With National Cyber Security Month right around the corner, I wanted to take this chance to discuss Symantec’s point of view about the current state of the Certificate Authority (CA) industry.
After a year riddled with highly publicized CA security breaches that threatened to undermine confidence in the entire system, the message is clear: in order to build public confidence and protect the trust model that the Internet relies on every single day (over 4.5 million sites!), the CA industry must pull together and focus on improving its operations and practices while adapting to a constantly evolving technological environment.
One way we do this is by actively supporting organizations such as the CAB Forum and the Online Trust Alliance (OTA). Coming up shortly is the Online Trust Forum in San Jose, CA on Oct 2-4. To learn more, visit: https://otalliance.org/forum.html. Use the code “bot20” to save 20 percent at registration.
Speaking of the OTA, we worked with its founder, Craig Spiezle, to create a checklist of the most important IT infrastructure, data protection and privacy-enhancing controls that CAs should implement in order to protect their operations, reputations, and customer relationships.
Check it out here:
- Security planning and governance: Information security should be planned, managed and supported at the highest level of the organization. There should be an information security policy document that covers physical, personnel, procedural and technical controls, is approved by management, and is published and communicated to all employees. Another key component is the development and implementation of a data loss incident response plan that addresses key issues including data minimization, data destruction, workflow and first responder training.
- Asset classification and management: CA assets, subscriber, and relying party information should receive an appropriate level of protection.
- Personnel security: CAs should provide reasonable assurance that personnel and employment practices enhance and support the trustworthiness of the CA’s operations: identifying Trusted Roles, performing background checks, and assigning specific responsibilities to the people in those roles.
- Physical security: Physical access to CA facilities and equipment must be limited to authorized individuals and protected through restricted security perimeters. This includes the facility itself as well as all equipment.
- Operations: CAs must ensure the correct and secure operation of CA information processing facilities, minimize the risk of systems failure or infection by malware/viruses, develop incident reporting and response procedures, and protect media from theft, loss, damage or unauthorized access. In addition, account access and employee and partner revocation systems must be in place and tested.
- System access: CAs must limit access to authorized individuals; this includes user access controls as well as access to operating systems, databases, and applications. CAs need to closely monitor user privileges and must be able to automatically revoke access when an employee’s role or employment status changes.
- Systems development: CAs must provide assurance that development and maintenance activities are documented, tested, authorized, and properly implemented to maintain CA system integrity.
- Business continuity: CAs must develop and test a business continuity plan that includes a disaster recovery process to minimize potential disruptions to Subscribers and Relying Parties as a result of the cessation or degradation of the CA’s services.
- Monitoring and compliance: CAs should be able to demonstrate conformance with the relevant legal, regulatory and contractual requirements; compliance with the CA’s security policies and procedures; maximization of the effectiveness of the system audit process with minimal interference; and detection of unauthorized CA system usage.
- Privacy: CAs are entrusted with customers’ data and should demonstrate a commitment to privacy principles, including prominent notice of what is collected, how it is used and for what purpose, as well as disclosure of any sharing with third parties. CAs are also required to abide by privacy laws not only in the region in which they operate but also in the region where the customer resides. As such, CAs need to be aware of diverse laws such as the German data privacy act, the EU privacy act and US privacy regulations. This should be a high priority for any CA that intends to respect its customers’ best interests.
For more than a decade, CAs have acted as Internet trust brokers, making it possible for people to trust and share information online. With the right tools and processes, CAs are fully capable of providing the greatest assurance possible that their certificates – and the websites that use the certificates – are genuine and safe for online business.
Symantec challenges all CAs to follow strict security best practices as advocated by the CAB Forum and OTA, and by so doing protect the trust model that we rely on every day to check e-mail, pay the bills, get the news, find the latest and greatest gadget; you get the picture.
If you are interested in speaking to Symantec or OTA founder Craig Spiezle about the current challenges and opportunities facing the CA industry, join us in San Jose at the Online Trust Forum to learn more.