According to Symantec and the Online Trust Alliance (OTA), CAs should ensure the correct and secure operation of CA information processing facilities, minimize the risk of systems failure and infection by malware, and develop incident reporting and response procedures. In addition, steps should be taken to protect media from theft, loss or damage and unauthorized account access, and employee and partner revocation systems should be in place and tested.
2. Asset Classification and Management
CA assets, subscriber and relying party information should receive an appropriate level of protection, according to Symantec and the OTA. This means classifying data according to its level of importance and sensitivity and applying the appropriate defenses against attacks. In addition, security vendor Venafi suggested regular third-party audits and reviews be performed to ensure that processes, policies, and security mechanisms are properly implemented and cover all possible attacks.
3. Monitor CA Security and Demonstrate Compliance
“CAs should be able to demonstrate conformance with the relevant legal, regulatory and contractual requirements; compliance with the CA’s security policies and procedures; maximization of the effectiveness of the system audit process with minimal interference; and detection of unauthorized CA system usage,” Symantec and the OTA advised.
6. Prepare for the Worst: Inventory
To prepare for the possibility of a CA breach, NIST and Venafi suggest that organizations establish an inventory of all certificates in their environment and identify owners and other relevant data—such as the issuing CA—for the certificate. Organizations should also establish an inventory of all trust anchors (CA root certificates used to validate user and device certificates), and identify owners and other data for these trust anchors.
7. Prepare for the Worst: Documentation
Another step organizations can take to prepare for a possible breach at a certificate authority is to document all certificate expiration dates, encryption algorithms and key lengths.
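As an added example, not code from this article or from NIST, Venafi, Symantec or the OTA, the following Go program carries out the inventory and documentation steps from the two preceding items using only the standard library: for every certificate it records owner, subject, issuing CA, expiration date, key algorithm and key length, marks self-signed CA certificates as trust anchors, and then flags entries that expire soon or carry a short RSA key. To run offline it generates a constructed root CA and one leaf certificate in memory; the names "Example Internal Root CA" and "app.example.internal", the owner label "platform-team", the 30-day expiry window and the 2048-bit RSA minimum are all assumptions chosen for the example, not figures from the article, and no real CA is involved.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// InventoryEntry is one row of the inventory: owner, subject, issuing CA, expiry and key details.
type InventoryEntry struct {
	Owner         string // operator-supplied owner label (an assumption, not from the article)
	Subject       string
	IssuingCA     string
	NotAfter      time.Time
	KeyAlgo       string
	KeyBits       int
	IsTrustAnchor bool // CA certificate whose signature verifies under its own key
}

// Inventory parses DER-encoded certificates into inventory entries; only RSA keys are sized here.
func Inventory(owner string, ders [][]byte) ([]InventoryEntry, error) {
	var entries []InventoryEntry
	for _, der := range ders {
		cert, err := x509.ParseCertificate(der)
		if err != nil {
			return nil, err
		}
		bits := 0 // key length in bits; non-RSA key types report 0 in this example
		if k, ok := cert.PublicKey.(*rsa.PublicKey); ok {
			bits = k.N.BitLen()
		}
		entries = append(entries, InventoryEntry{
			Owner:         owner,
			Subject:       cert.Subject.String(),
			IssuingCA:     cert.Issuer.String(),
			NotAfter:      cert.NotAfter,
			KeyAlgo:       cert.PublicKeyAlgorithm.String(),
			KeyBits:       bits,
			IsTrustAnchor: cert.IsCA && cert.CheckSignatureFrom(cert) == nil,
		})
	}
	return entries, nil
}

// Findings flags entries expiring within window of now or using RSA keys shorter than minRSABits.
func Findings(entries []InventoryEntry, now time.Time, window time.Duration, minRSABits int) []string {
	var findings []string
	for _, e := range entries {
		if e.NotAfter.Before(now.Add(window)) {
			findings = append(findings, fmt.Sprintf("%s expires on %s", e.Subject, e.NotAfter.Format("2006-01-02")))
		}
		if e.KeyAlgo == "RSA" && e.KeyBits < minRSABits {
			findings = append(findings, fmt.Sprintf("%s uses RSA-%d (policy minimum %d)", e.Subject, e.KeyBits, minRSABits))
		}
	}
	return findings
}

func must[T any](v T, err error) T { // panics on error; only used to build constructed sample data
	if err != nil {
		panic(err)
	}
	return v
}

// SampleCerts builds, in memory, a constructed root CA (RSA-2048, 10-year lifetime) and a leaf
// it issues (RSA-1024, 20-day lifetime). Names are made up; no real CA is involved.
func SampleCerts() [][]byte {
	now := time.Now()
	caKey := must(rsa.GenerateKey(rand.Reader, 2048))
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Internal Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	caDER := must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))
	leafKey := must(rsa.GenerateKey(rand.Reader, 1024)) // deliberately short so Findings flags it
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "app.example.internal"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(20 * 24 * time.Hour),
	}
	leafDER := must(x509.CreateCertificate(rand.Reader, leafTmpl, caTmpl, &leafKey.PublicKey, caKey))
	return [][]byte{caDER, leafDER}
}

func main() {
	entries := must(Inventory("platform-team", SampleCerts()))
	fmt.Printf("%+v\n%v\n", entries, Findings(entries, time.Now(), 30*24*time.Hour, 2048))
}
```

In a real deployment the DER blobs would come from the servers, key stores and trust stores being inventoried rather than from SampleCerts, and the inventory rows would be persisted so that, after a CA compromise, every certificate chaining to the affected issuer can be found by its IssuingCA field.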