The security implications of quantum computing are legitimate cause for concern. Around the world, corporations and nation-states are pouring millions of dollars into developing quantum computing technology. In response, governments and supranational organisations are sounding the alarm and readying themselves for a new era of cyber threats. Yet the prospect of such threats should cause neither panic nor paralysis. As with all disruptive technologies, preparation is the best defence.
Concerns about protecting data and assets from post-quantum threats are best assuaged through so-called ‘cryptographic agility’. Cryptographically agile organisations can shift gears quickly, switching out their original encryption method or cryptographic primitive (the building blocks of higher-level cryptographic algorithms) without disrupting their overall system infrastructure. This will be an important attribute for any organisation looking to achieve quantum readiness, as post-quantum algorithms will continue to evolve as cryptographic research matures in line with technical advances.
The following ten-step checklist is a useful jumping-off point for security teams seeking to determine their organisation’s level of readiness for Post-Quantum Cryptography (PQC), and create an effective strategy to realise true cryptographic agility.
Ten steps toward post-quantum readiness
Like preparing for any other security overhaul, the road to cryptographic agility begins with a thorough analysis of the organisation’s environment, to determine exactly what you’re working with, where the gaps are, and what needs to be done next:
1. Take stock of your entire security strategy.
2. What cryptographic tools do you use?
3. Who has control over them?
4. What is the lifecycle management policy?
5. Create a comprehensive inventory of your cryptographic tools.
As part of the assessment process, organisations must identify all of the systems currently using cryptographic technologies for any function, as well as any cybersecurity and data security standards in place that will need to be updated in line with post-quantum requirements.
Data currently encrypted with classical cryptography can be captured and stored by bad actors today and decrypted once they obtain quantum technology, in a move known as a “Store now, decrypt later” (SNDL) attack. Organisations warehousing data with a long shelf life must therefore be particularly aware of this threat, and make plans that prioritise their most valuable and longest-lived data:
6. Determine which data is most valuable to you.
7. Which data has the longest shelf life?
Plan for action
Creating and adopting a cryptographically agile approach allows organisations to future-proof their security strategy by providing the mechanism to address potential threats quickly and effectively as they appear:
8. Make plans to migrate the most valuable data, together with the data with the longest shelf life, to PQC first.
9. Prepare to follow NIST guidelines for PQC algorithms, but be prepared to adopt changes on the fly.
10. Adopt a cryptographically agile strategy.
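As an added illustration of steps 5 through 8 (example code, not from the article), the following Python script classifies a constructed cryptographic inventory by quantum exposure and ranks the migration order by data value and shelf life. The ten-year horizon, the 256-bit symmetric threshold and the asset records are planning assumptions for this example, not figures from the article.

```python
"""Rank a cryptographic inventory for post-quantum migration (steps 5-8)."""
from dataclasses import dataclass

# Assumed planning horizon (years) before a cryptographically relevant quantum
# computer exists. A placeholder assumption for this example, not a forecast.
QUANTUM_HORIZON_YEARS = 10

# Public-key families broken outright by Shor's algorithm.
SHOR_VULNERABLE = {"RSA", "DSA", "DH", "ECDH", "ECDSA"}
# Conservative policy assumption: Grover halves symmetric/hash strength, so
# treat anything below 256 bits as weakened rather than broken.
MIN_GROVER_SAFE_BITS = 256


@dataclass
class CryptoAsset:
    system: str            # owning system (step 1)
    owner: str             # who controls the key material (step 3)
    algorithm: str         # primitive in use, e.g. "RSA" or "AES" (step 2)
    key_bits: int
    data_value: int        # 1 (low) .. 5 (critical), from step 6
    shelf_life_years: int  # how long the data must stay secret, from step 7


def quantum_exposure(asset):
    """Return 'broken', 'weakened' or 'ok' for the primitive on its own."""
    if asset.algorithm in SHOR_VULNERABLE:
        return "broken"
    if asset.key_bits < MIN_GROVER_SAFE_BITS:
        return "weakened"
    return "ok"


def sndl_at_risk(asset):
    """Store-now-decrypt-later only matters if the data outlives the horizon."""
    return quantum_exposure(asset) != "ok" and asset.shelf_life_years > QUANTUM_HORIZON_YEARS


def migration_order(assets):
    """Step 8: SNDL-exposed, most valuable, longest-lived, most broken first."""
    rank = {"broken": 2, "weakened": 1, "ok": 0}
    exposed = [a for a in assets if quantum_exposure(a) != "ok"]
    key = lambda a: (sndl_at_risk(a), a.data_value, a.shelf_life_years, rank[quantum_exposure(a)])
    return sorted(exposed, key=key, reverse=True)


# Constructed sample inventory; values are illustrative only.
INVENTORY = [
    CryptoAsset("hr-archive", "HR", "RSA", 2048, 5, 30),      # decades-long records
    CryptoAsset("web-tls", "Platform", "ECDH", 256, 2, 0),    # ephemeral session keys
    CryptoAsset("backup-vault", "IT", "AES", 128, 4, 15),
    CryptoAsset("log-signing", "SecOps", "ECDSA", 256, 3, 7),
    CryptoAsset("data-lake", "Analytics", "AES", 256, 4, 20),  # already Grover-safe
]

if __name__ == "__main__":
    for asset in migration_order(INVENTORY):
        print(asset.system, quantum_exposure(asset), "SNDL" if sndl_at_risk(asset) else "-")
```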
While each of these steps is critical to achieving cryptographic agility and preparing a strategy for post-quantum readiness, they can be challenging without the right support. Consider finding an expert in cryptographic security solutions to help your organisation develop a strategy to achieve cryptographic agility.