Integrate GSA Feedback on Offline Root CA Systems #1
base: master
@@ -17,21 +17,21 @@ a. Segment Certificate Systems into networks based on their functional or logica | |||
|
|||
b. Apply equivalent security controls to all systems co-located in the same network with a Certificate System; | |||
|
|||
c. Maintain Root CA Systems in a High Security Zone and in an offline state or air-gapped from all other networks; | |||
c. Maintain Root CA Systems in a High Security Zone and in an offline state or air-gapped from all other networks. Offline Root CA systems shall be a non-networked, stand-alone system that is powered down when not in use; |
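Review bot: the sentence added to c. mixes number ("Offline Root CA systems shall be a non-networked, stand-alone system") and introduces "non-networked", "stand-alone" and "powered down" without defining them, while the first half still reads "offline state or air-gapped", so a Root CA that is only air-gapped but left powered on still satisfies the clause. Suggest "Each Offline Root CA System shall be non-networked and stand-alone, and shall be powered down when not in use", together with definitions of those terms in the definitions section, or changing "or" to "and" in the first sentence.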
The existing definition may be enough, but look at changes if they are changed by removing this line.
See my comment below. If we define those terms, I don't know that it matters if they remove that line.
|
||
d. Maintain and protect Issuing Systems, Certificate Management Systems, and Security Support Systems in at least a Secure Zone; | ||
|
||
e. Implement and configure Security Support Systems that protect systems and communications between systems inside Secure Zones and High Security Zones, and communications with non-Certificate Systems outside those zones (including those with organizational business units that do not provide PKI-related services) and those on public networks; | ||
|
||
f. Configure each network boundary control (firewall, switch, router, gateway, or other network control device or system) with rules that support only the services, protocols, ports, and communications that the CA has identified as necessary to its operations; | ||
|
||
g. Configure Issuing Systems, Certificate Management Systems, Security Support Systems, and Front-End / Internal-Support Systems by removing or disabling all accounts, applications, services, protocols, and ports that are not used in the CA’s or Delegated Third Party’s operations and allowing only those that are approved by the CA or Delegated Third Party; | ||
g. Configure all systems used during a certificate life-cycle event by removing or disabling all accounts, applications, services, protocols, and ports that are not used in the CA’s or Delegated Third Party’s operations and allowing only those that are approved by the CA or Delegated Third Party; |
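Review bot: replacing the enumerated system classes in g. with "all systems used during a certificate life-cycle event" widens the hardening requirement to an undefined set (the term "certificate life-cycle event" is not defined anywhere in this diff) and drops the explicit coverage of Front-End / Internal-Support Systems. Suggest keeping the original enumeration and appending "and Offline Root CA Systems" if the intent was to bring the offline root under the same hardening rule.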
Maybe too broad a statement.
I agree that it's too broad. I'd prefer to be more specific.
@@ -17,21 +17,21 @@ a. Segment Certificate Systems into networks based on their functional or logica | |||
|
|||
b. Apply equivalent security controls to all systems co-located in the same network with a Certificate System; | |||
|
|||
c. Maintain Root CA Systems in a High Security Zone and in an offline state or air-gapped from all other networks; | |||
c. Maintain Root CA Systems in a High Security Zone and in an offline state or air-gapped from all other networks. Offline Root CA systems shall be a non-networked, stand-alone system that is powered down when not in use; |
I think some of these requirements can be clarified if definitions are provided for the terminology used:
Air-gapped: Physically segregated (NOTE: it is not sufficient for logical segregation alone (e.g., firewall rules, VLANs, etc.)).
Offline: Stand-alone or networked computer system that is maintained in a powered-off state when not actively in use.
Non-Networked: System that is only accessible from a console, and cannot access any resources outside of those directly connected to the system.
@@ -17,21 +17,21 @@ a. Segment Certificate Systems into networks based on their functional or logica | |||
|
|||
b. Apply equivalent security controls to all systems co-located in the same network with a Certificate System; | |||
|
|||
c. Maintain Root CA Systems in a High Security Zone and in an offline state or air-gapped from all other networks; | |||
c. Maintain Root CA Systems in a High Security Zone and in an offline state or air-gapped from all other networks. Offline Root CA systems shall be a non-networked, stand-alone system that is powered down when not in use; |
The problem I have with this OR statement is that it now allows Root CAs to be online, similar to how we have Common:
Maintain Root CA Systems in a High Security Zone and in an offline state AND air-gapped from all other networks.
|
||
h. Review configurations of Issuing Systems, Certificate Management Systems, Security Support Systems, and Front-End / Internal-Support Systems on at least a weekly basis to determine whether any changes violated the CA’s security policies; | ||
h. Review configurations of Issuing Systems, Certificate Management Systems, Security Support Systems, and Front-End / Internal-Support Systems on at least a weekly basis to determine whether any changes violated the CA’s security policies. For offline Root CA systems, review configurations every 30 days or when the system is powered-on; |
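Review bot: the sentence added to h. is ambiguous: "every 30 days or when the system is powered-on" can be read as satisfied by either condition alone, and a system that is powered down when not in use (per c.) cannot have its configuration reviewed every 30 days without being powered on solely for that purpose. Suggest "at least every 30 days, and whenever the system is powered on", and write "powered on" without the hyphen to match "powered down" in c.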
Change last sentence to:
Review configurations for Root CAs that are maintained in a non-networked and offline state at least every 30 days, or when the system is powered on.
|
||
i. Grant administration access to Certificate Systems only to persons acting in Trusted Roles and require their accountability for the Certificate System’s security; | ||
|
||
j. Implement Multi-Factor Authentication to each component of the Certificate System that supports Multi-Factor Authentication; | ||
j. Implement Multi-Factor Authentication to each component of the Certificate System that supports Multi-Factor Authentication. For offline Root CA systems, Multi-Factor Authentication should be implemented and based on compensating access controls; |
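Review bot: the second sentence added to j. weakens the modal from the surrounding SHALL to "should" and does not say what "compensating access controls" are, so an auditor has nothing concrete to test; it is also redundant with the original "that supports Multi-Factor Authentication" qualifier, which already scopes the requirement. Suggest dropping the sentence, or, if an alternative for offline roots is intended, stating it as a SHALL with the acceptable compensating controls enumerated.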
As long as they keep: "that supports Multi-Factor Authentication;" I'm ok with the original requirement.
|
||
c. Implement automated mechanisms under the control of CA or Delegated Third Party Trusted Roles to process logged system activity and alert personnel, using notices provided to multiple destinations, of possible Critical Security Events; | ||
c. Except for offline Root CA systesms, implement automated mechanisms under the control of CA or Delegated Third Party Trusted Roles to process logged system activity and alert personnel, using notices provided to multiple destinations, of possible Critical Security Events; |
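Review bot: "systesms" in the added c. is a typo for "systems". Beyond that, exempting offline Root CA systems from automated alerting leaves no stated replacement, so logged activity on those systems could go unreviewed; suggest pairing the exemption with a manual review of the logs each time the system is powered on, matching the 30-day / power-on cadence added to h.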
Except for "Except for air-gapped and offline, non-networked, Root CA systems"
@@ -104,13 +104,13 @@ f. Maintain, archive, and retain logs in accordance with disclosed business prac | |||
|
|||
Certification Authorities and Delegated Third Parties SHALL: | |||
|
|||
a. Implement intrusion detection and prevention controls under the control of CA or Delegated Third Party Trusted Roles to protect Certificate Systems against common network and system threats; | |||
a. Except for offline Root CA systems, implement intrusion detection and prevention controls under the control of CA or Delegated Third Party Trusted Roles to protect Certificate Systems against common network and system threats; |
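Review bot: the exemption in a. uses lower-case "offline Root CA systems" while the definitions section adds the capitalised defined term "Offline Root CA System"; use the defined term here (and in the other exemptions added in c., d. and h.) so the carve-out is bound to that definition, which requires non-networked, stand-alone and powered down rather than merely "offline".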
Except for "Except for offline, non-networked, Root CA systems"
|
||
d. Undergo a Penetration Test on the CA’s and each Delegated Third Party’s Certificate Systems on at least an annual basis and after infrastructure or application upgrades or modifications that the CA determines are significant; | ||
d. Undergo a Penetration Test on all non-offline Root CA’s and each Delegated Third Party’s Certificate Systems on at least an annual basis and after infrastructure or application upgrades or modifications that the CA determines are significant; |
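Review bot: rewriting d. as "all non-offline Root CA's and each Delegated Third Party's Certificate Systems" narrows the penetration test from the CA's Certificate Systems as a whole to Root CA systems only, so the CA's own Issuing Systems, Certificate Management Systems and Security Support Systems are no longer covered; "Root CA's" also reads as a possessive where a plural is meant. Suggest "on the CA's and each Delegated Third Party's Certificate Systems, excluding Offline Root CA Systems, on at least an annual basis ..." so the exemption is added without shrinking the scope.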
"Undergo a Penetration Test on all network connected Root CA’s and each Delegated Third Party’s Certificate Systems on at least an annual basis and after infrastructure or application upgrades or modifications that the CA determines are significant;"
Do you really want this to apply to air-gapped systems?
|
||
b. Document and follow a vulnerability correction process that addresses the identification, review, response, and remediation of vulnerabilities; | ||
|
||
c. Undergo or perform a Vulnerability Scan (i) within one (1) week of receiving a request from the CA/Browser Forum, (ii) after any system or network changes that the CA determines are significant, and (iii) at least every three (3) months, on public and private IP addresses identified by the CA or Delegated Third Party as the CA’s or Delegated Third Party’s Certificate Systems; | ||
c. Undergo or perform a Vulnerability Scan (i) within one (1) after any system or network changes that the CA determines are significant, and (ii) at least every three (3) months, on public and private IP addresses identified by the CA or Delegated Third Party as the CA’s or Delegated Third Party’s Certificate Systems; |
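Review bot: deleting the CA/Browser Forum clause from c. left "(i) within one (1) after any system or network changes" without its unit; the original read "within one (1) week of receiving a request". Either restore "week" after "(1)" or reword (i) as "after any system or network changes that the CA determines are significant", as the original (ii) read. If offline Root CA systems are meant to be exempt here as in a. and d., say so explicitly, since a powered-down, non-networked system presents no IP address to scan.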
Do we need to clarify that systems that only have a loopback address (127.0.0.1) or no network card should be excluded from this?
**National Vulnerability Database (NVD):** A database that includes the Common Vulnerability Scoring System (CVSS) scores of security-related software flaws, misconfigurations, and vulnerabilities associated with systems (see http://nvd.nist.gov/home.cfm). | ||
**National Vulnerability Database (NVD):** A database that includes the Common Vulnerability Scoring System (CVSS) scores of security-related software flaws, misconfigurations, and vulnerabilities associated with systems (see http://nvd.nist.gov/home.cfm). | ||
|
||
**Offline Root CA System:** A Root CA System that is operated in a non-networked, stand-alone state and powered down when not in use. |
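Review bot: the new "Offline Root CA System" definition relies on "non-networked" and "stand-alone", which the definitions section does not define, and it says nothing about air-gapping or physical segregation, so the term could be satisfied by a system that is isolated only logically. Suggest adding definitions for "air-gapped", "offline" and "non-networked" alongside it (the thread on c. proposes wording) and stating that logical segregation alone does not qualify.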
Air-gapped: Physically segregated (NOTE: it is not sufficient for logical segregation alone (e.g., firewall rules, VLANs, etc.)).
Offline: Stand-alone or networked computer system that is maintained in a powered-off state when not actively in use.
Non-Networked: System that is only accessible from a console, and cannot access any resources outside of those directly connected to the system.