Don’t Panic, Prepare: Start Your Journey to Post-Quantum Readiness

April 2, 2024 Kaitlin Harvey

Quantum Readiness

Don’t Panic.

The iconic words inscribed on the back cover of “The Hitchhiker’s Guide to the Galaxy” are a solid tip if your planet has been destroyed to make way for a hyperspace bypass (like Arthur Dent, the hapless protagonist, in Douglas Adams’ magnum opus).

It’s also sound advice for any InfoSec professionals grappling with post-quantum cryptography planning.

Well, we’re here to tell you there’s indeed no need to panic. There is, however, a dire need to prepare. But we also understand you don’t have the time to get entangled in lofty standards or erudite white papers. So, we’ve assembled some quick background and advice to help InfoSec professionals know where to start their journey to post-quantum readiness, translating all that post-quantum complexity into simple, straightforward…er…guidance.

Oh, the Enormity!

To again quote the irreverent Adams, “Space is big. You just won’t believe how vastly, hugely, mind-bogglingly big it is.” The same can be said for the potential advantages quantum computers are set to bring to society.

They may not be ideal for every kind of computing scenario, but quantum computers far outperform their classical counterparts in pharmaceutical research, financial modeling and climate change predictions. And while we can’t wrap our heads around the full potential of their positive impact, we know one thing for certain: they’ll also bring enormous cybersecurity risks. 

In some cases, they already are. But we’ll get to those. For now, let’s talk about the latest developments in quantum computing.

Engage the Quantum Accelerators

Quantum computers may not yet be strong enough to obliterate today’s cryptographic algorithms, but the industry made significant strides in the last two years. And it’s picking up momentum.

The rate of new quantum developments rose on an almost-monthly basis in 2023, and there was certainly no shortage in 2024, either. What with NIST announcing their first set of standards (FIPS 203, 204 and 205), and Shanghai cracking a 22-bit encryption key with a quantum computer, there were plenty of advancements to go around.

We can expect 2025 to follow a similar trend, with quantum readiness predicted to become the number one board-level cybersecurity topic, according to Kevin Bocek, Chief Innovation Officer at Venafi, a CyberArk Company. He says, “In 2025, post-quantum readiness will become boards’ hottest cybersecurity topic. This is a generational change in cybersecurity not just simply a Y2K event.”

It Must be Q-Day. I Could Never Get the Hang of Q-Day.

Arthur Dent was complaining about Thursdays in this iconic line, but Q-Day, unlike a Thursday, is something you can get the hang of with careful planning and preparation.

Here’s a quick preview of the projected Q-Day countdown that experts, like the Cloud Security Alliance, are forecasting. But much like our ever-expanding universe, this timeline is dynamic and evolving.

  • 2024-2026: Regulatory bodies standardize first round of quantum-resistant algorithms; certified libraries to begin implementing PQC.
  • 2027-2029: A huge vendor push expected as tech companies adopt NIST-approved algorithms.
  • 2030-2035: Q-Day dawns and Cryptographically Relevant Quantum Computers (CRQCs) break classic encryption. (But by starting your prep today, you’ll be ready long before then.)
  • Also in 2035: NIST deadline stating teams need to have completed their full post-quantum transition, as vulnerable, outdated encryption methods will be deprecated.

67% of InfoSec leaders dread quantum questions. 78% will “deal with it” later.

In a 2024 research report gauging readiness for 90-day TLS certificates, we surveyed 800 security leaders about their current sentiments on the migration to quantum-resistant cryptography. Two camps emerged: dread and denial.

  • 67% of InfoSec professionals dread the day their board asks about post-quantum planning, as they currently don’t know where all their keys and certificates are stored.
  • 78% say that if a quantum computer capable of breaking encryption is built, they will “deal with it then.”
  • 60% say quantum computing doesn’t present a risk to their business today or in the future.

These are some rather alarming sentiments, but there’s no need to fret. You do still have some runway.

Regardless, any industry handling confidential, private or customer information should start planning sooner rather than later. And even if you’re not in a high-risk sector, it’s not a bad idea to start preparing today—radical shifts in encryption take a lot of time, as the SHA-1 deprecation showed.

You’ve Told Me to Prepare 42 Times Now. Prepare for What, Exactly?

Organizations, no matter what industry, will need to solve the same set of quantum-era cryptographic attack problems.

  • Steal now, decrypt later attacks: Threat actors are already harvesting encrypted data, storing it and planning to decrypt it when CRQCs become available.
  • Unauthorized code execution: Without a resilient code signing operation, internal software faces a greater risk of ransomware, malware, zero-day exploits and other tampering.
  • TLS protocol transition: To deny others the ability to read, modify or intercept data—or impersonate your business—TLS protocols must be transitioned to NIST-approved, quantum-resistant algorithms.
  • Active protection of data and code in use: Data and code that’s currently being accessed and processed must also be protected.

Solving all these challenges relies on a secure bedrock of machine identities—and robust machine identity security. That’s your key to quantum victory, and it’s also a crucial cornerstone of the 3-step framework recommended by regulatory bodies like NIST, ETSI, ENISA, AIVD and BSI.

Your 3 Steps to Quantum Victory

PQC diagnosis

Your first step is to inventory all machine identities (like TLS certificates, SSH keys and code signing credentials), their protocols and the apps that use them.

Planning the migration

Next, you should plan, prioritize and test migration for critical machine identities, and all associated apps, to protocols or schemes leveraging PQC algorithms.

Execute the migration

Don’t you love it when a plan comes together? Here, you’ll decide on timing and execute the migration of critical machine identities and associated apps.
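As an added example (not code from the original post or from CyberArk/Venafi), the script below works through steps 1 and 2 on a constructed inventory export: it parses a hypothetical CSV layout that a discovery tool might produce, classifies each identity’s algorithm as quantum-vulnerable (RSA, ECDSA and other schemes Shor’s algorithm breaks) or PQ-safe (ML-KEM, ML-DSA and SLH-DSA from FIPS 203, 204 and 205), and ranks migration priority against the threats listed earlier: steal-now-decrypt-later exposure for data that must stay secret past Q-Day, and code-signing keys whose signatures must remain trustworthy past it. The column names, the sample identities and the 2030 Q-Day horizon (the start of the 2030-2035 window above) are assumptions.

```python
"""Quantum-risk triage of a machine-identity inventory.

Added example, not code from the original post or from CyberArk/Venafi. It assumes a
discovery tool has already exported identities as CSV in this hypothetical layout:
    name,kind,algorithm,expires,protect_years
where protect_years is how long data encrypted or artifacts signed under the identity
must stay secret or trustworthy.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed sample export covering TLS, SSH and code-signing identities.
SAMPLE_EXPORT = """\
name,kind,algorithm,expires,protect_years
api.example.test,tls,RSA-2048,2025-09-01,15
ci-deploy-key,ssh,Ed25519,2030-01-01,0
release-signer,codesign,ECDSA-P256,2028-06-30,10
edge-proxy,tls,X25519MLKEM768,2026-03-01,15
firmware-signer,codesign,ML-DSA-65,2034-12-31,10
legacy-appliance,tls,PROPRIETARY-KEX,2027-01-01,5
"""

# Assumed Q-Day horizon: the earliest year of the 2030-2035 CRQC window.
Q_DAY_YEAR = 2030

# Public-key families that Shor's algorithm breaks once a CRQC exists.
SHOR_VULNERABLE_PREFIXES = ("RSA", "ECDSA", "ECDH", "DH", "DSA",
                            "ED25519", "ED448", "X25519", "X448")
# Algorithms from FIPS 203 (ML-KEM), 204 (ML-DSA) and 205 (SLH-DSA). A hybrid such as
# X25519MLKEM768 counts as safe because its ML-KEM half alone resists a CRQC.
PQ_SAFE_MARKERS = ("ML-KEM", "MLKEM", "ML-DSA", "MLDSA", "SLH-DSA", "SLHDSA")


@dataclass(frozen=True)
class Finding:
    name: str
    kind: str
    algorithm: str
    status: str    # "pq-safe" | "quantum-vulnerable" | "unknown"
    priority: str  # "high" | "medium" | "low" | "none"
    reason: str


def classify_algorithm(algorithm: str) -> str:
    """Map an algorithm label to its post-quantum status (PQ markers checked first)."""
    label = algorithm.upper().replace("_", "-")
    if any(marker in label for marker in PQ_SAFE_MARKERS):
        return "pq-safe"
    if label.startswith(SHOR_VULNERABLE_PREFIXES):
        return "quantum-vulnerable"
    return "unknown"


def migration_priority(kind: str, status: str, expires: date, protect_years: int,
                       today: date) -> tuple:
    """Decide migration order for one identity (step 2 of the framework)."""
    if status == "pq-safe":
        return "none", "already on a FIPS 203/204/205 algorithm"
    if status == "unknown":
        return "medium", "algorithm not recognised; confirm with the owning team"
    # Quantum-vulnerable: rank by how long its protection must outlive Q-Day.
    if today.year + protect_years >= Q_DAY_YEAR:
        if kind == "codesign":
            return "high", "signed artifacts must stay trustworthy past Q-Day"
        return "high", "steal-now-decrypt-later: data must stay secret past Q-Day"
    if expires.year >= Q_DAY_YEAR:
        return "medium", "still in service at Q-Day; rotate before then"
    return "low", "expires before Q-Day; migrate at renewal"


def parse_inventory(text: str) -> list:
    """Step 1: load the discovery export into typed rows."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "name": row["name"],
            "kind": row["kind"],
            "algorithm": row["algorithm"],
            "expires": date.fromisoformat(row["expires"]),
            "protect_years": int(row["protect_years"]),
        })
    return rows


def assess(rows: list, today: date = date(2024, 4, 2)) -> list:
    """Classify and rank every identity; default 'today' is the post's publication date."""
    findings = []
    for r in rows:
        status = classify_algorithm(r["algorithm"])
        priority, reason = migration_priority(r["kind"], status, r["expires"],
                                              r["protect_years"], today)
        findings.append(Finding(r["name"], r["kind"], r["algorithm"], status, priority, reason))
    order = {"high": 0, "medium": 1, "low": 2, "none": 3}
    return sorted(findings, key=lambda f: order[f.priority])  # stable: export order kept within a tier


def summarize(findings: list) -> dict:
    """Count identities per migration priority for the board-level view."""
    counts = {"high": 0, "medium": 0, "low": 0, "none": 0}
    for f in findings:
        counts[f.priority] += 1
    return counts


if __name__ == "__main__":
    ranked = assess(parse_inventory(SAMPLE_EXPORT))
    for f in ranked:
        print(f"{f.priority:6} {f.name:18} {f.kind:9} {f.algorithm:16} {f.status:19} {f.reason}")
    print(summarize(ranked))
```

Run it directly to print the ranked list and the per-priority counts. In practice, replace SAMPLE_EXPORT with your own discovery tool’s export and keep the two algorithm tables under version control: being able to add a newly broken or newly approved algorithm in one place, and re-run the triage the same day, is the crypto-agility the rest of this post argues for.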

Machine Identity Discovery: InfoSec’s Largest PQC Concern

When asked about their greatest concerns related to post-quantum readiness, 86% of InfoSec teams said taking control of keys and certificates is the best way to prepare for future quantum risks. But in the research referenced above, they also reported experiencing challenges with the discovery and inventory of machine identities—and that’s without quantum computers in the picture.

We asked Faisal Razzak, one of our resident PQC experts, to weigh in on these findings. He deemed them unsurprising, because most companies are still at Step 1, the diagnosis (or discovery and inventory) stage. Razzak also emphasized that automation is an equally (if not more) critical piece of the puzzle.

“The scale of machine identities involved in a PQC migration will be massive, and automation a necessity. It’s also vital for assuring crypto-agility, which enables your machine identity security to turn on a dime in case of large-scale events, such as widespread cryptographic vulnerabilities.” – Faisal Razzak, Group Manager, Post Quantum & Secure Software Supply Chain Initiatives

Remember: Don’t Panic, Prepare. You’ve Got This.

The post-quantum timeline is dynamic and evolving, but if you begin taking stock of your machine identities, you’re already well on your way.

And if you haven’t started yet, don’t worry. Because you can rely on us as your trusted partner in the PQC migration process. Through centralized, automated machine identity security, you can:

  • See all machine identities: Discover and monitor all certificates that you are currently using, their health and their cryptographic status.
  • Build consistent parameters: Define and enforce policies using automation and approval workflows.
  • Stay operational: Reduce downtime with a fast, automated service that scales.
  • Work the way you want: Choose the best post-quantum approach for your specific business requirements.

Kaitlin Harvey is digital content manager for machine identity security at CyberArk. 

 

 
