How to secure cryptographic keys

Opinion by Corey O'Connor,

Cryptocurrency private keys must become a new form of privileged credential in the minds of organisations, and they must be managed and protected as such, with the right workflows and access controls.

Cryptocurrency is slowly being normalised as a form of payment, especially within the retail industry. However, this trend towards decentralised currencies, which is forcing major banks worldwide to take cryptocurrency seriously, will inevitably attract the interest of financially motivated attackers. 

The volatile nature of crypto-values acts as a motivation, with the recent skyrocketing sums of money meaning attackers can now have access to a massive payday. And criminals have a significant advantage with the anonymity of crypto transactions, as they can compromise digital wallets and steal the private keys without being caught. Taking control of a digital wallet is the end goal for attackers, as this gives them total access to the funds.

The more credibility cryptocurrency gains, the more incentive criminals – from nation states to attackers – will have to create sophisticated hacking tools to access cryptocurrency coins. Implementing robust security controls to prevent crypto-credentials from being stolen must then become a priority for organisations, regardless of their industry.

How do digital wallets work?

Digital wallets come in two categories: hot wallets and cold wallets. Hot wallets allow for the storing of smaller amounts of currency, which means organisations and individuals tend to use them for quick transfers and exchanges. This makes hot wallets more fluid in nature. The wallet's private key is often stored and managed by easy access cryptocurrency services and tends to be protected by a password. 

Cold wallets, on the other hand, are used for storing much larger amounts of currency. They are usually favoured by more security-savvy individuals and organisations as the associated private key is kept entirely off the internet, for common sense reasons. Typically, the private keys are stored on an offline computer, but this does not eliminate the risk entirely. Indeed, as recent attacks have shown, networks can be easily compromised, meaning the keys become easily available for attackers to take hold of. 

Fortunately, solutions exist in the form of USB stick-like devices that store private keys and prevent their extraction. All the user has to do to prove they have access to the key is insert the device into a computer. The device will then use cryptographic functionality zero trust algorithms to establish access. While this solution is suitable to provide strong private key security, it may not work for larger businesses which need to have a global overview and control of who has access to the device and the credentials associated. 

How can cryptographic keys be secured?

Cryptographic key security is made far trickier by the fact that they are used by machines as well as humans. Indeed, cryptocurrency transactions can also be performed automatically by machines, meaning private keys must be secured for all users, both human and machine. This first step must be followed by establishing an authentication system to ensure the full control of keys access and monitoring their usage. 

Cryptocurrency private keys must become a new form of privileged credential in the minds of organisations, and they must be managed and protected as such, with the right workflows and access controls. 

Several steps should be taken to fully protect cryptographic keys. First, they need to be stored in a secure digital vault protected with multiple layers of security. In addition, all users with access to this vault must be subjected to multi-factor authentication. Role segregation also plays a pivotal role in controlling individual access to stored keys, which in turn limits access to even the most privileged administrators. Unless, of course, they have been granted the required permissions.

In terms of machine security, enabling secure application access will ensure only authorised applications have access to stored keys. Furthermore, it will check that the applications are legitimate.  Organisations must make sure they regularly audit all key access related activity and that triggers are put in place to alert the right people should fraudulent activity occur.  It's also crucial to enforce workflow approvals for activity regarded as highly sensitive – and the same procedure must apply for access to the keys.  

Finally, companies must monitor the activity of cryptocurrency administrators and simplify connections (in the same way as automated secure proxy/jump hosts) to target cryptocurrency administrator systems and activities – for instance, the system hosting the wallet.

Cryptocurrency provides a prime opportunity for hackers to make easy money. Organisations now have a responsibility to ensure they put in place the necessary safeguards and avoid jumping on the bandwagon without thinking about security. Protecting access keys must become their priority to protect against advanced attacks, allowing them to respond to the rising crypto demand without compromising themselves. 

Contributed by Corey O'Connor, product marketing manager, CyberArk

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.

Topics:

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming event