Countdown to crypto-agility
January 28, 2021
Like many people, I look forward to the opportunities of the new year. But 2021 will present new and equally pressing challenges as enterprises begin operating in the “new normal.”
This is especially true with cryptography. Because our cryptography is under increasing threat from current technology. Today, companies are facing AI and machine learning-assisted crypto-attacks and other cryptographic threats that find vulnerabilities in software and hardware implementations. If this weren’t worrisome enough, we’re one year closer to the breaking point of our 40-year-old cryptographic schema, which could bring business as we know it to a screeching halt. Quantum computing will break these cryptographic fundamentals.
Cryptography is the essential but often overlooked foundation for how companies conduct transactions securely over the Internet. Our standard RSA-based cryptographic methods—encryption keys, identity authentication and SSL certificates—make it possible to exchange data via the cloud, deliver products and services, communicate with customers and, most importantly, maintain integrity and trust.
While many organizations are actively managing the risks of adversaries and insider threats, and few have prepared to mitigate the risk of the impending cryptographic failure. Perhaps they’re waiting for the National Institute of Standards and Technology (NIST) to identify the next quantum resilient cryptographic method before they start this planning? To be clear, NIST has been busy strengthening RSA-based cryptography standards while working on Post-Quantum Cryptographic (PQC) algorithms with the first ones ready for roll-out as early as this year.
<<< Start >>>
Enterprises should do their homework now and be ready to receive and deploy these algorithms into their organizations. A security patch will not do the trick.
<<< End >>>
But enterprises should do their homework now and then be ready to receive and deploy these algorithms into their organizations. A security patch will not do the trick. What’s more, no one knows which PQC algorithm(s) will be most effective in the long run. This uncertainty means enterprises could spend considerable time and budget modernizing their cryptography only to learn that ongoing flexibility through crypto agility will be required.
Set a course for crypto agility, the ability to quickly and easily change processes and cryptographic technology as discussed in our new report, "The Race to Crypto-Agility." The term crypto-agility sounds like a superpower, right? Take my word: it’s critical to start now because it’s a complex challenge, as cryptographic functions are embedded throughout the enterprise enabling the business. It’s time consuming to get organized, complete the inventory, line up properly skilled resources and manage the change.
For most companies these functions are deeply embedded in applications across the enterprise and it’s not a simply “rip and replace.” It’s going to take a transformation effort across both the security and technology functions to achieve the modularity necessary to switch in and out new algorithms and cryptographic suites easily and repeatably. This means rearchitecting and pulling cryptographic functions out of applications and converting them to a cloud-enabled service that can be called through an application programming interface (API).
To prepare, you need to know which cryptographic functions to change and what order to change them in. That’s why Accenture created our Crypto-agility Accelerator to help clients assess internal systems and functions (as well as those of external cloud providers and ecosystem partners), identify cryptographic weaknesses and make plans to remediate.
If your company has not yet started on this business resilience journey, I recommend you to begin now by reading "The Race to Crypto-Agility." Our report also shares how crypto-agility will impact organizational roles/responsibilities and suggests steps to take as PQC algorithms become available.
Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security
Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this report is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.
Copyright © 2021 Accenture. All rights reserved.