Cloud Key Management

Meeting Minutes 10 January 2024


    Posted Jan 18, 2024 07:50:00 AM

    Dear members,

    Below you can find the meeting minutes from our working group call on the 10th of January.

    Minutes:

    • The HSM document is in the phase of addressing its last peer review comments.
    • The working group discussed the new topics suggested for 2024 and the parallel work-streams:
      • Best Practices when uploading on-prem data to the cloud: The considerations and implications of migrating data to the cloud were discussed. The group agreed that not all data needs to be migrated and the decision depends on the client's interests and the organization's objectives and policies. They also acknowledged the need to understand the data landscape and plan the migration strategy. Partha suggested that the scope could expand to include the lifecycle of the data once it's in the cloud. They also considered the possibility of expanding the scope to include other hot topics, potentially through ongoing publications. The idea of an agile delivery method was also discussed. The team agreed to finalize the content structure by the next meeting, with contributions from interested team members. Smita highlighted the importance of regulatory ramifications in the discussion, which Partha agreed to include in the document outline.
      • Multi-cloud and multi-regional KMS: Sam and Alex discussed the idea of covering multi-regional and multi-cloud use in a single paper. They expressed concerns about covering different use cases that may have different recommendations. The team concluded that two separate documents might be more appropriate, as multi-cloud use often involves risk management and avoiding vendor lock-in. Alex Rebo pointed out that multi-cloud use can be broader than just risk management. The team also discussed the relevance of a multi-region document in solving providers' problems. AR suggested that the problem might have already been solved by the providers, making the document unnecessary. Alex agreed, noting that the focus should shift towards the multi-cloud aspect. Sam suggested starting from a previous draft, emphasizing the need for better visibility of the document's context and proposing the use of comments for questions. The team agreed with Sam's suggestions, but no final decision was made about adding a multi-regional aspect to the focus on multi-cloud KMS.
      • Post-Quantum Cryptography Key Management with procedural steps on crypto-migration: Iain raised the question of whether the group can add value to the post-quantum topic that is not already covered by NIST publications. It was mentioned that NIST will publish fully updated post-quantum algorithms in the next three to six months. The participants also discussed comparing the table of contents of the NIST documents with their own discussion to identify areas not covered by NIST.
        - Quantum Threat and Crypto Agility: The participants discussed the misconception that quantum computing only speeds up brute-force attacks and emphasized that it enables new cryptanalytic attacks. They also mentioned different types of quantum computers, the need to address crypto harvesting, and the significance of crypto agility. The impact of quantum computing on key management systems and the need to explain the reasons behind implementing post-quantum cryptography were also discussed. The participants highlighted the importance of understanding the impact of post-quantum cryptography on cloud implementations and key generation. Alex pointed out that many documents focus on the mechanics of these changes, but not the reasoning behind them. Iain suggested that, as the key management working group, they should consider how quantum cryptography will impact key management, code signing, and key generation. Sam added that this is a much larger topic than just cloud, and that looking at the implementation through KMS systems in the cloud might provide a more nuanced perspective.
        - A shorter document would be more engaging; Partha proposed creating a concise publication that targets areas not covered by NIST.

    Previous action items:

    • Sam to update Diagram 1: Debit PIN Translation Flow, page 13 and Diagram 2: Credit Card Transaction Flow, page 15. - PENDING
    • Sam and Alex Rebo to arrange a separate call to discuss the 'Multi-Cloud and Multi-Regional' document's structure and purpose. - DONE
    • Partha to provide a "skeleton" for the 'Best Practices when uploading on-prem data to the cloud' paper. A potential table of contents. - DONE
    • Sunil to provide a 'Lesson Learned' list for what to avoid and what to manage more efficiently. - DONE
    • Members of the group to review the three new documents and indicate which ones they are interested in contributing to. - DONE

    New action items:

    • Sam ( @Sam Pfanstiel) to update Diagram 1: Debit PIN Translation Flow, page 13 and Diagram 2: Credit Card Transaction Flow, page 15, in the HSM document.
    • Sam ( @Sam Pfanstiel) and Jim will work on the PIN-based payment card transactions use case that has comments pending.
    • Regarding the parallel documents:
      • Best Practices when Uploading On-Prem Data to the Cloud: Partha to expand the scope to include the lifecycle of the data once it is in the cloud.
      • Multi-Cloud and Multi-Regional KMS: Review the previous document on the multi-cloud overview and decide whether to continue with it or start a new document. Sam ( @Sam Pfanstiel) will work on the structure of the document and source the content sections from current business considerations and challenges. Regulatory ramifications are to be included as the most important bullet point to consider when planning the migration to the cloud. Other areas of interest: assessment and planning, security aspects, migration execution and management, transitioning and moving.
      • Post-Quantum Cryptography Key Management with Procedural Steps on Crypto-Migration: Iain ( @Iain Beveridge) and others will review the NIST documents and discuss the possibility of creating a practical implementation guide for post-quantum cryptography. The document will focus on the key management aspects of post-quantum cryptography. The team agreed to review the existing documents and provide feedback on the value of creating a concise, actionable document in this area, by contributing to the Table of Contents and considering how quantum cryptography will impact key management, code signing, and key generation.

    Next working group call: 24 January 2024

    Time: 09:00 a.m. PT / 12:00 p.m. ET / 17:00 GMT / 19:00 EET

    URL: https://zoom.us/j/93617880747  (Meeting ID: 936 1788 0747)

    Warm regards,

    Marina
    ------------------------------
    Marina Bregkou,
    Senior Research Analyst,
    CSA
    ------------------------------