[cabf_netsec] Threat Modeling meeting - 15.10.2020

Mariusz Kondratowicz mkondratowicz at opera.com
Thu Oct 15 11:13:08 MST 2020 

Hi,

Today we brainstormed differences between on-premise CAs versus the use of
cloud service providers.

Differences:

   1.

   CAs accepting auditor attestations in place of directly managing aspects
   of their environment.
   1.

      CA personnel can’t see the HSMs so they can’t visually verify them
      2.

      What types of audits would be suitable? ISO, SOC, New WebTrust?
      3.

      Do auditors visit all physical locations of the HSMs?  Annually?
      4.

      How important is identifying specific hardware vs operating
      configurations and practices. For example usually auditors take a list of
      HSM serials numbers for auditing sampling purposes.
      2.

   Remote access only. Fundamentally CloudServices are designed to be
   accessed via apis. Also, CSP wouldn’t allow anyone to enter their DC and
   plug things in.
   3.

   Activation materials - usually provided by the vendor. Different concept
   in cloud - no smartcards / tokens used remotely by cloud customers
   4.

   Key management (entire life-cycle) - different than typical, traditional
   CA key generation ceremonies and subsequent CA key management. You have to
   rethink CA key security and the CA key lifecycle.
   5.

   Publicly trusted root outside CSP infrastructure - as an one of the
   options
   6.

   Two-person, multi-person controls (in-person) is not possible for the CA
   personnel to do this (but cloud service personnel can maintain multi-person
   controls for hardware maintenance)
   7.

   CA is freed from the maintenance and physical security hardware - it’s
   in the cloud, not tied to specific HSM devices
   8.

   Possibly Cloud CA could be less focused on engineering in staff
   9.

   Cloud specific threats - OWASP TOP10 Cloud Security (link
   <https://owasp.org/www-pdf-archive/Cloud-Top10-Security-Risks.pdf>)


Potential risk areas:

   -

   CA Equipment
   -

   Abusing shared responsibility model
   -

   Single-region-Cloud-CA


Best regards,
Mariusz

Mariusz Jacek Kondratowicz | Information Security Manager

[image: Opera]

The information in this email and any attachments is CONFIDENTIAL
INFORMATION and is solely for the attention of the intended recipient. If
you are not the intended recipient, then you have received this message in
error and therefore reading it, copying it, or in any way disclosing its
content to any other person is unauthorized. If you have received this
message in error, please notify the sender by reply email and then
immediately delete this email (including any attachments).
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/netsec/attachments/20201015/68d28538/attachment-0001.html>

More information about the Netsec mailing list