We received dozens of excellent, in-depth predictions and best practices for the Cybersecurity Insight Jam. In fact, we received so many we couldn’t possibly post all of them during the virtual event. Therefore, we’ve resolved to publish as many of the unpublished pieces as we can.
In that spirit, we present this cryptography predictions article from Chris Hickman, Chief Security Officer at Keyfactor.
5 Reasons Why Cryptography Will Dominate 2021 IT Security Trends
Cryptography isn’t new. In fact, it’s ancient. Today, cryptography is everywhere in our day-to-day lives. It forms the foundation of things we don’t think about, like bank transactions and video streaming, and things we do think about, like passwords and digital currencies. In terms of network security, 2020 reinforced the importance of crypto-agility to protect digital identities from rising crypto-based exploits and attacks. Many companies are beginning to address crypto management but have yet to add crypto agility into the mix.
When it comes to security, everything that’s considered secure today will be insecure in the future, simply because of the pace of digital innovation. How we continue to use and manage cryptography will shape the way we do business next year and beyond. Digital transformation has been hyped for years, but 2020 forced many companies to accelerate initiatives due to the sudden need for remote workforces and distributed networking use cases. These new use cases have defined five crypto trends that will impact IT, network security, and IoT security in 2021 and beyond.
1. The Resurgence of Public Key Infrastructure (PKI)
PKI has been on the rise as many companies recognize its value as a bridge between security and development. PKI is surging in the internet of things (IoT) and DevOps deployments thanks to its ability to establish roots of trust and seamlessly slipstream with coding processes and development toolkits. It’s a battle-tested, foundational digital identity security tool that will see continued adoption because of its scalability and automated lifecycle management platform options.
2. The Continued Rise of Crypto-Based Exploits Using Code Signing, SSH Key, and TLS Certificates
Administrators often generate their own keys, rather than acquiring them from a trusted authority, which raises misuse and visibility risks. SSH key, TLS certificate, and code signing-based attacks are becoming more common and more frequent. While we’re also getting better at detecting these kinds of attacks, the trendline shows momentum, and the risks they present are significant, especially since these attacks can happen at any layer of the stack. Code signing and SSH keys are prevalent, with most businesses having more than they need and no easy way to track where they live within the organization. At face value, SSH keys seem harmless, but when they fall into nefarious hands, they offer attackers a backdoor to the network.
3. Shortened Digital Certificate Lifecycles
Most IT administrators will be familiar with this year’s announcement from the big browsers that certificate lifespans would be shortened to 13 months. The change came into effect this September, but the real impact won’t be felt until 2021, when administrators have to manage the sudden rollover. It’ll be particularly challenging for teams lacking tools or automation to support the rollover. Many administrators I’ve spoken to comment that the change means that their workload has just gone up 100%, but they’re still working with the same budget and staffing levels to manage that workload. While the intention behind the lifespan reduction is honorable, it’s a significant change that’s creating an additional burden for staff already struggling to manage and renew all publicly rooted SSL certificates from third-party vendors.
4. Root CA Expiration
Perhaps the most predictable (but mostly ignored) prediction is root CA expiration. As root CAs expire, the certificates issued under them will no longer be trusted, potentially causing device failures like this year’s AddTrust root CA expiration, which caused several outages on connected devices like smart TVs. Generally speaking, root stores are not managed effectively. Root management is usually done through software updates; however, if those updates aren’t applied in time, the update itself fails because the certificate it depends on is no longer trusted. Now, products are being designed to manage Roots of Trust out of band from software updates – but that process doesn’t extend to legacy products. If you don’t update your legacy roots, you can’t push updates, resulting in potential device failure. While an inconvenience on consumer devices like smart speakers, this scenario could create life-impacting consequences on machines like autonomous cars or medical devices. This is a prediction that teams can get ahead of: root CA expiration is a time-lined event and can be planned for.
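Trends 3 and 4 both come down to the same inventory question: what is the validity window of every certificate you hold, which leaf certificates exceed the 13-month (398-day) limit and will need a shorter rollover cadence, and which roots are on a timeline you should be planning around now. The script below is an added example, not code from the article or from Keyfactor. It uses only the Python standard library: a minimal DER walker pulls notBefore/notAfter, issuer and subject out of a certificate, and a report flags expired certificates, leaf certificates whose lifetime exceeds 398 days, and self-issued (root-like) certificates expiring within a planning horizon. The certificates it runs on are constructed in-code (unsigned skeletons with placeholder keys, not real certificates), and `MAX_LEAF_DAYS`, `ROOT_WARN_DAYS`, the report date `NOW` and the use of issuer == subject as a stand-in for "root" are all assumptions of the example.

```python
"""Certificate validity inventory with a minimal DER walker (standard library only).

Added example, not from the article or from Keyfactor. The sample certificates are
constructed in-code so the script runs offline; they are unsigned X.509 skeletons with
placeholder keys, not real certificates. With real DER files you would feed their bytes
to inventory() in the same way (or cross-check with `openssl x509 -noout -dates`).
"""
from datetime import datetime, timezone

MAX_LEAF_DAYS = 398   # the 13-month browser limit the article refers to
ROOT_WARN_DAYS = 365  # planning horizon for root expiry (assumption; tune to your change windows)


def _tlv(tag, body):
    """DER-encode one tag-length-value element (short or long-form length)."""
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + ln


def _parse_time(tag, raw):
    text = raw.decode("ascii")
    if tag == 0x17:                                 # UTCTime: RFC 5280 maps YY>=50 to 19YY, else 20YY
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    elif tag != 0x18:                               # GeneralizedTime already carries a 4-digit year
        raise ValueError("unexpected Time tag 0x%02x" % tag)
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_certificate(der):
    """Walk Certificate -> TBSCertificate and return validity, plus a self-issued flag."""
    tag, p, _ = _read_tlv(der, 0)                   # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, p, _ = _read_tlv(der, p)                     # tbsCertificate SEQUENCE
    tag, s, e = _read_tlv(der, p)                   # EXPLICIT [0] version is optional (absent in v1)
    if tag == 0xA0:
        tag, s, e = _read_tlv(der, e)               # serialNumber
    _, s, e = _read_tlv(der, e)                     # signature AlgorithmIdentifier
    _, s, e = _read_tlv(der, e)                     # issuer Name
    issuer = der[s:e]
    _, s, e = _read_tlv(der, e)                     # validity SEQUENCE { notBefore, notAfter }
    t1, s1, e1 = _read_tlv(der, s)
    t2, s2, e2 = _read_tlv(der, e1)
    _, s, e = _read_tlv(der, e)                     # subject Name
    # issuer == subject is a rough stand-in for "root" (assumption); a production
    # inventory would also read basicConstraints and the key identifier extensions.
    return {"not_before": _parse_time(t1, der[s1:e1]),
            "not_after": _parse_time(t2, der[s2:e2]),
            "self_signed": issuer == der[s:e]}


def inventory(certs, now):
    """certs: {label: DER bytes}. Returns [(label, days_left, [issue, ...]), ...]."""
    report = []
    for label, der in certs.items():
        info = parse_certificate(der)
        lifetime = (info["not_after"] - info["not_before"]).days
        days_left = (info["not_after"] - now).days
        issues = []
        if days_left < 0:
            issues.append("expired")
        elif info["self_signed"] and days_left < ROOT_WARN_DAYS:
            issues.append("root-expiring")          # the AddTrust-style case: schedule the root rollover
        if not info["self_signed"] and lifetime > MAX_LEAF_DAYS:
            issues.append("lifetime-over-398-days")  # will not survive the 13-month policy at renewal
        report.append((label, days_left, issues))
    return report


# --- constructed sample certificates (not real) -------------------------------------
_RSA_OID = bytes.fromhex("2A864886F70D010101")         # 1.2.840.113549.1.1.1 rsaEncryption
_SHA256_RSA_OID = bytes.fromhex("2A864886F70D01010B")  # 1.2.840.113549.1.1.11 sha256WithRSAEncryption


def _name(cn):                                      # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue
    cn_attr = _tlv(0x30, _tlv(0x06, bytes.fromhex("550403")) + _tlv(0x0C, cn.encode()))
    return _tlv(0x30, _tlv(0x31, cn_attr))


def _time(dt):                                      # RFC 5280: UTCTime through 2049, GeneralizedTime after
    if 1950 <= dt.year < 2050:
        return _tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())
    return _tlv(0x18, dt.strftime("%Y%m%d%H%M%SZ").encode())


def build_test_cert(subject, issuer, not_before, not_after):
    """Unsigned X.509 v3 skeleton with placeholder key and signature, for parser tests only."""
    sig_alg = _tlv(0x30, _tlv(0x06, _SHA256_RSA_OID) + _tlv(0x05, b""))
    spki = _tlv(0x30, _tlv(0x30, _tlv(0x06, _RSA_OID) + _tlv(0x05, b"")) + _tlv(0x03, b"\x00"))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + sig_alg
               + _name(issuer) + _tlv(0x30, _time(not_before) + _time(not_after))
               + _name(subject) + spki)
    return _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00"))


def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


NOW = _utc(2021, 1, 15)                             # constructed report date
SAMPLE_CERTS = {
    "www-leaf-ok": build_test_cert("www.example.com", "Example Issuing CA", _utc(2020, 10, 1), _utc(2021, 10, 1)),
    "api-leaf-too-long": build_test_cert("api.example.com", "Example Issuing CA", _utc(2020, 6, 1), _utc(2022, 6, 1)),
    "legacy-root": build_test_cert("Example Legacy Root", "Example Legacy Root", _utc(2000, 5, 30), _utc(2021, 5, 30)),
    "new-root": build_test_cert("Example Root 2020", "Example Root 2020", _utc(2020, 1, 1), _utc(2050, 1, 1)),
    "expired-leaf": build_test_cert("old.example.com", "Example Issuing CA", _utc(2019, 12, 1), _utc(2020, 12, 31)),
}

if __name__ == "__main__":
    for label, days_left, issues in inventory(SAMPLE_CERTS, NOW):
        print(f"{label:20s} {days_left:6d} days left  {', '.join(issues) or 'ok'}")
```

The parser follows the TBSCertificate field order from RFC 5280 rather than searching for date tags, so it also handles v1 certificates without the `[0]` version element, and it exercises both UTCTime and GeneralizedTime (the 2050 notAfter on `new-root`). The interesting output is the classification, not the dates themselves: an expired leaf is a renewal incident, a 730-day leaf is a rollover-cadence problem waiting for its next renewal, and a self-issued root with months left is the planning item trend 4 describes.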
5. Quantum-Safe Cryptography and Standards Evolution
There is still a lot of trepidation around quantum and its potential impact on technology. We’re in the early stages of quantum computing and still working to understand how its scalable architecture could exploit the algorithms we’ve designed. Cryptography is a language that uses standardizations for specifications across industries. NIST draft standards are underway and will be expanded across facets of industry and the way the internet works. Contrary to popular concern, there will be quantum-safe cryptography, but like all big changes, it will take a while for customers to realize the impacts.
While some predictions may seem more daunting than others, all of these trends point to the importance of having a plan in place to ensure crypto best practices are implemented across IT infrastructure. Understanding where digital identities – keys and certificates – live within the organization has never been more critical. Without visibility into those assets, creating a plan to manage and protect them is impossible.
Thanks again to Chris Hickman, Chief Security Officer at Keyfactor, for his contribution to the #InfoSecInsightJam. For more, check out our Identity Management Buyer’s Guide.