Q

Generic PKI CA threat model

Are you aware of a generic PKI CA threat model that can be adopted by my enterprise?


Generically, consider your CA to be a valuable server, and treat it like you would treat any other valuable server, such as one protecting HR data, financial information and so on. That means keeping it physically protected, too. Also consider your own software and network protections: intrusion-detection systems, a separate firewall for it and so on. Even better is to keep your CA server off your normal network and only use "sneakernet" to get to it, but that often doesn't mix well with the whole reason for having a CA server, namely that it is a server.

CAs are special in that you can buy special-purpose hardware to speed them up and secure their most sensitive components, too.

SANS and CSI have courses and publications about protecting systems. Look over their Web sites.

However, hardly any system is generic. The specifics of how you protect your system depend on what you are doing with it.
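The usual way to get the "off the network" protection the answer describes without giving up the service is a two-tier hierarchy: an offline root CA whose private key never touches a networked host, and an online issuing CA that does the day-to-day signing and can be revoked and re-issued by the root if it is compromised. The script below is an added example, not code from the answer above or from SearchSecurity; it assumes an OpenSSL command-line tool on PATH, and the directory names, subject names and lifetimes are assumptions chosen for the demo. The "sneakernet" transfer of the issuing CA's signing request to the offline host and of the signed certificate back is modelled by plain `cp` between two directories.

```shell
#!/bin/sh
# Added example: two-tier CA layout with an offline root and an online issuing CA.
# Assumptions: an OpenSSL CLI on PATH; OFFLINE_DIR stands in for an air-gapped host
# and ONLINE_DIR for the networked issuing CA. Names and lifetimes are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"
OFFLINE_DIR="$WORK/offline-root"    # hypothetical air-gapped machine
ONLINE_DIR="$WORK/online-issuing"   # hypothetical networked issuing CA

# Build the hierarchy: root (offline) -> issuing CA (online) -> leaf.
build_hierarchy() {
    mkdir -p "$OFFLINE_DIR" "$ONLINE_DIR"

    # 1. Offline root: self-signed, long-lived. root.key is written only here.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
        -subj "/CN=Example Offline Root CA" \
        -keyout "$OFFLINE_DIR/root.key" -out "$OFFLINE_DIR/root.crt" 2>/dev/null

    # 2. Issuing CA: key is generated on the online host; only the CSR travels
    #    to the offline host, and only the signed certificate comes back.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Example Online Issuing CA" \
        -keyout "$ONLINE_DIR/issuing.key" -out "$ONLINE_DIR/issuing.csr" 2>/dev/null
    cp "$ONLINE_DIR/issuing.csr" "$OFFLINE_DIR/issuing.csr"      # sneakernet, outbound
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$OFFLINE_DIR/issuing.ext"
    openssl x509 -req -in "$OFFLINE_DIR/issuing.csr" \
        -CA "$OFFLINE_DIR/root.crt" -CAkey "$OFFLINE_DIR/root.key" -CAcreateserial \
        -days 1825 -sha256 -extfile "$OFFLINE_DIR/issuing.ext" \
        -out "$OFFLINE_DIR/issuing.crt" 2>/dev/null
    cp "$OFFLINE_DIR/issuing.crt" "$ONLINE_DIR/issuing.crt"      # sneakernet, inbound
    cp "$OFFLINE_DIR/root.crt" "$ONLINE_DIR/root.crt"            # public root cert only

    # 3. A leaf certificate, issued by the online CA as part of normal service.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=app.example.internal" \
        -keyout "$ONLINE_DIR/leaf.key" -out "$ONLINE_DIR/leaf.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth\n' \
        > "$ONLINE_DIR/leaf.ext"
    openssl x509 -req -in "$ONLINE_DIR/leaf.csr" \
        -CA "$ONLINE_DIR/issuing.crt" -CAkey "$ONLINE_DIR/issuing.key" -CAcreateserial \
        -days 90 -sha256 -extfile "$ONLINE_DIR/leaf.ext" \
        -out "$ONLINE_DIR/leaf.crt" 2>/dev/null
}

# What a relying party checks: the root is trusted, the issuing CA is just
# an untrusted intermediate supplied with the leaf.
verify_leaf() {
    openssl verify -CAfile "$ONLINE_DIR/root.crt" \
        -untrusted "$ONLINE_DIR/issuing.crt" "$ONLINE_DIR/leaf.crt" >/dev/null 2>&1
}

# The property the threat model cares about: the root private key exists on
# the offline host and nowhere on the online host.
root_key_absent_online() {
    [ -e "$OFFLINE_DIR/root.key" ] && [ ! -e "$ONLINE_DIR/root.key" ]
}

# A leaf that validated directly against the root would mean the root key had
# been used for routine issuance, i.e. online. It must not.
leaf_not_signed_by_root() {
    ! openssl verify -CAfile "$ONLINE_DIR/root.crt" "$ONLINE_DIR/leaf.crt" >/dev/null 2>&1
}

build_hierarchy
verify_leaf && root_key_absent_online && leaf_not_signed_by_root && echo "hierarchy OK"
```

In a real deployment the file `root.key` is the thing the special-purpose hardware the answer mentions exists to protect: it would live in a hardware security module on the offline host, and the `pathlen:0` constraint on the issuing CA means that even a stolen issuing key cannot be used to mint further CAs. Compromise of the online tier is then contained to "revoke the issuing CA at the root and re-issue", which is exactly the recovery path the threat model should plan for.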



This was first published in July 2001
