Cloud Key Management

Meeting Minutes May 17th, 2023.

    Posted May 29, 2023 02:21:00 PM
    Edited by Marina Bregkou May 30, 2023 09:00:34 AM

    Dear members,

    Below you can find the minutes from our working group call on the 17th of May.

    Discussion:
    Bruno Kovacs mentioned considering the new ISO 13491, which covers the management of an HSM, for the HSM-as-a-Service document.

    Previous action items:

    • Document 1: Key Mgmt Lifecycle Best Practices
      • Working group to discuss Thanos' comment on including the key phases as defined in NIST SP 800-57 Part 1 Rev. 5, as discussed initially. - PENDING
      • All authors to please address and resolve comments made to their particular sections: either incorporate the comment or justify why it is not being addressed. - Partially DONE
      • Marina to put out a call for additional authors to contribute to 3.2.2, 4.2, 4.3, 4.4 and 4.5, 5.2, 5.3, perhaps practitioners who already work on these topics. - DONE
      • Partha to add the overview content of the section 3. Dive deep into each item in the life cycle. - DONE
      • Iain to please update the diagram with the Key Mgmt lifecycle according to the terminology and the phases we are using in this paper. (Under section 3.1, page 22) - DONE
      • Michael Roza to write the 3.2.5 Key Revocation section. - PENDING
      • Sam to write section 3.2.7. Key Auditing. - PENDING
      • Marina to write section 3.2.8 Key Destruction. - PENDING
      • Vani to write section 4.1 Compliance and Regulatory Requirements. - PENDING
      • Partha, Sunil and Santosh will include some content for a new section called 'On-prem Considerations' which is to cover the cloud and on-prem instantiations. It has a placeholder as section 7 for now at the end of the document. - DONE
    • Document 2: HSM-as-a-Service:
      • Thanos and Santosh to review section 1 written by Sam. - DONE
      • Sam to provide feedback to Thanos questionnaire on identifying additional drivers for HSM-as-a-Service. - DONE
      • Thanos to include a new question as the first one of the survey, asking the respondent: "Are you familiar with the term 'HSM-as-a-Service'?" After that, the rest of the survey, with its term and purpose description, can follow. - DONE
      • Thanos to include a short description of the term (HSM-as-a-Service) and its purpose at the top of his survey on HSM drivers. - DONE
      • Marina to check the previous Cloud Key Mgmt papers in order to recognize any references to HSM from the CSP/on-prem perspective and perhaps include the non-CSP perspective (on-prem) in this paper. (Check footnotes for Utimaco, Entrust mentions, etc.) - PENDING

    New action items: 

    • Document 1: HSM-as-a-Service:
      • Marina to check the previous Cloud Key Mgmt papers in order to recognize any references to HSM from the CSP/on-prem perspective and perhaps include the non-CSP perspective (on-prem) in this paper. (Check footnotes for Utimaco, Entrust mentions, etc.)
      • Sam (@Sam Pfanstiel) to address and resolve comments made to section 1 by Thanos and Alex.
      • Carlos (@Carlos Rombaldo Junior) to write the use case of section 3.5 - Full Homomorphic Encryption
      • Iain (@Iain Beveridge) to write section 5.2.1 - General Purpose HSM
      • Simon Keates to write section 5.2.2 - Payments HSM
      • Tim (@Tim Winston) to expand into paragraph form the bullet points he has included in sections 6.1 and 6.2 - Physical and Logical Security Controls
      • Simon Keates to write section 6.3 - Multi-tenant Segregation
      • Alex (@Alex Sharpe) to write section 8 - Key Mgmt Considerations, which will be linked with the parallel Key Mgmt Best Practices document.
      • Sam (@Sam Pfanstiel) to review and approve section 9 - Governance, written by Rajat Dubey.
      • Sam (@Sam Pfanstiel) to review and approve section 10 - Vendor Selection Best Practices, written by Rajat Dubey.
    • Document 2: Key Mgmt Lifecycle Best Practices
      • Working group to discuss Thanos' comment on including the key phases as defined in NIST SP 800-57 Part 1 Rev. 5, as discussed initially.
      • Michael Roza (@Michael Roza) to write the 3.2.5 Key Revocation section.
      • Sam (@Sam Pfanstiel) to write section 3.2.7 Key Auditing.
      • Marina to write section 3.2.8 Key Destruction.
      • Vani (@Vani Murthy) to write section 4.1 Compliance and Regulatory Requirements.
      • Vasan Kidambi to write section 4.2 - Technical Considerations
      • Rajat (@Rajat Dubey) to write section 4.3 - Operational Considerations
      • Vanesa Arias to write section 4.4 - Financial Considerations
      • Vani (@Vani Murthy), as section 4 lead, to review section 4.5 written by Vasan Kidambi.
      • Santosh (@Santosh Bompally) to include missing diagrams and references in section 5.1 - Deployment Approach
      • Santosh (@Santosh Bompally) to review and approve/disapprove content added in section 5.2 - Deployment Considerations by Amit Butail.
      • Rajat (@Rajat Dubey) to write section 5.3 - Operations and Maintenance
      • Carlos (@Carlos Rombaldo Junior) to write section 5.4 Auditing Requirements.
      • Partha, Sunil, Santosh (@Sunil Arora / @Santosh Bompally) to review and approve/disapprove additional text included in section 7 - On-prem Considerations by Parth Jamodkar.

    Next working group call:

    Wednesday, 31st May, at 08:00 a.m. PST / 11:00 a.m. EST / 16:00 GMT / 18:00 EET.
    (https://zoom.us/j/93617880747 Meeting ID: 936 1788 0747)

    Kind regards,

    Marina



    ------------------------------
    Marina Bregkou,
    Senior Research Analyst,
    CSA
    ------------------------------