Marc Krisjanous is one of the first CCSS Auditors and assisted C4 in the development of their auditors program.

This post is part of our series on auditing against the CCSS. If you haven’t already, we recommend these other posts in the series.

In this article we will review in detail the CryptoCurrency Security Standard (CCSS) definition of the “Trusted Environment” term used by the standard. This term represents the output of an important process that the CCSS auditor (“CCSSA”) must undertake at the beginning of each audit.

What is the Trusted Environment?

The CCSS “Trusted Environment” term can be read as the “in-scope environment”, the “scope of the environment”, the “scope of the audit”, or the “boundaries of the audit”.

One of the first and most important steps a CCSSA takes during the audit process is to confirm the boundaries of the audit to be undertaken. Getting the audit boundaries right is critical: an audit scoped too narrowly misses key-handling components, and the correctness of the boundary dictates the success or failure of the audit.

Who Defines the Trusted Environment

It is the responsibility of the assessed entity to define their CCSS Trusted Environment. It is the responsibility of the CCSSA to confirm that the Trusted Environment is correct based on the requirements of CCSS.

As of version 8 of the CCSS, “Trusted Environment” is the only term this author can identify that the standard uses to represent the boundaries of the audit.

The CCSS makes use of the term “Trusted Environment” in the following CCSS requirements:

  • 1.04.2.1 All keys/seeds are only used in trusted environments.
  • 2.04.1.2 All actions by all users are logged. Audit logs are retained for at least 1 year in a trusted environment.

Requirement 1.04.2.1 may appear at first glance to be a minor requirement, but on closer reading it means that the transmission, processing and storage of any private key within the assessed entity's environment is inside the boundaries of the audit. This requirement therefore provides important guidance for identifying the people, processes and technology that form part of the “Trusted Environment” and are therefore within the boundary of the audit.

Defining the Trusted Environment

The CCSS glossary defines the “Trusted Environment” as noted below:

For the purposes of this specification, trusted environment is defined as the physical location, hardware and software used in any private key related operations.

Physical Locations

The definition takes into account the physical locations where private keys are transmitted, processed and stored. This includes data centers, retail stores, offices and third-party service provider managed locations providing services for private key operations.

Hardware

Hardware includes devices which provide private key functions, such as physical HSM appliances, hardware wallets, the servers on which software providing private key functions is hosted, backup storage media (tape, removable drives, wood, metal, paper, etc.), and network devices such as switches and routers.

Software

The software component includes software that provides private key functions for the transmission, processing and storage of keys, such as wallet software, key management software, the operating systems of the servers on which software providing private key functions is hosted, and backup software.

Logical & Physical Security Controls

The definition also includes logical and physical security controls. Physical controls include door locks, CCTV, visitor registration systems, staff and visitor badges, alarm systems, and physical destruction hardware such as disk shredders. Logical security controls include authentication and authorization systems, log management systems, data encryption, firewalls, anti-virus, file integrity monitoring (FIM), etc.

Personnel

The Trusted Environment definition also includes the personnel that develop, test, deploy, manage and operate the systems that provide private key functions. Further, the personnel that manage the physical and logical security controls which protect the systems which provide private key functions are “in-scope” for the CCSS audit.

Policies, Procedures, and Standards

The policy, standards and procedures that cover the people and technology components of the Trusted Environment are also “in-scope” for the CCSS audit.

Important Note

CCSS is not a baseline information security management standard such as ISO 27001 or PCI DSS. CCSS focuses only on the systems which provide key management functions. The CCSS Committee expects and recommends that an entity does not rely solely on CCSS to provide information security management controls for all systems. The exact wording provided by the CCSS Committee is:

CCSS is designed to complement existing information security standards (i.e. ISO 27001:2013) by introducing guidance for security best practices with respect to cryptocurrencies such as Bitcoin. CCSS is not designed to substitute or replace these standards; in fact, following the CCSS to the letter while ignoring standards like ISO 27001:2013 will likely lead to compromise. CCSS is a cryptocurrency standard that augments standard information security practices.

Source: https://cryptoconsortium.org/standards/

However, the CCSSA must ensure that the assessed entity has applied what are considered baseline security controls, such as patch management, configuration management, access management, deployment management, secure coding standards, time management, release management and change management, to name a few, to all components of the Trusted Environment.

Why Baseline Security Matters

Consider an assessed entity that provides a cryptocurrency wallet to its customers which meets the applicable CCSS requirements, but the server(s) on which the wallet software is hosted have not been patched in 2 years and all personnel have administrator access to the server(s) regardless of role. The CCSSA must treat the failure of baseline security controls (patch management and access management in this example) as impacting the security of the cryptocurrency wallet, and mark the applicable CCSS requirements as not in place. If all personnel within the assessed entity's organization have administrator privileges on the server(s) that host the cryptocurrency wallet, then the wallet is not secure from unauthorized access regardless of how secure the wallet software is.
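As an added illustration of the scoping and baseline checks described above (example code written for this post, not C4's or any CCSS tooling), the script below derives a Trusted Environment from a constructed asset inventory by starting from assets used in private key operations (requirement 1.04.2.1) and walking their dependencies, then flags the two baseline failures from the wallet example: stale patching and administrator access granted regardless of role. The inventory, staff roster, roles permitted admin rights and the 90-day patch window are all assumptions.

```python
from datetime import date

# Constructed asset inventory (assumption, not CCSS data). "key_ops" marks assets that
# transmit, process or store private keys; "depends_on" lists the hosts, network devices
# and security controls an asset relies on, which the definition pulls into scope too.
INVENTORY = {
    "wallet-app":     {"key_ops": True,  "depends_on": ["wallet-srv-01", "fim"]},
    "wallet-srv-01":  {"key_ops": False, "depends_on": ["core-switch-01", "siem"],
                       "last_patched": date(2021, 3, 1),
                       "admins": ["alice", "bob", "carol", "dave"]},
    "core-switch-01": {"key_ops": False, "depends_on": []},
    "siem":           {"key_ops": False, "depends_on": []},
    "fim":            {"key_ops": False, "depends_on": []},
    # Touches no private keys and nothing in scope depends on it: outside the boundary.
    "marketing-cms":  {"key_ops": False, "depends_on": ["web-srv-02"]},
    "web-srv-02":     {"key_ops": False, "depends_on": [],
                       "last_patched": date(2020, 6, 1), "admins": ["carol"]},
}
# Constructed staff roster (user -> role) and the roles allowed admin rights on in-scope hosts.
STAFF = {"alice": "wallet engineer", "bob": "sysadmin", "carol": "marketing", "dave": "finance"}
ADMIN_ROLES = {"wallet engineer", "sysadmin"}
AUDIT_DATE = date(2023, 3, 1)  # constructed date of the audit


def trusted_environment(inventory):
    """Seed the scope with every asset used in private key operations (CCSS 1.04.2.1)
    and walk dependencies transitively; everything reached is inside the audit boundary."""
    scope, stack = set(), [name for name, a in inventory.items() if a["key_ops"]]
    while stack:
        asset = stack.pop()
        if asset in scope:
            continue
        scope.add(asset)
        stack.extend(inventory[asset]["depends_on"])
    return scope


def baseline_findings(inventory, staff, scope, today, max_patch_age_days=90):
    """Report baseline-control failures on in-scope assets only: a host patched longer
    ago than the assumed window, and admin accounts held by users outside ADMIN_ROLES."""
    findings = []
    for asset in sorted(scope):
        a = inventory[asset]
        if "last_patched" in a and (today - a["last_patched"]).days > max_patch_age_days:
            findings.append((asset, "patch management", f"last patched {a['last_patched']}"))
        for user in a.get("admins", []):
            if staff.get(user) not in ADMIN_ROLES:
                findings.append((asset, "access management", f"{user} ({staff.get(user)}) is admin"))
    return findings
```

Each finding is recorded against the asset, the failed baseline control and the evidence, which is the form a CCSSA would carry into the report when marking the related CCSS requirements as not in place.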

Summary

The “Trusted Environment” CCSS term represents the people who develop, test, deploy, manage and operate the systems which provide private key functions; the policies, standards and procedures which govern how the private key functions are to be developed, tested, deployed, managed and operated; the technology components that provide private key functions within the assessed entity's environment; and the security controls, both physical and logical, which protect the people, processes and technology that provide private key functions.