Recently we've had a lot of people contact us to talk about crypto inventory. What is crypto inventory? It is the process of going around your IT infrastructure and working out wherever it is that you are using cryptography. A lot of organizations have already got a policy for cryptography, so they already have some way of saying: in our organization I only want to use RSA keys that are a certain length, I don't want to use AES keys of a certain length, I don't use any old hash functions like MD5 or SHA-1. So crypto inventory is the process of checking that your infrastructure really does respect the policy that you've put down. More people are being asked to do this by their auditors, or their own risk assessment organization has worked out they need to do it, but there are other good reasons to do crypto inventory as well.

So you might want to do crypto inventory to check that your crypto really follows your policy, or you might want to do it to prepare for post-quantum cryptography: if you're going to upgrade all of your asymmetric crypto to be quantum resistant, you first need to work out where it is you're using it and for what purposes. You might also want to do crypto inventory to prepare for migration to the cloud. You need to know what algorithms and what key management are going on inside your critical applications if you're going to build a version of that that's going to work on a public cloud provider's crypto services.

Crypto agility is the ability to change cryptographic algorithm, library or key set in a short period of time when one needs to. That might be because an algorithm has been compromised; it might be because post-quantum crypto is necessary, as quantum computers are coming faster than we thought. The first step to doing that is to have an accurate inventory of where you're using all those crypto algorithms. Once you have that inventory you can look to see where you have obstacles to crypto agility: so where do I have hard-coded in my application the name of the algorithm, or the provider, or the particular cipher suite I'm using, that could be made independent so that I can then later on change it in an easy and modular way?
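As an added example (not Cryptosense's tooling and not code from the talk), here is a small Python scanner for the obstacles to agility just described: algorithm names, provider names, cipher suites and hash functions hard-coded as string literals in application source. The file names, source snippets and regular expressions are constructed for illustration; a real scan would walk a code base and would need patterns for each language and crypto API in use.

```python
import re

# Constructed sample "source files" (hypothetical names and contents).
# Two contain hard-coded crypto choices; the third reads the choice from
# configuration and is therefore not an obstacle to agility.
SAMPLE_SOURCES = {
    "PaymentService.java": '''
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        MessageDigest md = MessageDigest.getInstance("SHA-1");
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", "BC");
    ''',
    "tls_client.py": '''
        ctx.set_ciphers("ECDHE-RSA-AES128-GCM-SHA256")
        digest = hashlib.md5(data).hexdigest()
    ''',
    "config_driven.py": '''
        algo = settings["hash_algorithm"]
        digest = hashlib.new(algo, data).hexdigest()
    ''',
}

# Each pattern captures the literal that is hard-coded; the key names the
# kind of choice (the three kinds from the talk, plus hash functions).
PATTERNS = {
    "algorithm": re.compile(
        r'(?:Cipher|MessageDigest|KeyPairGenerator|Mac|Signature)'
        r'\.getInstance\(\s*"([^"]+)"'),
    "provider": re.compile(r'getInstance\(\s*"[^"]+"\s*,\s*"([^"]+)"'),
    "cipher_suite": re.compile(r'set_ciphers\(\s*"([^"]+)"'),
    "hash_function": re.compile(r'hashlib\.(md5|sha1|sha256|sha512)\b'),
}


def find_hardcoded_crypto(sources):
    """Return (file, line_no, kind, literal) for every hard-coded crypto choice."""
    findings = []
    for name, text in sources.items():
        for line_no, line in enumerate(text.splitlines(), 1):
            for kind, pattern in PATTERNS.items():
                for match in pattern.finditer(line):
                    findings.append((name, line_no, kind, match.group(1)))
    return findings


def summarize(findings):
    """Count findings per kind, which is the shape of a remediation backlog."""
    counts = {}
    for _, _, kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for finding in find_hardcoded_crypto(SAMPLE_SOURCES):
        print("%s:%d  %s = %s" % finding)
    print(summarize(find_hardcoded_crypto(SAMPLE_SOURCES)))
```

Each finding is a place where changing the algorithm later means editing and re-releasing code; the remediation the talk points at is to move that literal into configuration (as `config_driven.py` does) so that the choice can be changed without touching the application.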
When you do crypto inventory you need to prioritize. You've only got a certain amount of resources; what are you going to do to make sure you use them in the best way? A typical approach is to rely on data classification. So if I'm using an application to treat customer data, personally identifying data, secrets of my company, then I want to know exactly what's going on with the crypto there, whereas maybe in some other parts of the infrastructure, where I haven't got the resources to really dive deep and there's no sensitive customer data, I can make do with a basic scan to understand what's going on.

Now, Cryptosense's tools can scan the cryptography you're using at all kinds of different levels. At the highest level we can scan the network: we can look for network services, tell you what cipher suites are in use, what keys and certificates, and apply your policy to that. One level down from there we can scan file systems, so we can pick up certificates, keys, key stores, crypto libraries and so on. Down from that we can scan inside applications. A unique thing we can do at Cryptosense is track how an application calls its crypto libraries while it's running, so you understand not just what cryptography is possible from that code but what crypto algorithms actually get used, and from where, when the application is running. This gives you the priority information that you really need to decide what you need to remediate and how you're going to upgrade that application to post-quantum crypto or plug it into a cloud crypto service provider.

The way we do inventory at Cryptosense is to send all of the data we've captured from around the network, so from applications, from network services, from file system scans, into the Cryptosense Analyzer platform, where we can apply a vulnerability analysis and export in a way that's suitable for visualization, for example in Kibana or Splunk, so that you can deal with the large volumes of data that you're going to have to look at. And we allow you to cross-reference a scan, so for example you can answer the question: this certificate that I found on the network, where is it stored on the file system of that application, and when is it actually used when the application runs? So we give you full 360-degree visibility on the cryptography in your infrastructure.
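The two things the talk describes, applying a crypto policy to scan data and cross-referencing one certificate across the network, file system and runtime layers, can be shown together on a small constructed inventory. This added Python example is not Cryptosense's code or data format: the policy values, the `.internal` host names, paths, stack locations and the `fp()` stand-in for a certificate fingerprint are all constructed for illustration, and the three record lists stand in for the three scan layers.

```python
import hashlib

# Policy as described in the talk (values chosen for this example).
POLICY = {
    "min_rsa_bits": 2048,
    "allowed_aes_bits": {128, 256},
    "banned_hashes": {"MD5", "SHA-1"},
}


def fp(label):
    """Stand-in for a certificate fingerprint, so one cert can be matched across layers."""
    return hashlib.sha256(label.encode()).hexdigest()[:16]


# Constructed records from the three scan layers (hosts, paths, stacks are placeholders).
NETWORK_SCAN = [
    {"host": "payments.internal:443", "cipher_suite": "TLS_RSA_WITH_AES_128_CBC_SHA",
     "sig_hash": "SHA-1", "cert_fp": fp("payments-cert"), "key_type": "RSA", "key_bits": 1024},
    {"host": "api.internal:8443", "cipher_suite": "TLS_AES_256_GCM_SHA384",
     "sig_hash": "SHA-256", "cert_fp": fp("api-cert"), "key_type": "RSA", "key_bits": 3072},
]
FILESYSTEM_SCAN = [
    {"host": "payments.internal", "path": "/opt/payments/keystore.jks",
     "cert_fp": fp("payments-cert"), "key_type": "RSA", "key_bits": 1024},
    {"host": "api.internal", "path": "/etc/ssl/api.pem",
     "cert_fp": fp("api-cert"), "key_type": "RSA", "key_bits": 3072},
    {"host": "batch.internal", "path": "/srv/batch/old.p12",
     "cert_fp": fp("batch-cert"), "key_type": "RSA", "key_bits": 1024},
]
RUNTIME_TRACE = [  # what the running application actually called, and from where
    {"host": "payments.internal", "call": "SSLContext.init",
     "cert_fp": fp("payments-cert"), "stack": "com.example.pay.TlsSetup:42"},
    {"host": "payments.internal", "call": "MessageDigest.getInstance",
     "algorithm": "MD5", "stack": "com.example.pay.Legacy:17"},
    {"host": "api.internal", "call": "SSLContext.init",
     "cert_fp": fp("api-cert"), "stack": "com.example.api.Server:88"},
]


def check_policy(record, policy=POLICY):
    """Return the policy violations for one record from any layer (empty list if clean)."""
    violations = []
    if record.get("key_type") == "RSA" and record.get("key_bits", 0) < policy["min_rsa_bits"]:
        violations.append(f"RSA key of {record['key_bits']} bits below {policy['min_rsa_bits']}")
    for h in (record.get("sig_hash"), record.get("algorithm")):
        if h in policy["banned_hashes"]:
            violations.append(f"banned hash {h}")
    suite = record.get("cipher_suite", "")
    for bits in (128, 192, 256):
        if f"AES_{bits}" in suite and bits not in policy["allowed_aes_bits"]:
            violations.append(f"AES-{bits} not allowed")
    return violations


def inventory_report(policy=POLICY):
    """Run the policy over every record of every layer; returns (layer, where, violations)."""
    layers = (("network", NETWORK_SCAN, "host"),
              ("filesystem", FILESYSTEM_SCAN, "path"),
              ("runtime", RUNTIME_TRACE, "stack"))
    report = []
    for layer, records, key in layers:
        for record in records:
            found = check_policy(record, policy)
            if found:
                report.append((layer, record[key], found))
    return report


def cross_reference(cert_fp):
    """Trace one certificate through the network, file system and runtime layers."""
    return {
        "network": [r["host"] for r in NETWORK_SCAN if r["cert_fp"] == cert_fp],
        "filesystem": [r["path"] for r in FILESYSTEM_SCAN if r["cert_fp"] == cert_fp],
        "runtime": [r["stack"] for r in RUNTIME_TRACE if r.get("cert_fp") == cert_fp],
    }


def unused_on_disk():
    """Certificates present on a file system that the runtime trace never saw loaded."""
    loaded = {r["cert_fp"] for r in RUNTIME_TRACE if "cert_fp" in r}
    return [r["path"] for r in FILESYSTEM_SCAN if r["cert_fp"] not in loaded]


if __name__ == "__main__":
    for entry in inventory_report():
        print(entry)
    print(cross_reference(fp("payments-cert")))
    print("on disk but never loaded:", unused_on_disk())
```

The runtime layer is what separates "possible" from "actually used": the weak key in `/srv/batch/old.p12` is a policy finding, but because no running application loaded it, it sits lower in the remediation queue than the payments certificate, which the cross-reference ties to a live TLS endpoint, a keystore path and the exact code location that loads it.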
