Cryptography has taken a tumultuous journey over the past 20 years. As the digital world has evolved, its role in protecting the modern enterprise has become more crucial than ever. Cyber attackers now lie in wait for businesses, and there is no perimeter strong enough to keep them out. As a result, organisations are deploying zero-trust solutions, ensuring security even in the case of a breach. The modern security challenge has been made even more complicated by the move to remote working, BYOD policies and increasingly hybrid scenarios involving an organization’s data centers and multiple clouds. Cryptography is now increasingly needed in the modern environment of remote management, but the pace needed in implementing it enterprise-wide is a challenge all in itself.
At the core of this is the fact that the cryptographic space is currently highly fragmented, with numerous solutions inherently utilizing the technology. There are many ways to authenticate identity, such as passwords, OTP and smartcards, plus numerous cryptographic methods for encrypting databases, VMs, storage and more across different clouds and data centers. To add further complexity, cryptographic signatures are also required for documents, transactions and code. Multiple point and siloed solutions can result in reduced visibility, agility, and flexibility, not to mention the strain on management with high costs involved in the deployment in different environments.
Determining a new approach
Managing and deploying cryptographic solutions in the modern age requires a new approach, with multiple layers to consider:
- Making the shift to hybrid hardware and software: Hardware solutions have traditionally powered legacy key protection. In today’s environments where everything is virtualized and managed remotely, and enterprises are moving to cloud deployments, pure hardware solutions constitute a significant obstacle. As a result, software solutions for key protection with strong guarantees are needed to replace and complement existing hardware.
- Transforming from siloed to unified key management: While legacy key protection and management has been comprised of different solutions, a unified approach with one platform that can support all cryptographic solutions in any environment is needed today.
- Ensuring integrated key management and key protection: Legacy key protection provides only simplistic management and dedicated key management solutions are often not integrated with key protection. A unified platform providing integrated key protection and management is required.
- Key misuse prevention: Legacy key protection solutions address the problem of key theft only. Today, key misuse must be addressed as an integral part of key protection.
- Adopting an agile infrastructure: Rigidity plagues legacy key protection and management solutions. Cryptography standards are continually changing; updates must be rolled out quickly and new threats need to be considered and resolved. Today’s cryptographic infrastructure needs to support agility.
- Speeding up deployment: Legacy cryptographic solutions that relied solely on hardware were ultimately slow in deployment. Today, enterprise security teams must offer on-demand cryptographic services internally in order to quickly support business needs.
Evidently, the fragmented legacy cryptographic infrastructure of the 1990s does not support modern business needs and is in desperate need of modernization.
Clearing a path
To address these challenges, firstly, modern solutions are needed that are based on openness and transparency in collaborative environments. Second, modern computing environments need modern software. Third, a new technological approach is required to deliver a software key store with proven security guarantees to complement legacy hardware and support new security requirements. Legacy solutions involved building a fortress around the device that held key material and prevented any attacker from breaching that machine. In today’s zero-trust environments, this is problematic when it comes to software-only solutions.
A different approach is to ensure that cryptographic keys are never kept in one single place at any particular time, forcing a cyber attacker to simultaneously breach several machines in order to gather information. That way there would be no single point of security failure, and strong separations between the different machines would make it extremely hard to breach.
The question however still remains; How can one cryptographic operation such as decryption or signing be carried out without holding the key? Fortunately, a methodology called Secure Multiparty Computation (MPC), also known as threshold cryptography, can do exactly this. Using MPC, the secret key is generated in two or more parts called shares, so that all shares are needed to get any information about the key. These different shares reside on different servers and devices, so that an attacker has to breach them all to steal the key.
MPC protocols enable different machines to obtain the result of the cryptographic operation, without combining any of the shares or revealing any sensitive information about the key. This means the key remains fully protected, even while in use. MPC protocols have mathematical proofs of security, guaranteeing that an attacker who cannot breach all machines is unable to learn anything about the key, even if they know the protocols used. Although anti-intuitive, when using MPC, the key is never whole in any single place, not whilst in use or while the code is generated.
Adopting a unified solution
In moving to a unified approach to key storage, organizations can ensure transformation in their existing fragmented infrastructure, allowing for improvements in efficiency, security, user experience and cost savings, while providing the necessary infrastructure for all cryptographic requirements in the business. Virtualizing cryptography allows for consistency with how other software works within the organization, ensuring scalability in cloud or on-premise environments and enabling agility in a cost-effective manner. Most critically, however, such solutions allow key orchestration across the enterprise and management of all cryptographic solutions from one location, bringing cryptography into a new technological phase.
