Light Dark
March 23, 2020 By Rick Robinson 4 min read
Data Protection
Risk Management

For many years — almost since the beginning of secure internet communications — data security professionals have had to face the challenge of using certificates, the mechanism that forms the basis of Transport Layer Security (TLS) communications. Certificates facilitate secure connections to websites (represented by the “s” in “https”), and are a core component of verifying the identity of servers, machines, internet of things (IoT) devices, users and access points — and that is just the beginning of a long list of occasions where we use and depend on certificates.

Certificates, encryption keys and the algorithms that they employ to protect data are part of a growing area of discussion: cryptographic risk, also known as crypto-risk.

What Is Crypto-Risk?

Crypto-risk is a metric used to represent how well our data is protected by cryptographic means. To put it in context, experts use “data risk” to represent unmanaged or unprotected sensitive data, and they use “platform risk” or “infrastructure risk” to represent the unmanaged vulnerabilities of a computer, the physical location where it resides or the security of its operating system.

In order to evaluate those risk metrics, organizations use a variety of tools to discover everything from unprotected sensitive data, such as Social Security numbers or credit card information, to unpatched vulnerabilities in their operating systems and applications. Many organizations do not, however, have an effective set of tools for measuring how well their data is protected by encryption. In other words, there is not currently an adequate method of measuring crypto-risk.

To move the science of data security forward, it is important to create a standard for determining crypto-risk — one that accounts for all factors that contribute to the vulnerability of encrypted data. This could include a set of criteria based on answers to questions such as:

  • What algorithm is used to provide integrity (e.g., MD-5, SHA-1, SHA-236, SHA-3, etc.)?
  • What key lengths for encryption are being used to protect your data and is it consistent across your enterprise (e.g., AES-128, AES-256, etc.)?
  • What algorithm is used for the digital signature on your company’s PGP keys or certificates (e.g., SHA-1, SHA-256, etc.)?
  • When is your certificate due to expire (e.g., December 31 at midnight)?
  • Who issued your certificate, how is it being validated and can it be (or has it been) revoked?
  • What cryptographic libraries or software are currently installed on your organization’s systems and applications? Are they sufficient to protect the data?

These questions will be numerous — just like the questions about malware and event management — but knowing the answers will help organizations understand how to consistently use and manage their cryptographic assets and continually assess how effective those assets are at protecting the organization’s data.

“The Quantum Computers Are Coming! The Quantum Computers Are Coming!”

The industry is already a step behind when it comes to defining and measuring crypto-risk, but the story doesn’t end there. As we cross a new threshold of computing power, security teams will face greater challenges when it comes to encryption. The quantum age, the next generation of computing, promises to solve problems that cannot realistically be tackled by traditional binary computers.

One of the anticipated capabilities of quantum computers is that they will efficiently implement Shor’s Algorithm and Grover’s Algorithm, which can be used to crack encryption keys in far less time than traditional computing methods. When quantum computers reach the point where they can implement these algorithms and be acquired by consumers for a reasonable price, we will see a rise in malicious actors’ ability to erode the strength of existing symmetric algorithms like AES and effectively nullify existing asymmetric algorithms that are commonly in use today, such as RSA or ECC.

Fortunately, we have not yet reached that critical juncture. In fact, we do not yet have a quantum computer with the strength necessary to nullify even an RSA key. It is hard to say when we will reach that point, though some of our leading researchers believe it could be only two decades away.

The good news is that the National Institute of Standards and Technology (NIST) has already embarked on an effort to introduce new, quantum-resistant encryption algorithms. These post-quantum cryptography (PQC) algorithms promise to be resistant to the power of quantum computers.

IBM is working with NIST on evaluating two algorithms as part of its CRYSTALS project with the hope that we see acceptance and standardization of these new algorithms within just a few, short years. Such a development would give data security professionals new ways to protect our critical data, even archived data, using encryption algorithms that can withstand the power of next-generation computers.

The Crypto-Risks of Today

Even without the risk posed by the advent of quantum computing, other cryptographic risks still exist that need to be addressed immediately. These include those simple but persistent problems of using obsolete encryption algorithms, short encryption keys and certificates that are of unknown origin or pending expiry. If those risks go undetected and unmanaged, they represent an immediate and present threat to the data protection and business continuity of your organization.

Microsoft and Let’s Encrypt recently highlighted how certificate mismanagement can detrimentally impact business continuity. There is no excuse for us to continue to fumble the ball when we know that the problem is only going to get more complicated as we move ahead. Consider the actions taken by Apple to actively block certificate trust for any certificate over a year old, or the attempt by hackers to infect enterprises’ computers through the display of fake certificate security alerts, taking full advantage of organizations’ disorganized certificate management.

These efforts show that mismanagement (or no management) of cryptographic assets, such as certificates, keys, algorithms and libraries, is of critical importance and can not only negatively impact business continuity, but also create opportunities for malicious actors to find ways to compromise enterprise data security.

These threats represent crypto-risk. Crypto-risk is a risk to all enterprises today and it must be addressed.

Strengthen the Data Security Chain

The door is locked and chained on data security, but the lock is old and the chain is rusty — and only as strong as its weakest link. When an enterprise’s data is at risk, it is incumbent on the data security team to measure the strength of each link and take action to fortify the entire chain.

When it comes to encryption, we have many moving parts: algorithms, varying key sizes, certificates, asymmetric key pairs, symmetric keys, key rotation, key derivation — the list goes on. In order to get a handle on crypto-risk, there needs to be a way to show, in a simplified, combined view, the totality of encryption-related risk. Without a way to measure that crypto-risk, there is no way security teams are going to be able to manage it.

 |  |  |  |  |  |  |  |  |  |  |  |  |  |  | 
Rick Robinson
Product Manager, Encryption and Key Management

More from Data Protection
January 27, 2025

How secure are green data centers? Consider these 5 trends

4 min read - As organizations increasingly measure environmental impact towards their sustainability goals, many are focusing on their data centers.KPMG found that the majority of the top 100 companies measure and report on their sustainability efforts. Because data centers consume a large amount of energy, Gartner predicts that by 2027, three in four organizations will have implemented a data center sustainability program, which often includes implementing a green data center.“Responsibilities for sustainability are increasingly being passed down from CIOs to infrastructure and operations…

January 21, 2025

Why maintaining data cleanliness is essential to cybersecurity

3 min read - Data, in all its shapes and forms, is one of the most critical assets a business possesses. Not only does it provide organizations with critical information regarding their systems and processes, but it also fuels growth and enables better decision-making on all levels.However, like any other piece of company equipment, data can degrade over time and become less valuable if organizations aren’t careful. What’s even more dangerous is that neglecting data hygiene can expose organizations to a number of security…

January 3, 2025

Router reality check: 86% of default passwords have never been changed

4 min read - Misconfigurations remain a popular compromise point — and routers are leading the way.According to recent survey data, 86% of respondents have never changed their router admin password, and 52% have never adjusted any factory settings. This puts attackers in the perfect position to compromise enterprise networks. Why put the time and effort into creating phishing emails and stealing staff data when supposedly secure devices can be accessed using "admin" and "password" as credentials?It's time for a router reality check.Rising router risksRouters…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2025 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature