Supply Chain Risk Management
Continuously identify and report on the status of Cryptographic use
There Can Be No Weak Links in Your Supply Chain
Cryptography is ubiquitous today. It is used to authenticate users and services to one another. It is used to secure data when transmitted between two parties. It is used to conceal stored data on hard drives and other storage media. It is used to conceal our financial transactions from prying eyes when we use our banking apps.
In the SolarWinds supply chain compromise, researchers found that a key element of the compromise was enabled by a weak default cryptographic configuration of the client’s Active Directory Kerberos service. Attackers exploited this to gain administrative privileges in the Active Directory domain and further the objectives of the attack.
In general, despite any central policies, organizations have no way to 1) identify the cryptographic protocols and algorithms in use across enterprise operations, 2) evaluate actual deployment status against corporate policy, 3) analyze and prioritize the remediation of policy exceptions or deficiencies, or 4) consistently identify and report on the status of cryptographic use, whether on a user’s desktop or on the servers housing the corporate crown jewels.
Lifecycle management is a process whereby managed elements are periodically evaluated for current status and analyzed against corporate policy, exceptions to policy are identified, and the process by which they are remediated is documented and auditable. It is a process that assures the integrity of the security controls it represents.
Cryptographic Lifecycle Management is therefore the process by which cryptography and its elements are managed constantly across the enterprise, in such a way that potentially business-impacting deficiencies can be identified and mitigated before they become the target of a major compromise.
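As an added illustration of the identify, evaluate, prioritize and report loop described above (this is example code written for this page, not a product or tool from the original), the following evaluates a constructed crypto inventory against a constructed corporate policy and ranks the exceptions by asset criticality. The policy contents, asset names and criticality scores are assumptions chosen for the example.

```python
# Added example: a minimal cryptographic-policy evaluator for the
# identify -> evaluate -> prioritize -> report lifecycle.
# Inventory records, policy and criticality scores are constructed sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class CryptoUse:
    asset: str        # host or service where the use was discovered
    protocol: str     # e.g. "TLS", "Kerberos", "RSA"
    algorithm: str    # cipher suite, Kerberos encryption type or key algorithm
    key_bits: int     # 0 when a key size is not applicable
    criticality: int  # 1 (low) .. 3 (crown jewels), assigned by the asset owner


# Constructed corporate policy: permitted algorithms and minimum key sizes.
POLICY = {
    "TLS": {"allowed": {"AES-128-GCM", "AES-256-GCM"}, "min_key_bits": 128},
    "Kerberos": {"allowed": {"aes128-cts-hmac-sha1-96",
                             "aes256-cts-hmac-sha1-96"}, "min_key_bits": 128},
    "RSA": {"allowed": {"RSA"}, "min_key_bits": 2048},
}


def evaluate(use):
    """Return the list of policy deficiencies for one inventoried use."""
    rule = POLICY.get(use.protocol)
    if rule is None:  # an uncovered protocol is itself a policy gap
        return ["no policy covers protocol %s" % use.protocol]
    issues = []
    if use.algorithm not in rule["allowed"]:
        issues.append("algorithm %s not permitted" % use.algorithm)
    if use.key_bits and use.key_bits < rule["min_key_bits"]:
        issues.append("key size %d below minimum %d" % (use.key_bits, rule["min_key_bits"]))
    return issues


def prioritize(inventory):
    """Rank exceptions: highest criticality first, then most deficiencies."""
    exceptions = [(u, evaluate(u)) for u in inventory if evaluate(u)]
    exceptions.sort(key=lambda f: (-f[0].criticality, -len(f[1]), f[0].asset))
    return exceptions


def report(inventory):
    """Summarize compliance status for the whole inventory."""
    exceptions = prioritize(inventory)
    return {"total": len(inventory), "compliant": len(inventory) - len(exceptions),
            "exceptions": [(u.asset, u.protocol, issues) for u, issues in exceptions]}


# Constructed inventory (sample data, not from any real environment).
SAMPLE_INVENTORY = [
    CryptoUse("dc01", "Kerberos", "rc4-hmac", 128, 3),
    CryptoUse("web01", "TLS", "AES-256-GCM", 256, 2),
    CryptoUse("ca01", "RSA", "RSA", 1024, 3),
    CryptoUse("laptop-42", "TLS", "3DES-CBC", 112, 1),
]
```

Running `report(SAMPLE_INVENTORY)` lists the two crown-jewel assets first, so remediation effort goes where a compromise would hurt most.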