Why cryptography is set to underpin 2021 IT security

How cryptographic keys and digital certificates will be used (and misused) in 2021 and beyond.

This is a contributed article by Chris Hickman, Chief Security Officer at Keyfactor.

The current pace of digital innovation means that, when it comes to security, everything considered secure by today’s standards will be insecure in the future. The practice of cryptography has existed for hundreds of years, and today it forms the foundation of many everyday activities, from bank transactions and video streaming to passwords and digital currencies. The evolution of cryptography (and of how it is used and managed) will continue to shape the way we do business now and in the future. Many companies have begun addressing crypto management but have yet to fully embrace crypto-agile best practices in their environments.

In terms of network security, 2020 reinforced the importance of crypto-agility that both supports trusted digital transformation initiatives and acts as a first line of defense against rising crypto-based security breaches. This year, many companies were forced to expedite initiatives to support new and unique remote workforce and distributed networking use cases. These use cases revealed five cryptography-based trends that will influence IT, network security and IoT security next year and beyond.

  1. Public Key Infrastructure (PKI) as a foundational security tool – PKI has been used by corporations for decades for secrets protection and management. More recently, companies have recognised PKI’s ability to bridge development and security, particularly in IoT and DevOps deployments. Its ability to establish roots of trust and to slipstream seamlessly into coding processes and development toolkits has transformed this battle-tested, foundational digital identity security tool. PKI will continue to grow in popularity thanks to its scalability and the automated lifecycle management platform options now available.

  2. Root CA expiration – As root CAs expire, the certificates issued under them will no longer be trusted, potentially causing device failures like those seen when the AddTrust root CA expired and caused several outages on connected devices such as smart TVs. Root stores are generally not managed effectively, because root management is carried out through software updates: if those updates aren’t completed in a timely fashion, the certificate becomes untrusted and the update fails. If you don’t update your legacy roots, you can’t push updates, and the result is potential device failure. While this is an inconvenience for consumer devices, the same scenario could have life-impacting consequences on machines like autonomous cars or medical devices. The good news is that root CA expiration is a scheduled event, making it predictable and manageable with advance planning.

  3. Shortened digital certificate lifecycles – This year, the major browsers announced that certificate lifespans would be shortened to 13 months. The change came into effect this September, but IT administrators won’t feel its true impact until 2021, when they’ll be confronted with managing the sudden certificate rollover. It’ll be particularly challenging for teams lacking tools or automation to manage the process. For many, this change means that the team’s workload has just gone up 100% while budget and staffing levels remain the same, adding to the burden on staff already struggling to manage and renew all of their publicly rooted SSL/TLS certificates from third-party vendors.

  4. Crypto-based exploits and cyber-attacks using code signing, SSH key and TLS certificates – Administrators typically generate their own keys rather than acquiring them from a trusted authority, which raises misuse and visibility risks. We’re seeing an upward trend in SSH key, TLS certificate and code signing-based attacks, and while we’re all getting better at detecting these attacks, both the trendline and the implications of these attacks are growing. Crypto-based exploits can happen at every layer of the stack; code signing and SSH keys are ubiquitous, and teams often don’t have an easy way to track where they live within the organisation. SSH keys may seem harmless, but when they fall into the wrong hands they offer easy access to the network.

  5. The introduction of new quantum-safe cryptography and standards – There are still many unknowns when it comes to quantum computing and its potential impact on technology. Quantum computing is still in its infancy, and researchers are working to understand how a scaled-up quantum architecture could break the cryptographic algorithms designed to date. Government and regulatory agencies like NIST are working on draft standards that can be expanded and applied as specifications across industries. In time there will be quantum-safe cryptography, but, like all significant industry changes, it will take time for customers and end users to realise the impacts.
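Items 2 and 3 above describe two predictable expiry events: a root CA that expires before the leaf certificates chained to it (the AddTrust pattern), and leaf lifetimes capped at 13 months (398 days). The following Python script is an added illustration, not code from the article or from Keyfactor; it runs over a constructed inventory (hypothetical names and dates) and flags both conditions, treating a leaf's effective expiry as the earlier of its own expiry and its root's.

```python
from datetime import date

# Constructed sample data (hypothetical names and dates, not real certificates).
# Each leaf records the root CA it ultimately chains to.
ROOTS = {
    "ExampleRoot-2000": date(2020, 5, 30),  # legacy root, already expired
    "ExampleRoot-2020": date(2040, 1, 1),
}
LEAFS = [
    {"cn": "api.example.test", "not_before": date(2020, 3, 1),
     "not_after": date(2021, 3, 1), "root": "ExampleRoot-2000"},
    {"cn": "www.example.test", "not_before": date(2020, 9, 1),
     "not_after": date(2021, 10, 1), "root": "ExampleRoot-2020"},
    {"cn": "legacy.example.test", "not_before": date(2019, 1, 1),
     "not_after": date(2021, 1, 1), "root": "ExampleRoot-2020"},
]
TODAY = date(2020, 12, 1)  # constructed audit date for the demo
MAX_LEAF_DAYS = 398  # the 13-month cap browsers enforce for public TLS certs


def effective_expiry(leaf, roots):
    """Trust ends at the earlier of the leaf's expiry and its root's expiry:
    a valid leaf is useless once the root it chains to is no longer trusted."""
    return min(leaf["not_after"], roots[leaf["root"]])


def audit(leafs, roots, today, warn_days=90):
    """Return {cn: [finding, ...]} for every leaf with something to act on."""
    findings = {}
    for leaf in leafs:
        reasons = []
        root_expiry = roots[leaf["root"]]
        days_left = (effective_expiry(leaf, roots) - today).days
        lifetime = (leaf["not_after"] - leaf["not_before"]).days
        if root_expiry < leaf["not_after"]:
            reasons.append("root-expires-before-leaf")  # the AddTrust pattern
        if days_left < 0:
            reasons.append("already-untrusted")
        elif days_left <= warn_days:
            reasons.append("renew-within-%d-days" % warn_days)
        if lifetime > MAX_LEAF_DAYS:
            reasons.append("lifetime-exceeds-%d-days" % MAX_LEAF_DAYS)
        if reasons:
            findings[leaf["cn"]] = reasons
    return findings


if __name__ == "__main__":
    for cn, reasons in audit(LEAFS, ROOTS, TODAY).items():
        print(cn, ", ".join(reasons))
```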

While these predictions each require their own time, attention and investment, the key takeaway for teams comes down to developing a single plan to inventory the organisation’s digital identities (keys and certificates) and to map out the crypto best practices that will be applied throughout the IT infrastructure.

Chris Hickman is the Chief Security Officer at Keyfactor, a leading provider of secure digital identity management solutions. He leads client success initiatives and helps integrate the voice of the customer directly into Keyfactor's platform and capability set.