Cryptographic Management: How to Minimize Mayhem and Maximize Effectiveness

Cryptography is the foundation of authentication, authorization, confidentiality, data integrity, and more.  It is the foundation of digital trust; it is the enabler of overall enterprise security. Any threat to cryptography is a threat to be taken seriously. In today’s increasingly connected ecosystems, broken cryptography can result in mayhem — unauthorized access to sensitive information, damage to critical infrastructure, lost control over devices and data — the list is endless. As every organization in every industry knows (or should know), mission-critical assets, systems, and data are crown jewels, which require the utmost attention, management, and protection. Unsurprisingly, maintaining and protecting these crown jewels is easiest when the enterprise knows precisely where, what, and how effective they are.

Can you identify and defend your organization’s crown jewels? It’s an important question and one asked in a recent Infosecurity Magazine thought piece by Uri Levy, SVP global strategy, XM Cyber. Levy observes that simply throwing money at the problem will not solve it. “It is not necessarily how much you are spending but how you choose to spend your cybersecurity budget. Fundamentally, getting it right means having the tools to ensure you can identify and protect your most valuable assets.”

 We agree.

ISARA’s new enterprise security solution, Advance® Crypto Agility Suite, provides insight into the cryptography used throughout an organization’s infrastructure, including in those pesky blind spots. The number of devices, systems and technologies used within enterprises continues to rapidly grow and shows no signs of slowing down. This makes it increasingly difficult for organizations to identify and manage their cryptographic assets. Consequently, creating and spending a quality cybersecurity budget is becoming increasingly difficult. As if it were not hard enough already. Learn how to make cryptographic management easier.

Cryptographic Infrastructures Need to be Visible to Reduce Risk

“Having the visibility necessary to reduce risk is one of the most critical parts of security...A single view across the battlefield is vital,” advocates Levy. Cryptographic infrastructures need to be visible, managed, and upgraded whenever necessary — with minimal disruption to normal business operations. “We created ISARA Advance to enable the discovery, management, and remediation of cryptographic infrastructure from a central dashboard, to help organizations account for cryptography, save time, and reduce upgrade disruptions,” said Alan Panezic, chief product officer at ISARA.

The National Cybersecurity Center of Excellence (NCCoE ), a part of the Department of Homeland Security and the National Institute of Standards and Technology (NIST) has undertaken a collaborative project to bring awareness to the issues surrounding migration to post-quantum cryptographic algorithms and to develop and share best practices to ease that migration. The NCCoE and NIST have circulated the draft project, Migration to Post-Quantum Cryptography, asking for feedback from the community.  ISARA is grateful to have had the opportunity to provide input to this crucial project. Some our recommendations included:

  • Suggested additions to the list of Standards Development Organizations from which an inventory of standards is being built

  • Notes on the importance of code-signing operations as an early-stage transition point from quantum-vulnerable to quantum-safe.

  • Despite the less urgent requirement, the inclusion of a similar processes and considerations for migrating symmetric key algorithms and primitives

  • Notes on the importance of understanding the expected lifetimes of cryptographic assets, for the formulation of an efficient migration strategy

  • Notes on the importance of consideration for quantum-safe security in the early stages of product design cycles, even if the end product is expected to be relatively short lived

  • Need to raise awareness that tools and solutions are appearing in market to tackle some of the paper’s recommended first steps, including crypto discovery. (Our Advance® Crypto Agility Suite is one example of such a solution)

 From the Migration to Post-Quantum Cryptography draft, “the initial scope of this effort is to demonstrate the discovery tools that can provide automation assistance in identifying where and how public-key cryptography is being used in hardware, firmware, operating systems, communication protocols, cryptographic libraries, and applications employed in data centers on-premises or in the cloud and distributed compute, storage, and network infrastructures. The recommended project will engage industry in demonstrating use of automated discovery tools to identify all instances of public-key algorithms used in an example network infrastructure’s computer and communications hardware, operating systems, application programs, communications protocols, key infrastructures, and access control mechanisms.”

 The Importance of Quantum-Safe Migration

Current public-key cryptography is expected to be broken by a large-scale quantum computer within 7-10 years, creating widespread threats and putting organizations and their systems and data at risk. Transitioning to new cryptographic standards is complex and could take enterprises and governments at least a decade or more to complete. Now is the time to begin implementing quantum-safe technologies, policies, and procedures. “Make sure your organization is making plans to be ahead of the quantum threat. Do your research. Do a quantum risk analysis, and make sure somebody is designated to be in charge of crypto-agility with regards to quantum computers,” recommends Dustin Moody, Ph.D., NIST mathematician.

"...Before large-scale quantum computers are built, we need to migrate our systems and practices to ones that cannot be broken by quantum computers. For systems that aim to provide long-term confidentiality, this migration should happen even sooner,” states Dr. Michele Mosca, founder of the Institute for Quantum Computing and professor in the Dept. of Combinatorics & Optimization at the University of Waterloo.

 Susan Miller, editor at Government Computer News, outlines NIST’s recommendations for post-quantum cryptography migration:

  • Discover the FIPS-140-validated hardware and software modules present in the enterprise

  • Identify the cryptographic libraries that are commonly used for quantum-vulnerable algorithms and those that might support one of NIST’s selected quantum-resistant algorithms

  • Find and select sample cryptographic applications that use quantum-vulnerable public-key cryptography

  • Identify quantum-vulnerable code in computing platforms, including operating systems, access control utilities, cryptographic integrity applications and identity and access management applications

  • Find and prioritize the quantum-vulnerable cryptographic algorithms used in communication protocols leveraged by critical infrastructure sectors

Organizations can stay ahead of cryptography threats by integrating crypto agility and quantum-safe security now. Learn more about the ISARA Radiate® Quantum-Safe Toolkit, built for OEMs and developers who want to test and integrate next-generation post-quantum cryptography into their commerical products. After all, when it comes to cryptographic management, we want to minimize the mayhem and maximize effectiveness.