CIO

How becoming more crypto-agile can protect your business

by Mike Dodson, Global Head of Security Architects at Venafi

The digital revolution has up-ended the way individuals and organisations communicate and do business, but extraordinary security risks have followed in its wake.

As the number of connected devices continues to explode, hackers and cyber-criminals have an ever-larger theatre in which to play, while IT security teams must work at double speed to contain and neutralise threats on multiple fronts.

Verifiable identities are the means by which machines – whether algorithms, pieces of software and hardware, or connections to the cloud – demonstrate their ‘bona fides’ to other machines to which they connect and communicate.

Digital certificates issued by Certificate Authorities (CA) have served as machine identities for these interactions since the earliest days of the internet.

A certificate issued by a CA essentially provides an assurance that the public key presented by the machine wanting to connect genuinely belongs to the name it claims, and therefore that the machine can be trusted.

Without certificates, machine-to-machine communication cannot be authenticated, so private and secure communication cannot be guaranteed. If a certificate is compromised, for example because the private key behind it is stolen, an attacker can impersonate that machine and hijack the communication.

Recent volatility in the relationships between CAs and browsers means organisations can no longer assume their long-trusted CAs will continue to be trusted by all browser makers.

Without crypto-agility – the ability to manage the use of certificates in real time – organisations could face application and service outages along with major business disruption, and potentially put customer data at risk.

Certificate authorities in flux

CAs issue millions of certificates every year, providing the critical security assets needed to allow machines to exchange information securely over the internet.

However, CAs are facing uncertain times and we’ve seen several high-profile events impacting the CA industry. For example, Google has announced that its Chrome browser will no longer trust certificates issued by Symantec’s former CA infrastructure after 23 October 2018; any site still serving such a certificate will then show Chrome users an error.

The upshot is that obtaining a certificate is just the first step to ensuring website security. Businesses and consumers can no longer assume that a certificate purchased in good faith will always be trusted by browsers. Changing circumstances may mean businesses need the ability to quickly replace a whole group of certificates in response to external events such as a CA being distrusted, so they can protect customer data and ensure business continuity.

As things stand, this could be more easily said than done for many Australian organisations.

The need for crypto-agility

Organisations need what can be termed ‘crypto-agility’: the ability to revoke and replace compromised certificates, and renew expiring ones, swiftly. However, many businesses sit at the ‘crypto-clunky’ end of the spectrum.

A recent study found only 23 per cent of organisations were confident in their ability to quickly find and replace compromised certificates.

The remaining three quarters may be putting their reputations and customers at risk because they don’t know how many certificates they have or where they are deployed, and without that inventory it is impossible to replace them quickly.

In today’s digitally-dependent world, consumers have minimal tolerance for unplanned computer outages, irrespective of their cause. Large companies whose services go down for more than a few minutes can expect to experience revenue losses, a storm of negative social media and a dent to their corporate credibility which can take time to recover from.

Security breaches can be even more damaging, as organisations around the world continue to find out to their cost. A breach can expose the personal details of tens of thousands of individuals, CVs included, which can cost an organisation high-profile customers and lead to the prospect of lawsuits.

Becoming more agile

It’s prudent for organisations looking to avoid such calamities to ensure they’re not solely reliant on a single CA. To ensure their machine identities enjoy continuous protection, companies need to be ready to remove, change or add a certificate at a moment’s notice, should issues arise with an incumbent provider.

Certificate management has traditionally been a low-to-no profile matter for most organisations. Increased appreciation of its importance, outside of the IT shop, should result in more focus being placed on ensuring continuous protection.

In addition to keeping track of changing browser root-programme policies and the potential distrust or revocation of certificates, organisations need a plan ready to roll should a change become necessary. An automated platform which discovers, tracks and manages certificates is key to making a swift and smooth switch.
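As an added example, not code from this article or from Venafi, the following Python script shows the smallest useful form of the certificate inventory the last two sections call for: it parses each certificate just far enough, using only the standard library, to recover issuer, subject and expiry, then flags every certificate issued by a CA on a distrust list (the situation the Symantec announcement above creates) or expiring within 30 days. The certificates, issuer names, file paths and the fixed clock are all constructed for the demonstration. Matching on the immediate issuer’s common name is a simplification: a real distrust covers whole root hierarchies and often depends on issuance date, and a real scan would collect certificates from hosts, load balancers and key stores rather than from a dictionary.

```python
# Certificate inventory using only the Python standard library; all sample data is constructed.
import base64
import re
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
OID_CN = bytes.fromhex("550403")  # id-at-commonName (2.5.4.3)

def _read_tlv(buf, pos=0):
    """Decode one DER element at buf[pos:]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):  # yield (tag, value) for each element inside a SEQUENCE/SET body
    pos = 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        yield tag, val

def _common_name(name):
    """CN from an X.501 Name: SEQUENCE OF (SET OF (SEQUENCE { OID, value }))."""
    for _, rdn in _children(name):
        for _, atv in _children(rdn):
            (_, oid), (_, val) = list(_children(atv))
            if oid == OID_CN:
                return val.decode("utf-8")
    return None

def _time(tag, value):
    """UTCTime (tag 0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    s = value.decode("ascii")
    if tag == 0x17:  # RFC 5280: YY >= 50 means 19YY, otherwise 20YY
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)

def parse_certificate(der):
    """Return serial, issuer CN, subject CN and notAfter of a DER certificate."""
    _, cert, _ = _read_tlv(der)        # Certificate ::= SEQUENCE { tbs, alg, sig }
    _, tbs = next(_children(cert))     # tbsCertificate is the first element
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:           # optional [0] EXPLICIT version
        fields = fields[1:]
    serial, _alg, issuer, validity, subject = fields[:5]
    _not_before, not_after = list(_children(validity[1]))
    return {"serial": int.from_bytes(serial[1], "big"), "issuer": _common_name(issuer[1]),
            "subject": _common_name(subject[1]), "not_after": _time(*not_after)}

def pem_to_der(pem):
    """Base64-decode the first CERTIFICATE block found in a PEM string."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    return base64.b64decode("".join(m.group(1).split()))

def inventory(pem_by_location, distrusted_issuers, now, warn_days=30):
    """Parse every certificate found and attach the flags that call for replacement."""
    report = []
    for location, pem in sorted(pem_by_location.items()):
        info = parse_certificate(pem_to_der(pem))
        flags = ["distrusted-issuer"] if info["issuer"] in distrusted_issuers else []
        if info["not_after"] <= now:
            flags.append("expired")
        elif info["not_after"] - now <= timedelta(days=warn_days):
            flags.append("expiring-soon")
        report.append({"location": location, "flags": flags, **info})
    return report

# --- constructed sample data: structurally valid but unsigned certificates ---
def _der(tag, content):  # DER TLV with short- or long-form length
    n, nb = len(content), (len(content).bit_length() + 7) // 8
    length = bytes([n]) if n < 0x80 else bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + length + content

def _name(cn):  # SEQUENCE { SET { SEQUENCE { OID cn, UTF8String } } }
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, OID_CN) + _der(0x0C, cn.encode()))))

def make_sample_pem(subject_cn, issuer_cn, not_after, serial):
    """Build a minimal v3 certificate; the signature field is only a placeholder."""
    validity = [_der(0x17, t.strftime("%y%m%d%H%M%SZ").encode()) for t in (not_after - timedelta(days=365), not_after)]
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, bytes([serial]))
               + _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D01010B")))  # sha256WithRSA
               + _name(issuer_cn)
               + _der(0x30, b"".join(validity))
               + _name(subject_cn) + _der(0x30, b""))  # empty subjectPublicKeyInfo
    b64 = base64.b64encode(_der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

NOW = datetime(2018, 9, 1, tzinfo=UTC)   # fixed clock so the report is reproducible
DISTRUSTED = {"Legacy Example CA"}      # placeholder CN standing in for a distrusted CA
SAMPLE_CERTS = {                        # hypothetical paths where a scan found certificates
    "/etc/nginx/ssl/www.example.com.pem": make_sample_pem("www.example.com", "Legacy Example CA", datetime(2019, 6, 1, tzinfo=UTC), 1),
    "/opt/app/conf/api.example.com.pem": make_sample_pem("api.example.com", "Example Root CA", datetime(2018, 9, 20, tzinfo=UTC), 2),
    "/etc/ssl/private/mail.example.com.pem": make_sample_pem("mail.example.com", "Example Root CA", datetime(2020, 1, 1, tzinfo=UTC), 3),
    "/home/ops/old-intranet.pem": make_sample_pem("intranet.example.com", "Legacy Example CA", datetime(2018, 1, 15, tzinfo=UTC), 4),
}

if __name__ == "__main__":
    for row in inventory(SAMPLE_CERTS, DISTRUSTED, NOW):
        print(f'{row["location"]:40} {row["issuer"]:18} {row["not_after"]:%Y-%m-%d} {",".join(row["flags"]) or "ok"}')
```

Run stand-alone, the script prints one line per certificate with its location, issuer, expiry and flags, which is exactly the list a team needs before a browser deadline: the two certificates from the placeholder legacy CA must be reissued elsewhere, the API certificate is about to expire, and only the mail certificate needs no action. The parser deliberately stops at the fields an inventory needs and never verifies signatures; feeding the flagged rows into an automated renewal workflow is the part that turns a one-off scan into crypto-agility.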

No time to lose

Recent upswings in the number of CA compromises and hacker activity mean crypto-agility has never been more important. Corporate credibility and customer loyalty will hang in the balance until organisations educate themselves about the external factors affecting certificate security and automate their processes to be able to respond to threats at speed.