Dear members,
Below you can find the minutes from the working group call on the 10th of July.
Recording: https://cloudsecurityalliance.zoom.us/rec/share/4lKIAsZ5ZYzmwHwR1MMlMefz6Q-N6A7H6hqSTYBlFdkXF1rHXBcIhhwa1OqgJzDm.JQVm2haVAdruSjeh (Passcode: @@8+!jv6)
Minutes:
Multi-Cloud KMS document:
Section Progress and Upcoming Review
Simon reported that he had completed sections related to confidentiality, integrity, availability, and separation of duties. Adeeb committed to review and update Simon's sections over the weekend and mark Sam for review once completed. The team also planned to address additional tasks in a subsequent meeting dedicated to this deliverable.
Key Material Terminology and Concepts
Simon proposed that key material, which includes the key itself, random numbers, IVs, key agreement specifications, and parameters, should be referred to as the 'blob of data' stored by any key management system. Sam agreed with Simon's proposal but cautioned about the use of 'key' for any encryption function and suggested using 'secret' for passwords and 'key metadata' for parameters. Sam also recognized 'components' and 'shares' as common key material and opened the floor for discussion about these concepts.
Defining Key Material for Cryptography
The group discussed the need to provide a clear definition of 'key material' in this document. They agreed to reference authoritative definitions and glossaries, with Sam suggesting they could provide their own definition if one hasn't already been published elsewhere. The definition would include any overlapping segments of a string that can be used as symmetric cryptographic keys and secret parameters. Alex raised a common misconception that an HSM stores key material, which Sam corrected. Sam agreed to compile a list of references for the definition of 'key material' from the various NIST Special Publications and ISO standards.
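To make the terminology above concrete, here is an added example (written for these minutes, not code from the CSA document or any working-group member): a small Python sketch of what a KMS's key material record might hold (the secret key, an IV, and Sam's 'key metadata' for the parameters), and of the 'components' Sam mentioned, shown as an n-of-n XOR split of a symmetric key as used in key ceremonies. The record layout, the field names, and the choice of an XOR scheme are assumptions for illustration; threshold 'shares' (k-of-n, e.g. Shamir) are not shown.

```python
"""Added example, not part of the CSA working-group document.
Illustrates (a) a key-material record with the secret key separated from
non-secret parameters, and (b) n-of-n XOR key components that can be held
by separate custodians and recombined. Layout and scheme are assumptions."""
import secrets
from dataclasses import dataclass, field
from functools import reduce


@dataclass
class KeyMaterial:
    # The secret itself: the only field that must stay confidential.
    key: bytes
    # Non-secret but key-bound value that travels with the key.
    iv: bytes
    # 'Key metadata' in Sam's terminology: algorithm, length, permitted usage.
    metadata: dict = field(default_factory=dict)


def new_key_material(alg: str = "AES-256-GCM", key_len: int = 32, iv_len: int = 12) -> KeyMaterial:
    """Generate a fresh key plus the parameters a KMS would store beside it."""
    return KeyMaterial(
        key=secrets.token_bytes(key_len),
        iv=secrets.token_bytes(iv_len),
        metadata={"alg": alg, "key_bits": key_len * 8, "usage": ["encrypt", "decrypt"]},
    )


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length strings."""
    if len(a) != len(b):
        raise ValueError("components must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_into_components(key: bytes, n: int) -> list:
    """n-of-n XOR split: n-1 components are uniformly random and the last is
    chosen so that the XOR of all n equals the key. Any n-1 components are
    statistically independent of the key, so one custodian learns nothing."""
    if n < 2:
        raise ValueError("need at least two custodians")
    parts = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    last = reduce(xor_bytes, parts, key)  # key XOR p1 XOR ... XOR p(n-1)
    return parts + [last]


def combine_components(parts: list) -> bytes:
    """Reconstruct the key; correct only when every component is present."""
    return reduce(xor_bytes, parts)


if __name__ == "__main__":
    km = new_key_material()
    parts = split_into_components(km.key, 3)
    assert combine_components(parts) == km.key
    assert combine_components(parts[:2]) != km.key  # two of three is not enough
    print("metadata:", km.metadata, "| components:", len(parts))
```

Note that the IV and metadata are stored with the key but are not themselves secrets, which is the distinction the group was drawing between 'key material' as the whole blob and 'secret'/'key' as its confidential part; the components, by contrast, each need the same protection as the key they reconstruct.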
Yuvaraj's section is complete; Sam agreed to review it.
Best Practices Paper Progress and Refinement:
The paper is close to a complete first draft. The only pending item is addressing and resolving the comments Michael Roza made during internal review. Michael Roza also provided some diagrams to improve the paper's appearance.
Previous action items:
Next action items:
- Prepare first draft
- Sunil ( @Sunil Arora) to include diagrams like the ones provided by M. Roza as examples, address comments, and add missing references, following Marina's example on pages 9 and 22.
- Document 2: Multi-Cloud KMS:
- Sam ( @Sam Pfanstiel) will review and refine the multi-cloud KMS section in the document, ensuring it includes a clear introduction, risk considerations, and use cases.
- Sam ( @Sam Pfanstiel) to author 2.3.9 Regulation / Governance / Forensic, 2.4.10 Third-party Risk, 2.5.1 Organizational Maturity, 2.5.2 Cost, 2.5.3 Time, 3.3 Directed Key Management
- Sam ( @Sam Pfanstiel) to review Rajat's completed sections 3.1 and 3.2
- Smita will review the document, provide feedback, and suggest any necessary changes, focusing on the sections she is familiar with.
- Simon ( @Simon Keates) to author 2.4.6 User/System Access, 2.4.7 Rotation/Destruction
- Sunil ( @Sunil Arora) to author 3.4 Hybrid Cloud
- Simon ( @Simon Keates) and Iain ( @Iain Beveridge) to author 3.5 Third-party Multi-Cloud KMS (MCKMS)
- Adeeb ( @Adeeb Mohammed) to review Simon's sections 2.4.3, 2.4.5, 2.4.6
- Akshay ( @Akshay Bhardwaj) to author 2.3.8 Key Sharing.
Assigned and unassigned document sections:
Next working group call:
Date: Wednesday, July 24
Time: 09:00 a.m. PDT / 12:00 p.m. EDT / 16:00 GMT
URL: https://zoom.us/j/93617880747
Meeting ID: 936 1788 0747
Passcode: 536522
Kind regards,
Marina
------------------------------
Marina Bregkou,
Senior Research Analyst,
CSA
------------------------------