[Servercert-wg] Ballot SCXX: Security Requirements for Air-Gapped CA Systems

Corey Bonnell Corey.Bonnell at digicert.com
Thu Nov 19 14:54:55 MST 2020


Hi Ben,

I have a question on (k) for Logical Security, which reads:

> k. Identify those Air-Gapped CA Systems capable of monitoring and logging system activity and enable those systems to continuously monitor and log system activity. Back up logs to an external system each time the system is used or on a quarterly basis, whichever is less frequent;


I would like to confirm that the intention of this requirement is that systems that are capable of monitoring and logging system activity when powered on but are generally in a powered-off state need not remain powered on so they can continually monitor the system. Systems that are powered off are logically in the most secure state, so I want to ensure the proposed language does not preclude that.


Thanks,

Corey


From: Servercert-wg <servercert-wg-bounces at cabforum.org> On Behalf Of Ben Wilson via Servercert-wg
Sent: Thursday, November 12, 2020 11:19 AM
To: CA/B Forum Server Certificate WG Public Discussion List <servercert-wg at cabforum.org>
Subject: [Servercert-wg] Ballot SCXX: Security Requirements for Air-Gapped CA Systems


For informal discussion and comment, here is Ballot SCXX: Security Requirements for Air-Gapped CA Systems


Ballot SC XX: Security Requirements for Air-Gapped CA Systems


Purpose of the Ballot:


This ballot increases the security of Air-Gapped/Offline CA systems (“Air-Gapped CA Systems”) by clarifying the controls that CAs must implement to protect them.


Air-Gapped CA systems are maintained in entirely distinct zones, and while they can share certain exterior physical controls with online systems, they are not connected to online systems or the Internet. Thus, they have different operational requirements and controls due to their separate risk profile. While the scope of the current Network and Certificate System Security Requirements includes Air-Gapped CA systems, the document focuses on online systems and contains a number of requirements that are not practical to implement in an offline environment and could increase the risk to offline systems. 

As an example, access to offline systems frequently elevates the risk to the environment. A quarterly vulnerability scan in the offline environment is not practical, because there is an increased risk involved with attaching a scanning device to an Air-Gapped CA system. As another example, because such systems are not connected, the provisions of subsection 1.g (ports and protocols) are not applicable.

This ballot develops a working definition for an “Air-Gapped CA System” to allow for a clear delineation between those system components that fall under this category of Air-Gapped/Offline requirements and those under other requirements. In doing so, the ballot creates two sets of requirements tailored to their respective operating environments and characteristics.

Not only does this ballot introduce a new section 5, it also adds additional physical security requirements for air-gapped CAs by requiring video monitoring, intrusion detection, and other intrusion prevention controls to protect Air-Gapped CA Systems against unauthorized physical access attempts. The new section 5 presents logical security requirements in subsections a through m and physical security requirements in subsections p through w.


These proposed subsections in a new section 5 come from the current NCSSRs as follows:

Description                                       Offline Criteria #  General Criteria #

Logical Security of Air-Gapped CA Systems
Configuration review                              5a                  1h
Appointing individuals to trusted roles           5b                  2a
Grant access to Air-Gapped CAs                    5c                  1i
Document responsibilities of Trusted roles        5d                  2b
Segregation of duties                             5e                  2d
Require least privileged access for Trusted Roles 5f                  2e
All access tracked to individual account          5g                  2f
Password requirements                             5h                  2gi
Review logical access                             5i                  2j
Implement multi-factor access                     5j                  2m
Monitor Air-Gapped CA systems                     5k                  3b
Review logging integrity                          5l                  3e
Monitor archive and retention of logs             5m                  3f

Physical Security of Air-Gapped CA Systems
Grant physical access                             5p                  1i
Multi-person physical access                      5q                  1j
Review physical access                            5r                  2j
Video monitoring                                  5s                  3a
Physical access monitoring                        5t                  3a
Review accounts with physical access              5u                  2j
Monitor retention of physical access of records   5v                  3f
Review integrity of physical access logs          5w                  3e


This motion is made by Ben Wilson of Mozilla and endorsed by David Kluge of Google Trust Services and ________ of _________.


--- Motion Begins ---


That the CA/Browser Forum Server Certificate Working Group adopt the following requirements as amendments to the Network and Certificate System Security Requirements.


Replace 1.c. with "Maintain Root CA Systems in a High Security Zone and as Air-Gapped CA Systems, in accordance with Section 5;"

Add definition of "Air-Gapped CA System" as "A system that is kept offline or otherwise air-gapped and separated from other systems and that is used by a CA or Delegated Third Party in storing and managing CA private keys and performing signing operations."

Add a new Section 5 -

5. GENERAL PROTECTIONS FOR AIR-GAPPED CA SYSTEMS

This Section 5 separates requirements for Air-Gapped CA Systems into two categories--logical security and physical security.

Logical Security of Air-Gapped CA Systems

Certification Authorities and Delegated Third Parties SHALL implement the following controls to ensure the logical security of Air-Gapped CA Systems:

a. Review static configurations of Air-Gapped CA Systems at least on an annual basis to determine whether any changes violated the CA’s security policies;

b. Follow a documented procedure for appointing individuals to Trusted Roles on Air-Gapped CA Systems;

c. Grant logical access to Air-Gapped CA Systems only to persons acting in Trusted Roles and require their accountability for the Air-Gapped CA System's security;

d. Document the responsibilities and tasks assigned to Trusted Roles and implement "separation of duties" for such Trusted Roles based on the security-related concerns of the functions to be performed;

e. Ensure that an individual in a Trusted Role acts only within the scope of such role when performing administrative tasks assigned to that role;

f. Require employees and contractors to observe the principle of "least privilege" when accessing, or when configuring access privileges on, Air-Gapped CA Systems;

g. Require that all access to systems and offline key material can be traced back to an individual in a Trusted Role (through a combination of recordkeeping, use of logical and physical credentials, authentication factors, video recording, etc.);

h. If an authentication control used by a Trusted Role is a username and password, then, where technically feasible, require that passwords have at least twelve (12) characters;

i. Review logical access control lists at least annually and deactivate any accounts that are no longer necessary for operations;

j. Enforce Multi-Factor Authentication OR multi-party authentication for administrator access to Air-Gapped CA Systems;

k. Identify those Air-Gapped CA Systems capable of monitoring and logging system activity and enable those systems to continuously monitor and log system activity. Back up logs to an external system each time the system is used or on a quarterly basis, whichever is less frequent;

l. On a quarterly basis or each time the Air-Gapped CA System is used, whichever is less frequent, check the integrity of the logical access logging processes and ensure that logging and log-integrity functions are effective;

m. On a quarterly basis or each time the Air-Gapped CA System is used, whichever is less frequent, monitor the archival and retention of logical access logs to ensure that logs are retained for the appropriate amount of time in accordance with the disclosed business practices and applicable legislation.

n. Reserved for future use

o. Reserved for future use

Physical Security of Air-Gapped CA Systems

Certification Authorities and Delegated Third Parties SHALL implement the following controls to ensure the physical security of Air-Gapped CA Systems:

p. Grant physical access to Air-Gapped CA Systems only to persons acting in Trusted Roles and require their accountability for the Air-Gapped CA System’s security;

q. Ensure that only personnel assigned to Trusted Roles have physical access to Air-Gapped CA Systems and multi-person access controls are enforced at all times;

r. Implement a process that removes physical access of an individual to all Air-Gapped CA Systems within twenty-four (24) hours upon termination of the individual’s employment or contracting relationship with the CA or Delegated Third Party;

s. Implement video monitoring, intrusion detection, and intrusion prevention controls to protect Air-Gapped CA Systems against unauthorized physical access attempts;

t. Implement a Security Support System that monitors, detects, and reports any security-related configuration change to the physical access to Air-Gapped CA Systems;

u. Review all system accounts on physical access control lists at least every three (3) months and deactivate any accounts that are no longer necessary for operations;

v. On a quarterly basis or each time the Air-Gapped CA System is used, whichever is less frequent, monitor the archival and retention of the physical access logs to ensure that logs are retained for the appropriate amount of time in accordance with the disclosed business practices and applicable legislation.

w. On a quarterly basis or each time the Air-Gapped CA System is used, whichever is less frequent, check the integrity of the physical access logging processes and ensure that logging and log-integrity functions are effective.


--- Motion Ends ---


Discussion Period -


This ballot proposes a Final Maintenance Guideline.


The procedure for approval of this ballot is as follows:


Discussion (7+ days)

Start Time: 2020-11-XX 17:00 UTC

End Time: not before 2020-11-XX 17:00 UTC


Vote for approval (7 days)

Start Time: TBD

End Time: TBD

