Future (Agile Crypto / Agile PKI)

Wednesday September 16, 2020 10:31 - 10:59

Speaker: Muralidharan Palanisamy

Category: Seminars

Business agility has been a common organizational goal since the turn of the millennium – practices like agile methodologies, accelerated DevOps, and digital transformation are all, in one way or another, geared towards achieving that overarching goal. While considering the strategic goal of digitally enabling an agile business model, it is important to remember that an organization’s security architecture must be engineered to scale along with the rest of the business, and is expected to be just as agile as the processes it secures. However, cryptography – which forms the cornerstone of security in the digital era – has historically been a slow, antiquated practice, with tasks as simple as replacing a digital certificate on a server taking an hour to execute and test. The principle of enterprise crypto-agility is designed to eliminate that particular weak link, and thus empower cryptography to be on the same footing as other IT processes. The looming threat of quantum computing has brought this subject to the forefront of the security space in modern times. 


Crypto-agility may be defined as the ability of an organization or business unit to rapidly adapt to and implement crypto changes in bulk, and primarily applies to PKI. This is made possible by knowing what cryptography one possesses, where it is located, and how it can be manipulated. This is a valuable ability to have, for two reasons. One, it enables smooth transitions or upgrades to new best practices, mandates, or directives without disrupting business, and two, it enables teams to rapidly respond to threats by modifying cryptography without impacting the functionality or working of the network component in question. However, ‘becoming crypto-agile’ is not a panacea to every security issue. It’s a gradual process, and begins at a grassroots level. For instance, TLS 1.0 was recently deprecated by most major browsers, prompting the majority of the internet to migrate to TLS 1.2/1.3. Now, in addition to arranging for a migration, personnel would have to obtain new TLS 1.2-compatible certificates, locate every certificate on their network with an outdated algorithm, and replace it. Manually, this would take several days.


The example above illustrates the need for an agile model, though that’s just the tip of the iceberg. While there is no tool that can imbue crypto setups with instant agility, there are several things a CISO/CSO can do to achieve those attributes. This includes obtaining visibility into PKI, being able to quickly rotate certificates and keys, and automating their management by removing as much human interaction with the system as possible. Now, this may be done in parts, or in one fell swoop – there are tools which, when used in combination with effective policy, check several boxes off the list without the need to implement each individual requirement. In this session, we’d like to talk about the fastest, most effective route to achieving crypto-agility, and a realistic method of applying a generalized version of it to organizational networks.

Speakers


Muralidharan Palanisamy Speaker

Chief Solutions Officer
AppViewX

Passionate enterprise technology influencer, currently overseeing Innovation, Strategy and Product Direction to enable customers to achieve frictionless application deployment using automation at AppViewX.

Muralidharan spent the last two decades mastering Infrastructure and Network Solutions, Information Security, Encryption and Cryptography. Over the years, he led several Application, Security and PKI related projects in varied industries, predominantly Financial Services and other regulated industries.