Cloud Key Management

Meeting Minutes July 12th, 2023.

    Posted Jul 20, 2023 12:39:00 PM

    Dear members,

    The additional call focused on the Key Lifecycle document did not take place on the 19th of July.

    Below you can find the meeting minutes from our working group call on the 12th of July.

    Minutes:

    - The working group call focused on and revolved around the progress of the HSM-as-a-Service document.

    - We discussed creating an Appendix section for the Responsibilities content. This means that the table in section 4. Responsibilities and section 7.1 (which was relocated under section 4 and is now numbered 4.1) may be included there instead of in the main body of the HSMaaS document.

    - Discussed the possibility of adding an HSM Architecture Overview diagram. Will Iain (@Iain Beveridge) or Michael (@Michael Roza) be able to help with this?

    - Decided to move the 'Definition of HSM' from section 5 to section 2. Background, as section 2.1.

    - Marina and Thanos went through the whole document in another separate session and restructured parts of the doc, resolved comments and identified last pending actions.

    Previous action items:

    • Document 1: HSM-as-a-Service:
      • Sam to review and approve or modify the document structure as a whole. - PENDING
      • Thanos to merge the 2 different perspectives in use case 3.3 and write it as one. - DONE
      • Sam to help out Carlos in use case 3.4 and describe how it adds value to HSM-as-a-Service. - PENDING
      • Sam to review use case 3.6 Custom Applications. - DONE (Action item done by Thanos)
      • Sam to review page 45, the remote key attestation section Thanos included and decide if it goes with the rest of section 8. Key Mgmt Considerations. - PENDING
      • Sam to review section 9. Governance, page 47. - DONE (action completed by M. Roza)
      • Sam to review section 10. Vendor Selection best practices, page 49. - PENDING
      • Iain to help out with the eIDAS use case as it is still in draft shape. - DONE
      • Iain to review and approve/comment the section on CC Thanos added in 5.1 Introduction to HSM, page 22, 23. - PENDING
      • Marina to make reference to the shared responsibility model included in the CCM, in the 4. Responsibilities section. - PENDING
      • Marina to add intro section to 5. HSM Hardware. - PENDING
      • Simon to address the 'note to self' in section 5.2.2 Payments HSM and to expand on key granularity and ownership/possession. - PENDING
      • Move section 7.1 written by Bruno to section 4. Responsibilities. Sam to approve content of 7.1 and decide if it links to section 4. Responsibilities. - DONE
      • Partha to include in section 6, page 27, 28, a comparison table that includes the physical and logical security controls side by side. - PARTIALLY DONE (by Marina)
      • Partha to review section 6.4 Other controls (page 31) and decide whether it's finalized or needs updating. - PENDING
      • Thanos and Bruno to discuss and decide on the re-shaping of section 7. Interfacing and Remote Administration. - DONE
      • Michael to review sections 9 and 10 on pages 47 and 49. For the Governance section, please take into consideration the relevant other document we are working on. - DONE
    • Document 2: Key Mgmt Lifecycle Best Practices:
      • Partha to do a full review of the Key Mgmt document. - DONE
      • Alex, will you please review the additional text written in section 2.5 Encryption Overview by Parth. - PENDING
      • Sam to write section 3.2.8. Key Auditing. - DONE
      • Marina to write section 3.2.3 Key Use. - PENDING
      • Partha to please address comments made by Alex Sharpe and Alex Rebo and to review and sanity-check section 2 - Key Mgmt Refresher, of which Partha is the lead author. - PENDING
      • Partha to please review section 4.1 Compliance and Regulatory Requirements, written by Vani. - PENDING
      • Vani, as section 4 lead, to review and provide feedback on the subsections 4.3, 4.4, 4.5 that Rajat, Vanesa and Vasan have submitted. - PENDING
        As the lead for section 4 you need to check and decide on the flow, the content and the "voice" of the subsections that fall under you. - In Progress
      • Santosh please review additional content added under 2.4.1 by Vasan. - DONE
      • Santosh to include missing diagrams and references in section 5.1 - Deployment Approach. - DONE
      • Santosh please review section 5.3 - Operations and Maintenance written by Rajat. - PENDING
      • Carlos and Vasan Kidambi please write section 6 - Industry Specific differences. - PENDING
      • Partha, Sunil, Santosh to review and approve/disapprove additional text included in section 7 - On-prem Considerations by Parth Jamodkar. - DONE
      • Sunil, Partha, Alex Rebo and Sam to connect and decide on 'Key rotation'. - DONE
      • @All: Are we adding 'Key Loading' in the Key Lifecycle diagram? - PENDING

    New action items:

    • Document 1: HSM-as-a-Service:
      • Sam (@Sam Pfanstiel) to review and approve or modify the document structure as a whole.
      • Sam (@Sam Pfanstiel) to help out Carlos in use case 3.4 and describe how it adds value to HSM-as-a-Service.
      • Sam (@Sam Pfanstiel) to write an intro paragraph for the 4. Responsibilities section, page 22.
      • Sam (@Sam Pfanstiel) to decide whether we need to synthesize the Responsibility references throughout the document, altogether under section 4. Responsibilities, OR to create the appendix we discussed on the call.
      • Sam (@Sam Pfanstiel) to review page 50, the remote key attestation section Thanos included, and decide if it goes with the rest of section 8. Key Mgmt Considerations.
      • Sam (@Sam Pfanstiel) to review section 10. Vendor Selection best practices, pages 53-54.
      • Iain (@Iain Beveridge) OR Michael (@Michael Roza) to create a diagram depicting the HSM architecture overview?
      • Iain (@Iain Beveridge) to review the content added by Marina in the eIDAS use case, page 18.
      • Iain (@Iain Beveridge) to review and approve/comment on the paragraph on CC Thanos added in 5.2, page 29.
      • Marina to make reference to the shared responsibility model included in the CCM, in the 4. Responsibilities section.
      • Marina to add an intro section to 5. HSM Hardware.
      • As mentioned on the call, Thanos (@Thanos Vrachnos) to update section 5.2 Hardware HSM by mentioning some critical elements of the device, e.g. anti-tampering modules, crypto-processor, etc.
      • Simon to address the 'note to self' in section 5.2.2 Payments HSM and to expand on key granularity and ownership/possession.
      • Partha to finish the comparison table (Marina started) that includes the physical and logical security controls side by side in section 6, page 35.
      • Who is collecting the responsibilities mentions throughout the document and including them in the Responsibilities Appendix created specifically for this?
    • Document 2 - Key Mgmt Lifecycle Best Practices:
      • Alex (@Alex Sharpe) to please review the additional text written in section 2.5 Encryption Overview by Parth.
      • Marina to write section 3.2.3 Key Use.
      • Partha to please address comments made by Alex Sharpe and Alex Rebo and to review and sanity-check section 2 - Key Mgmt Refresher, of which Partha is the lead author.
      • Partha to please review section 4.1 Compliance and Regulatory Requirements, written by Vani.
      • Partha to please write Conclusions, section 8, page 48.
      • Vani (@Vani Murthy), as section 4 lead, to review and provide feedback on the subsections 4.3, 4.4, 4.5 that Rajat, Vanesa and Vasan have submitted.
      • Santosh (@Santosh Bompally) to please address comments made to 2.4.1 by EA (Alex Rebo).
      • Santosh (@Santosh Bompally) to clean and polish section 5.1 - Deployment Approach.
      • Santosh (@Santosh Bompally) to please review section 5.3 - Operations and Maintenance, written by Rajat.
      • Carlos (@Carlos Rombaldo Junior) and Vasan Kidambi to please write section 6 - Industry Specific differences.
      • @All: Are we adding 'Key Loading' in the Key Lifecycle diagram?

    Next working group call: Wednesday 26 July

    Time: 08:00 a.m. PST / 11:00 a.m. EST / 16:00 GMT / 18:00 EET

    URL: https://zoom.us/j/93617880747  (Meeting ID: 936 1788 0747)

    Kind regards,

    Marina



    ------------------------------
    Marina Bregkou,
    Senior Research Analyst,
    CSA
    ------------------------------