Entrust PKI as a Service

Management, operational and physical controls

See below for the certificate life-cycle operational requirements.

Physical Security Controls

See below for the practice statement on physical security controls.

  • Site location and construction:

    • The HSM and Activation Data are located in Tier III, SSAE-18 datacenters or stored in a two-person-controlled safe in a facility where only Entrust-authorized personnel have access. Access to these facilities is restricted to personnel in Trusted Roles.

    • One or more public clouds provide the computing facilities that host the Certificate issuance, revocation, and status service components. The physical security controls imposed on components residing within a Public Cloud are outside the scope of this CPS.

  • Physical access: Two-person control is required for physical access to the HSM. Alarm mechanisms notify security personnel of any violation of the rules for access to the HSM.

  • Power and air conditioning: The HSM is hosted in Tier III datacenters.

    • The security zone is equipped with:

      • Filtered, conditioned power connected to an appropriately sized UPS and generator;
      • Heating, ventilation, and air conditioning appropriate for a commercial data processing facility; and
      • Emergency lighting.
    • The environmental controls conform to local standards and are appropriately secured to prevent unauthorized access and/or tampering with the equipment. Temperature control alarms and alerts are activated upon detection of threatening temperature conditions.

  • Water exposures: The HSM is hosted in Tier III datacenters and is not in danger of exposure to water. No liquid, gas, exhaust, or similar pipes traverse the controlled space other than those directly required for the area’s HVAC system and for the pre-action fire suppression system. Water pipes for the pre-action fire suppression system are only filled when multiple fire alarms are activated.

  • Fire prevention and protection: The HSM is hosted in Tier III datacenters equipped with fire suppression mechanisms. The facility is fully wired for fire detection, alarm, and suppression. Routine, frequent inspections of all systems are made to assure adequate operation.

  • Media storage: All media is stored away from sources of heat and from obvious sources of water or other obvious hazards. Electromagnetic media (e.g. tapes) are stored away from obvious sources of strong magnetic fields.

  • Waste disposal: Waste containing sensitive information shall be destroyed, such that the information is unrecoverable, before disposal. Media used to store sensitive data shall be destroyed before disposal, such that the information is unrecoverable.

  • Off-Site Backup: Backups of the CA key material and CA databases, sufficient to recover from system failure, shall be made on a periodic schedule in accordance with the disaster recovery requirements.

Procedural controls for the CA

See below for the practice statements on procedural controls for the CA.

  • Trusted roles: Personnel in Trusted Roles will not be assigned other responsibilities that conflict with their operational responsibilities for the CA. Their privileges will be limited to the minimum required to carry out their assigned duties.

  • Number of persons required per task: The CA Private Keys are backed up, stored, and recovered only by personnel in Trusted Roles using dual control in a physically secured environment.

  • Identification and authentication for each role: An individual performing a Trusted Role shall identify and authenticate their identity before being permitted to perform any actions or responsibilities associated with that Trusted Role.

  • Roles requiring separation of duties: Personnel in Trusted Roles who can deploy to or access the PKIaaS production systems do not have the ability to commit software code, and development team members who can commit code cannot deploy to or access PKIaaS production systems.

Personnel controls

See below for the practice statements on personnel controls.

  • Qualifications, experience, and clearance requirements: Personnel in Trusted Roles must undergo background investigations and must be trained for their specific role.

  • Background check procedures: Background checks are conducted as per the Entrust hiring processes.

  • Training requirements: Personnel in Trusted Roles will receive training. Where applicable, training will be conducted in the following areas:

    • CA security principles and mechanisms;
    • PKI duties they are expected to perform;
    • Disaster recovery and business continuity procedures; and
    • Stipulations of this CPS.

  • Retraining frequency and requirements: No stipulation.

  • Job rotation frequency and sequence: No stipulation.

  • Sanctions for unauthorized actions: No stipulation.

  • Contracting personnel requirements: Contractor personnel employed to perform functions pertaining to the PKIaaS must meet applicable requirements as set forth in this CPS.

  • Documentation supplied to personnel: No stipulation.

Audit logging procedures

See below for the practice statements on audit logging procedures.

  • Types of events recorded: Significant security events in the CAs are automatically time-stamped and recorded as audit logs. Audit logs are archived periodically. Where these events cannot be electronically logged, the CA shall supplement electronic audit logs with physical logs as necessary. The foregoing record requirements include, but are not limited to, an obligation to record the following events:

    • CA Certificate key lifecycle events, including:
      • CA Private Key generation, backup, storage, destruction, and recovery;
      • CA certificate requests and CA certificate revocation;
      • Cryptographic device lifecycle management events;
    • Subscriber Certificate lifecycle management events, including:
      • Certificate issuance requests and revocation requests;
      • Generation of CRLs;
    • Security events, including:
      • Successful and unsuccessful PKI system access attempts;
      • PKI and security system actions performed;
      • Entries to and exits from the facility housing the HSM.

  • Frequency of processing data: A Security Information and Event Management (SIEM) system continuously monitors the audit logs. Policy violations and other significant events generate alerts that operations and security teams review for malicious activity.

  • Retention period for security audit data: The audit logs are retained on the PKI system for at least three months and periodically archived in accordance with section Records Archival.

  • Protection of security audit data: Audit logs remain stored on the PKI systems until archived in accordance with section Records Archival. Only Trusted Role personnel have access to the PKI systems.

  • Audit log backup procedures: Audit logs are periodically archived in accordance with section Records Archival.

  • Audit collection system: Audit collection processes are integral to the system and cover its entire deployment time. Should it become apparent that an automated audit system has failed, the Operational Authority will be notified and will consider suspending operations until the audit capability can be restored.

  • Notification to event-causing subject: No stipulation.

  • Vulnerability assessments: Vulnerability scans are conducted monthly to identify system weaknesses and patching requirements for operating systems and supporting infrastructure. Identified vulnerabilities are analyzed and addressed in accordance with Entrust’s Patch and Vulnerability Management Standards.

  • Risk assessments:

    • An annual risk assessment:

      1. Identifies foreseeable internal and external threats that could result in unauthorized access, disclosure, misuse, alteration, or destruction of any Certificate data or Certificate management processes;
      2. Assesses the likelihood and potential damage of these threats, taking into consideration the sensitivity of the Certificate data and Certificate management processes; and
      3. Assesses the sufficiency of the policies, procedures, information systems, technology, and other arrangements that the CA has in place to counter such threats.
    • Based on the risk assessment, a security plan is developed, implemented, and maintained, consisting of security procedures, measures, and products designed to achieve the above objectives and manage and control the risks identified during the risk assessment.

      • The security plan includes administrative, organizational, technical, and physical safeguards appropriate to the sensitivity of the Certificate data and Certificate management processes.
      • The security plan also considers the available technology and the cost of implementing the specific measures. It implements a reasonable level of security appropriate to the harm that might result from a security breach and the nature of the data to be protected.

Records Archival

See below for the practice statement on records archival.

  • Types of records archived: The audit logs, data, and revocation information for the CAs are archived, as are data necessary to access or verify archive contents.

  • Retention period for archive: PKIaaS retains audit logs for a maximum of 6 years. The data and revocation information of expired or deleted CAs are permanently deleted within 60 days.

  • Protection of archive: The archive data is stored in a two-person-controlled safe in a facility to which only Entrust-authorized personnel have access.

  • Archive backup procedures: No stipulation.

  • Requirements for time-stamping of records: No stipulation.

  • Archive collection system: Archive data will be collected as part of the routine system backup procedures, along with physical materials such as cryptographic modules and datacenter access logs, which will be stored manually.

  • Procedures to obtain and verify archive information: No stipulation.

Key changeover

CAs will not be re-keyed.

  • CA key pairs will be retired from service at the end of their lifetimes.

  • New CA key pairs will be created as required to support the continuation of CA Services.

  • Each CA will continue to publish CRLs signed with the original key pair until all Certificates issued using that original key pair have expired.

Compromise and Disaster Recovery

See below for the practice statement on compromise and disaster recovery.

  • Incident and compromise handling procedures:

    • The disaster recovery plan addresses the following:

      • The conditions for activating the plans
      • Resumption procedures
      • A maintenance schedule for the plan
      • Awareness and education requirements
      • The responsibilities of the individuals
      • Recovery point objective (RPO) of fifteen minutes
      • Recovery time objective (RTO) of 24 hours for essential CA operations, which include Certificate revocation and issuance of Certificate revocation status
      • Testing of recovery plans
    • To mitigate the impact of a disaster, the CAs have implemented the following:

      • Four datacenters with highly available HSMs and secure on-site and off-site storage of backup HSMs containing copies of all CA Private Keys
      • Secure on-site and off-site storage of all requisite activation materials
      • Database replication between primary and secondary regions
      • Daily database backups within both the primary and secondary regions
      • Weekly backup of critical data to a secure off-site storage facility
      • Secure off-site storage of the disaster recovery plan and disaster recovery procedures
    • Entrust has implemented physical data centers near Dallas, TX, and Denver, CO. It has also implemented physical data centers for European Union coverage in Munich and Frankfurt, Germany.

    • Cloud-based components utilize multiple availability zones for high availability and a secondary region for disaster recovery.

    • Entrust requires rigorous security controls to maintain the integrity of the CAs. Entrust views the compromise of the Private Key used by a CA as being very unlikely; however, Entrust has policies and procedures that will be employed in the event of such a compromise. At a minimum, all RAs will be informed as soon as practicable of such a compromise. Certificates signed by the compromised CA will be revoked.

  • Computing resources, software, or data are corrupted: No stipulation.

  • Entity private key compromise procedures: In the event of a compromised RA credential, the credential is revoked.

  • Business continuity capabilities after a disaster: No stipulation.

  • CA termination: In the event of termination because the Customer has terminated service, new Customer issuance and revocation operations will be rejected, and publication of certificate status will cease.