Overcoming crypto assessment challenges to improve quantum readiness
Large enterprises have a major problem when it comes to preparing for the advent of quantum computing: few, if any, have a working knowledge of all the locations where cryptographic keys are being stored and used across applications, browsers, platforms, files and modules, as well as being shared with third parties and vendors.
Enterprises with tens or hundreds of thousands of employees require a massive technology base including computers, mobile devices, operating systems, applications, data, and network resources to keep operations running smoothly. Cryptography in all of its various forms is broadly used to encrypt and protect sensitive information as it moves across this vast landscape of systems and devices. Exactly which algorithms and cryptography methods are being used is virtually unknowable without a concerted effort to track down and compile a comprehensive inventory of the literally hundreds of crypto assets in use across an enterprise.
Most enterprise IT managers and chief security officers are well-acquainted with tracking software assets as a way to improve security. A good understanding of software versions can help with ensuring that updates and patches are applied before the next big vulnerability is discovered and systems get compromised. There’s a sense of urgency around patching software as new flaws and data breaches get discovered on a nearly daily basis.
Crypto systems, in contrast, are often perceived to already be hardened and less vulnerable than software applications. Changes to cryptography systems tend to happen slowly, so there is less immediacy. Organizations often take years to upgrade their cryptography, as with migrations from SHA-1 to SHA-2 or Triple Data Encryption Standard (TDES) to Advanced Encryption Standard (AES).
Quantum uncertainty
The lack of urgency concerning cryptography is one of most significant problems facing most enterprises as they consider what steps they should be taking to survive in a post-quantum world. With Y2K, for instance, the deadline to revamp systems with two-digit date codes was obvious. That’s not the case here – the timeline is anything but certain. It could happen in two or three years or it might happen in 10-15 years, or it might never happen. At the current rate of advancement, most experts expect that functional quantum computers capable of breaking current-grade cryptography such as RSA will arrive within the next 10 years. Maybe. Or maybe not.
Uncertainty is a deal breaker for driving urgency. When there are 50,000 fires to fight on a daily basis, enterprises don’t have time to think about a fire that someone tells them is going to happen sometime in the future. It’s a matter of human nature. We all continue living our lives knowing that someday the sun will explode and life on Earth as we know it will be over. We tell ourselves, “Sure, someday quantum computers will arrive on the scene and I’ll deal with it when the time comes, but I’m too busy to think about it right now.”
If guarding against the threat of quantum were a simple matter of using different algorithms, a wait-and-see attitude might be sufficient. In reality, in the 40 years that asymmetric encryption technology has been in use, there has never be a threat to cryptography of this scale. There will be massive upheaval and disruption.
A sweeping crypto transition like this will happen at Internet scale. Making the move to quantum-resistance algorithms will be a complex process for the entire industry, involving countless systems and devices and will require intense engagement with partners and third-party vendors. It will take time and patience.
Every enterprise is different and the only way to know how your organization will fare in a post-quantum world is to gain an understanding of what systems are doing cryptographic signing or encryption. The ultimate goal is a listing all the applications, systems and devices across the organization and its subsidiaries detailing the type of cryptography and algorithms in use. You’ll also want to evaluate exposure to attack, the sensitivity of information that is being protected, and whether there’s support for crypto agility to determine if the system will need to be replaced by something more agile. Such information is often not immediately obvious and may require special tools, expert-level sleuthing and discussions with vendors to figure out. Given a general lack of urgency toward quantum, few enterprises are likely to invest the necessary resources for a comprehensive cryptography audit.
Quantum readiness: Focus on business-critical systems first
A much more practical approach – and one that business leaders will more likely find acceptable – is to focus on understanding the exposure to your more important, business-critical set of applications. For example, if you’re a bank, what systems do you have that allow you to operate daily as a bank? You’re not going to care about an employee website that sells Disneyland tickets. It that were to be turned off tomorrow, it wouldn’t be a problem. By focusing on business-critical systems, you’ve just overcome a major obstacle to getting started toward quantum readiness.
Once you have the ball rolling and business-critical systems identified, now comes the task of tracking down where and how those system are using signing or encryption. Is that SQL database sitting on the network using certificates? How do I know? There’s no magical tool that can run in an environment and tell you everything. You’ll need to look at network ports and look for certificates and even then, you’ll only find a small portion.
If your company makes widgets, you’ll likely decide that the systems you use to make widgets are business critical. Is encryption or signing enabled? If so, what type of cryptographic keys and can it be upgraded? Is there something in the documentation, or will I need to have a conversation with the vendor? It’s also important not to overlook systems that may not be business critical per se but could expose the organization to considerable risk. The video conferencing system used to discuss quarterly earnings could be prime target, for instance.
Improving crypto ability
Even if you aren’t sure about post-quantum impact, having a list of all the systems and algorithms is important for other security controls and standards as well as knowing where your risks are. So even if the quantum supremacy is never realized, it’s still a good process to go through – it’s not wasted nor is it only for the doomsayers.
What’s more, cryptographic algorithms are constantly evolving. Having a list of the type of cryptography in use makes it relatively simple to move to stronger algorithms as needed. Researchers are constantly looking for ways to crack encryption algorithms and sometimes they are successful, such as the discovery of a significant flaw that caused all major browser vendors to flag SHA-1 certificates as unsafe, finally putting that outdated algorithm to bed.
A good understanding of cryptography also puts you in a better position with vendors. As quantum-safe algorithms and methods are developed, you can put pressure on vendors to implement them within a reasonable time frame, or if they refuse, you can move to different vendors. And to some degree, time is of the essence. Even before a quantum computer capable of breaking encryption arrives, malicious actors are already starting to harvest encrypted data hoping they can one day unlock a veritable treasure trove.
Despite the uncertainty surrounding the arrival of quantum computing, sitting back and waiting for the sky to fall is a sure recipe for disaster. Avoid the worst-case scenario by at least documenting how your organization uses cryptography across all business-critical systems.