Profile Applicability:
Level 2
Description:
Decryption capabilities for sensitive software artifacts must be restricted exclusively to authorized platforms or systems. This ensures that only trusted environments with proper security controls can access the contents of encrypted artifacts, preventing unauthorized disclosure or tampering.
Rationale:
Limiting decryption to authorized platforms protects intellectual property and sensitive data embedded within artifacts. It reduces the risk of exposure to malicious actors and supports compliance with data protection and security policies by enforcing strict access controls over decrypted content.
Impact:
Pros:
Protects sensitive artifact data from unauthorized access.
Maintains confidentiality and integrity of software components.
Supports compliance with security standards and regulations.
Enables enforcement of security policies across platforms.
Cons:
Requires robust platform authorization and access control mechanisms.
May introduce operational complexity in managing authorized platforms.
Default value:
By default, decryption capabilities may not be limited, potentially exposing artifacts to untrusted environments.
Audit:
Review platform access controls and decryption key management policies. Verify that only approved systems have access to decryption keys and can process encrypted artifacts.
Remediation:
Implement strong access controls and platform authentication mechanisms. Use hardware security modules (HSMs) or secure enclaves where possible. Maintain an inventory of authorized platforms and enforce policies that restrict decryption capabilities to those platforms.
References:
NIST Special Publication 800-57 Part 1 Rev. 5, Recommendation for Key Management - https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf
CIS Controls v8, Control 3 (Data Protection) - https://www.cisecurity.org/controls/data-protection/
OWASP Software Supply Chain Security - https://owasp.org/www-project-software-supply-chain-security/