Gregory Webb is the CEO of AppViewX, a cybersecurity and IT infrastructure automation platform enabling digital transformation.
Cryptography is an essential component of every enterprise’s cybersecurity strategy today and forms the foundation of trust in the online world, encrypting transactions and enabling secure point-to-point communications. With digital transactions becoming business as we know it, cryptography is vital for securing the digital economy and enterprise-critical infrastructure.
Yet cryptography and digital identity as a whole are rarely discussed as part of an overall cybersecurity strategy. Most organizations’ information security teams just assume it’s all properly managed. However, if you have unmanaged digital certificates and keys or weak crypto standards, it not only impacts your business continuity but also leaves your critical infrastructure exposed and vulnerable. As a result, your organization might end up with a serious data breach, a compliance violation and irrecoverable financial loss, and reputational damage.
Given how businesses are transforming with cloud migration, DevOps and the internet of things (IoT), the magnitude of digital communications and related security requirements has catapulted. The number of machines and their identities have increased significantly, making the digital identity ecosystem so much more massive and complex to manage.
Having a well-thought-through and executed crypto management strategy is necessary to defend your business from data breaches, service disruptions and compliance failures.
Crypto-agility is another critical capability that all digital businesses need to consider. It is a measure of how quickly an organization can take proactive steps to mitigate threats. Crypto-agility will become even more relevant in a post-quantum world, where you need to rapidly scale up and be prepared to fight quantum threats. This is also the reason why you need to define a strong crypto management strategy. If you’re not quantum-ready and agile, the confidentiality, integrity and availability of the applications that drive your business could be compromised, putting your business in grave risk.
How do you define and implement an enterprise-wide crypto strategy? What does it take to adopt and standardize cryptography best practices so your organization is inherently secure and compliant?
This is where a cryptographic center of excellence, or CCoE, comes into play.
What Is A Cryptographic Center Of Excellence?
CCoE is a framework that weaves together people, processes, policies and technology to help organizations establish an enterprise-wide crypto strategy to take control of their critical infrastructure. The purpose of a CCoE is to create a central hub for all things PKI and help organizations effectively adapt to the changes in the future with crypto-agility.
How Does A Mature CCoE Model Help?
A mature CCoE model will deliver the following business value:
- Ownership: Bring all business units together to collectively own the crypto responsibility and ingrain the best practices into the very DNA of enterprise security.
- Leadership: Spearhead initiatives that inspire other business units to adopt safe and reliable crypto practices.
- Research: Understand pain points and gather requirements from other business units. Use the information to recommend an effective crypto strategy.
- Best practices: Define and build a handbook of crypto requirements and compliance that teams can refer to when evaluating new tools or technology.
- Advice and expertise: Guide business units on the security aspects of their tools and technology assessment, such as potential vulnerabilities and compliance issues.
The Journey Toward A Mature CCoE
Establishing a mature CCoE model is more of a journey than a one-time process. There may be challenges along the way, such as lack of resources, siloed tools and teams, and changing industry regulations that tend to slow down the process. But with proper planning and efficient leadership, the journey gets easier and the results are more effective and efficient.
Here are some pivotal steps to consider as you work toward building a mature CCoE:
Educate Key Stakeholders
Establishing a CCoE begins with teamwork. Getting all the key stakeholders to agree on the processes and policies is imperative for successful implementation. Start with creating a CCoE roadmap and educating all the teams involved about the significance of cryptography, the need for a CCoE and the responsibilities each team must own or share. Only when cross-team collaboration is at its best can you get the best out of a CCoE.
Know Your Crypto Infrastructure
Clearly, you can neither control nor protect what you can’t see. Visibility into your crypto assets and machine identities is indispensable—especially when there are thousands of them distributed across multiple cloud and on-premises environments. Running a deep network-level scan to discover all the digital certificates used in your organization can provide an initial baseline. Sorting them into a central inventory and analyzing them for crypto standards and compliance can provide much-needed organization. Deep visibility into certificates not only gives you better control but also makes it easy for your teams to analyze and remediate issues.
Well-defined policies enable better governance. A CCoE must define and enforce a uniform, enterprise-wide PKI policy to standardize crypto management and improve compliance. It must also establish role-based access controls to regulate access to crypto assets and recommend tool integrations to simplify user management and access control (e.g., integration with the corporate user IAM). This helps authenticate and authorize the right people, reinforcing your zero-trust strategy.
One of the primary responsibilities of a CCoE is to simplify crypto management and policy governance for all users, applications, workloads and devices. This cannot be achieved with spreadsheet-based manual processes or siloed automation. As digital transformation progresses, machine identities will continue to grow both in volume and variety. A CCoE must include automated processes with self-service workflows and integrate them seamlessly with DevOps and enterprise solutions such as ITSM and SIEM tools so certificate lifecycle management is simplified and automatic.
Be Proactive And Stay Ahead Of Threats
As new attack vectors evolve and quantum computing advances, cryptography will proliferate deeply and find more enterprise security use cases. Developing and maintaining an enterprise-wide CCoE can immensely help in adapting to changes and mitigating threats. For security-conscious organizations undergoing digital transformation, a CCoE can serve as both a great security feature and ultimately a business enabler.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?