Cloud Key Management

  • 1.  Meeting Minutes May 3rd, 2023.

    Posted May 11, 2023 01:05:00 PM

    Dear members,

    Below you can find the minutes from our working group call on the 3rd of May.

    Previous action items:

    • Partha and Alex to provide feedback to the presentation from the DLT/Blockchain WG leadership, on the Framework for Digital Certification Governance Security Recommendations. (Link to the recommendations document: https://docs.google.com/spreadsheets/d/1iJ9yvX7JMCunld10ct-ickhTfg4TDPFR/edit#gid=632422826) - PENDING
    • Partha to review the sections that are populated (respectively: section 2 with 2.2, 2.3, 2.4, 2.5, 2.6, and 3.2.1) - PENDING
    • Thanos to please review section 2.2 and 2.4 and 2.5 - Partially PENDING
    • Vrettos to please review section 2.5 - DONE
    • Sam will write section 3.2.7-Key Auditing. - PENDING
    • Alex will include Crypto Agility in 2.1-KMS Overview - PENDING
    • Sam to develop section 1 (1.2 and 1.3 and 1.4) in paragraph form. - DONE
    • Alex to author section 8: Key Mgmt Considerations? - PENDING
    • Author needed for section 10: Vendor Selection Best Practices. - PENDING

    Discussion:
    During the discussion on the Key Mgmt Lifecycle document, Iain Beveridge proposed to consider including considerations about cloud deployment versus on-prem and nuances to be considered between on-prem and cloud instantiations. Partha will create some content on this with Sunil and Santosh, and we have a placeholder for this as section 7 at the end of the document until we decide where it could be placed better.


    New action items to be implemented by our next call on the 17th of May:

    • Document 1: Key Mgmt Lifecycle Best Practices
      • Working group to discuss Thanos' comment on including the key phases as are defined in the NIST 800-57pt1 rev.5 document as discussed initially.
      • All authors to please address and resolve comments made to their particular sections. Either incorporate or justify why the comment is not being addressed.
      • Marina to put out a call for additional authors to contribute to 3.2.2, 4.2, 4.3, 4.4 and 4.5, 5.2, 5.3. Perhaps practitioners that already work on these topics.
      • Partha to add the overview content of the section 3. Dive deep into each item in the life cycle.
      • Iain ( @Iain Beveridge) to please update the diagram with the Key Mgmt lifecycle according to the terminology and the phases we are using in this paper. (Under section 3.1, page 22)
      • Michael Roza ( @Michael Roza) to write the 3.2.5 Key Revocation section.
      • Sam ( @Sam Pfanstiel) to write section 3.2.7. Key Auditing.
      • Marina ( @Marina Bregkou) to write section 3.2.8 Key Destruction.
      • Vani ( @Vani Murthy) to write section 4.1 Compliance and Regulatory Requirements.
      • Partha, Sunil and Santosh will include some content for a new section called 'On-prem Considerations' which is to cover the cloud and on-prem instantiations. It has a placeholder as section 7 for now at the end of the document.
    • Document 2: HSM-as-a-Service:
      • Thanos ( @Thanos Vrachnos) and Santosh ( @Santosh Bompally) to review section 1 written by Sam.
      • Sam ( @Sam Pfanstiel) to provide feedback to Thanos' questionnaire on identifying additional drivers for HSM-as-a-Service.
      • Thanos ( @Thanos Vrachnos) to include a new question as the first one of the survey asking the respondent: 'Are you familiar with the 'HSM-as-a-Service' term?' After that the rest of the survey, with its term and purpose description can follow.
      • Thanos ( @Thanos Vrachnos) to include a short term (HSM-as-a-Service) and purpose description on the top of his survey on HSM drivers.
      • Marina to check the previous Cloud Key Mgmt papers in order to recognize any references to HSM from the CSP/on-prem perspective and perhaps include the non-CSP perspective (on-prem) in this paper. (Check footnotes for Utimaco, Entrust mentions, etc.)

    Next working group call:

    Date: Wednesday, 17th May 2023.

    Time: 08:00 a.m. PST / 11:00 a.m. EST / 16:00 GMT / 17:00 CET / 18:00 EET

    URL: https://zoom.us/j/93617880747  (Meeting ID: 936 1788 0747)

    Kind regards,

    Marina



    ------------------------------
    Marina Bregkou,
    Senior Research Analyst,
    CSA
    ------------------------------


  • 2.  RE: Meeting Minutes May 3rd, 2023.

    Posted May 16, 2023 05:11:00 AM

    Just wanted to let you know I will most likely not be able to attend tomorrow's call. The Zero Trust working group developing the business value document moved its biweekly call to the same hour. I am one of the primary authors of the document and need to attend. I have a couple of open actions for the Key Management Life Cycle Best Practices, which I should be able to get to next week. Sections 2.1 and 2.5 are in final draft. Cheers, alex.



    ------------------------------
    Alex Sharpe
    Principal
    Sharpe42
    Co-Chair Philosophy & Guiding Principles Working Group
    Co-Chair Organizational Strategy & Governance Working Group
    ------------------------------



  • 3.  RE: Meeting Minutes May 3rd, 2023.

    Posted May 16, 2023 06:33:00 AM

    Hi Alex,

    Thank you for notifying.

    I will send you your pending action items in a personal email then, after tomorrow's WG call.

    Kind regards,
    Marina



    ------------------------------
    Marina Bregkou,
    Senior Research Analyst,
    CSA
    ------------------------------