What Does the Proliferation of Cryptography Mean for IT Security, Risk, and Compliance Teams? Hint: It’s More Than Certificates

An exponential growth in cryptographic instances has increased complexity. But, when cryptography is done right, it can reduce the threat landscape because distributed systems can trust each other, establish secure connections, exchange and store sensitive data securely. Unfortunately, unmanaged cryptographic or invisible cryptographic configurations that are generated through shadow-IT processes are opening the door to silent data breaches, fraud or unanticipated downtime.  As discussed in Part 1 of this blog series, “The core elements that make the cryptographic layers safe include: algorithms, keys, libraries, and certificates.”

Organizations often limit the scope of cryptographical visibility to the network cypher suites and certificates used by their public-facing web services. This approach misses core cryptographic components that are used to maintain trust and protect critical information end-to-end, from the end-points to backend or private cloud infrastructure. Unmanaged cryptography usually includes hardcoded Private Keys, unmanaged SSH keys, shadow certificates, and/or cryptographic libraries that have been end-of-lifed. To improve the overall IT security posture of an organization, comprehensive visibility into a full and accurate audit of the complete cryptographic inventory is needed. The goal is to bring all hidden cryptographic elements to the surface and verify their compliance against regulations and security standards.

Poorly monitored cryptography creates significant vulnerabilities mainly due to:

Lack of visibility
Unmonitored cryptography puts sensitive data and/or infrastructure at risk because it may introduce hidden critical vulnerabilities or breach compliance without anyone being aware of it. Ideally, organizations need a holistic understanding of their reliance on cryptography across their critical infrastructure, including:

  • Public-facing and internal network web services
  • Hosts and virtual environments performing business-critical operations
  • Business applications having access to sensitive information
  • Cloud infrastructure running business-sensitive systems

Inadequate policies or policy enforcement
Modern IT practices like DevOps, IoT, cloud and multi-cloud environments leave critical cryptographic decisions in the hands of non-cryptographic specialists. While they may be experts in modern computing, they may lack the required expertise to use keys, algorithms, certificates or cryptographic libraries correctly. Ideally, cryptographic policies should be established by the InfoSec team as part of the organization’s security and compliance requirements, such as:

  • All certificates must rely on secure signature and public key algorithms
  • All certificates must be monitored and managed to prevent expiration
  • All private keys must be kept secret
  • All encryption key pairs must use secure algorithms and key-size
  • All key pairs must be rotated
  • All cryptographic libraries must be up-to-date
  • All cryptographic algorithms must meet the latest standards

Serious damage potential
While cryptography is considered secure by default, it is complex and needs to be properly managed – much like if a cutting-edge home security system is installed incorrectly. Inadequacies in the way that cryptography is securely managed or introducing a single mistake within a configuration can have a  substantial impact, including:

  • Disclosure of secret private keys embedded into applications
  • Unexpected downtime caused by unmanaged expiring certificates
  • Compliance breach due to reliance on legacy algorithms
  • Data leakage related to the use of vulnerable cryptographic libraries
  • Unauthorized access and fraud originating from the exploitation of hidden SSH keys

According to The National Institute of Standards and Technology (NIST), “Tools are urgently needed to facilitate the discovery of where and how public-key cryptography is being used in existing technology infrastructures”. This illustrates the sense of urgency organizations should have to understand their reliance on cryptography. In order to improve an organization’s cyber resiliency, it has become necessary to monitor cryptography, including keys, certificates, algorithms, and libraries across the entire digital footprint.  The added bonus is that a cryptographic inventory will be mandatory to plan for the migration to cryptographic agility and quantum safety.

Visibility has to move beyond the network to uncover cryptography that is unmanaged and that is hiding inside business-critical operational systems and applications. Once discovered, organizations can assess their cryptographic resilience and compliance posture and build a remediation strategy. With a continuously evolving digital ecosystem, having proper cryptographic hygiene has become mandatory to control cyber risks.