“Agility” has been quite a buzzword recently. You will likely find it on most companies’ 5-year plan slide decks. Yet there is one area where the ability to adapt quickly and efficiently makes a lot of sense: cryptography. In an age where the methods employed by cyber attackers are becoming increasingly sophisticated and the specter of quantum computing looms, the importance of encryption cannot be overstated. This has led to the rise of a concept enabled by technical capabilities, known as “crypto-agility”: the ability to quickly adapt to an alternative cryptographic standard without making significant infrastructure changes.
Embracing Crypto-Agility
With advancements in encryption come new challenges. As encryption methods evolve, older algorithms may become susceptible to attacks. Crypto-agility, therefore, has emerged as the antidote to this vulnerability. At its core, crypto-agility empowers organizations to transition seamlessly between encryption techniques. Rather than relying solely on one method, crypto-agility advocates for strategic flexibility, allowing the swift adoption of newer, more secure crypto libraries.

However, large organizations can have hundreds or thousands of keys, digital certificates, encryption implementations, and other cryptographic assets that can expire or suddenly break. Most security teams are unaware of the types of encryption they use, let alone which applications use them. They implicitly trust that embedded cryptographic systems will protect their networks. This strategy has proven to fail as the headlines pile up. It is time to extend zero-trust principles into the cryptographic ecosystem, so that organizations know whether their most fundamental layer of protection and confidentiality can fulfill its purpose when called upon.

The first step to address these risks is to discover where the current cryptographic assets reside and assess their ability to withstand decryption attempts. Cryptographic discovery tools have been developed to create accurate inventories of all cryptographic instances, known and unknown, and to analyze the systems relying on cryptography to protect sensitive assets, including web servers, hosts, applications, networks, and cloud systems.
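As an added illustration (not code from the article or from any vendor it names), here is the core design pattern that makes the seamless transition described above possible: every integrity tag carries an algorithm identifier, a registry marks each scheme as current or deprecated, and an inventory pass counts how much stored data still depends on the old scheme before it is retired. The scheme ids, the key and the sample record are constructed for this example.

```python
import hmac

# Registry of integrity-tag schemes: id -> (digest name, lifecycle status).
# "deprecated" means verify-only: accept old tags, never emit new ones.
# The scheme ids and the v1 legacy scheme are constructed for this example.
ALGORITHMS = {
    "v1-sha1": ("sha1", "deprecated"),
    "v2-sha256": ("sha256", "current"),
    "v3-sha3_256": ("sha3_256", "current"),
}
DEFAULT_ALG = "v3-sha3_256"

def compute_tag(key: bytes, message: bytes, alg: str = DEFAULT_ALG) -> str:
    """Produce 'id$hexmac'; the id travels with the tag, so swapping the
    algorithm later changes neither the storage format nor the callers."""
    digest, status = ALGORITHMS[alg]
    if status != "current":
        raise ValueError(f"{alg} is deprecated; refusing to create new tags")
    return f"{alg}${hmac.new(key, message, digest).hexdigest()}"

def verify_tag(key: bytes, message: bytes, tag: str):
    """Return (valid, needs_migration). Unknown ids and bad MACs fail;
    a valid tag under a deprecated scheme is flagged for re-tagging."""
    alg, _, mac = tag.partition("$")
    if alg not in ALGORITHMS:
        return False, False
    digest, status = ALGORITHMS[alg]
    expected = hmac.new(key, message, digest).hexdigest()
    valid = hmac.compare_digest(expected, mac)
    return valid, valid and status != "current"

def migrate_tag(key: bytes, message: bytes, tag: str) -> str:
    """Verify, then re-tag stale data under the current default scheme."""
    valid, stale = verify_tag(key, message, tag)
    if not valid:
        raise ValueError("tag does not verify; refusing to migrate it")
    return compute_tag(key, message) if stale else tag

def inventory(tags):
    """Count tags per scheme id: the discovery step that shows how much data
    still depends on a deprecated algorithm before it can be retired."""
    counts = {}
    for tag in tags:
        alg = tag.partition("$")[0]
        counts[alg] = counts.get(alg, 0) + 1
    return counts

# Constructed sample data: one record tagged under the legacy v1 scheme.
SAMPLE_KEY = b"constructed-demo-key"
SAMPLE_MSG = b"account=1234;balance=100"
SAMPLE_LEGACY_TAG = "v1-sha1$" + hmac.new(SAMPLE_KEY, SAMPLE_MSG, "sha1").hexdigest()
```

Retiring the v1 scheme is then a one-line registry change once `inventory` reports no remaining v1 tags, rather than a recode of every application that stores or checks tags.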
Proactive Resilience
The use cases of crypto-agility have soared in recent years. We could argue that it has even become a buzzword in the cybersecurity industry, although it is often misused. Even once-impregnable encryption algorithms have succumbed to the relentless march of technological progress and ingenious hacking techniques. Organizations lacking crypto-agile strategies were exposed to preventable attacks, prompting industry juggernauts to partner with crypto-agility solution providers.

Steering away from static cryptographic management models requires robust tooling capable of integrating with a comprehensive set of environments such as networks, servers and applications, but also with certificate management solutions, threat management suites and EDR technologies, among others. Crypto-agility platforms are being developed to empower cybersecurity teams to add crypto-agility capabilities to their security tech stack. For example, large financial institutions are increasingly integrating the InfoSec Global Crypto-Agility Management Platform with industry-leading agent management tools like Microsoft Sentinel or CrowdStrike Falcon. Adopting a crypto-agility framework allows organizations not only to accommodate future changes but also to comply with strict standards, like the Payment Card Industry Data Security Standard (PCI DSS), which guides payments industry stakeholders in ensuring safe payments worldwide.
Emerging Encryption Trends
Encryption technology is on a transformative journey, reflecting the need for robust data protection. Traditional symmetric and asymmetric encryption techniques now share the stage with groundbreaking innovations such as homomorphic and post-quantum encryption. However, switching from legacy encryption to recommended algorithms tends to be exceedingly expensive and error-prone. A year after the implementation error in OpenSSL that led to the Heartbleed vulnerability, half of U.S. organizations still had not patched all their OpenSSL instances. This is because cryptographic assets are deeply embedded in software, rendering them extremely difficult to change.
Another growing segment comes from the proliferation of Internet of Things devices. Securing IoT devices throughout their lifespan can be particularly challenging, as their encryption is baked in when they are manufactured. With crypto-agility, a new electric car can be updated to mitigate emerging risks, thanks to a crypto-agile middle layer at the chip level that allows it to replace its cryptographic assets.
Conclusion
Without crypto-agility, applications must either be reconfigured locally or recoded to enable the implementation of new quantum-safe algorithms. Neither one is a good option. To prevent security issues that can halt major networks’ operations and cause Global 1000 companies to shell out millions to ransomware attackers, leading standards bodies are working hard to identify which digital signature schemes, hash algorithms, block ciphers, and other encryption methods to approve for standardization. Legislators worldwide are also increasingly promulgating their own encryption standards, which puts additional pressure on organizations to become crypto-agile in order to comply with the regulations of different markets.