[cabf_netsec] Ballot SCXX (Security Requirements for Air-Gapped CA Systems)

Ben Wilson bwilson at mozilla.com
Sun Sep 20 21:05:32 MST 2020


All we need is another endorser.


Ballot SC XX: Security Requirements for Air-Gapped CA Systems

Purpose of the Ballot:

Air-Gapped (Offline) CA systems operate differently than online systems and
have a different risk profile. While they include Air-Gapped CA systems in
scope, the current Network and Certificate System Security Requirements focus
on online systems and contain a number of requirements that are not practical
to implement in an offline environment and could increase the risk to an
offline environment.

As an example, access to offline systems frequently elevates the risk to
the environment. A quarterly vulnerability scan in the offline environment
is not practical, because there is an increased risk involved with
attaching a scanning device to an Air-Gapped CA system.

This ballot develops a working definition for an “Air-Gapped CA System” to
allow for a clear delineation between those system components that fall
under this category of air-gapped/offline requirements and those under all
other requirements. While this ballot introduces a new section 5, this
ballot only makes minor changes to the current requirements by replacing
some online requirements with physical security requirements for air-gapped
CAs. The new section 5 presents logical security requirements in
subsections a through m and physical security requirements in subsections p
through w. Otherwise, this ballot does not add any new requirements. This
will create a separate set of requirements that apply only to Air-Gapped CA
Systems.

These proposed subsections in a new section 5 come from the current NCSSRs
as follows:


Description                                          Offline     General
                                                     Criteria #  Criteria #

Logical Security of Air-Gapped CA Systems
  Configuration review                               5a          1h
  Appointing individuals to trusted roles            5b          2a
  Grant access to Air-Gapped CAs                     5c          1i
  Document responsibilities of Trusted roles         5d          2b
  Segregation of duties                              5e          2d
  Require least privileged access for Trusted Roles  5f          2e
  All access tracked to individual account           5g          2f
  Password requirements                              5h          2gi
  Review logical access                              5i          2j
  Implement multi-factor access                      5j          2m
  Monitor Air-Gapped CA systems                      5k          3b
  Review logging integrity                           5l          3e
  Monitor archive and retention of logs              5m          3f

Physical Security of Air-Gapped CA Systems
  Grant physical access                              5p          1i
  Multi-person physical access                       5q          1j
  Review physical access                             5r          2j
  Video monitoring                                   5s          3a
  Physical access monitoring                         5t          3a
  Review accounts with physical access               5u          2j
  Monitor retention of physical access of records    5v          3f
  Review integrity of physical access logs           5w          3e

This motion is made by Ben Wilson of Mozilla and endorsed by David Kluge of
Google Trust Services and ________ of _________.


--- Motion Begins ---

That the CA/Browser Forum Server Certificate Working Group adopt the
following requirements as amendments to the Network and Certificate System
Security Requirements.

Replace 1.c. with "Maintain Root CA Systems in a High Security Zone and as
Air-Gapped CA Systems, in accordance with Section 5;"

Add definition of "Air-Gapped CA System" as "A system that is kept offline
or otherwise air-gapped and separated from other systems used by a CA or
Delegated Third Party in storing and managing CA private keys and
performing signing and logging operations."

Add a new Section 5 -

5. GENERAL PROTECTIONS FOR AIR-GAPPED CA SYSTEMS

This Section 5 separates requirements for Air-Gapped CA Systems into two
categories--logical security and physical security.

Logical Security of Air-Gapped CA Systems

Certification Authorities and Delegated Third Parties SHALL implement the
following controls to ensure the logical security of Air-Gapped CA Systems:

a. Review static configurations of Air-Gapped CA Systems at least on an
annual basis to determine whether any changes violated the CA’s security
policies;

b. Follow a documented procedure for appointing individuals to Trusted
Roles on Air-Gapped CA Systems;

c. Grant logical access to Air-Gapped CA Systems only to persons acting in
Trusted Roles and require their accountability for the Air-Gapped CA
System's security;

d. Document the responsibilities and tasks assigned to Trusted Roles and
implement "separation of duties" for such Trusted Roles based on the
security-related concerns of the functions to be performed;

e. Ensure that an individual in a Trusted Role acts only within the scope
of such role when performing administrative tasks assigned to that role;

f. Require employees and contractors to observe the principle of "least
privilege" when accessing, or when configuring access privileges on,
Air-Gapped CA Systems;

g. Require that all access to systems and offline key material can be
traced back to an individual in a Trusted Role (through a combination of
recordkeeping, use of logical and physical credentials, authentication
factors, video recording, etc.);

h. If an authentication control used by a Trusted Role is a username and
password, then, where technically feasible, require that passwords have at
least twelve (12) characters;

i. Review logical access control lists at least annually and deactivate any
accounts that are no longer necessary for operations;

j. Enforce Multi-Factor Authentication OR multi-party authentication for
administrator access to Air-Gapped CA Systems;

k. Identify those Air-Gapped CA Systems capable of monitoring and logging
system activity and enable those systems to continuously monitor and log
system activity. Back up logs to an external system each time the system is
used or on a quarterly basis, whichever is less frequent;

l. On a quarterly basis or each time the Air-Gapped CA System is used,
whichever is less frequent, check the integrity of the logical access
logging processes and ensure that logging and log-integrity functions are
effective;

m. On a quarterly basis or each time the Air-Gapped CA System is used,
whichever is less frequent, monitor the archival and retention of logical
access logs to ensure that logs are retained for the appropriate amount of
time in accordance with the disclosed business practices and applicable
legislation.

n. Reserved for future use

o. Reserved for future use

Physical Security of Air-Gapped CA Systems

Certification Authorities and Delegated Third Parties SHALL implement the
following controls to ensure the physical security of Air-Gapped CA Systems:

p. Grant physical access to Air-Gapped CA Systems only to persons acting in
Trusted Roles and require their accountability for the Air-Gapped CA
System’s security;

q. Ensure that only personnel assigned to Trusted Roles have physical
access to Air-Gapped CA Systems and multi-person access controls are
enforced at all times;

r. Implement a process that removes physical access of an individual to all
Air-Gapped CA Systems within twenty-four (24) hours upon termination of the
individual’s employment or contracting relationship with the CA or
Delegated Third Party;

s. Implement video monitoring, intrusion detection, and prevention controls
to protect Air-Gapped CA Systems against unauthorized physical access
attempts;

t. Implement a Security Support System that monitors, detects, and reports
any security-related configuration change to the physical access to
Air-Gapped CA Systems;

u. Review all system accounts on physical access control lists at least
every three (3) months and deactivate any accounts that are no longer
necessary for operations;

v. On a quarterly basis or each time the Air-Gapped CA System is used,
whichever is less frequent, monitor the archival and retention of the
physical access logs to ensure that logs are retained for the appropriate
amount of time in accordance with the disclosed business practices and
applicable legislation.

w. On a quarterly basis or each time the Air-Gapped CA System is used,
whichever is less frequent, check the integrity of the physical access
logging processes and ensure that logging and log-integrity functions are
effective.

As indicated in the following redline:

https://github.com/cabforum/documents/compare/6b870f92d4788a52c2bbc9d96a1db17751e906b1..7bc1e8350fc53ee39e36a952850a3cb7d1283fbc

--- Motion Ends ---

Discussion Period -

This ballot proposes a Final Maintenance Guideline.

The procedure for approval of this ballot is as follows:

Discussion (7+ days)

Start Time: 2020-09-XX 17:00 UTC

End Time: not before 2020-09-XX 17:00 UTC

Vote for approval (7 days)

Start Time: TBD

End Time: TBD