CSO Insights: 4 Reasons Why You Can’t Ignore Crypto-Agility

Insights from Chief Security Officer, Chris Hickman, on the 2019 Keyfactor-Ponemon Institute Report: The Impact of Unsecured Digital Identities

Cybersecurity never stands still. As threats evolve with each passing day, even the most sophisticated preventative controls will not stop every attack.

For this reason, businesses in ever-increasing numbers are shifting their focus from prevention and protection to effective threat response.

Public key infrastructure (PKI) is a cornerstone in any enterprise cybersecurity strategy. Keys and digital certificates live virtually everywhere, delivering cryptographic protection for nearly all of the hardware and software we use every day.

But despite a shift toward effective response, PKI doesn’t get the same attention as other cybersecurity tools in the enterprise. Even so, the same principle applies, and a recent barrage of crypto-related incidents reveals that most organizations are ill-equipped to effectively respond when things go wrong.

As the saying goes, “stuff happens”– and when it does, it often tests just how prepared we are.

As cybersecurity and IT executives, we generally plan for any security incident that can threaten our organization, but do you have a plan in place to respond to crypto-related events?

A recent study by Ponemon Institute on The Impact of Unsecured Digital Identities reveals that organizations have an average of nearly 140,000 keys and certificates across their environment, yet more than 60% of respondents are concerned about their ability to keep them secure.

So – what happens when the keys and certificates you trust today become your greatest risk tomorrow?

Let’s take a look at just a few of the crypto-related incidents that can threaten your business.

Certificates are trusted in two ways – explicit and ubiquitous.

• Explicit trust is when you enable a device to trust a certain certificate or the CA it is issued from.
• Ubiquitous trust is when a CA is natively trusted by a browser, application, or operating system (i.e. Google Chrome or Windows OS) and the certificate is kept in a “trust store.”

But what happens when a Certificate Authority (CA) can no longer be trusted? Perhaps the CA was breached or failed to keep up with cryptographic standards.

Regardless of how it happened, your trusted source for keys and certificates has failed you, and now you’re left to pick up the pieces.

When CA breaches do happen – the Ponemon report shows that organizations experienced two incidents of CA compromise in the past 24 months — the impact is huge. According to that same report, the average cost to recover from these events is $13.2 million.

Even the likes of GoDaddy, Apple, and Google cannot be relied upon to ensure that your certificates are secure and up to industry standard – having recently misissued nearly 1 million browser-trusted certificates that failed to meet current standards.

Despite the minimal risk, the cost for organizations to find and replace these certificates was considerable.

Discovery of a bug in a crypto-library can also result in the need to generate new keys and reissue certificates according to the technology used in patching or replacing it.

In October 2017, a flaw discovered in a software library used by on Infineon Trusted Platform Modules (TPMs) to generate RSA private keys left millions of security devices vulnerable. In this case, it wasn’t enough to simply install firmware updates – nearly every large enterprise around the world was left scrambling to manually revoke and replace weak encryption keys.

Cryptographic algorithms evolve. In fact, it’s hard to find any cryptographic algorithm or hashing mechanism that hasn’t failed us in recent years – replaced by a stronger, less breakable alternative.

Just think of the keys and hash algorithms we trusted in 2007, from MD5 and SHA-1 to 1024-bit RSA keys. None are acceptable today.

Experts in the field of quantum computing predict that quantum computers will be viable within the next 15 years. This leap forward is likely to disrupt key components of cryptography as we know it, forcing enterprises to pivot to new strategies, cryptographic standards and technologies.

Finding and replacing keys and certificates on affected systems is still largely a manual process, at a tremendous cost and risk to the organization. In the shift from SHA-1 to SHA-2, several organizations reported expenses exceeding $5 million. And that assumes there are no failed audits along the way, in which case costs could run well beyond $14 million.

Private keys are essential to decrypt data and enable access to critical information. But in the wrong hands, they can be used impersonate a trusted entity and gain unfettered access to your network.

Attackers can target trusted keys used by firewalls, load balancers, and servers – enabling them to hide in your encrypted traffic. Uncertain of which key may have been stolen, IT and security teams are forced to generate all new keys and certificates across hundreds of systems.

Organizations estimate that they experienced an average of more than four incidents of server certificate and key misuse, costing an average of $13.4 million in the past two years.

At the scale of public key infrastructure today, manual scripts and spreadsheets are simply ineffective.

Crypto-agility provides the ability to manage your keys and certificates in a proactive and responsive way. If your enterprise isn’t crypto-agile, now is the time to start. Cryptographic agility is imperative as we approach the era of post-quantum cryptography.

Developing an effective key and certificate management strategy and investing in automation can help you stay one step ahead of the security curve – and reduce the impact and cost of crypto-related incidents to your business.

Want to learn more? Download this eBook and start your path to a crypto-agile PKI, or check out our latest release – Keyfactor Command 6 – designed to enable crypto-agile enterprise key management at scale.