# Security & Compliance Guide

SSL-CLM manages the “keys to the kingdom”—your organization’s Private Keys. This document outlines the security architecture and best practices for hardening your deployment.
## 1. Zero Trust Architecture

SSL-CLM assumes a zero-trust network environment.
### Micro-Segmentation

- Agent Isolation: Agents initiate all connections outbound to the Backend. No Agent can talk to another Agent.
- Backend Isolation: The Backend should be placed in a secure zone, accessible only by Load Balancers (for UI) and Agents.
### Transport Layer Security (TLS)

- Protocol: All communication requires TLS 1.3 (or at minimum TLS 1.2 with forward-secrecy cipher suites).
- Mutual TLS (mTLS): Agents can be configured to present a client certificate during the handshake, ensuring that only authorized devices can even connect to the API.
## 2. Authentication & IAM

### Single Sign-On (SSO)

Do not manage local users. Integrate SSL-CLM with your Identity Provider (IdP).
- Protocols: SAML 2.0 (Okta, Azure AD), OIDC (Keycloak).
- MFA: Enforce Multi-Factor Authentication at the IdP level.
### Detailed RBAC Matrix

Grant Least Privilege access.

| Role | Scope | Can View Keys? | Can Approve? | Use Case |
|---|---|---|---|---|
| ROLE_VIEWER | Global | No | No | Audit, Compliance Teams |
| ROLE_DEVOPS | Team: “Payments” | No | Yes (Auto) | Developers deploying code |
| ROLE_SEC_OPS | Global | Limited | Yes (Manual) | Security Engineers |
| ROLE_ADMIN | Global | Yes | Override | System Restores / Break-glass |
## 3. Cryptographic Protection

### Data at Rest

- Database Encryption: MongoDB fields (`privateKey`, `password`) are AES-256-GCM encrypted.
- Key Rotation: The Data Encryption Key (DEK) is rotated every 90 days.
- Envelope Encryption: The DEK is encrypted by a Key Encryption Key (KEK) stored in an HSM or Vault.
### Hardware Security Modules (HSM)

For FIPS 140-2 compliance, SSL-CLM supports offloading CA keys to:
- Cloud: AWS CloudHSM, Azure Dedicated HSM.
- On-Prem: Thales Luna, Entrust nShield.
## 4. Operational Hardening

### Agent Hardening

- Service Account: Run the Agent as a non-privileged user (e.g., `NetworkService` on Windows, the `sslclm` user on Linux).
- File Permissions: Ensure only the service account can read the `agent.properties` file containing the auth token.
### Audit & Forensics

- Immutable Logs: Audit logs are written to an append-only file or shipped immediately to Splunk.
- Tamper Evidence: Each log entry includes a SHA-256 hash of the previous entry, forming a cryptographic chain.
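The hash chain described above, as an added illustration that is not SSL-CLM's own code: each entry embeds the SHA-256 of the previous entry, and a verifier walks the chain to find the first entry whose link no longer matches. Entry fields, the genesis value and the sample events are constructed for this example.

```python
"""Hash-chained audit log (constructed example, not SSL-CLM code)."""
import hashlib
import json

GENESIS = "0" * 64  # constructed placeholder "previous hash" for the first entry


def entry_hash(entry: dict) -> str:
    """SHA-256 over a canonical JSON encoding so the hash is reproducible."""
    canon = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


def append_entry(chain: list, event: dict) -> dict:
    """Append an event, embedding the hash of the previous entry (or GENESIS)."""
    prev = entry_hash(chain[-1]) if chain else GENESIS
    entry = {"seq": len(chain), "prev_hash": prev, **event}
    chain.append(entry)
    return entry


def verify_chain(chain: list) -> tuple:
    """Walk the chain; return (ok, index of first entry whose link is broken, or -1)."""
    expected = GENESIS
    for i, entry in enumerate(chain):
        if entry.get("prev_hash") != expected:
            return False, i
        expected = entry_hash(entry)
    return True, -1


def demo() -> tuple:
    """Build a short chain, then edit a past entry and show where verification fails."""
    chain = []
    # Constructed sample events, not real SSL-CLM log output
    append_entry(chain, {"actor": "alice", "action": "VIEW_KEY", "cert": "web-01"})
    append_entry(chain, {"actor": "bob", "action": "APPROVE", "cert": "web-01"})
    append_entry(chain, {"actor": "carol", "action": "ROTATE_DEK"})
    intact, _ = verify_chain(chain)
    # After-the-fact edit of entry 1: entry 2's stored prev_hash no longer matches
    chain[1]["actor"] = "mallory"
    tampered_ok, bad_index = verify_chain(chain)
    return intact, tampered_ok, bad_index


if __name__ == "__main__":
    print(demo())  # (True, False, 2)
```

A chain on its own cannot detect edits to, or deletion of, the newest entry; anchor the latest hash outside the host (for example by shipping it with each entry to the SIEM, as the Splunk path above does) so the tail is also verifiable.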
## 5. Software Supply Chain

We take the security of our own code seriously.

- SBOM: A Software Bill of Materials (CycloneDX format) is provided with every release, listing all third-party dependencies.
- Signing: All binaries (JARs, EXEs) are signed by “QCecuring Technologies Inc” using an EV Code Signing Certificate. Verify this signature before installation.
## 6. Compliance Mapping

| Standard | How SSL-CLM Helps |
|---|---|
| PCI-DSS 4.0 | Automates quarterly discovery of rogue wireless points; enforces strong crypto. |
| NIST 800-57 | Automates key rotation periods; prevents usage of deprecated algorithms (SHA-1). |
| GDPR | Provides an audit trail of “Who accessed this certificate/key?”. |