What is a Certificate Authority (CA)?

A Certificate Authority (CA) is an organization that issues digital certificates for use by other parties. Each certificate contains the certificate holder’s public key and attests to the certificate holder’s identity. CAs are needed because they act as trusted third parties: they certify the identity of certificate owners and sign the digital certificates, which in turn enable encryption of data transmitted between certificate owners and relying parties.
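The roles described above, as an added example that is not part of the original page: a minimal PKI written against Go's standard-library crypto/x509 package. A CA key self-signs a root certificate, the CA issues a subscriber certificate that binds a hostname to the subscriber's public key, a relying party verifies that the certificate chains to the CA it trusts, and the CA publishes a signed certificate revocation list (CRL) that the relying party checks before accepting the certificate. All function names, the CA names and the hostname www.example.test are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Added example, not the page's own code; every name here is hypothetical.
// Short validity window for the throwaway certificates generated below.
var notBefore, notAfter = time.Now().Add(-time.Hour), time.Now().Add(24 * time.Hour)

// newCA builds a self-signed CA certificate: the trusted third party whose
// public key relying parties are configured to trust.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true,
		// Signing certificates and CRLs is all a CA key should ever do.
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	return issue(tmpl, nil, nil)
}

// issueLeaf is the CA signing a subscriber certificate: it binds the subscriber's
// public key to the identity (here a hostname) the CA has authenticated.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string, serial int64) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: notBefore, NotAfter: notAfter,
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	cert, _, err := issue(tmpl, ca, caKey) // the subscriber keeps the private key
	return cert, err
}

// issue generates a fresh key pair for tmpl and has parent sign it; with a nil
// parent the certificate is self-signed, i.e. a root.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifyLeaf is the relying party's check: does the certificate chain to a CA
// it trusts, and is it valid for the name it is connecting to?
func verifyLeaf(leaf, trustedCA *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// issueCRL is the revocation-status service: the CA publishes a signed list of
// serial numbers it no longer vouches for. (RevokedCertificates is the older
// field name, kept here so the code builds on a wider range of Go versions.)
func issueCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revoked ...*big.Int) ([]byte, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: notBefore, NextUpdate: notAfter}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: s, RevocationTime: notBefore})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
}

// isRevoked checks the CRL's signature before believing anything in it, then
// looks the leaf's serial number up in the revoked list.
func isRevoked(crlDER []byte, ca, leaf *x509.Certificate) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return false, err // a CRL not signed by this CA tells us nothing
	}
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}
```

Calling newCA, issueLeaf, verifyLeaf, issueCRL and isRevoked in that order walks through the two checks a relying party actually performs: the chain must terminate in a CA it already trusts (a certificate with the same hostname issued by an unrelated CA is rejected), and revocation status is only taken from a CRL whose signature the trusted CA's certificate validates. The CRL step is the piece of the CA's infrastructure that has to stay highly available, since every relying party fetches it on every connection.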

What are the most critical responsibilities that a CA should be focused on?

In general, there are three basic areas of responsibility that CAs should focus on:
  • Security: Securing the certificate infrastructure through physical and logical controls
  • Performance: Maintaining a highly available, highly responsive infrastructure, especially the infrastructure needed to serve certificate revocation status
  • Authentication: Following strict authentication practices and procedures is extremely important because authentication forms the basis of trust on the Internet

What are some of the most important environmental controls to consider?

Here are a few of the most important IT infrastructure controls that CAs should implement:
  • Security planning and governance: Information security should be planned, managed and supported at the highest level of the organization. There should be an information security policy document that includes physical, personnel, procedural and technical controls, and that is approved by management and published and communicated to all employees
  • Asset classification and management: CA assets and subscriber and relying party information should receive an appropriate level of protection
  • Personnel security: CAs should provide reasonable assurance that personnel and employment practices enhance and support the trustworthiness of the CA’s operations, identifying Trusted Roles, assigning specific responsibilities to (and performing background checks on) people in these roles
  • Physical security: Physical access to CA facilities and equipment must be limited to authorized individuals, protected through restricted security perimeters. This includes the facility itself, as well as all equipment
  • Operations: CAs must ensure the correct and secure operation of CA information processing facilities, minimize the risk of system failure or infection by malware/viruses, develop incident reporting and response procedures, and protect media from theft, loss, damage or unauthorized access
  • System access: CAs must limit access to authorized individuals; this includes user access controls, as well as access to operating systems, databases, and applications
  • System development: CAs must provide assurance that development and maintenance activities are documented, tested, authorized, and properly implemented to maintain CA system integrity
  • Business continuity: CAs must develop and test a business continuity plan that includes a disaster recovery process to minimize potential disruptions to Subscribers and Relying Parties as a result of the cessation or degradation of the CA’s services
  • Monitoring and compliance: CAs should be able to demonstrate conformance with the relevant legal, regulatory and contractual requirements; compliance with the CA’s security policies and procedures; maximization of the effectiveness of the system audit process with minimal interference; and detection of unauthorized CA system usage