If you’re having trouble getting a handle on your cryptographic instances, you’re not alone. According to Ponemon Institute’s most recent Global Encryption Trends Study, “Discovering where sensitive data resides is the number one challenge.”[i] That is no surprise given the surge in cryptographic use cases spawned by modern IT practices such as DevOps, machine identity, cloud, and multi-cloud environments.

Discussions at DHS (the Department of Homeland Security) and NIST (the National Institute of Standards and Technology) are urgently raising awareness among public and private organizations of the need for tools and methods that give them visibility into their cryptographic instances, so that those instances can be monitored.

“Many information technology (IT) and operational technology (OT) systems are dependent on public-key cryptography, but many organizations have no inventory of where that cryptography is used. This makes it difficult to determine where and with what priority post-quantum algorithms will need to replace the current public-key systems. Tools are urgently needed to facilitate the discovery of where and how public-key cryptography is being used in existing technology infrastructures.”[1] NIST raised this concern in a recent report on adopting and using post-quantum algorithms.

DHS recently partnered with NIST to create a roadmap designed to reduce the risks expected from advances in technology, particularly quantum computing. The roadmap guides chief information officers on how to mitigate those risks, advising them to stay on top of changing standards, inventory and prioritize systems and datasets, audit vulnerabilities, and use the gathered information for transition planning. In the accompanying statement, Homeland Security Secretary Alejandro N. Mayorkas advised, “Now is the time for organizations to assess and mitigate their related risk exposure. As we continue responding to urgent cyber challenges, we must also stay ahead of the curve by focusing on strategic, long-term goals.”

The roadmap in effect advises organizations to embark on what industry analyst Gartner calls a Cryptographic Center of Excellence (CryptoCoE): a group within an organization that owns the enterprise-wide strategy for crypto and PKI, covering discovery, inventory, monitoring, and execution.

By organizing the people, protocols, processes, and technology needed to prepare for quantum resilience, CIOs lay the foundation for a strong crypto strategy and build a CryptoCoE within their organization that enforces governance and compliance and delivers crypto agility.

Crypto agility describes a way of implementing cryptography, and it should not be limited to preparing for post-quantum computing. Crypto agility means that cryptographic updates can be made without business disruption: replacing an algorithm is relatively straightforward and does not change the function of the application. It means being ready to transition to new requirements as standards groups and regulatory bodies update them. Requirements and regulations change to keep up with a threat climate that is always in motion, which calls for stronger algorithms and longer key lengths.

Another driver for an accurate cryptographic inventory is knowing which certificates are in use throughout the organization, whether they comply with policy, and when they expire. Certificate expiry causes outages that make business applications unavailable. Outages are costly, can breach service-level agreements, and damage brand reputation.

The sooner an organization gains visibility into all of its cryptographic instances, which means going behind the endpoints to uncover SSH keys, crypto libraries, and hardcoded cryptography hidden inside hosts and applications, the better prepared it will be to avoid data breaches and maintain compliance as new key lengths and algorithms are required to defend against known threats. If you’re wondering whether it’s time to perform an enterprise-wide cryptography risk assessment, the time is now.
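The discovery work described above, as an added example (not code from the original post or from any product it mentions): a small Python scanner that finds hardcoded PEM material in a file's text, walks each certificate's DER structure to read its expiry date and public-key size, and flags imminent expiry and RSA keys below a 2048-bit policy. The certificate, the config text and the tlv() encoder are constructed for the example, and cert_summary() reports key sizes for RSA only; other key types come back as "non-rsa".

```python
import base64, re
from datetime import datetime
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)
OID_RSA = bytes.fromhex("2A864886F70D010101")  # 1.2.840.113549.1.1.1 rsaEncryption

def der_children(buf):  # walk one level of DER TLVs, yielding (tag, value) pairs
    pos = 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long form: the low 7 bits give the number of length bytes that follow
            length, pos = int.from_bytes(buf[pos:pos + (length & 0x7F)], "big"), pos + (length & 0x7F)
        yield tag, buf[pos:pos + length]
        pos += length
def cert_summary(der):  # (not_after, key_alg, key_bits) from a DER-encoded X.509 certificate
    tbs = next(der_children(next(der_children(der))[1]))[1]  # Certificate -> tbsCertificate
    fields = [f for f in der_children(tbs) if f[0] != 0xA0]  # minus [0] version: serial, sig alg, issuer, validity, subject, SPKI, ...
    tag, raw = list(der_children(fields[3][1]))[1]  # validity.notAfter: UTCTime (0x17) or GeneralizedTime (0x18)
    not_after = datetime.strptime(raw.decode(), "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ")
    alg_id, pubkey = list(der_children(fields[5][1]))
    if next(der_children(alg_id[1]))[1] != OID_RSA:
        return not_after, "non-rsa", None  # EC and other key types: extend with their OIDs as needed
    rsa_key = next(der_children(pubkey[1][1:]))[1]  # skip the BIT STRING unused-bits byte, enter RSAPublicKey
    return not_after, "rsa", int.from_bytes(next(der_children(rsa_key))[1], "big").bit_length()  # modulus size
def inventory(text, as_of, min_rsa_bits=2048, warn_days=30):  # findings for one file's text, as of an ISO date
    findings, now = [], datetime.fromisoformat(as_of)
    for label, body in PEM_RE.findall(text):
        if label != "CERTIFICATE":  # keys are reported by presence only; their contents are never parsed
            findings.append({"kind": label, "flags": ["hardcoded key"] if label.endswith("PRIVATE KEY") else []})
            continue
        not_after, alg, bits = cert_summary(base64.b64decode("".join(body.split())))
        days = (not_after - now).days
        flags = ["expired"] if days < 0 else [f"expires in {days}d"] if days <= warn_days else []
        if alg == "rsa" and bits < min_rsa_bits:
            flags.append(f"rsa-{bits} below {min_rsa_bits}-bit policy")
        findings.append({"kind": label, "alg": alg, "bits": bits, "days_left": days, "flags": flags})
    return findings

# Constructed sample: an unsigned 1024-bit RSA certificate expiring 2024-03-01 and a dummy private key,
# embedded in a config file the way hardcoded material is typically found; tlv() is a toy DER encoder.
def tlv(tag, body):
    n = len(body)
    return bytes([tag, n]) + body if n < 128 else bytes([tag, 0x81, n]) + body if n < 256 else bytes([tag, 0x82, n >> 8, n & 255]) + body
name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x0C, b"legacy-app"))))  # CN=legacy-app
sig_alg = tlv(0x30, tlv(0x06, bytes.fromhex("2A864886F70D01010B")) + tlv(0x05, b""))  # sha256WithRSAEncryption
rsa_pub = tlv(0x30, tlv(0x02, b"\x00" + b"\xC3" * 128) + tlv(0x02, b"\x01\x00\x01"))  # RSAPublicKey: 1024-bit n, e=65537
spki = tlv(0x30, tlv(0x30, tlv(0x06, OID_RSA) + tlv(0x05, b"")) + tlv(0x03, b"\x00" + rsa_pub))
validity = tlv(0x30, tlv(0x17, b"230301000000Z") + tlv(0x17, b"240301000000Z"))
tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + sig_alg + name + validity + name + spki)
cert_pem = base64.encodebytes(tlv(0x30, tbs + sig_alg + tlv(0x03, b"\x00" * 129))).decode()
SAMPLE_CONFIG = f"tls_cert: |\n-----BEGIN CERTIFICATE-----\n{cert_pem}-----END CERTIFICATE-----\ntls_key: |\n-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"
```

Run over every file gathered from a host or repository crawl, the findings list is the raw material for the inventory; the expiry and key-length flags are where the compliance questions above get answered.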


Other Resources:

DHS releases roadmap to post-quantum cryptography

Getting Ready for Post-Quantum Cryptography: Exploring Challenges Associated with Adopting and Using Post-Quantum Cryptographic Algorithms, NIST, April 28, 2021, https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04282021.pdf

[1] National Institute of Standards and Technology (NIST), Getting Ready for Post-Quantum Cryptography, https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04282021.pdf

[i] 2021 Global Encryption Trends Study, Ponemon Institute