When it comes to the security of any organisation, what is the most critical thing businesses are trying to protect? Data. From government intelligence to personally identifiable information, there is a slew of data being stored and transmitted by organisations and it all needs to be secured. Why? Because this information is exactly what bad actors are targeting.
One of the best ways for organisations to mitigate risks and improve their overall security posture is to implement a zero-trust approach – or at least consider the ‘never trust, always verify’ principle that zero trust is based on. This simply means that organisations should not implicitly trust anything inside or outside the perimeter. Every organisation will be a little bit different in what solutions it needs and how they are implemented, but the steps to get started are generally the same for all.
The first steps involve having a full inventory of data and its flows. By knowing where high-value data sits, and how it gets processed and transmitted, businesses will have a good indicator of where to start. From there, they can ensure they have an inventory of cryptographic assets – like keys, certificates and secrets – and then map that to their data to understand how everything is secured. This will give the picture of what the attack surface looks like and help them identify if there are any risks or gaps that need to be addressed immediately. Next, as firms prepare to implement a new digital security strategy, including zero trust, it’s critical to be crypto-agile. It helps mitigate any risks related to cryptography, allows change to be implemented easily and ensures strong governance along the way.
It’s also worth noting that this isn’t something that can be done quickly or with one solution or technology. Organisations should incrementally implement a zero-trust approach, rolling it out in pieces or layers, with the security framework building upon itself over time. Not only will this type of approach improve security, but it will also deliver business value – especially when firms make the connection between zero trust and other projects such as post-quantum (PQ) readiness.
Most of the cryptography best practices organisations perform as part of implementing zero trust will also be part of the journey they embark on when preparing for the PQ threat. This is important not only because of the threat quantum computing poses to digital security within the decade but also because of the ‘harvest now, decrypt later’ (HNDL) threat that exists today.
HNDL attacks are all about data. Bad actors harvest long-life data today (defined as sensitive data that needs to remain confidential for over 10 years), with the intent of decrypting it once a quantum computer is capable of doing so. Firms will need to introduce post-quantum cryptography (PQC) to the previously discussed steps to be quantum safe. This can be achieved by either transitioning traditional public key cryptography to pure PQC or by adding PQC alongside it, which is known as a hybrid mode of work.
And it doesn’t end there. The threat landscape is continually growing and evolving, with cyberattacks becoming more sophisticated. A perfect example is artificial intelligence. While the technology has been around for decades, this new generation of AI has taken a big step forward and rung several alarm bells. AI has become increasingly good at fooling humans via phishing, smishing and deep fakes, making the case for prioritising security even more important. However, AI also offers benefits for cybersecurity by enabling improved threat detection and comprehensive monitoring of IT systems for misconfigurations or deviations from best practices.
Whether exploring the possibilities of AI or moving data to the cloud, businesses need to ensure they have the right procedures and technology in place. At the end of the day, regardless of industry or business priorities, all organisations share the critical need to keep their data secure. From there, the key takeaways are clear: know what kind of data is stored and transmitted, understand the data flows, identify who has access and how it is used, and understand what kind of cryptography is currently in place to ensure it stays secure – both today and in the future.
Samantha Mabey is digital solutions marketing director at Entrust
This article was originally published in the Winter 2023 issue of Technology Record. To get future issues delivered directly to your inbox, sign up for a free subscription.