Table of Contents

Often in the cybersecurity field, encryption algorithms are broken or deemed to be too weak, and so the industry standards shift to a new algorithm. This switch can damage existing hardware that previously relied upon the deprecated encryption algorithm, unless that security system is cryptographically agile. Cryptographic agility refers to the ability of security hardware to change to a new algorithm, as per industry standards, without the need to rewrite applications or deploy new hardware systems.

Crypto-agility comes about when an infrastructure has such complete control over their cryptographic operations that a change to those operations will not impact the day to day functions of the hardware in any way. As time has gone on, computer systems have become more complicated, as have encryption algorithms and attackers methods of attacks, in turn. Since attackers are learning to break algorithms, new ones must be devised regularly. Thus, crypto-agility has become a necessity with newly developed hardware systems.

Why is Crypto-Agility Important?

As previously mentioned, attackers breaking encryption algorithms is one of the main reasons those algorithms are replaced. Attackers are discovering new ways to crack secure algorithms used every day. In 2018, the National Institute of Science and Technology (NIST) released a guideline that brought attention to the fact that the Sweet32 vulnerability was used to make the encryption algorithm 3DES insecure. 3DES is used in the financial sector by most companies, so changing from 3DES to a new encryption algorithm could break the hardware used in the financial sector, if it is not cryptographically agile. As time goes on, vulnerabilities are bound to be found in all types of encryption, so crypto-agility will continue to grow in most organization’s hardware devices.

Another reason to ensure an IT infrastructure is cryptographically agile is because of the emergence of quantum computing. Quantum computing is an emerging side of computer science that is being more and more heavily researched each year, as quantum computing has the potential to be able to render all classical computing cryptosystems useless. Quantum computing will continue to grow for the foreseeable future, and so certain crypto-agility techniques must be implemented. Future computing systems will need to be able switch between multiple encryption algorithms, as opposed to just one, to combat quantum computing.

How to achieve and maintain Crypto-Agility

The most important part of creating cryptographically agile hardware systems is by planning for it at the beginning. When the designs for your security systems are initially made, ensure that crypto-agility is one of the main requirements. This will ensure that the cryptographic agility of the hardware is being monitored at all times. With existing systems, there is software that exists that can implement crypto-agility, as recreating the systems from the bottom up is not feasible.

Another method to achieve crypto-agility is by implementing policies that tell employees the proper procedures to follow to reach and maintain crypto-agility. These policies should be detailed, but not too technical, to allow employees from any sector to be able to understand the policies. The policies should also be clear and enforce the use of the most up-to-date cryptography methods. Everyone within the organization should be trained in the use of all policies, especially crypto-agility related ones. These policies should be where the role-based access controls are discussed as well.

IT security teams should train the different sectors of the company on the responsibilities of that sector to help reach the goal of crypto-agility. The sector responsibilities for all parts of the organization should include maintaining an accurate inventory of crypto assets, noting the current access level of each member of the sector, and keeping track of who owns what data. This will assist IT security team members in maintaining crypto-agility throughout the organization.

Public Key Infrastructures (PKIs) are another great method to attaining crypto-agility. A PKI deals with the management of certificates and keys, and automates the replacement, creation, and rotation of keys and certificates. This removes the issue of human error from the management of keys and certificates. You also gain control over the Chain of Trust and Certificate Authorities (CAs) utilized in the PKI, gaining your organization the ability to have even more control over the encryption of data.

The following best practices will help reinforce the methods used to attain crypto-agility:

  • Automation of management and tracking in as many sectors as possible
  • Maintain strong visibility of all processes, assets, and user-usage throughout the organization
  • Identify and fix vulnerabilities before data can be stolen or compromised
  • Update with the patches for hardware and software as often as possible, to remain up-to-date on security breaches
  • Ensure the ability to test and replace current encryption algorithms with newly created algorithms is available
  • Replace keys and certificates as soon as necessary
  • Keep up with the most current encryption algorithms available

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download
Encryption Services

About the Author

President at Encryption Consulting LLC focusing on providing consulting to customers in the Applied Cryptography space.

Data protection is now one of the most critical and perhaps number one priorities for organizations. With data breaches at an all-time high and new regulations such as GDPR and likes of it coming into force, organizations are now focusing on the Data-Centric Security approach. As such Encryption is one of the oldest yet one of the most effective technology solutions that can enable organizations to achieve Data-Centric Security.

The two main drivers for encryption are.

Compliance

  • EU GDPR
  • PCI-DSS
  • HIPPA/HIPPA HITECH
  • NYDFS

Risk Reduction

  • Big Data Lakes
  • Cloud Platforms
  • Analytics involving sensitive data

The journey of encrypting data follows a thorough process that consists of:

  • Classification
  • Discovery
  • Protection
  • Enforcement
  • Monitoring

While Encryption has been in use for centuries, its application depends on the context of information being processed and the relevant business requirement. As such while it may sound easy Encryption has its own set of challenges that should be taken care of while designing an Encryption solution. At Encryption Consulting we understand these challenges

1. Data Discovery:

The first and foremost action for an organization is to locate their sensitive and critical data that requires Encryption which is achieved through means of data discovery and assessment.

Manual Approach

  • Discussing with business stakeholders and Data custodians

Tool Based

  • Selecting and deploying Data discovery tools for structured, unstructured, and semi-structured data stores

2. Key Management: Cloud or On-Premise

Key management is one of the most critical components of Encryption. It is very important to carefully identify and design best approach suited for your needs

Key Security

  • Ensuring Secure keys with constant protection
  • Not allowing access of keys to cloud administrators

Controlling keys as the Customer

  • If a customer deletes its key, then data will be removed as well
  • Maintaining on-premise control of key

Confinement of Key

  • Utmost dedication to the key management platform
  • Never allowing key swaps

Key Rotation

  • Avoid over-use of the key which permits vulnerability
  • Re-keying data with a new key to creating a new key

3. Querying Encrypted Data:

Quite often is required to search and index encrypted data stored on-premise or in the cloud. This is a big concern for organizations since this might involve decrypting data many often and thus increasing the opportunity for a hacker to get access to decrypted data. Additionally, frequent decryption can increase the demand for system resource requirements and time.

4. Performance Overhead

Whenever data is encrypted, a performance overhead is associated with encryption. The amount of data encrypted may cause a slowdown for systems.

5. Encryption Algorithm and Key Length

Another important aspect of Encryption is the selection of the Encryption algorithm & Key Length. While selecting a higher key length can enhance Security and reduce risks of Key compromise it can cause performance impact as a higher key length will consume more resources and time. Thus a careful understanding of throughput and business needs should be evaluated for the selection of the Encryption algorithm and Key length

6. Challenges of Encryption Program Management:

When deciding on which type of encryption is best for your organization, the challenges organizations face with encryption program management are:

Planning

  • Meeting set requirements and compliances
  • Assess products/vendors available
  • Confirmation of product/vendor

Building

  • Creating and tuning a secure environment
  • Plan for system integration

Integrating

  • Set Formal Policies
  • Formatting of Data
  • Conduct Performance Test
  • Launch Application

We at Encryption Consulting can help our customers plan and design the most suitable Encryption option for securing your data irrespective of where they are stored and without compromise on business performance or user experience.

Contact us at info@encryptionconsulting.com

Free Downloads

Datasheet of Encryption Consulting Services

Encryption Consulting is a customer focused cybersecurity firm that provides a multitude of services in all aspects of encryption for our clients.

Download
Encryption Services

About the Author

President at Encryption Consulting LLC focusing on providing consulting to customers in the Applied Cryptography space.

Let's talk