For many years — almost since the beginning of secure internet communications — data security professionals have had to face the challenge of using certificates, the mechanism that forms the basis of Transport Layer Security (TLS) communications. Certificates facilitate secure connections to websites (represented by the “s” in “https”), and are a core component of verifying the identity of servers, machines, internet of things (IoT) devices, users and access points — and that is just the beginning of a long list of occasions where we use and depend on certificates.

Certificates, encryption keys and the algorithms that they employ to protect data are part of a growing area of discussion: cryptographic risk, also known as crypto-risk.

What Is Crypto-Risk?

Crypto-risk is a metric used to represent how well our data is protected by cryptographic means. To put it in context, experts use “data risk” to represent unmanaged or unprotected sensitive data, and they use “platform risk” or “infrastructure risk” to represent the unmanaged vulnerabilities of a computer, the physical location where it resides or the security of its operating system.

In order to evaluate those risk metrics, organizations use a variety of tools to discover everything from unprotected sensitive data, such as Social Security numbers or credit card information, to unpatched vulnerabilities in their operating systems and applications. Many organizations do not, however, have an effective set of tools for measuring how well their data is protected by encryption. In other words, there is not currently an adequate method of measuring crypto-risk.

To move the science of data security forward, it is important to create a standard for determining crypto-risk — one that accounts for all factors that contribute to the vulnerability of encrypted data. This could include a set of criteria based on answers to questions such as:

  • What algorithm is used to provide integrity (e.g., MD5, SHA-1, SHA-256, SHA-3, etc.)?
  • What key lengths for encryption are being used to protect your data and are they consistent across your enterprise (e.g., AES-128, AES-256, etc.)?
  • What algorithm is used for the digital signature on your company’s PGP keys or certificates (e.g., SHA-1, SHA-256, etc.)?
  • When is your certificate due to expire (e.g., December 31 at midnight)?
  • Who issued your certificate, how is it being validated and can it be (or has it been) revoked?
  • What cryptographic libraries or software are currently installed on your organization’s systems and applications? Are they sufficient to protect the data?

These questions will be numerous — just like the questions about malware and event management — but knowing the answers will help organizations understand how to consistently use and manage their cryptographic assets and continually assess how effective those assets are at protecting the organization’s data.

“The Quantum Computers Are Coming! The Quantum Computers Are Coming!”

The industry is already a step behind when it comes to defining and measuring crypto-risk, but the story doesn’t end there. As we cross a new threshold of computing power, security teams will face greater challenges when it comes to encryption. The quantum age, the next generation of computing, promises to solve problems that cannot realistically be tackled by traditional binary computers.

One of the anticipated capabilities of quantum computers is that they will efficiently implement Shor’s Algorithm and Grover’s Algorithm, which can be used to crack encryption keys in far less time than traditional computing methods. When quantum computers reach the point where they can implement these algorithms and be acquired by consumers for a reasonable price, we will see a rise in malicious actors’ ability to erode the strength of existing symmetric algorithms like AES and effectively nullify existing asymmetric algorithms that are commonly in use today, such as RSA or ECC.

Fortunately, we have not yet reached that critical juncture. In fact, we do not yet have a quantum computer with the strength necessary to nullify even an RSA key. It is hard to say when we will reach that point, though some of our leading researchers believe it could be only two decades away.

The good news is that the National Institute of Standards and Technology (NIST) has already embarked on an effort to introduce new, quantum-resistant encryption algorithms. These post-quantum cryptography (PQC) algorithms promise to be resistant to the power of quantum computers.

IBM is working with NIST on evaluating two algorithms as part of its CRYSTALS project with the hope that we see acceptance and standardization of these new algorithms within just a few short years. Such a development would give data security professionals new ways to protect our critical data, even archived data, using encryption algorithms that can withstand the power of next-generation computers.

The Crypto-Risks of Today

Even without the risk posed by the advent of quantum computing, other cryptographic risks still exist that need to be addressed immediately. These include those simple but persistent problems of using obsolete encryption algorithms, short encryption keys and certificates that are of unknown origin or pending expiry. If those risks go undetected and unmanaged, they represent an immediate and present threat to the data protection and business continuity of your organization.

Microsoft and Let’s Encrypt recently highlighted how certificate mismanagement can detrimentally impact business continuity. There is no excuse for us to continue to fumble the ball when we know that the problem is only going to get more complicated as we move ahead. Consider the actions taken by Apple to actively block certificate trust for any certificate over a year old, or the attempt by hackers to infect enterprises’ computers through the display of fake certificate security alerts, taking full advantage of organizations’ disorganized certificate management.

These efforts show that mismanagement (or no management) of cryptographic assets, such as certificates, keys, algorithms and libraries, is of critical importance and can not only negatively impact business continuity, but also create opportunities for malicious actors to find ways to compromise enterprise data security.

These threats represent crypto-risk. Crypto-risk is a risk to all enterprises today and it must be addressed.

Strengthen the Data Security Chain

The door is locked and chained on data security, but the lock is old and the chain is rusty — and only as strong as its weakest link. When an enterprise’s data is at risk, it is incumbent on the data security team to measure the strength of each link and take action to fortify the entire chain.

When it comes to encryption, we have many moving parts: algorithms, varying key sizes, certificates, asymmetric key pairs, symmetric keys, key rotation, key derivation — the list goes on. In order to get a handle on crypto-risk, there needs to be a way to show, in a simplified, combined view, the totality of encryption-related risk. Without a way to measure that crypto-risk, there is no way security teams are going to be able to manage it.
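The questions listed under “What Is Crypto-Risk?” and the combined view described above can be sketched as a check over a cryptographic asset inventory. This is an added example, not code from the article; the policy thresholds, the issuer name, the finding labels and the inventory records are constructed assumptions.

```python
from datetime import date

# Assumed policy values (not from the article); set them from your own standard.
WEAK_HASHES = {"MD5", "SHA-1"}
MIN_KEY_BITS = {"RSA": 2048, "ECC": 256, "AES": 128}
EXPIRY_WARN_DAYS = 30
TRUSTED_ISSUERS = {"Example Internal CA"}  # constructed name
# Constructed records standing in for the output of a discovery scan.
INVENTORY = [
    {"asset": "web-01 cert", "algo": "RSA", "bits": 2048, "sig_hash": "SHA-256",
     "issuer": "Example Internal CA", "expires": date(2031, 1, 1)},
    {"asset": "legacy-vpn cert", "algo": "RSA", "bits": 1024, "sig_hash": "SHA-1",
     "issuer": "unknown", "expires": date(2030, 6, 10)},
    {"asset": "db-backup key", "algo": "AES", "bits": 128, "sig_hash": None,
     "issuer": None, "expires": None},
    {"asset": "file-share key", "algo": "AES", "bits": 256, "sig_hash": None,
     "issuer": None, "expires": None},
]

def assess(record, today):
    """Return the findings for one cryptographic asset."""
    findings = []
    if record["sig_hash"] in WEAK_HASHES:
        findings.append("obsolete-hash")
    if record["bits"] < MIN_KEY_BITS[record["algo"]]:
        findings.append("short-key")
    if record["algo"] in ("RSA", "ECC"):
        findings.append("quantum-exposed")  # asymmetric, per the article
    if record["issuer"] is not None and record["issuer"] not in TRUSTED_ISSUERS:
        findings.append("unknown-issuer")
    if record["expires"] is not None:
        days_left = (record["expires"] - today).days
        if days_left < 0:
            findings.append("expired")
        elif days_left <= EXPIRY_WARN_DAYS:
            findings.append("expiring-soon")
    return findings

def combined_view(inventory, today):
    """Map each asset to its findings; flag inconsistent AES key lengths."""
    view = {r["asset"]: assess(r, today) for r in inventory}
    aes_sizes = {r["bits"] for r in inventory if r["algo"] == "AES"}
    if len(aes_sizes) > 1:
        view["enterprise"] = ["inconsistent-aes-key-lengths"]
    return view

if __name__ == "__main__":
    for asset, findings in combined_view(INVENTORY, date(2030, 6, 1)).items():
        print(f"{asset}: {', '.join(findings) or 'ok'}")
```

The evaluation date is passed in rather than read from the clock so the same inventory can be re-scored for any planning horizon.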
