The crypto-agility mandate, and how to get there
To achieve long-term data protection in today’s fast-changing and uncertain world, companies need the ability to respond quickly to unforeseen events. Threats like quantum computing are getting more real while cryptographic algorithms are subject to decay or compromise. Without the ability to identify, manage and replace vulnerable keys and certificates quickly and easily, companies are at risk.
So, what do we mean when we talk about crypto-agility? Fundamentally, you will have achieved crypto-agility when your security systems are able to rapidly deploy and update algorithms, cryptographic primitives, and other encryption mechanisms. Going a step further, it means you have achieved complete control over cryptographic mechanisms – your public key infrastructure (PKI) and associated processes – and can quickly make whatever changes are needed without intense manual effort.
The replacement of manual processes with automated ones is critical to keeping up with accelerating change. As computing power and security technologies continue to evolve at a faster and faster pace, your existing cryptographic infrastructure is destined to become obsolete in a few years unless you can keep it upgraded to the latest technologies. Notably, threats continue to evolve as well.
Moreover, as the world transforms to depend on digital systems more fully, we’ve embedded cryptography deeply into virtually every communication system in the world. It’s no longer possible for cryptography to remain isolated from other critical systems. The vast interdependent nature of modern systems makes it imperative that IT teams have the ability to respond quickly – or face the risk of major outages and disruption.
Cryptographic standards like RSA, ECC, and AES that are in broad use today are constantly being updated with more advanced versions. Eventually governing bodies like NIST get in the act and mandate the use of the latest standards, with browser and cloud providers often raising the bar as well. To avoid becoming non-compliant, you must have the ability to quickly upgrade all your systems that rely on deprecated cryptography.
A robust, cryptographically agile infrastructure also brings other long-term benefits and plays a critical role in preventing security breaches. Achieving crypto-agility will make your operations teams more efficient, and eliminate unnecessary costs such consulting fees, temporary staff, fines, or remediation costs.
Such scenarios can unfold when a bad actor gains admin access, for instance, and may or may not have issued certificates. This uncertainty means that certificates from the impacted certificate authority (CA) can no longer be trusted and all certs from that CA must be revoked and re-issued. Without crypto-agility and a clear understanding of your potential exposure, you’re looking at a costly all-hands-on-deck response to track and update hundreds or thousands of certs. And, of course, anytime you have humans involved with security response, you’re opening yourself to human error and further compromise and outages.
Quantum computing keeps getting closer
The looming threat of quantum computing – some say we could see 100,000x faster quantum computers as soon as 2025 – represents another compelling reason to focus on improving your crypto-agility. While all crypto algorithms are breakable on paper, the incredible computing power required for such a feat does not currently exist. That could change with quantum computers which one day will be able to break most existing algorithms and hash function in minutes or hours.
To avoid the doomsday scenario where every system in the world is potentially exposed to compromise, work is already underway toward quantum-safe cryptography. However, given how little we know about quantum computing and the inability to perform real-world testing, it’s safe to assume there will be considerable give and take before quantum-safe algorithms are widely available.
In the meantime, your cryptography, certificate management and key distribution systems must be agile enough to adapt to this very real emerging threat. The table below presents a scenario of the time and expense involved with swapping out existing cryptography for quantum-safe cryptography. In this scenario, with incomplete or partial automation most enterprises would be looking at a 15-month vulnerability period compared to just six days when a fully automated solution has been put in place.
A comparison of quantum doomsday mitigation scenarios
Crypto-agility is a complex topic at scale and working towards it requires a multifaceted approach. Changes need to be made to security setups in organizational policy, operating methods, and core technology and processes. Your PKI may need to be upgraded and enhanced to support rapid swaps of cryptography, and software development procedures may need to be revamped to incorporate a nimbler approach to cryptography – as opposed to being bolted on top of finished software.
The first step toward true crypto-agility is to understand the extent of your cryptographic exposure. This is accomplished by tracking down every digital certificate deployed across the organization and capturing details including algorithms and their size, the type of hashing/signature, validity period, where it’s located and how it can be used.
Once you have a complete inventory, you’ll then need to identify the vulnerable certificates by the type of cryptography in use and look for anomalies and potential problems. These can include certificates that use wildcards or IP address, certificates located on unauthorized or unintended systems as well as certificates abandoned on deprecated systems.
Finding your certificates and vulnerability isn’t enough by itself to deliver crypto-agility – you’re still looking at the aforementioned 15-month-long process if you need to swap everything out manually.
Here are three pillars of crypto-agility that will put your organization on the right path toward withstanding whatever the future holds:
#1 – Automate discovery and reporting. At the push of a button, you should be able to produce a full report of all your cryptographic assets. This will allow you quickly identify vulnerable cryptography and to report anomalies. There are any number of tools available to help you do this, but ideally certificate reporting should just be incorporated into an automated PKI solution.
#2 – Automate PKI operations at scale. The ideal solution here is a fully automated Certificate Management Systems (CMS) that will manage the entire lifecycle of a certificate from creation to renewal. When the CMS is used to create a certificate it should have all the data it needs to not only monitor the certificate for expiration but automatically provision a replacement certificate without human intervention.
#3 – Be nimble. At an organization and management level, your IT organization from DevOps through to day-to-day operations staff need to be ready for threats and change. You should carefully evaluate and rethink all aspects of your PKI to identify areas that may lock you into a particular vendor or technology.
The risk of having a slow-to-respond cryptographic infrastructure is increasingly daily, not only as digital transformations increase our dependency on inter-connected systems but as external threats and technology evolve with increasing pace. Looming above it all is the threat of quantum computing. Put it all together and it’s clear that the time to automate your PKI and move toward crypto-agility is at hand.