Prioritizing Trust: Certificate Authority Best Practices

Similar documents
Frequently Asked Questions. Frequently Asked Questions: Securing the Future of Trust on the Internet

White Paper. Securing the Future of Trust on the Internet The Way Forward for the PKI Ecosystem

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

Payment Card Industry Data Security Standard

Comparing Cost of Ownership: Symantec Managed PKI Service vs. On- Premise Software

Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security

North American Electric Reliability Corporation (NERC) Cyber Security Standard

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

Cybersecurity Report on Small Business: Study Shows Gap between Needs and Actions

Cisco Advanced Services for Network Security

Licensing Symantec Certificates

Five keys to a more secure data environment

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Simplify SSL Certificate Management Across the Enterprise

White paper. How to choose a Certificate Authority for safer web security

ALTERNATIVES TO CERTIFICATION AUTHORITIES FOR A SECURE WEB

Based on: CA/Browser Forum. Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates Version 1.1.

Security Issues in Cloud Computing

Wildcard and SAN: Understanding multi-use SSL Certificates

Independent Accountants Report

Larry Wilson Version 1.0 November, University Cyber-security Program Critical Asset Mapping

2012 Endpoint Security Best Practices Survey

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Securing Microsoft Exchange 2010 with Symantec SSL Certificates

WEBTRUST FOR CERTIFICATION AUTHORITIES SSL BASELINE REQUIREMENTS AUDIT CRITERIA V.1.1 [Amended 1 ] CA/BROWSER FORUM

Business Continuity and Breach Protection: Why SSL Certificate Management Is Critical to Today s Enterprise

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

Leveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs

White Paper. Business Continuity and Breach Protection: Why SSL Certificate Management is Critical to Today s Enterprise

Securing Microsoft Exchange 2010 With VeriSign Authentication Services

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

Seven Things To Consider When Evaluating Privileged Account Security Solutions

NIST ITL July 2012 CA Compromise

Cybersecurity and internal audit. August 15, 2014

Xerox Litigation Services. In the Cybersecurity Hot Seat: How Law Firms are Optimizing Security While Reducing Cost and Risk

Compliance Guide ISO Compliance Guide. September Contents. Introduction 1. Detailed Controls Mapping 2.

March

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/

Solution Brief: Enterprise Security

Open Data Center Alliance Usage: Provider Assurance Rev. 1.1

Technology Blueprint. Protect Your Servers. Guard the data and availability that enable business-critical communications

White Paper: Consensus Audit Guidelines and Symantec RAS

S E C U R I T Y A S S E S S M E N T : B o m g a r B o x T M. Bomgar. Product Penetration Test. September 2010

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND LOG MANAGER

Gain a New Level of Trust with Extended Validation SSL Certificates

White paper. Implications of digital certificates on trusted e-business.

Autodesk PLM 360 Security Whitepaper

KEY STEPS FOLLOWING A DATA BREACH

NETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015

Privilege Gone Wild: The State of Privileged Account Management in 2015

White Paper. Simplify SSL Certificate Management Across the Enterprise

Media Shuttle s Defense-in- Depth Security Strategy

Protecting Your Name on the Internet The Business Benefits of Extended Validation SSL Certificates

CORE Security and the Payment Card Industry Data Security Standard (PCI DSS)

Privilege Gone Wild: The State of Privileged Account Management in 2015

White Paper. Enhancing Website Security with Algorithm Agility

Integrated Threat & Security Management.

How To Monitor Your Entire It Environment

Symantec Cyber Threat Analysis Program Program Overview. Symantec Cyber Threat Analysis Program Team

ETSI TR V1.1.1 ( )

SANS Top 20 Critical Controls for Effective Cyber Defense

Advanced Service Desk Security

Does your Citrix or Terminal Server environment have an Achilles heel?

Data Management Policies. Sage ERP Online

1 Introduction Product Description Strengths and Challenges Copyright... 5

Achieving PCI Compliance Using F5 Products

Information security controls. Briefing for clients on Experian information security controls

External Supplier Control Requirements

Passing PCI Compliance How to Address the Application Security Mandates

Attachment A. Identification of Risks/Cybersecurity Governance

PCI Requirements Coverage Summary Table

SECURITY OVERVIEW FOR MY.ENDNOTE.COM. In line with commercial industry standards, Thomson Reuters employs a dedicated security team to protect our

NERC CIP VERSION 5 COMPLIANCE

Symantec Protection Suite Enterprise Edition for Servers Complete and high performance protection where you need it

Nine Steps to Smart Security for Small Businesses

Comodo Certificate Manager. Centrally Managing Enterprise Security, Trust & Compliance

S E C U R I T Y A S S E S S M E N T : B o m g a r A p p l i a n c e s

Internet threats: steps to security for your small business

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

Finding Security in the Cloud

Choosing a Cloud Hosting Provider with Confidence

GFI White Paper PCI-DSS compliance and GFI Software products

Worldwide Security and Vulnerability Management Forecast and 2008 Vendor Shares

Licensing VeriSign Certificates

TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE. ebook Series

FormFire Application and IT Security. White Paper

Computer System Security Updates

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

Transcription:

WHITE PAPER: PRIORITIZING TRUST: CERTIFICATE AUTHORITY BEST PRACTICES White Paper Prioritizing Trust: Certificate Authority Best Practices A Policy for Commercial Certificate Authorities

Prioritizing Trust: Certificate Authority Best Practices A Policy for Commercial Certificate Authorities CONTENTS Abstract / Executive Summary... 3 Introduction... 3 Certificate Authorities Are the Guardians of Trust Online... 4 CA Security Breaches Have Undermined the Public Trust... 5 CAs Should Not be Granted Equal Trust Without Providing Equal Assurance... 6 Security IS the Bottom Line... 6 Setting a New Baseline for the CA Industry... 7 Maintaining a Secure IT Infrastructure... 7 Enforcing Rigorous Identify Validation Practices... 8 Demonstrating Compliance with Policies and Regulations... 9 Going Beyond the Baseline Requirements... 9 Governance... 11 Design... 11 Implementation... 12 Conclusion... 13 2

Abstract / Executive Summary SSL certificates form the basis of trust on the public Internet, and for more than a decade, CAs have acted as brokers of trust. But in 2011, a string of highly publicized CA security breaches sparked a debate as to whether SSL certificate technology (and the entire CA industry) is fundamentally broken. Fortunately, the answer is unequivocally no. However, these security breaches are proof-positive that while commercial CAs are generally trusted equally by browsers, CAs do not all follow the same strict security practices, and not provide equal levels of assurance. This fundamental problem of equal trust without equal assurance must be addressed. Symantec and other members of the CA/Browser Forum took the first step towards a more robust, sustainable PKI ecosystem in December 2011 with the release of Baseline Requirements for the Issuance and Management of Publicly- Trusted Certificates, the first international baseline standard for the operation of Certification Authorities (CAs) issuing organization and domain validated SSL/TLS digital certificates natively trusted in browser software. 1 And further work is being discussed in the CA/Browser Forum, specifically on Certificate Authority security practices. This white paper will discuss the urgent need for all commercial CAs to implement better security standards, starting with these CA/Browser Baseline Requirements, and the steps that Web browser developers, SSL certificate subscribers, and relying parties can to do hold CAs accountable for complying with these requirements. This document will also give you insight into Symantec s rigorous security and authentication practices lead the industry in reputation qualification measures to establish an online business credibility. Introduction For more than a decade, commercial Certificate Authorities (CAs) have acted as trusted third parties, protecting the exchange of private information over the public Internet. But in recent months, there has been a cloud of controversy hanging over the head of commercial certificate authorities. A string of highly publicized CA security breaches of 2011 sparked a debate as to whether SSL certificate technology and the entire CA industry that distributes it are fundamentally broken. 2 Fortunately, the answer is categorically and unequivocally no. Digital certificates and PKI still provides excellent protection against evolving cybersecurity threats. With the right tools and processes, CAs are fully capable of providing the greatest assurance possible that their certificates and the websites that use the certificates are genuine and safe for online business. 1 http://www.cabforum.org/baseline_requirements_v1.pdf 2 http://www.symantec.com/connect/blogs/bright-outlook-ssl 3

The most significant challenge facing the PKI ecosystem is not a technological flaw or limitation, but rather the way it is being implemented and the practices around it specifically Certificate Authority practices. To address this problem, Symantec and other members of the CA/Browser Forum took the first step towards a more robust, sustainable PKI ecosystem in December 2011 with the release of Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, the first international baseline standard for the operation of Certification Authorities (CAs) issuing organization and domain validated SSL/TLS digital certificates natively trusted in browser software. 3 These baseline requirements are just the beginning, however, Symantec is working with CA/Browser forum on a set of guidelines for defining better CA security practices and advocates for many CAs to embrace higher standards for their security practices. Certificate Authorities Are the Guardians of Trust Online A Certificate Authority (CA) is an organization that issues digital certificates to individuals and organizations. CAs are responsible for securing each certificate with strong encryption using the SSL/TLS protocol. But perhaps the most important responsibility that commercial CAs have is to authenticate the identity of each certificate holder, which forms the basis for trust on the Internet. For more than a decade, CAs have acted as trust brokers between entities on the Internet, and it is estimated that more than 4.5 million sites are using SSL certificates issued by a certificate authorities 4 such as Symantec more than double the number in 2005. As the #1 provider of trust online, Symantec operates a certificate-based PKI (public key infrastructure) to enable the worldwide deployment and use of these certificates. By operating a world-class certificate infrastructure and protecting it with robust security measures and top-down policy governance, Symantec is able to provide the greatest assurance possible that its certificates and the organizations that use the certificates are genuine and secure. The core or kernel of trust in the PKI system rests the assumption that commercial CAs maintain a commitment to security that is beyond reproach. Digital certificates are verified using a chain of trust, and root CAs act as trust anchors for each certificate. Consequently, Web browser developers must be able to trust that CAs will do the following: Verify the identity of the requester. Ensure that there is no way to issue a certificate without a permanent record. Keep unalterable logs of all certificates they have signed. Audit those logs frequently for evidence of unauthorized issuance. Proactively communicate security events and certificate revocations. Protect their infrastructure to prevent intrusion or fraudulent certificate issuance. 5 3 http://www.cabforum.org/baseline_requirements_v1.pdf 4 Netcraft February 2012 SSL Survey 5 http://dev.chromium.org/home/chromium-security/root-ca-policy 4

When browser developers feel confident that a CA is living up to these responsibilities, they include that CA s root certificate in the browser s Root CA store. All certificates in a browser s root store are trusted equally. CA Security Breaches Have Undermined the Public Trust There is a common misperception that CAs and other businesses in the security space are more secure, but in reality, they face the same security challenges as other organizations. The number of commercial CAs has grown quickly in the past decade, from a handful then to hundreds now. Netcraft data 6 indicates that there are nearly 300 CAs in operation today, and according to a report from the Electronic Frontier Foundation s SSL Observatory project, there were at least 650 organizations that function as CAs with roots trusted directly or indirectly by Mozilla or Microsoft Web browsers. 7 Browsers utilize third-party audits such as WebTrust as one qualification point to get into the browser root store, but these audits don t get into the details of how CAs operate. In the past, there was no overarching system or authority to govern how CAs operate or verify that they can truly provide equal levels of assurance about their security and authentication practices. There are a number of CA practices that have identified as being potentially problematic, 8 but the full extent of these problems only came to light in 2011 after several highly publicized attacks on CAs: In March 2011, an attack compromised the access credentials of a Comodo partner in Italy and used the partner s privileges to generate fraudulent SSL certificates. In May, It was reported that another Comodo partner was hacked: ComodoBR in Brazil. In June, StartCom, the CA operating StartSSL was attacked unsuccessfully. In July, an internal audit discovered an intrusion within DigiNotar s infrastructure indicating compromise of their cryptographic keys. The breach of these keys resulted in the fraudulent issuance of public key certificates to a several dozen domains, including the domain Google.com. On August 28, 2011 a false DigiNotar wildcard SSL certificate issued for Google was discovered still in the wild. In September 2011, Dutch government and other Diginotar customers suddenly had to replace all Diginotar certificates as the major Web browser vendors removed Diginotar from their trusted root stores. DigiNotar files for bankruptcy. 6 Netcraft report, May 2012 7 https://www.eff.org/observatory 8 https://wiki.mozilla.org/ca:problematic_practices 5

March Italian Comodo partner breached June Unsuccessful attack on StartSSL August Fraudulent Diginotar certificate for Google found in the wild May Brazilian Comodo partner breached July Discovery of Diginotar breach September Diginotar roots removed; company files bankruptcy Figure 1. Timeline of Attacks on CAs in 2011 CAs Should Not be Granted Equal Trust Without Providing Equal Assurance Frameworks for assessing the adequacy and effectiveness of the controls employed by Certification Authorities (CAs) have existed since at least the year 2000. 9 However, there is historically been no binding requirements or standards to govern the implementation of rigorous security and identity verification practices followed by CAs that provide SSL certificates and associated trust services. The events of 2011 are proof-positive that CAs do not follow the same strict security practices, and not provide equal levels of assurance. At the same time, all CAs are trusted equally once they have been added to a browser s root list. This fundamental problem of equal trust without equal assurance must be addressed in order to ensure the future of the PKI ecosystem. Security is the Bottom Line Not surprisingly, the 2011 CA breaches sparked a debate as to whether SSL technology and the entire CA industry that distributes it are fundamentally broken. 10 Fortunately, the answer is categorically and unequivocally no. SSL certificates still provide excellent protection against evolving cyber security threats. With the right tools and processes, CAs are fully capable of providing the greatest assurance possible that their certificates and the websites that use the certificates are genuine and safe for online business. But last year, we witnessed a variety of bad actors targeting CAs ranging from recreational hackers to serious cyber terrorists, and we see no indication that these threats will slow down or go away. Over the next several years, it is critical that CAs develop business strategies and top-down security policies that address the following key needs: 1. Diligent investment in and upkeep of a secure application and network infrastructure 2. Rigorous and consistent authentication and identity validation processes 3. Comprehensive auditing and responsible breach notification practices 9 http://www.webtrust.org/homepage-documents/item27839.aspx 10 http://www.symantec.com/connect/blogs/bright-outlook-ssl 6

Focusing their operational planning efforts around these and other strategic objectives will help CAs to make security-conscious decisions and ensure the long-term sustainability of their business models. Browser developers also have an important part to play by being more selective about trusting CA roots, implementing stricter online revocation controls, and insisting that CAs maintain compliance with the CA/Browser Baseline Requirements and other standards that may come out in the future. Setting a New Baseline for the CA Industry The CA/Browser Forum is a voluntary organization of Certification Authorities (CAs) and web browser vendors. The CA/B Forum s mission is to enable secure connections, establish online business identity, and help prevent online fraud. In response to the problem of uneven CA security practices, the CA/Browser Forum has developed a set of Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates that went into effect on July 1, 2012. The initiative to develop baseline requirements for all publicly trusted certificates has been ongoing for the better part of two years, and this standard is a first for governing the operation of Certification Authorities (CAs) issuing SSL/TLS digital certificates that are natively trusted in browser software. Maintaining a Secure IT Infrastructure Certificate authorities need to invest in infrastructure, which includes deploying up-to-date malware-protection systems, conducting regular third-party audits, running vulnerability assessments to ensure no holes exist that can be exploited, implementing multiple layers of security, and continuously monitoring the environment so that breaches can be detected as quickly as possible and stopped. Here are some of the many design considerations that CAs must account for: Segregation of security zones CA certificate infrastructures should be completely isolated from normal business operations, and segment certificate systems into networks based on the functions that those systems perform. Root CA Systems should be maintained in a High Security Zone, either in an offline state or air-gapped from all other networks. Network defense in depth Emphasize multiple, overlapping, and mutually supportive defensive systems to guard against single-point failures in any specific technology or protection method. This should include the deployment of regularly updated firewalls, as well as gateway antivirus, intrusion detection, intrusion protection systems, and Web security gateway solutions throughout the network. Verification practices CAs should confirm that applicants either have the right to use, or had control of, the Fully-Qualified Domain Name(s) and IP address(es) listed in the Certificate, or was authorized by a person having such right or control (e.g. under a Principal-Agent or Licensor-Licensee relationship) to obtain a Certificate containing the Fully-Qualified Domain Name(s) and IP address(es). Personnel security Prior to the engagement of any person in the Certificate Management Process, whether as an employee, agent, or an independent contractor of the CA, the CA should verify the identity and trustworthiness of such person. 7

Password policies Weak passwords are a huge risk, and a good CA will utilize strong password policy across their entire data center production infrastructure. Passwords should be changed regularly, at least once every 90 days, and users should not be permitted to use their previous 4-5 passwords. Physical security Physical security is often overlooked, but it is critically important to protecting network, server and storage equipment, as well as the keys themselves. All Network and server equipment should reside in a data center that meets or exceeds the criteria for a Tier 3, ANSI/TIA-942, facility. Ideally, the most sensitive areas of the certificate infrastructure, such as the root private key storage, should be air-gapped as an additional layer of defense to complement logical boundaries. Access to the building should be controlled and limited on an as-needed basis. All key-related activity should take place in a access-controlled area that requires no fewer than three individuals and multiple authentication factors for access, with audio/video monitoring equipment to record all activities. Secure application development All systems and applications should be developed in a secure, change-controlled environment and follow a secure development process from system architecture design all the way through QA and security testing. Symantec develops and implements applications in accordance with our systems development and change management policies. All such software, when first loaded, provides a method to verify that the software on the system originated from Symantec, has not been modified prior to installation, and is the version intended for use. Enforcing Rigorous Identify Validation Practices In addition to securing their critical information assets, CAs must consistently follow rigorous identity validation practices to ensure that the organizations and individuals they issue certificates to are genuine and safe to do business with. In accordance with the CA/Browser requirements, CAs should confirm that all applicants currently have the right to use the fully-qualified domain name(s) and IP address(es) listed in their Certificate. CAs should also take care to identify high risk certificate requests, conduct additional verification activity, and take any additional precautions that are reasonably necessary to ensure that such requests are properly verified under the CA/Browser requirements. When a certificate is issued by the Root CA, it should require an individual authorized by the CA (i.e. the CA system operator, system officer, or PKI administrator) to deliberately issue a direct command in order for the Root CA to perform a certificate signing operation. Verifying the revocation status of existing certificates is also another critical activity. CAs should maintain a continuous 24x7 ability to accept and respond to revocation requests and related inquiries. This is not easy to accomplish without making a significant investment in a robust and reliable infrastructure that can scale to handle millions of requests each day, with complete, geographically distributed redundancy for backup, high availability, and rapid disaster recovery. In accordance with the Baseline Requirements, CA must operate and maintain their CRL and OCSP capabilities with resources sufficient to provide a response time of 10 seconds or less under normal operating conditions. If the subscriber certificate 8

is for a high-traffic domain, the CA may rely on OSCP stapling to distribute its OCSP responses. In this case, the CA should ensure that the subscriber staples the OCSP response for the certificate in its TLS handshake. Demonstrating Compliance with Policies and Regulations Without properly demonstrating compliance with internal policies and the CA/ Browser Forum Requirements, there is no way to determine whether a CA has actually implemented the policies set forth in their Certification Practice Statement (CPS) documents. For this and many other reasons, it is critical that CAs undergo an audit in conformance with WebTrust guidelines and other comparable audit schemes at least once each year. Here are some of the many items that CAs must allow to be audited in order to ensure proper implementation of security policies and controls: Key ceremony It is essential that the key ceremony produces an unbroken evidentiary path demonstrating that every aspect of the certificate-generation process occurred in accordance with methods and procedures that comply with SAS-70 standards. You must ensure that sufficient evidentiary material is generated to demonstrate in any legal proceeding that proper practices were followed during the ceremony. For this reason, you conduct every key ceremony from a written script. To achieve a high degree of confidence, each ceremony step must be witnessed, documented, and certified. Monitoring and alerts It is vital that CAs monitor their network for intrusions, propagation attempts and other suspicious traffic patterns, and identify attempted connections to known malicious or suspicious hosts. System and event logging CAs should record details of the actions taken to process a certificate request and to issue a certificate, including all information generated and documentation received in connection with the certificate request; the time and date; and the personnel involved. The CA should make these records available to its auditor as proof of compliance with these Requirements. Vulnerability management Most software vendors work diligently to patch exploited software vulnerabilities; however, such patches can only be effective if adopted in the field. Be wary of deploying standard corporate images containing older versions of browsers, applications, and browser plug-ins that are outdated and insecure. Wherever possible, automate patch deployments to maintain protection against vulnerabilities across the organization, and work to keep your systems as close to the most recently released patch level as possible. Going Beyond the Baseline Requirements The importance of establishing a common baseline standard for CA practices cannot be overstated. However, baseline requirements do not address all of the issues relevant to the issuance and management of publicly-trusted certificates, and are intended as a starting point of what is an ongoing effort to improve security practices. Symantec s core business is information security and we take the security of our own infrastructure very seriously. Running the world s largest certificate authority, Symantec constantly monitors our networks, both online and offline, in 9

search of threats and vulnerabilities. Symantec has invested-in and built likely the most robust and scalable certificate authentication, issuance, management and hierarchy infrastructure in the industry. We believe that the security strength of our operations is an important part of the value our customers get when they buy their certificates from us. We are diligent about monitoring our networks and continuously work to ensure that our infrastructure remains the gold standard. Our ability to maintain a strong security posture is based on the definition and enforcement of strong, effective security policies through an ongoing process that revolves around three activities: 1. Policy governance Security policies should be planned, managed and supported at the highest level of the organization. They should cover every aspect of digital certificate life cycle and all associated trust services, not just for the CA but also for all partners, affiliates, and subscribers. 2. Policy design The application and network infrastructure, along with all business processes, should be designed to meet the security audit requirements in support of the CAs policies. 3. Policy implementation CAs must be able to demonstrate the implementation of rigorous policies and disciplined operation of the CA through monitoring, logging, and third-party audits. By following this approach, Symantec is able to ensure that their entire organization is aligned around security from the top down, and that the policies they define are rigorous, detailed, and consistently implemented. CA Security Policy Management The Symantec Approach IMPLEMENTATION Relentless Discipline DESIGN Physical, Locical, Network GOVERNANCE Security First 10

It is also important that CAs should also hold their partners and affiliates accountable for adhering to the same standards and audit requirements, as demonstrated by the March 2011 attack that compromised the access credentials of a Comodo partner in Italy. Governance The CA/Browser Forum Baseline Requirements state that all CAs must develop, implement, enforce, and annually update a Certificate Policy and/or Certification Practice Statement that describes in detail how the CA implements the latest version of these Requirements, and that CAs must publish the document and commit to comply with it. 11 At Symantec, we take our responsibility as a CA very seriously, and decisions about security or authentication cannot be made by individuals, or for business convenience. Symantec s Certificate Policy and Certification Practices Statement (CPS), which delineates the practices underlying the Symantec Trust Network public CA services, is an extremely detailed and comprehensive document and is used internationally as a foundation for PKI practices. 12 The problem with many CP or CPS documents published by other CAs is that they are vague and lack details, thus making them very open to interpretation and not a strong model for defining and maintaining strict security policies. Granularity and detail are critically important in the context of policy creation. It is one thing to define a policy that states, the CA must have a disaster recovery system in place and another thing altogether to define specific operational goals for that system, such as time-to-recovery targets. Separation of duties is another important principle to follow. At Symantec, a cross-functional policy working group, with a voting member structure comprised of individuals from separate departments who do not report up to the same chain of management, must approve all changes to the Symantec CP, CPS, design, and implementation. Symantec has implemented technical and procedural mechanisms that require the participation of multiple trusted individuals to perform sensitive CA cryptographic operations. Symantec uses Secret Sharing to split the activation data needed to make use of a CA private key into separate parts called Secret Shares which are held by trained and trusted individuals called Shareholders. A threshold number of Secret Shares (m) out of the total number of Secret Shares created and distributed for a particular hardware cryptographic module (n) is required to activate a CA private key stored on the module. Design The physical construction of our Operations Center is comparable to Governmentgrade protection of military and intelligence services communications. Our operations use a tiered approach to our physical environment comprised of 5 tiers with increasing levels of security. Individuals are granted selective access to tiers on only a need to know basis. The highest tiers require two or more authorized 11 http://www.cabforum.org/baseline_requirements_v1.pdf 12 http://www.verisign.com.au/repository/cps/cpsv3.8.2_final.pdf 11

people to enter or remain. Use of video monitoring is employed throughout our Operations Center. In addition, we use a layered approach to our security architecture that isolates sensitive signing servers and certificate databases from business operations. This architecture provides defense in depth, as an intruder must pass through or compromise multiple firewalls and air gaps just to reach the back-end infrastructure. Implementation Implementing a secure design based on robust policies requires a high degree of skill, experience, and discipline. CAs must regularly have their systems tested and audited to ensure ongoing compliance with internal policies and external requirements. Symantec s rigorous security and authentication practices, audited annually by KPMG, set a very high standard in reputation qualification measures to establish an online business credibility. We actively monitor our systems for any signs of intrusion on a non-stop basis. Every component of our infrastructure is monitored for security compromises or attempted security compromises. In the event of a detected compromise, our monitoring system is able to notify the appropriate personnel for action. Notification is by multiple methods, such as e-mail alert, pager alert, and console monitoring. Logs are generated for routers, firewalls and network machines; database activities and events; transactions; operating systems; access control systems; and mail servers. These logs are archived and retained in a secure location for a minimum of 12 months. We also log all key life cycle management events, certificate life cycle management events, and security-related events such as firewall activity and facility visitor entries. To ensure constant vigilance of security in the environment, we constantly perform assessments. Daily vulnerability scans and audits are performed to ensure that adequate security measures are in place. The vulnerability scans are performed by trained individuals who understand the impact as well as assess the results. These scans are performed both internal and external to the network. Any findings of sufficient security vulnerability are remediated within 24 hours. We also regularly perform penetration tests: a series of exercises performed from outside the system to determine if there are any exploitable openings or vulnerabilities in the network. In particular, it uses the known techniques and attacks of hackers to verify that the network is safe from unauthorized penetration. We employ an independent third party to conduct penetration tests on our network. 12

Conclusion The security breaches of 2011 demonstrated that not all CAs are created equal, and that we have to raise the bar and do the right thing to ensure the long-term sustainability of the CA industry, and to protect the trust model that the Internet relies on every single day. No security infrastructure is immune to breaches, but CAs must be willing to invest in infrastructure and commit to making security their first priority. At Symantec, protecting against online threats isn t just a business. It is our mission. Symantec secures more than one million web servers worldwide, more than any other Certificate Authority. 75 percent of the 500 largest e-commerce sites in North America, and 93 of the 100 largest financial institutions worldwide use SSL Certificates sold by Symantec (including all subsidiaries, affiliates, and resellers). These organizations trust Symantec because of our unwavering commitment to security. At Symantec, we strongly believe that security by convenience is no security at all. Developing and maintaining a strong security posture is not easy and it s not convenient for our employees. It also takes time and experience; you can t build a global trust model overnight. But in times like these, it s good to know that that policy remains a good practice. 13 The threat landscape is rapidly evolving as CAs come under increasing pressure from external attacks. Now, more than ever, it is critical to partner with a CA vendor who has network infrastructure security measures in place to defend itself, and your data from emerging cyber-threats. Symantec is the world s largest data security company and the best suited CA to ensure the highest level or root protection and encryption of data in transit. 13 http://www.symantec.com/connect/blogs/authentication-business 13

More Information Visit our website http://go.symantec.com/trustontheinternet To speak with a Product Specialist in the U.S. Call 1 (866) 893-6565 or 1 (650) 426-5112 To speak with a Product Specialist outside the U.S. For specific country offices and contact numbers, please visit our website. About Symantec Symantec is a global leader in providing security, storage, and systems management solutions to help consumers and organizations secure and manage their information-driven world. Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored. Symantec World Headquarters 350 Ellis Street Mountain View, CA 94043 USA 1 (800) 721 3934 www.symantec.com Copyright 2012 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, BindView, Enterprise Security Manager, Sygate, Veritas, Enterprise Vault, NetBackup and LiveState are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. UID:125/7/2012

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information