Dear members,
Below you can find the minutes from our working group call on the 17th of May.
Discussion:
Bruno Kovacs mentioned considering the new ISO 13491 that mentions management of a HSM, for the HSM-as-a-Service document.
Previous action items:
- Document 1: Key Mgmt Lifecycle Best Practices
- Working group to discuss Thanos' comment on including the key phases as are defined in the NIST 800-57pt1 rev.5 document as discussed initially. - PENDING
- All authors to please address and resolve comments made to their particular sections. Either incorporate or justify why the comment is not being addressed. - Partially DONE.
- Marina to put out a call for additional authors to contribute to 3.2.2, 4.2, 4.3, 4.4 and 4.5, 5.2, 5.3. Perhaps practitioners that already works on these topics. - DONE
- Partha to add the overview content of the section 3. Dive deep into each item in the life cycle. - DONE
- Iain to please update the diagram with the Key Mgmt lifecycle according to the terminology and the phases we are using in this paper. (Under section 3.1, page 22) - DONE
- Michael Roza to write the 3.2.5 Key Revocation section. - PENDING
- Sam to write section 3.2.7. Key Auditing. - PENDING
- Marina to write section 3.2.8 Key Destruction. - PENDING
- Vani to write section 4.1 Compliance and Regulatory Requirements. - PENDING
- Partha, Sunil and Santosh will include some content for a new section called 'On-prem Considerations' which is to cover the cloud and on-prem instantiations. It has a placeholder as section 7 for now at the end of the document. - DONE
- Document 2: HSM-as-a-Service:
- Thanos and Santosh to review section 1 written by Sam. - DONE
- Sam to provide feedback to Thanos questionnaire on identifying additional drivers for HSM-as-a-Service. - DONE
- Thanos to include a new question as the first one of the survey asking the respondent: 'Are you familiar with the 'HSM-as-a-Service' term?' After that the rest of the survey, with its term and purpose description can follow. - DONE
- Thanos include a short term (HSM-as-a-Service) and purpose description on the top of his survey on HSM drivers. - DONE
- Marina to check the previous Cloud Key Mgmt papers in order to recognize any references to HSM from the CSP/on-prem perspective and perhaps include the non-CSP perspective (on-prem) in this paper. (Check footnotes for Utimaco, Entryst mentions, etc.) - PENDING
New action items:
- Document 1: HSM-as-a-Service:
- Marina to check the previous Cloud Key Mgmt papers in order to recognize any references to HSM from the CSP/on-prem perspective and perhaps include the non-CSP perspective (on-prem) in this paper. (Check footnotes for Utimaco, Entryst mentions, etc.)
- Sam ( @Sam Pfanstiel) to address and resolve comments made to section 1 by Thanos and Alex.
- Carlos ( @Carlos Rombaldo Junior) to write use case of section 3.5 - Full Homomorphic Encryption
- Iain ( @Iain Beveridge ) to write section 5.2.1 - General Purpose HSM
- Simon Keates to write section 5.2.2 - Payments HSM
- Tim ( @Tim Winston) to write in paragraph mode the bullet points he has included in sections 6.1 and 6.2 - Physical and Logical Security Controls
- Simon Keates to write section 6.3 - Multi-tenant Segregation
- Alex ( @Alex Sharpe) to write section 8 - Key Mgmt Considerations, which will be linked with the Key Mgmt Best practices parallel document.
- Sam ( @Sam Pfanstiel) to review and approve section 9 - Governance written by Rajat Dubey.\
- Sam ( @Sam Pfanstiel) to review and approve section 10 - Vendor Selection Best Practices written by Rajat Dubey.
- Document 2: Key Mgmt Lifecycle Best Practices
- Working group to discuss Thanos' comment on including the key phases as are defined in the NIST 800-57pt1 rev.5 document as discussed initially.
- Michael Roza ( @Michael Roza) to write the 3.2.5 Key Revocation section.
- Sam ( @Sam Pfanstiel) to write section 3.2.7. Key Auditing.
- Marina to write section 3.2.8 Key Destruction.
- Vani ( @Vani Murthy) to write section 4.1 Compliance and Regulatory Requirements.
- Vasan Kidambi to write section 4.2 - Technical Considerations
- Rajat ( @Rajat Dubey) to write section 4.3 - Operational Considerations
- Vanesa Arias to write section 4.4 - Financial Considerations
- Vani ( @Vani Murthy) as section 4 lead, to review section 4.5 written by Vasan Kidambi.
- Santosh ( @Santosh Bompally ) to include missing diagrams and references in section 5.1 - Deployment Approach
- Santosh ( @Santosh Bompally) to review and approve/disapprove content added in section 5.2 - Deployment Considerations, by Amit Butail.
- Rajat ( @Rajat Dubey) to write section 5.3 - Operations and Maintenance
- Carlos ( @Carlos Rombaldo Junior) to write section 5.4 Auditing Requirements.
- Partha, Sunil, Santosh ( @Sunil Arora / @Santosh Bompally ) to review and approve/disapprove additional text included in section 7 - On-prem Considerations by Parth Jamodkar.
Next working group call:
Wednesday, 31st May, at 08:00 a.m. PST / 11:00 a.m. EST / 16:00 GMT / 18:00 EET.
(https://zoom.us/j/93617880747 Meeting ID: 936 1788 0747)
Kind regards,
Marina
------------------------------
Marina Bregkou,
Senior Research Analyst,
CSA
------------------------------