Security Guidance

Your nShield HSM protects the confidentiality and integrity of your Security World keys. KeySafe 5 allows an authorized client to remotely configure and manage an estate of nShield HSMs. All network traffic between KeySafe 5 and clients using the WebUI, the REST API, or both, passes through a secure channel. This TLS-based secure channel is set up using token-based client authentication. The administrator of the KeySafe 5 system must remain diligent about which entities are given access to the system and about keeping the system securely configured.

Entrust recommends the following security-related actions for KeySafe 5 deployments:

  • Ensure that log levels are set appropriately for your environment.

    More verbose log levels might expose information that is useful for auditing users of KeySafe 5, but the log information also reveals which REST API operations were performed. While this log information might be useful for diagnostics, it could also be considered sensitive and should be suitably protected when stored.

  • Rotate the logs regularly. The log files could grow quickly if left unattended for a long time. The system administrator is responsible for log rotation.

  • Verify the integrity of the KeySafe 5 tar file before executing it. You can verify the integrity of this file with the hash provided with the software download.

  • Suitably protect the network environment of KeySafe 5 to maintain its availability, for example using firewalls and intrusion detection and prevention systems.

  • Ensure that the KeySafe 5 platform’s system clock is set accurately and only authorized system administrators can modify it so that the platform correctly interprets certificate and token lifetimes.

  • Ensure that only authorized system administrators have access to the KeySafe 5 system, and only trusted software is run on the platform hosting KeySafe 5.

  • Take standard virus prevention and detection measures on the platform hosting KeySafe 5.

  • The system administrator should consider whether threats in the KeySafe 5 deployment environment justify encrypting the sensitive configuration data held in Kubernetes secrets (see the Kubernetes documentation).

Customer security responsibilities

There are a number of third-party components that are required for correct KeySafe 5 operation, but which are not provided with KeySafe 5. These are considered the responsibility of the customer/operator.

It is the responsibility of the customer to:

  • Ensure that the Web Browser contains all the latest security updates from the Web Browser provider.

  • Ensure that only authenticated users who are trusted not to perform malicious actions are given access to the KeySafe 5 system.

  • Ensure the integrity of any component that is downloaded from an external source, for example by verifying the downloaded component against trusted hash fingerprints or signatures.

  • Ensure that a component is updated when an impacting CVE is published for the component.

  • Ensure that all components are configured in a secure fashion and deployed in a secure environment.

  • Ensure that all third-party components are configured in a secure fashion. For example, all third-party components should use mutually-authenticated secure channels to communicate with KeySafe 5.

  • Ensure that all certificates and keys, used for securing the communications between the third-party components and KeySafe 5, are uncompromised and of sufficient security strength.

  • Ensure that the permissions required to access any sensitive configuration items are suitably restrictive. For example, the permissions to access and manipulate a third-party component’s server certificates and their associated private keys should only be granted to authorised and trusted administrators.

  • Ensure that the external identity provider that issues the bearer token used to authenticate the KeySafe 5 user issues tokens with a short lifetime, so that the bearer token is reissued regularly. This mitigates the impact of a compromised bearer token, which would otherwise allow unapproved access to KeySafe 5 for a prolonged period.

  • Ensure that a threat analysis of the KeySafe 5 deployed environment has been performed, and that the results of this analysis justify any changes of KeySafe 5 default configuration.
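The bearer-token lifetime recommendation above can be audited against the tokens an identity provider actually issues. The following is an added example, not part of the KeySafe 5 documentation or product; it assumes the identity provider issues JWTs carrying standard `iat` and `exp` claims, and the 15-minute limit is a constructed policy value, since the page only says "short". It reads the claims without verifying the signature, because it audits identity-provider configuration rather than authenticating anyone.

```python
import base64
import json
import time

# Maximum acceptable bearer-token lifetime in seconds. Constructed policy
# value for this example; the guidance says "short" without a number.
MAX_LIFETIME_SECONDS = 15 * 60


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def token_lifetime(token: str) -> int:
    """Return exp - iat in seconds from a JWT payload.

    The signature is deliberately not checked: this is a configuration
    audit of the identity provider, not an authentication step. Tokens
    presented to KeySafe 5 are validated by KeySafe 5 itself.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    claims = json.loads(_b64url_decode(parts[1]))
    for name in ("iat", "exp"):
        if name not in claims:
            raise ValueError(f"token lacks the '{name}' claim")
    return int(claims["exp"]) - int(claims["iat"])


def lifetime_is_acceptable(token: str, max_seconds: int = MAX_LIFETIME_SECONDS) -> bool:
    """True when the token's lifetime is within the configured policy."""
    return token_lifetime(token) <= max_seconds


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT (empty signature) for local testing only."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    now = int(time.time())
    # Constructed sample tokens: one 10-minute token and one 24-hour token.
    samples = {
        "10-minute token": make_unsigned_token({"sub": "ks5-admin", "iat": now, "exp": now + 600}),
        "24-hour token": make_unsigned_token({"sub": "ks5-admin", "iat": now, "exp": now + 86400}),
    }
    for label, tok in samples.items():
        verdict = "OK" if lifetime_is_acceptable(tok) else "TOO LONG"
        print(f"{label}: lifetime {token_lifetime(tok)} s -> {verdict}")
```

Run it against a token captured from your own identity provider's test tenant to confirm the lifetime it grants matches the policy you intend.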