Dear members,
Tomorrow we have our working group call.
Please note that the call will focus only on the HSM document as the leads for the Key Mgmt Lifecycle document are unable to attend.
The Key Lifecycle document will be covered in an additional call, next Wednesday 19 July.
Below you can find the recording from our working group call on the 28th of June.
Minutes:
Document 1: Key Mgmt Lifecycle Best Practices
- Partha went through the document and reviewed the general overview.
- Working group decided to remove the biggest part of the content that refers to 'Secrets Management' and agreed to use it later as a separate paper.
- Finalized key phases as below (and based on NIST.SP.800-57pt1 revision 5):
· Key Generation
· Key Distribution
· Key Storage
· Key Usage
· Key Revocation
· Key Rotation
· Key Backup/Recovery
· Key Destruction/Disposal
Document 2: HSM-as-a-Service:
- Sam decided to remove 3D Authentication as a use case from section 3. Use Cases.
- In 3.3, Thanos and the group decided to remove the two different perspectives of users/audience, as it does not add any value.
- For section 6. Security Consideration, Alex proposed including a comparison table that shows the physical and logical security controls side by side.
- Partha to do a full review of the Key Mgmt document. - DONE
- Alex, will you please review the additional text written in section 2.5 Encryption Overview by Parth. - PENDING
- Sam to write section 3.2.8. Key Auditing. - DONE
- Marina to write section 3.2.3 Key Use. - PENDING
- Partha to please address the comments made by Alex Sharpe and Alex Rebo, and to review and do a sanity check on section 2 - Key Mgmt Refresher, where he is the lead author. - PENDING
- Partha to please review section 4.1 Compliance and Regulatory Requirements, written by Vani. - PENDING
- Vani, as section 4 lead, to review and provide feedback on subsections 4.3, 4.4 and 4.5, which Rajat, Vanesa and Vasan have submitted.
As the lead for section 4, you need to check and decide on the flow, the content and the "voice" of the subsections that fall under you. - In Progress
- Santosh, please review the additional content added under 2.4.1 by Vasan. - PENDING
- Santosh to include missing diagrams and references in section 5.1 - Deployment Approach. - PENDING
- Santosh, please review section 5.3 - Operations and Maintenance, written by Rajat. - PENDING
- Carlos and Vasan Kidambi, please write section 6 - Industry-Specific Differences. - PENDING
- Partha, Sunil, Santosh to review and approve/disapprove additional text included in section 7 - On-prem Considerations by Parth Jamodkar. - PENDING
- Sunil, Partha, Alex Rebo and Sam to connect and decide on 'Key rotation' - DONE
- @All: Are we adding 'Key Loading' in the Key Lifecycle diagram? - PENDING
Document 2: HSM-as-a-Service:
- Marina to send to Santosh link with previous Key Mgmt documents. - DONE
- Marina to check the previous Cloud Key Mgmt papers in order to recognize any references to HSM from the CSP/on-prem perspective, and perhaps include the non-CSP perspective (on-prem) in this paper. (Check footnotes for Utimaco, Entrust mentions, etc.) - PENDING
- Iain to write section 5.2.1 - General Purpose HSM. - In progress
- Sam to address and resolve comments made to section 1 by Alex Rebo. - In progress
- Sam to review and approve section 9 - Governance written by Rajat Dubey. - PENDING
- Sam to review and approve section 10 - Vendor Selection Best Practices, written by Rajat Dubey. - PENDING
- Simon Keates to write section 6.3 - Multi-tenant Segregation - DONE
- Tim to develop in paragraph mode the bullet points he has included in sections 6.1 and 6.2 - Physical and Logical Security Controls - DONE
- Simon Keates to write section 5.2.2 - Payments HSM - In Progress
- Sunil to write section 8 - Key Mgmt Considerations, which will be linked with the Key Mgmt Best practices parallel document. - DONE
New action items:
- Sam (@Sam Pfanstiel) to review and approve or modify the document structure as a whole.
- Thanos (@Thanos Vrachnos) to merge the two different perspectives in use case 3.3 and write it as one.
- Sam (@Sam Pfanstiel) to help out Carlos with use case 3.4 and describe how it adds value to HSM-as-a-Service.
- Sam (@Sam Pfanstiel) to review use case 3.6 Custom Applications.
- Sam (@Sam Pfanstiel) to review page 45, the remote key attestation section Thanos included, and decide if it goes with the rest of section 8. Key Mgmt Considerations.
- Sam (@Sam Pfanstiel) to review section 9. Governance, page 47.
- Sam (@Sam Pfanstiel) to review section 10. Vendor Selection Best Practices, page 49.
- Iain (@Iain Beveridge) to help out with the eIDAS use case, as it is still in draft shape.
- Iain (@Iain Beveridge) to review and approve/comment on the section on CC that Thanos added in 5.1 Introduction to HSM, pages 22-23.
- Marina to make reference to the shared responsibility model included in the CCM, in the 4. Responsibilities section.
- Marina to add intro section to 5. HSM Hardware.
- Simon to address the 'note to self' in section 5.2.2 Payments HSM and to expand on key granularity and ownership/possession.
- Move section 7.1 written by Bruno to section 4. Responsibilities. @Sam Pfanstiel to approve content of 7.1 and decide if it links to section 4. Responsibilities.
- Partha to include in section 6, pages 27-28, a comparison table that shows the physical and logical security controls side by side.
- Partha to review section 6.4 Other controls (page 31) and decide whether it's finalized or needs updating.
- Thanos ( @Thanos Vrachnos) and Bruno ( @Bruno Kovacs) to discuss and decide on the re-shaping of section 7. Interfacing and Remote Administration.
- Michael (@Michael Roza) to review sections 9 and 10 on pages 47 and 49. For the Governance section, please take into consideration the relevant other document we are working on.
Next working group call: Tomorrow, Wednesday 12 July
Time: 08:00 a.m. PST / 11:00 a.m. EST / 16:00 GMT / 18:00 EET
URL: https://zoom.us/j/93617880747 (Meeting ID: 936 1788 0747)
Kind regards,
Marina
------------------------------
Marina Bregkou,
Senior Research Analyst,
CSA
------------------------------