Security Best Practices
The ActivID Credential Management System (CMS) has been developed as a security product to provide a high level of security assurance to its owners, operators, and users. HID Global security processes have been implemented to meet the following ActivID CMS security objectives: ensuring the confidentiality, integrity and availability of keys, secrets, and other sensitive identity-related information so that only approved roles can access, manage, or use such information through ActivID CMS and its subsystem interfaces. Deploying such a security product without controlling and maintaining at all times a secure configuration and operating environment does not, however, provide the assurance that all of the product security objectives are met.
The topics in this section provide the most important security recommendations for reliably countering threats to the ActivID CMS security objectives. These security recommendations result from extensive experience with smart card solution deployments in a variety of IT-maintained network environments.
Adhering to the recommendations described in this section protects against a number of identified threats, but it does not completely guarantee that ActivID CMS and the assets it protects are fully and permanently secured. Deploying and maintaining a secure system is a sustained effort that requires IT security expertise and cooperation between IT professionals and other network and technical staff to ensure that security measures are properly executed and maintained.
Security Roles and Personnel Control
ActivID CMS roles and other subsystem operating roles should only be assigned to authenticated personnel. The most important of these roles is the local ActivID CMS Security Officer (SO). The SO is responsible for monitoring how security policies and procedures are applied by local personnel and by the hardware at the operating site.
Specifically, the ActivID CMS SO must supervise and enforce controls so that role separation is maintained and access privileges are not abused or misused. When a deployment spans multiple operating sites, multiple ActivID CMS SOs are required to supervise, monitor, and maintain security policies at each site. The ActivID CMS SO should obtain and maintain records of all role assignments and their revocations.
Hardware and Physical Setup and Maintenance
The ActivID CMS server must be located in a physically secure environment with restricted levels of access that are granted only on the basis of an authorized role. For example, personnel using a key, an access badge, or other supported means should receive only the type or level of access to the ActivID CMS server that their specific role provides.
Like any critical application, the ActivID CMS application must be deployed on robust and fault-tolerant server hardware. ActivID CMS should be configured with a Hardware Security Module (HSM). To support the HSM device attached to the server hardware, there must be an available PCI slot or other hardware resource as specified by the HSM provider (unless a network HSM is used).
During the installation and configuration of ActivID CMS, it may be necessary to have a direct console connection to the ActivID CMS server, so the server hardware should be physically accessible during deployment. In addition, the following is also recommended:
- ActivID CMS servers should be configured with a minimum of two network cards. This allows network segregation between the primary network, which operators and users access to connect to the ActivID CMS portals, and the secondary network, which ActivID CMS uses to communicate with all of its back-end components.
- ActivID CMS should be configured with an NTP server to avoid time change attacks on the server hosting ActivID CMS.
- Special care should be exercised when deploying ActivID CMS in production on a virtual machine environment. From the standpoint of security and reliability, the virtual machine environment must be considered just as secure and as reliable as the physical machines it replaces. Also, the HSM vendor must support the specific virtual machine environment that is used.
- As per standard physical controls for protecting IT equipment, the site requirements for the room housing the ActivID CMS server(s) should provide adequate system cooling and safeguards against fires and other environmental hazards.
For specific hardware and software prerequisites related to the installation of ActivID CMS servers, refer to Installation Prerequisites.