[Servercert-wg] [EXTERNAL] Fwd: [cabf_netsec] SCXX: Offline CA Security Requirements
Bruce Morton
Bruce.Morton at entrustdatacard.com
Thu Aug 20 11:12:02 MST 2020
Hi Ben,
Sections under BR 5.2 address Trust Roles; however, the BR sections don’t have much text. Would it make sense to add some of the proposed ballot Trusted Role text to the BRs? I’m thinking of sections 5b, d, e and possibly f. It appears this text should apply to Trusted Roles even if they are not performing NetSec tasks.
Thanks, Bruce.
From: Servercert-wg <servercert-wg-bounces at cabforum.org> On Behalf Of Ben Wilson via Servercert-wg
Sent: Thursday, August 20, 2020 12:42 PM
To: CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
Subject: [EXTERNAL][Servercert-wg] Fwd: [cabf_netsec] SCXX: Offline CA Security Requirements
Before we finalize this as a ballot, the NetSec group wanted to see if there were any comments to this latest approach of replacing "Offline CA System" with "Air-Gapped CA System."
Thanks in advance for your comments.
Ben
Purpose of the Ballot:
Air-Gapped (Offline) CA systems operate differently than online systems and have a different risk profile. While the current Network and Certificate System Security Requirements include Air-Gapped CA systems, they focus on online systems and contain a number of requirements that are not practical to implement in an offline environment and could increase the risk to an offline environment.
As an example, access to offline systems frequently elevates the risk to the environment. A quarterly vulnerability scan in the offline environment is not practical, because there is an increased risk involved with attaching a scanning device to an Offline CA system.
This ballot develops a working definition for an “Air-Gapped CA System” to allow for a clear delineation between those system components that fall under this category of air-gapped/offline requirements and those under all other requirements. While this ballot introduces a new section 5, this ballot only makes minor changes to the current requirements by replacing some online requirements with physical security requirements for air-gapped CAs. The new section 5 presents logical security requirements in subsections a through m and physical security requirements in subsections p through w. Otherwise, this ballot does not add any new requirements. This will create a separate set of requirements that apply only to Air-Gapped CA Systems.
These proposed subsections in a new section 5 have their counterpart and come from the current NCSSRs as follows:
Description                                          | Air-Gapped CA Criteria Section # | Current General Criteria Section #
-----------------------------------------------------|----------------------------------|-----------------------------------
Logical Security                                     |                                  |
Configuration review                                 | 5a                               | 1h
Appointing individuals to trusted roles              | 5b                               | 2a
Grant access to offline CAs                          | 5c                               | 1i
Document responsibilities of Trusted roles           | 5d                               | 2b
Segregation of duties                                | 5e                               | 2d
Require least privileged access for Trusted Roles    | 5f                               | 2e
All access tracked to individual account             | 5g                               | 2f
Password requirements                                | 5h                               | 2gi
Review logical access                                | 5i                               | 2j
Implement multi-factor access                        | 5j                               | 2m
Monitor offline CA systems                           | 5k                               | 3b
Review logging integrity                             | 5l                               | 3e
Monitor archive and retention of logs                | 5m                               | 3f
Physical Security                                    |                                  |
Grant physical access                                | 5p                               | 1i
Multi-person physical access                         | 5q                               | 1j
Review physical access                               | 5r                               | 2j
Video monitoring                                     | 5s                               | 3a
Physical access monitoring                           | 5t                               | 3a
Review accounts with physical access                 | 5u                               | 2j
Monitor retention of physical access records         | 5v                               | 3f
Review integrity of physical access logs             | 5w                               | 3e
BALLOT TEXT
Replace 1.c. with "Maintain Root CA Systems in a High Security Zone and as Air-Gapped CA Systems, in accordance with Section 5;"
Add definition of "Air-Gapped CA System" as "A system that is kept offline or otherwise air-gapped and separated from other systems used by a CA or Delegated Third Party in storing and managing CA private keys and performing signing and logging operations."
Add a new Section 5 -
5. GENERAL PROTECTIONS FOR AIR-GAPPED CA SYSTEMS
This Section 5 separates requirements for Air-Gapped CA Systems into two categories: logical security and physical security.
Logical Security of Air-Gapped CA Systems
Certification Authorities and Delegated Third Parties SHALL implement the following controls to ensure the logical security of Air-Gapped CA Systems:
a. Review static configurations of Air-Gapped CA Systems at least on an annual basis to determine whether any changes violated the CA’s security policies;
b. Follow a documented procedure for appointing individuals to Trusted Roles on Air-Gapped CA Systems;
c. Grant logical access to Air-Gapped CA Systems only to persons acting in Trusted Roles and require their accountability for the Air-Gapped CA System's security;
d. Document the responsibilities and tasks assigned to Trusted Roles and implement "separation of duties" for such Trusted Roles based on the security-related concerns of the functions to be performed;
e. Ensure that an individual in a Trusted Role acts only within the scope of such role when performing administrative tasks assigned to that role;
f. Require employees and contractors to observe the principle of "least privilege" when accessing, or when configuring access privileges on, Air-Gapped CA Systems;
g. Require that all access to systems and offline key material can be traced back to an individual in a Trusted Role (through a combination of recordkeeping, use of logical and physical credentials, authentication factors, video recording, etc.);
h. If an authentication control used by a Trusted Role is a username and password, then, where technically feasible, require that passwords have at least twelve (12) characters;
i. Review logical access control lists at least annually and deactivate any accounts that are no longer necessary for operations;
j. Enforce Multi-Factor Authentication OR multi-party authentication for administrator access to Air-Gapped CA Systems;
k. Identify those Air-Gapped CA Systems capable of monitoring and logging system activity and enable those systems to continuously monitor and log system activity. Back up logs to an external system each time the system is used or on a quarterly basis, whichever is less frequent;
l. On a quarterly basis or each time the Air-Gapped CA System is used, whichever is less frequent, check the integrity of the logical access logging processes and ensure that logging and log-integrity functions are effective;
m. On a quarterly basis or each time the Air-Gapped CA System is used, whichever is less frequent, monitor the archival and retention of logical access logs to ensure that logs are retained for the appropriate amount of time in accordance with the disclosed business practices and applicable legislation.
n. Reserved for future use
o. Reserved for future use
Physical Security of Air-Gapped CA Systems
Certification Authorities and Delegated Third Parties SHALL implement the following controls to ensure the physical security of Air-Gapped CA Systems:
p. Grant physical access to Air-Gapped CA Systems only to persons acting in Trusted Roles and require their accountability for the Air-Gapped CA System’s security;
q. Ensure that only personnel assigned to Trusted Roles have physical access to Air-Gapped CA Systems and multi-person access controls are enforced at all times;
r. Implement a process that removes physical access of an individual to all Air-Gapped CA Systems within twenty-four (24) hours upon termination of the individual’s employment or contracting relationship with the CA or Delegated Third Party;
s. Implement video monitoring, intrusion detection, and prevention controls to protect Air-Gapped CA Systems against unauthorized physical access attempts;
t. Implement a Security Support System that monitors, detects, and reports any security-related configuration change to the physical access to Air-Gapped CA Systems;
u. Review all system accounts on physical access control lists at least every three (3) months and deactivate any accounts that are no longer necessary for operations;
v. On a quarterly basis or each time the Air-Gapped CA System is used, whichever is less frequent, monitor the archival and retention of the physical access logs to ensure that logs are retained for the appropriate amount of time in accordance with the disclosed business practices and applicable legislation.
w. On a quarterly basis or each time the Air-Gapped CA System is used, whichever is less frequent, check the integrity of the physical access logging processes and ensure that logging and log-integrity functions are effective.