[Servercert-wg] Ballot SCXX: Security Requirements for Air-Gapped CA Systems

Ben Wilson bwilson at mozilla.com
Mon Nov 16 09:31:49 MST 2020


Sorry for the cross-posting, but I am now looking for endorsers of this
ballot so that we can bring it to final discussion and vote.

On Thu, Nov 12, 2020 at 9:19 AM Ben Wilson <bwilson at mozilla.com> wrote:

> For informal discussion and comment, here is Ballot SCXX: Security
> Requirements for Air-Gapped CA Systems
>
>
> Ballot SC XX: Security Requirements for Air-Gapped CA Systems
>
> Purpose of the Ballot:
>
> This ballot increases the security of Air-Gapped/Offline CA systems
> (“Air-Gapped CA Systems”) by clarifying the controls that CAs must
> implement to protect them.
>
> Air-Gapped CA systems are maintained in entirely distinct zones, and while
> they can share certain exterior physical controls with online systems, they
> are not connected to online systems or the Internet. Thus, they have
> different operational requirements and controls due to their separate risk
> profile. While the scope of the current Network and Certificate System
> Security Requirements includes Air-Gapped CA systems, the document focuses
> on online systems and contains a number of requirements that are not
> practical to implement in an offline environment and could increase the
> risk to offline systems.
>
> As an example, access to offline systems frequently elevates the risk to
> the environment. A quarterly vulnerability scan in the offline environment
> is not practical, because there is an increased risk involved with
> attaching a scanning device to an Air-Gapped CA system. As another example,
> because such systems are not connected, the provisions of subsection 1.g
> (ports and protocols) are not applicable.
>
> This ballot develops a working definition for an “Air-Gapped CA System” to
> allow for a clear delineation between those system components that fall
> under this category of Air-Gapped/Offline requirements and those under
> other requirements. In doing so, the ballot creates two sets of
> requirements tailored to their respective operating environments and
> characteristics.
>
> Not only does this ballot introduce a new section 5, it also adds
> additional physical security requirements for air-gapped CAs by requiring
> video monitoring, intrusion detection, and other intrusion prevention
> controls to protect Air-Gapped CA Systems against unauthorized physical
> access attempts. The new section 5 presents logical security requirements
> in subsections a through m and physical security requirements in
> subsections p through w.
>
> These proposed subsections in a new section 5 come from the current NCSSRs
> as follows:
>
>
> Description                                         Offline     General
>                                                     Criteria #  Criteria #
>
> Logical Security of Air-Gapped CA Systems
>
> Configuration review                                5a          1h
> Appointing individuals to trusted roles             5b          2a
> Grant access to Air-Gapped CAs                      5c          1i
> Document responsibilities of Trusted roles          5d          2b
> Segregation of duties                               5e          2d
> Require least privileged access for Trusted Roles   5f          2e
> All access tracked to individual account            5g          2f
> Password requirements                               5h          2gi
> Review logical access                               5i          2j
> Implement multi-factor access                       5j          2m
> Monitor Air-Gapped CA systems                       5k          3b
> Review logging integrity                            5l          3e
> Monitor archive and retention of logs               5m          3f
>
> Physical Security of Air-Gapped CA Systems
>
> Grant physical access                               5p          1i
> Multi-person physical access                        5q          1j
> Review physical access                              5r          2j
> Video monitoring                                    5s          3a
> Physical access monitoring                          5t          3a
> Review accounts with physical access                5u          2j
> Monitor retention of physical access of records     5v          3f
> Review integrity of physical access logs            5w          3e
>
> This motion is made by Ben Wilson of Mozilla and endorsed by David Kluge
> of Google Trust Services and ________ of _________.
>
>
> --- Motion Begins ---
>
> That the CA/Browser Forum Server Certificate Working Group adopt the
> following requirements as amendments to the Network and Certificate System
> Security Requirements.
>
> Replace 1.c. with "Maintain Root CA Systems in a High Security Zone and
> as Air-Gapped CA Systems, in accordance with Section 5;"
>
> Add definition of "Air-Gapped CA System" as "A system that is kept offline
> or otherwise air-gapped and separated from other systems and that is used
> by a CA or Delegated Third Party in storing and managing CA private keys
> and performing signing operations."
>
> Add a new Section 5 -
>
> 5. GENERAL PROTECTIONS FOR AIR-GAPPED CA SYSTEMS
>
> This Section 5 separates requirements for Air-Gapped CA Systems into two
> categories--logical security and physical security.
>
> Logical Security of Air-Gapped CA Systems
>
> Certification Authorities and Delegated Third Parties SHALL implement the
> following controls to ensure the logical security of Air-Gapped CA Systems:
>
> a. Review static configurations of Air-Gapped CA Systems at least on an
> annual basis to determine whether any changes violated the CA’s security
> policies;
>
> b. Follow a documented procedure for appointing individuals to Trusted
> Roles on Air-Gapped CA Systems;
>
> c. Grant logical access to Air-Gapped CA Systems only to persons acting in
> Trusted Roles and require their accountability for the Air-Gapped CA
> System's security;
>
> d. Document the responsibilities and tasks assigned to Trusted Roles and
> implement "separation of duties" for such Trusted Roles based on the
> security-related concerns of the functions to be performed;
>
> e. Ensure that an individual in a Trusted Role acts only within the scope
> of such role when performing administrative tasks assigned to that role;
>
> f. Require employees and contractors to observe the principle of "least
> privilege" when accessing, or when configuring access privileges on,
> Air-Gapped CA Systems;
>
> g. Require that all access to systems and offline key material can be
> traced back to an individual in a Trusted Role (through a combination of
> recordkeeping, use of logical and physical credentials, authentication
> factors, video recording, etc.);
>
> h. If an authentication control used by a Trusted Role is a username and
> password, then, where technically feasible, require that passwords have at
> least twelve (12) characters;
>
> i. Review logical access control lists at least annually and deactivate
> any accounts that are no longer necessary for operations;
>
> j. Enforce Multi-Factor Authentication OR multi-party authentication for
> administrator access to Air-Gapped CA Systems;
>
> k. Identify those Air-Gapped CA Systems capable of monitoring and logging
> system activity and enable those systems to continuously monitor and log
> system activity. Back up logs to an external system each time the system is
> used or on a quarterly basis, whichever is less frequent;
>
> l. On a quarterly basis or each time the Air-Gapped CA System is used,
> whichever is less frequent, check the integrity of the logical access
> logging processes and ensure that logging and log-integrity functions are
> effective;
>
> m. On a quarterly basis or each time the Air-Gapped CA System is used,
> whichever is less frequent, monitor the archival and retention of logical
> access logs to ensure that logs are retained for the appropriate amount of
> time in accordance with the disclosed business practices and applicable
> legislation.
>
> n. Reserved for future use
>
> o. Reserved for future use
>
> Physical Security of Air-Gapped CA Systems
>
> Certification Authorities and Delegated Third Parties SHALL implement the
> following controls to ensure the physical security of Air-Gapped CA Systems:
>
> p. Grant physical access to Air-Gapped CA Systems only to persons acting
> in Trusted Roles and require their accountability for the Air-Gapped CA
> System’s security;
>
> q. Ensure that only personnel assigned to Trusted Roles have physical
> access to Air-Gapped CA Systems and multi-person access controls are
> enforced at all times;
>
> r. Implement a process that removes physical access of an individual to
> all Air-Gapped CA Systems within twenty-four (24) hours upon termination of
> the individual’s employment or contracting relationship with the CA or
> Delegated Third Party;
>
> s. Implement video monitoring, intrusion detection, and intrusion
> prevention controls to protect Air-Gapped CA Systems against unauthorized
> physical access attempts;
>
> t. Implement a Security Support System that monitors, detects, and reports
> any security-related configuration change to the physical access to
> Air-Gapped CA Systems;
>
> u. Review all system accounts on physical access control lists at least
> every three (3) months and deactivate any accounts that are no longer
> necessary for operations;
>
> v. On a quarterly basis or each time the Air-Gapped CA System is used,
> whichever is less frequent, monitor the archival and retention of the
> physical access logs to ensure that logs are retained for the appropriate
> amount of time in accordance with the disclosed business practices and
> applicable legislation.
>
> w. On a quarterly basis or each time the Air-Gapped CA System is used,
> whichever is less frequent, check the integrity of the physical access
> logging processes and ensure that logging and log-integrity functions are
> effective.
>
> --- Motion Ends ---
>
> Discussion Period -
>
> This ballot proposes a Final Maintenance Guideline.
>
> The procedure for approval of this ballot is as follows:
>
> Discussion (7+ days)
>
> Start Time: 2020-11-XX 17:00 UTC
>
> End Time: not before 2020-11-XX 17:00 UTC
>
> Vote for approval (7 days)
>
> Start Time: TBD
>
> End Time: TBD
>
>