CA Network Security Practices

CA/B Forum Guidelines on Network and Certificate System Security Requirements
On 3rd August 2012, the CA/B Forum adopted a set of guidelines regarding Network and Certificate System Security Requirements, to ensure best practice among all publicly trusted Certification Authorities and Delegated Third Parties.

The CA/B Forum, a voluntary organization of leading Certification Authorities (CAs) and vendors of Internet browser software and other applications, has been committed to defining standards for the Certificate Authority industry since 2005.

The new guideline, which will be effective from 01/01/2013, seeks to address the various attacks on trusted providers that happened during 2011 by setting a number of requirements that ensure tight security around CA networks and systems and prevent further occurrences.

The guideline covers a number of areas including General Protections for the Network and Supporting Systems; Trusted Roles, Delegated Third Parties, and System Accounts; Logging, Monitoring and Alerting; as well as Vulnerability Detection and Patch Management.

All Member CAs, including GlobalSign, have agreed to comply by the effective date, thereby leading the way in enhancing security levels in the CA industry as a whole.

General Protections for the Network and Supporting Systems

The guideline introduces the concept of Secure Zones and High Security Zones for the protection of essential CA systems, including Root CA systems, Issuing Systems, Certificate Management Systems, and Security Support Systems.

CAs must exercise greater control over access to Certificate Systems, allowing access only to persons in Trusted Roles, and multi-factor authentication is mandatory wherever the system supports it.

Trusted Roles, Delegated Third Parties, and System Accounts

Trusted Roles must be assigned based on the security concerns of the functions to be performed. Each individual in a trusted role must use a unique credential to authenticate to Certificate systems, to ensure they can only act within the scope of their role. This is further reinforced by a number of rules covering password policy, inactivity time-outs, and account lockouts.
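The account-level controls named above (a unique credential per individual, an inactivity time-out and an account lockout) are easier to reason about in code. The following is an added illustration, not text or tooling from the CA/B Forum guideline or from GlobalSign; the thresholds (five failed attempts, a 15-minute lockout, a 10-minute idle time-out) and the role names are assumed values chosen for the example, since the summary gives none.

```python
"""Minimal authentication policy enforcer (added example, not from the guideline).

Shows three per-account controls in one place:
  * unique credential per individual (duplicate usernames are refused),
  * lockout after repeated failed logins,
  * inactivity time-out on sessions, with role checks on every action.
"""

import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed policy parameters for this example; the guideline summary states none.
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
INACTIVITY_TIMEOUT_SECONDS = 10 * 60


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    role: str               # the Trusted Role this individual holds
    failed_attempts: int = 0
    locked_until: float = 0.0


@dataclass
class Session:
    username: str
    role: str
    last_activity: float


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-SHA256 with a per-account salt; iteration count is an assumed value.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class AuthPolicy:
    def __init__(self, clock=time.time):
        self.clock = clock                       # injectable for testing
        self.accounts: Dict[str, Account] = {}
        self.sessions: Dict[str, Session] = {}

    def add_user(self, username: str, password: str, role: str) -> None:
        """One credential per individual: refuse to reuse a username."""
        if username in self.accounts:
            raise ValueError("credential must be unique per individual")
        salt = os.urandom(16)
        self.accounts[username] = Account(salt, _hash_password(password, salt), role)

    def login(self, username: str, password: str) -> Optional[str]:
        """Return a session token on success, None on any failure."""
        now = self.clock()
        acct = self.accounts.get(username)
        if acct is None:
            return None                          # do not reveal whether the account exists
        if now < acct.locked_until:
            return None                          # account still locked out
        if not hmac.compare_digest(_hash_password(password, acct.salt), acct.pw_hash):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked_until = now + LOCKOUT_SECONDS
                acct.failed_attempts = 0
            return None
        acct.failed_attempts = 0                 # successful login resets the counter
        token = os.urandom(16).hex()
        self.sessions[token] = Session(username, acct.role, now)
        return token

    def authorize(self, token: str, required_role: str) -> bool:
        """Every action re-checks the idle timer and the caller's role."""
        now = self.clock()
        sess = self.sessions.get(token)
        if sess is None:
            return False
        if now - sess.last_activity > INACTIVITY_TIMEOUT_SECONDS:
            del self.sessions[token]             # idle session expired
            return False
        sess.last_activity = now
        return sess.role == required_role

    def is_locked(self, username: str) -> bool:
        return self.clock() < self.accounts[username].locked_until
```

The clock is injected so the lockout and idle expiry can be exercised without waiting; in a real deployment the same checks would sit in front of every Certificate System action, with the role taken from the account record rather than from the request.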

Logging, Monitoring and Alerting

The new forum guideline requires CAs and Delegated Third Parties to implement a Security Support System that logs, monitors, detects and alerts on any security-related configuration change.

Trusted Role personnel must follow up on such alerts, and logs must be retained in accordance with applicable legislation and best practices, the overall aim being to prevent unauthorized activities.
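To make the logging, detection, alerting and follow-up chain concrete, here is an added example of a tiny Security Support System loop. It is not the guideline's text nor any CA's product: it baselines content fingerprints of security-relevant configuration items, raises an alert for every change, only lets a person in a Trusted Role acknowledge an alert, and prunes log entries older than a retention period. The configuration items, the role list and the two-year retention period are constructed for the example.

```python
"""Configuration-change monitor with alert follow-up (added example, not from the guideline)."""

import hashlib
import time
from typing import Dict, List

RETENTION_SECONDS = 2 * 365 * 24 * 3600          # assumed retention period
TRUSTED_ROLES = {"CA Administrator", "Security Officer", "Auditor"}  # assumed role names


def fingerprint(content: str) -> str:
    """Content fingerprint used to detect any modification."""
    return hashlib.sha256(content.encode()).hexdigest()


class SecuritySupportSystem:
    def __init__(self, clock=time.time):
        self.clock = clock                       # injectable for testing
        self.baseline: Dict[str, str] = {}       # item name -> fingerprint
        self.log: List[dict] = []                # append-only event log
        self.open_alerts: Dict[int, dict] = {}   # alerts awaiting follow-up
        self._next_id = 1

    def _record(self, event: str, **fields) -> dict:
        entry = {"ts": self.clock(), "event": event, **fields}
        self.log.append(entry)
        return entry

    def set_baseline(self, configs: Dict[str, str]) -> None:
        """Approved state of every monitored configuration item."""
        self.baseline = {name: fingerprint(c) for name, c in configs.items()}
        self._record("baseline", items=sorted(self.baseline))

    def scan(self, configs: Dict[str, str]) -> List[int]:
        """Compare current items to the baseline; log and return ids of new alerts."""
        new_ids: List[int] = []
        current = {name: fingerprint(c) for name, c in configs.items()}
        for name in sorted(set(self.baseline) | set(current)):
            old, new = self.baseline.get(name), current.get(name)
            if old == new:
                continue
            kind = "removed" if new is None else "added" if old is None else "modified"
            alert_id = self._next_id
            self._next_id += 1
            alert = self._record("alert", id=alert_id, item=name, change=kind,
                                 old=old, new=new, acknowledged_by=None)
            self.open_alerts[alert_id] = alert
            new_ids.append(alert_id)
        return new_ids

    def acknowledge(self, alert_id: int, operator: str, role: str) -> bool:
        """Only a Trusted Role may close an alert; the follow-up itself is logged."""
        if role not in TRUSTED_ROLES:
            return False
        alert = self.open_alerts.pop(alert_id, None)
        if alert is None:
            return False
        alert["acknowledged_by"] = operator
        self._record("ack", id=alert_id, by=operator, role=role)
        return True

    def prune_logs(self) -> int:
        """Drop entries older than the retention period; return how many were removed."""
        cutoff = self.clock() - RETENTION_SECONDS
        before = len(self.log)
        self.log = [e for e in self.log if e["ts"] >= cutoff]
        return before - len(self.log)
```

A production system would read the items from the actual hosts (firewall rule sets, service configuration, HSM policy) and ship the log to a separate, write-once store, but the shape is the same: a known-good baseline, a diff on every scan, an alert that stays open until a Trusted Role closes it, and a retention rule applied to the log rather than to the alerts.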

Vulnerability Detection and Patch Management

CAs and Delegated Third Parties must have detection and prevention controls in place to protect Certificate Systems against viruses or malicious software.

This section sets out a minimum requirement for quarterly vulnerability scans and yearly penetration testing, and defines standards for remediating critical vulnerabilities in a timely manner.

Full details of the guideline can be found on the website at: https://www.cabforum.org/Network_Security_Controls_V1.pdf