Sc Awards
Header image

The Quantum Storm in a Teacup

Just because adversarial quantum computing poses no risk today doesn't mean you should not future-proof systems that may still be in service a decade from now.

You’re more likely to read that aliens have landed in tomorrow’s papers, than that a quantum computer has cracked today’s encryption and machine identities. This isn’t to say that the quantum risk isn’t real – it is. But we are a long way off having a quantum computer that will bring our digital world to a standstill. All this handwringing and panic is very premature.

When that time does come, he decisions about what new form of quantum resistant algorithm will usurp our current system of encryption and machine identity will be made in the bowels of international governments. The task of then building those algorithms into clouds and applications will fall to Silicon Valley. The average enterprise – and I include major global banks and defence organisations in this – will not be the ones redesigning these algorithms.

Yet what we will all need to do is adapt to the new regime by changing your machine identities. This means getting a grip on what machine identities you have, where and how they are being used, and having the means to control and replace them with the updated quantum resistant versions; whatever they may be. And this is where businesses should be focusing their attentions in the near-term.  

Crypto is not your problem

Let’s be clear. The threat to public key encryption from quantum computing is a real one. One day, quantum computers will solve the mathematical problems on which asymmetric cryptography is based in the blink of an eye. Yet the type of threats we anticipate this creating is not in the land of data encryption. Instead, the cryptographic assets that secure our system of machine identities – the SSH, TLS, SPIFFE, Code signing and other types of identities they underpin – will be the likely targets.

When this happens – which is likely to be decades from now – our machine identities could be easily spoofed and that could create chaos in global markets. We would no longer be able to trust the software, services, and hardware we have become entirely reliant on.  But this isn’t your problem to solve.  

While NIST has led the way in urging organizations to prepare for a post-quantum world, having released the first four quantum-resistant algorithms, it’s ultimately not a crypto problem that businesses need to be concerned about. There is no point in businesses debating and lamenting the merits of one algorithm, versus another – someone else far higher up the digital food chain will make that decision and it will be weaved into the new digital fabric regardless of your opinion on the topic.

No IT team is going to start tinkering with load balancers, cloud services and web servers. That’s the job of the vendors themselves, who’ll be at the leading edge of quantum migration. Businesses don’t need to worry about the detail; all the software, services, tools and libraries you use will allow you to migrate really easily – it will all get baked in.

So, what should businesses be focusing on?

Quantum is likely the least of your worries

NIST’s recent special publication (PDF) on the topic attests: “It is critical to begin planning for the replacement of hardware, software, and services that use affected algorithms now, so that data and systems can be protected from future quantum computer-based attacks.” 

The best way to do this is by having a real-time observability of all the machines you are using – be that hardware, software or services – and the identities associated with them that may need to be replaced in the future. This involves asking questions such as, “do I have visibility into all my apps and machine identities?” If the answer to this is “no,” you have a far more serious and immediate risk to contend with.

Machine identities are foundational to our global digital economy. If not looked after properly, they can be stolen, forged, spoofed, enabling an attacker machine to impersonate a legitimate enterprise machine, and thus be trusted with sensitive data. They can be misused on enterprise networks to hide malicious activity and enable privileged access to data and systems. And if not properly managed, they can expire, causing serious outages that critically impair the customer experience and business operations. These are the imminent threats that are hurting businesses around the world right now.

Looking ahead, these are the same machine identities that will eventually need to be swapped out once quantum decryption becomes a reality. Getting a deeper understanding of them now will make migration to quantum encryption much easier down the line.

Get it right today and you’ll be ready for tomorrow

So, let’s put things in perspective. Quantum computing is a long way away, but it should be part of a businesses risk planning. Assuming responsibility for managing machine identities and patching software to make it quantum safe will be central to this.

There’s no better way to do so than via a control plane. A control plane provides automated, continuous visibility and control of the entire enterprise machine identity ecosystem. This gives businesses the ability revoke and update machine identities automatically,  helping to accelerate digital transformation, reduce security risks, and eliminate revenue-impacting machine identity related outages. Even better, the same platform will help organizations transition more easily to a post-quantum era, by enabling businesses to identify, revoke and reissue new machine identities that align with new quantum-resistant algorithms.

If the CEO asks what the enterprise is doing with its post-quantum safety efforts, focus on what matters today – readying yourself by automating machine identity management and understanding your applications. Ultimately, if you're doing what you should be today, you can add value in the short term, while also preparing for the unknown implications of the post-quantum world.  

Kevin Bocek VP of Ecosystem and Community Venafi

Kevin Bocek is responsible for security strategy and threat intelligence at Venafi. A 16-year cybersecurity veteran, Bocek boasts past leadership roles at RSA Security, Thales and CipherCloud. Today he focuses on shaping security strategies and identifying threats, particularly in protecting machine identities and securing digital communications.

Kevin Bocek VP of Ecosystem and Community Venafi

Kevin Bocek is responsible for security strategy and threat intelligence at Venafi. A 16-year cybersecurity veteran, Bocek boasts past leadership roles at RSA Security, Thales and CipherCloud. Today he focuses on shaping security strategies and identifying threats, particularly in protecting machine identities and securing digital communications.

Upcoming Events

No events found.
Sc Awards