It is no surprise that security is one of the hottest topics of the last couple of years. The increased interest in cloud computing and the concept of “Zero Trust” are quickly climbing the agenda of security officers in every organization. Critical workloads, such as applications that process sensitive data like healthcare information or financial transactions, need to be protected, not only in the cloud but also when running on-prem. There are many security-related aspects to take into account. One of the key concepts for securing applications and the infrastructure on which they run is cryptography. The concepts of cryptography need to be embedded into the organization from various points of view, and IT professionals require a clear path to guide them in the right direction: crypto policies for security-oriented organizations.
Introduction & main concepts
Many organizations create and propagate so-called crypto policy documents. These documents are part of the organization’s security vision; practically speaking, they are part of the (intended) security framework. A crypto policy document explains why the organization has a crypto policy in the first place and identifies the target audience. Often, the crypto team is the (main) author and owner of the document. Furthermore, the document explains how cryptography is defined and implemented in the organization, and which cryptographic standards are allowed and which are not. Key management and certificate management are important aspects of the document. Besides these topics, the document should also include terms and references, as well as any approved deviations from the topics mentioned above.
In the next sections, we’ll dive deeper into the actual concepts that form the heart of the document and thus of the policies that apply to everyone involved. This article can never be 100% complete, since cryptography is a huge topic that could easily fill an entire book. However, the topics covered are the most common ones and should give you a fair push in the right direction.
Context and scope
First of all, the document should describe the context and scope of cryptography in your organization. Practitioners need to know what is expected of them, but also what they can expect from the other departments and teams involved. This sets the baseline for all actions that follow as soon as a use case requires cryptography in the first place.
Most importantly, the owners and (intended) readers of the policy document should be clear. Besides this, the end users who make use of crypto services should be listed. Contact details and a (brief) description of the way of working should be in place, in addition to the services that the crypto team delivers.
Besides all of this, the document should mention the most important changes compared to the previous version, as well as updates from “the industry”. Think of the adoption of quantum computing or a new version of TLS.
Having the main contents and organizational topics in place gives each team a proper start to actually implement their security-related aspects.
Definition and implementation
This chapter should contain the main definition and explanation of cryptography. The main purposes and goals need to be explained in such a way that everyone understands why this is relevant. Cryptography can be applied based on the risk assessment of data (at rest and in transit) of applications that require a certain security level.
Many articles on the internet are dedicated to risk management. In terms of crypto, the following questions are most relevant:
- What and how big is the attack surface?
- Who are the main subjects of an attack?
- What are the consequences in case of a compromised system?
Every decision should be made based on this risk assessment, not “gut feeling”.
Often the requirements to encrypt data are stricter than those imposed on the environment in which the information resides. From a technical perspective, the environment can be the technical infrastructure and network, as well as the physical environment or the persons involved.
The crypto policy document should be explicit about who is responsible for which aspect of cryptography. Answers to at least the following questions need to be in place:
- Who is responsible for risk mitigation for workloads and/or infrastructure components?
- What are the main duties of the crypto team?
- Who holds the responsibility for the implementation of cryptographic solutions?
- Who is responsible for ordering crypto-related services and products (such as SSL certificates or Hardware Security Modules), and which processes need to be followed to do so?
- Who has sufficient mandate over the different aspects which are relevant in terms of the stated cryptography policies?
Besides the above-mentioned key aspects, everyone should also understand the way of working, what is expected of them, the current timelines for services delivered by the crypto team, as well as any impediments that hamper the DevOps teams consuming the various cryptography services.
Cryptographic standards & guidelines
At the heart of the crypto policy document are the cryptography standards and guidelines that should be used by anyone in the organization. Since crypto is a specialized topic, it’s vital that the crypto policy document explains the main concepts as well as the background information that supports them.
At least the following topics should be included:
- Symmetric and asymmetric encryption: what they are and what the differences are. Besides this, describe the pros and cons of each method and give the reader practical information about the potential use cases. In the end, the user should understand when to apply which method of encryption.
- With respect to encryption, explain what algorithms, protocols, and schemes are and what their main purpose is. This sets the right context and puts the main concepts into perspective. The policy document should list the algorithms, protocols, and schemes that application development teams are allowed to use. Think of the applicable SHA functions as described in NIST’s Secure Hash Standard.
Random Number Generators & Protocols
- Random Number Generators (RNGs) are used to generate symmetric encryption keys and public/private key pairs. The policy document must state which RNGs are allowed and which are not, since this determines which of them you may use for specific use cases.
- On top of this list, describe the different types of (block) cipher algorithms, such as the Advanced Encryption Standard (AES).
- Allowed protocols: this section should go deeper into the concepts and differences of encryption protocols such as SSL and TLS. Readers need to understand what the main differences are and which protocol is preferred over the other when applying them.
For every topic included in the document, there should be an explanation of how to use it securely. Recommended versions should be on the “comply or explain” list, so that readers are guided in their solution. They should also understand why things can go wrong if they use it in the wrong way. Application developers are not security experts, so flowcharts and other use-case diagrams should help them decide which solutions are suitable for their needs. Offer simple tables and diagrams that explain to what degree the intended security measures provide protection. Don’t assume people understand all aspects; be sure to explain how they relate to each other.
Key management
No crypto policy document is complete without a proper description of key management. Without having this in place, every other security measure is useless.
The crypto policy document needs to describe measures that apply to the (internal) security procedures and the organization itself, as well as IT-specific measures.
First of all, the key management section needs to elaborate on who is responsible for the key(s). Clear ownership needs to go hand in hand with clear responsibilities. Describe the interplay of key management with applications and which security requirements apply to each of them. This also affects permanent keys as well as temporary keys; readers should understand which situation applies to them.
Protection levels
A crypto policy often defines three different protection levels when it comes to key management:
- Level 1: A security administrator has direct access to the keys on an individual basis; there is no need to involve a second security administrator or an auditor.
- Level 2: Apply separation of concerns in terms of server management by implementing two-factor authentication, all under the supervision of an auditor.
- Level 3: Multi-party control. This means it is impossible to conduct key management-related activities without involving people other than the security administrators.
The policy document should include a matrix that maps the organizational measures and the protection levels as well as the security governance aspects that apply to these measures.
Besides the previous aspects, the policy document needs to cover the following topics about key management:
- Access control: who has access to which (type of) keys and who does not?
- Describe the validity of different types of keys (duration or number of used times).
- Storage solution: software-based solutions or through the usage of Hardware Security Modules (HSMs). Include storage requirements for different types of keys.
- Test (management) environments that enable users of security keys to test their keys should also be described, as well as their intended usage.
Perhaps one of the most important aspects is key life cycle management: generation, storage, usage, backups, archiving, distribution, and disposal. Every aspect should be carefully explained to guide the inexperienced reader.
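As an added illustration (not code from the original article), the Python below sketches how the key validity rules and life cycle stages described above could be enforced in code rather than only on paper. The four states, the transition table and the duration/use-count limits are constructed assumptions for the example, not values taken from any real policy.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional
import secrets

class KeyState(Enum):
    GENERATED = "generated"
    ACTIVE = "active"
    ARCHIVED = "archived"
    DISPOSED = "disposed"

# Permitted transitions (constructed policy): active keys are archived before disposal.
TRANSITIONS = {
    KeyState.GENERATED: {KeyState.ACTIVE, KeyState.DISPOSED},
    KeyState.ACTIVE: {KeyState.ARCHIVED},
    KeyState.ARCHIVED: {KeyState.DISPOSED},
    KeyState.DISPOSED: set(),
}

@dataclass
class ManagedKey:
    key_id: str
    owner: str                            # clear ownership, as the policy demands
    created: datetime
    max_age: Optional[timedelta] = None   # validity by duration ...
    max_uses: Optional[int] = None        # ... or by number of uses
    state: KeyState = KeyState.GENERATED
    uses: int = 0
    # Generation stage: 256-bit material from the OS CSPRNG, kept out of repr/logs.
    material: Optional[bytes] = field(default_factory=lambda: secrets.token_bytes(32), repr=False)

def transition(key: ManagedKey, new_state: KeyState) -> None:
    """Move a key along its life cycle; disposal wipes the material."""
    if new_state not in TRANSITIONS[key.state]:
        raise ValueError(f"{key.key_id}: {key.state.value} -> {new_state.value} is not allowed")
    key.state = new_state
    if new_state is KeyState.DISPOSED:
        key.material = None

def is_valid(key: ManagedKey, now: datetime) -> bool:
    expired = key.max_age is not None and now - key.created > key.max_age
    exhausted = key.max_uses is not None and key.uses >= key.max_uses
    return key.state is KeyState.ACTIVE and not expired and not exhausted

def use_key(key: ManagedKey, now: datetime) -> bytes:
    if not is_valid(key, now):
        raise PermissionError(f"{key.key_id} is not valid for use")
    key.uses += 1  # usage stage: every use is counted against the limit
    return key.material
```

A real key store would persist the state and usage counter and log each transition for the auditor mentioned under the protection levels.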
Certificate management
Digital certificates are used to let users, machines, services, and roles authenticate themselves. Besides this, they let you sign digital documents and encrypt and decrypt data. This section should describe how this is achieved and when data is considered to be protected in a secure way.
Authors of the policy document should include the following topics which all reside under certificate management:
- The role and main tasks of the Trust Service Provider (TSP) as well as the Certificate Service Provider (CSP).
- Elaborate on the different types of certificates and their main purpose.
- How digital certificates are issued and how the certificate chain works in terms of (elevated) trust.
- The role of public/private key pairs in relation to digital certificates as well as how that relates to digital identities.
- Which Public Key Infrastructures (PKIs) are allowed and which are not? Mention whether one or more PKIs are to be phased out.
- Provide a flow chart that guides the intended users in selecting the right certificate for their specific use case. Differentiate between internal and external use, as well as whether the certificate is to be used for production or non-production workloads.
On top of the previous list, the following topics should be included in the policy document: the role and restrictions of wildcard certificates, and the way certificate management can be automated (for example through the use of secret management software). Also, be sure to include the role and purpose of Certificate Authorities as well as the function of a Timestamping service.
Terms and references
A properly sorted glossary of terms and references must not be missing. Since there are so many (technical) terms and concepts, readers require a thorough alphabetical list of all of them. They need to be able to glance through the list and easily find the item they’re looking for. Besides a list of terms and references, there should be a solid table of contents, and each chapter should be structured in the same way. All of these aspects make applying the right crypto implementation a bit easier.
Conclusion
Cryptography is a tough and broad topic that requires specialists in different domains. Large organizations that want to apply cryptography standards in a structured way need to write a crypto policy document. A proper crypto policy document describes the purpose of the document, who is responsible for it, and the main cryptography aspects. Think of security standards and guidelines, key & certificate management, protocols, and governance-related policies. The policy document is a guidebook for every IT professional who needs to apply cryptography in any shape or form in the organization.