There Has Never Been a More Urgent Requirement for

Cryptographic-Agility and Cryptographic-Diversification

Compiled and produced by Steve Monti

There has never been a more important time to undertake an audit of all your cryptographic infrastructure. SafeCipher is perfectly placed to conduct an audit that meets leading compliance requirements, including NCSC, NIST and ISO recommendations.

Our Vendor Neutral Cryptographic Audits are based on the following:

1. Cryptographic Standards and Policies: These refer to the established guidelines and regulations within the organization regarding the use of cryptographic algorithms, protocols, and technologies. It involves ensuring that cryptographic practices align with industry best practices and regulatory requirements.

2. Cryptographic Compliance: This involves ensuring that the cryptographic practices within the organization comply with relevant industry standards, legal regulations, and internal policies. It ensures that cryptographic operations meet the necessary security and compliance requirements.

3. Deprecated Cryptography: This refers to cryptographic algorithms, protocols, or practices that are no longer considered secure due to advancements in cryptanalysis or the discovery of vulnerabilities. It’s essential to identify and phase out any deprecated cryptography to maintain security.

4. Outdated Symmetric Ciphers:Symmetric ciphers that are outdated or vulnerable to attacks should be identified and replaced with more secure alternatives. This involves assessing the strength and suitability of symmetric encryption algorithms used in the organization’s cryptographic systems.

5. Non-FIPS Approved Ciphers: The Federal Information Processing Standards (FIPS) prescribe cryptographic standards for use in U.S. government systems. Identifying and eliminating non-FIPS approved ciphers ensures compliance with security standards and regulations.

6. Inadequate Asymmetric Keys: Asymmetric encryption relies on key pairs for encryption and decryption. Inadequate key lengths or weak key generation practices can compromise security. Assessing the strength and adequacy of asymmetric keys is crucial for maintaining the integrity of cryptographic systems.

7. Cryptographic Agility: Cryptographic agility refers to the ability of a system to adapt and transition to newer cryptographic algorithms or protocols as needed. It involves implementing mechanisms that allow for the seamless replacement of cryptographic components to address evolving security requirements and threats.

8. Outdated Cryptographic Appliances: Cryptographic appliances such as hardware security modules (HSMs) or encryption devices may become outdated or unsupported by manufacturers over time. Identifying and upgrading outdated cryptographic appliances ensures continued support, security, and compatibility with modern cryptographic standards.

9. Cryptographic Hardware Approaching End of Life: This involves identifying cryptographic hardware components that are nearing the end of their operational life cycle. Planning for the replacement or upgrade of such hardware is necessary to prevent disruptions to cryptographic operations.

10. Cryptographic Hardware Out of Support: Cryptographic hardware that is no longer supported by manufacturers may lack essential security updates and patches, making them vulnerable to exploits and attacks. Identifying and replacing unsupported cryptographic hardware is essential for maintaining the security of cryptographic systems.

11. Expired Certificates: SSL/TLS certificates used for securing communications and transactions have expiration dates. Expired certificates can lead to service disruptions and security vulnerabilities. Monitoring and renewing certificates before they expire is essential for maintaining the availability and security of cryptographic services.

13. Self-Signed Certificates: Self-signed certificates are certificates that are signed by the entity they belong to rather than a trusted certificate authority (CA). While they can be used for testing or internal purposes, they pose security risks in production environments due to the lack of third-party validation. Identifying and replacing self-signed certificates with CA-signed certificates enhances trust and security.

14. Invalid Certificates: Invalid certificates are certificates that fail to meet the requirements of the validation process, such as expired, revoked, or improperly configured certificates. Identifying and resolving issues with invalid certificates ensures the integrity and security of cryptographic communications.

15. Broken Certificate Chains: Certificate chains establish trust by linking certificates to trusted root CAs. Broken certificate chains occur when the chain of trust is incomplete or compromised, leading to security vulnerabilities. Identifying and repairing broken certificate chains is essential for ensuring the validity and integrity of cryptographic certificates.

16. Unprotected Private Keys: Private keys used for cryptographic operations must be adequately protected from unauthorized access and theft. Failure to protect private keys can result in data breaches and security incidents. Assessing and implementing measures to safeguard private keys, such as encryption and access controls, is critical for maintaining the security of cryptographic systems.

17. Cloud HSM Use: Cloud-based hardware security modules (HSMs) provide secure key storage and cryptographic operations in the cloud. Evaluating the use of cloud HSMs involves assessing their security features, compliance with regulatory requirements, and integration with existing cryptographic infrastructure.

18. Cloud Key Management: Cloud key management services (KMS) are used for generating, storing, and managing cryptographic keys in the cloud. Assessing cloud key management involves evaluating the security, reliability, and compliance of the services provided, as well as their integration with cryptographic systems and applications.

19. Cloud Certificates: Certificates used in cloud environments for securing communications, identities, and services. Assessing cloud certificates involves ensuring their validity, proper configuration, and compliance with security standards and policies.

20. Cloud Microservice Cryptography: Microservices architecture often involves decentralized cryptographic operations for securing communication between services. Assessing cloud microservice cryptography involves evaluating the implementation, configuration, and security of cryptographic mechanisms used within microservices.

21. Microservice Certificate Authorities: Microservices may have their own certificate authorities (CAs) for issuing and managing certificates within the microservices environment. Assessing microservice certificate authorities involves evaluating their security, trustworthiness, and compliance with organizational policies and standards.