Cryptographic Hygiene: Best Practices for Organizations

Good crypto hygiene is the security equivalent of brushing your teeth—simple routines that prevent painful (and expensive) emergencies later. Below is a pragmatic, CISO-friendly guide you can give to engineering, security, and compliance teams to harden cryptography across your estate—cloud, on-prem, SaaS, and edge.

1) Start with governance and ownership

• Name accountable owners for cryptography (security architecture + platform engineering + app teams).
• Define a crypto policy: approved algorithms/parameters, key lengths, rotation periods, certificate issuance rules, exception handling.
• Establish an RFC-style change process for crypto changes (algorithm upgrades, KMS/HSM migrations, PQC pilots).
• Track metrics: % of assets inventoried, certs expiring <30/60/90 days, deprecated algorithms eliminated, rotation SLA conformance.

2) Build complete visibility (discovery + inventory)

• Discover externally and internally: enumerate TLS/SSH, APIs, message queues, data stores, HSMs/KMS, service meshes, containers, serverless, endpoints.
• Fingerprint everything: protocol, cipher suite, key length, certificate chain, curve, hash, library/versions, HSM policies.
• Map data flows: identify where sensitive data is in transit and at rest; link crypto controls to data classification.
• Continuously rescan: treat crypto posture like vuln management—baseline, monitor, and alert on drift.

3) Standardize strong, modern defaults

• Algorithms & parameters
  • Transport (TLS): TLS 1.2+ (prefer 1.3), disable NULL/RC4/3DES/MD5/SHA-1; prefer AEAD (GCM/ChaCha20-Poly1305) and strong curves for ECDHE.
  • Data at rest: AES-GCM/CTR/XTS with ≥128-bit keys; authenticated modes for integrity.
  • Hashes: SHA-256/384; avoid SHA-1 for signatures and integrity.
  • Asymmetric: RSA-3072+ or ECDSA with P-256/P-384 (and plan for PQC—see §9).
• Libraries: standardize on vetted crypto libraries; pin versions; apply security patches fast.
• Secure configuration baselines: CIS-style baselines for load balancers, proxies, web servers, databases, and service meshes.

4) Keys first: lifecycle and access

• Centralize keys in a KMS or HSM with enforced policies; avoid app-embedded keys.
• Separation of duties: distinct roles for key creation, approval, and use.
• Rotation & revocation: automate rotations (e.g., 90–365 days by key class); test revocation paths.
• Least privilege: grant applications scoped, time-bound key-use permissions; audit every access.
• Backups: secure, tested backups for keys with dual control; document recovery procedures.

5) Certificates without surprises

• ACME/automated issuance: eliminate manual CSR/issuance/renewal where possible.
• Short-lived certs for internet-facing workloads; track CT logs for impersonation/typosquatting.
• Chain hygiene: enforce complete, correct chains; remove weak/legacy roots; pin where appropriate.
• Expiry management: alert at 90/60/30 days; auto-replace in CI/CD to avoid outages.

6) Secrets management (stop hard-coding)

• Use a secrets manager (cloud-native or third-party) with rotation hooks and dynamic secrets.
• Ban secrets in code: pre-commit hooks, CI scanners, and repo DLP.
• Runtime controls: mount secrets at runtime (env vars/sidecars) with least privilege and short TTLs.

7) Crypto in the SDLC

• Threat model crypto early: identify data sensitivity and crypto needs at design time.
• SAST/DAST/SCA: scan for unsafe crypto use (e.g., ECB mode, weak PRNGs), outdated libraries, and known CVEs.
• Golden templates: provide secure code patterns for encryption, signing, key handling, and TLS verification.
• Gate on posture checks: block deploys if they introduce deprecated ciphers or missing TLS verification.

8) Strong randomness and integrity

• CSPRNGs only: rely on OS/hardware entropy sources (e.g., /dev/urandom, platform RNG APIs).
• Nonce/IV management: never reuse nonces; rely on library-managed nonces when available.
• Integrity everywhere: prefer authenticated encryption; add signatures for critical artifacts (containers, binaries, configs).

9) Plan for Post-Quantum Cryptography (PQC) now

• Inventory cryptography with algorithm detail to know where RSA/ECC is used and with what key sizes.
• Prioritize migration for long-lived data (HNDL risk): recordings, archives, backups, PII/PHI, IP, government/defense data.
• Adopt crypto-agility: design systems to swap algorithms/keys without redesign (config-driven, versioned crypto profiles).
• Pilot PQC in non-critical paths (e.g., hybrid key exchange in TLS, code signing test environments).
• Track vendor roadmaps for PQC-ready KMS/HSM, libraries, and protocols; plan interop testing.

10) Protect keys with hardware and isolation

• Use HSMs for root and high-value keys (CA, code signing, payment, hardware attestation).
• Leverage enclaves/TEE where appropriate for key-in-use protection.
• Network isolation & mTLS for management planes (KMS/HSM/admin APIs).

11) Monitoring, detection, and response

• Posture monitoring: dashboards for protocol versions, cipher use, cert health, and control drift.
• Detection: alert on weak cipher negotiation, failed certificate validation, expired/soon-to-expire certs, and anomalous key use.
• IR playbooks: include crypto-specific actions—key compromise, CA breach, certificate mis-issuance, algorithm downgrade.
• Tamper-evident logs: sign logs or route to immutable storage; correlate with identity and change events.

12) Third-party & SaaS assurance

• Contractual controls: require strong crypto, rotation SLAs, and PQC roadmaps from vendors.
• Attestations: review SOC 2/ISO reports for key management, HSM use, and crypto change control.
• External surface scans: validate vendor-facing TLS posture and certificate hygiene.

13) Education, drills, and documentation

• Run “crypto days”: red/blue exercises for misconfigurations (e.g., TLS downgrade, expired cert).
• Job aids: one-page cheat sheets with approved ciphers, curves, and library calls.
• Document everything: key hierarchies, rotation timelines, exception registers, PQC migration plans.

A simple cryptographic hygiene checklist

• Owners, policy, and metrics defined
• Continuous discovery of TLS/SSH, data stores, HSM/KMS, libraries
• Strong defaults: TLS 1.3 preferred, AEAD ciphers, SHA-256+
• Centralized KMS/HSM; automated key rotation and revocation
• Automated certificate issuance/renewal; no hard-coded secrets
• SDLC gates for crypto misuse and outdated libs
• PQC inventory and migration roadmap; crypto-agile designs
• Monitoring, alerting, IR runbooks for crypto incidents
• Vendor/SaaS crypto requirements and validation
• Documentation kept current; teams trained

“So what?” for CISOs

• Reduce outage risk by eliminating surprise expirations and brittle manual cert processes.
• Shrink breach blast radius with centralized key control, short-lived credentials, and HSM-backed root keys.
• Accelerate audits with clear policy, metrics, and traceability for keys/certs.
• Future-proof your estate by building crypto-agility and a PQC migration plan before deadlines hit.
• Lower total cost via automation (ACME, rotations, CI/CD checks) and fewer emergency fire drills.

Don’t forget your Cryptographic Bill of Materials (CBOM)

A CBOM is the authoritative inventory of cryptography in your environment—algorithms, key sizes, libraries, certificates, HSM/KMS locations, and where they’re used in apps, services, and data flows. It’s the backbone for everything above: visibility, policy enforcement, rotation, audit readiness, and PQC planning.

Qinsight helps organizations discover, inventory, and maintain a living CBOM, continuously monitoring TLS/SSH, keys, certificates, libraries, and configurations across cloud and on-prem environments—so you can enforce strong defaults today and migrate to post-quantum cryptography with confidence.