Free Trial
Contact Us
Podcast

Root Causes 289: What Is a Cryptographic Center of Excellence?

Hosted by
Tim Callan
Tim Callan
Chief Compliance Officer
Jason Soroko
Jason Soroko
Fellow
Original broadcast date
March 27, 2023

In this episode we dig into an emerging idea, which is the cryptographic center of excellence. We discuss how such a center of excellence would work and the benefits it can bring to an enterprise.

Podcast Transcript

Lightly edited for flow and brevity.
Tim CallanTim CallanThis is a “what is” episode. We want to talk about a term that has I’d say gained cachet recently over what it used to have, which is Cryptographic Center of Excellence.
Jason SorokoJason SorokoTim. We’ve heard a lot of these terms – something Center of Excellence. HR and every different part of a company will sometimes have it and I know that Gartner has been using this term Cryptographic Center of Excellence or Crypto Center of Excellence.

And we just want to talk about what that is and make you start thinking about it if you haven’t already. And I think, Tim, on this podcast, we don’t shy away from any form of credential form factor.

We talk about S/MIME. We talk about IoT. We talk about SSL, public trusted certificates. We’ve gone into Zero Trust. We talk about, sometimes, payment systems. We talk about digital identities for people.

And we get into everything – x.509 certificates, SSH certificates, SSH keys. Maybe one day, Tim, we will even talk about PGP keys.
Tim CallanTim CallanWe will talk about that one day.
Jason SorokoJason SorokoBut here’s my point. Here’s my really serious point. That’s a lot of stuff for a CIO to deal with.

And it’s a lot of stuff for a CISO to deal with and, think about within a larger organization you are gonna have people, risk officers and DevOps, cloud architects and you are gonna have people who are dealing with your IAM strategy and your PAM strategy and all this other stuff and wow! So, whenever you have this gigantic collection of not just vendor tools but also credential form factors and governance programs and all kinds of other things, different kinds of employee skillsets and who knows, some of these employees who work on these various things that all, in our minds, kind of glom together in terms of digital identity or lets just call it cryptography. I think CIOs especially, CISOs, think now, oh my goodness, it’s all cryptography. It’s all cryptography. This podcast is all about cryptography of all kinds and when you are talking about the machinations of making cryptography work, no matter what it is because my goodness isn’t it becoming a lot, Tim, like critical infrastructure?
Tim CallanTim CallanIt’s definitely critical infrastructure. 100%.
Jason SorokoJason SorokoSo, you have stakeholders on multi-vendor systems and you’ve got a history of these things coming from point solutions that never really communicated together before, expensive skillsets, siloed, even thinking within companies about these things that are all cryptography. The Cryptographic Center of Excellence idea, I’m going to oversimplify it. I’m sure there are folks at Gartner who might even cringe for me doing it but I’ll do it for them. This is about really delivering the best practices spread across all of your cryptography. A lot has been learned by those disparate teams and there’s a lot of good things that are brought to you by the vendor space in each of those areas. The PAM space has taught us a lot about fire ticketing and having your privileged credential live as short as possible and wouldn’t that be nice if that crept into your SSH practices. Which today it might not.

You might have that for your IAM and your cloud access but you might not have that for your remote administrators. Well, it should. It really should. And so there’s an enormous amount of cross-pollination that can be done there and it’s also, Tim, I think, about getting rid of the stuff that you forgot about. Hey, that PKI, that Certificate Authority that happens to be sitting underneath that Kubernetes cluster. I don’t know how many times we’ve mentioned that particular example but it’s one of the bug bears that I love bringing up. Finding the spots that are still hidden to you. Certificate lifecycle management with x.509 doing discovery against everything. It’s about pulling together absolutely everything into a Cryptographic Center of Excellence within your enterprise. What a great idea.
Tim CallanTim CallanSo, who pulls that together?
Jason SorokoJason SorokoIt is a group of very likeminded people under probably a CIO, but who knows. It could be from other stakeholders within the company. Certainly Risk Officers.
Tim CallanTim CallanSo you are imagining this as a cross-functional effort. Let’s call it a tiger team if that’s fair. There’s probably an owner and that owner probably is in the office of the CIO or the office of CISO.
Jason SorokoJason SorokoYou got it. It’s probably within those groups. Director of IT could be within that quite often. Typically there’s some kind of governance program written down. You might have to widen it a little bit. So, in other words, guidelines. Specifications and requirements. Heck, even, here’s some free advice. Procurement language for your security vendors. How to learn how to ask the right questions of your security vendors. You asked the perfect question. Who would those people be? Well, what happens if you could get champions elsewhere within the company?

And, in other words, somebody from HR might be like, hey, this has gotta be part of our HR program. I didn’t realize until I talked to you people how many different places that digital identities of our employees exist and therefore, this is eye opening and now we have to rewrite our procedure books.

Terrific. And so, therefore, it is not limited to the hardcore security people or the people who are most at stake with risk within the company – the stakeholders. It could be anybody and I would say anybody who has crown jewels probably is under some sort of cryptographic function and should probably have a say in terms of here is what’s important to me when it comes to encrypting or whatever it is you happen to be doing. So, anyway, that’s probably an oversimplification but I tell you, it’s a great idea.
Tim CallanTim CallanIt’s a great idea.
Jason SorokoJason SorokoI’d like in the future, Tim, and this is a challenge to the PKI and certificate lifecycle management vendor community to basically let’s provide some tools, some knowledge, some templates for how to think through this stuff because we live and breathe this and people who are in these enterprises, they are just trying to stay safe and stay secure and they are playing defense and a lot of them haven’t had that ability to just have an ongoing day-to-day immersion in cryptography of some kind. So, for those of us who are in any kind of cryptography, let’s try and support this idea of Cryptographic Center of Excellence because there’s people working hard in the industry. I think there’s some value add from the vendor community that would be really useful for this.

Stay informed with expert insights

Subscribe to Root Causes for engaging discussions on PKI, digital security, and best practices for protecting your organization's critical assets. Don’t miss an episode!

Listen on Apple PodcastsListen on SpotifyListen on SoundCloud