Gluing the terms software-defined and cryptography together in one phrase may seem counter-intuitive at first. Just like the realm of networking where the software-defined trend first gained momentum, cryptography has firm roots in hardware. To be more specific, purpose-built hardware has been the basis for cryptographic key management and protection, maintaining keys’ confidentiality—a basic tenet in cryptography.
Given that cryptography is one of the foundational elements of cybersecurity—used to protect organizations’ most sensitive data, systems and software—it’s no surprise that security-minded companies have been relying on certified and field proven hardware in their cryptography implementations. But the digital transformation is challenging traditions in many realms of IT, leading organizations to adopt software-defined architectures that enable faster, more scalable, more automated operations. No less so in cryptography.
Which raises the question: can cryptography be software defined?
Content platform SDxCentral defines software defined everything, or SDx, as “any physical item or function that can be performed as or automated by software.” In the context of cryptography, this means moving away from hardware key protection and processing to pure-software mechanisms, and building in automation and intelligence, as a start.
But, here’s the rub: in the path to software-defined cryptography, we cannot deviate from the tradition of meticulous attention to security when designing a cryptography architecture. This is especially important when it comes to protecting sensitive data and applications, which would be at high risk without a stable security foundation in an increasingly challenging cybersecurity landscape.
In our blog post: Is Crypto Being Left Out of the “Software-Defined” Movement? we described past hurdles to market adoption of pure-software cryptography solutions. In this blog post, we take a forward look at what a software-defined cryptography architecture looks like, the stages of evolution toward achieving a fully software-defined architecture, and practical steps that organizations can take today to start reaping the benefits.
A virtualized approach to storing, using and managing cryptographic keys and secrets, enabling agility and flexibility through hardware abstraction and automation, while providing proven security guarantees as a core requirement.
Traits of a software-defined cryptography architecture
Applying the principles of software-defined IT architectures to cryptography, we can picture a high-level design that looks like this:
A software-defined cryptography architecture has the following attributes:
- Virtualized: Key generation, key storage and cryptoprocessing are performed by secure virtual cryptographic modules (such as virtual HSMs) that can run on any physical infrastructure.
- Automated and agile: Cryptographic functions integrate into DevSecOps processes and automated service workflows. Infrastructure elements scale automatically in response to changing service demands. For example, if there is a sudden surge in consumption of a service that uses cryptography for authentication or encryption, the virtualized cryptographic modules scale up rapidly to enable the service to operate smoothly.
- Intelligent: Centralized lifecycle management of the all cryptography infrastructure components as well as enterprise key management. Administration and automation tools should be used to make operations efficient, with APIs for integration with external services such as public certification authorities (CAs) and identity and access management (I&AM). Detailed real-time logs of all cryptographic operations across all infrastructure can be used for ongoing monitoring and detection of anomalous behavior indicating potential security threats, as well as for audit and compliance needs.
- Secure: Security should be a core requirement that is built into both the technology and operational processes. Key protection should be robust and as much as possible based on security guarantees, protecting both key confidentiality and key usage. Administrative and application access controls should be enforced with the ability to define granular security policies. Crypto-agility is critical to enable rapid updates to vulnerable cryptographic algorithms or add new ones per service requirements. At the whole system level, the security model, potential threats and risks should be assessed thoroughly and regularly by cryptography experts.
Four stages to achieve the benefits of software-defined cryptography
The vision of a software-defined cryptography architecture clearly cannot be implemented overnight or all at once. However, starting immediately, organizations can take incremental steps to realize the benefits of this approach.
Consider a path divided into multiple stages, increasing in the level of sophistication. Each stage presents further advancement toward the goal but they do not necessarily need to occur in this order or in separate time phases—a much more likely scenario is partial advancements in varied stages over time.
Following is a brief overview of the changes that each stage entails:
Stage 1: Virtualize the infrastructure
Migrate from traditional cryptographic hardware devices such as hardware security modules (HSMs), trusted platform modules (TPMs) and smartcards to pure-software solutions with proof of hardware-level security.
In cases where hardware-based key protection is not in use today – for example when keys are located on standard laptops or servers – a virtual key protection solution can immediately boost security without requiring dedicated hardware purchase and installation.
In cases where hardware is currently in use, migration to virtual cryptographic infrastructure can be implemented gradually as hardware expires and in accordance with the particular use case requirements.
Stage 2: Centralize management
Today, managing all cryptographic components and keys used by the organization, across varied sites and infrastructures, in a unified manner is a major challenge. Disparate products across on-premises data centers, cloud infrastructure, and endpoints lead to management silos that create overhead and inconsistent policy enforcement.
Move toward a unified management approach by adopting cryptographic key protection and management platforms that use open APIs and are designed to support any infrastructure.
Stage 3: Introduce new applications
With the ability to implement cryptography securely and consistently anywhere, and the control provided with unified management, comes the opportunity to confidently introduce new applications that would not have been feasible before.
With software-defined cryptography it is possible to achieve security, privacy and regulatory compliance while also addressing service velocity and user experience requirements.
Stage 4: Orchestrate and automate
The last stage is the most advanced, and arguably the most challenging one to achieve, because it requires organizational transformation beyond the realm of cryptography.
In the ideal state, cryptography will be a fully integrated part of a software-defined environment. Services using cryptography-based security capabilities will call simple functions— “encrypt”, “sign”, or “rotate key” for example—and corresponding actions across all infrastructure components, cryptographic modules included, will occur automatically under the control of the orchestration layer.
This vision may seem a long way off. There are steps that can be taken today, however, to immediately improve agility, operational efficiency and security through automation. Evaluate the APIs and automation capabilities provided by cryptographic products; there may be opportunities to start automating currently manual tasks that take significant time and resources.
Secure multi-party computation (MPC): software-defined cryptography enabler
Unbound’s cryptographic key management and protection solutions, based on MPC, provide a unique approach that aligns with the software-defined cryptography vision.
In a nutshell, our Distributed Trust Platform stores and uses cryptographic keys that are split into random shares distributed among multiple machines. MPC enables secure computation of all cryptographic operations (generate key, encrypt, sign, etc.) without the key ever being united in one place. It is guaranteed mathematically that unless all machines are breached simultaneously, the keys cannot be compromised.
MPC-based distributed trust model for cryptographic keys
- Virtualization of cryptographic infrastructure elements across an organization’s IT environment (for example, Unbound Key Control serves as a virtual HSM for on-premises and cloud deployments) by distributing key shares between multiple segregated machines, enabling key protection at the level of hardware and beyond while using standard physical infrastructure.
- New possibilities for innovative digital services built on new models of trust, leveraging the fact that key shares can be distributed anywhere. Examples include secure blockchain-based services where transactions must be signed by a defined quorum of multiple people and/or machines (each holding a share of the private key used for signing) before being recorded in the blockchain ledger, or secure PKI-based mobile authentication with the authentication key split between the mobile device and a server.
While the path to fully software-defined cryptography is still long, it is possible to achieve. And by adopting new technologies and practices, it is possible to start making the move—and reaping the benefits—today.