Cloud Key Management

Dear members,

Below you can find the minutes from the working group call on the 4th of September.

You can find the recording here: https://cloudsecurityalliance.zoom.us/rec/share/SM_oJbv5-icJJ64Gh2MeYWEa27TVHRaHA7OY5pVLWFpbkNJP26VVAyCzF4F4bZTA.oXkZuFq8Jr2T-NOC (Passcode: f5%w^965)

Minutes:

• Best Practices for Key Management when Migrating Data from On-Prem to the (public) Cloud  paper is open for Public Peer Review until the 7th of October.
  
  
• Multi-Cloud KMS document: 
  Work Stream Participation and Meeting Schedule
  The group mentioned the need to make certain areas more readable and associated with use cases.
  Data Streaming Section Restructuring Discussion
  The team discussed how to structure the section on data streaming. Sunil explained his approach of introducing data streaming and its complexities before delving into specific considerations.
  Alex suggested restructuring the dense text to improve readability. Sam proposed focusing on the technical content first, leaving readability improvements for the tech writer's review. The team agreed to refine the document based on these suggestions.
  
  

Previous action items:

• Best Practices for Managing Keys when uploading Data from on-prem to Cloud' document
  • • Sam to review the 2nd half of the 'Best Practices when Migrating Data' document. - DONE
• For the 'Multi-Cloud' document.
  
  • Yuvaraj to address or resolve Alex's comments in section 2.3.6 - PENDING
  • Simon to address/resolve Alex's comments in sections 2.4.3 and 2.4.5 - PENDING
    
  • Simon and Smita to author 2.4.7 Rotation/Destruction - DONE (by Smita)
  • Iain to author 3.5 Third-party Multi-Cloud KMS (MCKMS) - PENDING
  • Adeeb to review sections 2.4.6 - PENDING
  • Smita to review the document, provide feedback, and suggest any necessary changes, focusing on the sections she is familiar with. - DONE
    
  • Sam to review and clean up sections on risks and impacts related to multi-cloud key management. - In Progress
    
  • Sam to address open sections on user system access (IAM), key rotation, and destruction in the context of multi-cloud risks. - In Progress
    
  • Sam to add a recommendation about using FIPS-validated or otherwise validated cryptographic modules in the application encryption section. - PENDING
    
  • Sam to author 2.5.1 Organizational Maturity, 2.5.3, 2.5.5 Time. - PENDING (2.5.3 was taken by Marina)
  • Marina to review section 3.1 Customer Managed KMS - PENDING
    
  • Akshay to review section 3.2 Customer Held KMS with BYOE in mind. - PENDING

Next action items:

• Document: Multi-Cloud KMS:
  • • Sam ( @Sam Pfanstiel) to address open sections on user system access (IAM), key rotation, and destruction in the context of multi-cloud risks
      
    • Sam to refactor and improve readability of use cases sections in the multi-cloud document.
    • Sam to work on drafting sections 2.5.1, and 2.5.5 on organizational maturity, time considerations, and organization technology capabilities
    • Sam to add a recommendation about using FIPS-validated or otherwise validated cryptographic modules in the application encryption section.
    • Team to discuss and potentially restructure the streaming section (2.3.3) of the multi-cloud document to improve readability and clarity.
    • Yuvaraj ( @Yuvaraj Madheswaran) to address or resolve Alex's comments in section 2.3.6
    • Adeeb ( @Adeeb Mohammed) to review sections 2.4.6.
    • Smita to attempt writing content for section 2.4.7 on user system access.
    • Akshay ( @Akshay Bhardwaj) to review section 3.2 Customer Held KMS with BYOE in mind
    • Chandra to review and contribute to section 3.4 on third-party multi-cloud KMS.

Next working group call: 

Date: Wednesday, September 18th
Time: 09:00 a.m. PDT / 12:00 p.m. EDT / 16:00 GMT
URL: https://zoom.us/j/93617880747
Meeting ID: 936 1788 0747
Passcode: 536522

Kind regards,
Marina

------------------------------
Marina Bregkou,
Senior Research Analyst,
CSA
------------------------------