Technology assets and the services they enable must be appropriately protected according to their value and the risk level of information processed or stored thereon.
Where the technology does not support the requirements described by these Guidelines, compensating controls should be implemented. In such situations, access restrictions should be applied to prevent unnecessary access to the resource or technology, especially from the public network.
Resources and technology assets should be configured in a secure manner that:
- Requires the use of transport layer security where it is offered;
- Prevents the use of deprecated secure socket layer and transport layer security protocols, and prefers the use of the most current protocols;
- Prevents the use of known weak and / or vulnerable cipher suites, bulk encryption algorithms, or Message Authentication Code algorithms.
Certificates with known weak and/or vulnerable attributes must not be used or stored within a resource or technology asset certificate store.
Self-signed certificates must not be used on production resources or technology assets; self-signed certificates should be used only within development and test environments.
The same private key must not be installed on multiple resources and/or technology assets.
Wildcard certificates should not be used, except when they are the only technically feasible option, or when they are required to ensure continued service in very complex configurations. Examples may include clustered and load-balanced services. Server Alternate Name (SAN) and Unified Communication Certificate (UCC) are preferred. Extended Validation (EV) certificates encouraged, though not required.
Stewards and Custodians are responsible for the lifecycle of the digital certificate, including:
- Request: TLS certificates should be requested from reputable certificate authorities.
- Implementation: digital resources and technology assets must be configured to offer only valid certificates to customers; certificates that are not in use must be removed from the resource’s certificate store.
- Revocation: certificates must be revoked when the digital resource or technology asset is retired, when the private key is no longer in use, or when the private key has been compromised.
- Expiry: certificates must be replaced before their expiry date.
The following is a summary of secure setting and parameter requirements as adapted from the Open Web Application Security Project (OWASP) recommendations.
Use only the following Transport Layer Security protocols:
- Transport Layer Security version 1.2 (TLS 1.2)
- Transport Layer Security version 1.3 (TLS 1.3)
All other Transport Layer Security protocols must be disabled. All Secure Socket Layer protocols must be disabled.
Strong ciphers must be used; the use of weak and medium ciphers must be prevented. The following are recommended sources for secure cipher string configuration:
· Open Web Application Security Project Cipher Group B
· Mozilla Server Side TLS configuration Intermediate compatibility
Static and Ephemeral Diffie-Hellman key exchange must use strong (2048 bit) parameters.
- Compression must be disabled.
- Cryptographic libraries must be patched.
Enable HTTP Strict Transport Security (HSTS). Do not mix secure and non-secure content. Universal Resource Identifiers (URI) should always refer to HTTPS locations.