
2020.06.20

SP 1800-16 Securing Web Transactions: TLS Server Certificate Management

Hello, this is Mitsuhiko Maruyama.

NIST has published a guide on TLS server certificate management...

Incidentally, the PDF runs to 432 pages...

The contents are organized as follows:

  • Volume A: Executive Summary
  • Volume B: Security Risks and Recommended Best Practices
  • Volume C: Approach, Architecture, and Security Characteristics
  • Volume D: How-To Guides – instructions for building the example solution

NIST - ITL

・2020.06.16 SP 1800-16 Securing Web Transactions: TLS Server Certificate Management

・[PDF]

Supplemental Material:
 SP 1800-16 volumes and Project Homepage (other)

Related NIST Publications:
White Paper

Document History:
11/29/18: SP 1800-16 (Draft)
07/17/19: SP 1800-16 (Draft)
06/16/20: SP 1800-16 (Final)


Executive Summary


The internet has enabled rapid, seamless commerce across the globe. Billions of dollars’ worth of
transactions are performed across the internet every day. This is possible only because connections
across the internet are trusted to be secure. Transport Layer Security (TLS), a cryptographic protocol, is
fundamental to this trust.

Organizations leverage TLS to provide the connection security that has enabled today’s unprecedented
levels of commerce across the internet. TLS, in turn, depends on TLS certificates. Organizations must
deploy TLS certificates and corresponding private keys to their systems to provide them with unique
identities that can be reliably authenticated. The TLS certificate enables anybody connecting to a system
to know that they are sending their data to the site listed on the certificate. In addition, it also enables
establishment of secure connections so that no one in the middle can eavesdrop on communications.

Many organizations might be surprised to discover how many TLS certificates they have. A large- or
medium-scale enterprise may have thousands or even tens of thousands, each identifying a specific
server in their environment. This is because organizations use TLS not only to secure external
connections between themselves and their customers over the internet but also to establish trust
between different machines inside their own organization and thereby secure internal communications.

Even though TLS certificates are critical to the security of both internet-facing and private web services,
many organizations do not have the ability to centrally monitor and manage their certificates. Instead,
certificate management tends to be spread across each of the different groups responsible for the
various servers and systems in an organization. Central security teams struggle to make sure that
certificates are being properly managed by each of these disparate groups. This lack of a central
certificate management service puts the organization at risk because once certificates are deployed,
they require regular monitoring and maintenance. Organizations that improperly manage their
certificates risk system outages and security breaches, which can result in revenue loss, harm to
reputation, and exposure of confidential data to attackers.

The National Cybersecurity Center of Excellence (NCCoE) at the National Institute of Standards and
Technology (NIST) built a laboratory environment to explore and develop guidelines to help large and
medium enterprises better manage TLS server certificates by:

  • defining operational and security policies and identifying roles and responsibilities
  • establishing comprehensive certificate inventories and ownership tracking
  • conducting continuous monitoring of certificates’ operational and security status
  • automating certificate management to minimize human error and maximize efficiency on a large
    scale
  • enabling rapid migration to new certificates and keys when certificate authorities or
    cryptographic mechanisms are found to be weak, compromised, or vulnerable
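As an added illustration of the inventory and continuous-monitoring practices listed above (example code written for this post, not from SP 1800-16 or the NCCoE build): a small Go scanner that applies operational checks (expiry, warning window) and security checks (deprecated signature hashes, short RSA keys) to every certificate in an inventory. The hostnames, the 30-day threshold and the self-signed test certificates are constructed for the demo; a real scanner would feed it certificates parsed from the servers it discovers.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// AssessCert returns the findings an inventory scanner would raise for one certificate.
func AssessCert(c *x509.Certificate, now time.Time, warnDays int) (findings []string) {
	if now.After(c.NotAfter) {
		findings = append(findings, "expired on "+c.NotAfter.UTC().Format("2006-01-02"))
	} else if c.NotAfter.Sub(now) < time.Duration(warnDays)*24*time.Hour {
		findings = append(findings, fmt.Sprintf("expires within %d days", warnDays))
	}
	switch c.SignatureAlgorithm { // hashes no longer acceptable for TLS server certs
	case x509.MD5WithRSA, x509.SHA1WithRSA, x509.ECDSAWithSHA1:
		findings = append(findings, "weak signature algorithm: "+c.SignatureAlgorithm.String())
	}
	if pub, ok := c.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < 2048 {
		findings = append(findings, fmt.Sprintf("RSA key too short: %d bits", pub.N.BitLen()))
	}
	return findings
}

// newTestCert mints a constructed self-signed RSA certificate (SAN only) for the demo.
func newTestCert(host string, bits int, notAfter time.Time) *x509.Certificate {
	key, _ := rsa.GenerateKey(rand.Reader, bits) // demo key; rand.Reader does not fail in practice
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host},
		NotBefore: notAfter.Add(-365 * 24 * time.Hour), NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err) // the template is fixed, so an error here is a bug in the demo
	}
	cert, _ := x509.ParseCertificate(der) // DER from CreateCertificate always parses
	return cert
}

func main() {
	now := time.Now()
	for _, c := range []*x509.Certificate{
		newTestCert("app.example.test", 2048, now.Add(400*24*time.Hour)), // healthy
		newTestCert("old.example.test", 1024, now.Add(-48*time.Hour)),    // expired, weak key
	} {
		fmt.Printf("%-18s %v\n", c.DNSNames[0], AssessCert(c, now, 30))
	}
}
```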

The NCCoE has identified as a best practice that all enterprises establish a formal TLS server certificate
management program that is consistent with overall organizational security policies and that has
executive responsibility, guidance, and support for the following purposes:

  • Recognize the harm that improper management of TLS server certificates can cause to business
    operations and provide guidance to mitigate risks related to TLS certificates.
  • Ensure that the central certificate services team and the local application owners and system
    administrators understand the risks to the enterprise and are accountable for their roles in
    managing TLS server certificates.
  • Establish an action plan to implement these recommendations and track progress.

