Enabling a quorum approval policy for a group in Fortanix Self-Defending Key Management Service (KMS) prevents a single user (or administrator) from accessing or using a highly sensitive key.
Enabling quorum approval policy on groups
A group administrator may enable a quorum approval policy on a group, which mandates that all security-sensitive operations in that group require quorum approval. Such operations include using a key for cryptographic operations or deleting or updating a group. The list of security-sensitive operations includes:
- Key deletion
- Key metadata update
- Key export (only when key is marked exportable)
- Encryption and decryption
- Signature generation
- MAC generation
- Wrap key
- Unwrap key
- Derive key
- AgreeKey (ECDH)
- Plugin create and update
- Get app credential (API Key/Password)
- Updating group level metadata
- Update/Delete quorum policy
Modifying the quorum approval policy also requires quorum approval.
- The quorum approval policy may be defined simply as the minimum number of approvals required among the total number of group administrators or applications for the group.
- A policy may also include the specific identities of the users or applications who form the quorum, and not just the size of the quorum.
- An advanced policy could be a combination of quorum rules. For example, a quorum could be defined as "one out of users A and B", "three out of users C, D, E, F, and G", and "two out of Apps H, I, J, K".
- A quorum policy may also include optional authentication methods for approval:
  - Two-Factor authentication for approval: This option can be enabled to prompt users for additional authentication methods such as Yubikey or other U2F supported services during approval.
  - Password re-entry for approval: This option can be enabled to prompt the user to re-enter their password during quorum approval.
Figure 1: Add a quorum policy
Figure 2: Add a quorum policy
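The combined policy from the example above, evaluated against the approvals collected so far. This is an added illustration, not Fortanix code or its API schema: the `Quorum` class, the `satisfied` and `unmet` helpers, the `user:`/`app:` identifiers, and the assumption that all three rules must be met are hypothetical.

```python
from dataclasses import dataclass


# Hypothetical policy model for illustration; not the Fortanix API schema.
@dataclass(frozen=True)
class Quorum:
    """At least `n` of `members` must approve; a member is a principal ID or a nested Quorum."""
    n: int
    members: tuple

    def __post_init__(self):
        # Reject rules that could never be met or that would need no approval.
        if not 1 <= self.n <= len(self.members):
            raise ValueError(f"n={self.n} invalid for {len(self.members)} members")


def satisfied(node, approvals) -> bool:
    """True if `approvals` meets `node`. Counting is per policy member, so a
    repeated approval or an approver outside the policy adds nothing."""
    if isinstance(node, str):
        return node in approvals
    return sum(satisfied(m, approvals) for m in node.members) >= node.n


def unmet(policy: Quorum, approvals) -> list:
    """Indexes of the top-level rules that still block the operation."""
    return [i for i, rule in enumerate(policy.members)
            if not satisfied(rule, approvals)]


# The page's advanced policy; requiring all three rules is an assumption.
POLICY = Quorum(3, (
    Quorum(1, ("user:A", "user:B")),
    Quorum(3, ("user:C", "user:D", "user:E", "user:F", "user:G")),
    Quorum(2, ("app:H", "app:I", "app:J", "app:K")),
))

if __name__ == "__main__":
    # Constructed approvals, in the order a request might collect them.
    collected = ["user:A", "user:B", "user:C", "user:D", "app:H", "app:I"]
    print(satisfied(POLICY, collected), unmet(POLICY, collected))
    collected.append("user:E")
    print(satisfied(POLICY, collected), unmet(POLICY, collected))
```

Extra approvals inside one rule (both A and B here) do not make up for a shortfall in another rule, which is why the request stays blocked until a third user from C through G approves.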
Workflow for quorum approval
Whenever a sensitive operation is performed in a group enabled for quorum approval, a workflow for quorum approval is triggered.
- This involves sending a notification to all users who can grant approval. This is done by sending emails, as well as generating a task in the approvers' accounts, which they see on the dashboard as soon as they log in to their Fortanix Self-Defending KMS account.
- The users can then grant approvals from the UI. The sensitive operation is blocked until the quorum is met.
- Once the quorum is met, the operation is performed, and the event is logged, including the names of the users who approved the request.
Figure 3: Quorum approval
Quorum Approval Request for Security Objects Update
When a Security Object (SO) is updated, for example by changing the SO name, changing the permitted SO permissions, updating the expiry date for the SO, or deleting/deactivating an SO, the operation triggers a quorum approval request such as the following:
Figure 4: Quorum approval for security object update - diff view
In the approval window, the Existing column shows the existing state of the security object and the New column shows the updates made to the security object. A user can APPROVE or DECLINE the request.