KC Responsibilities

Release Notes
- SAKA 4.12.0
- SAKA 4.11.0
- Back
Preface
- Default Paths and Filenames
- Third-Party Website References
- Strongkey Welcomes Your Comments!
- Back
KAM Introduction
Architecture
Installation
- Preliminary Steps
- Install Components (Primary)
- Install Components (Secondary)
- Define KCs (Primary)
- Verify KCs (Secondary)
- Set Personal Identification Numbers (PINs) [Primary]
- Set PINs and Complete Key Migration [Secondary]
- Create System Users [Primary]
- Create a New Encryption Domain [Primary]
- Complete Second Domain Key Migration [Secondary]
- Add System Users [Primary]
- Configure the SKCE domain [Primary]
- Replicate the CEM Domain [Secondary]
- Back
CCS Web Service Operations
- CCReturnObject
- Manufacturer Identifiers for Processing CardHolder Data (CHD)
- CCS Module GetCardCaptureData Mechanics
- CCS Module DukptEncrypt Mechanics
- CCS Module DukptDecrypt Mechanics
- CCS Module DukptMAC Mechanics
- CCS Module ReencryptPINBlock Mechanics
- Back
KAM Web Service Operations
- KAM Encryption Mechanics
- KAM Decryption Mechanics
- Notes on the Mechanics
- KAM Deletion Mechanics
- KAM Search Mechanics
- KAM Entropy Mechanics
- KAM General Purpose Key Encryption Mechanics
- KAM General Purpose Key Decryption Mechanics
- KAM Batch Operations
- KAM Relay Mechanics
- HTTPS Interface
- SOAP Interface
- Back
KMS Web Service Operations
- CCReturnObject
- CCKeyComponentType
- CCCryptographicMaterialType
- CCEncryptedAnsiX9241KeyType
- KMS Module loadKeyComponent Mechanics
- KMS Module loadBaseDerivationKey Mechanics
- KMS Module generateBaseDerivationKey Mechanics
- KMS Module generateInitialKey Mechanics
- KMS Module storeAnsiX9241Key Mechanics
- KMS Module replaceAnsiX9241Key Mechanics
- KMS Module deleteAnsiX9241Key Mechanics
- KMS Module updateAnsiX9241Key Mechanics
- Back
KAM Batch Operations
- SKLESBatchInput Element
- SKLESBatchOutput Element
- Generating the SBI XML file
- Transferring XML Files to and from the Appliance
- Submitting Batch Operations
- Back
KAM DemoClients
- Installing SAKA Clients
- sakaclient.jar Operations
- Back
KAM KCSetPINTool
- Setting KC Preferences
- Changing KC Passwords
- Setting the KC PIN on the SAKA Server
- Back
KAM DACTool
- Changing DA Passwords
- Preferences
- Systems
- Domains
- Users
- Jobs
- Configuration
- Back
KAM Key Migration Tool
- Prerequisites
- Back
KAM KMS ConsoleTool
- Loading Key Components
- Loading a BDK
- Storing ANSI X-924.1 Keys from Key Components
- Storing ANSI X-924.1 Keys from Wrapped Keys
- Back
KAM Configuration
- Immutable Configuration
- Mutable Configuration
- Sample Configuration File
- Back
KAM Key Management
- Cryptographic Hardware Modules
- Back
HSM Integration
- Building the HSM Driver
  - Rebuilding the HSM Driver
  - Back
- HSM Administration Basics
- Clearing the HSM
- Setting Up the HSM
- Backing up the HSM
- Restoring from a Backup
- Back
Managing Credentials
- KAM Credentials
- HSM Credentials
- System Credentials
- Linux strongauth
- Back
Changing Hostname and IP
- Changing the IP Address
- service iptables restart
- Changing the Hostname
- Back
Internal Repositories
- Repository Requirements
- Choosing an Online Mirror
- Internal Repository Setup
- KA Setup
- Back
Appliance Security
- Physical Security
- Operating System
- Appliance Credentials
- Back
PCI DSS 3.2
- Requirement 3: Protect Stored Cardholder Data
- Requirement 6: Develop and Maintain Secure Systems and Applications
- Back
KC Responsibilities
Add New SKCE Domain
KAM Replication
- Replicate Essentials Only
- Back
Appendices
- Using a Custom Trust Store
- Using the Key Migration Tool (KMTool)
  - Pre-requisites
  - Mechanics
  - Details
  - Back
- Modifying the Appliance's IP Address or Hostname
- Relay Webservice
  - Mechanics of the Relay
  - Deploying the service
  - Relay Webservice Client
  - HTTP interface
  - SOAP interface
  - Back
- Installing KCSPTool and DACTool on Windows
  - Installation
  - Back
- KAM KC Replace Tool
  - Prerequisites
  - Validating Credentials
  - Recreate a set of Key Custodians
  - Create a new set of Key Custodians
  - Back
- Migration Information
- Using HAProxy as a Load Balancer
- MariaDB Audit Logging Configuration
  - Enable MariaDB Audit Logging
  - Monitoring the MariaDB for Replication anomalies
  - Disable MariaDB Audit Logging
  - The counts_v2.sql file
  - Back
- Application Development Guide
  - Application Design for “Card Not Present” transactions
  - Storing Encryption Domain Identifier (DID)
  - Securing Decryption Credentials
  - Cluster Communications
  - Relay Processing
  - Summary on “Card Not Present” transactions
  - Back
- Setting up LACP Bonding on Tellaro KA
- Strongkey Tellaro & Ransomware Protection
- Adding an Additional Server to a Cluster
  - Step #1 on an EXISTING server
  - Step #2 on the NEW server
  - Step #3 On the EXISTING node
  - Step #4 on the NEW node
  - Back
- Adding a Data Recovery Server to a Cluster
  - Step #1 on an EXISTING server
  - Step #2 on the NEW server
  - Step #3 on the EXISTING node
  - Step #4 on the NEW node
  - Post-Installation
  - Back
- Batch Delete Tokens
- CIS Hardening Verification RHEL 7.X
- CIS Hardening Verification ROCKY 9.X
- Migrating from Centos to Rocky
  - Rocky Linux Kickstart USB Guide
  - Step 1: On an Existing Production Server in the Cluster
  - Step 2: On the Same Machine after Installing Rocky 9.2
  - Back
- KA Replace EOL Node
  - Prerequisites
  - Step 1 (On New SAKA)
  - Step 2 (On EOL SAKA)
  - Step 3 (On New SAKA)
  - Step 4 (On EOL SAKA)
  - Step 5 (On New SAKA)
  - Step 6 (On EOL SAKA)
  - Step 7 (On New SAKA)
  - Back
- Cleanup SAKA Disk Space
  - Cleanup Old Distributions and Files
  - Cleanup Database Tables
    - Cleanup Encryption Requests Table
    - Back
  - Back
- Using Custom SSL/TLS Certificates
  - Generating a TLS certificate with the SAN extension
  - Installing the keystore on SAKA
  - Conclusion
  - Back
- Reboot StrongKey Tellaro
  - Pre-Reboot
  - Reboot
  - Post-Reboot
  - Back
- Configure Syslog
- Back

This section answers two questions:

What are Key Custodian (KC) responsibilities in an environment running SAKA?
How are these responsibilities carried out?

Security policies at companies define what company employees may and may not do with company resources. Since Enterprise Key Management (EKM) is a relatively new and specialized discipline, companies are unlikely to have policies associated with EKM and what specific roles within the EKM Infrastructure (EKMI)can do.

The following is a template of a policy that can be adapted and used by SAKA customers to define the responsibilities of Key Custodians and other roles touching upon the SAKA. While it is unlikely to cover all possible situations, it does identify the core responsibilities of the roles involved.

POLICY INFORMATION

Version

1.0

Effective Date

September 12, 2018

Intranet URL

http://intranet.company.com/policies/security/pci-dss/keycustodians.html

NOTE: You may want to link this policy to an internal website for distribution.

CONTENTS

General Information

Roles

Resources

Processes

Responsibilities

Related Policies

Other Resources

Document Information

GENERAL INFORMATION

Purpose

This document defines COMPANYNAME's policy for the responsibilities of Key Custodians (KC) as required by the Payment Card Industry's Data Security Standard (PCI DSS).

Applicability

This policy applies to all Employees, Contractors, Consultants, Outsourcers, and Service Providers of COMPANYNAME who are designated and required to perform in the capacity of a KC.

Background

The Payment Card Industry Data Security Standard^‡ (PCI DSS) is an industry regulation for the protection of sensitive credit card data. Amongst many security requirements, it mandates the encryption of Personal Account Numbers (PAN) when stored on a computerized device. Cryptographic encryption keys used for protecting the information are required to be managed with “appropriate key management” operations as defined in the PCI DSS Key Management (KM) section of Requirements and Security Assessment Procedures, Version 3.2, dated April 2016.

Policy Owner

The creation, implementation and any subsequent changes to this policy is the responsibility of the Chief Security Officer (CSO). This policy and any subsequent changes must be approved by two or more of the following officers of the company:

Chief Executive Officer
Chief Operating Officer
Chief Financial Officer
Chief Legal Officer
Internal Auditor

NOTE: Depending on the size of the company, you can choose to use any role appropriate for authorizing policies of this nature.

Sensitive Data

Confidential personal information (to be hereinafter called Sensitive Data) is currently defined by the company, to be any one of the following:

US Social Security Number
Drivers License or California Identification Card number
Account number, Credit or Debit Card number in combination with any required security code, access code, or password that would permit access to an individual's financial account

NOTE: You can choose to define whatever information you want as Sensitive Data to cover more than what's mandated by law, or which you believe will get included into law as time goes by. Examples are – credit scores, health information, etc.

ROLES

Chief Security Officer

The CSO is the owner of this policy.

Key Custodian

The KC is a part owner of the cryptographic keys established by COMPANYNAME to protect Sensitive Data.

Encryption Domain Administrator

The encryption domain administrator (EDA or DA) is the technical administrator of the cryptographic keys and data created and maintained by COMPANYNAME.

Authorized Users

Any human user or software application executing on any device that needs to access Sensitive Data is an Authorized User (AU). AUs must be explicitly permitted to perform any function within the cryptographic systems established by COMPANYNAME.

RESOURCES

StrongAuth KeyAppliance

COMPANYNAME has purchased and deployed the StrongKey KeyAppliance (SAKA) to comply with PCI DSS requirements for encryption and key management (EKM). While many of the statements in this policy document are technology-independent, some statements are specific to the implementation chosen by COMPANYNAME and how they are carried out within SAKA.

In the event SAKA conflicts with this policy, COMPANYNAME will work with the vendor to resolve the differences. Where SAKA goes above and beyond this policy, all roles are required to adhere to the requirements of the SAKA implementation.

NOTE: Put in information about other resources deployed in COMPANYNAME to comply with this policy.

PROCESSES

Requesting Access to the SAKA

NOTE: Define your process by which a user and/or an application may request access to the cryptographic services on the SAKA. The process must describe how to grant access to an existing encryption domain, how to create a new encryption domain and how To modify access to an existing encryption domain.

Revoking Access to the SAKA

NOTE: Define the conditions and process by which a user's and/or an application's access to the cryptographic services on the SAKA may/must be revoked.

RESPONSIBILITIES

All Employees

All Employees, Contractors and Consultants employed by COMPANYNAME are required to comply with this policy, without exception.

Chief Security Officer

The CSO is responsible for:

Implementing this policy and ensuring it stays current—i.e., it must conform to PCI DSS and other regulations which cover COMPANYNAME's business operations
Ensuring people in roles related to this policy are trained to comply with this policy
Providing annual reports to COMPANYNAME's Audit Committee on compliance to this policy

Key Custodians

The KC is responsible for:

Maintaining strict control over the credential/token they are entrusted with to activate the cryptographic module on the SAKA
Making a complex password—alphabet, numeral, and special characters—with a minimum length of eight (8) characters
Never revealing their credential password to anyone
Never handling more than one KC credential at any time
Never copying anything on the token intended for their credential
Never copying their credential file to any computer
Notifying the CSO of any loss of, or compromise to the credential, as soon as feasible

Encryption Domain Administrator

The EDA/DA is responsible for:

Maintaining strict control over the credential/token they are entrusted with to manage an encryption domain on the SAKA
Selecting a complex password—alphabet, numeral, and special character—for their credential, of a minimum length of eight (8) characters
Never revealing their credential password to anyone
Never handling a KC credential at any time
Never copying anything on the token intended for their credential
Never copying their credential file to any computer
Notifying the CSO of any loss of, or compromise to the credential, as soon as feasible
Never granting, revoking or modifying privileges to the SAKA without complying with the processes described in this policy

Internal Auditor

The IA is responsible for:

Periodically reviewing the SAKA environment for policy compliance
Notifying the CSO of violations and/or deficiencies in compliance to this policy; In the absence of the CSO rectifying the violation/deficiency within 60 days, the IA will notify COMPANYNAME's Audit Committee of the violation and/or deficiency

RELATED POLICIES

NOTE: Fill in links to other policies within your company that have a bearing on this one. For example, one that has a direct relationship to this is an Information Protection Policy that defines how information is classified within your company and what polices define its protection.

OTHER RESOURCES

Payment Card Industry Data Security Standard

SAKA Documentation

NOTE: Fill in links to other resources within and outside your company that have a bearing on this.

DOCUMENT INFORMATION

Version

1.0

Date

Notes

DRAFT template of policy

Author

John Doe, Legal

Reviewed By

John Doe, Legal

Sherlock Holmes, Internal Audit

Approved By

James T. Kirk, CEO