Cloud Key Management

Dear members,

Below you can find the minutes from the working group call on the 12th of June.

Recording: https://cloudsecurityalliance.zoom.us/rec/share/UXCscuILnAU0IX_Ky1B_mKROZ3knh5_aPoGdYvn7FNzf2vy-rLXpQGMxHBV6-vrG.FSOOjv4f-Mhwb0ny (Passcode: 4!0vGp#%)

Minutes:

Multi-Cloud KMS document
The focus was on key sharing and the scenarios where multiple keys might exist across various providers. Simon committed to scheduling the work for the following week with a target completion date of Friday. The team agreed to continue working on this bi-weekly, with Sam and Marina acting as checkpoints to ensure all content areas are drafted by the week prior.
Deadline for first draft
First draft completion by the end of June. They plan to review each other's work and aim to have the next call on July 11th.

Best Practices Paper Progress and Refinement
The scope and focus of the document related to key management best practices was discussed. Sunil suggested the addition of a table and clarification of certain points. Partha recommended sticking to the original scope to keep the document concise and focused.
Balancing TLS and Network Layer Encryption
The group discussed the use of Transport Layer Security (TLS) and network layer encryption in data security. Sunil argued that while TLS is beneficial, organizations still prefer network layer encryption due to its reliability and ability to withstand disruptions. Partha suggested a balance between the two, recommending network layer encryption for use cases where web channel coverage or S/MIME (Secure/Multipurpose Internet Mail Extensions) is not possible, and TLS with PKI (Public Key Infrastructure) for cases where S/MIME is available. Santosh agreed and proposed defining these use cases in a table for easy reference. The team agreed on the need for a minimum level of encryption to ensure data security.
Robust Validation Procedures in Migration
Discussed was the importance of robust validation procedures during data migration. Sunil stressed the need to ensure complete data transfer, regardless of the mechanism used, while Partha emphasized the necessity of validation at each layer of the OSI stack. They agreed that any data corruption during transfer could undermine the entire migration process. Partha proposed a risk-tolerance-based approach to security solutions, suggesting it be described as a 'if needed' guideline, rather than a hard and fast rule. Both agreed that this approach should be documented in policy, procedure, standard, and guideline.
Finalizing Content and Call for Paper
The group agreed on a plan to finalize and review content within the next two weeks, with the aim to complete the project by the next meeting (June 26). Sunil committed to working on the conclusion section.

Previous action items:

• Best Practices for Managing Keys when uploading Data from on-prem to Cloud' document
  • Sunil to connect with Yuvaraj and identify the updated sections of 2 and 3 and 4.4 OR make the review and verification of this action independently if possible. - DONE
    
  • Sections 1 and 2 update by Partha. - DONE (by Sunil)
    
  • Michael to Concise section 4.1 and 4.2 on key points. Too many examples: perhaps using less is possible. -DONE
  • Phani to review and provide feedback/comments at the paper's content. (If this action item is not implemented by next call, it will be dissolved). - PENDING (removed as action item for this volunteer)
• The group of contributors of the 'Multi-Cloud' document.
  
  • Vani to go through and address comments by Sam and EA on sections 2.2, 2.3, 2.3.4, 2.3.5. - DONE
  • Vani to add context on Key Exchange in 2.3.4 as discussed on the call. - DONE
  • Alex Rebo to provide feedback to questions Sam had addressed to him and Marina has tagged. - partially PENDING

Next action items:

Document 1 - Best Practices when Migrating:

• Address comments by Alex Rebo (EA) throughout the content.

Document 2: Multi-Cloud KMS:

• Author needed for 2.3.6 Privacy / Usage / Propagate Directive
• Author needed for 2.1 Feasibility assessment
• Adeeb ( @Adeeb Mohammed) to author 2.4.4 Portability and 2.4.5 Usage Limitation with Simon
• Simon ( @Simon Keates) to author 2.4.6 User/System Access, 2.4.7 Rotation/Destruction, 2.4.10 Third-party Risk.
• Sam ( @Sam Pfanstiel) to author 2.3.9 Regulation / Governance / Forensic, 2.5.1 Organizational Maturity, 2.5.2 Cost, 2.5.3 Time, 3.3 Directed Key Management
• Rajat ( @Rajat Dubey) to author 3.1 BYOK, 3.2 HYOK.
• Sunil ( @Sunil Arora) to author 3.4 Hybrid Cloud
• Simon ( @Simon Keates) and Iain ( @Iain Beveridge) to author 3.5 Third-party Multi-Cloud KMS (MCKMS)

Assigned and Unassigned document's sections:

• 2.1 Feasibility assessment - author: Unassigned
• 2.2 Key Management Models - author: Vani ( @Vani Murthy)
  
• 2.3.1 Data Lakes - author: Chandra ( @Chandra Prakash)
• 2.3.2 Data Pipelines - author: Chandra ( @Chandra Prakash)
• 2.3.3 Streaming - author: Sunil ( @Sunil Arora)
• 2.3.4 TLS Transmission - author: Vani ( @Vani Murthy)
• 2.3.5 Signing/Verification - author: Vani ( @Vani Murthy)
  
• 2.3.6 Privacy / Usage / Propagate Directives author: Unassigned
• 2.3.7 E2EE / Application Encryption - author: Chandra ( @Chandra Prakash)
• 2.3.8 Key Sharing - author:  Marina
• 2.3.9 Regulation / Governance / Forensic - author: Sam ( @Sam Pfanstiel)
• 2.4.1 Confidentiality - authors: Simon, Adeeb ( @Adeeb Mohammed)
• 2.4.2 Integrity - authors: Simon, Adeeb ( @Adeeb Mohammed)
• 2.4.3 Availability - authors: Simon, Adeeb ( @Adeeb Mohammed)
• 2.4.4 Portability - author: Adeeb ( @Adeeb Mohammed)
• 2.4.4 Separation of Duties - author: Simon, Adeeb ( @Adeeb Mohammed)
• 2.4.5 Usage Limitation - author: Simon ( @Simon Keates), Adeeb ( @Adeeb Mohammed)
  
• 2.4.6 User/System Access - author: Simon ( @Simon Keates)
• 2.4.7 Rotation/Destruction - author: Simon ( @Simon Keates)
• 2.4.10 Third-party Risk - author: Sam ( @Sam Pfanstiel)
• 2.4.11 Regulatory Constraints - author: Sam ( @Sam Pfanstiel)
  
• 2.5.1 Organizational Maturity  - author: Sam ( @Sam Pfanstiel)
• 2.5.2 Cost - author: Sam ( @Sam Pfanstiel)
• 2.5.3 Time - author: Sam ( @Sam Pfanstiel)
• 3.1 BYOK - author: Rajat ( @Rajat Dubey)
• 3.2 HYOK - author: Rajat ( @Rajat Dubey)
• 3.3 Directed Key Management - author: Sam ( @Sam Pfanstiel)
• 3.4 Hybrid Cloud - author: Sunil ( @Sunil Arora)
• 3.5 Third-party Multi-Cloud KMS (MCKMS) - author: Simon ( @Simon Keates)
  

Next working group call:

Date: Wednesday, June 26th
Time: 09:00 a.m. PDT / 12:00 p.m. EDT / 16:00 GMT
URL: https://zoom.us/j/93617880747
Meeting ID: 936 1788 0747
Passcode: 536522

Kind regards,
Marina

Hi @Marina Bregkou,

Can you please assign section 2.3.6 Privacy / Usage / Propagate Directives author: Unassigned from Multi-Cloud KMS.

Thanks!

Yuvaraj Madheswaran

Dear members,

Below you can find the minutes from the working group call on the 12th of June.

Recording: https://cloudsecurityalliance.zoom.us/rec/share/UXCscuILnAU0IX_Ky1B_mKROZ3knh5_aPoGdYvn7FNzf2vy-rLXpQGMxHBV6-vrG.FSOOjv4f-Mhwb0ny (Passcode: 4!0vGp#%)

Minutes:

Multi-Cloud KMS document
The focus was on key sharing and the scenarios where multiple keys might exist across various providers. Simon committed to scheduling the work for the following week with a target completion date of Friday. The team agreed to continue working on this bi-weekly, with Sam and Marina acting as checkpoints to ensure all content areas are drafted by the week prior.
Deadline for first draft
First draft completion by the end of June. They plan to review each other's work and aim to have the next call on July 11th.

Best Practices Paper Progress and Refinement
The scope and focus of the document related to key management best practices was discussed. Sunil suggested the addition of a table and clarification of certain points. Partha recommended sticking to the original scope to keep the document concise and focused.
Balancing TLS and Network Layer Encryption
The group discussed the use of Transport Layer Security (TLS) and network layer encryption in data security. Sunil argued that while TLS is beneficial, organizations still prefer network layer encryption due to its reliability and ability to withstand disruptions. Partha suggested a balance between the two, recommending network layer encryption for use cases where web channel coverage or S/MIME (Secure/Multipurpose Internet Mail Extensions) is not possible, and TLS with PKI (Public Key Infrastructure) for cases where S/MIME is available. Santosh agreed and proposed defining these use cases in a table for easy reference. The team agreed on the need for a minimum level of encryption to ensure data security.
Robust Validation Procedures in Migration
Discussed was the importance of robust validation procedures during data migration. Sunil stressed the need to ensure complete data transfer, regardless of the mechanism used, while Partha emphasized the necessity of validation at each layer of the OSI stack. They agreed that any data corruption during transfer could undermine the entire migration process. Partha proposed a risk-tolerance-based approach to security solutions, suggesting it be described as a 'if needed' guideline, rather than a hard and fast rule. Both agreed that this approach should be documented in policy, procedure, standard, and guideline.
Finalizing Content and Call for Paper
The group agreed on a plan to finalize and review content within the next two weeks, with the aim to complete the project by the next meeting (June 26). Sunil committed to working on the conclusion section.

Previous action items:

• Best Practices for Managing Keys when uploading Data from on-prem to Cloud' document
  • Sunil to connect with Yuvaraj and identify the updated sections of 2 and 3 and 4.4 OR make the review and verification of this action independently if possible. - DONE
    
  • Sections 1 and 2 update by Partha. - DONE (by Sunil)
    
  • Michael to Concise section 4.1 and 4.2 on key points. Too many examples: perhaps using less is possible. -DONE
  • Phani to review and provide feedback/comments at the paper's content. (If this action item is not implemented by next call, it will be dissolved). - PENDING (removed as action item for this volunteer)
• The group of contributors of the 'Multi-Cloud' document.
  
  • Vani to go through and address comments by Sam and EA on sections 2.2, 2.3, 2.3.4, 2.3.5. - DONE
  • Vani to add context on Key Exchange in 2.3.4 as discussed on the call. - DONE
  • Alex Rebo to provide feedback to questions Sam had addressed to him and Marina has tagged. - partially PENDING

Next action items:

Document 1 - Best Practices when Migrating:

• Address comments by Alex Rebo (EA) throughout the content.

Document 2: Multi-Cloud KMS:

• Author needed for 2.3.6 Privacy / Usage / Propagate Directive
• Author needed for 2.1 Feasibility assessment
• Adeeb ( @Adeeb Mohammed) to author 2.4.4 Portability and 2.4.5 Usage Limitation with Simon
• Simon ( @Simon Keates) to author 2.4.6 User/System Access, 2.4.7 Rotation/Destruction, 2.4.10 Third-party Risk.
• Sam ( @Sam Pfanstiel) to author 2.3.9 Regulation / Governance / Forensic, 2.5.1 Organizational Maturity, 2.5.2 Cost, 2.5.3 Time, 3.3 Directed Key Management
• Rajat ( @Rajat Dubey) to author 3.1 BYOK, 3.2 HYOK.
• Sunil ( @Sunil Arora) to author 3.4 Hybrid Cloud
• Simon ( @Simon Keates) and Iain ( @Iain Beveridge) to author 3.5 Third-party Multi-Cloud KMS (MCKMS)

Assigned and Unassigned document's sections:

• 2.1 Feasibility assessment - author: Unassigned
• 2.2 Key Management Models - author: Vani ( @Vani Murthy)
  
• 2.3.1 Data Lakes - author: Chandra ( @Chandra Prakash)
• 2.3.2 Data Pipelines - author: Chandra ( @Chandra Prakash)
• 2.3.3 Streaming - author: Sunil ( @Sunil Arora)
• 2.3.4 TLS Transmission - author: Vani ( @Vani Murthy)
• 2.3.5 Signing/Verification - author: Vani ( @Vani Murthy)
  
• 2.3.6 Privacy / Usage / Propagate Directives author: Unassigned
• 2.3.7 E2EE / Application Encryption - author: Chandra ( @Chandra Prakash)
• 2.3.8 Key Sharing - author:  Marina
• 2.3.9 Regulation / Governance / Forensic - author: Sam ( @Sam Pfanstiel)
• 2.4.1 Confidentiality - authors: Simon, Adeeb ( @Adeeb Mohammed)
• 2.4.2 Integrity - authors: Simon, Adeeb ( @Adeeb Mohammed)
• 2.4.3 Availability - authors: Simon, Adeeb ( @Adeeb Mohammed)
• 2.4.4 Portability - author: Adeeb ( @Adeeb Mohammed)
• 2.4.4 Separation of Duties - author: Simon, Adeeb ( @Adeeb Mohammed)
• 2.4.5 Usage Limitation - author: Simon ( @Simon Keates), Adeeb ( @Adeeb Mohammed)
  
• 2.4.6 User/System Access - author: Simon ( @Simon Keates)
• 2.4.7 Rotation/Destruction - author: Simon ( @Simon Keates)
• 2.4.10 Third-party Risk - author: Sam ( @Sam Pfanstiel)
• 2.4.11 Regulatory Constraints - author: Sam ( @Sam Pfanstiel)
  
• 2.5.1 Organizational Maturity  - author: Sam ( @Sam Pfanstiel)
• 2.5.2 Cost - author: Sam ( @Sam Pfanstiel)
• 2.5.3 Time - author: Sam ( @Sam Pfanstiel)
• 3.1 BYOK - author: Rajat ( @Rajat Dubey)
• 3.2 HYOK - author: Rajat ( @Rajat Dubey)
• 3.3 Directed Key Management - author: Sam ( @Sam Pfanstiel)
• 3.4 Hybrid Cloud - author: Sunil ( @Sunil Arora)
• 3.5 Third-party Multi-Cloud KMS (MCKMS) - author: Simon ( @Simon Keates)
  

Next working group call:

Date: Wednesday, June 26th
Time: 09:00 a.m. PDT / 12:00 p.m. EDT / 16:00 GMT
URL: https://zoom.us/j/93617880747
Meeting ID: 936 1788 0747
Passcode: 536522

Kind regards,
Marina