SignPath for InfoSec
SignPath makes Code Signing secure
How secure are your private keys? Who has access to them and how is their usage regulated? Stolen or misused code signing certificates are a severe threat to ISPs and their customers. The only way to prevent breaches and reduce the risks of successful attacks is to protect your private keys and to establish a secure, transparent process.
Chain attacks
Don't be the weakest link
A stolen code signing certificate puts not only your organization at risk, but also all of your customers. ISPs are increasingly becoming targets for the sole purpose of attacking one or several of their customers. IT organizations are reacting by demanding that their suppliers not only sign their code, but also establish secure code signing processes.
Agility and Security
Allow your developers to move fast
Define clear policies on how code signing certificates may be used - give your development teams the freedom to implement them for their processes. SignPath provides a clear separation of duties, where security teams stay on top of private key access and policy enforcement and development teams can focus on delivering software.
Incident management
Be prepared and take informed decisions
SignPath allows you to lock down the code signing process and define multiple gates to ensure only malware-free, approved software from trusted build systems is signed. Every usage of your private key is logged, making it possible to trace any misuse.
Secure storage of private keys
Rest assured that your private keys can never be compromised
SignPath provides a FIPS-certified Hardware Security Module (HSM) to generate and store the private keys for your certificates. The HSM is located in a physically secured data center. Every signing operation takes place on the HSM, ensuring that the private key is never exposed. The key infrastructure of SignPath fulfills all requirements for Extended Validation (EV) certificates without having to deal with USB tokens or spending money on dedicated hardware.
For customers who prefer direct control over their key material, SignPath offers dedicated Thales DPoD Cloud HSM instances. Use this option for local key backups, importing and exporting options, and to guarantee key availability independently from your SignPath subscription. (Export and backup options require cloning domains or key wrapping.)