Post-Quantum Security: Have You Started Your Journey?
The European Policy Centre published a quantum cybersecurity agenda for Europe in July 2023. This is yet another example of raising awareness and issuing calls to action for post-quantum security preparations. It follows the World Economic Forum and Deloitte issuing a perspective on transitioning to a quantum-secure economy in 2022. Also in late 2022, President Biden signed the Quantum Computing Cybersecurity Preparedness Act, bipartisan legislation that prioritizes federal agencies’ migration to post-quantum cryptography. Has your organization begun post-quantum security planning?
Andras Cser, Sandy Carielli, and I published our Security Guide To Quantum Computing report in April 2023, highlighting the current trajectory of quantum computing as well as the implications for security and cryptography. We also outlined an approach for post-quantum security preparations and for implementing cryptographic agility across a people, technology, and process framework. A few selected considerations as you prepare:
- Map out the encryption and assess the value of your sensitive data. Understand what data you have today, how sensitive this data is, an estimation of this data’s long-term value, how this data flows, and how you currently protect it. Understand the scope of encryption in use within your environment. This is where cryptographic discovery and inventory can help provide visibility and a foundation for your quantum and crypto agility risk assessment.
- (Re-)design infrastructure for cryptographic agility. Not everyone has confidence in the post-quantum algorithms — it’s telling that one of the NIST candidates was broken shortly after it was promoted to Round 4. Focus on making algorithms easily maintainable and replaceable. This can involve modular design and plugins in your cryptographic code, as well as the use of cryptography-as-a-service offerings and cryptographic agility providers to support your rework.
- Form teams to query commercial and open source software suppliers on an ongoing basis. The software you use will contain quantum-vulnerable cryptographic algorithms. You’ll need people responsible for maintaining a dialogue with your vendors on this topic, including obtaining software update timelines and asking about algorithm choices.
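To make the first consideration concrete, here is an added example (not code from the Forrester report or this post) that turns a constructed cryptographic inventory into a migration priority list: each system is scored by the sensitivity of its data and how many years that data must stay protected, but only if it still relies on a public-key algorithm family that a large quantum computer would break. The record format, sensitivity weights and 15-year saturation cap are assumptions chosen for illustration.

```python
"""Quantum-risk prioritisation over a constructed crypto inventory (illustrative only)."""
import csv
import io
from dataclasses import dataclass
from typing import List, Tuple

# Public-key families whose security rests on factoring or discrete logs,
# i.e. the ones Shor's algorithm breaks. Symmetric ciphers and hashes are
# deliberately out of scope for this score.
QUANTUM_VULNERABLE = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "X25519", "X448", "ED25519", "ED448"}
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 3, "regulated": 5}  # assumed weights
MAX_YEARS = 15  # assumed cap: lifetimes beyond this saturate the score


@dataclass
class Asset:
    system: str
    data_class: str
    lifetime_years: int          # how long the data must remain confidential/authentic
    algorithms: Tuple[str, ...]  # algorithms observed protecting this system's data


def vulnerable_algorithms(asset: Asset) -> List[str]:
    """Return the quantum-vulnerable algorithms in use, by family prefix (e.g. 'RSA-2048' -> 'RSA')."""
    return sorted(a for a in asset.algorithms if a.upper().split("-")[0] in QUANTUM_VULNERABLE)


def risk_score(asset: Asset) -> int:
    """Sensitivity x protected lifetime, but zero if nothing quantum-vulnerable protects the data."""
    if not vulnerable_algorithms(asset):
        return 0
    return SENSITIVITY[asset.data_class] * min(asset.lifetime_years, MAX_YEARS)


def parse_inventory(text: str) -> List[Asset]:
    """Parse a CSV inventory export; 'algorithms' is a ';'-separated list."""
    assets = []
    for row in csv.DictReader(io.StringIO(text)):
        algs = tuple(a.strip() for a in row["algorithms"].split(";") if a.strip())
        assets.append(Asset(row["system"], row["data_class"].lower(), int(row["lifetime_years"]), algs))
    return assets


def prioritise(assets: List[Asset]) -> List[Tuple[int, str, List[str]]]:
    """Highest-risk systems first; low scorers still list what must eventually be swapped."""
    return sorted(((risk_score(a), a.system, vulnerable_algorithms(a)) for a in assets), reverse=True)


# Constructed sample inventory (not real systems).
SAMPLE_INVENTORY = """system,data_class,lifetime_years,algorithms
hr-archive,regulated,30,RSA-2048;AES-256-GCM
public-website,public,1,ECDSA-P256;X25519
payments-api,confidential,7,ECDH-P256;RSA-3072;AES-128-GCM
log-signing,internal,2,ED25519
"""

if __name__ == "__main__":
    for score, system, vuln in prioritise(parse_inventory(SAMPLE_INVENTORY)):
        print(f"{score:>3}  {system:<15} {', '.join(vuln) or '-'}")
```

Note that the public website uses two vulnerable algorithms yet scores zero, while the long-lived HR archive tops the list: the inventory alone tells you what to replace, but the data's sensitivity and lifetime decide what to replace first.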
I’m excited to say that Andras, Sandy, and I are teaming up once more to collaborate on a new stream of research that aims to dive deeper into specific aspects of post-quantum security preparations — in other words, research for helping organizations take the next steps to bring their plans to life!
If you have started on this path of thinking about how your organization might get ready for post-quantum security, we’d love to chat to exchange ideas! Drop me a note at hshey@forrester.com. We keep research interviews anonymous. As a thank you for participating in this research, we’d be happy to share a copy of the final research (or if you’d prefer not to wait, we can share a copy of the initial piece of published research mentioned at the beginning of this blog post — the Security Guide To Quantum Computing).