COVID-19 is changing the way nearly all of us work and, for some specialist security operations, this is a real challenge. For others, it’s an excellent opportunity to add value to the business for when the economy starts to recover.
Many of us see the day-to-day security operations baked into modern businesses. These operations include things like security awareness training, identity, and access control, and vulnerability management. However, for those operating with regulated encryption programs or that have to maintain robust multi-person key management schemes, social distancing presents a problem.
Within a businesses’ most fortified rooms are often devices that are used to secure cryptographic keys – called Hardware Security Modules (or HSMs for short). These devices typically serve one or two functions. In some cases, they’re the only place a root encryption key can exist as a whole, alternatively, they perform very specific cryptographic operations - like verifying your PIN.
HSMs essentially provide hardware-maintained security such as tamper resistance, physical security, and multi-party control over access; this is where the issues begin.
In many cases, the basic implementation is ‘dual control,’ often requiring two people to be physically present at the HSM to enter their keys, and PINs. In more sophisticated implementations, there may be a quorum – perhaps three out of five – or ‘N of M’ as it’s commonly known.
In an environment where social distancing is required, this can be extremely challenging. If there are a significant number of key custodians, it may require a rethink of the process and some dialogue with your security assessor or accreditation body. There are situations where just two people can be present if local law allows; however, with encryption services being deployed all over the world, there could be substantial challenges to overcome.
If possible, procedural consolidation of key custodians is a possible compromise. This process should be clearly documented as an emergency protocol and, if key components need to be shared in order to move from an N of M, it should be done while minimising exposure to all components and the key custodians.
The gift of time
For many, the move to social distancing may have given their business back some additional time previously lost to commuting or travel. There is also the opportunity to prioritise workload or process optimisation. This would enable staff with available time to be leveraged on those ‘back burner’ projects that were due when the backlog was complete.
Other security professionals in the software world are seeing their organisations implement change freezes to cope with an uptick in demand or a switch to supporting their government and healthcare industries’ efforts in the battle against COVID-19.
Whatever direction a business is travelling in, it is important to ensure that security is a core requirement and not an add-on feature at the end of a project. With multiple attacks in the media leveraging COVID-19 messaging, rushed software solutions could easily be a target in the future.
For those in the payments community, there are also some new software security standards to consider. The Secure SLC Standard introduced by the PCI Standards Council, for example, provides a framework for security governance and secure software development to certify against.
Many vendors and standards bodies are now making their security guidance available freely so now is as good a time to review and decide what fits your environment best. Having a plan in place when executive teams come to focus on firmwide security again may be one of the more long-term upsides to enforced working from home.