
PKI Silos, Post-Quantum Crypto and Other Emerging Trends in Cryptography: Part 1

This article was originally published by Spiceworks News & Insights on July 29, 2022.

Cryptography is the foundation of the digital world. Many companies today are digital businesses, using technology to sell, engage with customers, and complete day-to-day operations. For these businesses, cryptography and public key infrastructure (PKI) are essential in establishing the trust companies need across their IT infrastructures and product solutions. Amid a growing wave of increasingly sophisticated cyberattacks such as those on SolarWinds and Kaseya, PKI is a stalwart defender of zero-trust strategies. By providing unique digital identities for users, devices, and applications, tying assigned permissions to an entity’s identity, and supplying strong user authentication, PKI protects sensitive data and secures end-to-end communications.

As the number of digital identities, access controls, code signing requirements and trust relationships businesses maintain grows exponentially, PKI and cryptography will play a critical role in visibility and machine identity management across modern organizations, especially as attacks increase in sophistication and severity. Meeting current security challenges while anticipating and planning for future needs will require companies to keep close tabs on changes affecting their business and cryptographic needs.

Against this backdrop, here are the most significant trends in cryptography we can expect to see for the remainder of 2022.

Prediction 1: PKI silos will need to be eradicated to achieve governance

For companies pursuing zero-trust security goals, overhauling PKI governance is a must. Today, more and more outages are caused by expired certificates, as seen in the recent outages from Fortinet, Shopify, and other major enterprises. Centralized visibility and control over an organization’s various applications of machine identities and the PKI that sits behind them are crucial to achieving the access control required for regulatory compliance and enterprise cybersecurity.

To that end, businesses are investing in PKI to manage their certificates, performing PKI consolidation, and migrating several disparate PKIs into a single multi-tenant solution, such as EJBCA. However, while these approaches are gaining popularity, the reality is that PKI silos will persist in large organizations. This is because manual certificate management processes have not kept up with the evolution of IT environments. As enterprises continue to deploy more machine identities, PKI governance inevitably becomes siloed, putting organizations at risk.

According to Pulse Research and Keyfactor, 96% of IT security executives report that PKI is essential to implementing a zero-trust architecture. Hence, centralized management of PKI and the machine identities it governs will provide the visibility necessary to make this a reality. This ranges from authenticating every user’s and device’s identity on the network and encrypting all data in transit across the organization to maintaining the integrity of data flowing to and from users and devices.

Prediction 2. Complete visibility and proactive certificate management will be essential to zero-trust

The race to digital transformation has introduced a new set of security challenges. With an exponential number of machine identities created each day, IT and security teams are struggling to manage the security certificates tied to those identities. As businesses continue to grow more digital, proactive certificate management will become even more essential. Without proper machine identity and certificate management, organizations stand to experience massive outages, among other detrimental consequences.

Furthermore, organizations are struggling to decide how to handle PKI and the management of machine identities. Today, a plethora of options exist for obtaining code signing certificates, and there are also far more identities among users, devices, and applications where certificates need to be deployed to vouch for the legitimacy of an end user. The ongoing evolution of IT environments means that PKI certificates are applied in many ways and in various environments. Web servers, for example, need certificates from a public certificate authority (CA), while internal identity management falls under a private CA. Furthermore, digital certificates used in DevOps practices have short lifecycles, while website SSL certificates live longer.

While it is expected that an organization’s strategy includes obtaining certificates from multiple sources, it is essential to have complete visibility over these systems. This is especially critical to maintaining security in a highly distributed cloud environment.

Prediction 3: Post-quantum cryptography is gaining traction

Quantum computing’s ability to crack current asymmetric encryption algorithms poses a serious threat to PKI, Transport Layer Security (TLS), virtual private networks (VPNs), and a wide range of other systems. Although quantum computers capable of breaking classical cryptography are still years away, there is certainly early movement here. They likely will emerge during the lifecycle of solutions being developed today.

To address this issue, new post-quantum cryptographic (PQC) algorithms are being developed. These algorithms are based on problems that stay easy to compute in one direction but hard to reverse even for a quantum computer, which is what keeps them secure against a quantum attack. While PQC has been discussed in certain circles for a while, the years-long PQC effort the National Institute of Standards and Technology (NIST) announced in 2015 has given it credence.

While NIST recently announced its Round 3 selections for standardization, final standards are not expected until 2024. Following the adoption of standardized algorithms, there will be modifications to standard protocols and formats to use the new algorithms. Then there will be the implementations of those algorithms and protocols in cryptographic toolkits (e.g., Bouncy Castle, OpenSSL) and operating systems (Windows, macOS, Android, iOS), followed by the use of those algorithms by products that use those toolkits or operating systems, such as web browsers, email clients, and IoT devices.

Then there will be procurement and rollout of those new products and operating systems that use those new algorithms and protocols. Finally, deployments of those implementations must reach “critical mass” in the ecosystems those products operate in. It does not do any good to roll out a new algorithm or protocol if the products or devices in an organization’s system do not support it. All in all, this process can take anywhere between four and 20+ years after 2024.

This all said, companies can start building PQC solutions based on the draft standards, which will lay the groundwork for developers to prepare for future developments. With official standards, PQC will come into its own and will gain widespread acceptance and inclusion in regulations and standards moving forward. To prepare for PQC, organizations must inventory all their keys and algorithms and create a plan based on automation to update them.

Even if the quantum threat never materializes, the algorithms and keys we use today will not be secure forever. We know this because the ones we used 15-20 years ago are not considered secure today. Regardless of what the future holds, organizations should never design systems to use cryptography statically.
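A small inventory script in the spirit of Predictions 1 to 3, added here as an example and not part of the original article or of any Keyfactor product: it records each certificate's public-key and signature algorithms and expiry date, flags certificates that fall inside a renewal window (the expired-certificate outages above), and marks public-key algorithms that a large quantum computer would break. It assumes only the openssl command-line tool; the certificates it generates are constructed, self-signed throwaways.

```shell
#!/bin/sh
# Added example (not from the original article): a tiny certificate inventory.
# For each PEM certificate it records the public-key algorithm and size, the
# signature algorithm and the expiry date, then flags
#   (a) certificates expiring inside a renewal window (outage risk), and
#   (b) public-key algorithms that Shor's algorithm breaks (PQC migration list).
# Assumptions: the openssl CLI is installed; the test certificates generated
# below are constructed self-signed throwaways, not real identities.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"   # scratch directory for the constructed certs

# make_test_cert NAME KEYSPEC DAYS
#   KEYSPEC is "rsa:<bits>" or "ec:<curve>"; DAYS is the validity period.
make_test_cert() {
  case "$2" in
    rsa:*) keyopts="-newkey $2" ;;
    ec:*)  keyopts="-newkey ec -pkeyopt ec_paramgen_curve:${2#ec:}" ;;
    *)     echo "unknown key spec: $2" >&2; return 1 ;;
  esac
  # keyopts is intentionally word-split into several openssl arguments
  # shellcheck disable=SC2086
  openssl req -x509 -nodes $keyopts -days "$3" -subj "/CN=$1.example.test" \
    -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.pem" >/dev/null 2>&1
}

# pq_vulnerable PUBKEY_ALG -> "yes" | "unknown"
#   Every public-key algorithm in wide use today (RSA, DSA, ECDSA/ECDH, EdDSA)
#   rests on factoring or discrete logarithms, which a quantum computer breaks.
pq_vulnerable() {
  case "$1" in
    rsaEncryption|rsassaPss|dsaEncryption|id-ecPublicKey|ED25519|ED448|X25519|X448)
      echo yes ;;
    *) echo unknown ;;   # anything else must be reviewed by hand
  esac
}

# inventory_cert PEMFILE WINDOW_DAYS
#   Prints one record: file|pubkey_alg|bits|sig_alg|not_after|pq_vulnerable|expiring
inventory_cert() {
  cert_text=$(openssl x509 -in "$1" -noout -text)
  pk_alg=$(printf '%s\n' "$cert_text" | sed -n 's/.*Public Key Algorithm: //p' | head -n 1)
  bits=$(printf '%s\n' "$cert_text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  sig_alg=$(printf '%s\n' "$cert_text" | sed -n 's/.*Signature Algorithm: //p' | head -n 1)
  not_after=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
  # -checkend exits 0 only if the certificate is still valid at the end of the window
  if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; then
    expiring=no
  else
    expiring=yes
  fi
  printf '%s|%s|%s|%s|%s|%s|%s\n' "$(basename "$1")" "$pk_alg" "$bits" "$sig_alg" \
    "$not_after" "$(pq_vulnerable "$pk_alg")" "$expiring"
}

# inventory_dir DIR WINDOW_DAYS
#   Prints one record per certificate, then a summary line:
#   total=<n> expiring=<n> pq_vulnerable=<n>
inventory_dir() {
  n_total=0; n_expiring=0; n_vulnerable=0
  for pem in "$1"/*.pem; do
    [ -f "$pem" ] || continue
    rec=$(inventory_cert "$pem" "$2")
    echo "$rec"
    n_total=$((n_total + 1))
    case "$rec" in *'|yes')  n_expiring=$((n_expiring + 1)) ;; esac     # 7th field
    case "$rec" in *'|yes|'*) n_vulnerable=$((n_vulnerable + 1)) ;; esac # 6th field
  done
  echo "total=$n_total expiring=$n_expiring pq_vulnerable=$n_vulnerable"
}

# Constructed inventory: a 10-day RSA certificate (the short-lived DevOps case)
# and a one-year EC certificate, checked against a 30-day renewal window.
make_test_cert short-rsa rsa:2048 10
make_test_cert long-ec   ec:prime256v1 365
inventory_dir "$WORKDIR" 30
```

Both constructed certificates are reported as quantum-vulnerable, and only the 10-day one lands in the 30-day renewal window; in practice the record lines feed a ticketing or automation system rather than a terminal.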

In the second part of this series, we will dive into the remaining trends that are emerging in the cryptography space. Stay tuned for more on how crypto-agility will go mainstream and why the industry will start to see more adoption of security standards as guidelines as quantum computing draws nearer.

3. IoT has become the next wave for MIM.

Connected products present an entirely new use case and environment for MIM, bringing the advantages of digital infrastructure to physical processes, which generates real-time production data, alerts operators to upcoming maintenance needs, tracks assets, and more.

As per Gartner, “these connected devices bridge cyber and physical worlds, and open up new threat vectors.” We believe a robust MIM strategy will prove key in preventing privacy breaches in high-governance industries like finance and healthcare. This will help guard against attacks on “industrial devices that lead to operational impacts and, potentially, catastrophic events in safety-critical production areas.”

IoT fields present unique demands and challenges in terms of both compliance and design. While the public sphere has made progress in defining approaches for IoT authentication, there is still plenty of work to do. As per Gartner, “most IIoT systems are self-contained and use native proprietary means for authentication.” Also, “some authentication methods are not good candidates due to certain IoT devices that are resource or feature constrained with low computing power and limited secure storage capacity,” Gartner notes, and suggests: “Evaluate and adopt authentication frameworks that support the range of device types across the IoT realms in operation.”

4. The supporting infrastructure around machine identities is still finding its footing.

On top of a greater variety and volume of machines, use cases among different business units and departments differ, as well. This widespread usage requires a set of centralized standards to keep MIM aligned throughout the organization while still allowing departments the flexibility to implement MIM in ways appropriate to their unique contexts.

However, frameworks and governance supporting best practices in MIM are still emerging. The Hype Cycle identifies a “chicken and egg” problem: “Target applications wait to see if a standard takes off and IAM vendors wait for wide support in their target applications.”

As per Gartner, “There is only a partial convergence of tools. Many tools have different approaches with regards to user interfaces, integrations, discovery, reporting capabilities, reach and latency. This results in a best-of-breed strategy using multiple tools.” Gartner suggests, “Determine the overall interdependence of machine identities by establishing discovery processes. Evaluate a mix of multiple tools that can provide continuous observability of machines in your hybrid and multicloud environment.”

New MIM platforms and service models are making it easier for organizations to manage machine identities and public key infrastructure. These centralized platforms provide a hub for the state of MIM across the enterprise and set the stage for automation. They create cost efficiencies, too. In the past, each business unit managing machine identities required its own certificate authority (CA), and each CA required its own server. Modern MIM platforms can host multiple CAs on one server. These offerings come prepackaged with databases and integrations, allowing users to avoid vendor bloat. PKI-as-a-Service offerings allow organizations to outsource MIM completely through an efficient SaaS subscription model.

5. MIM is critical to enabling more agile workflows across design, development, and security operations.

Agile and DevOps processes heavily employ cloud systems and other decentralized platforms to facilitate iterative development and fast feedback loops. From a security perspective, that means a higher velocity of digital requests and transactions that must be secured without becoming a bottleneck.

Security, software testing, and compliance phases are often regarded as speedbumps to agility and innovation. But the “shift left” trend recasts these sticky phases as accelerators by bringing security, testing, and compliance stakeholders into the design conversation at the earliest stages, an approach known as DevSecOps. With the proper tools, we believe key tenets of DevOps, like automation, can be expanded to security and MIM.

6. MIM lays the groundwork for Zero Trust.

Zero Trust is the latest movement in enterprise security. Traditionally, once a user or machine passes through the firewall, it is “trusted” and can move laterally, unchecked, through the systems landscape. A Zero Trust approach verifies each request as if the request is coming from an open, unsecured network.

Zero Trust is a strategy, not a tool. To enable that strategy without slowing down business processes, organizations must have the architecture and frameworks in place for managing machine identities efficiently.

What’s Next

When it comes to machine identities, the train has left the station. Certificates and keys are already at play in every enterprise organization and stand as an integral feature of any modern digital infrastructure.

As a company, it’s unlikely that your primary function is to create an efficient MIM process. We believe the traditional method of managing machine identities is tedious, manual, and often misunderstood, and can significantly inhibit your security team from focusing on their higher-level objectives.

The field of MIM and its umbrella, IAM, has splintered into exciting new subfields that position MIM as not only sustainable but as a value-add to your organization. That’s where Keyfactor comes in. We help organizations take back control and secure every machine identity so they can focus on driving business value. Let us show you how our cloud-first platform makes it easy to manage and protect every key and certificate across your business — schedule a demo to learn more.


Gartner, Hype Cycle for Digital Identity, 2022, Felix Gaehtgens, 25 July 2022

Gartner and Hype Cycle are registered trademarks and service marks of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Ted Shorter

Chief Technology Officer

  • Home
  • Blog
  • PKI
  • PKI Silos, Post-Quantum Crypto and Other Emerging Trends in Cryptography: Part 1

This article was originally published by Spiceworks News & Insights on July 29, 2022.

Cryptography is the foundation of the digital world. Many companies today are digital businesses, using technology to sell, engage with customers, and complete day-to-day operations. For these businesses, cryptography and public key infrastructure (PKI) are essential in establishing the trust companies need across their IT infrastructures and product solutions. Amid a growing wave of increasingly sophisticated cyberattacks such as those on SolarWinds and Kaseya, PKI is a stalwart defender of zero-trust strategies. By providing unique digital identities for users, devices, and applications, tying assigned permissions to an entity’s identity, and supplying strong user authentication, PKI protects sensitive data and secures end-to-end communications.

As the number of digital identities, access controls, code signing requirements and trust relationships businesses maintain grow exponentially, PKI and cryptography will play a critical role in modern organization visibility and machine identity management, especially as attacks increase in sophistication and severity. Meeting current security challenges while anticipating and planning for future needs will require companies to keep close tabs on changes impacting their business and cryptographic needs.

Against this backdrop, here are the most significant trends in cryptography we can expect to see for the remainder of 2022.

Prediction 1: PKI silos will need to be eradicated to achieve governance

For companies pursuing zero-trust security goals, overhauling PKI governance is a must. Today, more and more outages are caused by expired certificates, as seen in the recent outages from Fortinet, Shopify, and other major enterprises. Centralized visibility and control over an organization’s various applications of machine identities and the PKI that sits behind them are crucial to achieving the access control required for regulatory compliance and enterprise cybersecurity.

To that end, businesses are investing in PKI to manage their certificates, performing PKI consolidation, and migrating several disparate PKIs into a single multi-tenant solution, such as EJBCA. However, while these approaches are gaining popularity, the reality is that PKI silos will persist in large organizations. This is because manual certificate management processes have not kept up with the evolution of IT environments. As enterprises continue to deploy more machine identities, PKI governance inevitably becomes siloed, putting organizations at risk.

According to Pulse Research and Keyfactor, 96% of IT security executives report that PKI is essential to implementing a zero-trust architecture. Hence centralized management of PKI and the machine identities they govern will provide the visibility necessary to make this a reality. This ranges from authenticating every user’s and device’s identity on the network and encrypting all data at transit across the organization to maintaining the integrity of data coming to and from users/devices.

Prediction 2. Complete visibility and proactive certificate management will be essential to zero-trust

The race to digital transformation has introduced a new set of security challenges. With an exponential number of machine identities created each day, IT and security teams are struggling to manage the security certificates tied to those identities. As businesses continue to grow more digital, proactive certificate management will become even more essential. Without proper machine identity and certificate management, organizations stand to experience massive outages, among other detrimental consequences.

Furthermore, organizations are struggling to decide how to handle PKI and the management of machine identities. Today, a plethora of options exist for obtaining code signing certificates, and there are also way more identities between users, devices, and applications where certificates need to be implemented to vouch for the legitimacy of an end user. The ongoing evolution of IT environments means that PKI certificates are applied in many ways and various environments. Web servers, for example, need certificates from a public certificate authority (CA), while internal identity management falls under a private CA. Furthermore, digital certificates used in DevOps practices have short lifecycles, while website SSL certificates live longer.

While it is expected that an organization’s strategy includes obtaining certifications from multiple sources, it is essential to have complete visibility over these systems. This is especially critical to maintaining security in a highly distributed cloud environment.

Prediction 3: Post-quantum cryptography is gaining traction

Quantum computing’s ability to crack current asymmetric encryption algorithms poses a serious threat to PKI, Transport Layer Security (TLS), virtual private networks (VPNs), and a wide range of other systems. Although quantum computers capable of breaking classical cryptography are still years away, there is certainly early movement here. They likely will emerge during the lifecycle of solutions being developed today.

To address this issue, new post-quantum cryptographic (PQC) algorithms are being developed. These new algorithms are based on problems that retain their asymmetric complexity in the face of quantum computing, which is essential to secure algorithms in the face of a quantum attack. While PQC has been discussed in certain circles for a while, the years-long PQC effort the National Institute of Standards and Technology (NIST) announced in 2015 has given it credence.

While NIST recently announced its Round 3 selections for standardization, final standards are not expected until 2024. Following the adoption of standardized algorithms, there will be modifications to standard protocols and formats to use the new algorithms. Then there will be the implementations of those algorithms and protocols in cryptographic toolkits (e.g., Bouncy Castle, OpenSSL) and operating systems (Windows, macOS, Android, iOS), followed by the use of those algorithms by products that use those toolkits or operating systems, such as web browsers, email clients, and IoT devices.

Then there will be procurement and rollout of those new products and operating systems that use those new algorithms and protocols. Finally, deployments of those implementations must reach “critical mass” in the ecosystems those products operate in. It does not do any good to roll out a new algorithm or protocol if the products or devices in an organization’s system do not support it. All in all, this process can take anywhere between four and 20+ years after 2024.

This all said, companies can start building PQC solutions based on the draft standards, which will lay the groundwork for developers to prepare for future developments. With official standards, PQC will come into its own and will gain widespread acceptance and inclusion in regulations and standards moving forward. To prepare for PQC, organizations must inventory all their keys and algorithms and create a plan based on automation to update them.

Even if PQC does not happen, the algorithms and keys we use today will not be secure in the future. We know this because the ones we used 15-20 years ago are not considered secure today. Regardless of what the future holds, organizations should never design systems to use cryptography statically.

In the second part of this series, we will dive into the remaining trends that are emerging in the cryptography space. Stay tuned for more on how crypto-agility will go mainstream and why the industry will start to see more adoption of security standards as guidelines as quantum computing draws nearer.

3. IoT has become the next wave for MIM.

Connected products present an entirely new use case and environment for MIM, bringing the advantages of digital infrastructure to physical processes which generates real-time production data, alerts operators to upcoming maintenance needs, tracks assets, and more.

As per Gartner,” these connected devices bridge cyber and physical worlds, and open up new threat vectors”. We believe a robust MIM strategy will prove key in preventing privacy breaches in high-governance industries like finance and healthcare. This will help guard against attacks on “industrial devices that lead to operational impacts and, potentially, catastrophic events in safety-critical production areas.”

IoT fields present unique demands and challenges in terms of both compliance and design. While the public sphere has made progress in defining approaches for IoT authentication, there is still plenty of work to do. As per Gartner, “most IIoT systems are self-contained and use native proprietary means for authentication. Also, “Some authentication methods are not good candidates due to certain IoT devices that are resource or feature constrained with low computing power and limited secure storage capacity,” Gartner suggests. “Evaluate and adopt authentication frameworks that support the range of device types across the IoT realms in operation.”

4. The supporting infrastructure around machine identities is still finding its footing.

On top of a greater variety and volume of machines, use cases among different business units and departments differ, as well. This widespread usage requires a set of centralized standards to keep MIM aligned throughout the organization while still allowing departments the flexibility to implement MIM in ways appropriate to their unique contexts.

However, frameworks and governance supporting best practices in MIM are still emerging. The Hype Cycle identifies a “chicken and egg” problem, in “Target applications wait to see if a standard takes off and IAM vendors wait for wide support in their target applications.”

As per Gartner, “There is only a partial convergence of tools. Many tools have different approaches with regards to user interfaces, integrations, discovery, reporting capabilities, reach and latency. This results in a best-of-breed strategy using multiple tools.” Gartner suggests, “Determine the overall interdependence of machine identities by establishing discovery processes. Evaluate a mix of multiple tools that can provide continuous observability of machines in your hybrid and multicloud environment.”

New MIM platforms and service models are making it easier for organizations to manage machine identities and public key infrastructure. These centralized platforms provide a hub for the state of MIM across the enterprise and set the stage for automation. They create cost efficiencies, too. In the past, each business unit managing machine identities required its own certificate authority (CA), and each CA required its own server. Modern MIM platforms can host multiple CAs on one server. These offerings come prepackaged with databases and integrations, allowing users to avoid vendor bloat. PKI-as-a-Service offerings allow organizations to outsource MIM completely through an efficient SaaS subscription model.

5. MIM is critical to enabling more agile workflows across design, development, and security operations.

Agile and DevOps processes heavily employ cloud systems and other decentralized platforms to facilitate iterative development and fast feedback loops. From a security perspective, that means a higher velocity of digital requests and transactions that must be secured without becoming a bottleneck.

Security, software testing, and compliance phases are often regarded as speedbumps to agility and innovation. But the “shift left” trend recasts these sticky phases as accelerators by bringing security, testing, and compliance stakeholders into the design conversation at the earliest stages, an approach known as DevSecOps. With the proper tools, we believe key tenets of DevOps, like automation, can be expanded to security and MIM.

6. MIM lays the groundwork for Zero Trust.

Zero Trust is the latest movement in enterprise security. Traditionally, once a user or machine passes through the firewall, it is “trusted” and can move laterally, unchecked, through the systems landscape. A Zero Trust approach verifies each request as if the request is coming from an open, unsecured network.

Zero Trust is a strategy, not a tool. To enable that strategy without slowing down business processes, organizations must have the architecture and frameworks in place for managing machine identities efficiently.

What’s Next

When it comes to machine identities, the train has left the station. Certificates and keys are already at play in every enterprise organization and stand as an integral feature of any modern digital infrastructure.

As a company, it’s unlikely that your primary function is to create an efficient MIM process. We believe the traditional method of managing machine identities is tedious, manual, and often misunderstood, and can significantly inhibit your security team from focusing on their higher-level objectives.

The field of MIM and its umbrella, IAM, has splintered into exciting new subfields that position MIM as not only sustainable but as a value-add to your organization. That’s where Keyfactor comes in. We help organizations take back control and secure every machine identity so they can focus on driving business value. Let us show you how our cloud-first platform makes it easy to manage and protect every key and certificate across your business — schedule a demo to learn more.

 

Gartner, Hype Cycle for Digital Identity, 2022, Felix Gaehtgens, 25 July 2022

Gartner and Hype Cycle are registered trademarks and service marks of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Ted Shorter

Chief Technology Officer

This article was originally published by Spiceworks News & Insights on July 29, 2022.

Cryptography is the foundation of the digital world. Many companies today are digital businesses, using technology to sell, engage with customers, and complete day-to-day operations. For these businesses, cryptography and public key infrastructure (PKI) are essential in establishing the trust companies need across their IT infrastructures and product solutions. Amid a growing wave of increasingly sophisticated cyberattacks such as those on SolarWinds and Kaseya, PKI is a stalwart defender of zero-trust strategies. By providing unique digital identities for users, devices, and applications, tying assigned permissions to an entity’s identity, and supplying strong user authentication, PKI protects sensitive data and secures end-to-end communications.

As the number of digital identities, access controls, code signing requirements and trust relationships businesses maintain grow exponentially, PKI and cryptography will play a critical role in modern organization visibility and machine identity management, especially as attacks increase in sophistication and severity. Meeting current security challenges while anticipating and planning for future needs will require companies to keep close tabs on changes impacting their business and cryptographic needs.

Against this backdrop, here are the most significant trends in cryptography we can expect to see for the remainder of 2022.

Prediction 1: PKI silos will need to be eradicated to achieve governance

For companies pursuing zero-trust security goals, overhauling PKI governance is a must. Today, more and more outages are caused by expired certificates, as seen in the recent outages from Fortinet, Shopify, and other major enterprises. Centralized visibility and control over an organization’s various applications of machine identities and the PKI that sits behind them are crucial to achieving the access control required for regulatory compliance and enterprise cybersecurity.

To that end, businesses are investing in PKI to manage their certificates, performing PKI consolidation, and migrating several disparate PKIs into a single multi-tenant solution, such as EJBCA. However, while these approaches are gaining popularity, the reality is that PKI silos will persist in large organizations. This is because manual certificate management processes have not kept up with the evolution of IT environments. As enterprises continue to deploy more machine identities, PKI governance inevitably becomes siloed, putting organizations at risk.

According to Pulse Research and Keyfactor, 96% of IT security executives report that PKI is essential to implementing a zero-trust architecture. Hence centralized management of PKI and the machine identities they govern will provide the visibility necessary to make this a reality. This ranges from authenticating every user’s and device’s identity on the network and encrypting all data at transit across the organization to maintaining the integrity of data coming to and from users/devices.

Prediction 2: Complete visibility and proactive certificate management will be essential to zero-trust

The race to digital transformation has introduced a new set of security challenges. With an exponential number of machine identities created each day, IT and security teams are struggling to manage the security certificates tied to those identities. As businesses continue to grow more digital, proactive certificate management will become even more essential. Without proper machine identity and certificate management, organizations stand to experience massive outages, among other detrimental consequences.

Furthermore, organizations are struggling to decide how to handle PKI and the management of machine identities. Today, a plethora of options exist for obtaining code signing certificates, and there are far more identities across users, devices, and applications for which certificates must be deployed to vouch for the legitimacy of an end user. The ongoing evolution of IT environments means that PKI certificates are applied in many ways and in various environments. Web servers, for example, need certificates from a public certificate authority (CA), while internal identity management falls under a private CA. Furthermore, digital certificates used in DevOps practices have short lifecycles, while website SSL certificates live longer.

While it is expected that an organization’s strategy includes obtaining certificates from multiple sources, it is essential to have complete visibility over these systems. This is especially critical to maintaining security in a highly distributed cloud environment.

Prediction 3: Post-quantum cryptography is gaining traction

Quantum computing’s ability to crack current asymmetric encryption algorithms poses a serious threat to PKI, Transport Layer Security (TLS), virtual private networks (VPNs), and a wide range of other systems. Although quantum computers capable of breaking classical cryptography are still years away, there is certainly early movement here. They likely will emerge during the lifecycle of solutions being developed today.

To address this issue, new post-quantum cryptographic (PQC) algorithms are being developed. These algorithms are built on mathematical problems that remain computationally hard even for a quantum computer, which is what keeps them secure against a quantum attack. While PQC has been discussed in certain circles for a while, the years-long PQC effort the National Institute of Standards and Technology (NIST) announced in 2015 has given it credence.

While NIST recently announced its Round 3 selections for standardization, final standards are not expected until 2024. Following the adoption of standardized algorithms, there will be modifications to standard protocols and formats to use the new algorithms. Then there will be the implementations of those algorithms and protocols in cryptographic toolkits (e.g., Bouncy Castle, OpenSSL) and operating systems (Windows, macOS, Android, iOS), followed by the use of those algorithms by products that use those toolkits or operating systems, such as web browsers, email clients, and IoT devices.

Then there will be procurement and rollout of those new products and operating systems that use those new algorithms and protocols. Finally, deployments of those implementations must reach “critical mass” in the ecosystems those products operate in. It does not do any good to roll out a new algorithm or protocol if the products or devices in an organization’s system do not support it. All in all, this process can take anywhere between four and 20+ years after 2024.

This all said, companies can start building PQC solutions based on the draft standards, which will lay the groundwork for developers to prepare for future developments. With official standards, PQC will come into its own and will gain widespread acceptance and inclusion in regulations and standards moving forward. To prepare for PQC, organizations must inventory all their keys and algorithms and create a plan based on automation to update them.
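Prediction 2's call for complete visibility and the PQC preparation step above both start with the same concrete action: an inventory that records, for every certificate, which public-key algorithm and key size protect it and how long it has left before it causes an outage. The Go program below is an added example written for this page, not code from Keyfactor, EJBCA, or any product the article names. It constructs three self-signed sample certificates inline (an RSA-2048 web certificate, an ECDSA P-256 signing certificate, and a short-lived Ed25519 CI certificate, all with hypothetical names) so it runs offline, then classifies them the way an inventory would: every classical algorithm is marked for eventual PQC migration, and anything inside a 30-day renewal window is marked as an outage risk. A real inventory would parse DER or PEM pulled from CA databases, key stores, and TLS endpoints instead of generating its own input.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CertRecord is one inventory row: the identity, the algorithm protecting it,
// and how urgently it needs attention.
type CertRecord struct {
	Subject           string
	KeyAlgorithm      string // "RSA-2048", "ECDSA-P-256", "Ed25519", ...
	QuantumVulnerable bool   // every classical public-key algorithm is flagged
	DaysToExpiry      int
	ExpiringSoon      bool // NotAfter falls inside the renewal window
}

// classifyKey names the public-key algorithm and says whether a large quantum
// computer would break it. RSA, ECDSA and Ed25519 all rest on factoring or
// discrete logarithms, so all three are flagged; anything unrecognised is
// flagged for manual review rather than assumed safe.
func classifyKey(c *x509.Certificate) (string, bool) {
	switch k := c.PublicKey.(type) {
	case *rsa.PublicKey:
		return fmt.Sprintf("RSA-%d", k.N.BitLen()), true
	case *ecdsa.PublicKey:
		return "ECDSA-" + k.Curve.Params().Name, true
	case ed25519.PublicKey:
		return "Ed25519", true
	default:
		return fmt.Sprintf("unrecognised (%s)", c.PublicKeyAlgorithm), true
	}
}

// Inventory classifies parsed certificates relative to now: those expiring
// within renewWindow are the outage risk, those with a quantum-vulnerable key
// are the PQC migration backlog.
func Inventory(certs []*x509.Certificate, now time.Time, renewWindow time.Duration) []CertRecord {
	records := make([]CertRecord, 0, len(certs))
	for _, c := range certs {
		alg, vulnerable := classifyKey(c)
		remaining := c.NotAfter.Sub(now)
		records = append(records, CertRecord{
			Subject:           c.Subject.CommonName,
			KeyAlgorithm:      alg,
			QuantumVulnerable: vulnerable,
			DaysToExpiry:      int(remaining.Hours() / 24),
			ExpiringSoon:      remaining < renewWindow,
		})
	}
	return records
}

// SampleCerts builds three constructed self-signed certificates (hypothetical
// names) so the example runs offline without touching a real CA or endpoint.
func SampleCerts(now time.Time) ([]*x509.Certificate, error) {
	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	_, edKey, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	specs := []struct {
		cn       string
		key      crypto.Signer
		lifetime time.Duration
	}{
		{"web.example.test", rsaKey, 20 * 24 * time.Hour},         // public web cert, 20 days left
		{"build-signer.example.test", ecKey, 365 * 24 * time.Hour}, // internal code-signing cert
		{"ci-runner.example.test", edKey, 24 * time.Hour},          // short-lived DevOps cert
	}
	certs := make([]*x509.Certificate, 0, len(specs))
	for i, s := range specs {
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(int64(i + 1)),
			Subject:      pkix.Name{CommonName: s.cn},
			NotBefore:    now.Add(-time.Hour),
			NotAfter:     now.Add(s.lifetime),
		}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, s.key.Public(), s.key)
		if err != nil {
			return nil, err
		}
		c, err := x509.ParseCertificate(der)
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
	return certs, nil
}

func main() {
	now := time.Now()
	certs, err := SampleCerts(now)
	if err != nil {
		panic(err)
	}
	for _, r := range Inventory(certs, now, 30*24*time.Hour) {
		fmt.Printf("%-28s %-12s pqc-migrate=%-5t expires-in=%3dd renew-now=%t\n",
			r.Subject, r.KeyAlgorithm, r.QuantumVulnerable, r.DaysToExpiry, r.ExpiringSoon)
	}
}
```

Two design points carry over to a real inventory. First, the unknown-algorithm branch flags rather than clears: a certificate the tool cannot classify is precisely the one that should reach a human, since it may be a legacy or proprietary scheme. Second, the two flags are deliberately separate: the renewal window drives the automation that prevents the expired-certificate outages described under Prediction 1, while the algorithm flag sizes the migration that Prediction 3 says must be planned now, long before the standards land.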

Even if PQC does not happen, the algorithms and keys we use today will not be secure in the future. We know this because the ones we used 15-20 years ago are not considered secure today. Regardless of what the future holds, organizations should never design systems to use cryptography statically.
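The closing sentence above is a design rule, and the cheapest way to honour it is to make the algorithm a tagged, table-driven choice rather than a hard-coded call. The Go program below is an added illustration of that rule for this page, not Keyfactor's code or any product's API. Signed messages carry an algorithm identifier; a registry maps identifiers to verifiers and to a retirement policy; retiring an algorithm is therefore a policy flip and adding a future one is a new registration, with no change at the call sites that verify. The two registered algorithms (ECDSA P-256 with SHA-256 and Ed25519) and the identifier strings are this example's own choices, and the unregistered `FUTURE-PQC-SIG` identifier is a placeholder, not a standard name.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedMessage carries the algorithm identifier next to the signature so the
// verifier never has to assume which algorithm produced it.
type SignedMessage struct {
	Alg     string
	Payload []byte
	Sig     []byte
}

// verifyFunc checks sig over payload under an algorithm-specific public key.
type verifyFunc func(pub crypto.PublicKey, payload, sig []byte) bool

// Registry is the single place that knows which algorithms exist and which
// are still allowed. Verifying code depends on the registry, not on ecdsa or
// ed25519 directly, so a migration touches this table rather than every caller.
type Registry struct {
	verifiers map[string]verifyFunc
	retired   map[string]bool
}

var (
	ErrUnknownAlg   = errors.New("unknown signature algorithm")
	ErrRetiredAlg   = errors.New("signature algorithm retired by policy")
	ErrBadSignature = errors.New("signature verification failed")
)

// NewRegistry registers the two classical algorithms this example knows about.
func NewRegistry() *Registry {
	r := &Registry{verifiers: map[string]verifyFunc{}, retired: map[string]bool{}}
	r.Register("ECDSA-P256-SHA256", func(pub crypto.PublicKey, payload, sig []byte) bool {
		k, ok := pub.(*ecdsa.PublicKey)
		if !ok {
			return false
		}
		h := sha256.Sum256(payload)
		return ecdsa.VerifyASN1(k, h[:], sig)
	})
	r.Register("Ed25519", func(pub crypto.PublicKey, payload, sig []byte) bool {
		k, ok := pub.(ed25519.PublicKey)
		return ok && ed25519.Verify(k, payload, sig)
	})
	return r
}

func (r *Registry) Register(name string, v verifyFunc) { r.verifiers[name] = v }
func (r *Registry) Retire(name string)                 { r.retired[name] = true }

// Verify enforces policy before cryptography: an unknown or retired algorithm
// is rejected even if its signature would have checked out.
func (r *Registry) Verify(pub crypto.PublicKey, m SignedMessage) error {
	v, ok := r.verifiers[m.Alg]
	if !ok {
		return ErrUnknownAlg
	}
	if r.retired[m.Alg] {
		return ErrRetiredAlg
	}
	if !v(pub, m.Payload, m.Sig) {
		return ErrBadSignature
	}
	return nil
}

// Sign produces a tagged message; a production signer would select the key by
// key id from an HSM or KMS rather than receive it as a parameter.
func Sign(alg string, priv crypto.Signer, payload []byte) (SignedMessage, error) {
	switch alg {
	case "ECDSA-P256-SHA256":
		h := sha256.Sum256(payload)
		sig, err := priv.Sign(rand.Reader, h[:], crypto.SHA256) // ASN.1 DER signature
		return SignedMessage{Alg: alg, Payload: payload, Sig: sig}, err
	case "Ed25519":
		sig, err := priv.Sign(rand.Reader, payload, crypto.Hash(0)) // pure Ed25519
		return SignedMessage{Alg: alg, Payload: payload, Sig: sig}, err
	}
	return SignedMessage{}, ErrUnknownAlg
}

func main() {
	reg := NewRegistry()
	ecKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	m, _ := Sign("ECDSA-P256-SHA256", ecKey, []byte("constructed sample payload"))
	fmt.Println("before retirement:", reg.Verify(ecKey.Public(), m))
	reg.Retire("ECDSA-P256-SHA256") // policy change only; no verifier code touched
	fmt.Println("after retirement: ", reg.Verify(ecKey.Public(), m))
	fmt.Println("future algorithm: ", reg.Verify(ecKey.Public(), SignedMessage{Alg: "FUTURE-PQC-SIG"}))
}
```

The order of checks in `Verify` is the point: policy (known, not retired) is evaluated before any signature math, so an attacker cannot keep a deprecated algorithm alive by presenting valid signatures under it, and the rollout of a replacement algorithm described in Prediction 3 becomes an additional `Register` call followed, later, by a `Retire` of the old identifier.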

In the second part of this series, we will dive into the remaining trends that are emerging in the cryptography space. Stay tuned for more on how crypto-agility will go mainstream and why the industry will start to see more adoption of security standards as guidelines as quantum computing draws nearer.

3. IoT has become the next wave for machine identity management (MIM).

Connected products present an entirely new use case and environment for MIM, bringing the advantages of digital infrastructure to physical processes: they generate real-time production data, alert operators to upcoming maintenance needs, track assets, and more.

As per Gartner, “these connected devices bridge cyber and physical worlds, and open up new threat vectors.” We believe a robust MIM strategy will prove key in preventing privacy breaches in high-governance industries like finance and healthcare. This will help guard against attacks on “industrial devices that lead to operational impacts and, potentially, catastrophic events in safety-critical production areas.”

IoT fields present unique demands and challenges in terms of both compliance and design. While the public sphere has made progress in defining approaches for IoT authentication, there is still plenty of work to do. As per Gartner, “most IIoT systems are self-contained and use native proprietary means for authentication.” Also, “Some authentication methods are not good candidates due to certain IoT devices that are resource or feature constrained with low computing power and limited secure storage capacity,” Gartner suggests. “Evaluate and adopt authentication frameworks that support the range of device types across the IoT realms in operation.”

4. The supporting infrastructure around machine identities is still finding its footing.

On top of a greater variety and volume of machines, use cases among different business units and departments differ, as well. This widespread usage requires a set of centralized standards to keep MIM aligned throughout the organization while still allowing departments the flexibility to implement MIM in ways appropriate to their unique contexts.

However, frameworks and governance supporting best practices in MIM are still emerging. The Hype Cycle identifies a “chicken and egg” problem, in that “Target applications wait to see if a standard takes off and IAM vendors wait for wide support in their target applications.”

As per Gartner, “There is only a partial convergence of tools. Many tools have different approaches with regards to user interfaces, integrations, discovery, reporting capabilities, reach and latency. This results in a best-of-breed strategy using multiple tools.” Gartner suggests, “Determine the overall interdependence of machine identities by establishing discovery processes. Evaluate a mix of multiple tools that can provide continuous observability of machines in your hybrid and multicloud environment.”

New MIM platforms and service models are making it easier for organizations to manage machine identities and public key infrastructure. These centralized platforms provide a hub for the state of MIM across the enterprise and set the stage for automation. They create cost efficiencies, too. In the past, each business unit managing machine identities required its own certificate authority (CA), and each CA required its own server. Modern MIM platforms can host multiple CAs on one server. These offerings come prepackaged with databases and integrations, allowing users to avoid vendor bloat. PKI-as-a-Service offerings allow organizations to outsource MIM completely through an efficient SaaS subscription model.

5. MIM is critical to enabling more agile workflows across design, development, and security operations.

Agile and DevOps processes heavily employ cloud systems and other decentralized platforms to facilitate iterative development and fast feedback loops. From a security perspective, that means a higher velocity of digital requests and transactions that must be secured without becoming a bottleneck.

Security, software testing, and compliance phases are often regarded as speedbumps to agility and innovation. But the “shift left” trend recasts these sticky phases as accelerators by bringing security, testing, and compliance stakeholders into the design conversation at the earliest stages, an approach known as DevSecOps. With the proper tools, we believe key tenets of DevOps, like automation, can be expanded to security and MIM.

6. MIM lays the groundwork for Zero Trust.

Zero Trust is the latest movement in enterprise security. Traditionally, once a user or machine passes through the firewall, it is “trusted” and can move laterally, unchecked, through the systems landscape. A Zero Trust approach verifies each request as if the request is coming from an open, unsecured network.

Zero Trust is a strategy, not a tool. To enable that strategy without slowing down business processes, organizations must have the architecture and frameworks in place for managing machine identities efficiently.

What’s Next

When it comes to machine identities, the train has left the station. Certificates and keys are already at play in every enterprise organization and stand as an integral feature of any modern digital infrastructure.

As a company, it’s unlikely that your primary function is to create an efficient MIM process. We believe the traditional method of managing machine identities is tedious, manual, and often misunderstood, and can significantly inhibit your security team from focusing on their higher-level objectives.

The field of MIM and its umbrella, IAM, has splintered into exciting new subfields that position MIM as not only sustainable but as a value-add to your organization. That’s where Keyfactor comes in. We help organizations take back control and secure every machine identity so they can focus on driving business value. Let us show you how our cloud-first platform makes it easy to manage and protect every key and certificate across your business — schedule a demo to learn more.


Gartner, Hype Cycle for Digital Identity, 2022, Felix Gaehtgens, 25 July 2022

Gartner and Hype Cycle are registered trademarks and service marks of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Ted Shorter

Chief Technology Officer

*** This is a Security Bloggers Network syndicated blog from Blog Archive – Keyfactor authored by Ted Shorter. Read the original post at: https://www.keyfactor.com/blog/pki-silos-post-quantum-crypto-and-other-emerging-trends-in-cryptography-part-1/