With the ever-increasing number of online services and electronic transactions, business owners are becoming ever more dependent on the use of cryptography to protect sensitive information from cyber attackers. Cryptographic implementations are often considered to be a project bottleneck due to their time-consuming nature and increasing cost within IT budgets.
In recent years, cryptography has been identified as an area that requires further innovation to meet the needs of large businesses. Organizations are facing multiple challenges with the implementation and ongoing maintenance of cryptography on both new and legacy systems. In this article, we present a few recommendations based on Cryptomathic’s approach to simplifying the implementation of cryptography in a project.
Cryptography as a Service
Organizations which were previously using huge numbers of Hardware Security Modules (HSMs) were looking for solutions to avoid significant monetary costs by utilizing existing HSM infrastructures and capacity within the business.
Cryptographic decisions on parameters such as algorithms, key sizes and crypto-periods were being enforced on a per-project basis – this could only scale so far.
To change this ineffective model and meet the cryptographic needs for both new and legacy applications, a centralized crypto service solution was developed by Cryptomathic in partnership with its clients (read Barclays’ case study). The Crypto Service Gateway (CSG) was the result of this partnership, created to solve the traditional problems of managing cryptography.
Cryptographic business services can now provide a user friendly and proactive solution that will allow businesses to manage cryptography easily. A few of the objectives of these services, provided by CSG, include:
- Improve responsiveness to market for business projects
- Minimize operational and future life-cycle costs
- Improve flexibility and scalability in project implementations
- Prevent cryptography being a project bottleneck
- Provide centralized control and policy management
- Simplify proof of compliance
Implementing cryptography in new projects
One of the goals of CSG was to successfully develop a central crypto service that shortens the time needed to deliver new applications into production. Successful implementation of cryptography should include good monitoring and logging capabilities to examine the usage of the service. In the case of project implementation, Cryptomathic CSG can significantly reduce costs and time on multiple levels, such as development, testing, training, procurement and proof of compliance. For more on how this applies to your business, see the CSG Business Benefits.
Reducing HSM hardware vendor dependency
An HSM solution that is hardware vendor neutral lets multiple applications securely share HSM resources without concern over being tied to one vendor in particular. This reduces the hardware vendor lock-in compared with traditional approaches and improves levels of performance management.
A centralized and granular cryptographic policy can enable seamless updates for all necessary cryptographic functions without any change in the application code. Centralized controls allow the business to restrict access to cryptographic functions and to enforce policies on key length, rotation and mode of operation. In addition, a key lifecycle management system can ensure that the right keys are in the right place at the right time, while a centralized crypto service ensures that these keys can be used efficiently, only by authorized parties and only in the correct way.
Implementing the organization’s security policy
Imagine what would happen if RSA were broken or if SHA-2 were considered too weak - it would lead to an urgent review of vast numbers of projects and applications using cryptography, followed by coding changes, testing and redeployment.
It would be both expensive and risky to carry out these operations in a short period of time. The pressure to fix the issue would easily result in a higher number of bugs being introduced. By rethinking the way cryptography is deployed within a business, both costs and risks can be reduced. With CSG, a central policy file determines which crypto operations each application can perform and identifies the correct key to use. It enforces which algorithm, key length or operation may be used. If a weakness is found in a cryptographic algorithm, it can be removed from the trusted list of algorithms and applications can immediately begin using the updated policy list.
The policy acts like a firewall, disallowing applications from performing any crypto operations that are not allowed. CSG servers sit between business applications and HSMs. Application keys are managed by an integrated central key management system.
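The policy-as-firewall idea described above, as an added example (not Cryptomathic's code and not CSG's policy format). The policy layout, application names, key ids and function names are hypothetical and constructed for illustration; the sketch assumes an application names only the operation it wants, while the central policy supplies the algorithm and key.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed policy in a hypothetical format (not CSG's own).
POLICY = {
    # Trusted algorithms and the minimum key length (bits) accepted for each.
    "trusted_algorithms": {"AES-GCM": 256, "RSA-PSS": 3072, "3DES-CBC": 168},
    # Key inventory: key id -> key length in bits.
    "keys": {"pay-data-01": 256, "pay-sign-01": 3072, "batch-01": 168},
    # Per-application grants: operation -> algorithm and key chosen by policy.
    "applications": {
        "payments-api": {
            "encrypt": {"algorithm": "AES-GCM", "key_id": "pay-data-01"},
            "sign": {"algorithm": "RSA-PSS", "key_id": "pay-sign-01"},
        },
        "legacy-batch": {
            "encrypt": {"algorithm": "3DES-CBC", "key_id": "batch-01"},
        },
    },
}

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    algorithm: Optional[str] = None
    key_id: Optional[str] = None

def authorize(policy, app, operation):
    """Default-deny check: the caller names an operation, policy supplies the rest."""
    grant = policy["applications"].get(app, {}).get(operation)
    if grant is None:
        return Decision(False, "operation not granted to this application")
    alg, key_id = grant["algorithm"], grant["key_id"]
    min_bits = policy["trusted_algorithms"].get(alg)
    if min_bits is None:
        return Decision(False, f"{alg} is not on the trusted list")
    key_bits = policy["keys"].get(key_id)
    if key_bits is None or key_bits < min_bits:
        return Decision(False, f"key {key_id} is missing or shorter than {min_bits} bits")
    return Decision(True, "ok", alg, key_id)

def retire_algorithm(policy, alg):
    """Return a copy of the policy with alg removed from the trusted list."""
    trusted = {a: b for a, b in policy["trusted_algorithms"].items() if a != alg}
    return {**policy, "trusted_algorithms": trusted}
```

Calling `authorize(retire_algorithm(POLICY, "3DES-CBC"), "legacy-batch", "encrypt")` is denied with no change to the application, and the denial reason names the retired algorithm so the affected grant can be repointed in the policy.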
References and further reading
- Selected articles on HSMs (2013-17), by Ashiq JA, Duncan Jones, Peter Landrock, Peter Smirnoff, Steva Marshall, Torben Pedersen and more
- CSG - Case Study Barclay's Bank (2014) by Cryptomathic
- How to implement efficient key management in a legacy infrastructure (2015) by Ashiq JA
- Is your crypto due a service (2014) by Duncan Jones
Image: "Storage servers", courtesy of grover_net, Flickr