NIST National Cybersecurity Center of Excellence (NCCoE) published on 18 July 2019 the final draft of the NIST SP 1800-16, which is open for comments until 13 September 2019.
The full draft comprises the following volumes:
This is the point where you might ask, “Why do I need one more publication on cryptographic material management or certificate management?” On the surface you may be right, but…
Existing NIST publications, such as FIPS 140-2, SP 800-53, SP 800-57 Parts 1 & 2, and the Cybersecurity Framework, are designed mostly for those who manage cryptographic material, while SP 800-52 deals with the secure implementation and configuration of TLS servers.
The publication demonstrates, using commercially available technologies, how medium and large enterprises that rely on TLS can secure both customer-facing and internal applications and can better manage TLS server certificates by:
This practice guide can benefit executives, Chief Information Security Officers, system administrators, or anyone who has a stake in protecting his or her organization's data, privacy, and overall operational security.
It is written in simple language, providing, in just three pages, all there is to know about certificate management, its risks, and the available solutions. It is ideal for educating your bosses.
Volume B provides best practices and recommendations on how to develop policies for certificate management. Most certificate owners are typically not knowledgeable about the best practices for effectively managing TLS server certificates. Because certificate owners are responsible for the systems where certificates are deployed, it is imperative that they be provided with clear requirements and that those requirements be enforced as policies. This volume provides recommended TLS server certificate requirements and policies.
These requirements are coupled with recommended responsibilities for the certificate owners and the Certificate Services team, so that those requirements and policies can be met successfully. Organizations should feel free to plagiarize, copy, delete, augment, or modify these recommended policies and responsibilities as needed to suit their own requirements.
It isn’t necessary to implement all requirements. First of all, you need to identify the stakeholders who are needed to define and enforce your policies. Pick the policies you need, the ones that best address the most important risks to your organization, and modify and/or enhance the text to fit the needs of your organization. Then, review the tailored requirements with all stakeholders to determine whether they are achievable and whether they address your organizational risks. As a final step, define who is responsible for what. Accountability is the factor that drives success.
Finally, organizations can advance their TLS management efforts by reading Volume C which explains the approach, architecture, and security characteristics, and Volume D which contains the how-to-guides to build the example solutions.
The internet has enabled rapid, seamless commerce across the globe. This is possible only because connections across the internet are trusted to be secure. Transport Layer Security (TLS) is fundamental to this trust. TLS, in turn, depends on TLS certificates. Organizations must deploy TLS certificates and corresponding private keys to their systems to provide them with unique identities that can be reliably authenticated. The TLS certificate enables anybody connecting to a system to know that they are sending their data to the right place. In addition, it also enables establishment of secure connections so that no one in the middle can eavesdrop on communications.
Even though TLS certificates are critical to the security of both internet-facing and private web services,
Instead, certificate management tends to be spread across the different groups responsible for the various servers and systems in an organization, which, even worse, may be geographically distant from one another. Central security teams struggle to make sure that certificates are being properly managed by each of these disparate groups.
This lack of a central certificate management service puts the organization at risk because
Organizations that improperly manage their certificates risk system outages and security breaches, which can result in revenue loss, harm to reputation, and exposure of confidential data to attackers. There are four primary types of negative incidents that result from certificate mismanagement:
At the core of the TLS certificate management challenges is the fact that:
TLS server certificates have a broad, enterprise-wide distribution. In addition, the processes needed to manage certificates, the multiple roles involved in certificate management and issuance, and the speed at which new TLS servers are being deployed are making certificate management even more complex and challenging.
TLS server certificates are typically issued by a Certificate Services team (often called PKI team), which is responsible for external and internal CAs, maintaining the certificate portal, running the help desk and assisting/supporting the certificate owners. However, the certificates are commonly installed and managed by the certificate owners, who are the groups and the system administrators responsible for individual web servers, application servers, network appliances, and other devices for which certificates are used.
The certificate owners typically are not knowledgeable about the risks associated with certificates or the best practices for effectively managing certificates.
Because the Certificate Services team does not have the resources or access required to directly manage the deployed certificates, it is often drawn into a blame game when TLS certificate incidents, such as outages, occur.
To effectively address the risks and organizational challenges related to TLS server certificates,
This program would fall under your overall machine identity management strategy.
For this program to succeed, it is vital to seek and obtain executive leadership, guidance, and support. The formal TLS certificate management program should include clearly defined policies, processes, and roles and responsibilities for the certificate owners and the Certificate Services team, as well as a central Certificate Service. The program should be driven by the Certificate Services team but should include active participation by the certificate owners, whether they are responsible for traditional servers, appliances, virtual machines, cloud-based applications, DevOps, or other systems acting as TLS servers. It is also important that the various stages of the program run in parallel, so that the program goes live in a coordinated manner and within a limited time span.
As mentioned before, to ensure that the policies are implemented, you should gain sponsorship from your executives so that they understand and support your requirements and responsibilities. Your executives can then educate their bosses about the need for policy requirements and can talk to their peers—the certificate owners’ executives—about their roles and responsibilities. Executive and leadership sponsorship can help enforce the policies, roles, and responsibilities.
to minimize the risks that come with poor certificate management. NIST SP 1800-16 can certainly help you.
NIST SP 1800-16 has been published on the NIST NCCoE website for public comment. The comment period is open until Friday, September 13, 2019. NIST also accepts comments via email at email@example.com.