The future is here. Or just about. After a number of discoveries, researchers have proven that quantum computing is possible and on its way. The wider world did not pause long on this discovery: Goldman Sachs, Amazon, Google, and IBM have just announced their own intentions to embark on their own quantum developments.
Now that its within our reach we have to start seriously considering what that means in the real world. Certainly, we all stand to gain from the massive benefits that quantum capabilities can bring, but so do cybercriminals.
Scalable quantum computing will defeat much of modern-day encryption, such as the RSA 2048 bit keys, which secure computer networks everywhere. The U.S. National Institute of Standards and Technology says as much, projecting that quantum in this decade will be able to break the protocols on which the modern internet relies.
The security profession hasnt taken the news lying down either. Preparations have begun in earnest. The DigiCert 2019 Post Quantum Cryptography (PQC) Survey aimed to examine exactly how companies were doing. Researchers surveyed 400 enterprises, each with 1,000 or more employees, across the US, Germany and Japan to get answers. They also conducted a focus group of nine different IT managers to further reveal those preparations.
SEE ALSO:DevSecOps Panel Best DevOps Security Practices & Best Tools
An encouraging development is that 35 percent of respondents already have a PQC budget, and a further 56 percent are discussing one in their organisations. Yet, many are still very early in the process of PQC planning. An IT manager within a manufacturing company said, We have a budget for security overall. Theres a segment allotted to this, but its not to the level or expense that is appropriate and should be there yet.
The time to start preparing, including inquiring of your vendors readiness for quantum computing threats, is now. One of the respondents, an IT Security manager at a financial services company, told surveyors, Were still in the early discussion phases because were not the only ones who are affected. There are third party partners and vendors that were in early discussions with on how we can be proactive and beef up our security. And quantum cryptology is one of the topics that we are looking at.
Others expanded upon that, noting that their early preparations heavily involve discussing the matter with third parties and vendors. Another focus group member, an IT manager at an industrial construction company, told the group, We have third party security companies that are working with us to come up with solutions to be proactive. So obviously, knock on wood, nothing has happened yet. But we are definitely always proactive from a security standpoint and were definitely trying to make sure that were ready once a solution is available.
Talking to your vendors and third parties should be a key part of any organisations planning process. To that end, organisations should be checking whether their partners will keep supporting and securing customers operations into the age of quantum.
The data itself was still at the centre of respondents minds when it came to protection from quantum threats, and when asked what they were focusing on in their preparations, respondents said that above all they were monitoring their own data. One respondent told us, The data is everything for anybody thats involved in protecting it. And so you just have to stay on top of it along with your vendors and continue to communicate.
One of the prime preparatory best practices that respondents called upon was monitoring. Knowing what kind of data flows within your environment, how its used and how its currently protected are all things that an enterprise has to find out as they prepare.
SEE ALSO:As quantum computing draws near, cryptography security concerns grow
To be sure, overhauling an enterprises cryptographic infrastructure is no small feat, but respondents listed understanding their organisations level of crypto agility as a priority. Quantum might be a few years off, but becoming crypto agile may take just as long.
Organisations will have to plan for a system which can easily swap out, integrate and change cryptographic algorithms within an organisation. Moreover, it must be able to do so quickly, cheaply and without any significant changes to the broader system. Practically, this means installing automated platforms which follow your cryptographic deployments so that you can remediate, revoke, renew, reissue or otherwise control any and all of your certificates at scale.
Many organisations are still taking their first tentative steps, and others have yet to take any. Now is the time for organisations to be assessing their deployments of crypto and digital certificates so they have proper crypto-agility and are ready to deploy quantum-resistant algorithms soon rather than being caught lacking when it finally arrives.Read More..