Imagine: You just learned that an encryption algorithm or protocol has been cracked. You immediately wonder if you are using that algorithm to protect sensitive assets and, if so, how long it would take to change it. This is not a far-fetched scenario and, unfortunately, few organizations are in a position to quickly switch from one cryptographic scheme to another. In other words, they lack crypto agility, the ability to quickly migrate technologies. This gap could leave organizations exposed to potential risks concerning their critical assets.

Cryptographic algorithms are considered safe — until they are not. Ten years after organizations were asked to migrate from SHA-1 to SHA-2, according to a Venafi report, more than 20 percent of organizations still had not done so. According to another study by the same firm, one year after the Heartbleed OpenSSL vulnerability, 74 percent of Global 2,000 firms had still not fully patched the vulnerability.

Is this a risk situation your organization can afford to face?

What’s Driving the Need for Improved Crypto Agility?

Given these challenges, it’s easy to see how organizations could benefit from becoming more cryptographically agile. Here are some other factors that are driving the need to improve crypto agility:

  • Encryption algorithms and protocols can be unexpectedly cracked, necessitating a migration to alternative algorithms.
  • Data protection regulations and industry standards may require using new crypto algorithms.
  • Interacting with other entities may require the adoption of alternative encryption algorithms.
  • Advancements in cryptanalysis may necessitate migrating crypto implementations.
  • Future advancements in quantum computing leading to improved factorization capabilities to crack public-key schemes, and more.

Taking Stock of Existing Encryption Algorithms

To determine the level of effort required to migrate cryptographic deployments, it’s critical to understand how and what type of cryptography is currently deployed. Software implementations provide the most agility, while hardware implementations result in the least agility.

There are multiple dimensions to crypto agility: algorithm agility, protocol agility, platform agility, implementation agility and retirement agility. Each of these needs to be thoroughly explored to determine potential impacts from each dimension and potential ramifications if they are not executed properly.

Cryptography plays a vital role in protecting the organization’s most valuable assets. However, it’s a mistake to assume that current cryptography deployments will be secure forever. That’s why you need a crypto agility plan in the event that current crypto protection measures become susceptible to attacks.

How to Start Developing a Crypto Agility Plan

What exactly is a crypto agility plan, and how do you get started? A crypto agility plan is a strategy that defines what actions the firm must complete to quickly switch crypto schemes. Organizations looking to develop such a plan should start with the following steps:

  1. Create an inventory of cryptographic implementations.
  2. Identify the types of encryption algorithms used as well as key lengths.
  3. Identify how cryptography is implemented — e.g., software, hardware, scripts.
  4. Review how cryptographic functions are utilized — e.g., callable via application programming interfaces (APIs).
  5. Define a layer of abstraction for new crypto implementations where crypto is accessed via a new interface that allows swapping of crypto schemes.
  6. Create a prioritized list of systems to update.

Critical data protection is no longer just an IT security issue, but a board issue. It is everyone’s job to make sure business leaders have the insight they need to protect the business. A crypto agility plan can help minimize panic and chaos should the need arise to quickly switch crypto schemes.

Register for the webinar to learn more

More from Data Protection

Heads Up CEO! Cyber Risk Influences Company Credit Ratings

4 min read - More than ever, cybersecurity strategy is a core part of business strategy. For example, a company’s cyber risk can directly impact its credit rating. Credit rating agencies continuously strive to gain a better understanding of the risks that companies face. Today, those agencies increasingly incorporate cybersecurity into their credit assessments. This allows agencies to evaluate a company’s capacity to repay borrowed funds by factoring in the risk of cyberattacks. Getting Hacked Impacts Credit Scoring As per the Wall Street Journal…

4 min read

IBM Security Guardium Ranked as a Leader in the Data Security Platforms Market

3 min read - KuppingerCole named IBM Security Guardium as an overall leader in their Leadership Compass on Data Security Platforms. IBM was ranked as a leader in all three major categories: Product, Innovation, and Market. With this in mind, let’s examine how KuppingerCole measures today’s solutions and why it’s important for you to have a data security platform that you trust. The Transformation of the Data Security Industry As digital transformation continues to expand, the impact it has had on enterprises is very apparent when…

3 min read

SaaS vs. On-Prem Data Security: Which is Right for You?

2 min read - As businesses increasingly rely on digital data storage and communication, the need for effective data security solutions has become apparent. These solutions can help prevent unauthorized access to sensitive data, detect and respond to security threats and ensure compliance with relevant regulations and standards. However, not all data security solutions are created equal. Are you choosing the right solution for your organization? That answer depends on various factors, such as your industry, size and specific security needs. SaaS vs. On-Premises…

2 min read

Understanding the Backdoor Debate in Cybersecurity

3 min read - The debate over whether backdoor encryption should be implemented to aid law enforcement has been contentious for years. On one side of the fence, the proponents of backdoors argue that they could provide valuable intelligence and help law enforcement investigate criminals or prevent terrorist attacks. On the other side, opponents contend they would weaken overall security and create opportunities for malicious actors to exploit. So which side of the argument is correct? As with most debates, the answer isn't so…

3 min read