Cloud Key Management


HSMaaS Auditing Guidance

  • 1.  HSMaaS Auditing Guidance

    Posted May 12, 2023 08:17:00 AM
    Edited by Thanos Vrachnos May 14, 2023 01:22:51 PM

    Hi everyone,

    As I have been reviewing our HSMaaS draft document, I thought of the following topic, which may provide value to the IT auditing audience: "audit guidance on cloud HSM solutions/HSMaaS offerings", which of course may expand to include the KMS service offerings.

    After our 2 publications (KM Lifecycle Best Practices & HSMaaS), a new, separate document could follow, providing some brief guidelines on auditing these types of systems, focusing on critical areas, as required by the audit/certification schemes (cryptographic operations, user management/access control, audit and immutable/signed logs, network isolation, key attestation).

    It is a cloud service which is increasingly adopted and is part of audited environments under various audit schemes (PCI, WebTrust, eIDAS and ETSI TS 119 4xx standards), and I have personally faced it as an audit object while performing WebTrust, ISO 27017 and eIDAS audits. Additionally, it could also be bound to other CSA areas such as CCAK or the Cloud Security Guidance to reach the audience who will benefit at the first level.

    Thoughts are more than welcome (mentioning also @Michael Roza, who always has an unbiased view :) )

    Also, @Hannah Rock @Anna Schorr 

    Best regards,

    ------------------------------
    Thanos Vrachnos OffensiveOps | PKI & eID Subject-matter Expert
    SPEARIT
    Greece, Thessaloniki
    ------------------------------



  • 2.  RE: HSMaaS Auditing Guidance

    Posted May 15, 2023 03:35:00 PM
    If you wish to go that route, we might approach it from 3 viewpoints:
    1. offering selection (to determine fitness for purpose), which is a form of an audit;
    2. validation of the above (after some time of using it);
    3. compliance with various regulations.

    The reason for #3 being the last is: a compliance audit is likely to be initiated by the provider.
    Results will be available to the customers.

    The 1st 2 are completely your responsibility, as a consumer.
    Which might be better aligned with the reader's interest.

    Best,







  • 3.  RE: HSMaaS Auditing Guidance

    Posted May 16, 2023 02:45:00 PM

    Hi Thanos,

    Sounds like an exciting topic to me. Thanks for sharing.

    Best,



    ------------------------------
    Anna Campbell Schorr
    Training Program Manager
    Cloud Security Alliance
    [email protected]
    ------------------------------



  • 4.  RE: HSMaaS Auditing Guidance

    Posted May 17, 2023 05:25:00 AM
    Edited by Thanos Vrachnos May 17, 2023 08:21:04 AM

    Thanks for the input @E A . Could you elaborate more on each option if possible? I think I will agree with you in general as far as I can understand your points. Would a feasibility "study", or a fit-for-purpose survey launched by CSA, provide insights about the envisioned document? @Anna Schorr could you provide some high-level info regarding the CSA decision/purpose validation procedure (if available) on proposed guidance documents?

    Kind regards



    ------------------------------
    Thanos Vrachnos OffensiveOps | PKI & eID Subject-matter Expert
    SPEARIT
    Greece, Thessaloniki
    ------------------------------



  • 5.  RE: HSMaaS Auditing Guidance

    Posted May 18, 2023 10:00:00 AM
    When you start thinking of acquiring something, apart from a whimsical latte, you perform an audit of the offerings.
    When you recommend your acquisition to someone else, you perform another audit, assessing how well this acquisition satisfies your needs.

    These are the 1st 2 audits you perform, regardless of what you call them or whether you realise you perform an audit.

    Hope this helps.

    Best,





  • 6.  RE: HSMaaS Auditing Guidance

    Posted Jun 20, 2023 01:17:00 PM

    Hi Thanos, 

    If you think a research artifact is needed in the CSA portfolio, you simply need to propose it to the relevant working group, and then your CSA research analyst can walk you through the process. 

    Thank you for your contributions. 



    ------------------------------
    Anna Campbell Schorr
    Training Program Manager
    Cloud Security Alliance
    [email protected]
    ------------------------------



  • 7.  RE: HSMaaS Auditing Guidance

    Posted May 19, 2023 11:38:00 AM

    Good idea. I like it.

    One of the top 3 causes of a breach is misconfiguration. Audits catch those kinds of errors. Might as well help them do an audit right.



    ------------------------------
    Alex Sharpe
    Principal
    Sharpe42
    [email protected]
    Co-Chair Philosophy & Guiding Principles Working Group
    Co-Chair Organizational Strategy & Governance Working Group
    ------------------------------



  • 8.  RE: HSMaaS Auditing Guidance

    Posted May 19, 2023 06:14:00 PM
    Does the collective "we" possess any real auditing expertise worth mentioning?
    If uncertain, I would stay away: my experience working WITH auditors taught me a good lesson: "we do not understand much how they conduct biz."

    This is not to discourage the team but to add a decision gate to the process.

    Best,
     
    ------------------------------
    Strategic Efficiency, GRC
    CEA, PMP, CISSP, CCSP, AWS CSA, ITIL

    "Rite information to Rite roles at Rite time"
    ------------------------------





  • 9.  RE: HSMaaS Auditing Guidance

    Posted May 23, 2023 12:12:00 AM

    Coming from an auditing and certification place here, and since CSA's CCAK structure is made for auditors, I would not worry about that aspect.

    The idea is to provide a "2D" guidance, not only for internal audits as @Alex Sharpe mentioned but also for external, 3rd-party audits as mentioned in my first message. Any of the popular standards which include/foresee requirements for HSMs: PCI, WebTrust for CA, eIDAS - ETSI TS 119 4xx standards, ISO 27017, etc. Also, CCAK's body of knowledge could include such a chapter in a next release.

    But regarding the certification schemes, it should be examined whether HSMaaS is currently allowed as an option (in several of the above, it is not). One of the objectives of the upcoming HSMaaS paper is to provide awareness on this topic so that this technology option can be considered in future certification/audit scheme releases.



    ------------------------------
    Thanos Vrachnos OffensiveOps | PKI & eID Subject-matter Expert
    SPEARIT
    Greece, Thessaloniki
    ------------------------------



  • 10.  RE: HSMaaS Auditing Guidance

    Posted Jul 26, 2023 11:23:00 PM

    I think that the HSMaaS paper will generate a new artifact: recommended updates to the CCM for HSM as a Service.

    So in my opinion, there is no need for a separate auditing guideline document. HSMaaS can be audited under its dedicated section of the CCM. Besides, I've not seen other dedicated audit guideline documents published by CSA.

    @Marina Bregkou how are these CCM-HSMaaS updates going to be triggered/handled? (see p.58 of our HSMaaS paper)



    ------------------------------
    Thanos Vrachnos OffensiveOps | PKI & eID Subject-matter Expert
    SPEARIT
    Thessaloniki, Greece
    ------------------------------



  • 11.  RE: HSMaaS Auditing Guidance

    Posted Jul 27, 2023 06:39:00 AM

    That's an initiative usually worked on by the CCM working group. So after the completion of our work we will need to (maybe shortly) collaborate with the CCM WG and discuss how the 2 topics can be "married".



    ------------------------------
    Marina Bregkou,
    Senior Research Analyst,
    CSA
    ------------------------------