Why Migrating to PQC is No Slam Dunk
Enterprises intent on securing their data and communications are choosing quantum-resistant encryption. For entities aiming to maximize these cybersecurity efforts, quantum-based cryptography is the future. This next-generation quantum-enabled technology will become vital as cybercriminals begin to deploy quantum computers to crack classical encryption methods, rendering them obsolete.
Leaders seeking to shield themselves and their companies from quantum attacks are already reviewing the post-quantum encryption algorithms recommended by The National Institute of Standards and Technology (NIST) designed to defeat cracking attempts powered by quantum computers. However, enterprises seeking to migrate to post-quantum cryptography (PQC) may find it far more challenging than expected.
Maëva Ghonda, Head of Quantum Risk Management and Governance at the Quantum AI Institute, recently underscored this idea, stating: “I have personally experienced the many unpredictable challenges of massive migration of IT systems to new cybersecurity protocols to mitigate cyber risks for a corporate board level initiative at a large multinational enterprise. Many unexpected challenges arise when migrating the enterprise to new cybersecurity protocols. A rushed deployment of new cybersecurity systems and tools will inevitably lead to many security vulnerabilities that will be exploited.”
The Heavy Lifting
Earlier this week, SoftBank Corp. announced that it had created a successful hybrid approach to PQC implementation to ease this process. The company collaborated with SandboxAQ to combine classical encryption algorithms with post-quantum cryptography algorithms. Even with this, implementing PQC upgrades will be a lengthy process for many enterprises due to the numerous devices and information systems that rely on encryption.
The solution will be to migrate to the newer PQC algorithms in a more modular, crypto-agile manner so that the algorithms may be adjusted as needed. However, the migration process presents enterprises with another significant issue: finding the location of the encryption code in the current infrastructure. Leading cryptography security firm SandboxAQ has sought to solve this problem with an AI Discovery Engine that can locate all the locations where a company has employed encryption, a crucial piece of technology they possess. The company is currently employing its AI Discovery Engine to conduct encryption inventories at banks, pharmaceutical firms, government organizations, and telecom firms.
Mike Brown, Principal at Polar Analysis, a premiere consultancy that helps organizations understand threats to their cryptographic infrastructure, recently remarked: “cryptography is a necessary part of the security that enables business. The quantum threat to cybersecurity and the cryptographic changes that NIST is standardizing means that all companies will inevitably have to migrate toward PQC. Large businesses could expect to spend up to a decade on this transition, so it is essential to start preparation today.”
Promoting PQC Education
Since enterprises are finding migration to PQC to be a steep learning curve. Consequently, cybersecurity companies are finding it necessary to provide in-depth information to enterprises about the emerging quantum threat, the need for PQC implementation in enterprises, the migration process and timetables, and recommendations for what to prioritize.
Companies like SandboxAQ are sponsoring webinars and conference presentations related to the topic. Highly respected PQC experts Mike Brown, cited above, are also making the rounds. Brown reveals what he considers optimal quantum-safe cybersecurity solutions at cybersecurity events like the upcoming Quantum Safe Cybersecurity Summit.
Fortunately, many enterprises are becoming proactive about the need for PQC. According to a new Zapata Computing survey report, 65% of respondents are extremely or very concerned about PQC, and 63% of respondents are actively working with a vendor to prepare for PQC.
In Conclusion
Since PQC is still in its infancy, enterprise adopters are leery of implementing a paradigm that might not be the best for their security needs in the long run. And since post-quantum technology is still in its infancy, it’s impossible to predict which hardware architecture will dominate. However, enterprises don’t have the luxury of waiting.
While companies like SandboxAQ are finding innovative ways to facilitate this migration process, many enterprises may find that simply educating themselves on the many PQC options available to them. Fortunately, the market is responding to these concerns.
