Looking back a year ago, when writers published blogs and articles predicting what 2014 would have in store for us, many were calling it the “Year of Encryption.” This was largely due to the NSA/Snowden revelations, which lit a raging privacy vs. security fire, with the widespread use of encryption as the by-product. Google, Microsoft, Yahoo!, and many other eGiants began encrypting everything, everywhere, not only to combat government surveillance programs, but most importantly to protect against attacks from a litany of cyber adversaries.
What we didn’t count on was 2014 ultimately being the “Year of Encryption Vulnerability.”
That’s exactly what happened. And for enterprise security warriors waging a daily war against multitudes of cyber adversaries, from solo hackers to well-funded nation-states, it couldn’t have happened at a worse time. There was Heartbleed, then Shellshock, then POODLE, and many more along the way that didn’t make the headlines. Remediating these vulnerabilities presented different challenges, yet the common thread between them all was that they threatened the trustworthiness of encryption keys and digital certificates. Security teams found themselves spending massive amounts of time and resources remediating, ironically, the very same encryption “trust instruments” they had deployed in the first place to keep them safe. The enterprise PKI, designed to surround sensitive data like an impenetrable brick wall, turned out in some cases to be full of hidden trap doors.
So where do we go from here? That’s a question we must all ask ourselves, and answer correctly, because the use of encryption will only continue to increase exponentially, regardless of how well or poorly we manage it. In a hyper-connected world in which privacy and security are ever more important, our businesses must be in a position of strength when it comes to encryption, so that we can actually trust encryption to do its job and protect sensitive data everywhere it’s employed. If we don’t, trust itself could be undermined to the point where the internet reverts to the e-commerce of the 1990s, when hardly anyone trusted it to perform financial or otherwise sensitive transactions online. When I read articles stating that the German spy agency wants to buy zero-day vulnerabilities in order to undermine SSL security, that’s literally what I envision.
From a security perspective, I believe we are at a point where it’s become absolutely mandatory that all encryption keys and digital certificates are secured and managed with the right technology, people and processes. In other words, we must now treat all keys and certificates as if they are the most privileged set of credentials that exist in the enterprise.
That means we must be in a position to immediately and effectively remediate encryption vulnerabilities when they inevitably come to light. When the next Heartbleed hits, we must be able to quickly find every single affected key and certificate, and then automatically revoke, replace, and reissue. Our businesses and brands can’t afford incomplete remediation when it comes to trust-based vulnerabilities.
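The “find every affected key and certificate” step above is where most remediation efforts stall, because it needs an inventory plus rules that say which certificates must be revoked and reissued. The following added example (not code from the original post or from any product it mentions) shows that triage logic in Go using only the standard library. It assumes the inventory already knows which hosts ran the vulnerable software and the window during which private keys on those hosts may have leaked; the hostnames, dates and exposure window below are constructed for illustration, and the self-signed certificates are generated in-process so the example runs offline.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Finding is one certificate that needs remediation, with every reason found.
type Finding struct {
	Subject string
	Reasons []string
}

// TriageCerts applies the remediation rules to an inventory of parsed certificates.
// affectedHosts: hosts known to have run the vulnerable software (assumption: supplied by the inventory).
// exposureStart/exposureEnd: window during which private keys on those hosts may have leaked.
// now is passed in so results are deterministic; minRSABits is the smallest acceptable RSA modulus.
func TriageCerts(certs []*x509.Certificate, affectedHosts map[string]bool, exposureStart, exposureEnd, now time.Time, minRSABits int) []Finding {
	var findings []Finding
	for _, c := range certs {
		var reasons []string
		// Rule 1: the key was live on an affected host at some point inside the exposure window,
		// so it must be treated as compromised: revoke, generate a NEW key, reissue.
		if servesAffectedHost(c, affectedHosts) && c.NotBefore.Before(exposureEnd) && c.NotAfter.After(exposureStart) {
			reasons = append(reasons, "private key may have been exposed; revoke and reissue with a new key")
		}
		// Rule 2: weak RSA modulus (reissuing with the same weak key size would be a wasted rotation).
		if pub, ok := c.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < minRSABits {
			reasons = append(reasons, fmt.Sprintf("RSA key is %d bits, below the %d-bit minimum", pub.N.BitLen(), minRSABits))
		}
		// Rule 3: expired, or expiring within 30 days.
		switch {
		case now.After(c.NotAfter):
			reasons = append(reasons, "certificate has expired")
		case c.NotAfter.Sub(now) < 30*24*time.Hour:
			reasons = append(reasons, "certificate expires within 30 days")
		}
		if len(reasons) > 0 {
			findings = append(findings, Finding{Subject: c.Subject.CommonName, Reasons: reasons})
		}
	}
	return findings
}

// servesAffectedHost reports whether any name the certificate covers belongs to an affected host.
func servesAffectedHost(c *x509.Certificate, affected map[string]bool) bool {
	if affected[c.Subject.CommonName] {
		return true
	}
	for _, n := range c.DNSNames {
		if affected[n] {
			return true
		}
	}
	return false
}

// makeCert builds a self-signed certificate for cn so the example runs offline.
// A real inventory would read these from servers, key stores and config files instead.
func makeCert(cn string, bits int, notBefore time.Time, days int) *x509.Certificate {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(0, 0, days),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// sampleInventory returns a constructed inventory and a constructed exposure window (illustrative dates).
func sampleInventory() ([]*x509.Certificate, map[string]bool, time.Time, time.Time, time.Time) {
	exposureStart := time.Date(2014, 1, 1, 0, 0, 0, 0, time.UTC)
	exposureEnd := time.Date(2014, 4, 8, 0, 0, 0, 0, time.UTC)
	now := time.Date(2014, 4, 15, 0, 0, 0, 0, time.UTC)
	certs := []*x509.Certificate{
		makeCert("shop.example.com", 2048, time.Date(2013, 6, 1, 0, 0, 0, 0, time.UTC), 365),     // affected host, key live in window
		makeCert("legacy.example.com", 1024, time.Date(2013, 9, 1, 0, 0, 0, 0, time.UTC), 365),   // weak key, host not affected
		makeCert("intranet.example.com", 2048, time.Date(2014, 4, 10, 0, 0, 0, 0, time.UTC), 365), // issued after the window: clean
	}
	affected := map[string]bool{"shop.example.com": true}
	return certs, affected, exposureStart, exposureEnd, now
}

func main() {
	certs, affected, start, end, now := sampleInventory()
	for _, f := range TriageCerts(certs, affected, start, end, now, 2048) {
		fmt.Printf("%s:\n", f.Subject)
		for _, r := range f.Reasons {
			fmt.Printf("  - %s\n", r)
		}
	}
}
```

Rule 1 keys off the certificate’s validity overlapping the exposure window rather than off its issue date alone: a certificate issued long before the vulnerability was still serving during the window, and its key is exactly the one that must be replaced. Reissuing against the same private key, which some automated renewal flows do by default, would leave the exposure in place, which is why the finding text says “with a new key”.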
More importantly, as malicious cyber operations (nation-state and others) increasingly use encryption to evade detection and silently siphon off massive volumes of sensitive data from businesses, we must adapt to this new reality and be in a position to fight back. The ever-expanding digital universe certainly holds much promise for the world. Yet the future of securing sensitive, private and financial data within this universe largely depends upon our ability to secure and properly manage the encryption assets we all rely upon to make trust online possible.