You Have Your Digital Trust Fundamentals in Place. What Now?
Quantum computing is ushering in a new cryptographic era. Every organization needs to start building a bridge from the encryption standards of today to the post-quantum technologies of tomorrow. Planning a well-prioritized, well-budgeted roadmap is key to managing the transition with minimal business interruption.
Digital Trust Is the Foundation for Every Business.
Cryptography is the ultimate line of defense that protects your organization’s most sensitive information. It enables trust in the digital identity of your systems and users. And it enables everything that makes the internet useful, from private emails to financial transactions. These are powered by cryptographic algorithms that scramble your data so that only intended parties can read it.
But a few years ago, new mathematical methods weakened the cryptography most organizations rely on. And these new methods run extremely well on quantum computers. So, in the not-too-distant future, quantum computers may be able to crack the algorithms underlying public key infrastructure, putting the very roots of digital trust at risk.
Business leaders urgently need to grasp the risks their organization faces, and implement effective safety solutions.
In the first article in our CEO’s Guide series, we explored the risk side of the equation. We looked at what bad actors can do once quantum computers mature, and discussed the fundamental elements of digital trust that organizations need to have in place. In this second part, we delve deeper into how organizations can shield themselves from the widespread disruption that quantum computing may bring.
Quantum Is Closer Than You Think
Like all transformational technologies, quantum will not arrive with the flip of a switch. The machines are still some years away from general use. Some people may look at the current state of quantum computing and decide they can afford to wait until the technology has matured, and the industry has decided on the universal best way forward.
That would be a mistake.
While a new generation of quantum-safe algorithms will soon be available, the transition to post-quantum cryptography (PQC) will take time. There will be difficult problems to solve before you are ready to implement them in your organization. The closer you get to your current cryptographic methods becoming outdated, the harder it will be to catch up and implement the necessary changes without major disruptions to your business.
Meanwhile, you are a sitting duck for cybercriminals looking to exploit weak spots in your digital trust armor.
Another reason to move early? Being quantum-safe is going to be a key differentiator. We are already seeing requirements around this for those doing business with government entities. So, how prepared is your organization to meet these emerging standards?
From Here to Crypto-agility
Right now, we are not sure which of the many PQC algorithms will make it through the standardization process. Your digital suppliers won’t gamble on one specific algorithm, since it is impossible to predict which one will eventually emerge as the industry standard.
The best approach is to plan for crypto-agility. This is the ability to smoothly switch from one way of doing encryption to another, without making significant changes to the system’s infrastructure or exposing your organization to unacceptable business continuity risks.
Crypto-agility allows you to protect your applications with classical and quantum-inspired cryptographic algorithms today, and swap in more powerful post-quantum cryptography tomorrow.
How do you build a crypto-agile organization like this? The following framework will help you plan, manage, and budget for the transition:
1. Discovery phase: You cannot fix what you do not know
2. Sizing the monster: How big is your cryptographic challenge?
3. Prioritize wisely: Design a phased roadmap of now, next, later
1. Discovery Phase: You Cannot Fix What You Do Not Know
Cryptography is in everything from your cell phones to your servers, Docker Hub containers, and edge devices. To gauge the scope of the challenge ahead of you, you need to understand what data you have, how it is protected (in transit and at rest), and where and how cryptography is being used.
The quality of the inventory governs whether your crypto-agility will be successful or not. It must contain enough information to calculate what you need to change, so follow the trail to its end: Which crypto libraries are you using? Where in the application is the cryptographic component being utilized? Where are the dependencies, such as a certificate in one place and verification in another? If you change a third-party library, is there a possibility of breaking dependencies?
Another element of discovery is to understand what your vendors’ plans are. What are their timelines for implementing quantum-proof algorithms? How will they do this, and what will be the impact on your systems? Unfortunately, you do not control the future of third-party systems, and what you do not know about your vendors’ roadmap can hurt you. Speak to the vendors you rely on most heavily and factor their plans into your own cybersecurity transition plans. Become crypto-agile, and get your house in order for the radical changes to come.
2. Sizing the Monster: How Big Is Your Cryptographic Challenge?
Once you have an inventory of all your cryptography, the next step is to see how big the monster is. Baby dragons may be slayable with just a couple of code changes. Giant beasts are going to take more effort, especially if the cryptographic fundamentals are so deeply hidden that it is going to take a lot of onion-peeling to find out what the impact is.
You may have to skin these monsters in layers, over many weeks or months, to gain control over them.
Also, this is not just an IT problem! Crypto-agility will touch many parts of the organization including digital identity, application development, digital network architecture, vendor management, procurement, compliance, and risk management. Since you cannot fix everything at once, prioritize your most at-risk assets where work needs to be started first (both from a crypto perspective and a business perspective).
For example, intellectual property and secrets you need to keep for years to come are higher on the priority list than data you can dispose of next month. Digital identity verification services and digital signatures might also be at the top of your list because they are fundamental to trust in digital transactions. The same applies to legacy systems with weaker cryptography; these may not even support post-quantum cryptographic algorithms, making them especially vulnerable.
As you’ll know well, effective leadership relies on a clear plan. So, sizing the monster is key to building your business case for the transition to crypto-agility. It will help you to allocate the time, resources, and investments necessary to make your organization crypto-agile, and to get the support you need from stakeholders.
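A starting point for the inventory of step 1 and the per-phase count of step 2, as an added example that is not from the article: a small Python scanner that searches constructed sample source files for cryptographic primitives, records where each one is used, and tags it with a roadmap phase. The detection rules and the sample files are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of application source files, standing in for the code
# a real inventory would scan (not from the article or any real project).
SAMPLE_SOURCES = {
    "auth/tokens.py": (
        "from cryptography.hazmat.primitives.asymmetric import rsa\n"
        "key = rsa.generate_private_key(public_exponent=65537, key_size=2048)\n"),
    "net/tls_client.py": (
        "ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)\n"
        "ctx.set_ciphers('ECDHE-ECDSA-AES128-GCM-SHA256')\n"),
    "storage/vault.py": (
        "cipher = AES.new(key, AES.MODE_GCM)  # 128-bit key\n"
        "digest = hashlib.sha256(blob).hexdigest()\n"),
    "legacy/report.py": "h = hashlib.md5(data).hexdigest()\n",
}

# Detection rules: (pattern, primitive family, quantum impact, roadmap phase).
# Public-key primitives come first: Shor's algorithm breaks them outright, and
# traffic protected by them today can be recorded now and decrypted later.
RULES = [
    (r"\b(rsa|ecdsa|ecdhe?|dh|x25519|ed25519)\b|\bssl\.",
     "public-key", "broken by Shor's algorithm", "now"),
    (r"\bmd5\b|\bsha1\b",
     "hash", "already weak classically; replace regardless of quantum", "now"),
    (r"\baes\b|\bchacha20\b",
     "symmetric", "Grover halves effective key length; move to 256-bit keys", "next"),
    (r"\bsha(256|384|512|3_\d+)\b",
     "hash", "Grover halves the preimage margin; SHA-256 and up stay adequate", "later"),
]

def inventory(sources):
    """One finding per source line that uses a known primitive: location,
    family, why it matters, and the roadmap phase it lands in."""
    findings = []
    for path, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for pattern, family, impact, phase in RULES:
                if re.search(pattern, line, re.IGNORECASE):
                    findings.append({"file": path, "line": lineno, "family": family,
                                     "impact": impact, "phase": phase})
                    break  # first matching rule wins; public-key outranks the rest
    return findings

def size_the_monster(findings):
    """Findings per roadmap phase: a first, rough measure of the migration effort."""
    return dict(Counter(f["phase"] for f in findings))
```

A real inventory would also pull in certificates, key stores, TLS configurations and vendor software bills of materials; the point is that every finding carries a location, a family and a phase, so the count per phase becomes the size of the monster.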
3. Prioritize Wisely: Design a Phased Roadmap of Now, Next, Later
Crypto-agility is an area of active research, and new solutions are emerging continuously as cryptographers race to find quantum-resistant algorithms. While some vendors may release quick-fix products, you need the right solution for your organization’s setup without unbearable impact on your systems.
The nature of the solution will depend on your particular “monster”. For example, if you peel back the layers and discover that one key is used to encrypt a critical communication in your digital network architecture, you can choose to do something spectacular with that key. You might triple its size. Or you might use a hybrid solution, which is essentially a quantum-inspired algorithm that runs on classical computers, but whose logic will survive a transition to quantum computers in the future. Or you might use a post-quantum algorithm for that particular key.
The point is, there is no one-size-fits-all. If digital identity verification is incredibly important in your organization, it will need setting up immediately with a safe and compliant certificate structure. Even if it is less important to your work, taking proactive steps is wise (rather than waiting to react once your outdated algorithms become an issue).
Make sure you know your options, and plan to migrate different parts of your systems at different times. Work in phases, with cybersecurity solutions that support interoperability. This will mean you avoid trying to execute a massive update all at once.
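One concrete shape crypto-agility can take, as an added example that is not from the article: every protected artifact carries an algorithm identifier, and the verifier dispatches through a registry with a per-algorithm status, so changing the default algorithm or retiring an old one is a registry edit rather than a code change at every call site. HMAC variants (stdlib only, with a constructed key and message) stand in for the classical and post-quantum algorithms the article discusses.

```python
import hmac
import hashlib

# Algorithm registry. The artifact names its algorithm, so the verifier
# dispatches on that tag instead of hard-coding one primitive. Status drives
# policy: "current" is used for new artifacts, "legacy" is verified but never
# produced by default, "retired" is rejected outright.
REGISTRY = {
    "hmac-sha1":     {"hash": hashlib.sha1,     "status": "retired"},
    "hmac-sha256":   {"hash": hashlib.sha256,   "status": "legacy"},
    "hmac-sha3-256": {"hash": hashlib.sha3_256, "status": "current"},
}

def current_alg():
    """The single algorithm new artifacts are issued under."""
    return next(a for a, meta in REGISTRY.items() if meta["status"] == "current")

def protect(key, message, alg=None):
    """Issue a tagged artifact 'alg:hexmac'; alg is overridden only for tests
    and migration tooling, never by ordinary callers."""
    alg = alg or current_alg()
    tag = hmac.new(key, message, REGISTRY[alg]["hash"]).hexdigest()
    return f"{alg}:{tag}"

def verify(key, message, token):
    """Verify according to the algorithm the artifact names, subject to policy."""
    alg, _, tag = token.partition(":")
    meta = REGISTRY.get(alg)
    if meta is None or meta["status"] == "retired":
        return False
    expected = hmac.new(key, message, meta["hash"]).hexdigest()
    return hmac.compare_digest(expected, tag)

def reprotect(key, message, token):
    """Migration step: re-issue a legacy artifact under the current algorithm."""
    if not verify(key, message, token):
        raise ValueError("refusing to migrate an artifact that does not verify")
    return protect(key, message)
```

Phasing a migration then means moving an entry from "current" to "legacy" (verify-only), running reprotect over stored artifacts, and finally marking it "retired" once none remain; callers of protect and verify never change.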
When to Get Help
As a business leader—especially if you do not have a technical background yourself—figuring out which applications need which solutions can be a challenge. Once the many technical issues are identified, businesses will need expert guidance to evaluate needs, consider the options, and reap the benefits.
Your technical team may be on top of this already. Even so, bringing in a specialist can minimize the risk of a costly misstep. You only need to understand your current cryptography once, but your analysis must be exceptionally thorough. After all, the app you see on your iPhone or desktop is merely the penguin standing on top of the iceberg. A specialist with decades of experience in using cryptography to keep information secure can dive below the surface, into your myriad dependencies and the compliance frameworks that impact your organization. And they can provide the solutions you need, or point you in the right direction to reach them. Then, you will be back on track: Once you are crypto-agile, you will be ready to respond to any future developments.
Keep your customers in mind, too, as they need confidence in the security of your systems and processes. Their data is on the line; they need to know that your trust mechanisms are not compromised by sloppy cryptography. Call it brand management, call it risk management—either way, you need to be able to stand by your claims of crypto-agility. Partnering with a specialist can give you that confidence.
Bottom line? Know your monsters, pick your battles, choose to have knowledge, and choose to have control. The post-quantum train is coming to the station whether you want it to or not. If you bring in the right partners, and slay the right dragons, then it is just business as usual.
Wondering what your next step toward crypto-agility should be?
Contact our experts to get personalized insights on your requirements and strategic priorities.