Securing PKI: Physical Controls for Securing PKI
Applies To: Windows Server 2003 with SP2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2012
In today’s threat landscape, physical security of hardware is often not a strong consideration when designing a system. When designing many systems, the physical security is assumed to be in place, and since the majority of attacks are occurring over the network, not much extra attention is given. When designing a PKI, additional consideration must be given to the physical security of the systems, as unauthorized physical access can lead to a complete compromise of the PKI, and subsequently lead to compromise of other critical systems that rely on it.
Designing physical security involves a substantial amount of planning before deploying a PKI because there are many aspects to consider, and there is not a one-size-fits-all solution. For example, the physical security for an organization wanting to deploy a simple HYPERLINK "file:///C:\\Users\\v-mlynd\\Desktop\\Securing%20Public%20Key%20Infrastructure%20(PKI).docx" \l "_CA_Hierarchy_Options_1" two-tier CA system for solving a single application needed in a low assurance situation is handled differently than the physical security for a PKI for a financial institution wishing to use their CAs for securing transactions.
The following information is not intended to be a checklist or “how-to” guide for building physical security for PKI. Instead, the concepts below should each be given consideration when implementing physical security controls for a PKI.
Functional Considerations
The level of physical security a PKI requires depends on the functions it allows. Consider the following when defining physical security requirements for PKI:
Assurance Level – The level of trust stated by the entity providing certificate services based on many different factors including the stringency of the method used to identify a person or entity receiving certificates, the criteria required for issuance, and the purpose of the certificates issued.
Function of the system – The function or functions a system has in relation to the PKI. Functions include acting as a CA (online or offline), enrollment functions, and revocation verification hosting. Different functions may require different levels of physical security.
Form Factor – The server operating system host type - virtual or physical.
Private Key Storage – The method by which the private keys are stored whether it is on a CA Server file system or a Hardware Security Module (HSM) which is a dedicated hardware device for this purpose.
PKI Artifact Storage – Storage of dependent components including HSM cards or tokens, backup drives, USB drives, smart card readers, or biometric devices. See Securing PKI: Protecting CA Keys and Critical Artifacts for more information. Strong physical access controls should be in place for any sensitive PKI artifacts.
Business Continuity and Disaster Recovery – Processes and procedures created to ensure a PKI is functionally available after a minimal amount of downtime after an event causing disruption of service.
Operational Considerations
In addition to functional considerations, consider the following operational aspects when designing physical security for PKI. These include but are not limited to:
Environmental – Ensure the availability of sufficient electrical power to operate servers, heating, ventilation, and air conditioning, logical security controls, and surveillance. Also ensure the ability to transition to secondary or facility-generated power in case of primary power source outage in primary or backup data center facilities.
Geographic Location – Consider the location of primary and backup data center facilities and the associated risks due to climate, power sources, available area-based workforce, and other geopolitical considerations.
Structure Hardening – Place controls in primary and backup data centers to mitigate the risk of unauthorized human entry as well as unwanted animal breach in addition to weather or environmental-related risks due to floods, tornadoes, earthquakes, or hurricanes. If necessary, place controls to prevent terror or wartime-related structural compromise.
Interior Climate Control – Place temperature and humidity consistency controls to prevent overheating of the servers, condensation, and static electricity.
Asset and Personnel Safety Measures – Ensure that appropriate heat and flame prevention and extinguishment are present. Also, ensure that safety of the personnel in the event of an emergency is accounted for in the design.
Designing Physical Security
Most data centers already have some physical security in their design or implementation. Typically they have doors requiring a proximity card for access with another form of verification such as a PIN pad, biometric scanners, or a security guard checking identification. Most data centers have some form of closed-circuit surveillance inside and out. Some have dedicated cages for servers identified as high-value assets. Some or all of these controls do not necessarily mean a PKI contained inside is secured.
Not all organizations have the luxury of designing their data center with PKI in mind. However, organizations with existing data centers with some of these controls in place should take advantage of their placement and use the existing controls to help mitigate risk. The following recommendations should be considered when designing PKI physical security.
Track and Audit Physical Access Requests
Consider implementing processes that allow all access requests to sensitive areas be tracked and have an audit trail. Consider having all access to a sensitive area require an approval workflow be completed prior to access being granted. For example, a process could be defined that requires data center operations staff to review all requests for access and ensure they are originating from known individuals with a legitimate need for access prior to temporary access being granted. Using an access approval process is a preventive control that allows for additional verification, where personnel with persistent access may misuse their credentials and access may not be detected until after the fact.
Periodically audit physical access to sensitive areas to ensure no unapproved access has occurred. Consider comparing physical access logs with known work orders that were executed and verifying that only trusted personnel were allowed into the sensitive area.
Consider Using Biometrics
Proximity access cards and keys can be easily stolen. Identification cards can be counterfeited. It is far more difficult to fake a person’s biometric signatures such as hand geometry, fingerprints, or retina data. Consider using biometric data as an authentication mechanism to access building areas where sensitive PKI assets are stored.
A key aspect of using biometrics is ensuring identity verification is performed during biometric enrollment, especially when the data is paired with a device such as a proximity card. In addition, it is important to ensure any biometric enforcement controls are configured to reject two persons with identical data in biometric enrollment. A person could conceivably have a valid stolen proximity card and pair it with their own biometric data to access an area as the owner of the stolen card.
Use Multi Person Control
For sensitive areas where PKI assets are stored, consider requiring multi person control to enter the area. Multi person control ensures that no single person can gain access to sensitive assets. This prevents a malicious insider from acting alone, forcing them to collude with another trusted individual to gain unauthorized access. In the case of physical breaches, it may be more likely that the breach is performed by an insider rather than an external attacker. With multi person control in place, it is more difficult for an attacker to obtain multiple credentials, or put multiple trusted people under duress to perform an action against their will.
Consider implementing technical controls that enforce multi person access, ideally with representation by persons in differing roles or organizations. Examples include door readers that require multiple distinct persons to present keys prior to allowing access, alarms that require two codes to disable, or safes that require multiple combinations to unlock. Further enforcement mechanisms of multi person control are discussed in the Securing PKI: Protecting CA Keys and Critical Artifacts section.
Eliminate Tailgating to Sensitive Areas
Access to sensitive areas should be limited only to authorized personnel. “Tailgating”, or allowing a user to enter behind another user based on their access should be prohibited. Consider implementing a man trap that only allows one user to enter the sensitive area at a time. Alternatively, a guard can control access by authenticating each individual as they enter the sensitive area. In cases where visitors need to access a sensitive area where they do not have access, consider implementing an override procedure where multiple authorized persons are required to override the system and allow the visitor to have access.
Use Alarm Systems as a Detective Control
Consider implementing alarm systems to detect unauthorized access to sensitive assets. For example, a server rack can be configured to trigger an alarm if it is opened without prior knowledge of the facility security team. Alarms can be used as a control to ensure that all access attempts come to the attention of the facility security team. For example, if the facility security team is required to disable the alarm prior to access, this would alert them that work is being performed and to be on heightened awareness since there are people in the sensitive area.
Use Cameras as a Detective Control
Consider using surveillance cameras in sensitive areas where access is limited to ensure that unauthorized access is detected. When cameras are used, ensure that they are placed such that they capture all entry/exit to the secure location and have a good view of the sensitive assets. Ensure that there are processes in place to ensure that access events are reviewed in a timely manner and that recordings are stored securely. According to policy in many organizations, key ceremonies are recorded. If you are able to utilize surveillance cameras to record or design the data center to allow line-of-sight surveillance to view artifact extraction, handling, storage, and inventory or even show screen access or use, an additional camera may not need to be used.
Geographically Separate Primary and Backup Sites
In case of primary site failure due to an act of nature such as an earthquake, hurricane, or flood, as well as acts of terror or war, the backup location should be geographically distinct and not susceptible to the same acts of nature or terror-related damage as the primary site. Additionally, separate staff should be available for primary and backup facilities. Where backup facilities are hosting sensitive hardware such as active HSMs, ensure that the physical controls present are equivalent to the controls at the primary location, and meet the defined corporate policy.
Use Security by Obscurity Carefully
Security through obscurity can be used to your advantage or to your detriment. Do not place CAs alongside servers administered by an organization different from the organization responsible for PKI. However, it can be to your advantage to discreetly name or tag systems to not immediately disclose the purpose or criticality of the system. Also, disseminate information regarding sensitive assets (location, purpose, etc.) on a need to know basis. Refrain from tracking information on the company intranet that would make it easy for an attacker to know the exact location of sensitive equipment.
Conclusion
Physical security controls help to provide assurance that the PKI will not be compromised by attacks requiring physical proximity to the PKI systems. Controls can help mitigate impersonation of authorized users, hardware attacks, and introduction of unauthorized software into offline environments. Implementing strong physical controls can also help mitigate risks associated with insider attacks including rogue or administrators under duress performing unauthorized actions.
For a complete list of the recommendations for planning physical controls for securing PKI, along with the level of Determining the Level of Protection Required at which you should consider implementing them, refer to Securing PKI: Appendix F: List of Recommendations by Impact Level.
See Also
Securing Public Key Infrastructure (PKI)
Securing PKI: Introduction
Securing PKI: Planning a CA Hierarchy
Securing PKI: PKI Process Security
Securing PKI: Technical Controls for Securing PKI
Securing PKI: Planning Certificate Algorithms and Usages
Securing PKI: Protecting CA Keys and Critical Artifacts
Securing PKI: Monitoring Public Key Infrastructure
Securing PKI: Compromise Response
Securing PKI: Appendix A: Events to Monitor
Securing PKI: Appendix B: Certification Authority Audit Filter
Securing PKI: Appendix C: Delegating Active Directory PKI Permissions
Securing PKI: Appendix D: Glossary of Terms
Securing PKI: Appendix E: PKI Basics
Securing PKI: Appendix F: List of Recommendations by Impact Level
Security and Protection
Secure Windows Server 2012 R2 and Windows Server 2012