Mainstream Crypto-Agility and Other Emerging Trends in Cryptography: Part 2

This article was originally published by Spiceworks News & Insights on August 8, 2022.

In the first article of the two-part series, Ted Shorter, CTO, Keyfactor, discussed a few key trends in cryptography and public key infrastructure (PKI). In this article, the second of the series, he discusses a few more crucial trends to watch out for in cryptography this year.

In today’s digital world, cryptography has emerged as one of the most important tools for building secure systems. By properly leveraging cryptography, modern businesses can ensure the integrity, confidentiality, and authenticity of sensitive data that is essential to business operations.

In the first part of this series, we discussed some of the biggest trends and emerging changes in cryptography that we expect to have a huge impact on a company’s business and cryptographic needs. Rounding out the list, here are two more of the most significant trends in cryptography that we expect to see this year.

Prediction 4: Crypto-agility will go mainstream — once DevOps and security teams learn to collaborate

A growing awareness of supply chain risk, the global drive toward zero-trust, and the widespread adoption of public key infrastructure (PKI) for software security require that organizations give priority to crypto-agility: the ability to rapidly switch between multiple cryptographic primitives and algorithms without the rest of the system’s infrastructure being significantly affected by the changes. In fact, according to Keyfactor and Ponemon Institute, 57% of IT and security leaders have identified crypto-agility as a leading strategic priority in preparing for quantum computing.

Today, speed and security rule the world of enterprise technology. Unfortunately, the two are often at odds, creating a disconnect between DevOps and security teams. DevOps teams need to move fast to develop products that are in line with market needs, and many are not all that concerned about where certificates are issued from and what policies they comply with, so long as they have what they need to keep moving forward at speed. Faced with this primary concern, many DevOps teams have started to issue their own digital certificates, creating numerous blind spots for their security counterparts and leaving their solutions open to risk. In fact, most security teams do not fully know how many certificates have been issued, let alone where they live and when they expire.

The key to bridging this divide without sacrificing speed or security is introducing back-end controls for certificates that get issued through DevOps tools. This approach allows DevOps teams to move as quickly as they need to without changing their existing architecture since they can continue to issue and use certificates the same way they have been. But on the back-end, it gives security teams visibility into every certificate that gets issued to enforce policies and ensure accountability. And with automated certificate lifecycle management, the security team can automatically renew certificates as they expire to help ensure nothing breaks and to manage certificates with the necessary speed.

This type of collaboration will give rise to true crypto-agility. Organizations will use cryptography to its full potential, including rolling out digital identities as needed, securing the software supply chain, and deploying PKI to support DevSecOps, all with the ability to respond to changes rapidly.

Prediction 5: Security standards will be adopted as guidelines

The potential impact of quantum technology threatens both national security and the very foundation upon which internet security is based. According to the National Security Agency, a quantum computer of sufficient size and sophistication will be able to break much of the public-key cryptography used on digital systems across the United States.

In early May, the Biden-Harris administration announced an Executive Order that would bolster the National Quantum Initiative Advisory Committee. The committee guides policymaking and will work directly under the White House to ensure President Biden, Congress, federal agencies, and the public have the latest, most accurate information about advances in quantum technology. At the same time, President Joe Biden signed a National Security Memorandum, which outlines steps to mitigate the risks posed to America’s cybersecurity infrastructure. Both directives are intended to advance national initiatives in quantum science and raise awareness of the potential threats quantum computing will bring to the integrity of internet security.

In addition, a number of industry groups, including those in the automotive and medical industries, are developing their own security baselines. As the looming threat of quantum computing draws nearer, we will start to see more adoption of security standards as guidelines or even regulations.

The high-profile cyber incidents of the past year have thrown a spotlight on the sudden and significant impact modern threats can have on an organization’s cybersecurity and cryptographic needs. As we muse on what the coming year will bring, trust and agility will become paramount to ensuring businesses continue to operate securely. In the face of the disruptive events of the last year, enterprises have increasingly embraced the zero-trust principle, “trust nothing, validate everything.” In this model, PKI and machine identities have emerged as essential technologies to authenticate and establish digital trust between users, devices, and workloads across the business.

However, it is important to remember that trust is not static. As the threat landscape evolves and new technologies like quantum computing emerge, security standards will inevitably change. An organization’s ability to effectively manage and quickly adapt PKI infrastructure and machine identities to new algorithms, standards, and environments (i.e., its crypto-agility) will be equally important.

The good news is that organizations are becoming more aware of the urgency to become more crypto-agile. In our recent survey analyzing the role of PKI, keys, and digital certificates in securing IT organizations, preparing for crypto-agility was ranked as a top strategic priority for digital security by 57% of IT security professionals. As the threat landscape continues to evolve, cryptography’s importance will only grow along with the need for centralized management of machine identities.