It goes without saying that data privacy is important for businesses, so why is cryptography management so often left out of the cybersecurity innovation conversation? As businesses grow, there is usually more sensitive data to protect, and given the pace of innovation, that growth can be hard to keep up with. However, cryptography is undeniably a pivotal part of IT security, particularly as regulations and data privacy needs surge. Yet, due to a lack of modernization and automation, organizations often struggle to understand the risk of poorly managed cryptography and to manage their cryptographic protocols effectively. As a result, the industry has found itself at a crossroads: the digital innovation blind spot.
Modern IT: How Cryptography Got Left Behind (and Why That’s a Bad Thing)
For a multitude of reasons, over the past decades, cybersecurity solutions have evolved to keep up with innovation trends in IT. We have seen the creation of new cybersecurity markets tackling security gaps that are now covered. However, this evolution has left behind a crucial factor underpinning an organization’s cybersecurity posture: cryptography. The worry? Outdated cryptography processes cannot keep up with the complexity of modern IT. Unmanaged cryptographic artefacts, such as certificates that expire unnoticed, can cause critical application outages too. Essentially, unmanaged cryptography is a (costly) grenade.
Outdated cryptography is a significant financial burden, a legal liability, and a significant security risk, in the same way that an outdated legacy device on a network can be. Whereas cryptography gets left out of the conversation, the security of physical legacy devices on a network is a constant bone of contention. Crucially, both should be regarded as potent cybersecurity risks.
Compliance and Cryptography
Compliance-wise, however, cryptography remains a crucial element of security for many organizations. Good cryptography management is often a requisite of industry compliance, especially in the finance and healthcare sectors. PCI DSS, for the payment card industry, for example, mandates strong encryption for data transmission and storage and specifies cryptographic protocols and management practices.
However, these compliance standards often fall short of ensuring well-managed and well-maintained cryptography, leaving many organizations at risk. Compliance does not mean secure. Cryptographic compliance often relies on outdated processes that do not meet management or auditor expectations. Moreover, cryptography management requires a specific skill set that many IT professionals do not possess, leading to data protection or key management policies being ignored. A lack of understanding and skill in this area further alienates it from the mainstream discussion of cybersecurity.
Switching Cryptographic Standards
Cryptography standards are the established guidelines that the cybersecurity industry uses at scale to ensure the secure transmission and storage of sensitive digital information. These standards encompass a wide range of constructions. Adhering to cryptography standards means that organizations can feel confident in the security and robustness of the cryptographic algorithms and protocols being used.
When it comes to switching from one cryptographic standard to another, the whole organization may be left without an established solution to handle the migration efficiently. For example, it took some organizations up to 10 years to migrate away from SHA-1.
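The slow SHA-1 migration described above is what crypto agility is meant to prevent. As an added example (not code from the article or from SandboxAQ), the sketch below labels every stored integrity tag with the algorithm that produced it, puts the allowed algorithms in a policy table, and re-tags legacy records when they are next verified; the policy, key and sample records are all constructed for the example.

```python
import hmac

# Crypto-agility policy: each stored tag names the algorithm that produced it,
# and this table decides, per algorithm, whether new tags may be created with
# it and whether old tags may still be verified. Retiring an algorithm then
# becomes a policy change plus a re-tagging pass, not a code rewrite.
POLICY = {
    "sha1":   {"produce": False, "verify": True},   # legacy: accept, never emit
    "sha256": {"produce": True,  "verify": True},   # current algorithm
}
CURRENT = "sha256"


def _raw_tag(key: bytes, data: bytes, alg: str) -> str:
    """Algorithm-labelled HMAC with no policy check (used only to build legacy fixtures)."""
    return f"{alg}:{hmac.new(key, data, alg).hexdigest()}"


def tag(key: bytes, data: bytes) -> str:
    """Create a new tag; only the current, policy-approved algorithm is ever used."""
    if not POLICY[CURRENT]["produce"]:
        raise RuntimeError("current algorithm is not allowed to produce tags")
    return _raw_tag(key, data, CURRENT)


def verify(key: bytes, data: bytes, stored: str) -> tuple[bool, bool]:
    """Return (valid, needs_migration). Unknown or retired algorithms are rejected outright."""
    alg, _, mac = stored.partition(":")
    if not POLICY.get(alg, {}).get("verify"):
        return False, False
    valid = hmac.compare_digest(hmac.new(key, data, alg).hexdigest(), mac)
    return valid, valid and alg != CURRENT


def migrate(key: bytes, data: bytes, stored: str) -> str:
    """Re-tag a record with the current algorithm, but only if its old tag still verifies."""
    valid, stale = verify(key, data, stored)
    if not valid:
        raise ValueError("refusing to migrate a tag that does not verify")
    return tag(key, data) if stale else stored


def audit(key: bytes, records: list[tuple[bytes, str]]) -> dict[str, int]:
    """Inventory pass: count records that are valid, invalid, and still on a retired algorithm."""
    summary = {"valid": 0, "invalid": 0, "needs_migration": 0}
    for data, stored in records:
        valid, stale = verify(key, data, stored)
        summary["valid" if valid else "invalid"] += 1
        summary["needs_migration"] += int(stale)
    return summary


# Constructed sample store: a legacy SHA-1 record, a current record, a record
# whose data was altered after tagging, and a record on an unlisted algorithm.
KEY = b"example-key-not-a-real-secret"
RECORDS = [
    (b"invoice-1001", _raw_tag(KEY, b"invoice-1001", "sha1")),
    (b"invoice-1002", _raw_tag(KEY, b"invoice-1002", "sha256")),
    (b"invoice-1003-edited", _raw_tag(KEY, b"invoice-1003", "sha256")),
    (b"invoice-1004", "md5:" + "0" * 32),
]
```

Running `audit(KEY, RECORDS)` gives the migration backlog an inventory tool would report; the same tag-and-policy pattern is what a later move to post-quantum algorithms will require.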
The Future? Quantum Computing and Cryptography
One thing is for certain: the digital world will continue to innovate. Whether cryptography gets left behind (and therefore becomes too hard to manage retroactively later on) is another question. Quantum computers will break modern-day public key cryptography. The looming threat of quantum computers puts the C-suite in a tough position: quantum is not happening now, but if you don’t secure cryptography for the future promptly, it will be too late. As a result, sensitive data is already vulnerable to ‘store now, decrypt later’ cyberattacks, in which cybercriminals steal and store large encrypted datasets with the intention of decrypting them in the future. As we get closer to accessible quantum computing, these attacks will no doubt increase.
Governing bodies are waking up to the very real threat that quantum computing poses to modern cryptography, though. The US National Institute of Standards and Technology (NIST) recently released 3 quantum-resistant algorithms, with another one coming soon. It is crucial that business leaders take note of this and proactively protect against the future.
But Why Now? Moving Away from What If, Why and When?
With budgets tight and spending justification a crucial element of security in today’s business landscape, we must focus on the immediate risks. AI, for example, poses a significant threat to organizations today, from adversarial machine learning (AI can be used to manipulate training data, leading to models that make incorrect predictions or classifications, for example) to sophisticated phishing campaigns.
There’s an opportunity for organizations to get ahead of the curve and free up resources to focus on the most pressing AI-augmented threats. Automated cryptography management enables security teams to be more efficient and to focus on the never-ending stream of new threats. It is essential for an organization to gain a comprehensive understanding of its cryptographic risk posture, keep up with migration to new protocols, and recognize that cryptography is an essential part of the digital IT landscape today.
About the Author
Dr. Marc Manzano is General Manager, Cybersecurity at SandboxAQ, where he leads the cybersecurity group. His current research interests include post-quantum cryptography, lightweight cryptography, fully-homomorphic encryption, the intersection between machine learning and cryptanalysis, performance optimizations of cryptographic implementations on a wide range of architectures, and quantum algorithms. He has presented more than 25 articles at international conferences, published more than ten journal papers, and collaborated on several scientific books related to cryptography and computer networks security.
Over the past ten years, Dr. Manzano has led the development of many secure cryptographic libraries and protocols. Dr. Manzano was formerly a Senior Staff Software Engineer at Google, and before that, he was the Vice President of the Cryptography Research Centre at the Technology Innovation Institute, a UAE-based scientific research center. Prior to that, he held several positions where he was responsible for implementing pivotal cryptographic components of a variety of secure communication products, including an electronic voting platform.
Dr. Manzano holds a Ph.D. in Computers Network Security, which he earned under the supervision of the University of Girona (Spain) and Kansas State University (United States). He earned an MSc in Computer Science from the University of Girona (Spain), during which he did research stays at UC3M (Spain) and at DTU (Denmark). He initiated his research career while finalizing his BSc in Computer Engineering at Strathclyde University (UK).
Dr. Manzano can be reached on X at https://x.com/marcmanzano?lang=en and on our company website at https://www.sandboxaq.com/