[cabf_netsec] Threat Modeling meeting - 15.10.2020
Mariusz Kondratowicz
mkondratowicz at opera.com
Thu Oct 15 11:13:08 MST 2020
Hi,
Today we brainstormed differences between on-premise CAs versus the use of
cloud service providers.
Differences:
1. CAs accepting auditor attestations in place of directly managing aspects
   of their environment.
   1. CA personnel can’t see the HSMs so they can’t visually verify them
   2. What types of audits would be suitable? ISO, SOC, New WebTrust?
   3. Do auditors visit all physical locations of the HSMs? Annually?
   4. How important is identifying specific hardware vs operating
      configurations and practices? For example, usually auditors take a
      list of HSM serial numbers for auditing sampling purposes.
2. Remote access only. Fundamentally, cloud services are designed to be
   accessed via APIs. Also, CSP wouldn’t allow anyone to enter their DC and
   plug things in.
3. Activation materials - usually provided by the vendor. Different concept
   in cloud - no smartcards / tokens used remotely by cloud customers
4. Key management (entire life-cycle) - different than typical, traditional
   CA key generation ceremonies and subsequent CA key management. You have to
   rethink CA key security and the CA key lifecycle.
5. Publicly trusted root outside CSP infrastructure - as one of the options
6. Two-person, multi-person controls (in-person) are not possible for the CA
   personnel (but cloud service personnel can maintain multi-person
   controls for hardware maintenance)
7. CA is freed from the maintenance and physical security hardware - it’s
   in the cloud, not tied to specific HSM devices
8. Possibly Cloud CA could be less focused on engineering in staff
9. Cloud specific threats - OWASP TOP10 Cloud Security (link
   <https://owasp.org/www-pdf-archive/Cloud-Top10-Security-Risks.pdf>)
Potential risk areas:
- CA Equipment
- Abusing shared responsibility model
- Single-region-Cloud-CA
Best regards,
Mariusz
Mariusz Jacek Kondratowicz | Information Security Manager