Crypto Agility. Why Now? (Part 3)

Cryptography plays a significant role in any digital service because it is the foundation for securing an organization’s most critical asset – data. The concept of a cryptographic profile has reached the C-suite because of the damage that poorly applied cryptography can cause. The spectre of quantum computing and the expanding regulatory environment also require organizations to manage their cryptography properly. This blog post summarizes recent developments that demonstrate the relevance of cryptography:

  • Importance of Data Protection
    Organizations should not underestimate the importance of the cryptography used for data protection. There are many instances in which undetected, poorly managed cryptography surprised a major brand with a data breach, bringing unwanted headlines and causing highly visible system outages. The Cost of a Data Breach Report 2020 found that enterprises suffered an average of $5.52 million in total costs stemming from a data breach. In part two of our three-part blog series, which covered the proliferation of cryptography, we highlighted a Ponemon report that revealed “Misconfigured Cloud servers tied for most frequent initial threat vector in breaches caused by malicious attacks.”
  • Crypto Agility
    Cryptographic Agility is the ability for an organization to quickly and efficiently enforce the use of new cryptographic policies across its digital footprint. Its purpose is to respond to unpredictable cryptographic vulnerabilities and ensure digital assets are protected throughout the digital ecosystem with company defined policies for cryptography.
  • Crypto Visibility
    The first step toward crypto agility is understanding the organization’s current cryptographic dependencies. Building a cryptographic inventory is key to developing an efficient response plan in the event of a cryptographic compromise and to starting the transition to crypto agility. Unfortunately, many organizations do not have a complete inventory of where cryptography is being used. According to a recent NIST Cyber Security White Paper, Getting Ready for Quantum Computing, “A prerequisite for migrating from the current set of public-key algorithms to post-quantum algorithms is to identify where and for what purpose public-key cryptography is being used. Public-key cryptography has been integrated into existing computer and communications hardware, operating systems, application programs, communications protocols, key infrastructures, and access control mechanisms.”

    Not having an accurate picture of cryptographic instances puts organizations at a disadvantage when it comes to determining where and how to prioritize the replacement of classical algorithms with post-quantum ones – an inevitable exercise. The NIST white paper also asserts that, “Tools are urgently needed to facilitate the discovery of where and how public-key cryptography is being used in existing technology infrastructures.”
  • Post-Quantum Cryptography
    Classical public key cryptography, used broadly to protect our current digital environment, will eventually be broken by a future quantum computer. NIST started the process to standardize new “quantum-resistant” cryptographic algorithms (PQC) in 2016. The final standards are planned to be released between 2022 and 2024. With multiple PQC algorithms to choose from, organizations will have to select the new cryptographic standards carefully based on their use cases and security constraints. Crypto agility will be necessary to navigate safely between multiple complex PQC algorithms.
  • Regulations on Encryption
    Although encryption regulation in the United States has been relatively lax, the global landscape looks different. As of January 1, 2020, China began enforcing a new cryptography law that regulates the use of cryptography across both the private and public sectors. This new law impacts international business: “Under Article 28 of the Encryption Law, importers must obtain a license if the imported commercial encryption item ‘may impact national security or the public interest’ and ‘provides an encryption protection function,’” as reported by Inside Privacy. Crypto agility will be a must-have for ensuring compliance with multiple cryptographic standards across a global landscape. The growth of regulations surrounding cryptographic use cases underscores the need for organizations to manage cryptographic assets more efficiently to support the increasing demands of international business interests.
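As an added illustration of the discovery step described under Crypto Visibility (example code written for this post, not a tool from InfoSec Global or Entrust): a minimal scanner that finds PEM public keys in text, reads the algorithm OID out of the DER SubjectPublicKeyInfo, and flags classical public-key algorithms for PQC migration. The two sample keys are hand-built placeholders, not real keys.

```python
import base64
import re

# Constructed sample DER SubjectPublicKeyInfo blobs with placeholder key bits.
RSA_SPKI = bytes.fromhex("3014" "300d06092a864886f70d0101010500" "0303000102")
EC_SPKI = bytes.fromhex("301a" "301306072a8648ce3d020106082a8648ce3d030107" "0303000400")

OID_NAMES = {
    "1.2.840.113549.1.1.1": "RSA",
    "1.2.840.10045.2.1": "EC",
    "1.2.840.10040.4.1": "DSA",
    "1.2.840.10045.3.1.7": "P-256",
    "1.3.132.0.34": "P-384",
}
QUANTUM_VULNERABLE = {"RSA", "EC", "DSA"}  # company policy: schedule for PQC migration
PEM_RE = re.compile(r"-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----", re.S)

def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos (short or long-form length)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Decode DER OID bytes into dotted notation (base-128 arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_spki(der):
    """Return (algorithm, parameter) names from a DER SubjectPublicKeyInfo."""
    tag, spki, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, alg_id, _ = _read_tlv(spki, 0)          # AlgorithmIdentifier SEQUENCE
    _, oid, pos = _read_tlv(alg_id, 0)         # algorithm OID
    algorithm = OID_NAMES.get(_decode_oid(oid), _decode_oid(oid))
    parameter = None
    if pos < len(alg_id):                      # optional parameters (curve OID for EC)
        tag, params, _ = _read_tlv(alg_id, pos)
        if tag == 0x06:
            parameter = OID_NAMES.get(_decode_oid(params), _decode_oid(params))
    return algorithm, parameter

def inventory(text):
    """Find PEM public keys in text and record algorithm plus the policy action."""
    findings = []
    for match in PEM_RE.finditer(text):
        der = base64.b64decode("".join(match.group(1).split()))
        algorithm, parameter = parse_spki(der)
        action = "migrate" if algorithm in QUANTUM_VULNERABLE else "review"
        findings.append({"algorithm": algorithm, "parameter": parameter, "action": action})
    return findings

def _pem(der):
    return "-----BEGIN PUBLIC KEY-----\n%s\n-----END PUBLIC KEY-----\n" % base64.b64encode(der).decode()

# Constructed config text as it might be found in a repository scan.
SAMPLE_CONFIG = "# sample service config\n" + _pem(RSA_SPKI) + "cipher = TLS_AES_128_GCM_SHA256\n" + _pem(EC_SPKI)
```

Running `inventory(SAMPLE_CONFIG)` on the constructed config reports one RSA key and one EC key on P-256, both marked for migration.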

Cryptography will constantly evolve, and an agile approach to managing cryptographical instances must be adopted to keep pace with growing use cases, regulations and standards.

The first blog in this series looked at what you need to know about the importance of cryptography, and was followed up with a discussion on the impact of the proliferation of cryptography.

Julien Probst, Head of Products, InfoSec Global; Diana Gruhn, Product Marketing Director, Entrust