Security Consultant – PKI & KMI

Overview

Job Description

Public Key Infrastructure

• Provide guidance to key stakeholders on PKI and Cryptographic Key Management lifecycle, processes, and procedures.
• Provide PKI advisory and assistance service support for IT in Certification Authority (CA), Registration Authorities (RA), and other PKI components to meet the security requirements.
• Understand the different regulatory and industry best practices of implementing PKI solution and ensures these controls are implemented in bank’s PKI.
• Analyse all aspects of the existing PKI infrastructure and providing recommendations to enhance system security, reliability, & availability.
• Conduct risk assessments on the PKI to identify the security risks and notify the concerned IT stakeholders to remediate the issues within the agreed timelines.
• Involves in the external audit engagements on the PKI and support the IT teams by providing the required security evidence requested during the Audit.
• Involves in Telecom Regulatory Authority (TRA) license in providing the required documents from group security department and monitors the licensing periodic requirements by producing the TRA requested artifacts.
• Be part of the key ceremonies conducted in the bank to monitor the activity and guide the business and IT teams to ensure the keys are generated in secure manner.

Key Management Infrastructure

• Provides end-user KMI support and perform general administrative duties.
• Able to provide KMI expertise from experience, i.e., other key management use cases
• Lead technical tasks related to implementation and configuration of the KMI including integration with client systems.
• Develop and carry out improvement plans for key management capability using existing setup and playground documentation with the goal of automating repeatable tasks for optimal and efficient service delivery.

PKI

• X.509 Certificates and CRL
• Digital Signatures
• Timestamping
• Key Ceremony
• CP/CPS documentations
• TRA, CA/Browser Forum, WebTrust for CA guidance and Regulations
• Design and Deployment
• Offline Root CA, Sub CA, Issuing CA, Policy CA
• Patching and Upgrade
• Operational support
• Cryptographic Protocols
• PKI Keystores
• Certificate based authentication

PKI Software

• OpenTrust PKI and CMS
• Microsoft ADCS and Certificate Templates

• Entrust Certificate Services

• EverTrust OCSP

• Thales CipherTrust Manager

• TDE Encryption

• Key Management Interoperability Protocol

• AWS XKS
• Azure Vault and AWS Key Managers
• Files/Folder Encryption
• Application Encryption

PKI & KMI Hardware

• Utimaco CryptoServer LAN, u.trust General Purpose HSM Se-Series

• Thales Luna HSM 7

• Cryptographic Tokens (ex: Smartcards or USB Tokens)

Other Infrastructure Systems

• Operating Systems: RHEL and Windows
• Monitoring tools: SIEM, SNMP v2 and v3, etc.

• ITSM: Service Now

• Roles and Responsibilities
• PKI administration: which includes CLM, health checks of PKI systems, DR, backup, and restoration.
• KMI administration: which includes KLM, health checks, DR, backup, and restoration.
• Responsible to manage installation and configuration of the operating system in accordance with the Public Key Infrastructure solution requirements
• Responsible for managing the all the PKI and KMI components
• Responsible to implement infrastructure controls recommended by Operation/Technical Risk Team as well as the management
• Ensure the infrastructure access and role assigned is compliant with segregation of duties requirements
• Actively involved in the incident management process and coordinate with relevant stakeholders/teams
• Responsible to oversee all patching and upgrade requirements. And ensure patches are tested prior rolling out on the productions
• Coordinate migration of existing Database keys
• Work on Technical tasks related to implementation and configuration of Key Management system.
• Work closely with Service Owners, Crypto Officer and Key Custodian on all aspects of PKI and Key Management.
• Must be able to raise and own an incident and change ticket on Service Now.
• Present the change in the Change Approval Board (CAB) and obtain business approval.
• Ensure the incident resolution and change is progressed as per the agreed SLA.
• Perform Root Cause Analysis (RCA) through problem management process.