Cloud Key Management

  • 1.  Vaulted Tokenization Key Management

    Posted Apr 25, 2023 07:46:00 AM

    What is the contemporary thinking on how often the master key should be changed? It came up on a call this morning. Thought I would ask.

    Cheers,
    alex.



    ------------------------------
    Alex Sharpe
    Principal
    Sharpe42
    Co-Chair Philosophy & Guiding Principles Working Group
    Co-Chair Organizational Strategy & Governance Working Group
    ------------------------------


  • 2.  RE: Vaulted Tokenization Key Management

    Posted Apr 26, 2023 08:09:00 AM
    ... anywhere from often to never, depending on the paranoia-to-regulation ratio.

    We planned to address it, if I recall correctly.

    Cheers!





  • 3.  RE: Vaulted Tokenization Key Management

    Posted Apr 26, 2023 08:59:00 AM

    Like with most things, you need to perform a risk analysis.




    ------------------------------
    Michael Roza CPA, CISA, CIA, CC, MBA, Exec MBA
    ------------------------------



  • 4.  RE: Vaulted Tokenization Key Management

    Posted Apr 26, 2023 01:01:00 PM
    Indeed, results of threat / weakness over resource availability driven risk analysis should inform these decisions, Michael, in the ideal world.
    However, there are s/c "best practices" that are largely influencing individual enterprise decisions in the real world.
    This group might want to at least set the foundation for the risk based approach.

    Best,
    --------------------------------------------------------------
    Strategic Efficiency, GRC
    CEA, PMP, CISSP, CCSP, AWS CSA, ITIL

    " Rite information to Rite roles at Rite time "





  • 5.  RE: Vaulted Tokenization Key Management

    Posted Apr 26, 2023 01:48:00 PM

    Hi,

    That is all still part of the risk analysis.



    ------------------------------
    Michael Roza CPA, CISA, CIA, CC, MBA, Exec MBA
    ------------------------------



  • 6.  RE: Vaulted Tokenization Key Management

    Posted Apr 29, 2023 12:59:00 PM

    We agree. It is on our list of items to address. I am wondering if we can come up with a near-term placeholder. Worst case, the working group can revisit it when it bubbles up on the agenda.

    I also agree 150% that best practices are much better than hoping individual organizations will make good decisions.



    ------------------------------
    Alex Sharpe
    Principal
    Sharpe42
    Co-Chair Philosophy & Guiding Principles Working Group
    Co-Chair Organizational Strategy & Governance Working Group
    ------------------------------



  • 7.  RE: Vaulted Tokenization Key Management

    Posted Apr 29, 2023 09:57:00 PM
    ... it is likely my fault, Alex: I insuccinctly formulated and delivered my message.

    Regrettably, we know so little about the provenance and the circumstances under which this or that s/c "best practice" was developed. It might indeed be the best for the given organization under given circumstances.

    It might not be for you. What is usually missing from most of those BP - context.

    Where did the original AWS advice to change the master every 3 years come from?

    And yet, it gained the status of the BP.

    Does this clarify my position?

    Best,