IBM Security Architect Advises Post-Quantum Data Protection
Christiane Peters, a security architect for Benelux at IBM, warns that organisations must act quickly in carrying out post-quantum risk assessments and invest in post-quantum data protection at the right time.
There has been no shortage of news coverage around the rise of quantum computing, with experts across the board agreeing that the ‘post-quantum age’ is drawing ever closer. Despite this, some organisations are still unaware of the implications that quantum computers will have for their security systems.
Speaking at the EEMA ISSE 2018 cyber security conference in Brussels and covered in ComputerWeekly, Christiane Peters – a prominent security architect at IBM – has warned these organisations that they should not delay carrying out a post-quantum risk assessment to establish how secure they are against quantum attack. Changing cryptographic systems, she explained, takes time and money, so organisations must make the right investments at the right time.
Her advice came a matter of months after Arvind Krishna, Director of IBM Research, suggested that quantum computers could be capable of breaking today’s toughest security encryption in little more than five years. This means that, assuming organisations work on a 5-10 year upgrade cycle of their security systems, they will indeed need to begin planning for quantum-safe cryptography today.
What is a post-quantum risk assessment?
“A post-quantum data risk assessment,” Peters explained, “should include developing or updating existing crypto policies; creating an inventory of all systems and applications using cryptography; classifying data and mapping data flows; creating an enterprise-specific outlook and timeline for quantum safe crypto; and developing a post-quantum implementation strategy.”
Alongside the systems and applications that utilise cryptography, organisations should also look at auditing and securing their IoT devices that lie on the edge of their network. If data is left flowing between them unencrypted, they can provide cyber criminals with easy access to key systems and infrastructure.
While referencing the Ponemon Institute’s latest Cost of a Data Breach Survey, Peters explains that the business case for cryptography should also be addressed as part of the assessment as the results are likely to be persuasive: “The overall finding of the report is that investing in security and encryption in particular pays off in the longer term.”
Peters concludes with the thought that, in isolation, quantum-safe cryptography will not protect organisations – it needs to be part of a wider security strategy that includes certificate management, protection of data at rest and data loss prevention. “There is no silver bullet, but a combination of capabilities working together.”
The three pillars of quantum-safe security
From our perspective, transitioning to quantum-safe security to protect data in motion relies on three pillars. The first, acting as the cornerstone of security, is good random numbers, from which strong keys based on true randomness can be generated. Hardware-based Quantum Random Number Generators (QRNGs) are the perfect solution, providing full entropy and inherent security thanks to the fundamentals of quantum physics.
The second pillar is Quantum Key Distribution (QKD), which is designed to distribute the keys generated by a QRNG securely to different locations. The technology offers forward secrecy and is impervious to environmental perturbations, guaranteeing the security of the transmitted keys.
The third pillar, needed to bind the above together, is a set of Quantum Resistant Algorithms (also known as Post Quantum Algorithms) that are thought to be secure against attack by a quantum computer. Current algorithms used in symmetric cryptography are widely believed to be quantum-safe and should be integrated into a new framework.
Other algorithms related to public-key cryptography (such as lattice-based and code-based schemes) are still under investigation and can be securely upgraded as and when they are approved for use.