How the Three Pillars of Crypto-Agility Prepare Your Enterprise for Whatever the Future Holds
By Mike Cooper, Revocent
While organizations increasingly recognize the need for crypto-agility, the fact remains that few have actually achieved it in practice. Take the bumpy ride around the deprecation of SHA-1. Weaknesses in SHA-1 were published as far back as 2005. Yet in 2017, SAP Ariba, for instance, advised legacy customers to use unpatched browsers to avoid being blocked or triggering error messages caused by its deprecated SHA-1 certificates. And it was only last month that Microsoft finally retired the SHA-1-based Windows Update service endpoints.
In today’s fast-changing and uncertain world, a hash migration that drags on for fifteen years is no longer acceptable (if it ever was). Threats like quantum computing are getting more real, while cryptographic algorithms decay or are compromised as new flaws are discovered (SHA-3 was standardized in 2015 as an alternative to SHA-2, which remains approved today but will not last forever). Along with the longer-term threats, organizations face more immediate risks to business continuity: ongoing use of obsolete algorithms, short keys, and certificates that are of unknown origin or about to expire.
With the challenges only becoming more complex as certificate lifespans get shorter and shorter, there is only one path forward and that is to achieve crypto-agility. By crypto-agility we mean that your organization has taken complete control over cryptographic mechanisms – your public key infrastructure (PKI) and associated processes – and can quickly make whatever changes are needed without intense manual effort.
An automated, well-managed, cryptographically agile infrastructure enables your organization to respond swiftly to both immediate and long-term threats. Crypto-agility also makes your operations teams more efficient and eliminates unnecessary costs such as consulting fees, temporary staff, fines, and remediation work.
Most organizations have long embraced the value of PKI automation, but have nonetheless allowed manual processes to slip through. Recognizing the value and control provided by an on-premises CA, enterprises widely adopted Microsoft Active Directory Certificate Services (ADCS), whose autoenrollment automates certificate provisioning and renewal for AD-joined Windows systems. When the number of systems requiring certificates was small and expiration dates were long, a few manually issued certificates for endpoints outside the Microsoft universe didn’t seem like a problem.
Fast forward to today where enterprises have hundreds or thousands of Linux, Mac and UNIX endpoints. In this world, partial or incomplete automation represents a significant problem. The table below presents a scenario of the time and expense involved with a comprehensive hash migration. With incomplete or partial automation, most enterprises would be looking at a 15-month migration period compared to just six days when a fully automated solution has been put in place.
Crypto-agility is a complex topic at scale, and working towards it requires a multifaceted approach. Changes are needed in organizational policy, operating procedures, and core technology. Your PKI may need to be upgraded and enhanced to support rapid swaps of algorithms and key sizes, and software development procedures may need to be revamped so that cryptography is designed in from the start rather than bolted on top of finished software.
Despite the complexity, enterprises can no longer afford to take a wait-and-see attitude toward crypto-agility. Below are three pillars that, if adopted, will put your organization on the right path toward withstanding whatever the future holds:
Pillar #1 – Automate discovery and reporting. At the push of a button, you should be able to produce a full report of all your cryptographic assets: where each certificate and key lives, who issued it, which signature algorithm and key size it uses, and when it expires. This lets you quickly identify vulnerable cryptography and report anomalies. There are any number of tools available to help you do this, but ideally certificate reporting should simply be part of an automated PKI solution.
Pillar #2 – Automate PKI operations at scale. The ideal solution here is a fully automated certificate management system (CMS) that manages the entire lifecycle of a certificate from creation to renewal. When the CMS creates a certificate, it should record everything it needs not only to monitor that certificate for expiration but also to provision a replacement automatically, with a fresh key, without human intervention.
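The following Go program is an added example illustrating Pillars 1 and 2 together; it is not code from this article or from any Revocent product. It stands up a throwaway in-memory issuing CA (standing in for the enterprise CA), issues three constructed certificates (a 1024-bit RSA key, a certificate five days from expiry, and a compliant one), audits the inventory against an assumed policy (RSA shorter than 2048 bits, MD5/SHA-1 signatures, expiry within 30 days), and then re-keys and re-issues every certificate that fails. The host names, thresholds and CA name are assumptions made for the example.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Thresholds the inventory enforces. The numbers are assumptions for this example, not a standard.
const minRSABits, renewWithin = 2048, 30 * 24 * time.Hour
var weakSigAlgs = map[x509.SignatureAlgorithm]bool{x509.MD5WithRSA: true, x509.SHA1WithRSA: true,
	x509.DSAWithSHA1: true, x509.ECDSAWithSHA1: true}

// Audit lists the policy violations of one certificate as of now (Pillar 1: discovery and reporting).
func Audit(c *x509.Certificate, now time.Time) []string {
	var issues []string
	if weakSigAlgs[c.SignatureAlgorithm] {
		issues = append(issues, "weak signature algorithm "+c.SignatureAlgorithm.String())
	}
	if k, ok := c.PublicKey.(*rsa.PublicKey); ok && k.N.BitLen() < minRSABits {
		issues = append(issues, fmt.Sprintf("short RSA key (%d bits)", k.N.BitLen()))
	}
	if c.NotAfter.Sub(now) < renewWithin {
		issues = append(issues, "expired or inside renewal window")
	}
	return issues
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// CA is a throwaway in-memory issuing CA standing in for the enterprise CA.
type CA struct {
	Cert *x509.Certificate
	Key  crypto.Signer
}

// NewCA creates a self-signed ECDSA P-256 issuing CA valid for ten years.
func NewCA() *CA {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Issuing CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &CA{Cert: must(x509.ParseCertificate(der)), Key: key}
}

// Issue signs an end-entity certificate for cn over pub; the P-256 CA key yields ECDSA-SHA256 signatures.
func (ca *CA) Issue(cn string, pub crypto.PublicKey, lifetime time.Duration) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))),
		Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(lifetime), KeyUsage: x509.KeyUsageDigitalSignature}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, pub, ca.Key))
	return must(x509.ParseCertificate(der))
}

// Remediate audits the inventory and re-keys and re-issues every failing certificate (Pillar 2:
// lifecycle automation). Pushing the replacement to the endpoint is the CMS agent's job, not modelled here.
func Remediate(ca *CA, inv []*x509.Certificate, now time.Time) (map[string][]string, []*x509.Certificate) {
	report := map[string][]string{}
	var renewed []*x509.Certificate
	for _, c := range inv {
		if issues := Audit(c, now); len(issues) > 0 {
			report[c.Subject.CommonName] = issues
			key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // fresh key; never reuse the old one
			renewed = append(renewed, ca.Issue(c.Subject.CommonName, &key.PublicKey, 90*24*time.Hour))
		}
	}
	return report, renewed
}

// SampleInventory is constructed test data: a 1024-bit RSA key, a certificate five days from expiry, and a compliant one.
func SampleInventory(ca *CA) []*x509.Certificate {
	weak := must(rsa.GenerateKey(rand.Reader, 1024))
	soon := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	good := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	return []*x509.Certificate{
		ca.Issue("legacy.example.internal", &weak.PublicKey, 365*24*time.Hour),
		ca.Issue("app01.example.internal", &soon.PublicKey, 5*24*time.Hour),
		ca.Issue("app02.example.internal", &good.PublicKey, 365*24*time.Hour),
	}
}

func main() {
	ca := NewCA()
	report, renewed := Remediate(ca, SampleInventory(ca), time.Now())
	fmt.Println("findings:", report)
	fmt.Println("reissued:", len(renewed), "certificate(s), ECDSA-SHA256, 90-day lifetime")
}
```

Run it with `go run`. In a real deployment the inventory slice would be populated by scanning endpoints, key stores and TLS listeners rather than constructed in code, the policy would be loaded from configuration, and the replacement certificate and private key would be installed on the endpoint by the CMS agent; the audit-then-reissue loop is the part that stays the same.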
Pillar #3 – Be nimble. At an organizational and management level, your IT organization, from DevOps through to day-to-day operations staff, needs to be ready for threats and change. Carefully evaluate and rethink every aspect of your PKI to identify anything that locks you into a particular vendor, algorithm, or technology. Remember, too, that the rate of threats and change is accelerating.
Join the Futurex Tech Talk on September 16
If your organization manages its own CA and still relies on manual certificate provisioning and renewal processes, I encourage you to attend the Tech Talk taking place at noon ET on Wednesday, Sept. 16 to learn more about automating certificate provisioning and renewal across your entire network at scale.
In this Tech Talk entitled “How to Unify Certificate Management On All Your Devices and Applications,” Adam Cason, Vice President, Global and Strategic Alliances at Futurex, will join me for an interactive discussion on how you can improve the automation and security of your organization’s PKI.
By attending the webinar, you will:
- Learn how to streamline certificate automation for Linux/UNIX/Mac computers from Microsoft ADCS and eliminate manual processes
- Learn how applications can be automatically provisioned with certificates that are fully managed
- Learn how to improve data and key protection with a FIPS 140-2 Level 3 validated platform
- Learn how to overcome common hurdles in deploying enterprise certificate authority environments
For those of you who are new to Revocent, we provide innovative PKI products to organizations on a global basis. Our premier CertAccord Enterprise product provides X.509 certificate automation to enable customers to extend their existing Microsoft Enterprise CA to Linux, Mac, and UNIX platforms. Full life-cycle management of certificates allows customers to significantly reduce ongoing labor costs, improve security, and simplify their PKI.
We hope you’ll join us on Sept. 16 for what I’m confident will be a lively and engaging discussion. Head over to the registration page now to reserve your spot.