Operation

Entrust PKIaaS implements the following operational procedures.

Physical locations

In each region, Entrust has implemented two physical data centers with failover between the two.

Region	Data centers
US	Dallas (TX), Denver (CO)
EU	Munich (Germany), Frankfurt (Germany)

Cloud-based components use multiple availability zones for high availability and a second region for disaster recovery.

The HSM and Activation Data are located in either:

The personnel with a Trusted Role:

Can backup, store, and recover CA Private Keys using dual control in a physically secured environment.
Receive alarm notifications on any violation of the rules for accessing the HSM or a CA.
Are trained for their specific role and must undergo background investigations.
Cannot change the product code.

When a customer requests to provision a new CA, an API-based process generates the CA key pair within HSMs in a physically secured environment.

Significant security events in the CAs are automatically time-stamped and recorded as internal audit logs. Audit logs are:

Periodically archived.
Constantly monitored by the Entrust Security Information and Event Management (SIEM) system.

Additionally:

The operations and security teams review the alerts generated by possible policy violations and other significant events.
You can see the basic audit logs related to your Entrust PKIaaS account in the Enterprise UI using the Reports function.

To mitigate the event of a disaster, Entrust PKIaaS utilizes:

Two data centers in each region (US and EU) with highly available HSMs
Secure on-site and off-site storage of backup HSMs containing copies of all CA private keys
Real-time database replication between primary and secondary cloud regions
Daily database backups in both the primary and secondary cloud regions
Weekly backup of critical data to a secure off-site storage facility