Dear members,
This is a kind reminder of the Cloud Key Mgmt working group call scheduled for tomorrow 26th of July at 08:00 a.m. PST / 11:00 a.m. EST / 16:00 GMT.
Please find below the action items you are to complete for tomorrow's call. Please remember that if all action items are finalized, after tomorrow's call we can send the HSM document for peer review.
New action items:
- Document 1: HSM-as-a-Service:
- Sam ( @Sam Pfanstiel) to review and approve or modify the document structure as a whole.
- Sam ( @Sam Pfanstiel) to help out Carlos in use case 3.4 and describe how it adds value to HSM-as-a-Service
- Sam ( @Sam Pfanstiel) to write an intro paragraph for the 4. Responsibilities section, page 22.
- Sam ( @Sam Pfanstiel) to decide if we need to synthesize Responsibility references throughout the document, altogether under section 4. Responsibilities, OR to create the appendix we discussed on the call.
- Sam ( @Sam Pfanstiel) to review page 50, the remote key attestation section Thanos included and decide if it goes with the rest of section 8. Key Mgmt Considerations.
- Sam ( @Sam Pfanstiel) to review section 10. Vendor Selection best practices, pages 53-54.
- Iain ( @Iain Beveridge) OR Michael ( @Michael Roza) to create a diagram depicting the HSM architecture overview?
- Iain ( @Iain Beveridge) to review the content added by Marina in the eIDAS use case, page 18.
- Iain ( @Iain Beveridge) to review and approve/comment the paragraph on CC Thanos added in 5.2, page 29.
- Marina to make reference to the shared responsibility model included in the CCM, in the 4. Responsibilities section.
- Marina to add intro section to 5. HSM Hardware.
- As mentioned on the call, Thanos ( @Thanos Vrachnos) to update section 5.2 Hardware HSM by mentioning some critical elements of the device: e.g. anti-tampering modules, crypto-processor, etc.
- Simon to address the 'note to self' in section 5.2.2 Payments HSM and to expand on key granularity and ownership/possession.
- Partha to finish the comparison table (Marina started) that includes the physical and logical security controls side by side in section 6, page 35.
- Who is collecting the responsibilities mentions throughout the document and including them in the Responsibilities Appendix created specifically for this?
- Document 2 - Key Mgmt Lifecycle Best Practices:
- Alex ( @Alex Sharpe) to please review the additional text written in section 2.5 Encryption Overview by Parth.
- Marina to write section 3.2.3 Key Use.
- Partha to please address comments made by Alex Sharpe and Alex Rebo and review and do a sanity check of section 2 - Key Mgmt Refresher, where Partha is the lead author.
- Partha to please review section 4.1 Compliance and Regulatory Requirements, written by Vani.
- Partha to please write Conclusions section 8, page 48.
- Vani ( @Vani Murthy) as section 4 lead, to review and provide feedback to the subsections 4.3, 4.4, 4.5 that Rajat, Vanesa and Vasan have submitted.
- Santosh ( @Santosh Bompally) to please address comments made to 2.4.1 by EA (Alex Rebo)
- Santosh ( @Santosh Bompally) to clean and polish section 5.1 - Deployment Approach.
- Santosh ( @Santosh Bompally) please review section 5.3 - Operations and Maintenance written by Rajat.
- Carlos ( @Carlos Rombaldo Junior) and Vasan Kidambi please write section 6 - Industry Specific differences.
- @All: Are we adding 'Key Loading' in the Key Lifecycle diagram?
To connect on the call tomorrow:
Time: 08:00 a.m. PST / 11:00 a.m. EST / 16:00 GMT / 18:00 EET
URL: https://zoom.us/j/93617880747 (Meeting ID: 936 1788 0747)
Kind regards,
Marina
------------------------------
Marina Bregkou,
Senior Research Analyst,
CSA
------------------------------