With post-quantum technology having the potential to trigger a new wave of cyber threats, we identify 10 steps that organizations should take to prepare.
The security implications of post-quantum technology are legitimate cause for concern. Around the world, corporations and nation-states are pouring millions of dollars into developing quantum computing technology. In response, governments and supranational organizations are sounding the alarm and readying themselves for a new era of cyber threats. Yet, the prospect of such threats should cause neither panic nor paralysis. As with all disruptive technologies, preparation is the best defense.
Concerns about protecting data and assets from post-quantum threats are best assuaged through so-called ‘cryptographic agility’. Cryptographically agile organizations can shift gears quickly, switching out their original encryption method or cryptographic primitive (the building blocks of higher-level cryptographic algorithms) without disrupting their overall system infrastructure. This will be an important attribute for any organization looking to achieve quantum readiness, because post-quantum algorithms will keep changing as cryptographic research matures in line with technical advances.
The following ten-step checklist is a useful jumping-off point for security teams seeking to determine their organization’s level of readiness for Post-Quantum Cryptography (PQC), and create an effective strategy to realize true cryptographic agility.
Ten steps toward post-quantum readiness
Assess
Like preparing for any other security overhaul, the road to cryptographic agility begins with a thorough analysis of the organization’s environment, to determine exactly what you’re working with, where the gaps are, and what needs to be done next:
1. Take stock of your entire security strategy.
2. What cryptographic tools do you use?
3. Who has control over them?
4. What is the lifecycle management policy?
5. Create a comprehensive inventory of your cryptographic tools.
As part of the assessment process, organizations must identify all of the systems currently using cryptographic technologies for any function, as well as any cybersecurity and data security standards in place that will need to be updated in line with post-quantum requirements.
Prioritize
Data encrypted today with classical cryptography can be captured and stored by bad actors now, to be decrypted once they obtain quantum technology, in a move known as a “Store now, decrypt later” (SNDL) attack. Organizations warehousing data with a long shelf life must therefore be particularly aware of this threat, and make plans that prioritize the data that is both most valuable and longest-lived:
6. Determine what your most valuable data is.
7. Which data has the longest shelf life?
Plan for action
Creating and adopting a cryptographically agile approach allows organizations to future-proof their security strategy by providing the mechanism to address potential threats quickly and effectively as they appear:
8. Make plans to migrate the most valuable data, together with the data with the longest shelf life, to PQC first.
9. Prepare to follow NIST guidelines for PQC algorithms, but be prepared to adopt changes on the fly.
10. Adopt a cryptographically agile strategy.
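As an added illustration (not code from the original article), the following Python sketch shows what the ‘cryptographic agility’ described above looks like in code, together with the migration ordering of steps 6 to 8: every protected object carries an explicit algorithm identifier and key id, callers dispatch through a registry instead of hard-coding a primitive, and a migration routine re-protects legacy objects under the current algorithm. Two standard-library HMAC variants stand in for the classical and post-quantum schemes; the key names, inventory fields and the value-then-shelf-life ordering are assumptions.

```python
import hmac
import hashlib

# Registry of primitives keyed by an explicit algorithm identifier. Swapping a
# primitive means adding an entry here, not touching every caller. The two HMAC
# variants are constructed stand-ins for the classical and post-quantum schemes
# an organization would actually deploy.
ALGORITHMS = {
    "hmac-sha256": lambda key, msg: hmac.new(key, msg, hashlib.sha256).digest(),
    "hmac-sha3-256": lambda key, msg: hmac.new(key, msg, hashlib.sha3_256).digest(),
}
CURRENT_ALG = "hmac-sha3-256"   # the algorithm every newly protected object gets
RETIRING = {"hmac-sha256"}      # algorithms flagged for migration (assumed policy)


def protect(key: bytes, kid: str, data: bytes, alg: str = CURRENT_ALG) -> dict:
    """Wrap data in an envelope that records which primitive and key were used."""
    if alg not in ALGORITHMS:
        raise ValueError(f"unknown algorithm {alg}")
    return {"alg": alg, "kid": kid, "data": data, "tag": ALGORITHMS[alg](key, data)}


def verify(keys: dict, env: dict) -> bool:
    """Dispatch on the envelope's own algorithm identifier; unknown ids fail closed."""
    prim = ALGORITHMS.get(env["alg"])
    if prim is None or env["kid"] not in keys:
        return False
    return hmac.compare_digest(prim(keys[env["kid"]], env["data"]), env["tag"])


def migrate(keys: dict, env: dict, new_kid: str) -> dict:
    """Re-protect a legacy envelope under CURRENT_ALG, but only if the old one verifies."""
    if not verify(keys, env):
        raise ValueError("refusing to migrate an envelope that does not verify")
    return protect(keys[new_kid], new_kid, env["data"])


def migration_order(inventory: list) -> list:
    """Steps 6-8: among records still on a retiring algorithm, highest value and
    longest shelf life go first (assumed ordering: value, then shelf life)."""
    pending = [r for r in inventory if r["alg"] in RETIRING]
    return sorted(pending, key=lambda r: (r["value"], r["shelf_life_years"]), reverse=True)


if __name__ == "__main__":
    # Constructed sample keys and data, not real secrets.
    keys = {"k-old": b"constructed-legacy-key", "k-new": b"constructed-pqc-era-key"}
    legacy = protect(keys["k-old"], "k-old", b"patient records", alg="hmac-sha256")
    migrated = migrate(keys, legacy, "k-new")
    print(migrated["alg"], verify(keys, migrated))
```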
While each of these steps is critical to achieving cryptographic agility and preparing a strategy for post-quantum readiness, they can be challenging without the right support. Consider finding an expert in cryptographic security solutions to help your organization develop a strategy to achieve cryptographic agility.
This article was originally published in Information Age https://www.information-age.com/preparing-for-post-quantum-in-10-steps-123501654/