Introduction
A quorum policy is composed of one or more quorum policy rules. A quorum policy rule is composed of:
- Quorum Group: A set of members in the group that are needed to approve an operation.
- Administrator: Minimum number of administrators that need to approve the operation.
- Application: An application that approves a sensitive operation for a specific use case.
- Using a second-factor security key to approve the request.
- Password re-entry required to approve the request.
In addition, the quorum policy can specify whether “all” or “any” of the quorum policy rules must reach a quorum to approve the requested operation.
Quorum Policy - Enabling Quorum Approval Policy on Groups
A group administrator may enable a quorum approval policy on a group, which mandates that all security-sensitive operations in that group require a quorum approval. Such operations include using a key for cryptographic operations or deleting or updating a group. The list of security-sensitive operations includes:
- Key deletion
- Key metadata update
- Key export (only when key is marked exportable)
- Encryption and decryption
- Signature generation
- MAC generation
- Wrap key
- Unwrap key
- Derive key
- AgreeKey (ECDH)
- Plugin create and update
- Get app credential (API Key/Password)
- Updating group level metadata
- Update/Delete quorum policy
Group Quorum Policy
Create a Quorum Policy for a Group
- Go to the detailed view of a group, and in the INFO tab, in the Quorum approval policy section, click the ADD POLICY button.
Figure 1: Add quorum policy
- In the Quorum approval policy form, fill in the details such as the number/name of administrators or applications that need to approve sensitive operations with keys and plugins.
- Click the Advanced button to add more combinations for the quorum policy.
- There are two optional check boxes:
- Using a second-factor security key is required to approve requests.
- Password re-entry is required to approve the request.
- The Operations that require Quorum approval section allows configuring which operations in the group will require a quorum approval. The following operations are selected by default and cannot be altered because they always require a quorum approval.
- Add, Update Plugin
- Update Group Configuration (Cryptographic and Quorum Policy)
The user can configure the following operations for quorum approval:
- Destroy Key, Update Key
- Cryptographic Operations
Figure 2: Choose operations that require quorum approval
- Click the SAVE POLICY button. In the QUORUM POLICY window, review the quorum approval details and click the SAVE button. This window will show a summary of the values that were added to the Quorum approval policy screen.
Figure 3: Confirm quorum policy details
Update Group Quorum Policy
To update a group quorum policy:
- Go to the detailed view of a group, and in the INFO tab, in the Quorum approval policy section, click the EDIT POLICY button.
Figure 4: Update quorum policy details
- In the Quorum approval policy form, make the required changes, and click the SAVE POLICY button.
Figure 5: Update the quorum policy
Account Quorum Policy
Create a Quorum Policy for an Account
To set a quorum policy at the account level:
- Go to the Account Settings page in Fortanix Self-Defending KMS. Click the QUORUM POLICY tab.
- In the Quorum approval policy page, click the ADD POLICY FOR THE ACCOUNT button to edit the Account Quorum Policy.
Figure 6: Edit account level quorum policy
- In the Quorum approval policy form, fill in the details such as the number/name of administrators that need to approve sensitive operations with keys and plugins.
- Click the Advanced button to add more combinations for the quorum policy.
- There are two optional check boxes:
- Using a second-factor security key is required to approve requests.
- Password re-entry is required to approve the request.
- The Operations that require Quorum approval section allows you to configure which operations in the account will require a quorum approval. The operation listed below is selected by default and cannot be altered because it always requires a quorum approval.
- Quorum policy update
The user can configure the following operations for quorum approval:
- Update authentication methods
- Cryptographic policy update
- Log Management
Figure 7: Choose operation that requires approval - Quorum policy update
- Click the SAVE POLICY button. In the Quorum policy window, review the quorum approval details and click the SAVE button. This window will show a summary of the values that were added to the Quorum approval policy screen.
Figure 8: Review and save account quorum policy
Update Account Quorum Policy
To edit an account quorum policy:
- Click the EDIT POLICY button on the Quorum Approval Policy page.
Figure 9: Edit account policy
- To set the approval request expiration time, click the EDIT button for the Approval requests expiration time field.
Quorum Approval
Modifying the quorum approval policy would also require quorum approval.
- The quorum approval policy may be defined simply as the minimum number of approvals required among the total number of group administrators or applications for the group.
- A policy may also include the specific identity of users or applications who form the quorum, and not just the size of the quorum.
- An advanced policy could be a combination of quorum rules. For example, a quorum could be defined as “one out of users A and B”; “three out of users C, D, E, F, and G”, and "two out of Apps H, I, J, K".
- A quorum policy may also include optional authentication methods for approval:
- Two-factor authentication for approval: This option can be enabled to prompt the user for additional authentication methods such as Yubikey or other U2F supported services during approval.
- Password re-entry for approval: This option can be enabled to prompt the user to re-enter their password during quorum approval.
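The rule combination described above ("one out of users A and B", "three out of users C, D, E, F, and G", "two out of Apps H, I, J, K") can be modelled as follows. This is an added example, not Fortanix code or its API: the Rule, Approval, rule_met and quorum_met names are hypothetical, and the sample approvals are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    n: int                          # minimum approvals required from `members`
    members: frozenset              # users or apps allowed to approve under this rule
    require_2fa: bool = False       # approval must use a second-factor security key
    require_password: bool = False  # approval must include password re-entry

    def __post_init__(self):
        # Reject rules that are trivially satisfied (n < 1) or can never be met.
        if not 1 <= self.n <= len(self.members):
            raise ValueError("n must be between 1 and the number of members")

@dataclass(frozen=True)
class Approval:
    approver: str
    used_2fa: bool = False
    reentered_password: bool = False

def rule_met(rule, approvals):
    # Collect names in a set so a repeated approval from one identity counts once;
    # approvals from non-members or without the required factors are ignored.
    valid = {a.approver for a in approvals
             if a.approver in rule.members
             and (a.used_2fa or not rule.require_2fa)
             and (a.reentered_password or not rule.require_password)}
    return len(valid) >= rule.n

def quorum_met(rules, approvals, mode="all"):
    # Fail closed: an empty policy or an unknown mode is an error, never an approval.
    if not rules or mode not in ("all", "any"):
        raise ValueError("policy needs at least one rule and mode 'all' or 'any'")
    results = [rule_met(r, approvals) for r in rules]
    return all(results) if mode == "all" else any(results)

# The combination used as the example in the text above.
PAGE_POLICY = [
    Rule(1, frozenset("AB")),
    Rule(3, frozenset("CDEFG")),
    Rule(2, frozenset("HIJK")),
]

if __name__ == "__main__":
    got = [Approval(x) for x in "ACDEH"]  # constructed sample approvals
    print(quorum_met(PAGE_POLICY, got, "all"))  # only one app has approved so far
    print(quorum_met(PAGE_POLICY, got + [Approval("I")], "all"))
    print(quorum_met(PAGE_POLICY, [Approval("A")], "any"))
```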
Workflow for Quorum Approval
Whenever a sensitive operation is performed in a group enabled for quorum approval, a workflow for quorum approval is triggered.
- This involves sending a notification to all users who can grant approval. This is done by sending emails, as well as generating a task in the approvers’ accounts, which they see on the dashboard as soon as they log in to their Fortanix Self-Defending KMS account.
- The users can then grant approvals from the UI. The sensitive operation is blocked until the quorum is met.
- Once the quorum is met, the operation is performed, and the event is logged including the names of users who approved the request.
Figure 10: Approving quorum request
Quorum Approval Request to Update Group Quorum Policy
Since updating a quorum policy is a sensitive operation, this change in quorum policy should be approved by the administrators/applications who were part of the policy before the update. So, the original approvers/administrators will receive the following approval request to approve the new policy. The window shows the old policy in the Existing column and the updated policy in the New column.
Click the APPROVE or DECLINE button to approve or decline the policy.
Figure 11: Quorum approval for Group Policy update - diff view
In the approval window, the Existing column shows the existing state of the security object and the New column shows the updates made to the security object. A user can APPROVE or DECLINE the request.
Quorum Approval Request for Security Object Updates
When a Security Object (SO) is updated, for example by changing the SO name, changing the permitted SO permissions, updating the expiry date for the SO, or deleting/deactivating an SO, the operation triggers a quorum approval request such as the following:
Figure 11: Quorum approval for Group Policy update - diff view
In the approval window, the Existing column shows the existing state of the security object and the New column shows the updates made to the security object. A user can APPROVE or DECLINE the request.
Quorum Approval Request for Cryptographic Policy Updates
When a cryptographic policy is updated, it triggers the following quorum approval request:
Figure 13: Quorum approval for Cryptographic Policy update - diff view
In the approval window, the Existing column shows the existing state of the security object and the New column shows the updates made to the security object. A user can APPROVE or DECLINE the request.
Quorum Approval Request for Plugin Code Change
When you update the code for a Fortanix Self-Defending KMS plugin, it triggers the following quorum approval request:
Figure 14: Quorum approval for Plugin code change - diff view
In the approval window, the Existing column shows the existing state of the security object and the New column shows the updates made to the security object. A user can APPROVE or DECLINE the request.