Over the past few years, we’ve heard a great deal about quantum computing advances and their ramifications for cyber security and digital trust. The Cloud Security Alliance estimates that a quantum computer will be capable of breaking current cybersecurity infrastructure as soon as 2030. To underscore the urgency, the organization has even set up a Countdown to Y2Q clock.
Whether or not 2030 will be the exact year that quantum destruction arrives, security professionals are definitely taking the post-quantum threat seriously. In a recent Ponemon Institute Report surveying more than 1,400 IT and IT security practitioners around the globe, 61 percent of participants expressed concern that their organizations will not be prepared to address the security implications of post-quantum computing (PQC). Only 30 percent of respondents stated that their organizations are actively allocating budget for PQC readiness.
These tentative responses to the PQC threat are understandable. The threat landscape is constantly evolving, and new forms of ransomware, AI-enabled attacks, and other risks are in the headlines daily. Security teams are under constant pressure to stay ahead of the cyberattacks targeting their organizations today, which leaves little capacity for preparing for a post-quantum future. Without a cryptographic management strategy that spans the entire enterprise, organizations will be left vulnerable to security threats—including attacks that utilize quantum computing.
How can organizations balance today’s immediate threats without getting crushed by the PQC iceberg on the horizon? An enterprise-wide strategy focused on crypto-agility can provide a path forward.
Switching up technology faster
Although the PQC threat is relatively new, the concepts behind crypto-agility have existed for years. Simply put, crypto-agility is defined as the ability of a security system to switch from one mechanism of encryption to another—quickly. In a dynamic environment with new threats constantly emerging, the benefits of this kind of agility would appear obvious. However, only 29 percent of participants in the Ponemon survey described their organizations as very effective in the timely updating of their cryptographic algorithms, parameters, processes and technologies.
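The definition above is easiest to see in code. The following is an added example, not code from the original article or from DigiCert: it shows the pattern that makes a system crypto-agile. Every integrity tag carries an identifier for the algorithm that produced it, producing and verifying dispatch through a registry, and a policy object says which algorithm is issued today, which older ones are still accepted, and which are retired. Switching algorithms is then a registry entry plus a policy change, followed by a re-tagging pass, rather than a rewrite of every caller. HMAC is used so the example runs on the standard library alone; the identifier names, the `alg$mac` layout and the `TagPolicy` class are this example's own conventions.

```python
import hmac
from dataclasses import dataclass, field

# Registry of tag algorithms: a short wire identifier mapped to the hashlib
# name that hmac.new() accepts. Adding a new algorithm is one line here;
# nothing that produces or checks tags has to change. (Identifiers are this
# example's own convention, not a standard.)
ALGORITHMS = {
    "hs256": "sha256",
    "hs512": "sha512",
    "hs3-256": "sha3_256",
}


@dataclass
class TagPolicy:
    """What we issue today, what we still accept, and what is gone."""
    current: str
    allowed_for_verify: set
    retired: set = field(default_factory=set)

    def retire(self, alg: str) -> None:
        # Retiring is a policy change, not a code change: tags made with the
        # algorithm stop verifying and it can no longer be chosen for new tags.
        self.allowed_for_verify.discard(alg)
        self.retired.add(alg)


def tag(key: bytes, message: bytes, policy: TagPolicy, alg: str = "") -> str:
    """Return '<alg>$<hex mac>'; the identifier travels with the tag."""
    alg = alg or policy.current
    if alg not in ALGORITHMS or alg in policy.retired:
        raise ValueError(f"algorithm {alg!r} is not available for tagging")
    mac = hmac.new(key, message, ALGORITHMS[alg]).hexdigest()
    return f"{alg}${mac}"


def verify(key: bytes, message: bytes, tagged: str, policy: TagPolicy) -> bool:
    """Dispatch on the identifier in the tag; refuse unknown or retired ones."""
    alg, sep, mac = tagged.partition("$")
    if (not sep or alg not in ALGORITHMS
            or alg not in policy.allowed_for_verify or alg in policy.retired):
        return False
    expected = hmac.new(key, message, ALGORITHMS[alg]).hexdigest()
    # Constant-time comparison so verification leaks nothing about the tag.
    return hmac.compare_digest(expected, mac)


def needs_upgrade(tagged: str, policy: TagPolicy) -> bool:
    """True when a stored tag was made with something other than today's algorithm."""
    return tagged.partition("$")[0] != policy.current


def retag(key: bytes, message: bytes, tagged: str, policy: TagPolicy) -> str:
    """Migration step: re-issue a verified legacy tag under the current algorithm."""
    if not verify(key, message, tagged, policy):
        raise ValueError("refusing to migrate a tag that does not verify")
    return tag(key, message, policy)


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-real-use"  # constructed for the demo
    policy = TagPolicy(current="hs512", allowed_for_verify={"hs256", "hs512"})
    legacy = tag(key, b"order:42", policy, alg="hs256")  # issued before the switch
    print("legacy verifies:", verify(key, b"order:42", legacy, policy))
    print("needs upgrade:", needs_upgrade(legacy, policy))
    fresh = retag(key, b"order:42", legacy, policy)
    print("migrated to:", fresh.partition("$")[0])
    policy.retire("hs256")
    print("legacy verifies after retirement:", verify(key, b"order:42", legacy, policy))
```

The same shape applies to signatures, key wrapping and password hashing: the point is that the algorithm is data attached to each artifact and governed by policy, so a migration is a scan for `needs_upgrade` plus `retag`, not a code release.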
To achieve crypto-agility, you need visibility into where cryptography is used within your organization and how each technology is used. Encryption might reside in certificates, protocols, libraries, and algorithms. It might be present in device components like Hardware Security Modules (HSMs) and Trusted Platform Modules (TPMs). DevOps teams also rely on code signing processes, and those processes could potentially be targeted by threats as well.
Acquiring an accurate inventory of cryptographic keys can be challenging. In the Ponemon survey, 58 percent of respondents say their organizations do not know exactly how many keys and certificates they have. Partnering with a reputable certificate discovery service can help organizations acquire an up-to-date inventory of their certificate environment, but it's important to look beyond certificates alone.
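Looking beyond certificates means inventorying the algorithm and protocol names that appear in configuration, build scripts and source code. The following is an added example, not code from the original article or from DigiCert: a small scanner that records every cryptographic name it sees, where it saw it, and which bucket it falls into, so that public-key material a large quantum computer is expected to break (RSA, ECDSA, DH and friends) is surfaced first, alongside already-deprecated hashes, ciphers and protocol versions. The rule set, the category labels and the sample files are this example's own constructions; a real inventory would feed real files to `scan_files` and merge the result with certificate discovery output.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Each rule is (category label, regex). Labels are this example's own; the
# "quantum-vulnerable" bucket is the public-key material that a large quantum
# computer is expected to break and therefore the first thing to locate.
RULES = [
    ("public-key (quantum-vulnerable)",
     r"rsa|ecdsa|ecdhe?|\bdhe?\b|x25519|ed25519|secp\d+[rk]1|prime256v1"),
    ("hash (deprecated)", r"md5|sha-?1(?![0-9])"),
    ("cipher (deprecated)", r"3des|\bdes\b|rc4|blowfish"),
    ("protocol (deprecated)", r"sslv?[23]|tlsv?1(?:\.[01])?(?![0-9.])"),
    ("symmetric (review key size)", r"aes[-_]?128"),
    ("symmetric (ok)", r"aes[-_]?256|chacha20"),
    ("hash (ok)", r"sha-?(?:256|384|512|3)"),
]
COMPILED = [(label, re.compile(rx, re.IGNORECASE)) for label, rx in RULES]


@dataclass(frozen=True)
class Finding:
    source: str      # file the name was seen in
    line_no: int     # 1-based line within that file
    category: str    # bucket from RULES
    token: str       # the text that matched, as written


def scan_lines(source: str, lines: Iterable[str]) -> List[Finding]:
    """Record every algorithm or protocol name in the lines, with its location."""
    findings: List[Finding] = []
    for line_no, line in enumerate(lines, start=1):
        for label, rx in COMPILED:
            for match in rx.finditer(line):
                findings.append(Finding(source, line_no, label, match.group(0)))
    return findings


def scan_files(files: Dict[str, List[str]]) -> List[Finding]:
    """Scan a mapping of file name -> lines and concatenate the findings."""
    out: List[Finding] = []
    for name, lines in files.items():
        out.extend(scan_lines(name, lines))
    return out


def summarize(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count findings per category; the inventory's one-page view."""
    return dict(Counter(f.category for f in findings))


# Constructed sample inputs standing in for real config, source and build files.
SAMPLE_FILES = {
    "nginx.conf": [
        "ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;",
        "ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:AES256-GCM-SHA384;",
    ],
    "Signer.java": [
        'Signature sig = Signature.getInstance("SHA1withRSA");',
        'KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");',
    ],
    "build.sh": [
        "openssl req -newkey rsa:2048 -sha256 -nodes",
        "openssl dgst -md5 artifact.tar.gz",
    ],
}

if __name__ == "__main__":
    findings = scan_files(SAMPLE_FILES)
    for f in findings:
        print(f"{f.source}:{f.line_no}  {f.category:32}  {f.token}")
    print()
    for category, count in sorted(summarize(findings).items()):
        print(f"{count:3}  {category}")
```

Name matching is deliberately crude: it will not tell you that an RSA key is 1024 bits or that a library defaults to SHA-1 without naming it, which is why certificate discovery and library-level inspection still have to sit beside it. What it does give you is the starting list of places to go look, which is the visibility the paragraph above is asking for.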
Automate and test for readiness
Gaining visibility into cryptographic assets is critical, but it's only a first step. Most large enterprises have multiple encryption technologies in use across their organizations. Managing many thousands of certificates by hand is slow and difficult, especially across global sites. Fortunately, automation can empower enterprises to update outdated or compromised keys and certificates quickly, and at scale.
For certificate lifecycle management, an automation manager as part of PKI as a service can support the deployment of vast numbers of certificates in minutes. Whether the environments reside in the cloud or on-premises, an automation manager can help organizations respond in a nimble way to new threats or other challenges.
It's also important to test for interoperability when updating cryptographic algorithms. Take the time to ensure that infrastructure and applications work smoothly together before migrating to new cryptographic technologies across the entire organization.
People and experience are key
It’s clear that IT professionals understand the importance of crypto-agility. According to the Ponemon survey, 51 percent said that it was their second most important strategic priority. What was their top strategic goal? Hiring and retaining qualified personnel was the top priority for 55 percent of respondents.
The right solutions and technology partners can play an important role in helping organizations prepare for the coming PQC challenge. But like any strategic initiative, achieving crypto-agility will ultimately depend on a culture of communication, supported and executed by experienced, knowledgeable people.
Dr. Avesta Hojjati, VP of Engineering and Head of R&D, DigiCert