There has never been a more important time to audit your cryptography. SafeCipher delivers vendor‑neutral cryptographic audits aligned to NCSC, NIST, ISO/IEC 27001/27002, PCI DSS and sector guidance—covering code, infrastructure, cloud, IoT/OT, and supply chain. We combine AI‑assisted discovery (CBOM), hands‑on testing, and governance reviews to give you a prioritized remediation roadmap and post‑quantum transition plan.
Audit Scope & Method (What We Examine and How We Work)
- Estate discovery: algorithms, keys, certificates, protocols, libraries, HSM/KMS usage across on‑prem, cloud, containers, and OT/IIoT
- CBOM generation: Cryptographic Bill of Materials per app/system (machine‑readable + human reports)
- Risk & compliance mapping: findings tied to NCSC patterns, NIST SPs, ISO 27001 controls and your internal policy
- Remediation playbooks: change‑ready steps with owners, SLAs, and test/rollback plans
- Evidence packs: logs, screenshots, change records, and policy deltas for audit
1) Cryptographic Standards & Policies (NCSC, NIST, ISO 27001) — Assessment & Gap Closure
We review your Crypto Policy, Key Management Standard, CP/CPS, cipher suites, key lifetimes, and naming/SAN rules. Outputs include updated policy packs, exceptions register, and CI/CD policy enforcement hooks.
2) Cryptographic Compliance (Legal, Regulatory, Contractual) — Traceability & Controls
We map crypto controls to ISO/IEC 27001/27002, PCI DSS 4.0, NIS2, GDPR/UK GDPR, sector baselines, and internal standards. You get a clause‑to‑control traceability matrix and remediation backlog.
3) Deprecated Cryptography (SHA‑1, 3DES, RC4, TLS 1.0/1.1, MD5) — Identification & Retirement
We locate deprecated/weak algorithms and protocols in services, code, and devices. We plan safe retirement with compatibility testing, phased rollouts, and traffic canaries.
4) Outdated Symmetric Ciphers — Modernization to AES‑GCM/ChaCha20‑Poly1305
We assess cipher modes (e.g., CBC vs GCM), key sizes, IV handling, and randomness. We prescribe hardened suites and validate library support across platforms.
5) Non‑FIPS‑Approved Ciphers — FIPS 140‑Validated Paths Where Required
Where FIPS is mandated, we identify non‑validated primitives/modules and define compliant alternatives or compensating controls.
6) Inadequate Asymmetric Keys — Key Sizes, Curves, and Generation Hygiene
We test key lengths, curve choices, RNG quality, CSR content, and rotation. We standardize on strong profiles (e.g., RSA 3072/4096, P‑256/P‑384) with documented lifetimes.
7) Cryptographic Agility — Design for Change & PQC Transition
We assess your ability to swap algorithms/cert profiles without outages. Deliverables: abstraction patterns, versioned policies, hybrid certificate pilots, and test harnesses.
8) Outdated Cryptographic Appliances — Lifecycle & Supportability Review
We inventory HSMs, TLS terminators, accelerators, and signing boxes; document firmware/support status; and plan upgrades with ceremony/runbook updates.
9) Cryptographic Hardware Approaching End‑of‑Life — Refresh & Migration Plan
We prepare EoL transition plans (capacity, clustering, DR) including key migration/backup strategies and dual‑running during cutover.
10) Cryptographic Hardware Out of Support — Risk Treatment & Replacement
We quantify risk for unsupported hardware, recommend replacements (e.g., Thales Luna, Entrust nShield, Azure Managed HSM, AWS CloudHSM), and schedule change windows.
11) Expired Certificates — Outage Prevention & Renewal Automation
We find expired/near‑expiry certs, establish pre‑expiry windows, and implement CLM automation (ACME/EST/SCEP/CMP) with maintenance‑window renewals and monitoring.
12) Certificate Inventory Hygiene — Ownership, Tagging, CMDB Integration
We normalize ownership metadata, tagging, and environment/zone labels; sync to CMDB and dashboards for accountability and alerting.
13) Self‑Signed Certificates — Trust Model Hardening
We locate self‑signed certs in production and replace them with CA‑issued alternatives (enterprise or public as appropriate), documenting pinning/validation impacts.
14) Invalid/Revoked/Misconfigured Certificates — Validation, Chains, EKUs
We validate paths, EKUs, SANs, AIA/CRL/OCSP, stapling, and renegotiation. We fix revocation handling and chain building across platforms and devices.
15) Broken Certificate Chains — Root/Intermediate Store Alignment
We repair trust stores, distribute intermediates, and standardize bundle formats for servers, devices, proxies, and mobile/IoT clients.
16) Unprotected Private Keys — Custody, Access Control, and Escrow Policy
We identify plaintext keys, weak permissions, shared secrets, and unlogged access. We enforce HSM/KMS storage, M of N ceremonies, and just‑in‑time privileged access.
17) Cloud HSM Usage — Architecture & Residency
We review AKV/Managed HSM, AWS KMS/CloudHSM, GCP KMS, and Thales DPoD usage, defining tenancy, partitioning, geo‑fencing, and throughput patterns.
18) Cloud Key Management (KMS/EKM) — Integration & Control Boundaries
We assess KMS integrations, key rotation, grant models, and envelope encryption patterns; we align boundaries with CipherTrust Manager/HashiCorp Vault where appropriate.
19) Cloud Certificates (CDN, Edge, Private CA) — Configuration & Automation
We audit edge/CDN certs (CloudFront, Front Door, CDN), AWS ACM/ACM PCA, Google CAS, and automate renewals/deployments with pipelines and APIs.
20) Cloud Microservice Cryptography — Service‑to‑Service mTLS & Secrets
We standardize service identity with cert‑manager/SPIFFE/SPIRE, short‑lived certs, and secrets governance (Vault/AKV/KMS) with rotation SLAs.
21) Microservice Certificate Authorities — Issuer Strategy & Governance
We evaluate in‑cluster issuers, trust anchors, and renewals; consolidate where needed, and align to enterprise CA/CLM with policy enforcement and metrics.
AI‑Assisted Discovery & CBOM (Code, Containers, Runtime)
We run AI‑powered discovery over codebases, containers, registries, and runtime traffic to produce CBOMs, detect deprecated crypto, and rank issues by blast radius and fix complexity.
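As an added illustration (not SafeCipher's tooling and not code from this page), a minimal Python checker run over a constructed CBOM‑style inventory: it flags the deprecated algorithms and protocols named in item 3, asymmetric keys below the item 6 profiles, and certificates that are expired or inside a pre‑expiry window as in item 11. The inventory field names, severity labels, the 30‑day window, and the key‑size floors are assumptions.

```python
"""Minimal CBOM checker (added example; field names and thresholds are assumptions)."""
from datetime import date

# Deprecated algorithms/protocols from item 3; compared after upper-casing and removing spaces.
DEPRECATED = {"SHA-1", "SHA1", "3DES", "RC4", "MD5", "TLS1.0", "TLS1.1"}

# Assumed minimum key sizes: RSA 3072 per item 6, EC 256 (P-256 is the smallest profile named).
MIN_KEY_BITS = {"RSA": 3072, "EC": 256}


def check_asset(asset, today, window_days=30):
    """Return a list of (severity, message) findings for one inventory entry."""
    findings = []
    for alg in asset.get("algorithms", []):
        if alg.upper().replace(" ", "") in DEPRECATED:
            findings.append(("high", f"deprecated algorithm/protocol in use: {alg}"))
    key = asset.get("key")
    if key:
        floor = MIN_KEY_BITS.get(key["type"].upper())
        if floor and key["bits"] < floor:
            findings.append(("medium", f"{key['type']} key of {key['bits']} bits is below {floor}"))
    not_after = asset.get("not_after")
    if not_after:
        days_left = (not_after - today).days
        if days_left < 0:
            findings.append(("critical", f"certificate expired {-days_left} days ago"))
        elif days_left <= window_days:
            findings.append(("high", f"certificate expires in {days_left} days (window {window_days})"))
    return findings


def audit(cbom, today, window_days=30):
    """Map asset id -> findings; assets with no findings are omitted."""
    report = {}
    for asset in cbom:
        found = check_asset(asset, today, window_days)
        if found:
            report[asset["id"]] = found
    return report


# Constructed sample inventory and reference date (not real assets).
TODAY = date(2025, 1, 15)
SAMPLE_CBOM = [
    {"id": "edge-tls", "algorithms": ["TLS 1.2", "AES-GCM"],
     "key": {"type": "RSA", "bits": 2048}, "not_after": date(2025, 2, 1)},
    {"id": "legacy-api", "algorithms": ["TLS 1.0", "3DES", "SHA-1"],
     "key": {"type": "RSA", "bits": 2048}, "not_after": date(2024, 12, 1)},
    {"id": "svc-mesh", "algorithms": ["TLS 1.3"],
     "key": {"type": "EC", "bits": 256}, "not_after": date(2025, 12, 1)},
]

if __name__ == "__main__":
    for asset_id, items in audit(SAMPLE_CBOM, TODAY).items():
        for severity, message in items:
            print(f"{asset_id}: [{severity}] {message}")
```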
Post‑Quantum Readiness (Inventory, Policy, Hybrid Pilots)
We map quantum‑vulnerable assets, define hybrid certificate profiles, test client/device support, and stage upgrades without breaking dependencies.
Key Management & HSM Governance (BYOK/Managed HSM)
We design key custody with on‑prem HSMs and cloud HSM/KMS, define backup/escrow, access, monitoring, and DR, and document ceremonies and controls.
Evidence & Reporting (What You Receive)
- Enterprise CBOM and certificate inventory
- Risk register with prioritised backlog and ownership
- Updated Crypto Policy & Key Management Standard
- Remediation playbooks (TLS, libraries, key rotation, cert renewal)
- Executive report with KPIs, timelines, and budget ranges
Engagement Models & Timeline (Assessment → Pilot → Scale)
- Assessment: discovery + CBOM + policy gap analysis
- Pilot: fix high‑value paths (edge TLS + code signing); prove automation
- Scale: roll out policy packs, CLM, HSM governance, and PQC pilots across estates
FAQ: Cryptographic Audits — Common Questions
Will scanning disrupt services? No—discovery is passive/agentless where possible; changes are staged with rollbacks.
Can you audit without source code? Yes—binaries, containers, traffic, and config are sufficient to baseline most risks.
Do you cover OT/IIoT? Yes—with Purdue‑aware approaches, offline RAs, and constrained‑network CRL strategies.
What about public vs private trust? We align both: public TLS via CertCentral/ACME and private PKI via AD CS/EJBCA/Entrust/Keyfactor/Venafi.