Adam: How do you see encryption evolving over the next 5-10 years?
Puneet: Quantum computers are evolving swiftly with time. The encryption process, specifically asymmetric encryption, and encryption with keys of a small length, will be at high risk of a breach in the next 5-10 years.
Quantum computers' high-speed computations can be very advantageous for many tasks that cannot be done now, even by supercomputers. At the same time, their super performance can be a significant threat to popular public-key cryptography — which we are using nowadays — as quantum computers can quickly solve many problems like NP-complete problems, non-deterministic problems, etc.
In other words, we can say that in the next 5-10 years, when there is a large-scale universal usage of quantum computers, we cannot trust public-key cryptography algorithms. However, we can use symmetric key cryptography securely. The NIST also recommends that AES-256 be used until 2030 and beyond.
Adam: Tell us a little about Encryption Consulting.
Puneet: Encryption Consulting is a customer-focused cyber-consulting firm providing an array of services in all aspects of encryption. Our knowledge and experience put experts on your team to deploy the industry’s best, proven encryption technologies. Our people and services enable organizations to successfully achieve their data security goals in Confidentiality, Integrity, and Availability. Our services will secure your sensitive data throughout its entire lifecycle. Our specialty is delivering Assessments, Strategies, and Implementations for organizations that either lack specialized resources or value having a trusted advisor to upgrade their data security posture.
At Encryption Consulting, we have created a custom Cryptographic Data Protection framework based on NIST 800-57, NIST 800-53 standards, FIPS, and industry best practices to accelerate our client’s data protection projects.
We provide services in the following areas:
- Sensitive Data Identification and Classification
- Enforcement of data protection controls – Encryption, Tokenization, or Masking
- Expert advice on implementation strategy and services
- How to comply with encryption standards and follow industry best practices
- Insights on encryption compliance & regulation
- Operationalizing Encryption key lifecycle management
- Delivering on reporting and integration
- PKI and HSM training for cloud and on-premises environments
- Encryption technology supplier evaluations
In summary, we enable organizations to identify areas in their current encryption environment needing improvement by conducting an assessment, creating a roadmap, and implementing an encryption plan end-to-end.
We are also in the process of enhancing our code signing solution, Codesign Secure, to provide a secure and flexible solution to our customers’ code signing needs for all operating systems, including Windows, Linux, Macintosh, Docker, and Android/iOS apps.
Join us for our Encryption Consulting Virtual Conference 2021 on November 3 and November 4 to hear the latest about encryption and cryptography.
Adam: Based on the past year of assessments your organization has worked on, what takeaways or data security best practices can you share?
Puneet: Based on the past year's assessments, the best data security practices are as follows:
- An organization should encrypt its data at every level.
- Data should be encrypted at the Storage level.
- File/Folder Layer encryption, Database Layer encryption, and Application Layer encryption should be present.
- All keys must be stored in a hardware security module (HSM), and there must be access control and monitoring of data in place.
- When a user wants to access the resources, there must be a strong verification process. The user can only access resources applicable for their job.
- Users should not be able to access the resources of another department.
- Documentation of processes, standards, architecture designs, policies, etc., plays a significant role in an organization for existing and new team members. Defining appropriate documents for the necessary services is a must.
Adam: What tips do you have for organizations when approaching key management in the cloud?
Puneet: Compliance standards and regulations ask a lot of key management practices. Standards created by NIST, and regulations, like PCI DSS, FIPS, and HIPAA, expect users to follow certain best practices to maintain cryptographic keys used to protect sensitive data. The following are important practices to ensure compliance with government regulations and standards:
- Avoid hard-coding keys: The most important practice with cryptographic keys is never hard-coding key values anywhere. Hard-coding a key into open-source code — or code of any kind — instantly compromises the key. Anyone with access to that code now has access to the key value of one of your encryption keys, resulting in an insecure key.
- Least privilege: The principle of least privilege is the idea that users should only have access to keys that are absolutely necessary for their work. This assures only authorized users can access important cryptographic keys while providing better tracking of key usage. If a key is misused or compromised, only a handful of people have access to the key, so the suspect pool is narrowed down if the breach was within the organization.
- HSMs: An HSM is a physical device that stores cryptographic keys and performs cryptographic operations on-premises. For an attacker to steal the keys from an HSM, they would need to physically remove the device from the premises, steal a quorum of access cards required to access the HSM, and bypass the encryption algorithm used to keep the keys secure. HSMs on the Cloud are also a viable key management storage method.
- Automation: Automation is a widely practiced method of ensuring keys do not go past their validity period and become overused. Other key lifecycle tasks can be automated, like creating new keys, backing up keys regularly, distributing keys, revoking keys, and destroying keys.
- Create and Enforce Policies: Creating and enforcing security policies relating to encryption keys is another way many organizations ensure the safety and compliance of their key management system. Security policies provide the methods everyone within an organization follows and create another tracking method for access to specific keys.
- Separate Duties: Separating duties related to key management is another important practice for any organization. An example of separation of duties is that one person is assigned to authorize a new user’s access to keys, while another distributes the keys, and a third person creates the keys. With this method, the first person cannot steal the key during the distribution phase or learn the value of the key during the generation phase of the key lifecycle.
- Split Keys: One final practice to ensure the strength of any key management system is by splitting the keys into multiple portions. In this way, no one person knows the full key. Rather, multiple people must come together to use the key. This assures that others can be held responsible by their peers if their portion of the key is compromised.
Adam: What “wow” technology is on the horizon, in your opinion?
Puneet: As I previously mentioned, quantum computing is an up-and-coming system being developed in the world of computers. I believe this will be a product to keep an eye on in the future, as it will change everything about the encryption world. With quantum computers, public-key cryptography will be a thing of the past. Quantum computers have the potential to make public-key cryptography obsolete, since they will be able to solve encryption with public-key cryptography in an extremely short amount of time.
Although public-key cryptography will not be able to be used, symmetric encryption will still be usable. Additionally, new protection methods will have to be developed to protect against quantum computing, likely using quantum computing. These new quantum computing protections will be another future product to keep an eye out for, as they will be a new addition to the world of cybersecurity.
Note: Encryption Consulting is hosting its Encryption Consulting Virtual Conference 2021 on November 3 and November 4. Register now: https://www.encryptionconsulting.com/ecconf