Companies that handle sensitive data are frequently required to demonstrate to internal or external auditors that they use cryptography appropriately as part of their data protection strategy. This requires them to adopt a definition of acceptable cryptography (often taken directly from a standard such as NIST FIPS or PCI DSS), and to produce evidence that this policy is enforced throughout their infrastructure. An automated, up-to-date Cryptographic Inventory provides this evidence. It can also be leveraged to develop "crypto agility" (the ability to change cryptographic libraries and algorithms rapidly when required). But what exactly should you put in a "crypto inventory", and how do you make one efficiently?
Crypto Inventory Goals
A cryptographic inventory is a strategic cybersecurity asset much like other hardware and software inventories. It enables an organisation to enforce a secure cryptographic policy across IT infrastructure, react quickly to security issues, and efficiently carry out strategic transformations such as migrating crypto services to the cloud or deploying post-quantum cryptography. In order to achieve this, an inventory needs to have the following properties:
- Coverage. An effective inventory should cover keys, certificates, algorithms, protocols and providers in use in applications and infrastructure. Coverage should be sufficient to allow control of the organisation's cryptographic policy: if, for example, the policy permits certain algorithms to be used but only within specific protocols, the inventory must record both the algorithm and the protocol it appears in, otherwise that rule cannot be checked.
- Accuracy. An inventory is only useful if it contains a true reflection of the cryptography in use, and not just what application developers or third-party suppliers think is being used. This typically implies some control is carried out beyond simple manual reporting. In particular, it's vital to look inside applications and understand what crypto they use to protect what data. Simply scanning an application's code or binaries for cryptographic identifiers, without the context of how and on what data they are used, produces mostly noise.
- Automation. If the inventory is to stay up-to-date, then data collection must be automated as far as possible to allow changes in applications and infrastructure configurations to be accounted for. Scanning processes must be scheduled automatically, and application tests integrated into CI.
- Usability. The security team must be able to use the inventory for tasks such as identifying non-compliances with the policy and the person responsible, monitoring progress on cryptographic transformations like removing old algorithms, and identifying where particular certificates, keys and libraries are used in the event of a security incident. Typically this implies that the inventory must be designed to be queryable and not just searchable. A folder full of PDFs will not suffice. It must also be possible to update the information and to know when each record was last updated.
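As an added example (not Cryptosense's code and not the CAP product), here is a minimal inventory built with Python's standard sqlite3 module that exhibits the four properties above: structured records of the kind an automated scan or runtime trace would emit (coverage), a policy rule that permits an algorithm only inside specific protocols, a non-compliance query that returns the responsible owner, a library lookup of the sort needed during an incident, and a last-updated timestamp per application. The applications, owners, library versions, policy and observations are all constructed sample data, not results from any real scan.

```python
"""Minimal queryable cryptographic inventory with policy checks (example code)."""
import sqlite3

# Constructed sample observations, as a scanner or runtime tracer might emit them:
# (application, owner, library, algorithm, key_bits, protocol, data_class, observed_at)
SAMPLE_OBSERVATIONS = [
    ("payments-api", "alice@example.com", "OpenSSL 3.0.8", "AES-256-GCM", 256, "TLS 1.3", "cardholder", "2024-05-01T10:00:00Z"),
    ("payments-api", "alice@example.com", "OpenSSL 3.0.8", "RSA", 2048, "TLS 1.3", "cardholder", "2024-05-01T10:00:00Z"),
    ("legacy-batch", "bob@example.com", "BouncyCastle 1.70", "RSA", 1024, None, "cardholder", "2024-04-20T03:00:00Z"),
    ("legacy-batch", "bob@example.com", "BouncyCastle 1.70", "AES-128-CBC", 128, None, "cardholder", "2024-04-20T03:00:00Z"),
    ("hr-portal", "carol@example.com", "OpenSSL 1.1.1k", "AES-128-CBC", 128, "TLS 1.2", "pii", "2024-05-02T08:30:00Z"),
    ("hr-portal", "carol@example.com", "OpenSSL 1.1.1k", "MD5", None, None, "pii", "2024-05-02T08:30:00Z"),
]

# Constructed policy: algorithm -> (minimum key bits, set of protocols in which it is
# permitted, or None for "anywhere"). Algorithms absent from the table are not approved.
POLICY = {
    "AES-256-GCM": (256, None),
    "AES-128-CBC": (128, {"TLS 1.2", "TLS 1.3"}),  # CBC tolerated only inside TLS record protection
    "RSA": (2048, None),
}

SCHEMA = """
CREATE TABLE crypto_usage (
  id INTEGER PRIMARY KEY,
  application TEXT NOT NULL,
  owner TEXT NOT NULL,
  library TEXT NOT NULL,
  algorithm TEXT NOT NULL,
  key_bits INTEGER,
  protocol TEXT,
  data_class TEXT,
  observed_at TEXT NOT NULL
);
"""


def build_inventory(observations=SAMPLE_OBSERVATIONS):
    """Create an in-memory inventory and load the observations into it."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO crypto_usage (application, owner, library, algorithm, key_bits,"
        " protocol, data_class, observed_at) VALUES (?,?,?,?,?,?,?,?)",
        observations,
    )
    conn.commit()
    return conn


def evaluate(algorithm, key_bits, protocol, policy=POLICY):
    """Return None if the usage is compliant, otherwise a human-readable reason."""
    rule = policy.get(algorithm)
    if rule is None:
        return f"{algorithm} is not an approved algorithm"
    min_bits, allowed_protocols = rule
    if key_bits is not None and key_bits < min_bits:
        return f"{algorithm} key of {key_bits} bits is below the {min_bits}-bit minimum"
    if allowed_protocols is not None and protocol not in allowed_protocols:
        return (f"{algorithm} is only permitted inside {sorted(allowed_protocols)},"
                f" found in {protocol or 'application code'}")
    return None


def non_compliances(conn, policy=POLICY):
    """Policy violations with the responsible owner, ordered by application then algorithm."""
    rows = conn.execute(
        "SELECT application, owner, algorithm, key_bits, protocol, data_class"
        " FROM crypto_usage ORDER BY application, algorithm"
    ).fetchall()
    findings = []
    for app, owner, alg, bits, proto, data_class in rows:
        reason = evaluate(alg, bits, proto, policy)
        if reason:
            findings.append({"application": app, "owner": owner,
                             "data_class": data_class, "reason": reason})
    return findings


def usages_of_library(conn, library_prefix):
    """Incident-response query: which applications (and owners) use a given library version?"""
    return conn.execute(
        "SELECT DISTINCT application, owner FROM crypto_usage WHERE library LIKE ?"
        " ORDER BY application", (library_prefix + "%",)
    ).fetchall()


def last_updated(conn, application):
    """Timestamp of the most recent observation for an application."""
    return conn.execute(
        "SELECT MAX(observed_at) FROM crypto_usage WHERE application = ?", (application,)
    ).fetchone()[0]


if __name__ == "__main__":
    inventory = build_inventory()
    for finding in non_compliances(inventory):
        print(f"{finding['application']} ({finding['owner']}): {finding['reason']}")
    print("Uses OpenSSL 1.1.1:", usages_of_library(inventory, "OpenSSL 1.1.1"))
    print("payments-api last observed:", last_updated(inventory, "payments-api"))
```

The point of the protocol column is the Coverage requirement above: the same AES-128-CBC entry is compliant for hr-portal (inside TLS 1.2) and non-compliant for legacy-batch (used directly in application code), which a flat list of "algorithms found" could not distinguish. In a real deployment the observations table would be repopulated by scheduled scans and CI jobs rather than a hard-coded list, and the observed_at column is what lets you spot applications that have not been rescanned recently.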
Cryptosense Analyzer Platform (CAP) for Crypto Inventory facilitates crypto discovery at scale, from any access level, including tracing all the cryptography used inside an application while it runs and identifying the data concerned. Its precise analysis covers not just the algorithms and keys but, vitally, also the way they are used.