Getting a Grip on Cryptography
Cryptography isn’t usually considered a ‘sexy’ subject in the complex field of cybersecurity. When cryptography is included in an IT security roadmap, it’s often only as a box that needs to be ticked off; a red flag as part of an audit, or an overdue update for a component that doesn’t want to return to an older standard. And more and more often, we come across something in the cloud that simply refuses to work if you leave out the cryptography. That seems to occur more frequently these days and putting it off today doesn’t make it go away. This issue causes a lot of headaches in every corner of the security world, driven in part by confusing regulations and incomprehensible technical instructions. It’s always a chore, without obvious added value, which doesn’t make it any easier to convince the people in charge of the money.
This lamentation among security professionals is mostly justified. But… When you consider that almost every modern security product has a big stack of cryptography under the hood – with all the complexity that entails – then it’s only logical that the topic keeps popping up again and again. And now that you’ve put your infrastructure in the cloud, you can’t simply slap something substandard together – or leave out the crypto entirely, like before. It wasn’t so long ago that organizations forbade encryption on their own network, ‘for security reasons’. That was almost standard practice up to 2015. The idea still lives on today in some corners because encryption makes inspection impossible. There goes your antivirus and your Intrusion Protection.
It’s a complicated puzzle, and when you think you’re done there are always some pieces left over. The topic is so universal that you can almost call it a vital technology. That means knowledge and control of cryptography is essential for effective security.
Within the field of computer security, crypto is de facto one of the most important issues, because it’s hidden below the surface in so many places, but there are very few organizations that give it an explicit administrative owner. So, ownership is commonly left floating between Security and IT. That causes friction and inertia, and things start to break down.
Considering that, now is the time for us all to swallow that bitter pill and sink our teeth into the topic.
What we’ve noticed are the side effects of three fundamental developments:
- Upscaling:: The number of applications of cryptography is constantly growing due to Zero Trust and the expansion of mobile working, telecommuting and the cloud; data stored outside your own infrastructure requires encryption for storage and transport (in our typical technical jargon: deperimiterization). But at the same time, cryptographic keys are valid for shorter and shorter periods, which forces more frequent rotation and other maintenance, just for availability. This increase in scale has made the issue unavoidable for supervisory bodies (hence compliance obligations like NIS2 and DORA) and operational IT (forced by disruptions and migrations).
- Shift of security from the network and infrastructure layers (applications, directories, RBAC, firewalls and proxies) increasingly to the data layer (storage and transport). This process is accelerating because a larger proportion of the data is stored in separate files, instead of a logical collection in applications and databases. Since we don’t know exactly what and/or where these ‘unstructured’ data are or where they are located (and thus can’t quantify the risks), we must reinforce the generic security safety nets: we encrypt the locations where the data are stored (‘data at rest’, or the file system) and those they move through (the network, or ‘data in transit’). More complexity.The security industry also promises futuristic encryption of ‘data in use’, sometimes in combination with encryption at the level of the individual file; in DLP, enclaves, and above all the ‘Sovereign Cloud – to keep foreign intelligence services and Big Tech from spying on us. They also like to talk about C2PA – new crypto for proving the authenticity of digital content; a logical solution in the time of deepfakes and AI disinformation. This sounds complicated and it is: it guarantees extra complexity that your organization will have to deal with.
- Overdue maintenance. We’re currently going through the transition from the first generation of cryptographic technology (from around 2000) to the introduction of the second generation (starting around 2015, yet far from finished today, in 2024). The transition has been slow, because it’s excruciatingly difficult and we’re already beginning the first migrations to the third generation of crypto. This third generation mainly involves short-term encryption keys and more modern ‘Post Quantum’ algorithms. Talk about complicated: the looming breakthrough of Quantum computers makes it feasible to crack the keys for older algorithms, so we’ll basically have to replace everything we use today with the new Post Quantum cryptography.
Oh Boy.
Getting a grip on crypto
Not everyone has come around to the insight that managing and mastering the use of cryptography (‘Crypto transparency’) is an absolute necessity for any meaningful application of cryptography in security. To put it bluntly: if you get the cryptography wrong, you probably break the security of what you are doing. It’s often presented as a low-maintenance technology, especially by the tooling salespeople. But the security it provides is actually the result of the safe handling of keys and the correct organization of processes and systems. As the scale increases and finds ever-wider applications, a thorough understanding of the technology is vital. And that requires a creative and specialized team that can improvise. Unfortunately, only the really big organizations have enough scale to handle that. The rest needs to work with a long-term supplier, that has such a team.
This is the core value that underlies our cryptography services: serving as a sparring partner for innovation and growth, with a clear and familiar process organization, supported with suitable process automation.
Our approach
Getting a grip on cryptography within an organization demands a structural approach. In our experience, that approach consists of Discovery, Onboarding (taking control), and Governance (good management).
Discovery
Without insight into where you use crypto (and where you don’t yet, but should be), you won’t be able to field to an adequate, contemporary security, much less maintain it. Discovery is a hybrid process between a technical scan of your own network, requesting the customized internet services (provided by the world of OSINT), interviewing IT specialists and suppliers, and analyzing designs. Discovery helps you determine:
- Where you use crypto – and how.
- Where you don’t use crypto – but should, based on your security policy[1] and architecture principles.
Onboarding
Onboarding involves the various steps you take using what you find during Discovery. Depending on what you find, that may include registration (in asset management), inclusion in monitoring, in continuity planning, initiating improvements, or adding cryptography – all steps that are included in security management. Onboarding consists of the following steps:
- Inclusion in the asset inventory – the CMDB, with the status (in use/in management (or not)/should use crypto, but don’t (or using it incorrectly), plus the date of inclusion.
- Filling in the basic data.
- The budgetary owner: who pays?
- The responsible administrator (and organization): who maintains?
- The function of the system (landscape): who and what uses?
- Complete administration and remediate weaknesses.
- Correction of defects and omissions
- Monitoring & regular inspections.
- Automate, where profitable and feasible.
- Allocating expenses.
Ideally, you wouldn’t need Discovery, because the correct organization of the use of cryptographic resources is embedded in the IT tools creation process. But in the real world … That’s usually not the case. Which is why you need Discovery.
Within larger organizations, the rapid increase in workloads means there is no way around using a factory-line approach, even in the short term. There’s no time to lose in optimizing this process. Setting a standard for Onboarding is a good place to start.
Governance: keeping a grip
In technology’s turbulent state today, the most important thing is to stay relevant for the customer organization by offering suitable products, robust services, and the right future-proof support. The term for that today is ‘Crypto agility’: the ability to move with the current of new developments through anticipation, planning and expertise.
Getting a grip on cryptography – and keeping it – involves every level of service:
The CA landscape level
The most familiar PKI customers have existing Certificate Authorities (CAs), both internal and public. The former serves the internal namespace – the LAN- and is often a ‘side job’ for IT. The latter deals with certificates procured for the internet and is contracted out. But that doesn’t automatically mean that it’s done well, nor is it always secure. Often, departments and projects do it on the side. They call that ‘best effort’, which means that sometimes it turns out fine.
But most of the time, it doesn’t.
The internal CA is responsible for consolidating, embedding, and improving where necessary. Replacement is only needed when improvement is no longer feasible, the end of the economic service life approaches, or the supplier stops offering support. Consolidating into a single infrastructure may be a good plan, but too often it’s seen as an end, rather than a means. It may be more practical to give the different CAs a single front end in a portal. That can be a separate site, but you could also consider making it part of an Identity Governance application or a helpdesk portal.
The RA facilities level
We sometimes refer to the process side of cryptography as the Registration Authority (RA), and to the field as Certificate Governance. The RA is where Security, IT and the Business come together for day-to-day operations – where keys are requested and issued, and where the necessary authorizations are processed in an online workflow (request and attestation), if possible.
The back end of the RA should be automated as much as possible. That means after a client system is onboarded, the cryptographic keys should be replaced automatically and on time. That saves a lot of time and effort, especially now that the keys are valid for shorter and shorter periods. Unfortunately, this integration doesn’t happen on its own, so it should be a standard step in the Onboarding process. Support for the available protocols is becoming more and more common, but it certainly isn’t standard practice now. The cryptographic service will have to take on its share of the workload in this area.
A fixed element of the Onboarding process involves organizing the monitoring service (red and blue teams from both IT and Security) for the crypto user. That way you can keep a structural eye on current usage, notify users when certificates that are not renewed automatically are about to expire, and revoke certificates and access to specialist knowledge to support SOC analysts.
And finally – especially with regard to NIS2 – Onboarding allocates the cryptography user to Disaster Recovery and Emergency Management. That naturally applies to both the core internal systems (CA and RA) and the linked clients. This is far from trivial; certificates grant privileged access to systems like APIs, RDP and SSH, but they are seldom top-of-mind among many security professionals, so that makes them a primary target of attacks. It’s therefore vital for you to implement effective emergency procedures, maintain them, and test them.
Conclusion
It’s clear that we have a lot of work ahead of us. So, make a plan, select an effective owner, and brace yourself: this is a tough job, and you’re sure to pull a lot of skeletons out of the closet along the way. But there’s no way around it and putting it off today will only make it more urgent tomorrow.
If you need help, please don’t hesitate to reach out!