Q

Generic PKI CA threat model

Are you aware of a generic PKI CA threat model that can be adopted by my enterprise?


Generically, consider your CA to be a valuable server, and treat it like you would treat any other valuable server, such as one protecting HR data, financial information and so on. That means keeping it physically protected, too. Also consider your own software and network protections: intrusion-detection systems, a separate firewall for it and so on. Even better is to keep your CA server off of your normal network and only use "sneakernet" to get to it, but that often doesn't mix well with the whole reason for having a CA server, namely that it is a server.

CAs are special in that you can buy special purpose hardware to speed them up and secure their most sensitive components, too.

SANS and CSI have courses and publications about protecting systems. Look over their Web sites.

However, hardly any system is generic. The specifics of how you protect your system depend on what you are doing with it.



This was last published in July 2001
