Planning for Post Quantum for Enterprises

Quantum computing provides exciting opportunities for incredible leaps forward in processing data and the technological advancements it can bring. Unfortunately, it also provides catastrophic challenges from a cyber security perspective. Many of the systems we use for user authentication and encryption are expected to be vulnerable in a post quantum computing environment. The advanced processing ability will make decrypting files and breaking shared secrets for authentication much easier and cheaper. These are the backbone elements of every enterprise’s cyber security strategy. Consider what happens if all internet traffic that currently travels encrypted point to point can be decrypted by anyone who captures it. For an enterprise, this means trade secrets, customer and pricing information, and financial information becoming instantly public information. Attackers will be able to capture user credentials and access accounts. This will likely be the largest disruption to cyber security we have ever experienced.

It is not reasonable for each enterprise to develop their own post quantum solutions, but there are planning steps that can be taken. Enterprises will continue to rely on major hardware and software vendors for new solutions, but enterprises cannot just wait for solutions to become available. The vendors relied upon for operating systems, security devices, software, and other technology resources will undoubtedly play a huge role, but enterprises need to be preparing for how those changes will be implemented in their individual environments.  Many vendors are touting quantum safe solutions, but if those solutions do not operate with the rest of an enterprise’s system, they provide little to no value. At this point, every enterprise should be identifying and inventorying their systems, assessing the potential impact on each system, and planning for alternatives and updates. 


Public Certificates

Some of the first impacts will likely be seen related to digital certificates purchased from publicly trusted certification authorities (CAs). These certificates are most often used for Transport Layer Security (TLS) connections, and are most common between an enterprise’s website and customers. They are also used to sign software code that will be delivered to customers and trusted by the customer’s operating systems, and to enable secure email through Secure/Multipurpose Internet Mail Extensions (S/MIME). The basis for these certificates is to establish trust between an organization and external parties.

Since that external party can be either known or unknown, these certificates must be trusted publicly and therefore come under a high level of industry regulations and scrutiny.  The public CAs that offer these certificates and the web browsers and software designers that trust these certificates are monitoring developments closely. They will likely be some of the first parties to push regulations. New regulations must be tempered and not be rolled out so fast they break all the connections they are attempting to secure. 

Public CAs are performing a lot of the planning for post quantum changes, but enterprises need to be prepared for their role in the process.  The webservers operated by enterprises are responsible for generating keys used for authenticating the website and encrypting the traffic. Enterprises need to inventory all webservers, email systems and other systems that interface with public certificates. The algorithms accepted by these systems need to be inventoried to allow the enterprise to track when updates are required based on new algorithms being put in place.  Updates will likely need to be deployed quickly to minimize downtime.  Systems that are not supported for updates will likely need to be replaced. 

Separate from quantum computing, public certificates are expected to see their lifecycles shortened significantly in the next few years. This is especially true for TLS certificates. Inventorying these systems and developing automated tooling to manage the certificate lifecycle will help enterprises be better prepared for whatever changes come their way. 


Internal Systems

Internal systems impacted by vulnerabilities from quantum computing are more difficult, because they are likely greater in number and will not benefit from direct support from public CAs. Enterprise systems that will become vulnerable can include VPN connections to remote devices, single sign on tooling, and database encryption software, just to name a few. These systems can also include physical security devices, such as badge readers and security cameras. While these systems are not always externally facing, they are a critical part of the enterprise’s defense in depth approach to cybersecurity. Enterprises should start with inventorying all systems that utilize encryption or authentication mechanisms, especially focused on those with key pairs and shared secrets.

Just as with systems that utilize public certificates, internal systems will need to be updated to utilize new algorithms in a post quantum environment. Assessing the risk involved with each system will help enterprises prioritize the criticality of updates. Dataflow diagrams will help enterprises determine which systems interact with each other. System to system authentication is often overlooked, but is critical to operations. Data flows between different systems within an enterprise will likely be impacted by updating required algorithms, and those updates could break connections. Enterprises need to consider risks related to security and availability when evaluating systems. Some systems might be behind enough layers of security and not critical for immediate updates. These systems also might not support updates as easily.

Most enterprises are not at the stage to test new quantum computing safe algorithms and develop corresponding hardware and software. As always, vendors will play a significant role in the process of preparing for a post quantum time. Maintaining an inventory of vendors and the points of reliance will be critical to an enterprise’s strategy. Major vendors that provide operating systems, significant security systems, and cloud services are likely top of mind, but enterprises will need to dig deeper. Consider backup vendors that encrypt files, copiers and printers, and hardware vendors. Hardware that is not configured to support new algorithms could bring operations to a grinding halt. Hardware has integrated features for disk encryption and boot processes. These systems will likely not be easily updated for new algorithms, because keys can be burned into the chips.

Once an enterprise completes a full inventory and the risk to each system has been assessed, an enterprise will need to evaluate the strategy to address each system. Vendor supplied patches might be an easy solution, but will need to be applied as connecting systems are made compatible. Internally developed systems might require custom updates, and some systems might need to be replaced.  For those systems that cannot be updated, consider looking to a vendor that can supply supplemental systems to add post quantum support to legacy systems. These solutions will become more popular as some enterprises determine which systems are inflexible, for the time being. 
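
The data flow concern raised above (algorithm updates breaking system to system connections, and patches having to wait until connecting systems are compatible) can be checked against the inventory before any change is made. The following is an added example, not part of the original article; the system names, data flows and algorithm labels are constructed for illustration.

```python
"""Added example: which data flows break when one system stops accepting classical algorithms."""

# Public-key families expected to be broken by a large quantum computer.
CLASSICAL = ("RSA", "ECDSA", "ECDH", "DH")

def is_quantum_vulnerable(alg):
    return alg.upper().startswith(CLASSICAL)

# Constructed inventory: hypothetical systems and the algorithms each accepts.
INVENTORY = {
    "sso":          {"RSA-2048", "ECDSA-P256", "ML-DSA-65"},
    "vpn-gateway":  {"RSA-2048", "ML-DSA-65"},
    "hr-database":  {"RSA-2048", "ECDSA-P256"},
    "badge-reader": {"RSA-2048"},  # assumption: key burned into hardware
}
# Constructed data flows, as read off a dataflow diagram.
FLOWS = [("vpn-gateway", "sso"), ("sso", "hr-database"),
         ("badge-reader", "sso"), ("badge-reader", "hr-database")]

def assess_flow(inventory, a, b):
    """Classify one connection by the algorithms both ends accept."""
    shared = inventory[a] & inventory[b]
    if not shared:
        return "broken"
    if all(is_quantum_vulnerable(x) for x in shared):
        return "classical-only"
    return "pqc-ready"

def flows_broken_by_cutover(inventory, flows, system):
    """Flows that lose every shared algorithm if `system` accepts PQC only."""
    after = dict(inventory)
    after[system] = {x for x in inventory[system] if not is_quantum_vulnerable(x)}
    return [(a, b) for a, b in flows
            if system in (a, b) and assess_flow(after, a, b) == "broken"]

def cutover_plan(inventory, flows):
    """Per system: needs an update itself, is blocked by peers, or is ready."""
    plan = {}
    for system, algs in inventory.items():
        if all(is_quantum_vulnerable(x) for x in algs):
            plan[system] = ("needs-update", [])
            continue
        broken = flows_broken_by_cutover(inventory, flows, system)
        peers = sorted({b if a == system else a for a, b in broken})
        plan[system] = ("blocked" if peers else "ready", peers)
    return plan

if __name__ == "__main__":
    for name, (status, peers) in cutover_plan(INVENTORY, FLOWS).items():
        print(f"{name}: {status} {peers}")
```
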

After inventorying systems and assessing risk, enterprises should begin developing and testing plans to move to quantum safe algorithms, also known as post quantum cryptography (PQC). The National Institute of Standards and Technology (NIST) has laid a lot of groundwork and narrowed the list of recommended PQC algorithms to a few promising options. While the list is still being scrutinized, enterprises can begin testing methods to change key pairs and deploy updates in an efficient manner. The exact changes we will need to make to be prepared for a post quantum world are still unknown, but understanding what systems require changes and testing the process to make those changes will put every organization in the best position to respond quickly.

Hybrid certificates, which have both a current key pair, such as RSA keys, and PQC keys, are gaining popularity as a transition tool. These certificates allow for multiple signature algorithms. This allows enterprises to still rely on traditional algorithms, while testing quantum safe algorithms. These certificates might allow organizations to test their readiness while not taking down systems in the process. This will also allow for testing various PQC algorithms while the industry is still evaluating various options.


Conclusion

The two biggest takeaways in preparing for PQC are know your enterprise and remain flexible. All enterprises should consider a three-step approach to knowing their environment. They should identify/inventory, assess risk, and plan for remediation of the assessed risks. The identify and inventory process should not be taken lightly, because it will lay the groundwork for preparing the enterprise. There are several organizations looking to sell quantum safe solutions, but if those do not function within your enterprise profile, it could make for a long and expensive process. Make sure you work to understand your entire organization before implementing changes.

In December 2023 a significant vulnerability was discovered in a leading quantum safe suite algorithm, CRYSTALS-Kyber (Cryptographic Suite for Algebraic Lattices). This vulnerability does not impact the underlying encryption math, but rather the implementation. This is a good example of why an enterprise needs to remain flexible. Developing new technology will be bumpy, and new patches and fixes will be required frequently. The ability to flex between multiple algorithms and implementations will allow an enterprise to adapt to the quickly changing environment.