An exponential growth in cryptographic instances has increased complexity. But when cryptography is done right, it shrinks the threat landscape, because distributed systems can trust each other, establish secure connections, and exchange and store sensitive data securely. Unfortunately, unmanaged or invisible cryptographic configurations generated through shadow-IT processes are opening the door to silent data breaches, fraud, or unanticipated downtime. As discussed in Part 1 of this blog series, “The core elements that make the cryptographic layers safe include: algorithms, keys, libraries, and certificates.”
Organizations often limit the scope of cryptographic visibility to the network cipher suites and certificates used by their public-facing web services. This approach misses the core cryptographic components that maintain trust and protect critical information end-to-end, from the endpoints to backend or private cloud infrastructure. Unmanaged cryptography usually includes hardcoded private keys, unmanaged SSH keys, shadow certificates, and cryptographic libraries that have reached end of life. To improve the overall IT security posture of an organization, a comprehensive and accurate audit of the complete cryptographic inventory is needed. The goal is to bring all hidden cryptographic elements to the surface and verify their compliance against regulations and security standards.
Poorly monitored cryptography creates significant vulnerabilities mainly due to:
According to the National Institute of Standards and Technology (NIST), “Tools are urgently needed to facilitate the discovery of where and how public-key cryptography is being used in existing technology infrastructures”. This illustrates the sense of urgency organizations should have about understanding their reliance on cryptography. To improve an organization’s cyber resiliency, it has become necessary to monitor cryptography, including keys, certificates, algorithms, and libraries, across the entire digital footprint. A further benefit is that a cryptographic inventory will be a prerequisite for planning the migration to cryptographic agility and quantum safety.
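As an added example (not a tool from this blog series or from NIST), the following minimal inventory check illustrates the kind of discovery the text calls for: it records every PEM block and OpenSSH public key found in a file's contents and flags two of the unmanaged categories named above, private keys sitting in plain files and deprecated or undersized SSH key algorithms. All sample inputs are constructed; `fake_ssh_rsa_line` builds a dummy modulus and is not a real key.

```python
# Added example: minimal cryptographic-inventory scanner for source trees and
# config files. No real key material is used; the SSH fixture is constructed.
import base64
import re
import struct
from collections import namedtuple

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+?)-----")
SSH_RE = re.compile(r"^(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-\S+) (\S+)", re.M)
Finding = namedtuple("Finding", "path kind detail severity")  # severity: info | warn | high


def ssh_rsa_bits(blob: bytes) -> int:
    """Modulus size of an ssh-rsa public blob: string 'ssh-rsa', mpint e, mpint n."""
    off, fields = 0, []
    for _ in range(3):                      # each field is length-prefixed (RFC 4251 string)
        (n,) = struct.unpack(">I", blob[off:off + 4])
        fields.append(blob[off + 4:off + 4 + n])
        off += 4 + n
    return int.from_bytes(fields[2], "big").bit_length()


def scan_text(path: str, text: str) -> list:
    """Inventory one file's contents; returns a list of Finding."""
    out = []
    for label in PEM_RE.findall(text):
        private = "PRIVATE KEY" in label    # e.g. "RSA PRIVATE KEY", "OPENSSH PRIVATE KEY"
        out.append(Finding(path, f"PEM:{label}",
                           "private key in plain file" if private else "PEM object",
                           "high" if private else "info"))
    for algo, b64 in SSH_RE.findall(text):
        if algo == "ssh-dss":
            out.append(Finding(path, "SSH:ssh-dss", "DSA, disabled by default in OpenSSH", "high"))
        elif algo == "ssh-rsa":
            bits = ssh_rsa_bits(base64.b64decode(b64))
            out.append(Finding(path, "SSH:ssh-rsa", f"{bits}-bit RSA",
                               "warn" if bits < 2048 else "info"))
        else:
            out.append(Finding(path, f"SSH:{algo}", "current algorithm", "info"))
    return out


def fake_ssh_rsa_line(bits: int) -> str:
    """CONSTRUCTED fixture: an ssh-rsa line with a `bits`-bit dummy modulus, not a real key."""
    def mpint(v):
        b = v.to_bytes(v.bit_length() // 8 + 1, "big")  # extra byte keeps the sign bit clear
        return struct.pack(">I", len(b)) + b
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(65537) + mpint((1 << (bits - 1)) | 1)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " demo@example"
```

Feeding real repositories and home directories through `scan_text` (for example via `os.walk`) gives a first list of hidden keys and weak SSH algorithms to reconcile against the managed inventory.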
Visibility has to move beyond the network to uncover unmanaged cryptography hiding inside business-critical operational systems and applications. Once it is discovered, organizations can assess their cryptographic resilience and compliance posture and build a remediation strategy. In a continuously evolving digital ecosystem, proper cryptographic hygiene has become mandatory to control cyber risk.
In the final blog in this series we will take a deeper dive into crypto agility and how to establish a cryptographic profile of your organization.