listen to this article:
With the continuation of WFH initiatives and the increase in digital content, businesses everywhere are more empowered than ever about migrating their business operations to the cloud. This is majorly due to the fast-paced growth of digitization, virtualization, and mobile technology, as they provide businesses with unmatched efficiency and flexibility.
According to Deloitte Insights, security and data protection is the top driver for cloud migration. However, the cloud is still not a one-size-fits-all solution, and it comes with some trade-offs on different business, security, and operational levels. This means that any organization moving to the cloud needs to have a dynamic structure behind it, especially in terms of security. In other words, it needs to be crypto-agile.
What Defines a Crypto Agile Security System?
Crypto agility is the ability and aptitude of a security system to switch from older cryptographic algorithms and primitives to newer and more secure ones without changing the underlying infrastructure.
The idea of crypto agility is based on the principle of accelerating change, which guarantees that computing power will continue to grow at a rapid pace. Every few years, some existing cryptosystems will be rendered obsolete. This has already happened to standards such as SHA-1 and MD5, and more recently TLS 1.0 after most browsers deprecated its support in 2020. Even the ubiquitous RSA had to be improved from RSA-1024 to RSA-2048 to enhance security.
As computing power increases, current standards such as RSA, ECC (the NSA has already started moving away from it), and AES will eventually be phased out. And when NIST and other governing bodies declare that these systems should be updated, organizations should be crypto agile enough to switch without much effort and avoid being non-compliant.
Key Business Considerations for Crypto Agility
While it’s easy to make a case for moving to the cloud, the migration process is not. Before you make a move, you need to take time and plan on how to ensure business continuity, minimal time to value, and crypto agility. Here are some useful considerations.
How Long Will It Take To Move to the Cloud?
A complete shift to the cloud takes time as companies have to decide which business functions to implement in the cloud and which remain on-prem. However, hybrid systems create new problems for the IT department, and it’s important to consider integration, customization, data management, and overall security.
Who is Liable for New Vulnerabilities?
Cloud Service Providers (CSPs) adhere to a shared security responsibility model, which means your security team maintains some responsibilities for security as you move applications, data, containers, and workloads to the cloud, while the provider takes some responsibility, but not all. Defining the line between your responsibilities and those of your providers is imperative for reducing the risk of introducing vulnerabilities into your public, hybrid, and multi-cloud environments.
Are Your Developers Trained for New Programming?
Developers are responsible for the design, implementation, and maintenance of the entire cloud infrastructure. This means that beyond the standard cloud developer skills such as .NET, Java, J2EE, Spring, PHP, Python, and Perl, your development team needs advanced skillsets such as REST (over JCA), CNG, and PKCS#11.
Such expertise will be required in determining the cryptographic algorithms most appropriate for specific applications, implementing security policies such as tokenization, and setting compliance requirements for keys in storage.
Do You Have a Risk Management Framework and Back Up Strategy?
Moving to the cloud eliminates hardware dependency and associated risks, but it also introduces new risks that require careful management. To mitigate these risks, every business needs to adopt a risk management framework that measures and monitors the critical and high risks on a real-time basis. All crypto assets should also be protected using an infrastructure that supports new cryptographic standards and curves and is integrated into external services to help reduce risk and achieve compliance.
Beyond mitigation, you also need to have a backup strategy for both data loss and your cryptographic infrastructure to ensure the resilience of the entire business.
Does Your Strategy Include Futureproofing And Avoid Cloud Debt?
In the race to migrate to the cloud, CIOs mostly focus on ensuring business continuity and handling immediate challenges. However, a long-term strategy is needed to futureproof the business and avoid cloud debt. This should be a key area in the planning phase as it helps work out application dependencies, compatibility requirements, and budgets.
Agile businesses should avoid vendor lock-in to a particular CSP and at the same time enhance efficiency, by setting up a multi-cloud infrastructure. This means evaluating the need for services and solutions to prevent the need to refactor applications, change encryption methods or manually synch data when working across mulitple clouds.
Who Has Control Over Encryption Keys?
While CSPs make service provision easier by generating, managing, and storing the keys used to encrypt and decrypt data, this can put business data at risk. Businesses that need to ensure maximum data privacy and security need to adopt the Control Your Own Key (CYOK) concept. This key management strategy gives the company full ownership and control over access to the data, regardless of where it is stored or processed.
Key Technical Considerations for Crypto Agility
Here are some technical considerations that can help ensure successful implementation and a smooth transition to the cloud.
What Does Your Key Management System Offer?
Key management is a core aspect of crypto agility as it administers the entire lifecycle of cryptographic keys (generation, usage, storage, archiving, and deletion). Basically, it manages the keys, ensures regulatory compliance, and secures data from risks posed by privileged users.
Organizations should consider if their current key management systems offer the ability to prevent single point of failure and an efficient management of encryption keys, given the disparate nature of cloud (native, multi-cloud or hybrid) infrastructures.
Will Your Developers Need to Rewrite and Update Code?
Cryptographic primitives are the basic building blocks of any cryptosystem. At the moment, the NIST-approved primitives are hash functions, symmetric key algorithms, and asymmetric-key algorithms.
However, some algorithms under these primitives have already been phased out as technology caught up with them. Some of the recommended cloud standards are AES, ECC, RSA, and SHA 2. Some previously recommended standards, such as TDES (3 DES), have recently been deprecated, and the uncertainty of post-quantum cryptography accentuates the need for crypto-agile systems. Crypto agile systems that provide integration layers are critical to avoid developer rewrite and update of code when algorithms and methods are updated.
Should and Can Your Cryptographic Services be Spun Up?
Cryptographic services include ICSF, PKI Services, OCSF, and System SSL. Basically, they combine several technologies to enable functions such as tokenization, data secrecy, data integrity, personal identification, digital signatures, access governance, and key management.
When moving to the cloud, organizations should plan to ensure that new services can be spun up whenever they are required, such as infrastructures that support on-demand deployment of instances.
Does Your CSP Provide the API Your Developers Work With?
APIs are an essential part of the cloud computing infrastructure as they allow users to interact with cloud components, resources, and services. Before moving to the cloud, it’s advisable that you move to a service-oriented architecture as it allows modular business services that include standardized interfaces.
How Do You Ensure Availability?
Besides the Cloud Service Provider availability and reliability checklist, an organization needs to have an availability strategy before moving to the cloud, such as a multi-region, multi-cloud, and hybrid architecture to reduce latency, maximize the use of redundancy and ensure business continuity. These architectures also ensure that an organization can respond automatically to changes in security needs and adapt to innovation and competition. The problem is that each of the services likely use its own key management service, so implementing the architectures requires careful consideration and usually much effort.
Who Is Responsible for Backup & Disaster Recovery?
A disaster recovery plan helps identify, mitigate, and recover from interruptions of key IT services. Before you create one, map your infrastructure and conduct a business impact analysis first.
The organization has the responsibility for securing and backing up everything that connects with the cloud, including on-premises infrastructure stack and user devices, owned networks, applications, and the communication layers that connect its users, both internal and external, to the cloud and to each other – while running on AWS, Azure, or any other public cloud provider’s systems.
Be Crypto Agile And Overcome Cloud Trade Offs
To keep up with the global market, it’s inevitable that your company will make a move to the cloud at some point. This will require lots of planning to minimize cloud migration trade-offs, and it’s important that companies implement data security solutions that provide consistent protection of cloud data through a unified cryptographic key management and protection platform. This will allow the business to future-proof its systems and set up a cloud-based infrastructure that can adapt to disruptions through flexibility and scalability.