Quantum computing is on the horizon, and its promise to revolutionize fields like medicine, finance, and climate science is incredibly exciting. But it’s important not to overlook the potential risks, particularly in the world of cybersecurity. Today’s cryptographic systems, which underpin secure communication and data protection, may become obsolete in the face of powerful quantum algorithms capable of cracking them.
At the 2024 Venafi Machine Identity Management Summit, Valentin Chatelard, Machine IAM Security Architect at Air France-KLM, shared valuable insights on how organizations can prepare for this imminent shift by modernizing their Public Key Infrastructure (PKI). The PKI transformation he oversaw at Air France-KLM not only ensured scalability and efficiency, but also prepared the organization for the post-quantum cryptographic era.
Let’s explore key lessons from Valentin’s session, so you can take those same actionable steps to future-proof your PKI systems.
PKI: Are You Doing It Wrong?
PKI Evolution at Air France-KLM
While PKI systems were once the guardians of secure communication, legacy infrastructures are now at risk of becoming a bottleneck in managing modern security requirements. At Air-France KLM, modernizing their PKI was both a challenge and a necessity.
- Legacy Challenges: The original PKI systems at Air France-KLM were not designed to scale with the realities of modern enterprise IT. The explosion of digital certificates (from 500 issued monthly to upwards of 700,000 certificates) introduced inefficiencies, vulnerabilities, and gaps in agility.
- Modernization Drivers: The rise of cloud adoption, microservices architecture, and the sheer scale of machine identities drove the need for change. By integrating their PKI with DevSecOps processes, Air France-KLM achieved the speed and scalability required to effectively manage their volume of certificates.
- Increased Automation: Automation was the backbone of their PKI transformation. Tasks that once required significant manual intervention, such as certificate issuance, renewal, and management, were seamlessly automated and integrated into DevSecOps workflows. The shift not only reduced human error, but also empowered the team to focus on strategic initiatives rather than routine operations.
Auditing PKI and Preparing for the Future
Comprehensive Audit
Valentin shared how Air France-KLM conducted an extensive audit of their certificate landscape using APIs and custom-built tools by Venafi, a CyberArk company. The results were eye-opening. Over 2.7 million certificates were analyzed, and the audit uncovered inefficiencies such as poor governance, template duplication, and misaligned systems that hindered agility and placed security at risk.
Efficient Governance and Compliance
By addressing these inefficiencies, they created standardized processes and policies that improved their ability to adapt to new challenges, including those posed by emerging quantum threats.
Preparing for Post-Quantum Cryptography
Quantum computing brings tangible threats to traditional cryptographic algorithms, such as RSA and ECC, which are commonly used in PKI systems. Preparing for this new reality requires a proactive approach.
Crypto-Agility: The New Imperative
- NIST (National Institute of Standards and Technology) is in the process of identifying standard post-quantum algorithms. Organizations must prepare for hybrid certificates that incorporate both classical and quantum-resistant algorithms for a phased transition.
- Automation plays a critical role in implementing post-quantum cryptography. By integrating automated processes with compliance checks and governance frameworks, organizations can ensure new cryptographic standards are adopted seamlessly without introducing risks.
Key Recommendations for Modernizing PKI
The lessons Valentin learned from Air France-KLM’s overhaul provide a blueprint for organizations aiming to modernize their PKI systems.
1. Centralization and Rationalization
Combining PKI teams and consolidating hardware and software components is critical. This approach enhances visibility into certificate usage, improves governance, and ensures compliance with cryptographic standards.
2. Enhanced Automation
Automation is essential to meet the growing demand for certificates while reducing manual errors. Tasks such as certificate issuance, renewal and revocation should be automated. Tools like Venafi enable centralized policy management, reducing operational friction.
3. Visibility and Reporting
Comprehensive visibility into your certificate landscape is non-negotiable. With tools like Venafi, organizations gain real-time insights into certificate usage, identify vulnerabilities, and ensure accountability in cryptographic operationss
4. Prepare for Hybrid Certificate Transitions
Organizations should begin testing hybrid certificate models that use both classical and post-quantum algorithms. This ensures infrastructure readiness once NIST finalizes its recommendations for quantum-resistant standards.
Why Governance Matters and Much as Tech
Modernizing PKI isn’t just about tools and technology; governance plays a pivotal role. Without clear policies and well-defined roles, even the most advanced infrastructure can descend into chaos. Standardizing processes, aligning stakeholders, and enforcing accountability are key to building a resilient PKI capable of withstanding quantum risks.
Final Takeaways
Automation is Key
Without automation, scaling certificate operations to meet modern demands is impractical. Automating repetitive tasks not only enhances security but also liberates your team to focus on innovation.
Proactively Adapt for Quantum
You can’t afford to wait! Being reactive will only expose your infrastructure to unnecessary risks. Start integrating crypto-agility into your PKI today.
Invest in Governance and Visibility
A lack of governance is a ticking time bomb. Centralized policy management and robust reporting are non-negotiable for ensuring a secure, compliant PKI.
Valentin Chatelard summed it up best during his session: “Identify productivity gaps, leverage automation strategically, and stay informed on cryptographic advancements to secure your infrastructures against quantum threats.”
The clock is ticking. Is your PKI ready for the quantum future? For more insights into this important topic, watch Valentin’s full session at the Machine Identity Security Summit!
Related Posts