Anand Kashyap is CEO and cofounder of Fortanix, a global leader in data security and a pioneer of confidential computing.
As we barrel toward the AI and post-quantum computing era, tech professionals have one key concern on their minds: “data security.”
The previous articles in this series explored the first two components of a sound data security strategy: discovery and assessment. Here, we take a closer look at remediation, the third prong of a game plan that gives organizations the best opportunity to protect their data.
The goal of remediation is to efficiently fill gaps in an organization's security posture to meet its data security goals. One way to help meet these goals is to achieve crypto agility, the ability to quickly and seamlessly respond to a cryptographic security threat.
In this vein, businesses are increasingly infusing AI to quickly auto-remediate rather than creating tickets and waiting for humans to perform the necessary steps.
The Hits Keep Coming
Modern organizations are as aware of cybersecurity threats as ever, but it doesn’t seem to matter. The number of major breaches globally continues to increase, and no one is safe.
Live Nation and Ticketmaster are facing a lawsuit stemming from a breach involving the private information of roughly 560 million customers. In late May, the hacker group ShinyHunters listed the data for sale on the dark web for a reported $500,000.
Earlier this year, Dell reported a breach that involved 49 million customer records, including information on purchases between 2017 and 2024. In April, telecom giant AT&T suffered a data breach that affected 7.6 million current customers and 65 million former customers, with personal data leaked onto the dark web.
These are just a handful of recent major data breaches, and the list will no doubt continue to grow. The takeaway isn’t new, but it has become more pronounced: With data everywhere, we need to acknowledge that exposure and threats are also everywhere and take the proper steps to protect it.
The Looming Importance Of Post-Quantum Cryptography
The previous article in this series touched on how organizations are preparing for the quantum computing era, which involves transitioning from existing cryptographic standards to post-quantum cryptography (PQC). It also discussed how the starting point for many is Mosca's Theorem, a widely known warning that calls for organizations to prepare appropriately for the impact of quantum computers with crypto agility.
At a high level, crypto agility requires an abstraction layer where the application using encryption does not need to concern itself with the actual crypto algorithm or the encryption key. These can be upgraded without requiring any change to the application—the abstraction layer would handle it.
The peer-reviewed Journal of Cybersecurity recently published the Crypto Agility Risk Assessment Framework (CARAF), which builds on Mosca's Theorem across five phases:
• Phase 1: Identify threats.
• Phase 2: Take an inventory of assets.
• Phase 3: Perform a risk estimate.
• Phase 4: Secure assets through risk mitigation.
• Phase 5: Make an organizational roadmap.
Phases four and five equate to remediation, addressing gaps in data security after they're discovered and assessed.
During discovery and assessment, for example, you may find a key that hasn’t been rotated for five years, which should trigger a rotation. Or there may be a key being rotated periodically, but the service it’s attached to continues to use the old key. In this case, remediation would trigger a workflow or automation to fix the identified problem.
What Remediation Looks Like
Full remediation with crypto agility involves multiple elements. How they’re executed could vary based on an organization’s specific policies and business requirements. Six of the most common actions include:
1. Updating policies and procedures. Continually update policies and procedures to ensure alignment with industry requirements, ensure compliance and mitigate risks.
2. Implementing best practices for encryption. Ensure encryption is implemented consistently across all systems and applications, including data at rest, in transit and in use with strong cryptographic algorithms and key management practices.
3. Enhancing key management practices. Strengthen key management practices to securely generate, store, distribute, rotate and dispose of cryptographic keys. Specifically, data encryption keys should be cryptographically strong, updated or rotated periodically and retired when no longer required. Special attention should be paid to robust key management policies and procedures that protect keys from unauthorized access and misuse.
4. Providing training and awareness. Education is key in every industry, and it’s no different here. All employees should learn about the importance of compliance requirements and how crypto agility contributes to that goal. It’s on organizations to provide training and awareness programs to help teams understand their roles and responsibilities in maintaining cryptographic security and compliance.
5. Conducting regular audits and assessments. It can’t be overstated: Malicious threats will continue to evolve, and that means you should, too. Implement a calendar of regular audits and assessments to monitor compliance with cryptographic policies and procedures. Conduct audits internally and externally to identify non-compliance issues and act as needed.
6. Staying informed about regulatory changes. As laws around the world evolve, stay on top of regulatory changes and updates related to cryptographic practices and compliance requirements. Your organization’s policies and procedures should be regularly reviewed and updated to reflect any changes in regulations or industry standards.
As we wrap up this series on the state of cybersecurity, a quick recap of the three pillars of a strong security strategy: discovery, during which an organization maps its encryption keys and data services; assessment, when teams identify gaps and risks in their data security posture; and remediation, proactively filling those gaps to become compliant and agile, eliminate risk and achieve full data security.
As data privacy regulations and multicloud architecture become more complex, organizations can't afford to subject themselves to dangerous and costly breaches and non-compliance. Building a foundation of encryption around the three pillars covered in this series sets organizations up for success.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.Do I qualify?