CCSS Trusted Environment - An Interpretation
[Article Updated August 2023 for CCSS Version 8.1]
Marc Krisjanous is one of the first CCSS Auditors, assisted C4 in developing their auditors program and is a member of the CCSS Steering Committee.
Marc also co-authored the CCSS Implementation Guide for a Full System, which is available as a free download.
In this article, we will review in detail the CryptoCurrency Security Standard (CCSS) definition of the "Trusted Environment" term used by the standard. This term represents the output of a necessary process that the CCSS auditor ("CCSSA") must undertake at the beginning of each audit.
The CCSS "Trusted Environment" term can be considered as: "in-scope environment", "scope of the environment", "scope of the audit", or "boundaries of the audit".
One of the first and most important steps a CCSSA takes during the audit process is to confirm the boundaries of the audit to be undertaken. Ensuring that the boundaries for audit are correct is critical and dictates the success or failure of any audit.
It is the responsibility of the assessed entity to define their CCSS Trusted Environment. It is the responsibility of the CCSSA to confirm that the Trusted Environment is correct based on the requirements of CCSS.
As of version 8.1 of CCSS, the "Trusted Environment" definition is the only term used to represent the boundaries of the audit that this article's author can identify.
The CCSS makes use of the term "Trusted Environment" in the following CCSS requirements:
1.04.2.1 All keys/seeds are only used in trusted environments.
2.03.1.2 All actions by all users are logged. Audit logs are retained for at least 1 year in a trusted environment.
Requirement 1.04.2.1 may appear at first glance to be a minor requirement, but on closer reading it establishes that the transmission, processing and storage of any private key within the assessed entity's environment is inside the boundaries of the audit. This requirement therefore provides essential guidance for identifying the people, processes and technology that are part of the "Trusted Environment" and, therefore, within the boundary of the audit.
The CCSS glossary defines the "Trusted Environment" as:
For the purposes of this specification, trusted environment is defined as the physical location, hardware and software used in any private key related operations.
The definition considers the physical locations where private keys are transmitted, processed and stored. This includes data centers, retail stores, offices, and third-party service provider-managed locations providing services for private key operations.
Hardware includes devices that provide private key functions, such as physical HSM appliances, hardware wallets, servers on which software providing private key functions is hosted, backup storage systems and media (tape, removable drives, wood, metal, paper, etc.), and network devices such as switches and routers.
The software component includes software that provides private key functions for the transmission, processing and storage of keys, such as wallet software, key management software, the operating systems of servers on which software providing private key functions is hosted, and backup software.
The definition also includes physical and logical security controls. Physical security controls include door locks, CCTV, visitor registration systems, staff and visitor badges, alarm systems, and physical destruction hardware such as disk shredders. Logical security controls include authentication and authorization systems, log management systems, data encryption, firewalls, anti-virus, file integrity monitoring (FIM), etc.
The Trusted Environment definition also includes the personnel that develop, test, deploy, manage and operate the systems that provide private key functions. Further, the personnel that manage the physical and logical security controls that protect the systems that provide private key functions are "in-scope" for the CCSS audit.
The policy, standards and procedures that cover the people and technology components of the Trusted Environment are also "in-scope" for the CCSS audit.
Important Note
CCSS is not a baseline information security management standard such as ISO27001 and PCI DSS. CCSS only focuses on the systems that provide cryptocurrency functions. It is the expectation and recommendation by the CCSS Steering Committee that an entity does not solely rely on CCSS to provide information security management controls for all systems. The exact wording provided by the CCSS Steering Committee is below.
CCSS is designed to complement existing information security standards (i.e. ISO 27001:2013) by introducing guidance for security best practices with respect to cryptocurrencies such as Bitcoin. CCSS is not designed to substitute or replace these standards; in fact, following the CCSS to the letter while ignoring standards like ISO 27001:2013 will likely lead to compromise. CCSS is a cryptocurrency standard that augments standard information security practices.
However, the CCSSA must ensure that the assessed entity has implemented what are considered baseline security controls, such as patch management, configuration management, access management, deployment management, secure coding standards, time management, release management, and change management, to name a few, across all components of the Trusted Environment.
Consider this scenario: an assessed entity provides a cryptocurrency wallet to its customers that meets the applicable CCSS requirements. However, the server(s) on which the wallet software is hosted have not been patched in 2 years, and all personnel have administrator access to the server(s) regardless of role. The CCSSA must consider the failure of baseline security controls (patch management and access management in this example) to impact the security of the cryptocurrency wallet and mark the applicable CCSS requirements as not in place. If all personnel within the assessed entity's organization have administrator privileges on the server(s) that host the cryptocurrency wallet, then the wallet is not secure from unauthorized access regardless of how secure the wallet software is.
Summary
The CCSS "Trusted Environment" term represents: the people who develop, test, deploy, manage and operate the systems that provide private key functions; the policy, standards and procedures that govern how the private key functions are to be developed, tested, deployed, managed and operated; the technology components that provide private key functions within the assessed entity's environment; and the security controls, both physical and logical, that protect the people, processes and technology that provide private key functions.