Ask the Expert

Generic PKI CA threat model

Are you aware of a generic PKI CA threat model that can be adopted by my enterprise?


Generically, consider your CA to be a valuable server, and treat it like you would treat any other valuable server, such as one protecting HR data, financial information and so on. That means keeping it physically protected, too. Also consider your own software and network protections: intrusion-detection systems, a separate firewall for it and so on. Even better is to keep your CA server off of your normal network and only use "sneakernet" to get to it, but that often doesn't mix well with the whole reason for having a CA server, namely that it is a server.

CAs are special in that you can buy special-purpose hardware to speed them up and secure their most sensitive components, too.
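The usual way to reconcile "keep the CA off the network" with "it has to be a server" is a two-tier hierarchy: an offline root whose private key is used only to sign a subordinate issuing CA, and an online issuing CA that does the day-to-day signing under a path-length constraint so it can never extend the hierarchy. The program below is an added illustration of that pattern, not code from the column or from any product; it uses only the Go standard library, and the root key's scope inside one function stands in for the air-gapped host (every name and date in it is a constructed placeholder).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hierarchy is what the online host ends up holding: the root's certificate
// (the only root artifact that ever leaves the offline machine), the issuing
// CA's certificate and private key, and one leaf certificate it has issued.
type Hierarchy struct {
	RootCert, IssuingCert, LeafCert *x509.Certificate
	IssuingKey                      *ecdsa.PrivateKey
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign issues a certificate from template under parent, using signer's key.
func sign(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// caTemplate builds a CA template; pathLen 0 means "may sign end-entity
// certificates only, never another CA".
func caTemplate(serial int64, cn string, now time.Time, years, pathLen int) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now,
		NotAfter:              now.AddDate(years, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLen:            pathLen,
		MaxPathLenZero:        pathLen == 0,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// leafTemplate builds a server (end-entity) template for a constructed hostname.
func leafTemplate(serial int64, now time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "server.example.test"},
		DNSNames:     []string{"server.example.test"},
		NotBefore:    now,
		NotAfter:     now.AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// BuildHierarchy models the offline-root pattern: rootKey exists only inside
// this function (standing in for the air-gapped host) and is used exactly once,
// to sign the issuing CA. Only the root *certificate* is handed out.
func BuildHierarchy(now time.Time) (*Hierarchy, error) {
	rootKey := newKey()
	rootTmpl := caTemplate(1, "Example Offline Root CA", now, 10, 1)
	rootCert, err := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	issuingKey := newKey() // the only signing key the online host ever holds
	issuingCert, err := sign(caTemplate(2, "Example Online Issuing CA", now, 5, 0), rootCert, &issuingKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	leafKey := newKey()
	leafCert, err := sign(leafTemplate(3, now), issuingCert, &leafKey.PublicKey, issuingKey)
	if err != nil {
		return nil, err
	}
	return &Hierarchy{RootCert: rootCert, IssuingCert: issuingCert, LeafCert: leafCert, IssuingKey: issuingKey}, nil
}

// chains reports whether leaf validates up to root through the given intermediates.
func chains(leaf, root *x509.Certificate, now time.Time, inters ...*x509.Certificate) error {
	roots, pool := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range inters {
		pool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: pool, DNSName: "server.example.test", CurrentTime: now})
	return err
}

// VerifyLeaf checks the normal path: leaf -> issuing CA -> offline root.
func VerifyLeaf(h *Hierarchy, now time.Time) error {
	return chains(h.LeafCert, h.RootCert, now, h.IssuingCert)
}

// SubCAWouldBeRejected confirms the containment property: even if the online
// issuing key signed a further CA, relying parties reject anything beneath it,
// because the issuing CA carries pathlen:0 (and the root pathlen:1).
func SubCAWouldBeRejected(h *Hierarchy, now time.Time) bool {
	subKey := newKey()
	subCert, err := sign(caTemplate(4, "Sub CA below issuing CA", now, 1, 0), h.IssuingCert, &subKey.PublicKey, h.IssuingKey)
	if err != nil {
		return false
	}
	leafKey := newKey()
	leaf, err := sign(leafTemplate(5, now), subCert, &leafKey.PublicKey, subKey)
	if err != nil {
		return false
	}
	return chains(leaf, h.RootCert, now, h.IssuingCert, subCert) != nil
}

func main() {
	now := time.Now()
	h, err := BuildHierarchy(now)
	if err != nil {
		panic(err)
	}
	fmt.Println("leaf chains to offline root:", VerifyLeaf(h, now) == nil)
	fmt.Println("CA below issuing CA rejected:", SubCAWouldBeRejected(h, now))
}
```

The design choice worth noticing is that the returned `Hierarchy` never contains the root key: in a real deployment the equivalent is that only a CSR travels to the offline machine and only a signed certificate comes back, so a compromise of the online server costs you the issuing CA (which you can revoke and replace from the root) rather than the trust anchor.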

SANS and CSI have courses and publications about protecting systems. Look over their Web sites.

However, hardly any system is generic. The specifics of how you protect your system depend on what you are doing with it.

For more information on this topic, visit these other resources:
Best Web Links: Public and private keys/PKI
News & Analysis: CA edges into enterprise PKI

This was first published in July 2001
