During three decades of instructing graduate students in cyber security – ahem, we used to call it computer security – the one research paper I’ve assigned as required reading without exception is Ken Thompson’s Turing Lecture, “Reflections on Trusting Trust.” That paper explains the essential but invisible nature of trust in software development. And I believe that all cyber security students should be exposed to this important message: You cannot trust things unless there is a legitimate basis for that trust.
Sadly, so many enterprise security teams today miss this message in their application of cryptography. Sure, they go to great lengths installing and using cryptography with carefully designed algorithms that will thwart even the most persistent cryptanalyst. And they argue on and on about key lengths over drinks with colleagues, often claiming that best-case brute-force crack time estimates in the millions of years would be too risky to even consider. And yet, even with all of this fuss about proper cryptography, they don’t protect their keys. Or their certificates. They treat them as an operational issue, not a security concern.
I guess this should not come as a surprise, because underlying trust – along the lines of what companies like Venafi provide for enterprise customers – can be pretty invisible. Think about certificate issuance, for instance. Obviously, a public key certificate whose binding to a name was validated by nothing more than a Gmail request is going to be of much lower assurance than a certificate bound to a name via in-person authentication. But how do you know the difference? The answer is that it is not easy. But it is also the difference between stopping advanced cyber attacks and scratching your head when your data is lost.
In my new report issued today, the 2017 TAG Cyber Security Annual, I explain how certification authorities, public key cryptography solutions, and related protections are vital to securing enterprise infrastructure. This becomes even more critical as Internet of Things (IoT) endpoints, industrial control system (ICS) components, and cloud workloads rely on cryptography for virtualized secure communications and control. Protecting keys and certificates will be the glue holding all of this together.
My advice: Get your security team together immediately and discuss how you are doing this vital task today. Ask them, as a group, to explain the existing trust chains, or lack thereof, inherent in your use of cryptography. Make sure not to forget websites with certificates, or network equipment loaded with cryptographic software. And if there is even the slightest hint that you might be a bit sloppier than you should be with the keys and certificates – maybe it is time to make key and certificate security a priority.
Dr. Edward G. Amoroso is a guest blogger for Venafi.com and the author of the new report, 2017 TAG Cyber Security Annual. He is the former SVP and CSO of AT&T, and the current CEO of TAG Cyber, LLC.