This article discusses the factors, roles, and methods required for remote monitoring, including auditing, identifying, and recording key management security events, in four key dimensions.
To ensure the system's security and authorized operation, a Key Management System (KMS) must identify, prevent, and alert the audit administrator of any potential security event. If KMS monitoring and auditing are not handled properly, the result may be key leakage, where an attacker obtains the key and retrieves the sensitive data.
Security monitoring and audit logs
Monitoring is a process that is parallel to the entire key management lifecycle. Security experts recommend that every server and device connected to the Internet be monitored for malicious activities. There are four important aspects of remote monitoring to consider:
- Monitor for unauthorized administrative access to systems to ensure that unapproved key management operations are not performed.
- Monitor the performance of systems. Cryptographic calculations tend to be CPU-intensive.
- Monitor the key in a production environment to ensure that the key has been generated and deployed properly. If a corrupted key is deployed too quickly without proper examination, the results could be catastrophic.
- A key management system (KMS) should audit every security-relevant event by detecting and recording the following details:
  - Type of event
  - Date and time of the event occurrence
  - Identity or role of the entity initiating the event
  - Event status such as success or failure
The following factors are mandatory for an effective audit:
- The audit log should provide a record of the relevant security functions performed.
- The audit capability should be able to detect any unusual events that should be investigated as soon as possible and report them to the audit administrator role.
- The audit capability and audit log should be protected from unauthorized modification so that the integrity of the audit system can be assured.
The audit administrator is responsible for inspecting all facets of a Key Management System in order to confirm its security by monitoring and reviewing the event logs.
It should also be noted that the audit administrator should not have access to any operational key other than their own keys. The unauthorized modification of a Key Management System can be detected using tools that run on a secure platform and monitor any modification to a file, such as changes to the file content hash value or changes to a file’s attributes.
If the monitoring program or event log detects unauthorized modifications to critical files, these files should be replaced with known valid and secure data located in secure storage.
If pervasive, unauthorized changes are made to the software, it must be retrieved.
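The file-modification check described above can be sketched as follows. This is an added example, not code from the article or from any KMS product: it baselines a file's content hash and attributes, re-checks them, and emits audit records with the four fields listed earlier. The file name `kms.conf`, the `integrity-monitor` role, and all function names are hypothetical, and the sample file is constructed for the demonstration.

```python
import hashlib, os, stat, tempfile
from datetime import datetime, timezone

def snapshot(path):
    """Content hash plus security attributes for one file."""
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"sha256": digest, "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid, "gid": st.st_gid}

def audit_event(event_type, actor, status, detail):
    """Audit record carrying the four fields listed in the article."""
    return {"type": event_type, "time": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "status": status, "detail": detail}

def check(baseline, actor="integrity-monitor"):
    """Compare each file to its baseline; return one audit event per file."""
    events = []
    for path, known in baseline.items():
        try:
            current = snapshot(path)
        except FileNotFoundError:
            changed = ["missing"]
        else:
            changed = sorted(k for k in known if known[k] != current[k])
        status = "failure" if changed else "success"
        detail = f"{path}: {','.join(changed) or 'unchanged'}"
        events.append(audit_event("file_integrity_check", actor, status, detail))
    return events

def demo():
    """Constructed sample: a stand-in config file is altered after baselining."""
    with tempfile.TemporaryDirectory() as d:
        cfg = os.path.join(d, "kms.conf")  # hypothetical file name
        with open(cfg, "w") as f:
            f.write("key_rotation_days=90\n")
        os.chmod(cfg, 0o600)
        baseline = {cfg: snapshot(cfg)}  # in practice kept in secure storage
        clean = check(baseline)
        with open(cfg, "a") as f:
            f.write("audit=off\n")  # content change
        os.chmod(cfg, 0o666)  # attribute change
        tampered = check(baseline)
        os.remove(cfg)
        missing = check(baseline)
    return clean, tampered, missing

if __name__ == "__main__":
    for run in demo(): print(run[0]["status"], run[0]["detail"])
```

The check is only as trustworthy as the baseline, so the baseline and the monitor itself belong on the secure platform and storage the article refers to, not alongside the files being watched.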
Automated Monitoring Tools
Automated assessment tools, such as those specified in the Security Content Automation Protocol (SCAP), are becoming increasingly useful in assessing computer systems' current status and integrity. These tools can interrogate an operating system to determine its status in real-time.
Software version numbers can be validated for accuracy, and the confidentiality of the data files can be verified. Monitoring tools may execute on the platform being monitored or on another platform dedicated to monitoring other hosts. These monitoring tools can detect modifications to system files and post alerts and audits.
The KMS design should specify system monitoring requirements for sensitive system files to detect and/or prevent their modification or any modification to their security attributes, such as their access control lists. A Key Management System should be able to detect, report, and correct vulnerabilities in a timely and secure manner.
A Key Management System that employs automated techniques is highly desirable because automation lets the system continuously monitor its own security status, report potential problems to an authorized person fulfilling an appropriate KMS role, and minimize reliance on human monitoring of events that occur infrequently.