Imagine: You just learned that an encryption algorithm or protocol has been cracked. You immediately wonder if you are using that algorithm to protect sensitive assets and, if so, how long it would take to change it. This is not a far-fetched scenario and, unfortunately, few organizations are in a position to quickly switch from one cryptographic scheme to another. In other words, they lack crypto agility, the ability to quickly migrate technologies. This gap could leave organizations exposed to potential risks concerning their critical assets.

Cryptographic algorithms are considered safe — until they are not. Ten years after organizations were asked to migrate from SHA-1 to SHA-2, according to a Venafi report, more than 20 percent of organizations still had not done so. According to another study by the same firm, one year after the Heartbleed OpenSSL vulnerability, 74 percent of Global 2,000 firms had still not fully patched the vulnerability.

Is this a risk situation your organization can afford to face?

What’s Driving the Need for Improved Crypto Agility?

Given these challenges, it’s easy to see how organizations could benefit from becoming more cryptographically agile. Here are some other factors that are driving the need to improve crypto agility:

  • Encryption algorithms and protocols can be unexpectedly cracked, necessitating a migration to alternative algorithms.
  • Data protection regulations and industry standards may require using new crypto algorithms.
  • Interacting with other entities may require the adoption of alternative encryption algorithms.
  • Advancements in cryptanalysis may necessitate migrating crypto implementations.
  • Future advancements in quantum computing leading to improved factorization capabilities to crack public-key schemes, and more.

Taking Stock of Existing Encryption Algorithms

To determine the level of effort required to migrate cryptographic deployments, it’s critical to understand how and what type of cryptography is currently deployed. Software implementations provide the most agility, while hardware implementations result in the least agility.

There are multiple dimensions to crypto agility: algorithm agility, protocol agility, platform agility, implementation agility and retirement agility. Each of these needs to be thoroughly explored to determine potential impacts from each dimension and potential ramifications if they are not executed properly.

Cryptography plays a vital role in protecting the organization’s most valuable assets. However, it’s a mistake to assume that current cryptography deployments will be secure forever. That’s why you need a crypto agility plan in the event that current crypto protection measures become susceptible to attacks.

How to Start Developing a Crypto Agility Plan

What exactly is a crypto agility plan, and how do you get started? A crypto agility plan is a strategy that defines what actions the firm must complete to quickly switch crypto schemes. Organizations looking to develop such a plan should start with the following steps:

  1. Create an inventory of cryptographic implementations.
  2. Identify the types of encryption algorithms used as well as key lengths.
  3. Identify how cryptography is implemented — e.g., software, hardware, scripts.
  4. Review how cryptographic functions are utilized — e.g., callable via application programming interfaces (APIs).
  5. Define a layer of abstraction for new crypto implementations where crypto is accessed via a new interface that allows swapping of crypto schemes.
  6. Create a prioritized list of systems to update.

Critical data protection is no longer just an IT security issue, but a board issue. It is everyone’s job to make sure business leaders have the insight they need to protect the business. A crypto agility plan can help minimize panic and chaos should the need arise to quickly switch crypto schemes.

Register for the webinar to learn more

More from Data Protection

Transitioning to Quantum-Safe Encryption

With their vast increase in computing power, quantum computers promise to revolutionize many fields. Artificial intelligence, medicine and space exploration all benefit from this technological leap — but that power is also a double-edged sword. The risk is that threat actors could abuse quantum computers to break the key cryptographic algorithms we depend upon for the safety of our digital world. This poses a threat to a wide range of critical areas. Fortunately, alternate cryptographic algorithms that are safe against…

How Do You Plan to Celebrate National Computer Security Day?

In October 2022, the world marked the 19th Cybersecurity Awareness Month. October might be over, but employers can still talk about awareness of digital threats. We all have another chance before then: National Computer Security Day. The History of National Computer Security Day The origins of National Computer Security Day trace back to 1988 and the Washington, D.C. chapter of the Association for Computing Machinery’s Special Interest Group on Security, Audit and Control. As noted by National Today, those in…

Resilient Companies Have a Disaster Recovery Plan

Historically, disaster recovery (DR) planning focused on protection against unlikely events such as fires, floods and natural disasters. Some companies mistakenly view DR as an insurance policy for which the likelihood of a claim is low. With the current financial and economic pressures, cutting or underfunding DR planning is a tempting prospect for many organizations. That impulse could be costly. Unfortunately, many companies have adopted newer technology delivery models without DR in mind, such as Cloud Infrastructure-as-a-Service (IaaS), Software-as-a-Service (SaaS)…

Millions Lost in Minutes — Mitigating Public-Facing Attacks

In recent years, many high-profile companies have suffered destructive cybersecurity breaches. These public-facing assaults cost organizations millions of dollars in minutes, from stock prices to media partnerships. Fast Company, Rockstar, Uber, Apple and more have all been victims of these costly and embarrassing attacks. The total average cost of a data breach has increased by 2.6% since 2021 and is now $4.35 million. Organizations that don't deploy zero trust security models also incur an average of $1 million more in…