Inside look: the real cost of trust

Models for proving identity online are all built around the secure distribution of public and private encryption keys, which are used as part of the unique digital certificates that are used to sign all manner of financial and other transactions.

The importance of those certificates cannot be overstated: as the basis for the Secure Sockets Layer (SSL) technology used within Web browsers, their protection and integrity are paramount. Hence the furore earlier this year, when it was discovered that a bug in the commonly-used OpenSSL encryption library could have allowed unknown snoopers to listen in on the exchange of digital certificates that aren't normally accessible.

Even as public and private-sector organisations continue to work through the implications of that 'Heartbleed' flaw, others are working to ensure that the mechanisms for protecting certificates – and the public's trust in them – remain intact. Importantly, this includes physical as well as virtual controls to ensure that carefully defined security procedures are not violated.

Unbeknownst to many, much of that physical protection is being managed through a nondescript Melbourne office building that is just one of four sites worldwide where identity-management giant Symantec – the world's largest issuer of digital certificates since it bought up industry pioneer VeriSign – manages and issues new organisational digital certificates.

The facility is normally tightly held under lock and key, but GTR recently had the opportunity to visit its deepest and darkest corners to find out just how this critical part of the identity story is maintained and managed.

The site serves several functions, including the maintenance of an 80-strong contact centre through which companies wanting to obtain a digital certificate must work their way. This is a long and complex process that involves the secure management of a dizzying array of documents, as well as layer upon layer of anti-fraud checks that require sharp-eyed staff to be on the lookout for discrepancies in identity-related credentials from dozens of countries around the Asia-Pacific region.

And there are discrepancies: efforts to obtain control over certificates through fraudulent means are commonplace, as are efforts to get new certificates issued in legitimate organisations' names. Faxed passport title pages with incorrect names, business registration papers with contact details falsified – in today's online economy, fraudsters will try anything to infiltrate services over which they have no legitimate claim.

Beyond the contact centre – where we go as we wave to the many cameras continuously recording every movement in this locked-down site – begins the series of physical controls through which employees must pass before they come even close to the heart of the facility.

Those controls include not only the ubiquitous cameras, but a series of three ASIO-rated doors where fingerprint scanning is the norm and complicated access rules prevent more than one person from passing at a time. Thermal sensors in the ceilings continuously count the number of people in the room and raise the alarm if it doesn't match the number that have correctly scanned into and out of the facility. Forget about trying to force your way into this facility: vibration sensors in the floors, walls and ceilings will pick you up well before you swing the sledgehammer a second time. Not that it matters: military-grade steel mesh is built into the ceiling of the facility. Infrastructure inside the site has been equally well-considered, with cabling for security, data and power systems on separate trays that are out in the open with sensors to ensure nothing compromises their integrity. Fibre runs must be intact and unbroken as a matter of procedure.

Behind those doors is a team of specialists that work in a windowless room to provide technical support to customers around the world. And there, behind two further securely-locked and alarmed doors through which nobody can pass without the correct supervisor joining them, is a data centre in which several racks of servers stand next to two thick-walled steel enclosures.

“Don't call them safes,” senior principal systems engineer Nick Savvides tells us, although there is no other way to describe them. Inside are trays of USB keys on which the certificate authority's master digital certificates are stored.

These are, literally, the keys to the kingdom that is electronic commerce – the master certificates that are used to generate new root identities for e-commerce operators whose entire viability depends on the integrity of these systems.

Simply holding these keys, however, won't get you anywhere. The serialised storage devices are useless without being brought into yet another room – again, nobody is allowed in by themselves – where nondescript white walls and several computers sit waiting for what Symantec calls the Key Ceremony to begin.

Fittingly, the Key Ceremony requires the attention of the Key Master – a company employee who cannot be named – who facilitates the entire process of adding new certificates through complex, painstaking 'scripts' that can run to 600 pages or more and take two people eight hours or longer to complete.

Those scripts include specific actions that must be taken by each participant in the Key Ceremony. Food is forbidden in the room, water is limited, and toilet breaks require packing up everything in the room and locking it away before resuming. If a mistake is made, the certificate must be revoked and the process started over.

This procedure is carried out frequently, although neither Savvides nor the Key Master will say when, or even how often. Yet there they are: buried in that high-security facility, this team is the physical face of identity security – and a cornerstone of the entire idea of trust on the Internet. – David Braue

This story originally ran in the May/June 2014 issue of Government Technology Review.