Cloud Key Management

Key Mgmt WG Meeting Minutes, 7th August 2024

    Posted Aug 09, 2024 05:47:00 AM

    Dear members,

    Below you can find the minutes from the working group call on the 7th of August.

    You can find the recording here: https://cloudsecurityalliance.zoom.us/rec/share/YOLVNTpC5JaEXsvhPSwKMqsF69Qs-BAx_NFZicorLA2Oc2vrEGQmOuPBxfkGsyJe.DoG5UtzJm80hyd9g  (Passcode: 1EQ=w=+*)

    Announcement: 
    The team decided to take a two-week break to allow for relaxation and reconvene on September 4th.
    The next Multi-Cloud KMS document call will take place on the 30th of August.

    Minutes:

    Multi-Cloud KMS document: 
    The group discussed the progress of the team's respective tasks. The team focused on ensuring everyone completed their assigned sections, with Sam encouraging members to contribute where they could, given their conflicting priorities and commitments.
    Progress:
    Sam suggested updating the title to better reflect the contents and emphasized the importance of authors reviewing comments and providing responses.
    Sam highlighted the importance of considering the usage of keys, their impact on applications and services, and the associated risks, such as confidentiality, integrity, and availability loss. He also stressed the need to consider general risk factors and other considerations that could impact key usage across providers, with user access being a crucial aspect.
    Task Delegation
    Sam delegated tasks to the team to alleviate Simon's workload. Michael agreed to review and possibly complete a section on user system access and rotation/destruction, while Smita offered to review both user system access and business impacts.
    Discussing Directed Key Management Concept
    Sam and Michael discussed the concept of directed key management in the context of cloud service providers. Sam suggested removing this topic from the document as it might confuse their audience. Michael agreed, but emphasized the importance of understanding the decisions taken and what's happening in case something goes wrong.
    Third-Party Providers, SaaS Standards, and KMS Integration
    Michael highlighted the need for third-party providers to meet financial and regulatory standards when using SaaS. Sam proposed incorporating this aspect into discussions about third-party risk, including vetting processes, discovery, and due diligence. Sam also suggested a model where third-party KMS providers could offer fully managed keys to reduce customer risk. 
    Key Management Terminology
    Sam led a discussion on the terminology used in key management solutions, clarifying that the term "key management solution" or "key management system" should be used instead of "service". The team also agreed to differentiate between customer-controlled key stores and key management models.

    Sam was tasked with articulating these distinctions more clearly in future communications. 

    Best Practices Paper finalization:

    The group discussed the finalization of the document. Sam has reviewed half of the document and has made several comments, including the addition of a practice to identify the current key cryptosystem. As soon as Sam finishes the second half of his review, the document will proceed to the peer review process.
    Document Revisions:
    The group discussed revisions to the document, including swapping the order of "1.2.1" and "1.2.2" sections, updating a title to remove the word "sensitivity," and moving a bullet point about cryptosystems to the "Data Classification" section. Smita suggested renaming the "Data Classification and Sensitivity" section header to "Determining Appropriate Data Classification." Sam assigned Sunil to make the discussed changes, insert a new diagram, and accept all tracked changes before finalizing the document. 

    Previous action items:

    • 'Best Practices for Managing Keys when uploading Data from on-prem to Cloud' document
      • Sam to proofread the document before public peer review. - Half DONE
    • For the 'Multi-Cloud' document.
      • Sam to author 2.4.10 Third-party Risk, 2.5.1 Organizational Maturity, 2.5.3, 2.5.5 Time, 3.3 Directed Key Management. Also to review Rajat's completed sections 3.1 and 3.2 - PENDING (2.4.10 completed by Yuvaraj, 3.3 completed by Rajat and Sam)
      • Sam to add a recommendation about using FIPS-validated or otherwise validated cryptographic modules in the application encryption section. - PENDING
      • Sam to address open sections on user system access (IAM), key rotation, and destruction in the context of multi-cloud risks. - PENDING
      • Sam to review and clean up sections on risks and impacts related to multi-cloud key management. - PENDING
      • Smita to review the document, provide feedback, and suggest any necessary changes, focusing on the sections she is familiar with. - PENDING
      • Simon to author 2.4.7 Rotation/Destruction - PENDING
      • Sunil to complete section 3.4 Hybrid Cloud - DONE
      • Iain to author 3.5 Third-party Multi-Cloud KMS (MCKMS) - PENDING
      • Adeeb to review Simon's sections 2.4.3, 2.4.5, 2.4.6 - PENDING 2.4.6
      • Akshay to author 2.3.9 BYOE - Section Removed
      • Alex to review the privacy section of the document. - DONE


    Next action items:

    • Yuvaraj (@Yuvaraj Madheswaran) to address or resolve Alex's comments in section 2.3.6
    • Simon (@Simon Keates) to address/resolve Alex's comments in sections 2.4.3 and 2.4.5
    • Simon (@Simon Keates) and Smita to author 2.4.7 Rotation/Destruction
    • Iain (@Iain Beveridge) to author 3.5 Third-party Multi-Cloud KMS (MCKMS)
    • Adeeb (@Adeeb Mohammed) to review section 2.4.6
    • Smita to review the document, provide feedback, and suggest any necessary changes, focusing on the sections she is familiar with.
    • Sam (@Sam Pfanstiel) to review and clean up sections on risks and impacts related to multi-cloud key management.
    • Sam (@Sam Pfanstiel) to address open sections on user system access (IAM), key rotation, and destruction in the context of multi-cloud risks.
    • Sam (@Sam Pfanstiel) to add a recommendation about using FIPS-validated or otherwise validated cryptographic modules in the application encryption section.
    • Sam (@Sam Pfanstiel) to author 2.5.1 Organizational Maturity, 2.5.3, 2.5.5 Time.
    • Marina to review section 3.1 Customer Managed KMS
    • Akshay (@Akshay Bhardwaj) to review section 3.2 Customer Held KMS with BYOE in mind.

    Next working group call:

    Date: Wednesday, September 4th
    Time: 09:00 a.m. PDT / 12:00 p.m. EDT / 16:00 GMT
    URL: https://zoom.us/j/93617880747
    Meeting ID: 936 1788 0747
    Passcode: 536522

    Kind regards,
    Marina



    ------------------------------
    Marina Bregkou,
    Senior Research Analyst,
    CSA
    ------------------------------