Blog - Cryptomathic

Turning Cryptography into a Service - Part 2

Written by Rob Stubbs | 15. January 2018

Part 2 – Accelerating Time-to-Market

 With the increase in e-commerce and electronic communications on the one hand, and the growing challenges of cybercrime and data protection regulation on the other hand, cryptography is becoming an increasingly important business enabler.

This is especially true in the banking and financial services industry, where large sums of money are involved that attract cyber criminals, but also in emerging industries such as FinTech, IoT and blockchain, whose business models are heavily dependent on cryptography to provide the necessary security and privacy.

Developing New Cryptographic Applications 

Consequently, many organizations are developing new cryptographic applications, and with the need to be increasingly agile in today’s competitive markets, they need to do so at pace. However, the difficulty of scoping and delivering a cryptographic project increases with the number of actors and platforms it must accommodate; and if the project involves layering additional security onto a pre-existing system, without impacting either performance or availability, then the challenges are even greater. The potential complexity of cryptographic project workflows is illustrated in Figure 1.


Figure 1: Cryptography Development Project Workflows

 

These workflows are likely to have multiple iterations, and it may prove practically impossible to achieve all the objectives within the constraints imposed. As a result, the use of cryptography often becomes, or is perceived as, responsible for holding up entire projects. Responding to these development challenges requires organizations to consider moving away from the project-by-project model and embrace a more proactive and sustainable approach to developing and managing cryptography.

Avoiding Choke Points with Crypto Service Gateway

Cryptomathic's Crypto Service Gateway (CSG) is the world's first embodiment of an integrated cryptographic service model, ideally suited to the demands of 'application-level cryptography'. This model improves workflows making it easier for organizations to enhance their business systems to provide end-to-end protection and security of sensitive data. Organizations can choose to protect as much or as little business data as is considered necessary - within transaction flows or data at rest - in a disciplined and controlled manner.

Figure 2: Improved Workflows with CSG

CSG provides a fully-integrated cryptographic environment that scales easily with the number and size of applications within your business. Rather than working with a range of complex, often proprietary HSMinterfaces, which require a lot of detailed cryptographic knowledge, developers can work with a single, simple crypto API and spend more of their time focusing on the business logic.

Furthermore, crypto policy definition can be left in the hands of a small team of security specialists who can enforce it across all applications, so it is no longer a challenge that every project has to address individually; subsequent changes in crypto policy (e.g. changes of algorithm or key length) become easy to implement across the board, without having to modify each application.

This new crypto service model also works to the advantage of project managers, providing a range of advantages such as:

  • CSG removes the need for the project to purchase HSMs for both the development and production parts of the project - this activity can be deducted from what is typically the critical path for the project, leading to savings of 6 to 8 weeks elapsed time (particularly where cryptography is introduced late and unplanned into the scope of a project).
  • The adoption of CSG will naturally lead to an increasing range of proven tools and techniques that do not have to be re-proven on a per project basis. These techniques will have proven cryptographic capabilities, which assists in reducing the number of unknowns for all projects.
  • CSG provides central policy enforcement, which contributes significantly to reducing the elapsed time required for independent scrutiny of the cryptography within a new project or enhancement. This is built in as standard to CSG, as are comprehensive levels of auditing and logging. As a result, certain activities can either be dropped completely from the development project plan or they simply become a single, modest task rather than a whole set of complex tasks.
  • Projects using CSG will have faster access to all available specialist expertise in the organization. There may be challenges or difficulties, but the project isn't on its own. Your project’s challenge may have been faced by others previously and a solution or explanation may be available.
  • As deploying cryptographic solutions using CSG becomes your organization’s norm, this leads to a natural reduction in single point of failure dependencies within the production systems’ support and enhancement teams.

The end result is that projects can be completed more quickly, on a lower budget and with less risk; and the resulting business applications are more maintainable.

The Enlightenment Opportunities Using CSG

Businesses often view the inclusion of cryptography at the outset of a project as a necessary evil. Consequently, they frequently opt for a 'tactical solution' because the proper 'production-strength solution' will cost the project perhaps 30% more and, more importantly, add an extra 5 weeks to the project's duration. However, once the tactical solution has been developed and the service is operational, what is the likely appetite for going back and putting in the production-strength solution (and risk breaking something), in comparison to other business priorities that promise a higher return on investment (ROI)? In contrast, using an integrated service model allows the organization to design the cryptography correctly from the outset, with a reduction in both time and costs.

Having a clear vision of how your organization can harness an enabler such as Cryptomathic’s Crypto Service Gateway is absolutely fundamental. This vision can be modest or aggressive, and could have one, several or all of the following characteristics:

  • Internal and external compliance 
    • CSG’s central policy enforcement uses a fine-grained but straightforward policy language, which allows administrators to control exactly what keys and commands different users of the system have access to. The policy language is simple enough to show to auditors and business architects who do not have programming experience.
    • CSG has extensive usage and audit logging, digitally signed for non-repudiation, which together with the policy language allows projects to easily demonstrate both theoretical and actual compliance with regulations.
  • Proactive monitoring of existing HSM estates 
    • CSG enables maintenance and measurement of overall systems’ SLAs for applications that use cryptography, where the cryptographic capabilities cannot, and must not, be seen to be a system weak point or performance 'chokepoint'.
    • CSG allows better HSM utilization to be achieved consistently and resiliently.
  • HSM vendor independence 
    • The use of CSG can assist an organization in controlling its level of vendor dependency. Many organizations have policies that stipulate that they wish to be able to have dual or multiple sources of equipment supply. In recent years, however, the HSM marketplace has been consolidating, making vendor independence a moving target. Without CSG, substituting a different manufacturer’s HSM equipment is rarely straightforward and requires significant effort, while there are invariably more compelling business-focused activities for your development and support personnel to undertake.
    • Use of CSG gives an organization the freedom to adopt the latest and most technically- and commercially-effective HSM equipment. This can be achieved far more readily than hitherto for both new and existing systems.
  • Proactive cryptographic lifecycle management 
    • Proactive changes to the cryptographic functionality within a business system have always been highly desirable but rarely achievable, such changes having invariably been undertaken on a special project basis. Using CSG, it is now possible to ensure that such events can be accommodated for without undue impacts to the underlying business applications. In the event of the unexpected need to cease using a cryptographic technique, e.g. in response to the discovery of a weakness, having CSG available to assist in a timely resolution could prove vital.
    • CSG can be readily integrated with Cryptomathic’s Crypto Key Management System (CKMS) to achieve seamless and transparent key changes.
    • The ability to manage HSM firmware upgrades and incremental HSM deployments centrally contains cost to the organization in both the production and development environments.

Conclusion

CSG enables organizations to be more agile, whilst reducing the cost of developing, operating and maintaining their cryptographically-enabled business applications.

Cryptomathic can assist your organization in determining the benefits and ROI achievable from deploying CSG, an exercise that is likely to prove very illuminating and result in a strong business case for using CSG.

Turning Cryptography into a Service Part 1 – Increasing Efficiency & Resilience

References and Further Reading

Selected articles on HSMs (2013-today), by Ashiq JA, Peter Landrock, Peter Smirnoff, Rob Stubbs, Steve Marshall, Torben Pedersen and more