I had the wonderful opportunity to participate in a webinar last week with my friend and colleague Ted Shorter from Keyfactor. The topic of the session was the need for end-to-end cryptography lifecycle management in enterprise – and the discussion left a distinct impression on me. I’d like to take a moment to explain why.
It occurred to me that our many security consulting projects at TAG Cyber are rarely motivated by enterprise customers expressing the need to improve management of keys, certificates, and related cryptographic infrastructure. Our projects always seem to stem from problems related to SIEM, SOC, IAM, UBA, and other enterprise security tools.
But almost always, once the consulting engagement proceeds, we find that teams have particularly bad, or even non-existent, lifecycle practices for their cryptography. This is often explained away as an artifact of multiple teams being involved, including the network teams, developers, and the security organization, with no single owner for keys and certificates.
What we recommend in these cases, and what Ted and I reinforced during our session, is that a workable end-to-end methodology is not only possible but might be easier to implement than one would expect. And yes, I am not hesitant to admit that Keyfactor can and will provide assistance in this regard. Here are the elements of the end-to-end process.
Key Steps to Consider
It all starts in the first step with defining policies and responsibilities: who owns which keys and certificates, what algorithms and key sizes are permitted, and how long a credential may live. Settling this up front establishes a base for coordinated activity and is particularly useful in larger organizations that have distributed control of, and support for, keys and certificates. Distributed ownership is fine, but it must be carefully orchestrated.
The second step involves developing a good inventory of all cryptographic technologies, processes, and applications. This is best done using technology where possible (scanning endpoints, key stores, and code for certificates and keys), but it can often require that teams share information as part of an organizational discovery initiative. Inventory management, as you'd expect, is an ongoing process, because certificates and keys are created and retired continuously.
The third step involves the hard work of identifying and remediating all vulnerabilities that are found in the cryptographic infrastructure, including all systems and applications: undersized keys, deprecated hash and signature algorithms, certificates that are expired or close to expiry, and keys stored without proper access controls. During our webinar, Ted made the correct case that this is the heart of the end-to-end process and requires the most time and attention to get right.
The fourth step is continuous: monitoring and auditing all cryptographic processes against the policies set in step one. Maintenance and support of key and certificate-related infrastructure are essential tasks that help ensure both compliance and security for any systems reliant on cryptography. This step is perhaps more accurately described as concurrent with the others than as following them.
Finally, the end-to-end methodology emphasizes automation of the lifecycle, consistent with the basic tenets of agility. For rote tasks such as renewing certificates before they expire, automated support provides the essential coverage that helps cryptography teams sleep at night. Manual tracking in spreadsheets does not scale past a few hundred certificates, so automation has moved from an optional convenience to an essential requirement.
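To make the inventory, remediation, and monitoring steps concrete, here is an added example of the kind of automated audit that sits at the core of such a lifecycle. It is illustrative code written for this post, not code from the webinar, the eBook, or Keyfactor. It builds a small constructed inventory of self-signed certificates (the host names are made up) and runs three policy checks over each: validity window, key strength, and signature algorithm. The thresholds (60-day expiry warning, 2048-bit RSA minimum, 256-bit curve minimum) are assumed policy values chosen for illustration; a real deployment would take them from the step-one policy and would feed the audit from discovered certificates rather than generated ones.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// AuditCert applies three lifecycle checks to one parsed certificate and returns
// a human-readable finding per failed check. The thresholds are illustrative
// policy assumptions, not vendor rules. `now` is injected so the audit is reproducible.
func AuditCert(cert *x509.Certificate, now time.Time, expiryWarn time.Duration) []string {
	var findings []string

	// Check 1: validity window. Expired certificates and certificates inside the
	// warning window are exactly what renewal automation must catch.
	switch {
	case now.After(cert.NotAfter):
		findings = append(findings, "expired")
	case cert.NotAfter.Sub(now) < expiryWarn:
		days := int(cert.NotAfter.Sub(now).Hours() / 24)
		findings = append(findings, fmt.Sprintf("expires in %d days", days))
	}

	// Check 2: key strength. RSA below 2048 bits and curves below 256 bits are flagged.
	switch pub := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		if bits := pub.N.BitLen(); bits < 2048 {
			findings = append(findings, fmt.Sprintf("RSA key too small: %d bits", bits))
		}
	case *ecdsa.PublicKey:
		if bits := pub.Curve.Params().BitSize; bits < 256 {
			findings = append(findings, fmt.Sprintf("EC curve too small: %d bits", bits))
		}
	}

	// Check 3: signature algorithm. MD5 and SHA-1 signatures are rejected by modern verifiers.
	switch cert.SignatureAlgorithm {
	case x509.MD5WithRSA, x509.SHA1WithRSA, x509.ECDSAWithSHA1:
		findings = append(findings, "weak signature algorithm: "+cert.SignatureAlgorithm.String())
	}
	return findings
}

// selfSigned builds one self-signed certificate for the constructed inventory.
func selfSigned(serial int64, cn string, key crypto.Signer, notBefore time.Time, days int) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(time.Duration(days) * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// RunAudit generates a constructed four-certificate inventory (made-up host names)
// and returns findings keyed by subject common name; an empty slice means the
// certificate passed every check.
func RunAudit(now time.Time, expiryWarn time.Duration) (map[string][]string, error) {
	day := 24 * time.Hour
	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	rsaKey, err := rsa.GenerateKey(rand.Reader, 1024) // deliberately undersized for the demo
	if err != nil {
		return nil, err
	}
	specs := []struct {
		cn        string
		key       crypto.Signer
		notBefore time.Time
		days      int
	}{
		{"web.example.internal", ecKey, now.Add(-30 * day), 365},     // healthy
		{"legacy.example.internal", rsaKey, now.Add(-30 * day), 365}, // weak RSA key
		{"vpn.example.internal", ecKey, now.Add(-335 * day), 365},    // expires in 30 days
		{"old.example.internal", ecKey, now.Add(-400 * day), 365},    // expired 35 days ago
	}
	report := make(map[string][]string)
	for i, s := range specs {
		cert, err := selfSigned(int64(i+1), s.cn, s.key, s.notBefore, s.days)
		if err != nil {
			return nil, err
		}
		report[s.cn] = AuditCert(cert, now, expiryWarn)
	}
	return report, nil
}

func main() {
	// Truncate to whole seconds: X.509 validity times carry no sub-second precision.
	now := time.Now().UTC().Truncate(time.Second)
	report, err := RunAudit(now, 60*24*time.Hour)
	if err != nil {
		panic(err)
	}
	for cn, findings := range report {
		fmt.Printf("%-28s %v\n", cn, findings)
	}
}
```

The point of injecting `now` rather than reading the clock inside `AuditCert` is that the same audit can be replayed against yesterday's inventory snapshot during an incident, and the output can be asserted on in a test. In a real deployment the loop in `RunAudit` would iterate over certificates pulled from TLS endpoints, key stores, and repositories, and each finding would open a ticket or trigger a renewal job rather than being printed.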
If you would like to learn more, then check out the eBook I worked on with Ted and the team at Keyfactor. It lays out the essential components of our proposed end-to-end methodology – and it includes examples that will help you apply the process to your own situation. After you read the eBook, please let me know what you think. I look forward to hearing from you.