David Mahdi is CSO and CISO Advisor at Sectigo and a former analyst at Gartner with over 20 years of experience in IT security.
getty
There’s been a lot of discussion about the so-called “quantum apocalypse”—the point at which quantum computers will be able to readily break the cryptographic foundation that secures the world’s data.
An analogy is helpful here to understand the code-breaking capabilities of quantum computers versus the traditional computers that exist today. Imagine writing a secret down on a piece of paper, sliding it between the pages of a book and then placing that book on a shelf in a library that contains a million books.
Roughly speaking, the way computers work today is equivalent to having to flip through each page of each book on every shelf in order to find that secret. It’s going to take a long time to uncover it, likely trillions of years.
A quantum computer, by contrast, with its ability to run multiple processes at once and solve complex problems quickly, is essentially capable of looking at every single page and every single book on every single shelf simultaneously. The result is that it can find that secret in only about one week.
The advent of quantum computing means sensitive data that has, for nearly 50 years, been encrypted and protected via PKI (public key infrastructure) will find itself vulnerable to bad actors. With quantum computing power at their fingertips, bad actors will be able to quickly and easily crack the cryptographic algorithms (RSA and ECC) used to provide security and authentication for billions of online activities today.
Crypto agility—that is, having the ability to respond to a changing cryptographic environment in an agile manner—is critical. Quantum-safe cryptography is a vital defense mechanism that will ensure preparedness and usher in a safe and secure post-quantum future.
In fact, as part of its post-quantum cryptography standardization project, the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) recently selected four quantum-resistant encryption algorithms that will be moving toward standardization, which is expected by 2024. This standardization initiative is an encouraging sign of progress in the efforts to safeguard sensitive information against the quantum apocalypse. While standardization is two years away, it is critical for enterprises to be cryptographically agile and start preparing now.
How To Prepare For Quantum Computing Today
So, what is the best way that enterprises can increase their “crypto agility”? There are several key actions that enterprises can take to ensure their digital infrastructure is able to withstand future quantum-based threats.
To begin preparing for a post-quantum future, enterprises first need to understand where all their cryptography lives. This isn’t as straightforward a task as it seems because cryptography is the steel-and-concrete foundation of the digital world—which is to say, it’s everywhere.
This technology—a PKI digital certificate—is equally as ubiquitous and is baked into laptops, phones and printers. If someone makes a payment with a credit card, Apple Pay or cryptocurrency—cryptography is securing that transaction. Web servers and load balancers will utilize SSL certificates to establish encrypted sessions with web browsers. Kubernetes clusters utilize TLS certificates to enable container authentication. Cryptographically signed documents and code utilize certificates. These are just a few examples. There are a few aspects of today’s digital world that don’t involve cryptography.
IT teams can’t manage what they can’t measure, so it’s important for enterprises to scope out what they’re actually using from a cryptography standpoint. Automated certificate lifecycle management (CLM) tools that can manage all cryptography in one place can assist in this effort by looking for digital certificates in an environment and reporting back on certificate health and any vulnerabilities. Enterprises should make sure they have the tools necessary to produce a comprehensive snapshot.
As a next step, enterprises should create a cryptographic “center of excellence” within their organizations. This can be a physical or virtual team that manages cryptographic algorithms and digital certificates as well as the people and processes at the front end of these technologies—ensuring crypto-agility on an ongoing basis rather than as a one-off assignment.
Finally, enterprises should implement a migration path to begin quantum-proofing their existing technology and retiring technology not built to support post-quantum algorithms. Hybrid certificates can be quite useful here. Hybrid certificates are cross-signed certificates containing both a traditional (RSA or ECC) key and signature and a quantum-safe key and signature.
In this way, hybrid certificates enable gradual migration to quantum-safe crypto algorithms over the next few years.
Start Preparing Now
There’s no reason to panic at the moment, but enterprises should certainly start preparing for a world where quantum computers can break vulnerable cryptographic algorithms and create a security disaster. By taking the above steps, enterprises can start securing their future by developing the crypto-agility they’ll require in the years to come.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
