CA/Browser Forum 06-18-2020

Taking a Data-Driven Approach Towards Compliance

Brenda Bernal

As the world's largest global certificate authority (CA), how does DigiCert stay on top of compliance while issuing millions of public certificates in any given year? This includes identifying and remediating issues as we discover them to assure continual improvement and tight compliance. Understanding problems with certificates requires an inspection of data and analytics. After all, how can you determine the true scope of an issue without knowing your data?

In September 2019, we established a compliance analytics team within our product security and compliance function, with the goals of conducting a proactive analysis of our certificate issuance and ensuring risk factors are identified and certificate anomalies are corrected. We hope to benefit immediately from this data-driven approach in two main ways.

Going beyond the 3%

We conduct a 3% self-audit of certificates we issue as required by the CA/Browser Forum Baseline Requirements (BRs). A key goal of this analytics team is to look at a larger sample of the data, beyond the 3%, and look at the entire scope of potential issues. We use the 3% audit data results to perform diagnostic analysis that identifies the root cause of trends we are seeing with the data. This deep analysis allows us to cut out risk in our operations. This often leads to enhancements to our systems, policies and procedures, and training for our teams performing validation. The data provides us with insights on how to optimize solutions and our business performance as a CA.

Comprehensive incident analysis

Problems with certificate issuance are often reported in an incident tracking system maintained by the Mozilla root store program. This gives CAs like us the opportunity to address the root cause of these issues and describe the corrective and preventive actions we will take. To respond properly to an incident, we need to rely on reporting and analyzing the data for a meaningful understanding of the issue, its root cause and its scope. In turn, this approach enables us to understand whether we are dealing with an isolated case. Through our analytics capability, we perform comprehensive data mining to ensure we are addressing the problem fully. This goes a long way in fostering trust in our reporting among DigiCert's relying parties.

In summary, the key objectives we want to enhance and enable are:

1. Organizational risk management, to assure that we continuously monitor for risks, uncover new issue trends, and identify likely scenarios based on pattern analysis.

2. Enhanced decision making, to maintain compliance and effective business processes while reducing risks to our business.

We are using our analytics capability, beyond the 3%, to implement policies that better protect the web PKI ecosystem and our customers and instill public trust. Validation sources are one example of a project we completed. Given the industry challenges with assigning the proper jurisdiction of incorporation, our team set out on a project to ensure data integrity and qualified validation sources to feed the order validation decisions. We consolidated multiple lists in use and cleaned up thousands of rows to arrive at approximately 1,700 unique sources that will be used as the single source of truth for validation. We have published the source list to the CA/Browser community, where it has become the de facto standard; a ballot on mandatory source disclosure is now forming to standardize what we started.

We will continue to report trend areas and what DigiCert is doing to improve the ecosystem for everyone online.
