Cryptography is based on algorithms, which are mathematical equations developed to scramble plain text and make it unreadable until it’s decrypted at the other end.
Over time, these cryptographic algorithms change and evolve. However, until recently, most algorithms still relied on the math behind the RSA standards from over 40 years ago. The newest algorithms have been developed by the National Institute of Standards and Technology (NIST), which selected finalist encryption methods designed to withstand attacks from a quantum computer.
As computation changes and the RSA security algorithms become outdated, it’s important to address how to manage the migration to post-quantum cryptography (PQC) in the enterprise.
Since cryptography is a critical component of network security, it should be well-managed, but unfortunately, that’s not always the case.
In today’s cybersecurity landscape, security policies typically apply to objects such as networks, laptops, and desktops, as well as to anyone using operating systems through those objects. However, the cryptographic algorithms that form the very foundation of cybersecurity are not objects; they are built into every software program and every server or cloud infrastructure. In many cases, information security professionals are unaware of which algorithms are being used and where they are being used. RSA and post-quantum cryptography (PQC) algorithms will fail at some point, so it is critical for chief information security officers to establish a crypto-agility policy that addresses cryptographic security at the algorithm level, not just the certificate level.
At present, baseline cryptographic security focuses on managing certificate keys or user ID keys, and key-management platforms have some level of policy control. However, policies should also govern cryptographic algorithms, providing cryptographic agility for interchangeable algorithms, minimum standards, and cryptographic redundancies. For example, if a customer platform uses a defeated algorithm, a crypto-agility policy allows you to deploy a new algorithm to replace the failed one with a simple policy adjustment.
Enabling Secure and Resilient Cryptographic Infrastructure
Establishing a crypto-agility policy is more than just a software bug fix; it is about controlling security at the cellular level. It is also essential to address crypto policy management and to separate cryptography from the application layer so that it can be managed through risk-tolerant policy, similar to the way general-purpose SQL databases separate data storage from application logic.
Security policies typically apply to objects like networks, laptops, and desktops and their users, but the cryptographic algorithms that underpin cybersecurity are not objects; they are part of every software program across every server or cloud infrastructure. In most cases, security professionals are not even aware of which algorithms are in use or where. It’s crucial to establish a crypto-agility policy to manage security, mitigate risks and ensure a successful transition to the quantum era.
Baseline cryptographic security currently centers around the certificate level, but policy control should also cover cryptographic algorithms, enabling the use of interchangeable algorithms, minimum standards, and cryptographic redundancies. Establishing cryptographic agility means you can replace a failed algorithm quickly, and you know which algorithm is used where. A crypto governance policy should provide minimum standards for infrastructure, operating systems, services, and cloud vendors.
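The following sketch is an added example, not code from the original article or from any product. It shows application code that never names an algorithm, a policy adjustment that replaces a retired algorithm, and an inventory audit that reports where an algorithm below the minimum standard is still in use. The policy layout, purpose name, system names and key are constructed assumptions, and an HMAC tag stands in for whatever primitive the policy governs.

```python
import copy
import hmac

# Constructed policy: the purpose name and field names are assumptions.
POLICY = {"integrity-tag": {"active": "sha1", "allowed": ["sha1", "sha256"]}}

# Constructed inventory recording which algorithm is deployed where.
INVENTORY = [
    {"system": "billing-api", "purpose": "integrity-tag", "algorithm": "sha1"},
    {"system": "audit-log", "purpose": "integrity-tag", "algorithm": "sha256"},
]

def protect(policy, purpose, key, data):
    """Tag data with the algorithm the policy names; callers never pick one."""
    alg = policy[purpose]["active"]
    mac = hmac.new(key, data, digestmod=alg).hexdigest()
    return f"{alg}:{mac}"  # the algorithm id travels with the tag

def verify(policy, purpose, key, data, tag):
    """Accept a tag only if its algorithm still meets the policy minimum."""
    alg, _, mac = tag.partition(":")
    if alg not in policy[purpose]["allowed"]:
        return False  # retired or unknown algorithm: reject before computing
    expected = hmac.new(key, data, digestmod=alg).hexdigest()
    return hmac.compare_digest(expected.encode(), mac.encode())

def retire(policy, purpose, failed, replacement):
    """The policy adjustment: returns a new policy, application code unchanged."""
    new = copy.deepcopy(policy)
    entry = new[purpose]
    entry["allowed"] = [a for a in entry["allowed"] if a != failed]
    if replacement not in entry["allowed"]:
        entry["allowed"].append(replacement)
    entry["active"] = replacement
    return new

def audit(policy, inventory):
    """Report where an algorithm below the policy minimum is still in use."""
    return [(i["system"], i["algorithm"]) for i in inventory
            if i["algorithm"] not in policy[i["purpose"]]["allowed"]]

if __name__ == "__main__":
    key, msg = b"constructed-demo-key", b"invoice 1001"
    old_tag = protect(POLICY, "integrity-tag", key, msg)
    updated = retire(POLICY, "integrity-tag", "sha1", "sha256")
    print(protect(updated, "integrity-tag", key, msg).split(":")[0])
    print(verify(updated, "integrity-tag", key, msg, old_tag))
    print(audit(updated, INVENTORY))
```

Data tagged under the retired algorithm stops verifying once the policy changes, so the audit output is the list of systems that need re-tagging before the adjustment is enforced.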
Demand crypto governance and controls of your vendors, encourage collaboration, and create backup plans. It is essential to eliminate single points of failure in cryptography. Policy-driven enterprise crypto management platforms and crypto-agility working groups can future-proof data and communication networks, keeping organizations more secure.