Crypto-agility: Strategies and best practices to get there

In 2011, hackers broke into Netherlands-based web security firm DigiNotar to create more than 500 fake security certificates. More recently, Chrome researchers revealed a formal plan to distrust Symantec-issued certificates. With organizations relying heavily on encryption protocols to ensure secure communications, they must plan for being able to quickly respond to such incidents, according to Paul Turner, CTO for products at Venafi Inc. At the recent InfoSec World conference, Turner explained how achieving crypto-agility can help companies transition from one encryption standard to another -- and quickly.

In this Q&A with SearchCIO, Turner defines crypto-agility and highlights the benefits and challenges that companies are likely to encounter when trying to integrate it. He also shares best practices to help companies prepare for crypto-agility and explains why maintaining an inventory of cryptographic assets is a critical component to attain such cryptographic agility.

Editor's note: This interview has been edited for clarity and length.

What is crypto-agility?

Paul Turner: Crypto-agility is the ability for an organization to rapidly respond to a large crypto threat in a business-relevant period of time. Organizations are using crypto very broadly in their environments, and the most broadly used are the [Transport Layer Security] and the [Secure Socket Shell]. They rely on these for their mission-critical communications.

Paul Turner

If there is an event such as an algorithm that is all of a sudden broken unexpectedly, or a crypto library that has a bug that impacts a large number of systems, or there's a certificate authority compromise, all will require the replacement of a large number of keys and, potentially, the certificates that the CA compromise, and organizations will have to be able to respond quickly.

What are the benefits of being crypto-agile? Are there any challenges?

The biggest benefit of being crypto-agile is that you're able to leverage cryptography for security in a sustainable way.

Turner: The biggest benefit is that you're able to leverage cryptography for security in a sustainable way. You're not going to have it become a liability; instead, it is an asset.

The challenge that organizations have is that these cryptographic protocols are very broadly used in our organizations and across systems that are owned by different groups. In order for you to develop this crypto-agility, you have to orchestrate across all of those different people and groups.

Even if it's an organization that has 50 administrators and a thousand systems, just coordinating with all of them if a disaster occurs, or if you're just trying to get them all to adopt new practices, can take some time.

Do you have any tips for companies that are trying to be crypto-agile?

Turner: One of the first things has very little to do with technology and is about defining policies. The unique aspect of these cryptographic assets that makes policies a necessity is that the only way you're going to get all these various teams to change their habits is by making them understand what they need to do and understand that they're accountable for that. By defining policies, you can make sure that the entire organization is on notice that these are the ways that they need to secure their systems, and they're responsible for doing that.

Once you've got those policies defined, every group is responsible for having and maintaining an inventory of all their assets. The only way you're going to be able to respond quickly and replace all of the cryptographic assets that you've got is to know where they are, whether they exist or not.

You are going to need some central driving organization -- typically, that's the security group -- and they will provide the capability to develop that inventory, they'll provide the tools. Each one of the different groups then need that to participate in making sure that those tools can be used.

And then once we have that inventory, you begin by just reviewing it because most organizations have not had an inventory, so very quickly they can find that they have vulnerabilities and address those right away.

What's one of the key elements of creating an inventory?

Turner: One of the critical pieces of inventory is that you need to develop a method for tracking ownership, because it's not enough to just know, 'OK, we've got 100,000 keys and certificates,' but not know who you need to contact if there's an issue. Again, each one of those groups owns the systems where those keys and certificates are deployed, and they're the only ones that are going to be able to change them when needed. You need to be able to contact the correct person, probably in an automated fashion, either by sending email or opening tickets at a ticketing system.

Now that you have a good visibility and a good understanding of who owns things, what you want to do is you want to move to real crypto-agility, which is your ability to change things quickly. To do this, you have to implement automation, because the scale of the use of these keys is just beyond being able to do it manually. You won't be able to automate everything, but you need to implement a strategy that automates as much as possible.

The final piece is you need to make sure that you have a way of validating and tracking where you are in the process.