Imagine: You just learned that an encryption algorithm or protocol has been cracked. You immediately wonder if you are using that algorithm to protect sensitive assets and, if so, how long it would take to change it. This is not a far-fetched scenario and, unfortunately, few organizations are in a position to quickly switch from one cryptographic scheme to another. In other words, they lack crypto agility, the ability to quickly migrate technologies. This gap could leave organizations exposed to potential risks concerning their critical assets.
Cryptographic algorithms are considered safe — until they are not. Ten years after organizations were asked to migrate from SHA-1 to SHA-2, according to a Venafi report, more than 20 percent of organizations still had not done so. According to another study by the same firm, one year after the Heartbleed OpenSSL vulnerability, 74 percent of Global 2,000 firms had still not fully patched the vulnerability.
Is this a risk situation your organization can afford to face?
What’s Driving the Need for Improved Crypto Agility?
Given these challenges, it’s easy to see how organizations could benefit from becoming more cryptographically agile. Here are some other factors that are driving the need to improve crypto agility:
- Encryption algorithms and protocols can be unexpectedly cracked, necessitating a migration to alternative algorithms.
- Data protection regulations and industry standards may require using new crypto algorithms.
- Interacting with other entities may require the adoption of alternative encryption algorithms.
- Advancements in cryptanalysis may necessitate migrating crypto implementations.
- Future advancements in quantum computing leading to improved factorization capabilities to crack public-key schemes, and more.
Taking Stock of Existing Encryption Algorithms
To determine the level of effort required to migrate cryptographic deployments, it’s critical to understand how and what type of cryptography is currently deployed. Software implementations provide the most agility, while hardware implementations result in the least agility.
There are multiple dimensions to crypto agility: algorithm agility, protocol agility, platform agility, implementation agility and retirement agility. Each of these needs to be thoroughly explored to determine potential impacts from each dimension and potential ramifications if they are not executed properly.
Cryptography plays a vital role in protecting the organization’s most valuable assets. However, it’s a mistake to assume that current cryptography deployments will be secure forever. That’s why you need a crypto agility plan in the event that current crypto protection measures become susceptible to attacks.
How to Start Developing a Crypto Agility Plan
What exactly is a crypto agility plan, and how do you get started? A crypto agility plan is a strategy that defines what actions the firm must complete to quickly switch crypto schemes. Organizations looking to develop such a plan should start with the following steps:
- Create an inventory of cryptographic implementations.
- Identify the types of encryption algorithms used as well as key lengths.
- Identify how cryptography is implemented — e.g., software, hardware, scripts.
- Review how cryptographic functions are utilized — e.g., callable via application programming interfaces (APIs).
- Define a layer of abstraction for new crypto implementations where crypto is accessed via a new interface that allows swapping of crypto schemes.
- Create a prioritized list of systems to update.
Critical data protection is no longer just an IT security issue, but a board issue. It is everyone’s job to make sure business leaders have the insight they need to protect the business. A crypto agility plan can help minimize panic and chaos should the need arise to quickly switch crypto schemes.