns to avoid internal confusion.
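The hybrid pattern above (key generated and protected in an on-premises HSM, then imported into a cloud KMS) is easiest to reason about as a concrete exchange. The following is an added illustration, not code from the working group document or from any cloud provider: both the `CloudKMS` and the `OnPremHSM` are constructed stand-ins, the key IDs are made up, and the wrapping scheme (RSA-OAEP with SHA-256, using the key ID as the OAEP label) is an assumed design rather than any provider's actual import API. It shows the control points a reviewer of such a pattern would want to see: the raw key never leaves the HSM unwrapped, a blob wrapped for one key ID is rejected under another, and an existing key ID is never silently overwritten.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// CloudKMS is a constructed stand-in for a cloud KMS that accepts imported key
// material (not any provider's real API). The public half of its RSA import
// key is handed to the customer, who wraps the key material to it.
type CloudKMS struct {
	importKey *rsa.PrivateKey
	keys      map[string][]byte // key ID -> raw AES-256 key material
}

func NewCloudKMS() (*CloudKMS, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &CloudKMS{importKey: priv, keys: map[string][]byte{}}, nil
}

// WrappingPublicKey is what the on-prem side fetches before wrapping.
func (k *CloudKMS) WrappingPublicKey() *rsa.PublicKey { return &k.importKey.PublicKey }

// ImportKey unwraps RSA-OAEP(SHA-256) material. The key ID doubles as the OAEP
// label, so a blob wrapped for one key ID cannot be imported under another, and
// an existing key ID is never silently overwritten.
func (k *CloudKMS) ImportKey(keyID string, wrapped []byte) error {
	if _, exists := k.keys[keyID]; exists {
		return fmt.Errorf("import rejected: key %q already exists", keyID)
	}
	raw, err := rsa.DecryptOAEP(sha256.New(), nil, k.importKey, wrapped, []byte(keyID))
	if err != nil {
		return fmt.Errorf("import rejected: %w", err)
	}
	if len(raw) != 32 {
		return fmt.Errorf("import rejected: got %d bytes, want 32 (AES-256)", len(raw))
	}
	k.keys[keyID] = raw
	return nil
}

// HasKey reports whether the cloud holds material under keyID.
func (k *CloudKMS) HasKey(keyID string) bool { _, ok := k.keys[keyID]; return ok }

// OnPremHSM is a constructed stand-in for the on-premises HSM: it generates and
// retains the key; only an RSA-wrapped copy ever leaves it.
type OnPremHSM struct{ material []byte }

func (h *OnPremHSM) GenerateAESKey() error {
	h.material = make([]byte, 32)
	_, err := rand.Read(h.material)
	return err
}

// WrapForImport wraps the key to the cloud import public key with RSA-OAEP,
// binding the blob to keyID via the OAEP label.
func (h *OnPremHSM) WrapForImport(pub *rsa.PublicKey, keyID string) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, h.material, []byte(keyID))
}

// MatchesCloudCopy is the post-import check: the cloud copy must equal the HSM copy.
func (h *OnPremHSM) MatchesCloudCopy(k *CloudKMS, keyID string) bool {
	return subtle.ConstantTimeCompare(k.keys[keyID], h.material) == 1
}

// RunImportFlow runs generate -> fetch wrapping key -> wrap -> import and
// reports whether the cloud now holds the same material the HSM generated.
func RunImportFlow(keyID string) (bool, error) {
	hsm := &OnPremHSM{}
	if err := hsm.GenerateAESKey(); err != nil {
		return false, err
	}
	kms, err := NewCloudKMS()
	if err != nil {
		return false, err
	}
	wrapped, err := hsm.WrapForImport(kms.WrappingPublicKey(), keyID)
	if err != nil {
		return false, err
	}
	if err := kms.ImportKey(keyID, wrapped); err != nil {
		return false, err
	}
	return hsm.MatchesCloudCopy(kms, keyID), nil
}

func main() {
	ok, err := RunImportFlow("tenant-a-dek")
	fmt.Println("import flow ok:", ok, "err:", err)
}
```

Because the HSM keeps the original and the cloud only ever receives a wrapped copy, the pattern works the same whether that HSM sits in a data centre or in a cloud HSM service, which is the point Sunil made: what matters is where the key is generated and protected, not the physical location of the device.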
Diagram Representation and Key Management System
The group discussed the representation of a diagram and agreed that Sunil would draft the section containing the diagram and corresponding steps, with a focus on the various patterns or solutions from a hybrid cloud standpoint. They also deliberated on the label "Multi cloud key management system," suggesting it might be too prescriptive and should be made more flexible to address multiple use cases. The team agreed that Sunil would write the section and that the name would be revisited afterwards. Sam then led a review of the sections marked as ready for review, assigning Partha to review the streaming section.
Document Review and Assignment
Sam identified several sections of the document that required review, including issues related to key exchange, scope, and the relevance of certain use cases to multi-cloud. Sam assigned himself to these tasks, with the exception of the privacy section, which was given to Alex. Sam also noted that the application encryption section was ready for review and asked for a volunteer to review it within the scope of the document.
Encryption in Applications and CSP Usage
The group discussed the use of encryption in applications, particularly those residing in IaaS or PaaS environments. They agreed that applications should not develop their own encryption capabilities, but should instead use the dedicated, validated cryptographic services provided by the CSP, which helps ensure compliance with industry standards and best practices. Sam raised a concern about the potential overlap between best practices and multi-cloud key management, but agreed that the use of CSP-provided cryptographic services should be mentioned as a best practice.
Best Practices Paper Progress and Refinement
The team discussed the completion of the document and its preparation for public review. Sunil and Santosh made significant contributions to the document, which included updates and the addition of a diagram to reflect the different stages of migration. Sam agreed to review the document as an external check, and if approved, it would be forwarded to Marina for the next steps towards publication. A point of improvement was identified regarding the use of the term "strategy" in the document, and it was agreed that this would be clarified.
Previous action items:
- For the 'Best Practices for Managing Keys when Uploading Data from On-prem to Cloud' document:
- Prepare first draft - DONE
- Sunil ( @Sunil Arora) to include diagrams like the ones provided by M. Roza as examples, address comments, and add missing references following Marina's example on pages 9 and 22 - DONE
- For the 'Multi-Cloud' document:
- Sam will review and refine the multi-cloud KMS section in the document, ensuring it includes a clear introduction, risk considerations, and use cases. - DONE
- Sam to author 2.4.10 Third-party Risk, 2.5.1 Organizational Maturity, 2.5.3, 2.5.5 Time, 3.3 Directed Key Management - PENDING
- Sam to review Rajat's completed sections 3.1 and 3.2 - PENDING
- Smita will review the document, provide feedback, and suggest any necessary changes, focusing on the sections she is familiar with. - PENDING
- Simon to author 2.4.6 User/System Access, 2.4.7 Rotation/Destruction - Partially done (2.4.7 pending)
- Sunil to author 3.4 Hybrid Cloud - In Progress
- Simon and Iain to author 3.5 Third-party Multi-Cloud KMS (MCKMS) - PENDING
- Adeeb to review Simon's sections 2.4.3, 2.4.5, 2.4.6 - PENDING
- Akshay to author 2.3.8 Key Sharing - DONE
Next action items:
- Sam ( @Sam Pfanstiel) to author 2.4.10 Third-party Risk, 2.5.1 Organizational Maturity, 2.5.3, 2.5.5 Time, 3.3 Directed Key Management. Also to review Rajat's completed sections 3.1 and 3.2
- Sam ( @Sam Pfanstiel) to add a recommendation about using FIPS-validated or otherwise validated cryptographic modules in the application encryption section.
- Sam ( @Sam Pfanstiel) to address open sections on user system access (IAM), key rotation, and destruction in the context of multi-cloud risks.
- Sam ( @Sam Pfanstiel) to review and clean up sections on risks and impacts related to multi-cloud key management.
- Smita to review the document, provide feedback, and suggest any necessary changes, focusing on the sections she is familiar with.
- Simon ( @Simon Keates) to author 2.4.7 Rotation/Destruction
- Sunil ( @Sunil Arora) to complete section 3.4 Hybrid Cloud
- Iain ( @Iain Beveridge) to author 3.5 Third-party Multi-Cloud KMS (MCKMS)
- Adeeb ( @Adeeb Mohammed) to review Simon's sections 2.4.3, 2.4.5, 2.4.6
- Akshay ( @Akshay Bhardwaj) to author 2.3.9 BYOE
- Alex to review the privacy section of the document.
Next working group call:
Date: Wednesday, August 7
Time: 09:00 a.m. PDT / 12:00 p.m. EDT / 16:00 GMT
URL: https://zoom.us/j/93617880747
Meeting ID: 936 1788 0747
Passcode: 536522
Kind regards,
Marina
------------------------------
Marina Bregkou,
Senior Research Analyst,
CSA
------------------------------