Dr. Taher Elgamal | Egyptian cryptographer and entrepreneur
Cryptography has been the backbone of security in our digital world, and it continues to grow in importance as more services, capabilities, and in fact, our lives become ever more digital. Not only does it increase in importance, but almost every day we see a new article about another breach. Hospitals, retail stores, large businesses - all are under a constant threat of some form of attack to exfiltrate data or for some other nefarious purposes.
A new threat has been growing. Indeed, we’ve seen the large, complex undertaking with just a small sample of this threat when those attacks we read about are successful. I am, of course, referring to the foundation of all digital security. The basis on which all security models are based: that cryptography used to protect our data, our services, and our digital lives, is in fact secure. Imagine if cryptography is broken.
In the past, we’ve allowed our software providers to include the relevant security packages and we’ve relied on them to implement these into the services we consume. Now we have enough data to know about hidden risks that weren’t immediately obvious. In addition, new proprietary cryptography methods are being invented, developed, and used. As we deploy next generation solutions, including quantum resilient cryptographic algorithms, does it make sense to continue to only rely on our vendors and providers to upgrade, implement, and secure the software we use?
Unraveling the past to bring clarity to the future
We are on the brink of a transition, one which will take significant time, and one which I believe has to start with an understanding of what is in use today. For example, what are the standards that are in place now? I think we’ve all experienced the pain moving from past failed algorithms such as MD5 or SHA-1. Some of you may still be using these today and not even know! These are some of the problem areas that need to be resolved within to bring about enhanced security and implement upcoming changes to cryptography.
It’s hard to think of an area of your business that isn’t touched by cryptography. From data in transit with TLS, SSH, IPSEC… cryptography is built into our load balancers, browsers, and servers. It is also in the data at rest in our databases and storage array and even our applications, wallets, and enterprise services. Each one of these areas has been developed and delivered by different vendors or software packages that frequently lack scrutiny.
Today most of these services are secured by vendors using open source or other libraries that your enterprise may rarely manage or maintain despite the critical reliance on them. We continue this assumption that they are secure. There is very little support for customers or users of these systems to “trust but verify”.
The importance of crypto agility
Enterprises need to have more ownership of the management of their cryptography assets. We should all expect that any specific cryptographic method, library, or implementation could be found weak or broken. Even next generation protocols may already be vulnerable if we are to believe reports out of the news. As post-quantum continues to mature, we may find ourselves in situations where changing encryption technologies may be more frequent and rapid than previously ever anticipated.
Our technology implementations will need to be more agile to accommodate faster change. CISOs and Risk Officers in an enterprise need to take an active look into what cryptography solutions are in use today so they can respond to evolving threats. In the future, we can simplify that response with architected solutions designed to allow an enterprise to control the cryptography used that is designed to be agile and change with the evolving industry needs.
Looking to future-proof your organization with crypto agility?
Learn more about the importance of crypto agility in the Thales PQC e-book or take a look at our solutions in place today to help you get ready for PQC and bring crypto agility into your organization, allowing you to be flexible and prepared to adjust your cryptography with ease.