From PKI to PQC: Devising a strategy for the transition
Quantum computers capable of breaking currently used encryption algorithms are an inevitability. And since the US, China and Europe are sprinting to win that arms race, we know that day is coming sooner rather than later.
Will organizations be ready to counter this threat to their data, though?
The Ponemon Institute recently canvassed 1,426 IT and IT security practitioners knowledgeable about their organizations’ approach to post-quantum cryptography, and found that 61% of them worry that their organization will not be ready to address the security implications of post-quantum computing.
As they see it, the main challenges are lack of time, money, and skilled personnel, but also:
- Uncertainty about the implications of post-quantum cryptography (PQC),
- The fact that post-quantum algorithms are still in the process of being standardized, and
- The fact that there is no clear ownership of the transition process within the organization.
Obstacles to remove for a successful transition to post-quantum cryptography
Before starting, organizations should know the answers to the following questions: Who holds the budget for the transition to post-quantum cryptography? Who is going to drive the effort? And where does the responsibility lie?
“Independently of PQC as a topic, one of the challenges often voiced by our customers is that public key infrastructure (PKI) can exist in a company in a broad range of departments, making it difficult centralize the responsibility for and ownership of it,” Jason Sabin, Chief Technology Officer at digital security company DigiCert, told Help Net Security.
Companies are solving that problem in different ways. In some cases, they centralize their cryptographic activity under one department and one head. In other cases, they create an acting committee, with stakeholders across the company who influence the direction of their programs.
“The companies that have already started to centralize management have an organizational method to request that budget and schedule the activity. But for the organizations that have not, there’s a little bit of an organizational design challenge present. And that’s where, I think, the technology leaders need to partner with the business leaders to come up with the best organizational path forward,” he remarked.
Quantum-resistant algorithms still not having been standardized is not an insurmountable challenge: Draft standards are available, the algorithms can be explored and tested on different systems, and the results can help organizations devise the right implementation plan in advance.
Finally, a change in mindset around quantum cryptography is needed. Executives must realize that the threat to data privacy and confidentiality exists even if cryptographically relevant quantum computers are not yet at hand.
“Threat actors can employ Harvest Now, Decrypt Later strategies to steal data, sit on it, and then decrypt it once quantum computers are around,” Sabin pointed out.
“The other vector are software or devices that will be deployed in the field for a long time. They need to be secured with quantum-safe keys now, so that they can still protect the data and the users employing them when quantum computers become a reality.”
All of this makes it obvious that a certain degree of urgency IS warranted.
A lot is at stake
Good relationships – whether business or personal – are based on trust. Unfortunately, trust that has been built over a long period of time can be lost quickly, leading customers and business partners to walk away.
“As a customer, I want to know which companies are investing in getting ready for a post-quantum future, and especially which are not! And companies will care whether their vendors and suppliers are ‘quantum-safe’,” Sabin pointed out.
From that perspective, a timely transition to post-quantum cryptography equals shoring up business resiliency.
“I think this transition should not be viewed just as a technology requirement or something that’s happening deep in the weeds in the technology organization, but also something that needs to be at the forefront of business strategy into the next decade,” he added.
And if, while transitioning the algorithms, companies make the effort to adopt a more efficient and secure approach to managing their cryptographic assets, they can end up with a better security posture overall.
The question now is to what degree are companies prepared to invest in maintaining trust with their partners, customers, and employees?
Know what you have and prioritize what needs to be prioritized
The good news is that there’s a global concerted effort aimed at mitigating the data confidentiality risks associated with post-quantum computing ahead of time. For once, security is not an afterthought: we know what’s coming and we can prepare for it.
To start, senior leadership must be made to understand the threats to data security caused by post-quantum computing, and they must make sure that resources are allocated to prepare for it.
(Ponemon’s study revealed that currently only 30 percent of respondents say that their organization is allocating any budget for PQC readiness. 22% say that their company has no plans at the present time to allocate budget.)
Ideally, the organization already has a “central hub” that deals with all internal PKI matters, and the allocated budget can be used to – among other things – engage experts that will test post-quantum algorithms and generally work on the transition to post-quantum cryptography.
They will first create and keep updated an inventory of cryptography keys in use. This activity must reveal the keys’ characteristics, where they are located and for what they are used.
(Ponemon found that 52% of organizations have already invested in creating a centralized crypto-key inventory and gained operational benefits from this. But with PQC on the horizon, such an inventory will become a necessity.)
This information will allow them to:
- Identify priorities (e.g., protection of intellectual property, customer data) and answer questions that need to be answered (e.g., “How long does the data need to be protected?“)
- Create a detailed plan of action (by consulting guidance such as NIST’s Migration to Post-Quantum Cryptography),
- Establish a centralized crypto-management strategy that will be applied across the entire enterprise.
“Companies can then look at how to streamline the operations of managing the transition, by putting in place systems that deliver crypto-agility, i.e., automated certificate and key management. This will enable them to respond quickly and in sequence to their needs as the pressures on the cryptographic landscape change,” Sabin concluded.