As the curtains closed on Simplify PKI 2021 – AppViewX’s very first event on all things crypto, we couldn’t help but marvel at the wealth of insights that the sessions had generated. Each session was an eye-opener, and each presenter had something that made the audience (and even the other panelists) go, “Wow, I never thought of that!” Our evidence? Questions thrown at the presenters faster than they could answer, follow-up emails asking for one-on-one sessions, and even some proof of concept sign-ups!
One such enlightening session was presented by David Mahdi, Sr. Director Analyst at Gartner. His session, Journey to a World-Class Crypto Center of Excellence, opened up a whole new way of thinking about enterprise crypto and deconstructed some seemingly complex concepts into simple ones.
In this blog, we bring you some key takeaways from the session. Read on!
The Hero’s Journey
Mahdi mapped the Crypto Center of Excellence (CCOE) journey onto the Hero’s Journey, which, like any other journey, is full of highs and lows, crests and pitfalls, on the way to a glorious but elusive summit. The stages of the Hero’s Journey (illustrated in the session) translate to the CCOE as follows:
The Call to Adventure: Where an enterprise is pushed out of its comfort zone due to external or internal circumstances, such as customers moving online, a long-overdue expansion, etc., and is motivated or forced to rethink its strategy.
The Threshold: Where the enterprise enlists the help of seasoned professionals to guide them along their journey. This could be an external agency (an analyst such as David Mahdi), or a technology such as the cloud, serving as the means to an end.
The Abyss: Where the enterprise experiences its first trial by fire. This could be an outage or a data breach, where the enterprise incurs significant service disruption, customer escalations, or loss in revenue.
The Transformation: Where an enterprise emerges from the trial transformed. Here, it learns from its mistakes and implements radical measures. In the CCOE journey, this could be realizing the need for a CCOE, enforcing stricter policies, and investing in cybersecurity tools to strengthen their security posture. As Mahdi says, “Don’t let a good breach go to waste.”
Digital Transformation and Trust
Digital transformation isn’t a thing of the future anymore. It’s something we’re living through now. Covid-19 has accelerated digital transformation; remote work and online customer trends have forced every business to become a digital business. Digital businesses generate an enormous volume of data, leading to an exponential rise in the number of machines that store and process this data.
Here’s a great example of digital business – a new-age logistics company. This company uses sensors to track the temperature, origin, docking of ships, etc. – all of which are data elements. Operators could use these data elements to make mission-critical decisions. For example, they could gauge the weather conditions with sensors and ask a ship at sea to delay its arrival by a few hours to save on fuel costs.
But, how can these sensors be trusted? Let’s say a bad actor tampered with a temperature sensor, setting it to display the temperature lower than it actually is. If the container has temperature-sensitive items such as food or some equipment, they’re gone for good. And the scary part is operators may not even be aware the sensor has been tampered with to do anything about it.
For digital transformation to work, and to realize business outcomes in the digital era, you need machines to communicate securely and effectively. How do you establish trust in machines? By building a trust fabric through identity assignment, authentication, and digital signatures. In a distributed but connected environment, you need to manage your machine identities (keys and certificates) in an agile and automated way. That’s one of the core tenets of the CCOE.
Cryptography is Critical Infrastructure
Establishing trust in a digital world is no mean task. Every business is now a digital business, which means every business has to take cryptography seriously.
Why cryptography? As we saw earlier, digital business needs digital trust, which is established through digital identity. And digital identities are built on cryptography.
We love the analogy Mahdi provided – if digital business is the roof of a house, digital trust is its walls, digital identity is the floor, and cryptography is the steel and concrete foundation on which the house is built. To build a house, you need to start from the ground-up; that is, you first need to be cryptographically sound.
Cryptography is at the heart of everything digital. So if you were to have weak crypto or a digital certificate failure, it not only affects the PKI team but the entire business, and could cost it a lot of money.
Challenges in Building a CCOE
In one of the earlier sections, when we described the journey to CCOE in terms of a Hero’s Journey, we briefly discussed something called ‘The Abyss.’ In this section, we explore what this abyss consists of, that is, the challenges one might face in their CCOE journey.
1. Lack of Resources
There are very few people out there who understand PKI and the nuances of cybersecurity. Businesses often underestimate the importance of PKI, and as a result most Infosec teams are severely understaffed. Other business units fail to understand that the common issues they face, such as the inability to log in to their systems or access an application, are the result of this resource shortage. Mahdi says it’s crucial to gather everyone around the table and educate them on the importance of information security to overcome this shortage.
2. Siloed Tools, Teams, and Lack of a Process
The CISOs of many enterprises that Mahdi has spoken to confess to using multiple cybersecurity tools such as key management systems, cloud access security brokers, firewalls, data loss prevention, etc., and each of these tools sits in its own little silo. This gives attackers, who aren’t bound by any regulations or audits, room to launch attacks that travel across these silos. They scout for vulnerabilities across tools, stitch them together, and launch a bundled attack. The recent SolarWinds attack was one such supply-chain attack, leaving behind a trail of destruction.
The above tools, when put together, have millions of lines of code, so preventing every such attack is next to impossible. What an enterprise can do is get up, dust itself off, and respond quickly. This is where being cryptographically agile helps.
Team silos produce the same effect – say, the PKI team is unaware of what the identity team is up to. Attackers find a fragmented approach to cybersecurity far easier to exploit than a strong, unified front.
3. Growing Number of Use-Cases
Covid-19 has brought with it a rise in omnichannel use-cases – online banks, mobile help-centers, etc. While this certainly is exciting, it makes it harder for Infosec teams to keep track of and manage these diverse, fast-growing identities.
Walking the Tightrope
With each attack, government regulations get stricter and stricter, as a breach could potentially affect the economy of a country, cause loss of livelihood, and sometimes even cost lives. Enterprises need to step up their crypto-strategy, and do it fast, to avoid hefty fines, loss of reputation, or even bankruptcy.
A New Approach
To have a crypto-strategy that works, CISOs and other infosec members need to get the buy-in of other business units. As we’ve seen earlier, having state-of-the-art tools doesn’t get you far unless you have the people and the process. It’s imperative that other teams understand the basics of cybersecurity so that the burden of securing the digital business doesn’t fall on the infosec team alone.
For example, if the CFO decides to invest in a new tool for analytics or the marketing team publishes a webpage, they need to be aware of the security implications. They need to obtain and manage the license keys and certificates based on the best practices laid down by the Infosec team.
Meanwhile, the Infosec teams need to be agile so that they don’t make the other teams wait for long periods of time to get anything new implemented. Cross-teamwork helps again – champions from both teams can sit together and assess the tool for compliance to certain internal policies, dramatically improving adoption speeds.
So, what exactly is CCOE?
From what we’ve seen, CCOE is the framework that weaves together people, process, and technology in digital business into one secure crypto-mesh.
Now that we have a clear idea of what CCOE is, let us look at its mission.
The Crypto Center of Excellence Mission
All business units must have collective ownership over crypto. Building a “virtual team” consisting of members from all business units can help spread the crypto message faster and more effectively.
Carry the crypto torch. Lead initiatives that inspire other business units to adopt secure practices.
Research and Gather Requirements
Go around other business units and learn about their requirements, timeframes, demands, etc., and accommodate them in your strategy.
Deliver Best Practices
Provide a ready-reckoner of compliance and crypto requirements that business units can refer to when they’re evaluating a new tool or technology.
Act as Advisors and SMEs
Guide business units on the security aspects of their tool or technology assessment, whether they comply with your policies, are free of potential vulnerabilities, etc.
Educate and Enable Business Units
Advocate the importance of security to business units, which could get you more resources.
Crypto-agility and CCOE
Crypto-agility forms a significant part of the CCOE and is the need of the hour. Crypto-agility is a measure of how quickly an organization can change the cryptography it depends on: how fast it can replace compromised keys, certificates, or algorithms after an attack or a vulnerability disclosure with minimal service disruption. The term also covers routine key rotations and algorithm upgrades, that is, the speed at which preemptive measures can be taken before a weakness is exploited.
Crypto-agility becomes highly relevant in a post-quantum world, where today’s public-key algorithms will have to be replaced, and organizations that can swap algorithms quickly will stay one step ahead of quantum attacks on their crypto.
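The crypto-agility described above, and the warning earlier in this piece that weak crypto or a certificate failure hits the whole business, both start with knowing what is in your certificate estate and measuring it against a written policy. The following Go program is an added example, not code from AppViewX, Gartner, or the session; it audits certificates against a hypothetical CCOE policy (minimum 2048-bit RSA, a list of permitted signature algorithms, a 30-day rotation window) and reports the findings. The three sample certificates, their hostnames, and the policy thresholds are all constructed for the example; a real inventory would load PEM files from servers or scan TLS endpoints instead of generating self-signed certificates in memory.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Policy is the kind of "ready-reckoner" a CCOE publishes for business units:
// minimum RSA modulus size, the signature algorithms still permitted, and how
// far ahead of expiry a certificate must be rotated. Values are hypothetical.
type Policy struct {
	MinRSABits     int
	AllowedSigAlgs map[x509.SignatureAlgorithm]bool
	RotateBefore   time.Duration
}

var DefaultPolicy = Policy{
	MinRSABits: 2048,
	AllowedSigAlgs: map[x509.SignatureAlgorithm]bool{
		x509.SHA256WithRSA: true, x509.SHA384WithRSA: true, x509.SHA512WithRSA: true,
		x509.ECDSAWithSHA256: true, x509.ECDSAWithSHA384: true, x509.ECDSAWithSHA512: true,
		x509.PureEd25519: true,
	},
	RotateBefore: 30 * 24 * time.Hour,
}

// Audit returns the policy violations for one parsed certificate as of now.
// An empty result means the certificate is compliant.
func Audit(c *x509.Certificate, p Policy, now time.Time) []string {
	var issues []string
	// Weak key: RSA modulus shorter than the policy minimum.
	if pub, ok := c.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < p.MinRSABits {
		issues = append(issues, fmt.Sprintf("rsa-%d below minimum %d bits", pub.N.BitLen(), p.MinRSABits))
	}
	// Deprecated algorithm: anything not on the allowed list (e.g. SHA-1 signatures).
	if !p.AllowedSigAlgs[c.SignatureAlgorithm] {
		issues = append(issues, fmt.Sprintf("signature algorithm %s not allowed", c.SignatureAlgorithm))
	}
	// Lifecycle: already expired, or inside the rotation window.
	switch {
	case now.After(c.NotAfter):
		issues = append(issues, "expired")
	case c.NotAfter.Sub(now) < p.RotateBefore:
		issues = append(issues, fmt.Sprintf("expires in %d days, rotate now", int(c.NotAfter.Sub(now).Hours()/24)))
	}
	return issues
}

// selfSigned builds a constructed sample certificate so the example runs offline.
func selfSigned(cn string, bits int, alg x509.SignatureAlgorithm, notAfter time.Time) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:       big.NewInt(1),
		Subject:            pkix.Name{CommonName: cn},
		NotBefore:          notAfter.Add(-365 * 24 * time.Hour),
		NotAfter:           notAfter,
		SignatureAlgorithm: alg,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// AuditSampleInventory runs the policy over three constructed certificates
// (hypothetical hostnames) and returns the findings keyed by common name.
func AuditSampleInventory() (map[string][]string, error) {
	now := time.Date(2021, 6, 1, 0, 0, 0, 0, time.UTC) // fixed clock so results are reproducible
	samples := []struct {
		cn       string
		bits     int
		alg      x509.SignatureAlgorithm
		notAfter time.Time
	}{
		{"api.example.test", 2048, x509.SHA256WithRSA, now.Add(300 * 24 * time.Hour)},    // compliant
		{"legacy-erp.example.test", 1024, x509.SHA1WithRSA, now.Add(10 * 24 * time.Hour)}, // weak key, SHA-1, expiring
		{"sensor-gw.example.test", 2048, x509.SHA256WithRSA, now.Add(-24 * time.Hour)},    // already expired
	}
	report := make(map[string][]string)
	for _, s := range samples {
		c, err := selfSigned(s.cn, s.bits, s.alg, s.notAfter)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", s.cn, err)
		}
		report[s.cn] = Audit(c, DefaultPolicy, now)
	}
	return report, nil
}

func main() {
	report, err := AuditSampleInventory()
	if err != nil {
		panic(err)
	}
	for cn, issues := range report {
		fmt.Printf("%-26s %v\n", cn, issues)
	}
}
```

Running the program prints no findings for api.example.test, three for legacy-erp.example.test (short key, SHA-1 signature, expiry inside the rotation window) and one for sensor-gw.example.test (expired). The policy lives in one struct on purpose: when an algorithm has to be retired, the CCOE changes the allowed list in one place and every business unit's inventory is re-scored against it, which is what crypto-agility looks like in practice.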
We hope you enjoyed this piece on the CCOE. As you may have noticed, machine identity is a term that appears repeatedly in this article. David Mahdi presented a session on machine identity as well (Machine Identity – The Often Overlooked Piece of the IAM Puzzle), and you can read our take on it here.