
Generic PKI CA threat model

Are you aware of a generic PKI CA threat model that can be adopted by my enterprise?

Generically, consider your CA to be a valuable server, and treat it like you would treat any other valuable server, such as one protecting HR data, financial information and so on. That means keeping it physically protected, too. Also consider your own software and network protections: intrusion-detection systems, a separate firewall for it and so on.

Even better is to keep your CA server off your normal network and only use "sneakernet" to get to it, but that often doesn't mix well with the whole reason for having a CA server, namely that it is a server. CAs are special in that you can buy special-purpose hardware to speed them up and secure their most sensitive components, too.

SANS and CSI have courses and publications about protecting systems. Look over their Web sites. However, hardly any system is generic. The specifics of how you protect your system depend on what you are doing with it.
This was last published in July 2001
