30(a) Security Policy: Summary of the security policy for the proposed registry
KSregistry GmbH, as the registry backend provider of the KSregistry system (KSR), attaches great importance to the security of the entire registry infrastructure as well as business and customer data. Having more than ten years of experience in the domain business, Key-Systems has imparted extensive expertise about threats, possible vulnerabilities, and suitable countermeasures to its new subsidiary KSregistry GmbH. In case of an attack, the entire staff working on the KSR is trained to react quickly to any security issue that may arise. Distinct escalation plans with clear roles for each employee at KSregistry GmbH are defined for any possible incident. All team members have access to these plans at any time, according to their security clearance and role.
These plans and security rules are subject to a regular audit schedule and are documented in KSregistry GmbH's security policy, which includes the Registry Information Security Policy that covers the basic registry services. These services include, but are not limited to, the safety of the technical backend (covering items such as EPP and RDDS, DNS and DNSSEC policies, an ESCROW policy, SFTP, etc.).
A. Security Policy
KSregistry GmbH has established a security policy that contains the complete Registry Service Policy, covering the basic registry services. The Registry Service Policy is complemented by policies regarding technical, organizational, and personnel issues for:
- Network structure
- Network and system access
- Wireless networks
- Setup of servers and client systems
- System and software updates
- Firewall and IDS
- Removable media
- Backups and ESCROW
- Physical Security
- Emergencies and Monitoring
Additional policies cover the behavior of employees concerning passwords, remote access, general communication and allowed tools and describe the handling of general procedures, audits, maintenance and monitoring. These policies are described in detail and attached to AGB question 30b.
The security policy drafted by KSregistry GmbH is based on an extensive threat analysis and is thus tailored closely to the registry services. The introductory investigation of both common and rare security issues to the registry service and to the business in general is accompanied by examples with representative solutions and references to the corresponding policies.
Based on the analysis, certain notable aspects of the policy, as determined by the threat analysis, are (a more complete description of the policy is detailed in answer 30b):
- To prevent unauthorized access to internal and external services as well as data of all possible security levels, all employees are only provided with the access rights needed for their assigned role and obliged to follow a strict policy regarding the strength, the periodical change and the storage of their password. Updates or new software installations cannot be deployed by engineers themselves but must be managed by the change manager, who reviews the quality management reports and determines deployment procedures.
- The administration is also split into different roles to prevent too much access being given to one single point. Access to servers is only possible with individual user rights; there are no superuser logins. All actions on the servers are logged and monitored. All servers are secured against external manipulation by physical separation and limitation to internal IP addresses as far as possible. The network is also separated into different layers depending on each layer's function and security level, with each layer having its own security measures installed, including firewalls that check every request traveling from one layer to another.
- The object data stored by KSregistry GmbH is secured in several geographically distributed data centers with high security standards, which are constantly being backed up to prevent the danger of data loss and to guarantee continuity.
- Denial of Service attacks are countered by measures appropriate to the target within the infrastructure. The DNS infrastructure of KSregistry GmbH is widespread and reliable to withstand attacks and is additionally secured against manipulation by DNSSEC. Attacks against other services are immediately identified by the Intrusion Detection System and repelled by the firewall and its corresponding rules
- Authorized registrars connect to services offered by KSregistry GmbH via encrypted communication. The EPP gateway can only be used with SSL or TLS, and an additional check is made for correct authorization credentials for each connection. Each writing operation is logged, which allows the reconstruction of every past transaction.
- The registrars' frequency of usage of the non-public services is generally monitored to prevent flooding and to guarantee reliable and stable services for all other registrars.
- All software used by KSregistry GmbH, both developed in-house and acquired from third-party providers, is not deployed until it has been intensely tested by the quality management team. All registry systems, both hardware and software, are under constant monitoring from at least two different locations, and quick reaction times from the Administration Team, the ERT and the engineers are guaranteed 24 X 7 with defined emergency plans and procedures for all kinds of security issues or misbehavior of any component of the infrastructure. The monitoring is fully redundant on system and network level with different software solutions being used to additionally eliminate possible malfunction. Two leading enterprise monitoring solutions are used with the services running on separate hardware. All checks within the monitoring are continuously optimized by engineers and administrators, especially after software updates which are followed by determined check reviews
Regular audits of policies and procedures ensure a steady state of preparation for the entire team and allow for fast and appropriate escalation procedures. In case of an emergency incident, the administration will be very quickly mobilized by the monitoring and then follow the defined emergency procedures by either solving the problem immediately or activating the responsible roles within the company. Procedures and guidelines for any possible incident have been defined from the preceding threat analysis and describe:
- all required steps such as data restoration from backups or fail over to a secondary data center;
- the affected, involved, and responsible roles; and
- the necessary details for the concluding report
After the incident, the involved team members file an accurate report which they forward to the role responsible for the corresponding policies, who then checks the policies for complete coverage. The policies then undergo a review by the responsible team members and the Chief Security Officer (CSO) of KSregistry GmbH to determine necessary changes based on the report. In case of changes, the CSO is responsible for a final review and the supervision of the policy revisions. Policy reviews are also triggered prior to software updates, the introduction or change of processes, or changes to the infrastructure in general. This procedure guarantees that the policies are continuously up to date and that their coverage is complete.
The beginning and end of employment of a team member also follow defined routines, especially the assignment and termination of access rights, respectively. Each policy contains strict rules for enforcement and the measures taken in case of policy violation. The CSO of KSregistry GmbH holds the general responsibility for policy compliance. The security policy describes additional responsibilities of certain roles and the corresponding policies and lists all affected roles within the company.
The KSregistry GmbH develops these policies alongside the ISO/IEC 27001 requirements, accompanied by the code of practice given in the ISO/IEC 27002 (source: http://www.iso.org/iso/catalogue_detail?csnumber=42103). More details can be found in section B. The backup strategy is a TIER 4 strategy following the best practice guide by IBM redBooks (source: http://www.redbooks.ibm.com/abstracts/tips0340.html?Open).
B. Independent Assessment
As a merchant using credit card payment systems, KSregistry GmbH is obligated to meet the requirements defined by the Payment Card Industry Data Security Standard (PCIDSS). Validation of compliance is done annually by an external Qualified Security Assessor. For KSregistry GmbH this validation is provided by the IT security experts from Acertigo AG located in Stuttgart, Germany. Security requirements of the standard are reviewed using a Self Assessment Questionnaire covering the following control objectives: build and maintain a secure network, protect cardholder data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy. The review of the questionnaire is accompanied by vulnerability scans for all systems, which are also carried out by Acertigo quarterly. The resulting reports document a constant security level and certify compliance to the PCIDSS standard, thereby also meeting the security requirements for the registry services.
The PCI security scans facilitate the identification of vulnerabilities and misconfigurations of web sites and all infrastructures with public services including, for example, mailservers and internet access for employees. Acertigo determines active IP addresses and services by probing a complete list of external IP addresses relevant to the PCIDSS (provided by KSregistry GmbH) and also ensures that only services intended for external use are accessible. The list includes web, application, and mail servers, as well as domain name servers and virtual hosts. Acertigo also scans for open IP addresses outside the scope given by KSregistry GmbH to ensure the integrity of the scans. The IDS of the KSR is configured to allow access to all systems for the IP addresses from which the scans originate.
Since the introduction of the PCIDSS, KSregistry GmbH has constantly been compliant to the standard. The quarterly scan reports are reviewed by KSregistry GmbH administrators and the chief security officer and necessary measures are taken immediately. In addition to the benefits for the security of KSregistry GmbH's proprietary software, the scans also help to keep third-party software up to date and add another level of malware detection to the already established detection system.
While its policies already cover a part of the ISO/IEC 27001 standard and are compliant to it, the KSregistry GmbH is also working towards an official certification. This implies the implementation of an Information Security Management System (ISMS) compliant to ISO/IEC 27001 and includes changes to and extensions of the security policies and procedures. Part of the requirements of the ISMS are periodic internal audits, which will be executed by the 'safe and secure systems – evaluation and verification' department of the DFKI GmbH (the German Research Center for Artificial Intelligence), the leading German AI research institute and an officially approved ISO/IEC 27001 auditor. The DFKI GmbH will also certify the complete compliance to ISO/IEC 27001 by the end of 2012 and subsequently provide periodical assessment reports.
KSregistry GmbH, the registry backend technology provider for the domain registrar Key-Systems, benefits from Key-Systems' more than ten years of experience in the domain business and its associated processes (with some team members working even longer in this field). As an ICANN accredited registrar and member in several work groups and technical boards representing a range of registries, Key-Systems is developing all systems in keeping with the requirements of registrars, registrants, and brandowners worldwide.
These requirements are covered by our security policy in general and are implemented in certain policies as our registry service policy or other specifically mentioned policies. The customers of KSregistry GmbH can rely on:
- Secure storage and handling of confidential customer data, with clearly defined access rules for virtual access in our “Network and System Access Policy” and physical access in our “Physical Security Policy”
- All objects are stored in one secured, central registry database as KSregistry GmbH supports a thick registry system
- A reliable and widespread DNS system, additionally secured by DNSSEC with its rules being defined in our “DNSSEC Policy”
- Secure communication from the registrants, over the registrars to the registry
- A guarantee that no changes to the registry technology will be made if these changes bear a risk of malfunction, as described in our specific “System and Software Update Policy”
KSregistry GmbH will also enforce the policies distributed on all levels of usage of the registry system. The complete staff is trained and audited in every policy the team member is affected by and constantly aware of the great importance of a secure system.
The registry operator is obligated to inform the registrars about all important agreements, general terms and conditions, events and notifications, and must also include these in its own registration agreement that is passed to the registrants. KSregistry GmbH's extensive documentation of the registry system interfaces such as EPP is provided as white-label and can be forwarded from the registry to registrars or even registrants if desired.
Accredited registrars should nominate persons who are authorized to contact the KSregistry GmbH 24/7 support in urgent emergency cases. These individuals have to prove their identity with a previously agreed passphrase. It is the registrar's responsibility to provide support for their registrants and to decide if support requests have to be escalated to the registry at any time, benefiting from KSregistry GmbH's support described above.
D. gTLD Specific
KSregistry GmbH guarantees a high level of security that is also reviewed and refined on a regular basis. The security policies and procedures comply with the general requirements of a technical registry operator with no need for deviation for this TLD. If any changes to the description of this TLD should occur in the future, KSregistry GmbH is able to rapidly adapt new policies and procedures as required.
E. Resources and Roles
E.1 Trusted Roles
Key-Systems GmbH has gathered experience in various roles in the domain business for more than ten years and has access to extensive knowledge in the domain business. This deep industry knowledge and experience has also been transferred to KSregistry GmbH, the technical provider of the KSregistry system (KSR) and is evident in many trusted persons serving in different roles throughout the company.
All employees, contractors, and consultants that have access to or control of the KSregistry system are regarded as trusted persons.
The following Trusted Roles are used for managing the KSR solution:
- Security Role: Chief Security Officer (CSO)
- Designated Engineering Role
- System Administration Role
- Security Administrator Role
- DNS/DNSSEC Role
- Operational Role
- Support Role
- Quality Management Role
- Change Management / Project Management Role
- Financial / Controlling Role
- Legal Role
Each role is staffed with multiple human resources for backup and capacity purposes.
Prior to employment in a Trusted Role, KSregistry GmbH performs the following background checks on a prospective candidate:
- Criminal Records Bureau check
- Verification of previous employment
- Check of professional references
Complete role descriptions are given in the security policy in answer 30b.
E.2 Project Resources
The table in fig. Q30a_Figure1.pdf shows how the roles described above are planned for the SRS system. All resources at KSR are dedicated to the registry business. The calculations differ between the project phase and the years after the operational start. The project phase requires more resources as there is much planning, managing, and development required. All resources are engaged in the domain industry only and are experts in their field.
However, as the resources are shared among the TLDs operated through KSR and are not dedicated exclusively to one SRS project, the columns in the attached figure contain the number of human resources available for this role and the percentage of time those people are working for this specific string. This percentage is the guaranteed time the resources are allocated to each SRS project.
F. List of attachments