
[Suggestion] Integration of Certificate LCM with related security processes

Open knowlengr opened this issue 2 years ago • 2 comments

Description: Add and integrate certificate management best practices and principles with other recommendations

Impact: Improve security posture for selected use cases; enhance productivity where automation support can be added. Potentially add an additional trust layer for zero trust.

Scope: Minimally, a day of research, reading, a day of drafting with a second day to edit. A deeper, more opinionated / influential review would embed certificate recommendations into other CNCF Security TAG artifacts.

Suggested Subtopics | Selected References

SDLC, for cloud native, particularly as integrated with CI/CD but also IaC

Identify best practices for three recognized categories of SSL certificate authentication types:

  • Extended Validation (EV)
  • Organization Validation (OV)
  • Domain Validation (DV)

Protocol Support

  • ACME: Automated Certificate Management Environment
  • EST: Enrollment over Secure Transport
  • SCEP: Simple Certificate Enrollment Protocol

Asset management: Protecting digital and non-digital assets; e.g., ServiceNow ITOM

Zero trust. See AppViewX post. E.g., cert revocation offers a trust layer

Where SPIFFE fits in

Certificate Discovery

Tool stack interop: e.g., ServiceNow, Collibra

Support for metadata management

How DevOps tools leverage PKI (suggested by AppViewX)

  • Best practices for certificate management in DevOps pipelines
  • Tools that can accomplish automation and integration of PKI and DevOps

Identity & Identity Access Management: tie to certificate LCM

Service as Orchestrated, Identified Asset (See INCOSE service metamodels)

From Venafi: Figure 6: The Blueprint for a Modern Machine Identity Management Architecture

TLS in Kubernetes https://kubernetes.io/docs/tasks/tls/ and https://snyk.io/blog/setting-up-ssl-tls-for-kubernetes-ingress/

Indirectly related topics:

  • Security Operations (JSOC-administered automation and alerting)
  • assurance (cert is installed properly, is compliant, observable)
  • quality assurance (QoS, threshold monitoring, product safety)
  • integration with policy-as-code (e.g., OPA)

Related IEEE/ISO Standards

Less useful, except as applied to IoT

  • ISO 55000 Asset management — Overview, principles and terminology
  • ISO 55001 Asset management — Management systems — Requirements
  • ISO 55002:2018 Asset management — Management systems — Guidelines for the application of ISO 55001

knowlengr, Feb 09 '23 01:02

Could be relevant to #950 @achetal01 @mrsabath

lumjjb, Feb 22 '23 18:02

This issue has been automatically marked as inactive because it has not had recent activity.

stale[bot], May 22 '23 00:05

Closing as this issue has been inactive for over a year. Please feel free to open if there is renewed interest. The scope here could be a great addition to the Zero Trust paper.

anvega, Jun 11 '24 23:06