Nobody — or at least I think that is the case — can deny the threat that quantum computing could pose to existing security systems. This danger, however, can be avoided if organizations start preparing for it now.
With that said, it is always good to get sound advice from an expert in the space. One such authority is Greg Wetmore, VP of Product Development at Entrust, a Minneapolis-based company that offers services for multi-cloud deployments, mobile identities, hybrid work, machine identity, electronic signatures, encryption, etc.
Wetmore, who has worked for Entrust for more than two decades, explained in a video what quantum computing is and what the security implications are for a post-quantum world where computing will be powerful enough to break the RSA and ECC algorithms currently in use.
Wetmore was first asked what threat is associated with quantum computing, but before answering that question, he wanted to highlight some of the positives:
“Maybe before we talk about the threat, we should acknowledge the opportunity,” Wetmore began. “It’s thought that quantum computers are going to be incredible tools for research in fields like medicine, material science and data science, so I have no doubt that quantum computers will advance fields like that incredibly quickly. What we do know,” he went on, “is that quantum computers will be able to break the complex mathematical structure that’s underneath today’s public key technology.”
Wetmore explained that what that really means is that organizations are going to have to transition to what are called quantum-safe, or post-quantum, cryptographic algorithms, as it’s public key cryptography that allows organizations to keep data confidential or secure for a long period of time through encryption.
“The most important thing is a sense of urgency: organizations need to start acting and planning now,” said Wetmore, on the question of how organizations can prepare for post-quantum computing. “We know from previous cryptographic transitions from SHA-1 to SHA-2 — or RSA to elliptic curve — that this process takes time, and it takes planning. It’s important to understand that this transition we will go through from traditional public-key cryptography to quantum-safe cryptography is even more complex and difficult than those previous transitions.”
Wetmore pointed out that it’s important that organizations start developing their quantum-safe strategy now, starting with an inventory of their data, thinking about where in the organization there is high-value data that needs to be secure for a long period of time.
“The next step,” he went on, “would be looking at your systems and inventory of cryptographic assets. Where in your organization do you have keys, secrets and certificates? What algorithms are being used? What software systems are implementing those security technologies? Then we need to be working with our security vendors. Security vendors need to have post-quantum in their roadmaps, and you should be asking your security vendors about this.”
Entrust’s VP of Product Development noted that any vendors today are going to be able to provide integration or test systems that incorporate quantum-safe cryptography, so organizations can start to build out their plans and begin to do interoperability and backward compatibility testing in their environments.
As for the key takeaway regarding post-quantum security, Wetmore’s suggestion was:
“The threat from quantum computers is real. Experts broadly agree that quantum computers will develop to the point where they will break today’s public-key cryptography systems. Organizations need to start a plan today and need to begin to implement and work with their security vendors, asking them about crypto agility so they can begin to implement them,” he said.
Feature image: Greg Wetmore, credit Entrust