Cloud Key Management

  • 1.  Key Mgmt WG Short Survey!!!!!!

    Posted Jul 27, 2022 06:05:00 AM

    Dear members,
    as discussed on the WG's call and mentioned in the meeting minutes from the 20th of July, we'd like to conduct a short survey and understand what the important needs of our community are.

    Please have a look and comment on the draft of the questions of this survey.

    We want to run it before our next call next week on the 3rd of August.

    Cloud Key Mgmt WG Survey questions under the WG's revision:

    1. On a scale of 1-10 (where 10 is Most Important), how would you rank the topic of Bring Your Own Key?
    2. Please allocate twenty $1 bills to spend on the following aspects of cloud key management: Technical, Operational, Legal, Regulatory, Financial.
    3. If you would like to see CSA publish guidance for key management, please describe the desired content (open text).
    4. The Cloud Key Management working group would like to have brief talks with those answering #3. Please enter your contact information and we'll schedule a 15-minute call to do so.

    Kind regards,
    Marina

    ------------------------------
    Marina Bregkou,
    Senior Research Analyst,
    CSA
    ------------------------------


  • 2.  RE: Key Mgmt WG Short Survey!!!!!!

    Posted Aug 18, 2022 02:08:00 AM
    Edited by Thanos Vrachnos Aug 18, 2022 07:09:47 AM

    Dear all,

    After the WG call on 17.08.2022 and the various opinions heard during the last minutes of the call regarding important topics/considerations, I would like to provide an aspect when thinking about what topics to include for key management. Avoiding the low-level/technical/implementation-wise matters, a helpful path to identify topics for consideration/elaboration is by looking at the various use cases and applicable regulation/compliance matters around key management.

    1. The sole control of the private key is a very common requirement in standards (e.g. ETSI TS family of standards, NIST), the eIDAS regulation (which enables several new products in the eID market, all having a substantial dependency on private keys and key management in general) and, of course, the TSP market and all publicly trusted CAs which offer certificate issuance using an unexportable customer private key generated inside a cloud HSM. Since our focus is on cloud KMS solutions, a very frequent concern I have seen in consulting and auditing projects is the level of isolation of the private key offered in a public cloud KMS vs a cloud HSM, since cloud KMS solutions have some core implementation differences compared to cloud HSM solutions (mainly different FIPS 140-2 levels and, of course, whether the provider can ultimately access a subscriber's private key). Compliance requirements and risk vs cost are the factors which will dictate what solution should be used.
    2. Additionally, as Alex Sharpe mentioned (if I remember correctly), key backup and key recovery are also a frequent concern. Since a private key originally is considered to reside in a secure environment in 0 copies, a key backup operation multiplies the copies of the private key (possibly wraps it in order to be exported) and increases the probability of risks related to the key's security. Key backups can be secured in a variety of ways, not only related to the security of the storage location itself but also using key sharding and assigning a set of shards to different owners, so that multi-owner input will be required to restore a key.
    3. Key destruction can be easily derived as an extra concern based on (2).

    To conclude, I believe there are 3 points to consider regarding the approach of the study we aim to publish:
    • a distinction should be made between the cloud KMS vs cloud HSM terms and what the different levels of protection they provide are.
    • apart from the most frequent topics, focus should be given to the management framework of keys. A private key is an asset that may require complex management operations around it, especially in large-scale environments or in case the value of the data it protects is very high. There are KMS solutions which do provide an implementation of a key management framework, so that key backup, key ACL, key restoration, key destruction, key sharding etc. are supported, managed and even automated.
    • seek topics not only in open surveys and discussions but also in studying well-known standards, publications and/or regulations (eIDAS, ETSI, ENISA papers... I am mainly involved in the EU sector, so feel free to consider US/APAC resources as well).

      Best regards



    ------------------------------
    Thanos Vrachnos

    OffensiveOps | GRC | PKI & eID Subject-matter Expert
    SPEARIT
    ------------------------------
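
Added example, not part of the thread or of any participant's post: a minimal sketch of the key sharding idea raised in point 2 above, where a backup key is split among several owners and a quorum of them must cooperate to restore it. The post names no scheme; this sketch assumes Shamir's secret sharing over a prime field, and the function names and the SHA-256 check value stored with the backup record are assumptions of the example.

```python
import hashlib
import hmac
import secrets

PRIME = 2**521 - 1  # Mersenne prime; field is larger than any 256-bit key


def fingerprint(key: bytes) -> str:
    """Check value stored with the backup record (assumption of this example)."""
    return hashlib.sha256(key).hexdigest()[:16]


def split_key(key: bytes, threshold: int, owners: int) -> list:
    """Return one (index, value) shard per owner; any `threshold` shards restore."""
    if not 2 <= threshold <= owners:
        raise ValueError("need 2 <= threshold <= owners")
    secret = int.from_bytes(key, "big")
    if secret >= PRIME:
        raise ValueError("key does not fit in the field")
    # Random polynomial of degree threshold-1 whose constant term is the key.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    shards = []
    for x in range(1, owners + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation mod PRIME
            y = (y * x + c) % PRIME
        shards.append((x, y))
    return shards


def restore_key(shards: list, key_len: int, expected_fp: str) -> bytes:
    """Lagrange-interpolate at x=0, then verify against the stored check value."""
    if len({x for x, _ in shards}) != len(shards):
        raise ValueError("duplicate shard index")
    secret = 0
    for xi, yi in shards:
        num = den = 1
        for xj, _ in shards:
            if xj != xi:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    if secret.bit_length() > key_len * 8:
        raise ValueError("too few or corrupted shards")
    key = secret.to_bytes(key_len, "big")
    if not hmac.compare_digest(fingerprint(key), expected_fp):
        raise ValueError("too few or corrupted shards")
    return key
```

With a 3-of-5 split, any three owners' shards restore the key, while two shards interpolate to an unrelated value that the check value rejects.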



  • 3.  RE: Key Mgmt WG Short Survey!!!!!!

    Posted Aug 18, 2022 07:02:00 AM

    Hi Thanos,

    Thank you so much for this enlightening post.

    The points that you mention are very valuable and insightful.
    Will discuss for sure on our next working group call on the 31st of August!

    Kind regards,
    Marina


    ------------------------------
    Marina Bregkou,
    Senior Research Analyst,
    CSA
    ------------------------------