This article describes the factors, roles and tools required for remote monitoring, including auditing, detecting and recording key management security events, in four key dimensions.
A Key Management System (KMS) should detect and prevent possible security events and warn the audit administrator about them, so that the system's security and authorized operation can be verified. If KMS monitoring and auditing is not handled properly, it may lead to key leakage, where an attacker obtains the key and recovers the sensitive data.
Monitoring is a process that runs in parallel with the entire key management lifecycle. Security experts recommend that every server and device that is connected to the Internet be monitored for malicious activities. There are four key dimensions to remote monitoring that should be considered:
The following factors are mandatory for an effective audit:
The audit administrator is responsible for auditing all aspects of a Key Management System to verify its security by managing and reviewing the event logs.
The audit administrator should not have access to any operational key other than their own keys. Unauthorized modification of a Key Management System can be detected using tools that run on a secure platform and monitor any modification to a file, such as changes to the file content hash value or changes to the file's attributes.
Unauthorized modifications of critical files can be detected by the monitoring utility or indicated in the event log. These files should be replaced using known valid and secure files located in secure storage.
If pervasive, unauthorized changes to software are made, the software should be recovered.
Automated assessment tools, such as those specified in the Security Content Automation Protocol (SCAP), are becoming increasingly useful in assessing the current status and integrity of computer systems. These tools can interrogate an operating system to determine its status in real time.
Software version numbers can be checked for accuracy, and confidentiality of the data files can be verified. Monitoring tools may execute on the platform being monitored or on another platform dedicated to monitoring other hosts. These monitoring tools can detect modifications to system files and post alerts and audit.
The KMS design should specify system monitoring requirements for sensitive system files to detect and/or prevent their modification or any modification to their security attributes, such as their access control lists. A Key Management System should have the capability to detect, report, and fix flaws in a prompt and secure manner.
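The file monitoring described above (content hash changes, attribute changes, and the design requirement to watch security attributes) can be sketched as follows. This is an added example, not code from the article or from any KMS product: the file names are constructed, and POSIX mode bits and owner IDs stand in for access control lists as an assumption.

```python
import hashlib
import os
import stat
import tempfile

def snapshot(path):
    """Record the content hash and security attributes of one file."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return {"sha256": digest, "mode": stat.S_IMODE(st.st_mode),
            "uid": st.st_uid, "gid": st.st_gid}

def build_baseline(paths):
    """Known-good state; keep it in secure storage, off the monitored host."""
    return {p: snapshot(p) for p in paths}

def audit(baseline):
    """Compare current state with the baseline and return audit events."""
    events = []
    for path, known in sorted(baseline.items()):
        try:
            current = snapshot(path)
        except FileNotFoundError:
            events.append({"path": path, "event": "missing"})
            continue
        if current["sha256"] != known["sha256"]:
            events.append({"path": path, "event": "content_changed"})
        fields = [k for k in ("mode", "uid", "gid") if current[k] != known[k]]
        if fields:
            events.append({"path": path, "event": "attributes_changed",
                           "fields": fields})
    return events

def demo():
    """Constructed sample: three stand-in KMS files in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        files = {n: os.path.join(d, n) for n in ("kms.conf", "policy.db", "kmsd.bin")}
        for name, p in files.items():
            with open(p, "w") as fh:
                fh.write("constructed content for " + name)
            os.chmod(p, 0o600)
        baseline = build_baseline(files.values())
        with open(files["kms.conf"], "a") as fh:  # content modification
            fh.write("\nextra line")
        os.chmod(files["policy.db"], 0o644)        # attribute-only modification
        os.remove(files["kmsd.bin"])               # file removed
        return [(os.path.basename(e["path"]), e["event"]) for e in audit(baseline)]
```

Calling `demo()` returns one event per tampered file. A permission change with untouched content is reported separately from a content change, which a hash-only check would miss.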
A Key Management System that employs automated techniques is highly desirable because it can continuously monitor its own security status, report potential problems to an authorized person fulfilling an appropriate KMS role, and minimize reliance on human monitoring of events that occur infrequently.