Both organizations subject to the PCI DSS and Qualified Security Assessors (QSAs) will benefit from this SIG. Our reliance on cryptographic keys and digital certificates keeps growing: they protect communications and they authenticate and authorize servers, devices, software, cloud services, and privileged administrators and users. In the PCI DSS, keys and certificates are critical to securing cardholder data and other sensitive electronic information, and they are specifically mentioned throughout the standard. But the PCI DSS requirements demand more visibility into, and control over, keys and certificates than most organizations can currently deliver.
Most organizations have not fully remediated Heartbleed. Patching OpenSSL closes the memory-disclosure bug, but it does nothing about private keys that may already have been read from server memory while the bug was exploitable; full remediation means generating new key pairs, reissuing the certificates, revoking the old ones, and only then installing the new material. Venafi research shows that 97% of Global 2000 public-facing servers are still vulnerable because keys and certificates have not been changed, and that figure does not include the behind-the-firewall systems that have been a low priority for remediation.
Are you one of the doubters who don't think you'll become a victim? It looks like many Global 2000 organizations are. But the odds are that you are already a victim: according to Ponemon Institute research, every major enterprise has been attacked using compromised keys and certificates in the last 24 months. So I hope the doubters are being converted to believers. The likelihood that you will be the target of an attack on trust is very high, and without the right security in place the impact is higher still. Advanced Persistent Threats (APTs) that target keys and certificates, such as APT1, The Mask, Energetic Bear (also tracked as Crouching Yeti), and Zombie Zero, to name just a few, underscore the importance of strong key and certificate security and of the ability to remediate quickly.
The open approach of the PCI DSS requirements gives implementing organizations flexibility, which is helpful when securing unique business environments. But organizations subject to the PCI DSS, and the QSAs who assess them, need more clarity on how to secure keys and certificates so that they can establish a foundation of trust for an effective security program and a defense against today's cyber threats.
We have two primary objectives for this SIG:
Develop the document "PCI DSS Cryptographic Key and Digital Certificate Security Guidelines"
Draft a compliance checklist that outlines the different security options available for meeting the PCI DSS requirements for keys and certificates
Venafi co-submitted the PCI SIG proposal on Cryptographic Keys and Digital Certificates with SecurityMetrics, a leading QSA. SecurityMetrics brings extensive experience to the SIG: they have helped over 1 million organizations manage PCI DSS compliance and/or secure their network infrastructure, data communications, and other information assets. Several other participants have also committed to supporting the SIG, including QSAs, vendors, and merchants in the Global 2000.
So what's next? The selected PCI SIGs will present at the 2014 PCI Community Meetings in North America (September) and Europe (October). An election will then be held from October 13 to 23, in which the PCI Participating Organizations will vote. The leading two or three SIG topics will become PCI SIG projects for 2015.