listen to this article:
Gluing the terms software-defined and cryptography together in one phrase may seem counter-intuitive at first. Just like the realm of networking where the software-defined trend first gained momentum, cryptography has firm roots in hardware. To be more specific, purpose-built hardware has been the basis for cryptographic key management and protection, maintaining keys’ confidentiality—a basic tenet in cryptography.
Given that cryptography is one of the foundational elements of cybersecurity—used to protect organizations’ most sensitive data, systems, and software—it’s no surprise that security-minded companies have been relying on certified and field-proven hardware in their cryptography implementations.
But the digital transformation is challenging traditions in many realms of IT, leading organizations to adopt software-defined architectures that enable faster, more scalable, more automated operations. No less so in cryptography.
Can Cryptography Be Software-Defined?
Content platform SDxCentral defines software-defined everything, or SDx, as “any physical item or function that can be performed as or automated by software.” In the context of cryptography, this means moving away from hardware key protection and processing to pure-software mechanisms and building in automation and intelligence, as a start.
But, here’s the rub: in the path to software-defined cryptography, we cannot deviate from the tradition of meticulous attention to security when designing a cryptography architecture. This is especially important when it comes to protecting sensitive data and applications, which would be at high risk without a stable security foundation in an increasingly challenging cybersecurity landscape.
What Constitutes A Software-Defined Security Architecture?
Applying the principles of software-defined IT architectures to cryptography, we can picture a high-level design that looks like this:
A software-defined cryptography architecture has the following attributes:
- Virtualized: Key generation, key storage, and cryptoprocessing are performed by secure virtual cryptographic modules that can run on any physical infrastructure.
- Automated and agile: Cryptographic functions integrate into DevSecOps processes and automated service workflows. Infrastructure elements scale automatically in response to changing service demands. For example, if there is a sudden surge in consumption of a service that uses cryptography for authentication or encryption, the virtualized cryptographic modules scale up rapidly to enable the service to operate smoothly.
- Intelligent: Centralized lifecycle management of all cryptography infrastructure components and keys, with administration and automation tools to make operations efficient, and APIs for integration with external services such as public certification authorities (CAs) and identity and access management (I&AM). Detailed real-time logs of all cryptographic operations across all infrastructure can be used for ongoing monitoring and detection of anomalous behavior indicating potential security threats, as well as for audit and compliance needs.
- Secure: Security should be a core requirement that is built into both the technology and operational processes. Cryptographic key protection should be robust and as much as possible based on security guarantees, protecting both key confidentiality and key usage. Administrative and application access controls should be enforced with the ability to define granular security policies. At the whole system level, the security model, potential threats, and risks should be assessed thoroughly and regularly by cryptography experts.
Four Stages to Achieve Software-Defined Cryptography
The vision of a software-defined cryptography architecture clearly cannot be implemented overnight or all at once. However, starting immediately, organizations can take incremental steps to realize the benefits of this approach.
Consider a path divided into multiple stages, increasing in the level of sophistication. Each stage presents further advancement toward the goal but they do not necessarily need to occur in this order or in separate time phases—a much more likely scenario is partial advancements in varied stages over time.
Following is a brief overview of the changes that each stage entails.
Stage 1: Virtualize the Infrastructure
Migrate from traditional cryptographic hardware devices such as hardware security modules (HSMs), trusted platform modules (TPMs) and smartcards to pure-software solutions with proof of hardware-level security.
In cases where hardware-based key protection is not in use today – for example when keys are located on standard laptops or servers – a virtual key protection solution can immediately boost security without requiring dedicated hardware purchase and installation.
In cases where hardware is currently in use, migration to virtual cryptographic infrastructure can be implemented gradually as hardware expires and in accordance with the particular use case requirements.
Stage 2: Centralize Management
Today, managing all cryptographic components and keys used by the organization, across varied sites and infrastructures, in a unified manner is a major challenge. Disparate products across on-premises data centers, cloud infrastructure, and endpoints lead to management silos that create overhead and inconsistent policy enforcement.
Move toward a unified management approach by adopting cryptographic key protection and management platforms that use open APIs and are designed to support any infrastructure.
Stage 3: Introduce New Applications
With the ability to implement cryptography securely and consistently anywhere, and the control provided with unified management, comes the opportunity to confidently introduce new applications that would not have been feasible before.
With software-defined cryptography, it is possible to achieve security, privacy, and regulatory compliance while also addressing service velocity and user experience requirements.
Stage 4: Orchestrate and Automate
The last stage is the most advanced, and arguably the most challenging one to achieve because it requires organizational transformation beyond the realm of cryptography.
In the ideal state, cryptography will be a fully integrated part of a software-defined environment. Services using cryptography-based security capabilities will call simple functions— “encrypt”, “sign”, or “rotate key” for example—and corresponding actions across all infrastructure components, cryptographic modules included, will occur automatically under the control of the orchestration layer.
This vision may seem a long way off. There are steps that can be taken today, however, to immediately improve operational efficiency and security through automation. Evaluate the APIs and automation capabilities provided by cryptographic products; there may be opportunities to start automating currently manual tasks that take significant time and resources.