Keys and certificates are a vital part of any company's security infrastructure and need to be regularly audited to maximize their effectiveness. For quick reference, the 7 steps to get started are:
- Ensure SSL and SSH policies are in place and scheduled for annual review.
- Maintain a system-generated inventory of keys and certificates.
- Confirm all keys and certificates are policy-compliant.
- Have your private key management processes reviewed.
- Put safeguards in place to prevent the migration of non-production keys and certificates to production.
- Always be ready in case of certificate authority (CA) compromise.
- Confirm the effectiveness of EKCM controls with a process capability assessment.
Let’s take a deeper look at each of these steps!
- Ensure SSL and SSH policies are in place and scheduled for annual review.
  - Certificate/key attribute thresholds are defined:
    - Minimum key lengths
    - Approved cryptographic algorithms
    - Maximum certificate and private key validity (rotation) periods
    - Identification of approved certificate authorities (CAs)
    - Guidelines for selecting the proper CA (e.g., internal versus external)
    - Approved trusted root certificates
  - Certificate management policies, including:
    - Enrollment procedures for new and renewed certificates
    - Registration authority procedures
    - Minimum renewal periods
  - Private key management policies, including:
    - Administrative access to private keys
    - Allowed keystore types
    - Separation of duties
    - Dual control
    - Logging requirements
  - Roles and responsibilities of all stakeholders
  - Revocation checking is enabled and enforced on relying party systems
- Maintain a system-generated inventory of keys and certificates.
  - Network scans are performed periodically
  - Onboard scans are performed periodically
  - Well-defined procedures are in place for reliably registering certificates and private key instances that cannot be discovered by network or onboard scanning
  - All locations of certificates and private keys are recorded
  - All owners or contacts are identified
  - All relevant attributes of the certificates are collected as part of the inventory
- Confirm all keys and certificates are policy-compliant.
- Have your private key management processes reviewed.
  - Administrators should not have direct access to private keys
  - Private keys that have been directly accessed by administrators are replaced when those administrators are reassigned or leave the organization
  - Strong credentials are used for access to the keystores where private keys are stored
  - Separation of duties is enforced (controlled via granular access controls)
  - Dual control is enforced (controlled via workflow review and approvals)
  - All management operations are logged to a secure audit log
- Put safeguards in place to prevent the migration of non-production keys and certificates to production.
  - Why this matters:
    - Keys on Dev/Test systems are exposed to many more administrators
    - Moving a Dev/Test key to production therefore creates significant security risk
    - Security on Dev/Test systems is much lower than on production systems
  - Solution: only allow test CAs to be used on non-production systems
    - Test CAs should not be trusted on production systems (i.e., test root certificates are not installed in production trust stores)
    - This ensures that certificates (and private keys) used in Dev/Test cannot move into production
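As an added example (not code from the article or from any product it describes), the script below applies policy thresholds of the kind step 1 defines to inventory records of the kind step 2 produces, reporting the non-compliant certificates step 3 asks for and the test-CA-in-production condition step 5 describes. The policy values, CA names and inventory records are all assumed, illustrative data.

```python
from datetime import date

# Assumed policy thresholds (illustrative values, not taken from the article).
POLICY = {
    "min_key_bits": {"RSA": 2048, "EC": 256},
    "approved_sig_algs": {"sha256WithRSAEncryption", "ecdsa-with-SHA256"},
    "max_validity_days": 398,
    "approved_cas": {"Corp Issuing CA 01", "Public CA Example"},
    "test_cas": {"Corp Test CA"},
}

def check_record(rec, policy=POLICY):
    """Return the policy violations for one inventory record (empty list == compliant)."""
    findings = []
    min_bits = policy["min_key_bits"].get(rec["key_type"])
    if min_bits is None:
        findings.append(f"key type {rec['key_type']} not approved")
    elif rec["key_bits"] < min_bits:
        findings.append(f"{rec['key_type']} key of {rec['key_bits']} bits below minimum {min_bits}")
    if rec["sig_alg"] not in policy["approved_sig_algs"]:
        findings.append(f"signature algorithm {rec['sig_alg']} not approved")
    validity = (date.fromisoformat(rec["not_after"]) - date.fromisoformat(rec["not_before"])).days
    if validity > policy["max_validity_days"]:
        findings.append(f"validity {validity} days exceeds maximum {policy['max_validity_days']}")
    issuer = rec["issuer"]
    if issuer in policy["test_cas"]:
        # Test CAs are acceptable only outside production (step 5).
        if rec["environment"] == "production":
            findings.append(f"test CA {issuer} issued a certificate used in production")
    elif issuer not in policy["approved_cas"]:
        findings.append(f"issuer {issuer} is not an approved CA")
    return findings

def audit_inventory(records, policy=POLICY):
    # Map each record id to its violations; compliant records are omitted.
    return {r["id"]: f for r in records if (f := check_record(r, policy))}

# Constructed sample inventory records (hypothetical hosts and certificates).
SAMPLE_INVENTORY = [
    {"id": "web01:443", "environment": "production", "issuer": "Corp Issuing CA 01",
     "key_type": "RSA", "key_bits": 2048, "sig_alg": "sha256WithRSAEncryption",
     "not_before": "2024-01-01", "not_after": "2025-01-01"},
    {"id": "legacy02:443", "environment": "production", "issuer": "Corp Issuing CA 01",
     "key_type": "RSA", "key_bits": 1024, "sig_alg": "sha1WithRSAEncryption",
     "not_before": "2020-01-01", "not_after": "2030-01-01"},
    {"id": "app03:8443", "environment": "production", "issuer": "Corp Test CA",
     "key_type": "EC", "key_bits": 256, "sig_alg": "ecdsa-with-SHA256",
     "not_before": "2024-06-01", "not_after": "2025-06-01"},
]
```

Running `audit_inventory(SAMPLE_INVENTORY)` returns only the two non-compliant entries, so the report doubles as the work list for the replacement procedures described under step 6.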
- Always be ready in case of certificate authority (CA) compromise.
  - Security and operations of internal and external CAs are regularly audited
  - Backup CAs are in place:
    - External CAs: active contractual relationships are maintained with more than one vendor
    - Internal CAs: an alternate CA is ready to be activated but is kept offline until needed
  - Preparation and recovery plans for a CA compromise include:
    - Reliable procedures for rapidly replacing all certificates issued from each CA currently in use
    - Reliable procedures for rapidly removing trusted root certificates from all applicable trust stores in case of a root CA compromise
    - Technologies and processes for tracking and monitoring the progress of replacement operations
    - Roles and responsibilities during a CA compromise response
- Confirm the effectiveness of EKCM controls with a process capability assessment.
  - Perform a sanity check using a process maturity framework such as COBIT.