
What Does the Proliferation of Cryptography Mean for IT Security, Risk, and Compliance Teams? Hint: It’s More Than Certificates

June 24, 2021


Written by: Diana Gruhn & Julien Probst


An exponential growth in cryptographic instances has increased complexity. But when cryptography is done right, it can reduce the threat landscape, because distributed systems can trust each other, establish secure connections, and exchange and store sensitive data securely. Unfortunately, unmanaged or invisible cryptographic configurations generated through shadow-IT processes are opening the door to silent data breaches, fraud, or unanticipated downtime. As discussed in Part 1 of this blog series, “The core elements that make the cryptographic layers safe include: algorithms, keys, libraries, and certificates.”

Organizations often limit the scope of cryptographic visibility to the network cipher suites and certificates used by their public-facing web services. This approach misses core cryptographic components that are used to maintain trust and protect critical information end-to-end, from the endpoints to backend or private cloud infrastructure. Unmanaged cryptography usually includes hardcoded private keys, unmanaged SSH keys, shadow certificates, and/or cryptographic libraries that have reached end of life. To improve the overall IT security posture of an organization, comprehensive visibility through a full and accurate audit of the complete cryptographic inventory is needed. The goal is to bring all hidden cryptographic elements to the surface and verify their compliance against regulations and security standards.

Poorly monitored cryptography creates significant vulnerabilities mainly due to:

  • Lack of visibility

    Unmonitored cryptography puts sensitive data and/or infrastructure at risk because it may introduce hidden critical vulnerabilities or breach compliance without anyone being aware of it. Ideally, organizations need a holistic understanding of their reliance on cryptography across their critical infrastructure, including:

    • Public-facing and internal network web services
    • Hosts and virtual environments performing business-critical operations
    • Business applications having access to sensitive information
    • Cloud infrastructure running business-sensitive systems

  • Inadequate policies or policy enforcement

    Modern IT practices like DevOps, IoT, cloud and multi-cloud environments leave critical cryptographic decisions in the hands of non-cryptographic specialists. While they may be experts in modern computing, they may lack the required expertise to use keys, algorithms, certificates or cryptographic libraries correctly. Ideally, cryptographic policies should be established by the InfoSec team as part of the organization’s security and compliance requirements, such as:

    • All certificates must rely on secure signature and public key algorithms
    • All certificates must be monitored and managed to prevent expiration
    • All private keys must be kept secret
    • All encryption key pairs must use secure algorithms and key-size
    • All key pairs must be rotated
    • All cryptographic libraries must be up-to-date
    • All cryptographic algorithms must meet the latest standards

  • Serious damage potential

    While cryptography is considered secure by default, it is complex and needs to be properly managed, much like a cutting-edge home security system that is installed incorrectly. Inadequacies in the way cryptography is managed, or a single mistake within a configuration, can have a substantial impact, including:

    • Disclosure of secret private keys embedded into applications
    • Unexpected downtime caused by unmanaged expiring certificates
    • Compliance breach due to reliance on legacy algorithms
    • Data leakage related to the use of vulnerable cryptographic libraries
    • Unauthorized access and fraud originating from the exploitation of hidden SSH keys
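
The policy checks above can be made concrete for one class of hidden material, SSH keys and PEM-encoded objects embedded in files. The following is an added example (not code from this post, Entrust, or InfoSec Global) that parses an authorized_keys-style SSH public key from its wire format, reads the algorithm and RSA modulus size from the key blob itself rather than trusting the text prefix, and evaluates it against assumed policy thresholds (2048-bit RSA minimum, ssh-dss treated as legacy); the key material it builds is constructed test data, not a real key.

```python
import base64
import re
import struct

# Policy thresholds assumed for this example; align them with your own standard.
MIN_RSA_BITS = 2048
LEGACY_TYPES = {"ssh-dss"}
PEM_HEADER = re.compile(r"-----BEGIN ([A-Z ]+?)-----")  # finds embedded PEM objects

def _string(blob, off):  # one length-prefixed SSH field (RFC 4251 string/mpint)
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def _mpint(value):  # positive integer as SSH mpint (leading 0x00 if high bit set)
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(raw)) + raw

def build_ssh_rsa_line(modulus, exponent=65537, comment="constructed"):
    """Build an authorized_keys-style ssh-rsa line from constructed numbers."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(exponent) + _mpint(modulus)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

def parse_ssh_pubkey(line):
    """Return (key_type, bits) read from the key blob, not from the text prefix."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    alg, off = _string(blob, 0)
    if alg.decode() != key_type:
        raise ValueError("type prefix does not match key blob")
    bits = None
    if key_type == "ssh-rsa":
        _e, off = _string(blob, off)  # public exponent
        n, _ = _string(blob, off)     # modulus
        bits = int.from_bytes(n, "big").bit_length()
    elif key_type == "ssh-ed25519":
        bits = 256
    return key_type, bits

def evaluate_ssh_key(line):
    """Check one SSH public key against the algorithm and key-size policy."""
    key_type, bits = parse_ssh_pubkey(line)
    if key_type in LEGACY_TYPES:
        return f"FAIL {key_type}: legacy algorithm"
    if bits is None:
        return f"REVIEW {key_type}: no size rule defined"
    if key_type == "ssh-rsa" and bits < MIN_RSA_BITS:
        return f"FAIL ssh-rsa {bits}-bit: below {MIN_RSA_BITS}-bit minimum"
    return f"OK {key_type} {bits}-bit"
```

Running `evaluate_ssh_key` over every key line found in home directories, container images, and configuration repositories, and `PEM_HEADER.findall` over their text, gives a first inventory of SSH keys and embedded private keys or certificates to reconcile against the policy.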

According to the National Institute of Standards and Technology (NIST), “Tools are urgently needed to facilitate the discovery of where and how public-key cryptography is being used in existing technology infrastructures”. This illustrates the sense of urgency organizations should have about understanding their reliance on cryptography. In order to improve an organization’s cyber resiliency, it has become necessary to monitor cryptography, including keys, certificates, algorithms, and libraries, across the entire digital footprint. The added bonus is that a cryptographic inventory will be mandatory to plan for the migration to cryptographic agility and quantum safety.

Visibility has to move beyond the network to uncover cryptography that is unmanaged and that is hiding inside business-critical operational systems and applications. Once discovered, organizations can assess their cryptographic resilience and compliance posture and build a remediation strategy. With a continuously evolving digital ecosystem, having proper cryptographic hygiene has become mandatory to control cyber risks.

In the final blog in this series we will take a deeper dive into crypto agility and how to establish a cryptographic profile of your organization.

Diana Gruhn
Product Marketing Director, Entrust
Diana Gruhn is a Product Marketing Director at Entrust, the brand that keeps the world moving safely by enabling trusted identities, payments, and digital infrastructure around the globe. She has been working in the high technology industry for 10+ years and is enthusiastic about helping businesses stay secure as well as the people who transact with them.
Julien Probst
Guest Contributor
Julien Probst is a cybersecurity professional and entrepreneur with more than 12 years of experience in international business, entrepreneurship and product innovation in high tech and cybersecurity. He is currently head of product at InfoSec Global, an Entrust partner and previously co-founded and led Sysmosoft, a Swiss pioneer in mobile security.