Prevent today’s encrypted data from becoming tomorrow’s treasure

You may think that encrypting data with today’s technology provides robust protection, and that even in the event of a data breach the information stays secure. But if your organization works with “long-tail” data, meaning data whose value lasts for years, you’re wrong.

Fast forward five to 10 years from now. Quantum computers, which use quantum mechanics to perform operations millions of times faster than today’s supercomputers, will have arrived and will be able to crack current ciphers in minutes. At that point, nation-state actors only need to load the encrypted data they have been collecting for years into a quantum computer, and within minutes they will be able to read any part of the stolen data in the clear. This type of “harvest now, decrypt later” (HNDL) attack is one of the reasons adversaries are now targeting encrypted data. They know they can’t decipher the data today, but they can tomorrow.

Even though the threat of quantum computing is a few years away, the risk exists today. It is for this reason that US President Joe Biden signed a national security memorandum demanding that federal agencies, defense, critical infrastructure, financial systems and supply chains develop plans to adopt quantum-resilient encryption. President Biden setting the tone for federal agencies is an apt metaphor: quantum risk needs to be discussed, and risk mitigation plans made, at the executive level (CEO and board).

Take a long-term view

Data from research analysts suggests that the typical CISO spends two to three years at a company. That tenure is potentially misaligned with a risk that is likely to materialize in five to 10 years. And yet, as we see with government agencies and a host of other organizations, the data you generate today can provide adversaries with tremendous value in the future, once they can access it. This existential problem is unlikely to be tackled by the person in charge of security alone. Because of its critical nature, it needs to be addressed at the highest level of business leadership.

For this reason, savvy CISOs, CEOs, and boards should address quantum computing risks together, now. Once the decision to adopt quantum-resistant encryption is made, the questions invariably become, “Where to start and how much will it cost?”

The good news is that it doesn’t have to be a painful or expensive process. In fact, existing quantum-resilient encryption solutions can run on existing cybersecurity infrastructure. But this is a transformational journey: the learning curve, internal strategy and project planning decisions, technology validation, and planning and implementation all take time, so it is imperative that business leaders start preparing today.

Focus on randomization and key management

The road to quantum resilience requires the engagement of key stakeholders, but it is practical and generally does not require ripping out and replacing existing cryptographic infrastructure. One of the first steps is to understand where all your critical data resides, who has access to it, and what safeguards are currently in place. Next, it is important to identify which data is the most sensitive and how long it retains its value. Once you have these data points, you can develop a plan to prioritize migrating data sets to quantum-resilient encryption.

Organizations need to weigh two key points when evaluating quantum-resilient encryption: the quality of the random numbers used to encrypt and decrypt the data, and key distribution. First, one of the vectors that quantum computers could use to crack current encryption standards is to exploit encryption/decryption keys derived from numbers that are not truly random. Quantum-strong cryptography uses encryption keys that are longer and, most importantly, based on truly random numbers so they cannot be hacked.

Second, the typical enterprise has multiple encryption technologies and key distribution products, and managing them is complex. As a result, to reduce key dependency, often only large files are encrypted or, even worse, lost keys leave large amounts of data inaccessible. It is imperative that organizations deploy enterprise-wide, high-availability encryption key management to enable encryption of a virtually unlimited number of smaller files and records. The result is a significantly more secure business.

Quantum-resistant encryption is no longer a “nice to have”. With each passing day, the risk increases as more encrypted data is stolen for future cracking. Fortunately, unlike quantum computing, it does not require huge investments, and the resulting risk reduction is almost immediate. Getting started is the hardest part.

About Mariel Baker
