Secureworks Certification Practices Statement
May 22, 2017
©2017 Secureworks, Inc.
This statement defines the policies and procedures followed by Secureworks in the issuance of Public Key Certificate credentials.
The following terms are used in this document:
- SOC - Secure Operations Center at Secureworks
- Client - An organization that is a customer of Secureworks
- Community - Those individuals or entities directly connected with Secureworks
Secureworks issues certificates to members of its community. Members include Secureworks-internal organizations, Secureworks' Client contacts, resellers, and multi-tenant Clients that provision and monitor their own clients and tenants. In addition, Secureworks may issue a modest number of certificates to others who maintain a loose affiliation with Secureworks but who are not officially listed as Clients. Secureworks also issues certificates for device authentication between Client-monitored devices and the Secureworks data center.
Member certificates are issued for authentication and encryption to the Secureworks portal, as well as for S/MIME signing and encryption of email messages between Secureworks and its members.
Device certificates are issued for the sole purpose of authenticating client devices and internal Secureworks devices to monitoring equipment servers in Secureworks' data centers.
Although Secureworks makes its best efforts to ensure that correct credentials are issued only to appropriate members of its community, Secureworks has no actual control over how members of its community protect their own credentials. UNDER NO CIRCUMSTANCES IS SECUREWORKS RESPONSIBLE FOR THE CONSEQUENCES OF A RELYING PARTY MAKING USE OF CREDENTIALS SECUREWORKS ISSUES TO ITS MEMBERS. SECUREWORKS OFFERS NO WARRANTY OF ANY KIND AND DISCLAIMS ALL WARRANTIES OF ANY KIND, INCLUDING BUT NOT LIMITED TO ANY WARRANTY OF MERCHANTABILITY OR OF FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL SECUREWORKS BE HELD LIABLE TO ANY MEMBER OR ANY RELYING PARTY FOR ANY DAMAGES OF ANY KIND, WHETHER DIRECT, INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL, HOWEVER CAUSED AND REGARDLESS OF THEORY OF LIABILITY, EVEN IF SECUREWORKS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
CA Private Key Protection
The private key for this PKI Certificate Authority (CA) is maintained on an access-restricted, network-connected computer. The CA private key passphrase is known by two (2) employees of Secureworks. The private key may be stored on two fully redundant HSMs. When not stored on HSMs, the keys are protected using the physical controls defined below. The HSMs are nCipher FIPS level-2 hardware devices. Secureworks makes no representation of the strength of the hardware protection; it is a user of technology provided by nCipher and cannot provide assurances beyond what nCipher has provided.
A limited number of Secureworks SOC employees with elevated privileges are in a position to issue certificates signed by this key. A small number of technical operations employees have physical access to the key but without the ability to issue certificates signed by this key.
Authentication upon Registration
In general, Secureworks verifies the identity of the people to whom it issues certificates in a way that is generally considered proper and appropriate for a business providing managed security services. Specifically:
The Secureworks Registration Authority (RA) operates under the auspices of the Secureworks CA. The RA is a combination of computers and humans. Humans provide RA for initial credentials and certificates while computers may act as the RA for certain authenticated self-service renewal processes.
Principal members are highly vetted contacts of a Secureworks Client. Principal members are provisioned in the Secureworks Customer Relationship Management (CRM) system by implementation engineers who have direct contact with these individuals, either in person or by phone. Due to the nature of Secureworks' business, contact between implementation engineers and principal members is frequent and personal during initial service-line implementation. Principal members are issued certificates directly by the Registration Authority, with guidance supplied by implementation engineers based on information gathered directly from the principal members.
Non-principal members may be provisioned by principal members only for their direct corporate affiliations. Non-principal members are issued certificates via online registration with the Secureworks web portal. When provisioned, the non-principal member is sent a one-time password via email so that he or she may gain access to the portal in order to complete a Certificate Signing Request (CSR). The CSR for first-time credentials is validated by Secureworks Registration Authority personnel, who ensure that the user is provisioned, that access is allowed for the Client, and that the user's email address is in a domain owned by the Client.
Secureworks personnel are issued certificates via the RA with direction from Secureworks' Human Resources.
The possession of a certificate issued by this PKI CA implies that at some point Secureworks believed that the possessor was a member of its community. However, the mere possession of a certificate should not be construed by relying parties as evidence that the possessor has a current association with Secureworks, or that the possessor may legally bind Secureworks in any manner or for any commitment.
Lifetime of Issued Credential
Validity periods longer than 27 months are not allowed.
Normally, certificates issued to individuals by this PKI CA are valid from the date of issuance for a period of 24 months. The renewal period for a given certificate is the one (1) month prior to expiration of the certificate. The maximum validity period of 27 months can be adjusted to meet specific concerns of the parties involved. Note, however, that some applications may require, and the CA may choose to issue, certificates that have arbitrarily shorter or longer (up to 27 months) validity periods.
This PKI CA revokes certificates for the following reasons:
- Client service contract has terminated
- Secureworks has been notified by the Client that a member's employment with the Client has been terminated
- The certificate owner notifies Secureworks that the certificate's private key has been compromised or lost
Revocation status is available through an Online Certificate Status Protocol (OCSP) service when specified in the certificate's extension data.
During the renewal period for a valid certificate, the user is notified of impending expiration via email or at login time on the portal. While accessing the portal with valid credentials, the user is directed to self-service renewal of the expiring certificate, at which time the user generates a CSR within the portal that is delivered to the RA. The RA automatically validates the user's current credentials, creates the new certificate, and returns it through the browser in a MIME document of type application/x-pkcs12-certificate, along with instructions on how to import the new certificate. The original certificate remains valid throughout its defined validity period.
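The validity-period cap, the one-month renewal window, and the RA's email-domain check above can be expressed as a small policy check. This is an added example, not Secureworks' own tooling; the 31-day renewal window, the subdomain matching rule, and the sample values are assumptions.

```python
"""Policy checks derived from the CPS text: 27-month maximum validity,
renewal allowed in the month before expiry, and CSR email domain must be
owned by the Client.  Constructed sample data, not Secureworks' records."""
import calendar
from datetime import datetime, timedelta

MAX_VALIDITY_MONTHS = 27          # "Validity periods longer than 27 months are not allowed."
RENEWAL_WINDOW = timedelta(days=31)  # assumption: "one month" modelled as 31 days


def add_months(d: datetime, months: int) -> datetime:
    """Calendar-month addition that clamps the day (e.g. Jan 31 + 1 month = Feb 28)."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return d.replace(year=year, month=month, day=day)


def validity_ok(not_before: datetime, not_after: datetime) -> bool:
    """True when the requested lifetime is within the 27-month cap."""
    return not_before < not_after <= add_months(not_before, MAX_VALIDITY_MONTHS)


def in_renewal_window(not_after: datetime, now: datetime) -> bool:
    """True when 'now' lies inside the month before expiry (expired certs are not renewed)."""
    return not_after - RENEWAL_WINDOW <= now < not_after


def email_domain_owned(email: str, client_domains: list[str]) -> bool:
    """CSR email must be in a Client-owned domain; subdomains count (assumption)."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        return False
    domain = domain.lower().rstrip(".")
    owned = [d.lower().rstrip(".") for d in client_domains]
    return any(domain == d or domain.endswith("." + d) for d in owned)


def validate_first_time_csr(user: dict, client: dict) -> list[str]:
    """Return the list of RA checks that fail; an empty list means the CSR may be signed."""
    failures = []
    if not user.get("provisioned"):
        failures.append("user not provisioned")
    if not client.get("access_allowed"):
        failures.append("access not allowed for client")
    if not email_domain_owned(user.get("email", ""), client.get("domains", [])):
        failures.append("email domain not owned by client")
    return failures
```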
Rekey After Revocation
Secureworks will not rekey a previously revoked member certificate that is still within its validity period. In such cases, the certificate will be un-revoked after human validation by the Registration Authority. This validation requires the owner of the revoked certificate to authenticate to the RA using a series of pre-established interrogations defined by the member in accordance with the SOC's user validation policies.
End-User Private Key Protection
Secureworks does not establish standards for how individual private keys are maintained. It is expected that many keys will be stored in browser preferences files as many end-users obtain their credentials via a web browser. Keys stored on the hard drives of individually owned or maintained computer systems will likely be as secure (or not) as other information stored on such systems.
End-User Private Key Backup
Secureworks does not perform key escrow. When a key is lost or forgotten, it is impossible for Secureworks to re-issue the key in a way that makes it usable. Lost keys are considered revoked, and forgotten passwords cannot be recovered. Secureworks does keep keys for its members and will deliver a copy of the original key when the owner has maintained control of the key but it has otherwise become unreadable. End-user validation is performed by the RA before the key is delivered.
The CA is protected by numerous physical and logical controls. The CA server(s) are housed within two mutually redundant data centers (DCs) protected by biometric locks. Only Secureworks IT personnel have physical access to the DCs. CA servers are protected by internal and external firewalls and hardened to ensure that only the services necessary for CA functions are accessible. The number of CA maintainers and RA administrators is limited to five (5) employees of Secureworks. Each of these employees acquires access to their particular function via secure shell access or an X.509-authenticated, SSL-encrypted web service.