Neil Thacker, CISO EMEA at Netskope, says the fact that new standards for post-quantum cryptography are coming is a hugely positive step forward in the constant evolution of security and why the transition to these standards will be one of the biggest transformational challenges facing security teams in the next decade.
Every few decades, the foundations of the cybersecurity world are dug up and a new encryption standard is established in its place. It started in the 1970s with the Data Encryption Standard (DES), which at the turn of the Millennium was replaced with the Advanced Encryption Standard (AES). On both occasions the new standards were designed to futureproof and protect digital infrastructure from the advances in computing. Today, with rapid developments occurring in Quantum Computing, we need to make this change once again.
Quantum Computing has been making headlines since 1995, when it was hypothesised that a quantum computer with sufficient qubits could use Shor’s algorithm to break public-key encryption. While real-world implementations of quantum computers are still years away, the issue of post-quantum security has urgency due to the threat of ‘hack now, crack later’ attacks. This approach sees threat actors gathering encrypted data today through a range of data theft approaches, and storing it until a quantum computer powerful enough to break the encryption becomes available. Although delayed, this model anticipates threat actors, especially state sponsored groups, accessing potentially critical intellectual property, secure communications and state secrets.
Fortunately, the National Institute of Standards and Technology (NIST) has been searching for a new encryption standard that would be resistant to post-quantum compromise. The new standard is being referred to as post-quantum cryptography (PQC). In July last year, NIST published four finalists after a global effort to set new standards which are due to be finalised in 2024. The US Government has already mandated that all agencies and departments start adopting PQC standards by 2025.
The announcement of this timeline sounded the starting gun on what will be one of the most challenging change management projects over the next decade or so.
Start by knowing your data
In order to prepare for a post-quantum world, you need to understand where you are reliant on potentially vulnerable encryption and what it is protecting. You can then decide what data you need to protect first as you begin a phased deployment of post-quantum cryptography.
We often refer to data as having a ‘half life’ similar to that of nuclear material, with data losing value and relevancy over time. Something might be critical business data today, but in a week, month, year or decade this might not be the case. When you assess the value of your data, you should measure data value over time against the cost of implementing any additional security.
Of course, there will always be critical digital assets, such as sensitive intellectual property, state secrets and sensitive personal records, that need protection over decades. For some sectors, there are strict regulations mandating the protection of such information for 10+ years and this should be factored in when assessing and prioritising what data to protect first.
Once you have assessed and identified your high value digital assets, the next stage is to assess the vulnerability of data at rest, in transit and in use. Most organisations use Hardware Security Modules (HSM) to store encryption keys and considerations should be made on how these modules will handle post-quantum cryptography.
Learning lessons from adopting AES
As every CISO knows, even the best laid plans rarely survive contact with the real world and transitioning to PQC standards will undoubtedly bring challenges. One of the biggest will be to avoid significant accidental data loss. I remember in the early 2000s, working as a security analyst, helping recover encrypted data (using gaming PCs with powerful GPUs) after a senior leader left the company without sharing the passphrase key. The weak point was cracking passphrase which took seconds and not breaking the encryption itself.
However, this is simply not a viable option anymore and having clear ownership of the transition process with an understanding of roles and responsibilities between networking and security teams will be essential while also including joint KPIs, safeguards and checkpoints to prevent inadvertently losing access.
It would be wrong to assume from the outset that organisations can migrate to new encryption standards unanimously everywhere. This is especially important in businesses that need to encrypt data on a continuous basis such as transaction data. Imagine having to encrypt and decrypt terabyte size files to share them internally due to restrictive policies. This is often seen to be catastrophic for performance, increasing latency and severely impacting business functions.
Instead, we should use existing principles of Zero Trust to guide the rollout, leveraging a Secure Access Service Edge (SASE) platform to give network and security teams greater visibility over who is accessing those critical assets not just for on-premises servers and databases but for cloud apps and cloud infrastructure. With this insight, dynamic policies can be implemented to ensure these assets are protected by PQC when the need exists.
How to phase the transition
First, identify your key vendors and those in the supply chain so you can start to engage on how they will become prepared for a PQC world. Adding this future-proof requirement into the purchasing process will help accelerate this change but the cost of doing so should always be measured against the value of the assets they are protecting.
Secondly, consider your digital infrastructure, particularly when it comes to public cloud. Consider engaging with your HSM provider to discuss how they can assist in this transition. Additionally, you should review your digital infrastructure’s regular maintenance and upgrade schedules and budgets for places to incorporate the adoption of PQC-resistant secure products into this process.
Finally, don’t just look at encryption as a requirement for your own internal security. If your organisation provides digital products or services, the performance specifications for PQC encryption should be included in your own new product design pathways. These standards are the future and will be implemented in the next few years, so the sooner you can deliver assurance and secure digital products to market, the greater your competitive edge.
The time is now
The fact that new standards for post-quantum cryptography are coming is a hugely positive step forward in the constant evolution of security, but the transition to these standards will be one of the biggest transformational challenges facing security teams in the next decade. It will take a major effort and thoughtful preparation to make this transition successful, but doing so will be essential to protect our digital future.Click below to share this article