Cryptography: welcome to my world of confidentiality, integrity and availability. For the past 20 years, I have had the privilege of being part of the steady evolution of how organizations encrypt data and helping customers secure their most sensitive information: cardholder data, health records and payment transactions. Now in 2021, what cryptographic trends are we seeing in day-to-day business and beyond?
Cryptography has come a long way since ATM cash withdrawals and secure internet browsing. With more buy-in from CISOs, enterprises have been embracing cryptography more broadly. Previously, implementing cryptography was viewed as a hurdle because of the cost, impact on user experience and deployment challenges. The cloud has spurred vast cryptographic adoption recently. Enterprises and financial services organizations embrace it for general network security, key management, code signing, retail payment transactions, protecting data at rest and in transit and many more. The cloud helps alleviate cost issues and now has more options, so organizations have an easier time managing their cryptographic infrastructure.
Along with cryptography, we are seeing growing interest in its close cousin, tokenization, which is being implemented cross-industry — spurred out of the need for PCI DSS compliance and organizations’ desire to reduce their compliance scope. And with increased data protection regulations, such as GDPR, we’re starting to see tokenization used more frequently in healthcare, financial services and enterprises. Tokenization replaces actual data with a token that is worthless to hackers.
Common Security Challenges: Untwining Bad Habits
Managing keys is a hot issue, especially when dealing with access rights to the data, legal ramifications of outsourcing and how risks are mitigated. Common questions we hear: How do I protect my company? We have moved to the cloud, but who is the actual owner of the data? What protections do I have in the cloud? What happens if I have all my information, including my cryptographic keys in a certain cloud provider, and they get subpoenaed? What happens to the data if my organization gets subpoenaed?
Other cloud and security considerations are single-source cloud provider or a multi-cloud; how data is moved; and how organizations maintain control of the data while keeping it secure.
At the end of the day, organizations want to improve their data security. Many organizations have been taking a minimalist approach to their key management until recently. As organizations grow, many find it challenging to build out their cryptographic architecture to manage PKI, identity management and data at rest. They must untwine some bad habits, particularly concerning key and certificate management, to build for today but also plan for tomorrow.
The Guy in the Basement
We can’t talk about data security without talking about the evolution of threats. Not too long ago, threats began with what I like to refer to as the guy in the basement, then to organized crime, ultimately leading to much more sophisticated state-sponsored and ransomware attacks. These increasing threats pave the way for cryptography to expand and become more in demand.
Just ten years ago, cryptography was considered an annoyance to many. Not many people understood it, and, historically, managing cryptographic systems has been a very manual, tedious process. Now, we’re getting to the point across industries where security and cryptography are prioritized, and the requirements are better understood — including next-generation college graduates who fundamentally get it.
It’s a very exciting time. We’re at the forefront of new implementations and innovations, with encryption as the enabler. We’re seeing new ways payments are being taken, especially for the micro-merchants. We also see new payment methods, such as contactless payments on COTS (CPoC) are easy for the end-user to set up and exchange money quickly, especially with the cloud continuing to get bigger and better. With everything combined, we are on the verge of a huge tide of evolutionary innovations that will be rolled out in the next five to ten years.