How post-quantum cryptography will help fulfill the vision of zero trust

Lost in the debate over if, or when, a quantum computer will decipher encryption models is the need for post-quantum cryptography (PQC) to become part of organizations’ tech stacks and zero-trust strategies. Enterprises need to follow the lead Cloudflare has taken and design PQC as a core part of their infrastructure, with the goal of extending zero trust beyond endpoints.

At this week’s RSAC 2023 event, VentureBeat delved into the current state of PQC and learned how urgent the threat of quantum computing is to encryption and national security.

Four sessions covered cryptography at the RSAC this year. The one that provided the most valuable insights was the Cryptographer’s Panel hosted by Dr. Whitfield Diffie, ForMemRS, Gonville and Caius College, Cambridge, with panelists Clifford Cocks, independent consultant; Anne Dames, IBM Infrastructure; Radia Perlman, Dell Technologies; and Adi Shamir, the Weizmann Institute, Israel.

Dr. Shamir is a noted authority on cryptography, having contributed research and theory in the area for decades. Dr. Shami says that he doesn’t believe quantum computing to be an immediate threat, but RSA or elliptic curve cryptography could become vulnerable to decryption in the future.

Anne Dames of IBM warned that enterprises need to start thinking about which of their systems are most threatened by potential rapid advances in quantum computing. She advised the audience that public key cryptography systems are the most vulnerable ones.

“Today, companies are facing AI- and machine learning-assisted crypto-attacks and other cryptographic threats that find vulnerabilities in software and hardware implementations,” writes Lisa O’Connor, managing director, Accenture Security, cybersecurity R&D, Accenture Labs. “If this weren’t worrisome enough, we’re one year closer to the breaking point of our 40-year-old cryptographic schema, which could bring business as we know it to a screeching halt. Quantum computing will break these cryptographic fundamentals.”

Harvest-now, decrypt-later attacks increasing 

The consensus of industry researchers, including members of government advisory committees interviewed at RSAC, predicts exponential growth in bad actors and advanced persistent threat (APT) groups that are funded by nation-states. They aim to crack encryption well ahead of the most optimistic estimates. Last year the Cloud Security Alliance launched a countdown to Y2Q (years to quantum) that predicts just under seven years until quantum computing will be able to crack current encryption.  

CISOs, CIOs and their teams must commit to continual learning about post-quantum cryptography and its implications on their tech stacks in order to block ”harvest-now, decrypt-later” attacks that are growing globally. 

“That’s an area [where] I feel like the market needs to be thinking about much more, and that’s where we’ve spent a fair amount of our resources, as well as what do you do today [as an organization to prepare]. So that when quantum does hit, you’re not compromised at that point in time,” Jeetu Patel, EVP & GM of security and collaboration business units at Cisco, told VentureBeat at RSAC this week.

Patel compared the deciphering of encryption to Y2K: “The difference between quantum and Y2K is on day one of Y2K, things flipped over.” All the work done on Y2K “was based on day one. Whereas … let’s say it takes 10 years to get [PCQ] to where it needs to be. Well, the bad actors have 10 years’ worth of data, and [they] can unencrypt all of that … after the fact.”

Veetu agreed that nation-states too are continuing to invest in quantum computing to crack encryption, shifting the balance of power in the process.

Cybersecurity and AI leaders serving on government task forces tell VentureBeat that threats to cryptographic systems and the authentication technologies protecting them are considered high-priority for national security. Initiatives to counter the threat are being fast-tracked.

The memorandum issued by the Executive Office of the President on May 4, 2022, “National Security Memorandum on Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems,” is a start. Secretary of Homeland Security Alejandro N. Mayorkas had outlined his cybersecurity resilience vision in a speech on March 31, 2021. NIST will release a post-quantum cryptographic standard in 2024.

Hacked encryptions’ first victim will be everyone’s identities 

PQC shows potential for strengthening the areas of zero trust network access (ZTNA) where attackers are always searching for weaknesses. Identity and access management (IAM), multifactor authentication (MFA), microsegmentation and data security are some of the areas where PQC can strengthen any organization’s zero-trust framework. 

CISOs tell VentureBeat that despite current economic headwinds, their best chance of getting funded is to build a business case for technologies that deliver measurable gains in protecting revenue and reducing risk. It’s a bonus if the technology investment further strengthens their zero-trust security posture. 

PQC is now part of the conversation, driven to board-level awareness by NATO and the White House recognizing post-quantum threats and preparing for Y2Q. Gartner predicts that by 2025, post-quantum cryptography risk assessment will be the top security issue that businesses will look for advice on.

The advisory firm cautions startups to concentrate on clearly communicating the business value and advantage their PQC systems deliver, or they risk running out of funding. “By 2027, 50% of the startups in the quantum computing space will go out of business because they focused on quantum advantage/supremacy over business advantage for clients,” writes Gartner in its research note, Emerging Tech: How to Make Money From Quantum Computing (client access required) published February 24 of this year.

“Trust is the factor that unifies zero trust architecture (ZTA) and PQC, writes Jen Sovada, president, public sector, SandboxAQ, in her recent article Bridging Post-Quantum Cryptography and Zero Trust Architecture. “Implementation of both will require trusted identity, access and encryption that wrap around next-generation cybersecurity architectures using continuous monitoring. Cryptography — and more importantly, cryptographic agility enabled by PQC — offers a foundation for ZTA in a post-quantum world.” 

PQC technologies’ potential for protecting identities is already showing, and that’s reason enough for CIOs and CISOs to track these technologies. While no one knows when a quantum computer will crack encryption algorithms, well-financed cybercriminal gangs and advanced persistent threat (APT) groups funded by nation-states have made it known they are all-in on attacking encryption algorithms before the world’s organizations, large-scale enterprises and governments can react. The urgency to get PQC in place is warranted because hacked encryptions would be devastating.  

How and where post-quantum cryptography will benefit zero trust 

Planning now to strengthen zero-trust frameworks with PQC will help to close the security gaps in legacy approaches to cryptography. Closing these gaps is core to a future of identity-based security scaling beyond endpoints and the machine identities proliferating across networks. 

PQC’s quantum-resistant algorithms will further harden the encryption technologies that zero trust’s reliability, stability and scale rely on. Closing these gaps also strengthens confidentiality, integrity and authentication. PQC secures data in transit and at rest, further strengthening zero trust. By enabling secure communication among organizations and systems, PQC will help build a zero-trust digital ecosystem. Interoperability ensures secure connections with partners, suppliers and customers even as technology changes.

Key areas where PQC will harden zero trust include identity and access management (IAM), privileged access management (PAM), microsegmentation, multifactor authentication (MFA), protecting log data and communications encryption, and data security, including protecting data at rest. The following table provides an overview of where PQC can contribute most by core areas of zero trust.

Conclusion 

Industry leaders advising the government on the risks of quantum computing tell VentureBeat that over 50 nations are today investing in the technologies needed to break authentication and encryption algorithms. Harvest-now, decrypt-later attacks are motivated by everything from financial gain (for example, on the part of the North Korean government) to government and industrial espionage, where new technologies under development are targeted.

CISOs and CIOs need to stay current on quantum computing threats and consider how they can capitalize on the momentum of zero trust to further harden their infrastructure with PQC technologies in the future.