According to Symantec and the Online Trust Alliance (OTA), CAs should ensure the correct and secure operation of CA information processing facilities, minimize the risk of system failure and malware infection, and develop incident reporting and response procedures. In addition, steps should be taken to protect media from theft, loss or damage and to prevent unauthorized account access, and employee and partner revocation systems should be in place and tested.
Asset Classification and Management
CA assets, subscriber and relying party information should receive an appropriate level of protection, according to Symantec and the OTA. This means classifying data according to its level of importance and sensitivity and applying the appropriate defenses against attacks. In addition, security vendor Venafi suggested regular third-party audits and reviews be performed to ensure that processes, policies, and security mechanisms are properly implemented and cover all possible attacks.
Monitor CA Security and Demonstrate Compliance
"CAs should be able to demonstrate conformance with the relevant legal, regulatory and contractual requirements; compliance with the CA’s security policies and procedures; maximization of the effectiveness of the system audit process with minimal interference; and detection of unauthorized CA system usage," Symantec and the OTA advised.
According to GlobalSign, CAs should ensure that the status and validity of an issued certificate can be communicated quickly and reliably via the Online Certificate Status Protocol (OCSP) at any time, so that relying parties always know the certificate's current status.
CAs should work to develop and test a business continuity plan that includes a disaster recovery process to lessen potential disruptions to subscribers and other interested parties if the CA goes out of business or service is degraded, according to Symantec and the OTA.
Prepare for the Worst: Inventory
To prepare for the possibility of a CA breach, NIST and Venafi suggest that organizations establish an inventory of all certificates in their environment and identify, for each certificate, its owner and other relevant data such as the issuing CA. Organizations should also establish an inventory of all trust anchors (CA root certificates used to validate user and device certificates) and identify owners and other data for these trust anchors.
Prepare for the Worst: Documentation
Another step organizations can take to prepare for a possible breach at a certificate authority is to document all certificate expiration dates, encryption algorithms and key lengths.
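As an added example (not code from the article, NIST or Venafi), the Go program below builds the inventory that the two preparation steps above describe: for each certificate it records subject, issuer, expiration date, signature algorithm and key length, and flags self-signed CA certificates as trust anchors. The root CA and leaf certificate are constructed in-program with hypothetical names; no real CA data is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// CertRecord is one inventory row: the fields the text says to capture per certificate.
type CertRecord struct {
	Subject, Issuer, SigAlg string
	NotAfter                time.Time
	KeyBits                 int
	TrustAnchor             bool // self-signed CA certificate, i.e. a root the environment relies on
}
// Inventory makes one record per certificate; a trust anchor is a CA cert that verifies under its own key.
func Inventory(certs []*x509.Certificate) []CertRecord {
	var out []CertRecord
	for _, c := range certs {
		bits := 0 // RSA modulus size or ECDSA curve size; other key types are left at 0
		switch k := c.PublicKey.(type) {
		case *rsa.PublicKey:
			bits = k.N.BitLen()
		case *ecdsa.PublicKey:
			bits = k.Curve.Params().BitSize
		}
		out = append(out, CertRecord{Subject: c.Subject.CommonName, Issuer: c.Issuer.CommonName, SigAlg: c.SignatureAlgorithm.String(),
			NotAfter: c.NotAfter, KeyBits: bits, TrustAnchor: c.IsCA && c.CheckSignatureFrom(c) == nil})
	}
	return out
}
// SampleChain builds a constructed root CA and one leaf it issued (hypothetical names, not real CAs).
func SampleChain() []*x509.Certificate {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // errors ignored: fixed fixture data
	leafKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	now := time.Now()
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"}, NotBefore: now,
		NotAfter: now.AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	rootDER, _ := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	root, _ := x509.ParseCertificate(rootDER)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "www.example.test"}, NotBefore: now, NotAfter: now.AddDate(1, 0, 0)}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey)
	leaf, _ := x509.ParseCertificate(leafDER)
	return []*x509.Certificate{root, leaf}
}
```

In a real deployment the certificates would come from host trust stores, key vaults and TLS endpoints rather than from SampleChain; the records can then be sorted by NotAfter or filtered by Issuer when a CA is reported compromised.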