Reflections on Trusting Cryptographic Keys and Digital Certificates

September 8, 2016 | Dr. Edward G. Amoroso, CEO of TAG Cyber, LLC.
Key Takeaways
  • A new report issued today, the 2017 TAG Cyber Security Annual, discusses why key and certificate security is vital to securing enterprise infrastructure
  • Cyber trust is typically invisible in nature, but organizations often fail to ensure there is a legitimate basis for that trust
  • Enterprise security teams go to great lengths to use cryptography, but then do not protect their keys and certificates

During three decades of instructing graduate students in cyber security – ahem, we used to call it computer security – the one research paper I’ve assigned as required reading without exception is Ken Thompson’s Turing Lecture, “Reflections on Trusting Trust.” That paper explains the essential but invisible nature of trust in software development. And I believe that all cyber security students should be exposed to this important message: you cannot trust things unless there is a legitimate basis for that trust.

Sadly, so many enterprise security teams today miss this message in their application of cryptography. Sure, they go to great lengths installing and using cryptography with carefully designed algorithms that will thwart even the most persistent cryptanalyst. And they argue on and on about key lengths over drinks with colleagues, often claiming that best-case brute-force crack time estimates in the millions of years would be too risky to even consider. And yet, even with all of this fuss about proper cryptography, they don’t protect their keys. Or their certificates. They treat them as an operational issue, not a security concern.

I guess this should not come as a surprise, because underlying trust – along the lines of what companies like Venafi provide for enterprise customers – can be pretty invisible. Think about certificate issuance, for instance. Obviously, a public key certificate bound to a name via a Gmail request is going to be of much lower assurance than a certificate bound to a name via in-person authentication. But how do you know the difference? The answer is that it is not easy. But it is also the difference between stopping advanced cyber attacks and scratching your head when your data is lost.

In my new report issued today, the 2017 TAG Cyber Security Annual, I explain how certification authorities, public key cryptography solutions, and related protections are so vital to securing enterprise infrastructure. This becomes even more critical as Internet of Things (IoT) endpoints, industrial control system (ICS) components, and cloud workloads rely on cryptography for virtualized secure communications and control. Protecting keys and certificates will be the glue holding all of this together.

My advice: Get your security team together immediately and discuss how you are doing this vital task today. Ask them, as a group, to explain the existing trust chains, or lack thereof, inherent in your cryptographic use. Make sure not to forget websites with certificates, or network equipment loaded with cryptographic software. And if there is even the slightest hint that you might be a bit sloppier than you should be with the keys and certificates – maybe it is time to make key and certificate security a priority.

Dr. Edward G. Amoroso is a guest blogger and the author of the new report, 2017 TAG Cyber Security Annual. He is the former SVP and CSO of AT&T, and the current CEO of TAG Cyber, LLC.