Cloud Key Management

Meeting Minutes 26th June 2024

    Posted Jul 05, 2024 05:36:00 AM

    Dear members,

    Below you can find the minutes from the working group call on the 26th of June.

    Recording: https://cloudsecurityalliance.zoom.us/rec/share/qkqd75_kV-mxKAql_edDaGjHHQd6fmF1pDIDVzCkksw-gVass4csCDnrumvmCZjR._WSEtwZrpZy8rDLR (Passcode: 1iBQ6ov).

    Minutes:

    Multi-Cloud KMS document:

    Improving Use Cases Document and Multi-Cloud KMS Guidance

    The clarity and focus of the use-cases document was discussed, and the group suggested that the descriptions should be more practical and less general. Sam will review the sections himself to provide clearer direction. Smita also showed interest in reviewing the document's content. Sam emphasized the necessity of the document in guiding decisions on using multi-cloud KMS, including identifying risks and understanding interoperability.

    Different Sections and Key Management Progress

    Sam outlined the scope of the sections for use cases, risks, and business impacts. Alex emphasized the original intent of the paper, cautioning against premature key management and noting the need for a certain level of maturity. Sam reported progress on the key management solution, with plans to refine the examples of key usage based on risk and business impact assessments. The team also discussed the importance of focusing on the document's purpose and agreed to avoid redundancy by referencing content from other documents.

    HSMs, KMS, and Business Continuity

    The team discussed the necessity of Hardware Security Modules (HSMs) in a Key Management System (KMS). Simon clarified that an HSM is beneficial but not mandatory, depending on the organization's risks. The team also addressed the relationship between manageability, compliance, and risk, with a focus on business continuity. The group agreed on the need for improved key management solutions given the risks of losing keys and of potential ransomware attacks. The discussion also touched on the role of compliance managers and the potential benefits of availability controls for business continuity.

    Metrics Discussion and Improvement

    Alex questioned whether metrics exist for comparing two solutions. Sam confirmed that such metrics exist and suggested a more detailed discussion on their application. Iain offered to assist by detailing metrics from their perspective and encouraged others to contribute. Sam proposed a new section to capture metrics related to organizational maturity and technical capabilities, emphasizing their relevance in understanding the organization's landscape. The team agreed to continue refining the definitions and categorizations of these metrics.

    Vendor Selection, HYOK Session, and Improvements

    Sam and Iain agreed to incorporate common vendor selection criteria in the sections to ensure fairness. Iain committed to contributing content on this topic. There was also discussion about a previous informative session by Jeremy Stieglitz from AWS on HYOK. Furthermore, Sunil raised concerns about the presentation and organization of the hybrid cloud section, prompting Sam to request a review of the overview section for improvements.

    Best Practices Paper Progress and Refinement:

    The paper is almost at a complete first draft. The only pending item is addressing and resolving the comments made by Alex Rebo during internal review.

    Previous action items:

    • 'Best Practices for Managing Keys when uploading Data from on-prem to Cloud' document
      • Address comments by Alex Rebo (EA) throughout the content. - In Progress
    • The group of contributors of the 'Multi-Cloud' document.
      • Author needed for 2.3.6 Privacy / Usage / Propagate Directive - DONE (Yuvaraj completed it.)
      • Author needed for 2.1 Feasibility assessment - Complete
      • Adeeb to author 2.4.4 Portability - PENDING
      • 2.4.5 Usage Limitation with Simon - DONE
      • Simon to author 2.4.6 User/System Access, 2.4.7 Rotation/Destruction, 2.4.10 Third-party Risk. - PENDING
      • Sam to author 2.3.9 Regulation / Governance / Forensic, 2.5.1 Organizational Maturity, 2.5.2 Cost, 2.5.3 Time, 3.3 Directed Key Management - PENDING
      • Rajat to author 3.1 BYOK, 3.2 HYOK. - PENDING
      • Sunil to author 3.4 Hybrid Cloud - PENDING
      • Simon and Iain to author 3.5 Third-party Multi-Cloud KMS (MCKMS) - PENDING


    Next action items:

        • Address and resolve comments by Alex Rebo (EA).
    • Document 2: Multi-Cloud KMS:
        • Sam ( @Sam Pfanstiel) will review and refine the multi-cloud KMS section in the document, ensuring it includes a clear introduction, risk considerations, and use cases.
        • Sam ( @Sam Pfanstiel) to author 2.3.9 Regulation / Governance / Forensic, 2.5.1 Organizational Maturity, 2.5.2 Cost, 2.5.3 Time, 3.3 Directed Key Management
        • Smita will review the document, provide feedback, and suggest any necessary changes, focusing on the sections she is familiar with.
        • Simon ( @Simon Keates) to author 2.4.6 User/System Access, 2.4.7 Rotation/Destruction, 2.4.10 Third-party Risk.
        • Rajat ( @Rajat Dubey) to author 3.1 BYOK, 3.2 HYOK.
        • Sunil ( @Sunil Arora) to author 3.4 Hybrid Cloud
        • Simon ( @Simon Keates) and Iain ( @Iain Beveridge) to author 3.5 Third-party Multi-Cloud KMS (MCKMS)
        • Akshay ( @Akshay Bhardwaj) to author 2.3.8 Key Sharing.

    Assigned and unassigned document sections:

    Next working group call:

    Date: Wednesday, July 10
    Time: 09:00 a.m. PDT / 12:00 p.m. EDT / 16:00 GMT
    URL: https://zoom.us/j/93617880747
    Meeting ID: 936 1788 0747
    Passcode: 536522

    Kind regards,
    Marina



    ------------------------------
    Marina Bregkou,
    Senior Research Analyst,
    CSA
    ------------------------------