This article describes the factors, roles and tools required for remote monitoring of a Key Management System, including auditing, detecting and recording key management security events, organized around four key dimensions.
A Key Management System (KMS) should detect and, where possible, prevent security events and warn the audit administrator, so that the security of the system and the authorization of each operation can be verified. If KMS monitoring and auditing is handled poorly, a key compromise can go unnoticed: an attacker who obtains a key can recover all of the sensitive data that key protects.
Security monitoring and audit logs
Monitoring runs in parallel with the entire key management lifecycle. Every server and device connected to the Internet should be monitored for malicious activity, and a KMS is no exception. There are four key dimensions to remote monitoring that should be considered:
- Monitor for unauthorized administrative access to systems, so that unapproved key management operations are not performed.
- Monitor the performance of systems. Cryptographic calculations tend to be CPU-intensive, so the load on the KMS should be tracked.
- Monitor keys in the production environment to ensure that each key has been generated and deployed properly. If a corrupted key is deployed too quickly without proper examination, the results can be catastrophic.
- A KMS should audit every security-relevant event by detecting and recording the following details:
  - Type of event
  - Date and time of the event
  - Identity or role of the entity initiating the event
  - Event status, such as success or failure
The following factors are mandatory for an effective audit:
- The audit log should provide a record of the relevant security functions performed.
- The audit capability should have the ability to detect and report to the audit administrator role any unusual events that should be investigated as soon as possible.
- The audit capability and audit log should be protected from unauthorized modification so that the integrity of the audit system can be assured.
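The following is an added example, not code from the article or from NIST SP 800-130, of an audit log that meets the three requirements above: each record carries the event type, time, actor and role, and status; an `unusual_events` check surfaces records the audit administrator should investigate; and an HMAC hash chain makes any edit, deletion or reordering of records detectable. The MAC key, actors, roles and key IDs are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed MAC key for the example. In a real KMS the audit integrity key is
# held by the audit role (ideally inside the HSM) and is not an operational key.
AUDIT_MAC_KEY = b"example-audit-mac-key-not-for-production"

GENESIS = "0" * 64  # chain value before the first record


def _tag(mac_key, entry):
    """HMAC over every field of the record except the tag itself."""
    body = {k: v for k, v in entry.items() if k != "tag"}
    msg = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(mac_key, msg, hashlib.sha256).hexdigest()


class AuditLog:
    """Append-only audit log. Each record carries the four details the text
    requires (event type, time, actor/role, status) plus a chain link to the
    previous record, so deletion, reordering or edits are detectable."""

    def __init__(self, mac_key=AUDIT_MAC_KEY):
        self._key = mac_key
        self.records = []

    def record(self, event_type, timestamp, actor, role, status, **details):
        prev = self.records[-1]["tag"] if self.records else GENESIS
        entry = {
            "seq": len(self.records),
            "event_type": event_type,
            "timestamp": timestamp,   # ISO 8601 UTC, supplied by the caller
            "actor": actor,
            "role": role,
            "status": status,         # "success" or "failure"
            "details": details,
            "prev": prev,
        }
        entry["tag"] = _tag(self._key, entry)
        self.records.append(entry)
        return entry


def verify_chain(records, mac_key=AUDIT_MAC_KEY):
    """Return (True, None) if the log is intact, otherwise (False, index of the
    first record whose sequence number, chain link or MAC does not check out)."""
    prev = GENESIS
    for i, entry in enumerate(records):
        if entry.get("seq") != i or entry.get("prev") != prev:
            return False, i
        if not hmac.compare_digest(_tag(mac_key, entry), entry.get("tag", "")):
            return False, i
        prev = entry["tag"]
    return True, None


def unusual_events(records, failure_threshold=3):
    """Events the audit administrator should investigate: repeated failures by
    one actor, and any key operation performed under the audit role, which must
    never touch operational keys."""
    flags = []
    failures = {}
    for e in records:
        if e["status"] == "failure":
            failures[e["actor"]] = failures.get(e["actor"], 0) + 1
            if failures[e["actor"]] == failure_threshold:
                flags.append(f"seq {e['seq']}: {failure_threshold} failures by {e['actor']}")
        if e["role"] == "audit_admin" and e["event_type"].startswith("key_"):
            flags.append(f"seq {e['seq']}: audit role performed {e['event_type']}")
    return flags


def build_sample_log():
    """Constructed sample events (hypothetical actors, roles and key IDs)."""
    log = AuditLog()
    log.record("key_generate", "2024-01-10T09:00:00Z", "alice", "key_custodian", "success", key_id="k-001")
    for t in ("09:05", "09:06", "09:07"):
        log.record("key_export", f"2024-01-10T{t}:00Z", "mallory", "operator", "failure", key_id="k-001")
    log.record("key_read", "2024-01-10T09:30:00Z", "auditor1", "audit_admin", "success", key_id="k-001")
    log.record("log_review", "2024-01-10T10:00:00Z", "auditor1", "audit_admin", "success")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify_chain(log.records))
    for flag in unusual_events(log.records):
        print("ALERT", flag)
    tampered = [dict(r) for r in log.records]
    tampered[1]["status"] = "success"   # attacker hides a failed export
    print("after tampering:", verify_chain(tampered))
```

The chain only proves integrity against someone who lacks the MAC key, which is why the key must belong to the audit role and sit apart from the operational keys the log describes; shipping records to a separate collector as they are written closes the remaining gap, truncation of the tail.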
The audit administrator is responsible for auditing all aspects of a Key Management System to verify its security by managing and reviewing the event logs.
It should also be noted that the audit administrator should not have access to any operational key other than their own keys: the person reviewing the log must not be able to use the keys whose use the log records. Unauthorized modification of a Key Management System can be detected using tools that run on a secure platform and monitor for changes to a file's content hash or to its attributes, such as permissions and ownership.
A layered system of protections is often built into a Key Management System. When protective mechanisms are built into the system, they need to be protected from the same threats as the system itself.
When the monitoring utility detects, or the event log indicates, an unauthorized modification of a critical file, that file should be replaced with a known valid and secure copy held in secure storage.
If unauthorized changes to the software are pervasive, the software itself should be recovered, i.e. reinstalled from a trusted copy rather than repaired file by file.
Automated Monitoring Tools
Automated assessment tools, such as those specified in the Security Content Automation Protocol (SCAP), are becoming increasingly useful in assessing the current status and integrity of computer systems. These tools can interrogate an operating system to determine its status in real time.
Software version numbers can be checked for accuracy, and the integrity of data files can be verified. Monitoring tools may execute on the platform being monitored or on a separate platform dedicated to monitoring other hosts. These tools can detect modifications to system files, raise alerts and write audit records.
The KMS design should specify system monitoring requirements for sensitive system files to detect and/or prevent their modification or any modification to their security attributes, such as their access control lists. A Key Management System should have the capability to detect, report, and fix flaws in a prompt and secure manner.
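As an added example (not code from the article, from NIST SP 800-130 or from any SCAP tool), the following implements the detect, report and fix cycle described above for sensitive KMS files: it baselines each file's content hash and security attributes, reports any drift, and replaces a modified file with the golden copy from secure storage. File mode and owner stand in for the access control lists the text mentions; the two configuration files, their contents and the tampering are constructed inside a temporary directory.

```python
import hashlib
import os
import shutil
import stat
import tempfile
from pathlib import Path


def fingerprint(path):
    """Content hash plus the security attributes a KMS cares about. Mode and
    owner stand in for ACLs; on platforms with richer ACLs those would be
    captured here as well."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {
        "sha256": h.hexdigest(),
        "mode": stat.S_IMODE(st.st_mode),
        "uid": st.st_uid,
        "gid": st.st_gid,
    }


def take_baseline(paths):
    """Baseline taken while the files are known to be good. In practice it is
    stored off the monitored host (or signed), so an attacker who changes a
    file cannot also change its expected fingerprint."""
    return {str(p): fingerprint(p) for p in paths}


def check(baseline):
    """Compare every baselined file with its current state. Returns a list of
    (path, reason) findings; an empty list means no drift was detected."""
    findings = []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            findings.append((path, "missing"))
            continue
        actual = fingerprint(path)
        for field, value in expected.items():
            if actual[field] != value:
                findings.append((path, f"{field} changed"))
    return findings


def restore(path, secure_store, baseline):
    """Replace a modified file with the known-good copy from secure storage,
    reapply the baselined mode, and confirm the content now matches."""
    shutil.copy2(Path(secure_store) / Path(path).name, path)
    os.chmod(path, baseline[path]["mode"])
    return fingerprint(path)["sha256"] == baseline[path]["sha256"]


def demo():
    """Constructed scenario: two hypothetical KMS config files, a secure store
    holding golden copies, then one content change and one permission change.
    Returns (findings before restore, findings after restore)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        secure_store = root / "secure_store"
        secure_store.mkdir()
        files = []
        for name, content in (("kms.conf", b"hsm_slot=0\n"),
                              ("policy.json", b'{"export": "deny"}\n')):
            p = root / name
            p.write_bytes(content)
            os.chmod(p, 0o640)
            shutil.copy2(p, secure_store / name)   # golden copy
            files.append(p)

        baseline = take_baseline(files)

        # Simulated unauthorized modifications.
        with open(files[0], "ab") as f:
            f.write(b"hsm_slot=9\n")               # content tampered
        os.chmod(files[1], 0o666)                  # access control weakened

        before = check(baseline)
        for path, _ in before:
            restore(path, secure_store, baseline)
        after = check(baseline)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    for path, reason in before:
        print("ALERT", path, reason)
    print("after restore:", after or "clean")
```

Run on a schedule (or from a separate monitoring host with read access to the KMS file system), `check` is the detection step, the printed findings are the report to the audit administrator, and `restore` is the fix; the baseline and the golden copies are themselves critical files and need the same protection as the system they guard.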
A Key Management System that employs automated monitoring techniques is highly desirable, because it can continuously monitor its own security status, report potential problems to an authorized person in the appropriate KMS role, and minimize reliance on humans noticing events that occur infrequently.
References and further reading
- NIST Special Publication 800-130, A Framework for Designing Cryptographic Key Management Systems (2013), E. Barker, M. Smid, D. Branstad, S. Chokhani
- The Key Management Life-Cycle (2008) by Ben Tomhave
Image: "DSC_3504_1-wm.jpeg", courtesy of Jonathan Tellier, Flickr (CC BY 2.0)