This article was originally published by Spiceworks News & Insights on July 29, 2022.
Centralized management of machine identities and cryptography are key to secure operations in an increasingly digital and dangerous business environment. In this two-part article, Ted Shorter, CTO, Keyfactor, discusses the most significant trends in cryptography this year.
Cryptography is the foundation of the digital world. Many companies today are digital businesses, using technology to sell, engage with customers, and complete day-to-day operations. For these businesses, cryptography and public key infrastructure (PKI) are essential in establishing the trust companies need across their IT infrastructures and product solutions. Amid a growing wave of increasingly sophisticated cyberattacks such as those on SolarWinds and Kaseya, PKI is a stalwart defender of zero-trust strategies. By providing unique digital identities for users, devices, and applications, tying assigned permissions to an entity’s identity, and supplying strong user authentication, PKI protects sensitive data and secures end-to-end communications.
As the number of digital identities, access controls, code signing requirements and trust relationships businesses maintain grow exponentially, PKI and cryptography will play a critical role in modern organization visibility and machine identity management, especially as attacks increase in sophistication and severity. Meeting current security challenges while anticipating and planning for future needs will require companies to keep close tabs on changes impacting their business and cryptographic needs.
Against this backdrop, here are the most significant trends in cryptography we can expect to see for the remainder of 2022.
Prediction 1: PKI silos will need to be eradicated to achieve governance
For companies pursuing zero-trust security goals, overhauling PKI governance is a must. Today, more and more outages are caused by expired certificates, as seen in the recent outages from Fortinet, Shopify, and other major enterprises. Centralized visibility and control over an organization’s various applications of machine identities and the PKI that sits behind them are crucial to achieving the access control required for regulatory compliance and enterprise cybersecurity.
To that end, businesses are investing in PKI to manage their certificates, performing PKI consolidation, and migrating several disparate PKIs into a single multi-tenant solution, such as EJBCA. However, while these approaches are gaining popularity, the reality is that PKI silos will persist in large organizations. This is because manual certificate management processes have not kept up with the evolution of IT environments. As enterprises continue to deploy more machine identities, PKI governance inevitably becomes siloed, putting organizations at risk.
According to Pulse Research and Keyfactor, 96% of IT security executives report that PKI is essential to implementing a zero-trust architecture. Hence centralized management of PKI and the machine identities they govern will provide the visibility necessary to make this a reality. This ranges from authenticating every user’s and device’s identity on the network and encrypting all data at transit across the organization to maintaining the integrity of data coming to and from users/devices.
Prediction 2. Complete visibility and proactive certificate management will be essential to zero-trust
The race to digital transformation has introduced a new set of security challenges. With an exponential number of machine identities created each day, IT and security teams are struggling to manage the security certificates tied to those identities. As businesses continue to grow more digital, proactive certificate management will become even more essential. Without proper machine identity and certificate management, organizations stand to experience massive outages, among other detrimental consequences.
Furthermore, organizations are struggling to decide how to handle PKI and the management of machine identities. Today, a plethora of options exist for obtaining code signing certificates, and there are also way more identities between users, devices, and applications where certificates need to be implemented to vouch for the legitimacy of an end user. The ongoing evolution of IT environments means that PKI certificates are applied in many ways and various environments. Web servers, for example, need certificates from a public certificate authority (CA), while internal identity management falls under a private CA. Furthermore, digital certificates used in DevOps practices have short lifecycles, while website SSL certificates live longer.
While it is expected that an organization’s strategy includes obtaining certifications from multiple sources, it is essential to have complete visibility over these systems. This is especially critical to maintaining security in a highly distributed cloud environment.
Prediction 3: Post-quantum cryptography is gaining traction
Quantum computing’s ability to crack current asymmetric encryption algorithms poses a serious threat to PKI, Transport Layer Security (TLS), virtual private networks (VPNs), and a wide range of other systems. Although quantum computers capable of breaking classical cryptography are still years away, there is certainly early movement here. They likely will emerge during the lifecycle of solutions being developed today.
To address this issue, new post-quantum cryptographic (PQC) algorithms are being developed. These new algorithms are based on problems that retain their asymmetric complexity in the face of quantum computing, which is essential to secure algorithms in the face of a quantum attack. While PQC has been discussed in certain circles for a while, the years-long PQC effort the National Institute of Standards and Technology (NIST) announced in 2015 has given it credence.
While NIST recently announced its Round 3 selections for standardization, final standards are not expected until 2024. Following the adoption of standardized algorithms, there will be modifications to standard protocols and formats to use the new algorithms. Then there will be the implementations of those algorithms and protocols in cryptographic toolkits (e.g., Bouncy Castle, OpenSSL) and operating systems (Windows, macOS, Android, iOS), followed by the use of those algorithms by products that use those toolkits or operating systems, such as web browsers, email clients, and IoT devices.
Then there will be procurement and rollout of those new products and operating systems that use those new algorithms and protocols. Finally, deployments of those implementations must reach “critical mass” in the ecosystems those products operate in. It does not do any good to roll out a new algorithm or protocol if the products or devices in an organization’s system do not support it. All in all, this process can take anywhere between four and 20+ years after 2024.
This all said, companies can start building PQC solutions based on the draft standards, which will lay the groundwork for developers to prepare for future developments. With official standards, PQC will come into its own and will gain widespread acceptance and inclusion in regulations and standards moving forward. To prepare for PQC, organizations must inventory all their keys and algorithms and create a plan based on automation to update them.
Even if PQC does not happen, the algorithms and keys we use today will not be secure in the future. We know this because the ones we used 15-20 years ago are not considered secure today. Regardless of what the future holds, organizations should never design systems to use cryptography statically.
In the second part of this series, we will dive into the remaining trends that are emerging in the cryptography space. Stay tuned for more on how crypto-agility will go mainstream and why the industry will start to see more adoption of security standards as guidelines as quantum computing draws nearer.