“A journey of a thousand miles begins with a single step.” This Chinese proverb — often found in fortune cookies — is about motivation, determination and avoiding procrastination. As the new year unfolds and the threat of large-scale quantum computing to public key encryption inches closer, what good timing for such profound words.
There is no greater cryptographic migration than the one which CISOs and CIOs have now started preparing for: from classical, public key cryptography to quantum-safe cryptography.
Cryptography within public key infrastructures is the foundation of today’s information-powered organizations, and the consequences of a successful attack against this foundation could be devastating. Governments, defense contractors and critical infrastructure enterprises have already taken the quantum threat very seriously and began preparations years ago. Now, enterprises in all industries must follow suit.
The Thousand-Mile Journey Ahead
Large scale cryptographic migrations are immense undertakings, which often take years — or even decades — to complete. Cryptographic systems are complex, having been developed and extended over decades. By starting now, you will better equip your organization to confront the very real difficulties of the transition, and manage unwelcome surprises that could derail and delay quantum-safe migration efforts and create soaring back-end costs.
As with any large scale migration to new cryptographic standards, organizations will likely find the cryptographic migration onerous, daunting and overwhelming.
What is the First Step?
What can enterprises do now to strengthen and future-proof their cryptographic infrastructures? To prepare for the immense cryptographic transition, organizations should start by identifying the information and systems that may be vulnerable to quantum-enabled attacks. Then, determine where tools and solutions are needed to transition from classical to quantum-safe measures to safeguard critical assets.
One reason cryptographic systems are overlooked by organizations is that most companies don’t directly implement, manage or deploy cryptography. Instead, they deploy solutions — and those solutions include embedded cryptography.
Two things organizations must prioritize:
- Inventory. The first step towards managing cryptographic risk is to improve cryptographic visibility by creating a full inventory of where, how and what cryptography is used. Organizations must also identify all business-critical systems, applications and information and their dependence upon the cryptographic assets; this dependency map should be closely linked to the cryptography inventory. An organization must extend its crypto-visibility into vendors, contractors, OEMs, third parties and partners.
- Invest in crypto-agile solutions. Crypto-agility can help organizations bridge the gap between current and quantum-safe security. Many enterprises are looking to adopt a crypto-agile posture with minimal disruption to existing systems, standards and end users.
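As an added illustration of the inventory and dependency-map step (example code written for this edit, not from the article or any vendor product), the following Python script classifies each entry of a constructed sample inventory by its exposure to quantum-enabled attacks and then walks the dependency map to show which business-critical systems, and which third parties, are affected. The asset names, owners and system names are assumed sample data.

```python
from dataclasses import dataclass

# Public-key schemes broken outright by Shor's algorithm on a large quantum computer.
SHOR_VULNERABLE = {"RSA", "DSA", "DH", "ECDSA", "ECDH"}
# Symmetric keys and digests are only weakened (Grover); 256 bits keeps a 128-bit margin.
MIN_SYMMETRIC_BITS = 256

@dataclass(frozen=True)
class CryptoAsset:
    name: str        # where the crypto lives, e.g. a TLS endpoint or a signing key
    algorithm: str
    bits: int
    purpose: str     # "confidentiality", "key-exchange" or "signature"
    owner: str       # internal team, or "vendor-..." for an external party

def classify(asset):
    """Return (status, reason) for one inventory row."""
    alg = asset.algorithm.upper()
    if alg in SHOR_VULNERABLE:
        if asset.purpose in ("confidentiality", "key-exchange"):
            return ("vulnerable", "harvest-now, decrypt-later exposure")
        return ("vulnerable", "signatures forgeable once large quantum computers exist")
    if alg in ("AES", "CHACHA20", "HMAC", "SHA2", "SHA3") and asset.bits < MIN_SYMMETRIC_BITS:
        return ("weakened", "Grover halves effective strength; move to 256-bit")
    return ("ok", "no known quantum impact at this size")

def critical_systems_at_risk(systems, assets):
    """systems: business-critical system -> names of the assets it depends on.
    A dependency missing from the inventory is reported as 'unknown' (an inventory gap)."""
    status = {a.name: classify(a)[0] for a in assets}
    report = {}
    for system, deps in systems.items():
        bad = {d: status.get(d, "unknown") for d in deps if status.get(d, "unknown") != "ok"}
        if bad:
            report[system] = bad
    return report

def third_party_exposure(assets):
    """Vulnerable or weakened assets that an external vendor/OEM must remediate."""
    return sorted(a.name for a in assets
                  if a.owner.startswith("vendor") and classify(a)[0] != "ok")

# Constructed sample inventory and dependency map (not real systems).
SAMPLE_ASSETS = [
    CryptoAsset("vpn-gateway-tls", "RSA", 2048, "key-exchange", "netops"),
    CryptoAsset("firmware-signing-key", "ECDSA", 256, "signature", "vendor-oem"),
    CryptoAsset("backup-encryption", "AES", 128, "confidentiality", "storage"),
    CryptoAsset("db-at-rest", "AES", 256, "confidentiality", "dba"),
]
SAMPLE_SYSTEMS = {
    "remote-access": ["vpn-gateway-tls"],
    "ota-updates": ["firmware-signing-key"],
    "records-archive": ["backup-encryption", "db-at-rest"],
    "hr-portal": ["legacy-sso"],   # depends on crypto nobody has inventoried yet
}
```

Running `critical_systems_at_risk(SAMPLE_SYSTEMS, SAMPLE_ASSETS)` reports the VPN and OTA systems as vulnerable, the archive as weakened by its 128-bit backup key, and the HR portal as an inventory gap; the same rules can be pointed at an exported certificate or HSM inventory instead of the sample rows.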
Crypto-Agile Solutions Can Ease the Quantum-Safe Migration
Gartner predicts that organizations with crypto-agility plans in place will suffer 60% fewer cryptographically related security breaches and application failures than organizations without a plan.
Crypto-agility describes the ability of an information security system to adopt and integrate new cryptographic algorithms without making significant changes to the system’s infrastructure. Cryptographically-agile organizations can upgrade and evolve their cryptographic systems safely, securely and with minimal disruptions, giving them important advantages and significantly lowering their crypto risk.
There are already crypto-agile solutions available to bridge the gap between classical and quantum-safe encryption — and there are real reasons to take action today:
- Systems, products and platforms being designed today, that will still be in use in a decade or more, need to be quantum-safe.
- Motivated threat actors are already harvesting communications protected by today’s classical cryptography — to decrypt with quantum computers in the future.
- The shift to quantum-safe algorithms will be the largest, most complex and time-consuming cryptographic migration in history.
Consider the following. Connected devices with long in-field service lives will need to receive software updates throughout their functional lifetimes. The integrity and authenticity of these updates must be protected, as software updates will be high-value targets for adversarial nation-states that deploy large-scale quantum computers. The work required to protect future software updates needs to start now. Where appropriate, organizations should also consider using hybrid solutions, which maintain the use of NIST-approved algorithms while also future-proofing existing systems.
The quantum-safe migration is a long journey ahead. With so much at stake, 2021 is the time to get motivated, stay determined and avoid procrastination — and take that first step.