See more

User's Guide: Quorum Policy

  • Last updated:
  • access_time Reading time:

Introduction

A quorum policy is composed of one or more quorum policy rules. A quorum policy rule is composed of:

  • Quorum Group: A set of members in the group that are needed to approve an operation.
  • Administrator: Minimum number of administrators that need to approve the operation.
  • Application: an application that approves a sensitive operation for a specific use case.
  • Using a second-factor security key to approve the request.
  • Password re-entry required to approve the request.

In addition, the quorum policy can establish if “all” or “any” of the quorum policy rules are required to have a quorum and approve the requested operation.

Quorum Policy - Enabling Quorum Approval Policy on Groups

A group administrator may enable a quorum approval policy on a group, which mandates that all security-sensitive operations in that group would require a quorum approval. Such operations include using a key for cryptographic operations or deleting or updating a group. The list of security-sensitive operations include:

  • Key deletion
  • Key metadata update
  • Key export (only when key is marked exportable)
  • Encryption and decryption
  • Signature generation
  • Mac generation
  • Wrap key
  • Unwrap key
  • Derive key
  • AgreeKey (ECDH)
  • Plugin create and update
  • Get app credential (API Key/Password)
  • Updating group level metadata
  • Update/Delete quorum policy

Group Quorum Policy

Create a Quorum Policy for a Group

  1. Go to the detailed view of a group, and in the INFO tab, in the Quorum approval policy section click the ADD POLICY. Quorum1.png
    Figure 1: Add quorum policy
  2. In the Quorum approval policy form, fill the details such as the number/name of administrators or applications that need to approve sensitive operations with keys and plugins.
  3. Click the Advanced button to add more combinations for the quorum policy.
  4. There are two optional check boxes:
    • Using a second-factor security key is required to approve requests.
    • Password re-entry is required to approve the request.
  5. The Operations that require Quorum approval section allows configuring which operations in the group will require a quorum approval. The following operations are selected by default and cannot be altered as these operations mandatorily require a quorum approval.
    • Add, Update Plugin
    • Update Group Configuration (Cryptographic and Quorum Policy)

      The user can configure the following operations for quorum approval:

    • Destroy Key, Update Key
    • Cryptographic Operations
       
    Quorum2.png
    Figure 2: Choose operations that require quorum approval
     
  6. Click the SAVE POLICY In the QUORUM POLICY window, review the quorum approval details and click the SAVE button. This window will show a summary of the values that were added to the Quorum approval policy screen. Quorum3.png
    Figure 3: Confirm quorum policy details

Update Group Quorum Policy

To update a group quorum policy:

  1. Go to the detailed view of a group and in the INFO tab, in the Quorum approval policy section click the EDIT POLICY button. Quorum4.png
    Figure 4: Update quorum policy details
     
  2. In the Quorum approval policy form, make the required changes, and click the SAVE POLICY button.Quorum5.png
    Figure 5: Update the quorum policy

Account Quorum Policy

Create a Quorum Policy for an Account

To set a quorum policy at the account level:

  1. Go to the Account Settings page in Fortanix Self-Defending KMS. Click the QUORUM POLICY tab.
  2. In the Quorum approval policy page, click the ADD POLICY FOR THE ACCOUNT button to edit the Account Quorum Policy. Quorum8.png
    Figure 6: Edit account level quorum policy
     
  3. In the Quorum approval policy form, fill the details such as the number/name of administrators that need to approve sensitive operations with keys and plugins.
  4. Click the Advanced button to add more combinations for the quorum policy.
  5. There are two optional check boxes:
    1. Using a second-factor security key is required to approve requests.
    2. Password re-entry is required to approve the request.
  6. The Operations that require Quorum approval section allows you to configure which operations in the account will require a quorum approval. The operation listed below is selected by default and cannot be altered as this operation mandatorily requires a quorum approval.
    • Quorum policy update

      The user can configure the following operations for quorum approval.

    • Update authentication methods
    • Cryptographic policy update
    • Log Management
       
    Quorum6.png
    Figure 7: Choose operation that requires approval
     
  7. Click the SAVE POLICY button. In the Quorum policy window, review the quorum approval details and click the SAVE button. This window will show a summary of the values that were added to the Quorum approval policy screen. Quorum7.png
    Figure 8: Review and save account quorum policy

Update Account Quorum Policy

To edit an account quorum policy:

  1. Click the EDIT POLICY button on the Quorum Approval Policy page. Quorum9.png
    Figure 9: Edit account policy
  2. To set the approval request expiration time, click the EDIT button for the Approval requests expiration time field.

Quorum Approval

Modifying the quorum approval policy would also require quorum approval.

  • The quorum approval policy may be defined simply as the minimum number of approvals required among the total number of group administrators or applications for the group.
  • A policy may also include the specific identity of users or applications who form the quorum, and not just the size of the quorum.
  • An advanced policy could be a combination of quorum rules. For example, a quorum could be defined as “one out of users A and B”; “three out of users C, D, E, F, and G”, and "two out of Apps H, I, J, K".
  • A quorum policy may also include optional authentication methods for approval:
    • Two-Factor authentication for approval: This option can be enabled for prompting using for additional authentication methods such as Yubikey or other U2F supported services during approval.
    • Password re-entry for approval: This option can be enabled for prompting the user to re-enter password during quorum approval. 

Workflow for Quorum Approval

Whenever a sensitive operation is performed in a group enabled for quorum approval, a workflow for quorum approval is triggered.

  • This involves sending a notification to all users who can grant approval. This is done by sending emails, as well as generating a task in the approvers’ accounts, which they see on the dashboard as soon as they log in to their Fortanix Self-Defending KMS account.
  • The users can then grant approvals from the UI. The sensitive operation is blocked until the quorum is met.
  • Once the quorum is met, the operation is performed, and the event is logged including the names of users who approved the request.

Quorum10.png

                                                        Figure 10: Approving quorum request

Quorum Approval Request to Update Group Quorum Policy

Since updating a quorum policy is a sensitive operation, this change in quorum policy should be approved by the administrators/applications who were part of the policy before the update. So, the original approvers/administrators will receive the following approval request to approve the new policy. The window shows what was the old policy in the Existing column and what update was made in the New column.
Click the APPROVE or DECLINE button to approve or decline the policy.

Quorum11.png

                              Figure 11: Quorum approval for Group Policy update - diff view

In the approval window, the Existing column shows the existing state of the security object and the New column shows the updates made to the security object. A user can APPROVE or DECLINE the request.

Quorum Approval Request for Security Object Updates

When a Security Object is updated such as changing the SO name, changing the permitted SO permissions, updating the expiry date for SO, or deleting/deactivating an SO, such operations will trigger a quorum approval request such as the following:

Quo7.1.png

                              Figure 11: Quorum approval for Group Policy update - diff view

In the approval window, the Existing column shows the existing state of the security object and the New column shows the updates made to the security object. A user can APPROVE or DECLINE the request.

Quorum Approval Request for Cryptographic Policy Updates

When a cryptographic policy is updated it triggers the following Quorum Approval request:

Quorum13.png

                           Figure 13: Quorum approval for Cryptographic Policy update - diff view

In the approval window, the Existing column shows the existing state of the security object and the New column shows the updates made to the security object. A user can APPROVE or DECLINE the request.

Quorum Approval Request for Plugin Code Change

When you update the code for a Fortanix Self-Defending KMS plugin, it triggers the following quorum approval request:

Quorum14.png

                    Figure 14: Quorum approval for Plugin code change - diff view

In the approval window, the Existing column shows the existing state of the security object and the New column shows the updates made to the security object. A user can APPROVE or DECLINE the request.