TYSONS CORNER, VA – July 19, 2024

In the intricate web of cloud, on-premises, and hybrid environments cryptographic keys remain high-value targets for the exploitation of our most sensitive data and systems. They are referenced often and mischaracterized even more often but are pivotal to safeguarding everything from personal communications to national secrets. Yet, in a twist of irony, these very keys—designed to protect us—are themselves perilously vulnerable. This paradox forms the heart of a critical issue that many government agencies are struggling to address: the inability to effectively inventory and manage their cryptographic assets.

The Ubiquity and Vulnerability of Cryptographic Keys

Protection and access to cryptographic keys are the cornerstone of secure communication in the digital age. Keys encrypt emails, authenticate users, protect transactions, and secure files. However, their reliance and omnipresence are also their Achilles’ heel. Keys are embedded in various applications, devices, and networks, making them ubiquitous yet often invisible to those tasked with their management. Furthermore, they can get embedded deep within firmware and hardware putting them effectively out of reach for traditional scanning and discovery tools.

One of the most glaring vulnerabilities arises from the sheer volume and dispersion of these keys across traditional on-premises and managed cloud environments. In an average enterprise, especially within large government agencies, thousands to millions of cryptographic keys are in use. Each key, if not properly managed, represents a potential entry point for cyber adversaries. The reality is stark: without a comprehensive and exhaustive inventory, this preponderance of key creation and storage quickly becomes unmanageable and you are left with “keys in the wild.” Highly privileged objects existing in various logical locations but outside the purview of security operations and effective risk management controls.

The Challenge of Inventorying Cryptographic Assets

The difficulty in inventorying cryptographic keys lies in their nature and deployment. Keys can be static or dynamic, symmetric or asymmetric, long-term or ephemeral. They can reside in software, hardware, cloud environments, or even be embedded in firmware. This diversity complicates the task of creating an exhaustive inventory. Government agencies, tasked with protecting critical national infrastructure, face an uphill battle in this regard. Traditional asset management tools are often ill-equipped to detect and catalog cryptographic keys scattered across diverse environments, let alone provide context around their origin and usage. Furthermore, the rapid pace of technological advancement means that new types of keys and encryption methods are continually emerging, adding layers of complexity to an already overwhelming footprint. Access for cyber defenders is further inhibited by strict adherence to service level agreements (SLAs) between customer and service provider.

The Risks of Unmanaged Cryptographic Keys

When cryptographic keys are not adequately managed, the risks are manifold and severe. Unmanaged keys can lead to unauthorized access, data breaches, and system compromises. For government agencies, the stakes are even higher, with potential consequences including espionage, sabotage, data exfiltration, and overall threats to national security.

One of the primary risks is key misuse or theft. Cybercriminals, once they obtain a cryptographic key, can decrypt sensitive information, impersonate legitimate users, or tamper with data integrity. The infamous Snowden leaks highlighted how critical it is to control access to cryptographic keys. Even trusted insiders can become threats if key management practices are lax. Moreover, the lack of a proper inventory means that expired or weak keys may continue to be used, creating vulnerabilities that can be exploited by adversaries. Without visibility into their cryptographic landscape, agencies cannot enforce key rotation policies or ensure compliance with regulatory standards, further compounding the risk.

A Call to Action: Prioritizing Cryptographic Key Management

Addressing the vulnerability of cryptographic keys requires a multi-faceted approach. First and foremost, government agencies must invest in advanced cryptographic asset discovery and management tools capable of inventorying, cataloging, and managing keys across all environments and diving deep enough into firmware to include the root of trust. These systems should integrate with existing security infrastructure from EDR to GRC products to provide real-time visibility and control over cryptographic assets and enhance threat-hunting and pursuit activities.

Additionally, agencies must adopt strict key governance policies and ensure vaulting of privileged credentials and tokens. This includes implementing key rotation schedules, enforcing strong privileged access controls, and conducting regular audits to ensure adherence and investigate anomalies. Training and awareness programs are also crucial, as they equip support personnel with the knowledge to how to appropriately handle cryptographic keys generation and storage responsibly.

What Agencies Can Do Now — Inventory

Cryptographic keys are the linchpins of digital security, yet they are perilously vulnerable when left unmanaged. For government agencies, the inability to inventory and control these keys poses significant risks to their operations and the security of sensitive data. By recognizing the critical importance of robust key management practices and investing in the necessary tools and policies, agencies can mitigate these risks and protect their cryptographic assets from being lost in the wild. The time to act is now—before the gatekeepers of our digital world become the enablers of our undoing.