Entrust: Incomplete privileged access removal within 24 hours
Categories
(CA Program :: CA Certificate Compliance, task)
Tracking
(Not tracked)
People
(Reporter: bruce.morton, Assigned: bruce.morton)
Details
(Whiteboard: [ca-compliance] [policy-failure])
Comment 1•3 months ago
Preliminary Incident Report
Summary
- Incident description: On 2025-05-21 (20:15 UTC), Entrust discovered during quarterly access review that one (1) infrastructure personnel did not have all of their privileged access to Certificate Systems disabled within twenty four (24) hours upon termination of their employment.
- Relevant policies: Network and Certificate System Security Requirements Version 1.7, Section 2.l. states “Each CA or Delegated Third Party SHALL: Implement a process that disables all privileged access of an individual to Certificate Systems within twenty four (24) hours upon termination of the individual’s employment or contracting relationship with the CA or Delegated Third Party.”
- Source of incident disclosure: Entrust discovered during quarterly access review that one (1) infrastructure personnel's privileged access to Certificate Systems infrastructure was only partially disabled within twenty four (24) hours upon termination of their employment.
Comment 2•2 months ago
Final incident report is being drafted and will be posted no later than 2025-06-04.
Comment 3•2 months ago
Full Incident Report
Summary
- CA Owner CCADB unique ID: A011701
- Incident description: On 2025-05-21 (20:15 UTC), Entrust discovered during quarterly access review that one (1) infrastructure personnel did not have all of their privileged access to Certificate Systems disabled within twenty four (24) hours upon termination of their employment.
- Timeline summary:
- Non-compliance start date: 2025-04-18
- Non-compliance identified date: 2025-05-21
- Non-compliance end date: 2025-05-21
- Relevant policies: Network and Certificate System Security Requirements Version 1.7, Section 2.l.
- Source of incident disclosure: Self-Reported
Impact
- Total number of certificates: 0
- Total number of "remaining valid" certificates: 0
- Affected certificate types: N/A
- Incident heuristic: No certificates were impacted.
- Was issuance stopped in response to this incident, and why or why not?: No. The still-active privilege enabled access to an out-of-band network management application. That application does not provide access to any certificate issuance system, and as a result there was no risk of mis-issuance.
- Analysis: N/A
- Additional considerations: N/A
Timeline
All times are UTC.
2025-04-17:
- Last day of one Entrust employee holding System Administrator Trusted Role.
- Trusted Role Departure process is initiated; physical and logical access is removed.
2025-05-21:
- 16:48 Quarterly access review begins
- 17:59 Terminated employee with incomplete access removal discovered.
- 18:21 Access removal is completed.
- 22:18 Audit logs were reviewed and confirmed that no unauthorized access occurred.
2025-05-22:
- 13:00 Compliance incident review meeting.
2025-05-23:
- 13:52 Preliminary incident report posted.
Related Incidents
Bug | Date | Description |
---|---|---|
Bug #1931413 | 2024-11-14 | New hire onboarding deviation from written process is about providing access to trusted roles |
Bug #1848279 | 2023-08-10 | Trusted Role Control Failure. |
Root Cause Analysis
Contributing Factor #1: Trusted Role de-registration process should be more explicit
- Description: The out of band network management system was implemented in August 2023; this incident occurred with the first person who departed with a privilege for this system. The de-registration process did not explicitly require removal of this particular privilege; as such, the access removal to this system was not understood or identified by the actioner.
- Timeline: Error occurred at the time the de-registration process was defined, since the process did not explicitly list all privileges which need to be removed.
- Detection: The problem was detected during the next quarterly access review. That review was conducted by persons distinct from the person responsible for actioning the de-registration.
- Interaction with other factors: The Trusted Role de-registration process needs to be updated to resolve contributing factors 1 and 2.
Contributing Factor #2: Trusted Role de-registration process should be more robust
- Description: The access removal process was driven and verified by one individual. What access needed to be removed and verification that access removal had been actioned/completed relied on that one person. Additional review occurred only during the quarterly internal audit.
- Timeline: Error occurred at the time the de-registration process was defined, since the process did not require multiple persons to ensure completeness of the de-registration process.
- Detection: The problem was detected during the quarterly access review. That review was conducted by persons distinct from the person responsible for actioning the de-registration.
- Interaction with other factors: The Trusted Role de-registration process needs to be updated to resolve contributing factors 1 and 2.
- Root Cause Analysis methodology used:
Lessons Learned
What went well
- No certificates were mis-issued.
- Remaining access was revoked on the day of detection.
- No unauthorized access was possible, as confirmed by the following:
  - Physical access was removed on time as part of the standard process.
  - Corporate accounts and devices were removed on time as part of the standard process.
  - With the exception of the out of band network management system, all physical and logical access was removed on time for this trusted role.
- Error was detected during quarterly review.
What didn't go well
- Not all access was removed on time.
- De-registration process was not sufficiently explicit for all privileges.
- De-registration process was managed by one individual and reviewed only quarterly thereafter.
Where we got lucky
Action Items
Action Item | Kind | Corresponding Root Cause(s) | Evaluation Criteria | Due Date | Status |
---|---|---|---|---|---|
Complete disabling employee’s remaining privileges | Prevent | | Complete the de-registration for this employee | 2025-05-21 | Done |
Change process to require an additional review of correct access removal by a second trusted role | Prevent | Root cause 1 and 2 | Action will be considered effective based on successful monthly access reviews | 2025-05-30 | Done |
Change process to explicitly detail privileges to be removed | Prevent | Root cause 1 and 2 | Action will be considered effective based on successful monthly access reviews | 2025-05-30 | Done |
Change process to review access on a monthly basis | Detect | | Process update will detect issues on a more rapid basis | 2025-05-22 | Done |
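As an added illustration (not Entrust's tooling or process documents), the reconciliation that a periodic access review and a second-reviewer sign-off would perform, written in Python against constructed sample data: it flags systems that grant privileged access but are missing from the written de-registration checklist (contributing factor #1), and residual privileges held by departed personnel past the 24-hour deadline of NCSSR 2.l. System and person names, and the termination time, are hypothetical.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data; system and person names are hypothetical.
# Written de-registration checklist: as in the report, it never lists the
# out-of-band network management system.
DEREGISTRATION_CHECKLIST = {"physical_access", "corporate_account", "ca_admin"}

# Privileged access still active across Certificate Systems, as (person, system).
ACTIVE_PRIVILEGES = [
    ("sysadmin-A", "oob_network_mgmt"),
    ("sysadmin-B", "ca_admin"),
    ("sysadmin-B", "oob_network_mgmt"),
]

# HR termination timestamps (UTC); sysadmin-A left on 2025-04-17 (time is constructed).
TERMINATIONS = {"sysadmin-A": datetime(2025, 4, 17, 17, 0, tzinfo=timezone.utc)}

# Time at which the review runs (constructed to match the report's 2025-05-21 17:59 UTC).
REVIEW_TIME = datetime(2025, 5, 21, 17, 59, tzinfo=timezone.utc)

REMOVAL_DEADLINE = timedelta(hours=24)  # NCSSR v1.7 section 2.l


def checklist_gaps(checklist, active_privileges):
    """Systems that grant privileged access but are absent from the written
    de-registration checklist (contributing factor #1)."""
    in_use = {system for _, system in active_privileges}
    return sorted(in_use - set(checklist))


def overdue_access(terminations, active_privileges, now):
    """Residual privileges of departed personnel past the 24-hour deadline,
    with hours overdue; this is the reconciliation an access review performs."""
    findings = []
    for person, system in active_privileges:
        last_day = terminations.get(person)
        if last_day is None:
            continue  # still employed, nothing to remove
        deadline = last_day + REMOVAL_DEADLINE
        if now > deadline:
            hours_over = (now - deadline).total_seconds() / 3600
            findings.append((person, system, round(hours_over, 1)))
    return findings


def deregistration_complete(person, active_privileges):
    """Second-reviewer sign-off check: True only when no privilege remains."""
    return not any(p == person for p, _ in active_privileges)
```

Running `overdue_access` against the constructed data reports sysadmin-A's out-of-band privilege as roughly 793 hours past the deadline, which is the kind of finding a monthly review surfaces weeks earlier than a quarterly one.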
Comment 4•2 months ago
We are monitoring this bug. If there are no comments, we will request closure this week.
Comment 5•2 months ago
Report Closure Summary
- Incident description: Incomplete trusted user privileged access removal within 24 hours.
- Incident Root Cause(s): De-registration process was not sufficiently explicit for all privileges. In addition, the de-registration process was managed by one individual and reviewed only quarterly thereafter.
- Remediation description: Change the de-registration process to require an additional review of correct access removal by a second trusted role. The de-registration process was updated to explicitly detail privileges to be removed. To help minimize an incident period, trusted role access will be reviewed on a monthly basis.
- Commitment summary: Entrust will continue to update and improve procedures to help ensure smooth operations and protect the relying parties and subscribers.
All Action Items disclosed in this report have been completed as described, and we request its closure.
Comment 6•2 months ago
This is a final call for comments or questions on this Incident Report.
Otherwise, it will be closed on approximately 2025-07-01.