Dear members,
Below you can find the meeting minutes from our working group call on the 26th of July.
Minutes:
- The working group decided against creating an Appendix section for the Responsibilities content. The table in section 4. Responsibilities will remain in the main body of the HSMaaS document.
- Marina went through the whole Key Mgmt Lifecycle Best Practices document, restructured parts of the doc, resolved and addressed comments, and identified the last pending actions that need to be completed as the final step.
- The working group decided to keep the eIDAS use case (in the HSM document), as it is a forward-looking case that may influence the industry and adds value by helping readers prepare.
Previous action items:
Document 1 - Key Mgmt Lifecycle Best Practices:
- Alex to review the additional text written in section 2.5 Encryption Overview by Partha. - DONE
- Marina to write section 3.2.3 Key Use. - DONE
- Partha to address comments made by Alex Sharpe and Alex Rebo, and to review and sanity-check section 2 - Key Mgmt Refresher, where he is the lead author. - PENDING
- Partha to review section 4.1 Compliance and Regulatory Requirements, written by Vani. - PENDING
- Partha to write the Conclusions section 8, page 48. - PENDING
- Vani, as section 4 lead, to review and provide feedback on subsections 4.3, 4.4 and 4.5 that Rajat, Vanesa and Vasan have submitted. - DONE
- Santosh to address comments made on 2.4.1 by EA (Alex Rebo). - PENDING (action item implemented by Marina)
- Santosh to clean and polish section 5.1 - Deployment Approach. - DONE
- Santosh to review section 5.3 - Operations and Maintenance, written by Rajat. - DONE
- Carlos and Vasan Kidambi to write section 6 - Industry Specific Differences. - DONE
- @All: Are we adding 'Key Loading' to the Key Lifecycle diagram? - DONE (it is not going to be added)
Document 2: HSM-as-a-Service:
- Sam to review and approve or modify the document structure as a whole. - PENDING
- Sam to help out Carlos in use case 3.4 and describe how it adds value to HSM-as-a-Service - DONE (action item completed by Marina)
- Sam to write an intro paragraph for the 4. Responsibilities section, page 22. - DONE (action item completed by Marina)
- Sam to decide whether to synthesize the Responsibility references throughout the document under section 4. Responsibilities, OR to create the appendix we discussed on the call. - PENDING
- Sam to review page 50, the remote key attestation section Thanos included, and decide whether it belongs with the rest of section 8. Key Mgmt Considerations. - PENDING
- Sam to review section 10. Vendor Selection Best Practices, pages 53-54. - PENDING
- Iain OR Michael to create a diagram depicting the HSM architecture overview. - DONE (by Marina)
- Iain to review the content added by Marina in the eIDAS use case, page 18. - PENDING
- Iain to review and approve/comment the paragraph on CC Thanos added in 5.2, page 29. - PENDING
- Marina to reference the shared responsibility model included in the CCM in the 4. Responsibilities section. - DONE
- Marina to add an intro section to 5. HSM Hardware. - DONE
- As mentioned on the call, Thanos to update section 5.2 Hardware HSM by mentioning some critical elements of the device, e.g. anti-tampering modules, crypto-processor, etc. - DONE
- Simon to address the 'note to self' in section 5.2.2 Payments HSM and to expand on key granularity and ownership/possession. - DONE
- Partha to finish the comparison table (started by Marina) that places the physical and logical security controls side by side in section 6, page 35. - PENDING
- Who is collecting the responsibilities mentioned throughout the document and including them in the Responsibilities Appendix created specifically for this? - Not applicable, as the responsibilities section remains in the core document.
New action items:
Document 1 - Key Mgmt Lifecycle Best Practices:
- Partha to decide whether we are including 'Key Auditing' as a phase of the key lifecycle, giving 9 phases instead of the 8 we have right now. If Key Auditing is not included in the lifecycle after all, the content of 3.2.9 can be moved to section 5.4 Auditing Requirements.
- Partha to review section 4 - Planning for Key Management, and restructure it if necessary.
- Partha to review section 6 - Industry Specific Differences (page 51) and decide whether the content adds value to the paper.
- Partha to review and finalize section 8 - Conclusions of the paper, page 54. Sunil has already written some best practices there.
- Partha to address/resolve all existing comments on pages 8 and 9.
- ALL authors to review their respective sections and address/resolve existing comments. E.g. @Sam Pfanstiel on page 33, @Michael Roza on page 27, @Sunil Arora on pages 19, 20 and 24-26, @Santosh Bompally on pages 19, 20, 23, 25 and 48, @Iain Beveridge on page 15, @Aakash Shah on pages 13-14, @Alex Sharpe on pages 10-12, etc.
Document 2: HSM-as-a-Service:
- Sam (@Sam Pfanstiel) to decide whether to synthesize the Responsibility references throughout the document under section 4. Responsibilities, OR to create the appendix we discussed on previous calls.
- Sam (@Sam Pfanstiel) to review section 7 and section 8. Key Mgmt Considerations.
- Sam (@Sam Pfanstiel) to write the Conclusions section 11, page 61.
- Iain (@Iain Beveridge) to review the content added by Marina in the eIDAS use case, page 21.
- Iain (@Iain Beveridge) to review and approve/comment on the paragraph on CC that Thanos added in 5.2, pages 35-36.
- Partha to finish the comparison table (started by Marina) that places the physical and logical security controls side by side in section 6, page 40.
Next working group call: 23rd August
Time: 08:00 a.m. PST / 11:00 a.m. EST / 16:00 GMT / 18:00 EET
URL: https://zoom.us/j/93617880747 (Meeting ID: 936 1788 0747)
Kind regards,
Marina
------------------------------
Marina Bregkou,
Senior Research Analyst,
CSA
------------------------------