Concrete solutions for cloud security: part one

One thing we’ve noticed in markets around the world is that cloud adoption rates are rising. With the cloud, organizations tend to see reduced capital expenditure and short deployment times, with the ability to run cryptographic operations at the same level as on-premises HSMs. These are all reasons why organizations gravitate towards the cloud.

However, as established trends continue to evolve, new trends are emerging. Nowadays, organizations are trying to figure out how to optimize their cloud infrastructure and get more functionality from it. Many companies are searching for cloud cryptography providers that can offer enhanced efficiency as well as a high level of compliance.

In this three-part series of articles, we will delve into the growing security concerns, business requirements, and innovative solutions in the realm of cloud data security.

Dealing with cryptographic sprawl

With vectors of attack and fraud becoming more sophisticated and widespread, companies are looking for better ways to protect their sensitive data. As a result, many companies have incorporated encryption into their solutions. Quite often, organizations want to further augment that security by managing the keys used by those solutions inside a PCI and FIPS-validated hardware security module (HSM). This improves the organization’s security posture because it increases the level of protection and control over keys and data.

As organizations grow and deploy more and more applications using this functionality, managing all the encryption keys becomes a bigger challenge. These applications may utilize client libraries, third-party tools, and cloud solutions to implement cryptographic functions. This diverse range of resources can result in a phenomenon known as cryptographic sprawl.

What is cryptographic sprawl?

Cryptographic sprawl refers to the proliferation of unmanaged secrets, cryptographic solutions, encryption keys, and applications within an enterprise. While it may appear commonplace for organizations to have such a situation, the gradual accumulation of these resources can lead to significant issues. Unmanaged secrets pose potential security risks, and the absence of proper management for keys and cryptographic resources increases administrative overhead. Therefore, addressing cryptographic sprawl becomes crucial for maintaining a secure and efficient environment.

The hard facts of cryptographic sprawl

The Salesforce-Mulesoft Connectivity Benchmark Reports spanning 2021-2023, which surveyed 1,000 enterprise organizations across nine countries, reveal significant trends. Enterprises have experienced a 26% surge in application usage, resulting in a staggering 171% increase in integration labor costs. Alarmingly, most applications remain inadequately integrated and have an average lifespan of around four years. To tackle the mounting challenges of application proliferation and rising costs, organizations must address the issue of cryptographic sprawl.

How sprawl sets in

Let’s imagine an organization that offers IT and payment solutions. As they grow, they might start new business units with separate or shared pools of resources. They’ll also start acquiring different solutions and business tools. For example, the company might use Active Directory to manage its domain, SQL Server for its databases, and CyberArk for access management. In addition to these solutions, the organization is probably managing some things in-house, such as DNS infrastructure. Finally, let’s say that our organization is signing code for firmware updates as part of a software supply chain security initiative. Taken all together, these services require a robust encryption solution. But that solution will be using lots of encryption keys. And encryption keys need to be proactively managed in order to prevent security risks.

It looks like a lot on paper. But the encryption and key management for all of these things—from encrypting databases and tokenizing data to signing firmware—can be offloaded to an external key management server or HSM. This is the first step the company would take toward fixing cryptographic sprawl.

Resolving it

Resolving cryptographic sprawl doesn’t have to be an arduous task. In fact, it can be swiftly addressed by implementing a cloud key management solution. Managing hundreds of applications necessitates the generation, distribution, and deletion of thousands of encryption keys. Organizations can begin by conducting a self-assessment of their key management maturity level.

For instance, they should determine whether they have a robust key management solution in place. If so, it becomes crucial to ask essential questions such as: Are our keys stored in an application database, software, or with comprehensive hardware-backed protection? Are our keys partially or fully indexed? Have we established stringent policies to enforce key lifecycles?

If the answers to any of these questions is “No,” then it’s time for a serious discussion with a trusted cloud key management solution provider.

FAQ

What are the risks of cryptographic sprawl and how does it affect cloud infrastructure?

Cryptographic sprawl poses risks such as unmanaged secrets and increased administrative overhead, impacting the security and efficiency of cloud infrastructure. It leads to proliferation of unmanaged cryptographic solutions, encryption keys, and applications, potentially resulting in security vulnerabilities.

How do organizations manage encryption keys across multiple applications and clouds, and how can they overcome associated challenges?

Organizations manage encryption keys across various applications and cloud solutions by implementing robust key management solutions. Challenges include the need for generating, distributing, and deleting thousands of encryption keys, which can be mitigated by conducting self-assessments of key management maturity levels and adopting comprehensive hardware-backed protection.

What factors should organizations consider when choosing a cloud key management solution to address cryptographic sprawl?

Organizations should consider factors such as the storage location of keys (e.g., application database, software, or hardware-backed protection), key lifecycle enforcement policies, and the level of indexing for keys. When selecting a cloud key management solution provider, it is essential to ensure compatibility with existing infrastructure and adherence to stringent security standards.