So you’re running your own internal CA, or at least thinking about it. And your plan is to do it all in-house?
For many, the answer is simple: ‘I don’t trust a third-party to manage my CA because we have very sensitive data we would prefer to keep internal’.
Maybe you’re a federal agency and you have a big enough budget to spend on keeping your cryptographic data and infrastructure secure. In more extreme cases, you could be setting up your own dedicated CA server rooms with Faraday cages and laser beams for motion detection. If this sounds like your organization, you should stop reading now as this blog probably isn’t for you.
Another reason for running your own internal CA in-house is to avoid having this type of data in the cloud, perhaps because you don’t trust the cloud or you don’t trust the third-party managing the cloud solution for you.
What’s so scary about the cloud? We asked our Twitter audience to tell us why they think organizations are afraid of cloud adoption and they seemed to think that security was a top concern.
I’m not here to demystify the cloud or give you reasons why the cloud is a great place to store your data. These blogs have been done time and time again. At GlobalSign, we have published content giving you some preliminary questions to ask potential new cloud or managed service providers. We firmly believe that you’re not putting your trust in the cloud, you’re putting your trust in the organization who provides the cloud services and solution - in this case, us.
Any company that offers a managed solution, in or out of the cloud, is responsible for explaining why you can put your trust in them. After all, with new regulations entering the market daily and data becoming more and more valuable to a business, giving responsibility to a third-party to manage it can feel almost as dangerous as giving your new born baby to a stranger to take care of for the evening – now there’s a frightening thought!
Laying Our Cards on the Table
As I’ve said, I’m not here to defend the cloud as a whole, or even third-party managed services…I’m here simply to explain why running a private CA in GlobalSign’s cloud infrastructure is not something to fear.
So, here’s my pitch.
The Average Corporate Environment
Most companies run their own Microsoft CA through Active Directory. All employees access the internet (external and internal websites) through this corporate network with the same domain controller. If you run a dedicated CA internally, even assuming you are using separate servers, you’re probably running them in the same physical network or server room as your file and application servers, which are indirectly connected to the internet. See a threat vector yet?
If a computer that is able to request a certificate from the internal CA is also infected with malware, well, you know the rest.
Even assuming you have built your internal CA with two FIPS-compliant HSMs, access and authentication is likely only given to a root admin.
Note: It is best practice to give HSM access to multiple admins, but we find that all too often, organizations with smaller teams or resources will only give credentials to one admin or in some cases the same credentials to a whole team.
So, how does the root admin gain access? A password? Maybe a token or smartcard? The root admin still has the ability to make a backup of the security world and restore it at home, assuming they have to have a similar HSM and original operator cards but that doesn’t stop it from being a vulnerability. An admin also has the ability to issue certificates or a sub CA while deleting all logs on record. Luckily we have a blog on cryptographic key storage best practice, feel free to have a read.
Or what happens if an admin goes rogue? Hardening can limit the amount of damage an admin can do this but this can't prevent your admin from going rogue or causing a major impact to the trust of your PKI. It’s also worth noting that hardening is an additional cost whether you go in-house or third-party.
All of these threat vectors are holes that cost money to plug. Money that is often, at times, too unrealistic for an organization to pay out. The primary reason being a gap between an IT department's knowledge of what is needed and the board level executives’ willingness to dish out the cash.
If only there was an affordable solution that offered the amount of physical and virtual security you knew you needed…
In Comes GlobalSign’s CA Environment
Envision a large building surrounded by high fences and CCTV surveillance cameras running and being monitored by security staff 24/7. Security is monitored by both an onsite and offsite team and any alarm bells ring to either one or both teams depending on the type of alarm.
All people in the building need to be supervised unless you have passed a certification. If you’re lucky enough to be a regular visitor who has passed their certification and verified to operate in a trusted role, you will enter the building using a card and biometrics.
To get into our server room, you need to be pre-registered and have two authentication factors. But this won't give you access to the server room that hosts any of the CAs.
If you want to get into the CA server room, which is a dedicated secure room inside the server room, you need to be with a colleague. The room itself doesn’t just use a simple cage construction but is constructed from slab to slab (concrete floor to concrete ceiling) with strong and extra secure materials. All air conditioning and gas suppression have been designed so that any maintenance required does not need to be done inside the server room that holds any of our key materials. Every wall, door and inch of space is monitored by multiple sensors to detect motion and/or intrusion.
To add even more security to this well-built fortress, every single server rack has doors that require authentication to get into. If the doors are opened, we know who opened it, when it was opened and if they were forced open. Of course with CCTV, we will also see who is actually opening the door. Once in, any changes to the server itself are monitored and new code executions cannot be implemented without first being verified.
Our CA is reachable from the cloud, but that doesn’t mean it’s reachable from the cloud.
Confused? What we mean by this, is that even though we say our issuing CA is in the cloud, a request still needs to be sent via an API. This request needs to be processed and verified, after which it is queued for the CA to say ‘everything is OK, I want the certificate now’. After authenticating the request, the CA then issues the certificate and sends it back to the queue to be collected. This connection is known as an airgap. And of course, all internal communication requires mutual TLS authentication.
Hardening is another technique we use to ensure that only certain IP addresses have access to the system using multiple credentials. For our customers, we can even use a multi-hosted set-up on an active/active environment for greater reliability.
Most organizations will run an active/standby environment, but in that scenario, what happens if a failure occurs? How long can you afford to have your CA not running?
GlobalSign also invests in monitoring and auditing. All certificates can be traced back so if anything goes wrong, we can investigate it fully and find the root of the problem immediately. Alongside several very expensive audits, our fortress is complete.
On a final note, we aren’t just about securing it and leaving it. We perform regular background checks on all staff with access to our systems, we continuously review our infrastructure and make adjustments from a physical and virtual perspective and we have external companies brought in to test our physical and virtual security. These third-parties perform vulnerability checks on all external access points to ensure continued security. Additionally, we monitor all of our network traffic 24/7 for any signs of an anomaly from an incursion or an oversight of rogue behavior.
Our business would be nothing if we didn’t have security, so we make it our business to be as good as we can possibly be at it. To quote our Technology Solutions Director, Paul van Brouwershaven:
Security doesn't stop, wait or simplify any environment, it's constantly moving and requires tremendous investments, time and resources to maintain at the highest level.
At the end of the day, we have no idea what your business environment looks like. Maybe it’s more secure than or even just as secure as ours. Only you know the answer to that.
But let me pose this question to you: knowing what you know now, can you still say that you trust your own environment more than ours?
If the answer is anything less than a whole-hearted yes, let’s have a chat about how you can save time, money and resources by moving your environment over to us.