Cloud Key Management

Meeting Minutes 3 April 2024

  • 1.  Meeting Minutes 3 April 2024

    Posted Apr 15, 2024 11:00:00 AM

    Dear members,

    Below you can find the minutes from the group's meeting on the 3rd of April.


    Best Practices for Managing Keys when uploading Data from on-prem to Cloud' document:

    Partha discussed the need to revise and concise the document, with individual authors requested to review and condense their respective sections.
    Partha took responsibility for rewriting the introduction, scope, and purpose sections, aiming to broaden the scope and better highlight the key aspects of the paper. He also requested that these updates be completed by the next meeting.

    Discussing 'Keep Your Own Key' Concept
    Damneet and Partha discussed the concept of 'keep your own key' in the context of data security. Partha initially presented the idea as an example, but Damneet recommended emphasizing 'keep your own key' as an industry standard, especially for high-level security. They agreed to include this in their presentation. AR asked about the sensitivity levels of data and how it affected their discussion. Damneet explained the concept in relation to FIPS certification and the financial or regulated industries. Sam then asked about the terminology used, with Damneet confirming that 'keep your own key' was the term used by IBM, but 'hold your own key' was the term commonly used by the CSA. Both terms were deemed acceptable.
    Integrating Data Preparation, Security, and Narrative
    Partha and Sunil discussed the interconnectedness of data preparation, security, and the overall narrative of their project. They agreed on the importance of an integrated approach and the need to incorporate planning and security requirements into their migration strategy. The team also discussed the structure and content of their artifact, with a focus on streamlining the data preparation section, adding more details on the migration process, and balancing the level of detail on data security and key management. Revision of the document, with Sunil and Rajat leading the effort to combine the security and migration sections, was agreed upon.
    Improving Document Structure and Content
    Partha and Sunil discussed the necessity for improving the document's structure and content for clarity and brevity without compromising quality. Partha suggested reducing the number of examples in the unit testing section, omitting the '4.0' section name, and renaming '4.4 Ensuring Data Integrity' to '4.3 Data Integrity Compliance Requirements'. He also proposed focusing more on a new section (4.3) that would be more specific to their topic, rather than testing and validation, which was considered too broad. Sunil agreed with Partha's recommendations, emphasizing the importance of balancing brevity and quality in the document's content.
    Clarifying Documentation Terminology and Structure
    Discussion about the terms and sections used in their documentation, particularly focusing on 'transition and optimization' versus 'migration and management'. After understanding the context, Rajat and Sunil clarified that 'transition and optimization' was related to the post-migration process, while 'migration and management' referred to the entire migration process. Partha suggested relocating the 'transition and optimization' section to 'adoption and optimization' for clarity and better resonance. Furthermore, Partha proposed combining the 'rollback plan and disaster recovery' section from 'transition and optimization' to 'adoption and optimization', as he believed it was part of the service improvement process.
    Adjusting Rollback and Disaster Recovery Document
    Sunil, Partha, and Rajat discussed the need for adjustments in the rollback and disaster recovery section of their document. Partha proposed breaking down the compliance requirements for a more general audience, while also emphasizing the importance of granular compliance for expertise. There were suggestions to move certain sections, such as transition and optimization, to more suitable locations, and to remove repetitive content. The team agreed on the need for continuous improvement and adoption, with Partha suggesting that these aspects be included in section five. The team planned to review these changes in their next meeting, with the aim of finalizing the document in about two weeks.

    Document 2: 'Multi-Cloud KMS':

    Sam proceeded to present a brainstorming document, which contained the original work done by Iain and other team members, including Michael Rosa and former chair Paul Rich. The document was not finalized, and Sam encouraged feedback and further development.
    Cryptographic Key Management Discussion
    Sam led a discussion on the importance of cryptographic key management for ensuring confidentiality, integrity, and secure data sharing, particularly in multi-cloud environments. He presented a draft document outlining the security, technical, and regulatory considerations involved, which he and Alex were soliciting feedback on. The document also discussed the challenges and potential solutions for accessing and sharing key material across multiple cloud service providers. The team agreed to continue working on the document and seek additional volunteers for the project.

    Action items:

    • Best Practices for Managing Keys when uploading Data from on-prem to Cloud' document:
      • Sections 1 and 2 to be updated by Partha
      • Section 3: Sunil ( @Sunil Arora) to concise section and include bullet points in order to avoid repetition with other sections as well.
      • Section 4: Concise section 4.1 and 4.2 on key points. Too many examples: perhaps using less is possible. @Michael Roza and @Yuvaraj Madheswaran.
        (Section 4.3 is more on the point of the overall paper)
      • Section 5.1-Planning and Execution merged with Section 2. - Santosh ( @Santosh Bompally)
      • Section 5.1.2 - Rollback Plan, should be part of section 4 to complete the Migration story. - Yuvaraj ( @Yuvaraj Madheswaran)
      • Section 5: Named - Transition and Optimization and will include Post Migration Monitoring and Optimization, while also mentioning Continuous improvement and Adaption
    • Document 2: 'Multi-Cloud KMS':
      • Sam ( @Sam Pfanstiel) will continue to lead the effort in compiling and organizing the document, facilitating contributions and feedback from the team.

    Next working group call:

    Date: Wednesday, 17 April
    Time: 09:00 a.m. PST /12:00 p.m. EST / 17:00 GMT:
    Meeting ID: 936 1788 0747
    Passcode: 536522

    Kind regards,

    Marina Bregkou,
    Senior Research Analyst,