{"id":17464,"date":"2024-10-04T08:28:44","date_gmt":"2024-10-04T06:28:44","guid":{"rendered":"https:\/\/sits.com\/verschluesselung-in-den-griff-bekommen\/"},"modified":"2024-11-06T10:42:56","modified_gmt":"2024-11-06T09:42:56","slug":"getting-a-grip-on-cryptography","status":"publish","type":"post","link":"https:\/\/sits.friendventure.dev\/en\/blog\/getting-a-grip-on-cryptography\/","title":{"rendered":"Getting a Grip on Cryptography"},"content":{"rendered":"

[vc_row][vc_column]

Getting a Grip on Cryptography<\/h2>[vc_column_text]Cryptography isn\u2019t usually considered a \u2018sexy\u2019 subject in the complex field of cybersecurity. When cryptography is included in an IT security roadmap, it\u2019s often only as a box that needs to be ticked off; a red flag as part of an audit, or an overdue update for a component that doesn\u2019t want to return to an older standard. And more and more often, we come across something in the cloud that simply refuses to work if you leave out the cryptography. That seems to occur more frequently these days and putting it off today doesn\u2019t make it go away. This issue causes a lot of headaches in every corner of the security world, driven in part by confusing regulations and incomprehensible technical instructions. It\u2019s always a chore, without obvious added value, which doesn\u2019t make it any easier to convince the people in charge of the money.<\/strong><\/p>\n

This lamentation among security professionals is mostly justified. But... When you consider that almost every modern security product has a big stack of cryptography under the hood \u2013 with all the complexity that entails \u2013 then it\u2019s only logical that the topic keeps popping up again and again. And now that you\u2019ve put your infrastructure in the cloud, you can\u2019t simply slap something substandard together - or leave out the crypto entirely, like before. It wasn\u2019t so long ago that organizations forbade encryption on their own network, \u2018for security reasons\u2019. That was almost standard practice up to 2015. The idea still lives on today in some corners because encryption makes inspection impossible. There goes your antivirus and your Intrusion Protection.
\nIt\u2019s a complicated puzzle, and when you think you\u2019re done there are always some pieces left over. The topic is so universal that you can almost call it a vital technology. That means knowledge and control of cryptography is essential for effective security.
\nWithin the field of computer security, crypto is de facto one of the most important issues, because it\u2019s hidden below the surface in so many places, but there are very few organizations that give it an explicit administrative owner. So, ownership is commonly left floating between Security and IT. That causes friction and inertia, and things start to break down.
\nConsidering that, now is the time for us all to swallow that bitter pill and sink our teeth into the topic.
\nWhat we\u2019ve noticed are the side effects of three fundamental developments:<\/p>\n

    \n
  1. Upscaling:<\/strong>: The number of applications of cryptography is constantly growing due to Zero Trust and the expansion of mobile working, telecommuting and the cloud; data stored outside your own infrastructure requires encryption for storage and transport (in our typical technical jargon: deperimiterization). But at the same time, cryptographic keys are valid for shorter and shorter periods, which forces more frequent rotation and other maintenance, just for availability. This increase in scale has made the issue unavoidable for supervisory bodies (hence compliance obligations like NIS2 and DORA) and operational IT (forced by disruptions and migrations).<\/li>\n
  2. Shift of security <\/strong>from the network and infrastructure layers (applications, directories, RBAC, firewalls and proxies) increasingly to the data layer (storage and transport). This process is accelerating because a larger proportion of the data is stored in separate files, instead of a logical collection in applications and databases. Since we don\u2019t know exactly what and\/or where these \u2018unstructured\u2019 data are or where they are located (and thus can\u2019t quantify the risks), we must reinforce the generic security safety nets: we encrypt the locations where the data are stored (\u2018data at rest\u2019, or the file system) and those they move through (the network, or \u2018data in transit\u2019). More complexity.The security industry also promises futuristic encryption of \u2018data in use\u2019, sometimes in combination with encryption at the level of the individual file; in DLP, enclaves, and above all the \u2018Sovereign Cloud \u2013 to keep foreign intelligence services and Big Tech from spying on us. They also like to talk about C2PA \u2013 new crypto for proving the authenticity of digital content; a logical solution in the time of deepfakes and AI disinformation. This sounds complicated and it is: it guarantees extra complexity that your organization will have to deal with.<\/li>\n
  3. Overdue maintenance. <\/strong>We\u2019re currently going through the transition from the first generation of cryptographic technology (from around 2000) to the introduction of the second generation (starting around 2015, yet far from finished today, in 2024). The transition has been slow, because it\u2019s excruciatingly difficult and we\u2019re already beginning the first migrations to the third generation of crypto. This third generation mainly involves short-term encryption keys and more modern \u2018Post Quantum\u2019 algorithms. Talk about complicated: the looming breakthrough of Quantum computers makes it feasible to crack the keys for older algorithms, so we\u2019ll basically have to replace everything we use today with the new Post Quantum cryptography.<\/li>\n<\/ol>\n

    Oh Boy.[\/vc_column_text]

    <\/div>\n

    Getting a grip on crypto<\/h2>
    <\/div>\n[vc_single_image image=\"17415\" img_size=\"large\" alignment=\"center\" style=\"vc_box_rounded\" add_border_to_image=\"yes\" dont_stretch_image=\"yes\" activate_fancybox=\"yes\" css=\".vc_custom_1728034632356{background-color: #ffffff !important;}\"][vc_column_text]Not everyone has come around to the insight that managing and mastering the use of cryptography (\u2018Crypto transparency\u2019) is an absolute necessity for any meaningful application of cryptography in security. To put it bluntly: if you get the cryptography wrong, you probably break the security of what you are doing. It\u2019s often presented as a low-maintenance technology, especially by the tooling salespeople. But the security it provides is actually the result of the safe handling of keys and the correct organization of processes and systems. As the scale increases and finds ever-wider applications, a thorough understanding of the technology is vital. And that requires a creative and specialized team that can improvise. Unfortunately, only the really big organizations have enough scale to handle that. The rest needs to work with a long-term supplier, that has such a team.<\/p>\n

    This is the core value that underlies our cryptography services: serving as a sparring partner for innovation and growth, with a clear and familiar process organization, supported with suitable process automation.[\/vc_column_text]

    <\/div>\n

    Our approach<\/h2>[vc_column_text]Getting a grip on cryptography within an organization demands a structural approach. In our experience, that approach consists of Discovery, Onboarding (taking control), and Governance (good management).[\/vc_column_text]
    <\/div>\n[vc_single_image image=\"17420\" img_size=\"large\" alignment=\"center\" dont_stretch_image=\"yes\" activate_fancybox=\"yes\"]
    <\/div>\n

    Discovery<\/h2>[vc_column_text]Without insight into where you use crypto (and where you don\u2019t yet, but should be), you won\u2019t be able to field to an adequate, contemporary security, much less maintain it. Discovery is a hybrid process between a technical scan of your own network, requesting the customized internet services (provided by the world of OSINT), interviewing IT specialists and suppliers, and analyzing designs. Discovery helps you determine:<\/p>\n