Why Cryptographic Agility Needs To Be A Top Cybersecurity Priority

Gregory Webb is the CEO of AppViewX, a cybersecurity and IT infrastructure automation platform enabling digital transformation.


Digital transformation is fundamentally reshaping the business landscape. It enables capabilities that would have been unimaginable only a few short years ago, including improved customer experience and adoption, productivity and scale enhancements from cloud and edge computing, and faster output and profits from machine learning and artificial intelligence.

Yet connecting vast numbers of users and infrastructure securely is both complex and imperative. At the heart of this challenge lies public key infrastructure (PKI) and digital certificates, which serve as the foundational elements of machine (non-human) identity management and enterprise cybersecurity.

PKI and digital certificates deliver vital trust and encryption capabilities that organizations require to conduct business smoothly, effectively and securely. Yet as digital transformation marches forward and sprawling multi-cloud environments take shape, the challenges associated with managing security scale quickly. As a result, a highly flexible certificate lifecycle management and PKI framework that ensures true cryptographic agility becomes mission critical.

Today, a successful cybersecurity strategy hinges on an effective design, the right technology controls, and an ability to adopt new cryptographic standards quickly and easily. It also includes the ability to pivot to quantum-safe certificates and evolving best practices that revolve around a Zero Trust model. Crypto-agility is the ability to quickly make changes to your PKI landscape at scale to ensure continuous availability, security and compliance so critical business processes are not disrupted.

Keys To Success

Getting a handle on PKI and digital certificates is essential for ensuring trust, secure communications and data integrity. With hundreds of millions of people accessing tens of billions of applications, services and devices, an identity-first security and Zero Trust stance is imperative. Identity governance and administration (IGA) programs that combine human and machine identity management are at the center of this equation.

To effectively implement these security measures, it is important to understand three of the core use cases for crypto-agility:

Certificate Authority (CA) Compromises

Issues with certificate authorities (CAs) and public and private certificates are certain to arise, and underlying technology changes are inevitable. As a result, when a CA encounters a problem—including a full-scale compromise—organizations must be prepared to switch to a new CA quickly to avoid disruptions. A good example of this situation is the Entrust distrust issue, which is pressuring customers to transition to a new CA before November 1, 2024, to prevent potential harmful outages and security incidents as a result of Entrust certificates being distrusted in Google Chrome.

The key to mitigating this and similar security risks revolves around preparation. Best practices include developing a contingency plan outlining the steps for switching CAs efficiently and investing in tools that promote crypto-agility and enable easy certificate management across different CAs. Regular scanning, discovery and inventory can also help identify misconfigurations and vulnerabilities exposed by expired or compromised certificates.

Shorter Certificate Validity Windows

Google’s proposal to reduce TLS certificate validity from 398 days to 90 days is a double-edged sword. While it is designed to enhance security and promote automation, it could also significantly undermine organizations that lack automation and effective crypto-agility strategies. Many organizations already struggle with annual certificate renewals. Increasing the renewal frequency to every 90 days could lead to expired certificates, critical application and service outages, and an increased risk of cyberattacks.

Full, end-to-end automation of the entire certificate and PKI automation from CSR generation and certificate binding to policy-based rotation and replacement can untangle the mess. It’s wise to invest in tools that automate certificate lifecycle management, streamline renewals and reduce the risk of human error. Enterprise security leaders should also consider a crypto-agility strategy that focuses on shorter certificate lifespans (without impacting operations). A best practice methodology standardizes enterprise PKI policies and integrates automation tools with the existing infrastructure.

Preparing For Post-Quantum Cryptography

Quantum computing introduces a significant threat to current encryption methods. Current cryptographic algorithms, used by certificates and digital signing services, could soon become vulnerable due to the significantly enhanced processing power and compute resources available with quantum computing. This could render many certificates useless and jeopardize secure transactions and sensitive data. However, advancing to quantum-resistant certificates involves better visibility and a deeper understanding of cryptographic assets across increasingly complex PKI landscapes.

Proactive planning is key to navigating this challenge. It’s critical to gain visibility into an organization’s entire cryptographic landscape, know where every machine identity within the enterprise estate resides, and identify data protection and encryption needs across systems. Organizations should implement a crypto-agility approach to develop a migration plan for deploying quantum-resistant certificates. This ensures a smooth transition and supports continued security as the quantum age unfolds.

Crypto-Agility Changes Everything

Organizations that implement crypto-agility are likely to achieve a smoother journey into digital transformation. They gain both business and security benefits that center on three areas:

• Threat visibility: Improved insight into PKI and certificates, including how, when and where certificates are being used (and potentially misused) across complex hybrid multi-cloud environments.

• Automation: A more efficient framework surrounding certificate lifecycle management from issuance to renewals to revocation. Among other things, this reduces the risk of human error and ensures timely updates to boost enterprise protection and compliance.

• Control: Maintaining control over cryptographic practices and policies ensures that an organization can swiftly adapt to industry changes, security threats and regulatory requirements without disrupting business operations.

Make no mistake: Public key infrastructure and digital certificates form the bedrock of digital security as critical IT/Sec infrastructure. They provide the essential trust and encryption necessary for organizations to offer robust services and conduct business safely and securely. Crypto-agility isn’t a buzzword or fashionable trend—it’s now at the center of protecting the digital enterprise.



Comments