Your business’s critical infrastructure most likely relies on several systems across your digital environment. Whatever those systems may be, there is no doubt that they are in some way secured by the invisible algorithms of cryptographic solutions. In our recent best practices webinar, Crypto Governance: Laying the Foundation for a Strong Crypto Strategy, Neal Fuerst, Director of Technology and Solutions for Entrust, explains how securing your critical IT infrastructure rests on governance.
Whether you define your critical infrastructure as the back-end databases that store your intellectual property, customer and business data, web presence or email system, protecting these critical systems requires that the proper policies, procedures, and controls are in place to ultimately prevent bad actors from gaining access to the sensitive information they hold.
Crypto itself is also critical infrastructure, as it touches nearly all aspects of our digital lives today. TLS/SSL delivers secure communications ranging from consumers ordering goods or services from your website to someone who is using a smartwatch for a touchless retail experience. From a business point of view, cryptography is the critical element used in securing your user community – whether it’s protecting web servers using TLS/SSL digital certificates or securing cloud infrastructure with strong authentication and encryption to provide data protection on virtual machines and databases. The Internet of Things (IoT) brings a whole new set of ‘things’ that require encryption to protect data as it is transmitted from those devices to business repositories.
Securing the underpinnings of critical infrastructure starts with an important question – “who” handles implementing the security, including the cryptographic components, within your infrastructure? Governance ensures that you have the right cryptographic policies, procedures, and controls in place to protect the information within these critical systems.
The questions asked around governance should be about the people:
- Do your resources have the skills and time necessary to drive the roadmap for crypto solutions?
- Do your resources have the skills and time necessary to monitor the crypto landscape and stay abreast of the trending vulnerabilities and changing regulations?
- Do your resources understand the technology well enough to draft the policies and procedures that will govern the rest of the organization?
- Do your resources have the skills necessary to answer the question — how do we properly implement crypto when crypto is constantly evolving?
Cryptographic solutions are evolving at a rapid pace to address vulnerabilities as they emerge. Recently, we have seen requirements for stronger encryption keys, hashing algorithms and protocols take effect, all while organizations keep an eye on anticipated cryptographic innovations such as multi-party computation, homomorphic encryption and quantum computing. To keep up with the rapid pace of change, we need to look at the important role that governance plays in building cryptographic solutions. Proper governance is necessary to stay proactive as technology evolves and to maintain crypto agility.
Cryptographic governance provides a framework for driving compliance and improvements to the cryptographic landscape within the organization. Having a well-defined and implemented governance model ensures that there is a system of checks and balances in place to educate the stakeholders on who does what and how. These are the underpinnings of a strong crypto strategy. Through effective governance, you are establishing cryptographic standards to be enforced across the enterprise, which will help eliminate issues associated with different cryptographic solutions scattered throughout the enterprise. Furthermore, by implementing a proper governance model, you are defining enforceable policies and procedures to ensure compliance. Without these policies and procedures, ensuring compliance is simply not realistic.