In my last blog, we discussed the need to know where and how your crypto is currently being used in your organization and in your supply chain interactions. You will find it useful to do this on a regular basis, and you will want to bring in some central coherence and visibility to this function going forward.
In this blog, we will discuss all the places you will find your crypto. On a panel I was once on, a wise person said, “Where isn’t crypto?”
Where isn’t crypto?
You will, in fact, find cryptography in every layer of your stack and embedded in all protocols that exchange information (data in transit) internally or externally, that secure information while in storage (data at rest), and even those that authorize and secure its processing (data in use). You will find it in the networks, in the devices (microprocessors, IoT, ATMs, satellites, set-top boxes, point-of-sale systems, smartphones, cars, etc.), in the applications, in the cloud, at the edge, in the servers, in the firewalls, in DNSSEC, HTTPS, TLS, SSH, IAM, VPN, Wi-Fi and PKI, in secure payment protocols, in key management applications, at the core of cryptocurrencies, in mobile apps, and in your code signing. Well, you get the point: “Where isn’t crypto?”
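The first practical step behind “where isn’t crypto?” is a crypto inventory: pull the algorithm names out of configs and source, group them by crypto-family, and mark which ones a post-quantum transition must replace. The script below is an added example, not the author’s tooling. It runs over three constructed fragments (an nginx cipher line, an sshd_config, a few lines of application code; none are from a real system) and classifies each hit: public-key primitives (RSA, ECDSA, ECDH, EdDSA, DSA, DH) are marked “replace” because Shor’s algorithm breaks them, AES is “review” below 256-bit keys because Grover’s algorithm roughly halves effective symmetric strength, and SHA-1 is “replace” as a classically deprecated hash. Rule names, the `Finding` record and the action labels are this example’s own conventions.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed sample fragments standing in for real configs and source
# (not taken from any real system).
SAMPLES: Dict[str, str] = {
    "nginx.conf": (
        "ssl_protocols TLSv1.2 TLSv1.3;\n"
        "ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384;"
    ),
    "sshd_config": (
        "HostKey /etc/ssh/ssh_host_rsa_key\n"
        "HostKey /etc/ssh/ssh_host_ed25519_key\n"
        "KexAlgorithms curve25519-sha256,diffie-hellman-group14-sha256"
    ),
    "app.py": (
        "key = rsa.generate_private_key(public_exponent=65537, key_size=2048)\n"
        "digest = hashlib.sha256(data).digest()\n"
        "cipher = AES.new(k, AES.MODE_GCM)"
    ),
}


@dataclass(frozen=True)
class Finding:
    source: str
    line: int
    name: str    # normalised primitive name (this example's own labels)
    detail: str  # key or digest size where visible in the text, else ""
    family: str  # public-key | symmetric | hash
    action: str  # replace | review | retain


def _public_key(_size: str) -> str:
    # Every public-key primitive of the current family is broken by Shor's
    # algorithm, so the action does not depend on key size.
    return "replace"


def _aes(size: str) -> str:
    if size == "":
        return "review"  # key size not visible in this fragment
    # Grover's algorithm roughly halves effective symmetric key length.
    return "retain" if int(size) >= 256 else "review"


def _sha(size: str) -> str:
    return "replace" if size == "1" else "retain"  # SHA-1 is deprecated classically


# (name, pattern, family, action). Patterns are case-insensitive and must be
# delimited by non-alphanumerics, so "ssh_host_rsa_key" hits RSA but the
# "DSA" inside "ECDSA" does not hit DSA.
RULES: List[Tuple[str, str, str, Callable[[str], str]]] = [
    ("RSA", r"rsa", "public-key", _public_key),
    ("ECDSA", r"ecdsa", "public-key", _public_key),
    ("ECDH", r"ecdhe?|x25519|curve25519", "public-key", _public_key),
    ("EdDSA", r"ed25519|ed448", "public-key", _public_key),
    ("DSA", r"dsa", "public-key", _public_key),
    ("DH", r"diffie-hellman|dhe?", "public-key", _public_key),
    ("AES", r"aes-?(128|192|256)?", "symmetric", _aes),
    ("SHA", r"sha-?(1|256|384|512)", "hash", _sha),
]
COMPILED = [
    (name, re.compile(rf"(?<![a-z0-9])(?:{pat})(?![a-z0-9])", re.I), fam, act)
    for name, pat, fam, act in RULES
]


def inventory(sources: Dict[str, str]) -> List[Finding]:
    """Scan each source line by line; one Finding per (source, line, name, size)."""
    found: List[Finding] = []
    seen = set()
    for src, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for name, rx, fam, act in COMPILED:
                for m in rx.finditer(line):
                    size = m.group(1) or "" if rx.groups else ""
                    key = (src, lineno, name, size)
                    if key in seen:
                        continue
                    seen.add(key)
                    found.append(Finding(src, lineno, name, size, fam, act(size)))
    return found


def summary(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per action: how much of the estate needs replacing."""
    return dict(Counter(f.action for f in findings))


if __name__ == "__main__":
    results = inventory(SAMPLES)
    for f in results:
        print(f"{f.source}:{f.line}  {f.name}{f.detail:>4}  {f.family:<10} {f.action}")
    print(summary(results))
```

On the three constructed fragments this yields 15 findings, 8 of them public-key primitives marked for replacement. A regex scan is a starting point, not the finished inventory: it sees only what is spelled out in text, so a key size hidden behind a default (the `AES.new` line) is reported as “review” rather than guessed.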
So, this will be an involved process, and one that, to be solved effectively and on time, requires a collaborative ecosystem – and for verticals that exchange significant digital value between them on a daily basis, this collaboration may be best approached using pre-competitive behaviours.
Planning, budgeting and implementation
One thing to keep in mind as you think through planning, budgeting, and timelines is who will help you implement the solutions. This work should not be treated as just a one-time crypto-rotation, as the move from DES to AES was, for example. That was a single crypto-primitive within the symmetric-key crypto-family, and the rotation could be largely achieved (and it started over 20 years ago…) with minimal impact on existing hardware and software tools.
A change to post-quantum cryptography is a change of all crypto-primitives of the public key crypto-family with a brand new generation of quantum-safe crypto-primitives. In other words, it’s a new crypto-family. And this new family will then expand.
So, when you think about your approach, make sure you focus on two things: new processing hardware and software that accommodates new growth in the new crypto-family without once again having to redo the whole stack. And, if possible, have that new hardware and software also operate between the old and the new crypto-families – it’s crypto-agility, not a crypto-rotation, you want to achieve. Crypto-agility is going to be a very good investment for your future and for your supply chains.
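What crypto-agility looks like in code, as an added example rather than anything from the author: callers name a suite by identifier and never a primitive, components are registered behind a fixed interface so a new member of the new crypto-family is added by registering it rather than by touching callers, and a hybrid suite combines an old-family secret with a new-family secret through HKDF, so the layer operates between the two families. The classical component is a toy finite-field Diffie-Hellman over a 127-bit Mersenne prime (demonstration parameters, not a production group); the new-family slot holds a pre-shared key mixed in the style of RFC 8784, and a real post-quantum KEM would register into that same slot. The component and suite names, the registry functions and the HKDF salt string are this example’s assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List, Tuple


def hkdf_sha256(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    """HKDF (RFC 5869) extract-then-expand with HMAC-SHA-256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


# A component is (keygen, shared):
#   keygen() -> (private, public_bytes)        public_bytes goes to the peer
#   shared(private, peer_public_bytes) -> bytes  this component's secret
Component = Tuple[Callable[[], Tuple[object, bytes]], Callable[[object, bytes], bytes]]
COMPONENTS: Dict[str, Component] = {}
SUITES: Dict[str, List[str]] = {}


def register_component(name: str, keygen, shared) -> None:
    COMPONENTS[name] = (keygen, shared)


def register_suite(suite_id: str, components: List[str]) -> None:
    missing = [c for c in components if c not in COMPONENTS]
    if missing:
        raise KeyError(f"unknown components: {missing}")
    SUITES[suite_id] = list(components)


# --- old family: toy finite-field Diffie-Hellman (demo parameters only) ---
P = (1 << 127) - 1  # Mersenne prime; far too small for real use
G = 3


def dh_keygen() -> Tuple[int, bytes]:
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P).to_bytes(16, "big")


def dh_shared(priv: int, peer_pub: bytes) -> bytes:
    return pow(int.from_bytes(peer_pub, "big"), priv, P).to_bytes(16, "big")


# --- new-family slot: pre-shared key mixed in, RFC 8784 style ---
# Constructed demo value; in practice provisioned out of band to both sides.
PPK = hashlib.sha256(b"constructed demo pre-shared key").digest()


def ppk_keygen() -> Tuple[None, bytes]:
    return None, b""  # nothing to exchange on the wire


def ppk_shared(_priv: None, _peer_pub: bytes) -> bytes:
    return PPK


def derive_key(suite_id: str, privs: Dict[str, object],
               peer_pubs: Dict[str, bytes], transcript: bytes) -> bytes:
    """Concatenate every component's secret and bind the result to the suite
    id and the exchanged public values. If any one component's secret is
    unknown to an attacker, the HKDF output stays unpredictable."""
    secret = b"".join(COMPONENTS[c][1](privs[c], peer_pubs[c]) for c in SUITES[suite_id])
    info = suite_id.encode() + b"|" + transcript
    return hkdf_sha256(b"crypto-agility-demo", secret, info, 32)


def handshake(suite_id: str) -> Tuple[bytes, bytes]:
    """Run both sides locally; returns (initiator_key, responder_key).
    Note that nothing here names a primitive: only the suite id."""
    comps = SUITES[suite_id]
    a = {c: COMPONENTS[c][0]() for c in comps}  # name -> (priv, pub)
    b = {c: COMPONENTS[c][0]() for c in comps}
    a_pubs = {c: a[c][1] for c in comps}
    b_pubs = {c: b[c][1] for c in comps}
    transcript = b"".join(a_pubs[c] + b_pubs[c] for c in comps)
    key_a = derive_key(suite_id, {c: a[c][0] for c in comps}, b_pubs, transcript)
    key_b = derive_key(suite_id, {c: b[c][0] for c in comps}, a_pubs, transcript)
    return key_a, key_b


register_component("ffdh-toy", dh_keygen, dh_shared)
register_component("ppk", ppk_keygen, ppk_shared)
register_suite("classic", ["ffdh-toy"])
register_suite("hybrid", ["ffdh-toy", "ppk"])

if __name__ == "__main__":
    for suite in SUITES:
        ka, kb = handshake(suite)
        print(suite, ka.hex()[:16], "agree" if ka == kb else "MISMATCH")
```

The property to notice is in `register_suite` and `handshake`: moving from the “classic” to the “hybrid” suite, or later swapping the pre-shared-key slot for a KEM, changes a registry entry and a suite id, not the code that derives and uses session keys. That is the difference between a rotation, which swaps one primitive for another in place, and agility, which leaves room for the next primitive before it exists.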
In our next blog, we will talk about what’s required ‘back there’, ‘down there’ and ‘out there’ to deliver crypto-agility. And after that blog, our following blog will talk a little about some ideas around planning and some end state architectures for the modern zero trust enterprise.
Thanks for reading.