Don’t Panic.
The iconic words inscribed on the back cover of The Hitchhiker’s Guide to the Galaxy are a solid tip if your planet has been destroyed to make way for a hyperspace bypass (like Arthur Dent, the hapless protagonist, in Douglas Adams’ magnum opus).
It’s also sound advice for any InfoSec professionals grappling with the thought of quantum computers shredding their cryptographic defenses.
Well, we’re here to tell you there’s indeed no need to panic. There is, however, a dire need to prepare. But we also understand you don’t have the time to get entangled in lofty crypto standards or erudite white papers.
So you can consider InfoSec’s Guide to Post-Quantum Readiness your Babel fish for post-quantum readiness, translating all that PQC complexity into simple, straightforward…er… guidance.
This eBook covers:
- The latest PQC developments from NIST, ETSI, ENISA, AIVD, BSI and other governing bodies
- An estimated countdown to Q-Day
- Specific quantum threats that could already be endangering your data, code and machines
- The industry-recommended three-step framework for quantum readiness—and the critical role machine identity management plays
- Expert insights on InfoSec’s greatest quantum concerns
- How to start preparing your business for tomorrow’s quantum threats, today
Oh, the enormity!
To again quote the irreverent Adams, “Space is big. You just won't believe how vastly, hugely, mind-bogglingly big it is.”
The same can be said for the potential advantages quantum computers are set to bring to society.
They may not be ideal for every kind of computing scenario, but quantum computers far outperform their classical counterparts in pharmaceutical research, financial modeling and climate change predictions. And while we can’t wrap our heads around the full potential of their positive impact, we know one thing for certain: they’ll also bring enormous cybersecurity risks.
In some cases, they already are. But we’ll get to those. For now, let’s talk about the latest developments in quantum computing.
Engage the quantum accelerators
Quantum computers may not yet be strong enough to obliterate today’s cryptographic algorithms, but the industry made significant strides in 2023. And it’s picking up momentum.
The rate of new quantum developments rose on an almost-monthly basis last year, and according to Deloitte, there’s plenty more in store for 2024.
It must be Q-Day. I could never get the hang of Q-Day.
Although Arthur Dent was originally complaining about Thursdays in this iconic line (which I don’t get—you’re so close to Friday, my man), the road to Q-Day requires some careful planning and preparation.
Here’s a quick preview of the projected Q-Day countdown that experts, like the Cloud Security Alliance, are forecasting. But much like our ever-expanding universe, this timeline is dynamic and evolving.
- 2024-2026: Regulatory bodies expected to standardize quantum-resistant algorithms; certified libraries to begin implementing PQC
- 2027-2029: A huge vendor push expected as tech companies adopt NIST-approved algorithms
- 2030-2033: Q-Day dawns and Cryptographically Relevant Quantum Computers (CRQCs) begin to pulverize classic encryption. (But by starting your prep today, you’ll be ready long before then.)
95% of businesses aren’t quantum ready. Half aren’t concerned yet.
During a recent webinar with SecureWorld, we polled the audience on their state of post-quantum readiness. A rather alarming 95% of organizations admitted they’re not prepped for the shift.
There’s no need to fret. You still have some runway.
Regardless, any industries handling confidential, private or customer information should start planning sooner, rather than later. And even if you’re not in a high-risk sector, it’s not a bad idea to start preparing today—radical shifts in encryption, as historical evidence shows, take a lot of time.
You’ve told me to prepare 42 times now. Prepare for what, exactly?
Organizations in every industry will need to solve the same set of problems posed by quantum attacks on encryption:
- Steal now, decrypt later attacks: Threat actors are already harvesting encrypted data, storing it and planning to decrypt it when CRQCs become available.
- Unauthorized code execution: Without a resilient code signing operation, internal software faces a greater risk of ransomware, malware, zero-day exploits and other tampering.
- TLS protocol transition: To deny others the ability to read, modify or intercept data—or impersonate your business—TLS protocols must be transitioned to NIST-approved, quantum-resistant algorithms.
- Active protection of data and code in use: Data and code that are currently being accessed and processed must also be protected.
Solving all these challenges relies on a secure bedrock of machine identities—and robust machine identity management. That’s your key to quantum victory, and it’s also a crucial cornerstone of the 3-step framework being recommended by regulatory bodies like NIST, ETSI, ENISA, AIVD and BSI.
Your 3 steps to quantum victory
PQC diagnosis
Your first step is to inventory all machine identities (i.e. TLS certificates, SSH keys and code signing credentials), their protocols and the apps that use them.
Planning the migration
Next, you should plan, prioritize and test migration for critical machine identities, and all associated apps, to protocols or schemes leveraging PQC algorithms.
Execute the migration
Don’t you love it when a plan comes together? Here, you’ll decide on timing and execute the migration of critical machine identities and associated apps.
For more details on each of these steps, including pro tips, check out the full eBook.
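The diagnosis step can be made concrete for one class of machine identity, SSH public keys. The sketch below is an added example, not code from the eBook or from Venafi: it decodes each key line, checks that the declared type matches the key blob, records the RSA modulus size and flags classical key types. The sample keys, their owners and the `quantum_vulnerable` field name are constructed for illustration.

```python
import base64
import struct
# RSA, DSA, ECDSA and Ed25519 all fall to Shor's algorithm on a CRQC.
CLASSICAL_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-")

def _read_string(blob, offset):
    """Read one length-prefixed field (RFC 4253 'string'); return (bytes, next offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    end = offset + 4 + struct.unpack_from(">I", blob, offset)[0]
    if end > len(blob):
        raise ValueError("truncated field")
    return blob[offset + 4:end], end

def inspect_ssh_key(line):
    """Turn one '<type> <base64> [comment]' public-key line into an inventory record."""
    fields = line.split(None, 2)
    if len(fields) < 2:
        raise ValueError("not a public-key line")
    declared, blob = fields[0], base64.b64decode(fields[1], validate=True)
    embedded, offset = _read_string(blob, 0)
    if embedded.decode("ascii", "replace") != declared:
        raise ValueError("declared key type does not match key blob")
    rsa_bits = None
    if declared == "ssh-rsa":
        _exponent, offset = _read_string(blob, offset)
        modulus, _ = _read_string(blob, offset)
        rsa_bits = int.from_bytes(modulus, "big").bit_length()
    return {"owner": fields[2] if len(fields) > 2 else "", "type": declared,
            "rsa_bits": rsa_bits, "quantum_vulnerable": declared.startswith(CLASSICAL_TYPES)}

def build_inventory(lines):
    """Inspect each key line; unparseable entries go to a separate error list."""
    records, errors = [], []
    for line in filter(None, (raw.strip() for raw in lines)):
        try:
            records.append(inspect_ssh_key(line))
        except ValueError as exc:
            errors.append((line[:40], str(exc)))
    return records, errors

def _sample(key_type, owner, *parts):
    blob = b"".join(struct.pack(">I", len(p)) + p for p in (key_type.encode(), *parts))
    return f"{key_type} {base64.b64encode(blob).decode()} {owner}"
# Constructed entries: placeholder bytes and hypothetical owners, not real keys.
SAMPLE_KEYS = [
    _sample("ssh-rsa", "deploy@build01", b"\x01\x00\x01", b"\x00" + b"\xff" * 256),
    _sample("ssh-ed25519", "backup@db02", b"\x11" * 32),
]
```

Calling `build_inventory(SAMPLE_KEYS)` returns the records plus a list of lines that failed to parse; a key type outside `CLASSICAL_TYPES` comes back with `quantum_vulnerable` set to `False` and should be reviewed by hand rather than assumed safe.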
Machine identity discovery: InfoSec’s largest PQC concern
When asked about their greatest concerns related to post-quantum readiness, most InfoSec teams reported worries about the discovery and inventory of machine identities.
We asked Faisal Razzak, our resident PQC expert, to weigh in on these findings. He deemed them unsurprising, because most companies are still at Step 1, the diagnosis (or discovery and inventory) stage.
Razzak also emphasized that, though automation is a lower concern today, it’s still a critical piece of the puzzle.
“The scale of machine identities involved in a PQC migration will be massive, and automation a necessity. It’s also vital for assuring crypto-agility, which enables your machine identity management to turn on a dime in case of large-scale events, such as widespread cryptographic vulnerabilities.”
– Faisal Razzak, Group Manager, Post Quantum & Secure Software Supply Chain Initiatives
Remember: Don’t panic, prepare. You’ve got this.
The post-quantum timeline is dynamic and evolving, but if you begin taking stock of your machine identities, you’ll already be well on your way.
And if you haven’t started yet, don’t worry. Because you can rely on Venafi as your trusted partner in the PQC migration process. With our Control Plane for Machine Identities, you can take charge and:
- See all machine identities: Discover and monitor all certificates that you are currently using, their health and their cryptographic status.
- Build consistent parameters: Define and enforce policies using automation and approval workflows.
- Stay operational: Reduce downtime with a fast, automated service that scales.
- Work the way you want: Choose the best post-quantum approach for your specific business requirements.
And don’t forget to grab your copy of InfoSec’s Guide to Post-Quantum Readiness for simple, straightforward advice on ensuring your business doesn’t just survive in a post-quantum world, but thrives.