CIOs must prepare their organizations today for quantum-safe cryptography

Analytics & Cognitive News

Quantum computers are emerging from the pure research phase and becoming useful tools. They are used across industries and organizations to explore the frontiers of challenges in healthcare and life sciences, high energy physics, materials development, optimization and sustainability. However, as quantum computers scale, they will also be able to solve the hard mathematical problems on which today’s public key cryptography relies: integer factoring and discrete logarithms, both of which Shor’s algorithm solves efficiently on a large enough machine. A future cryptographically relevant quantum computer (CRQC) would break the globally used asymmetric algorithms (RSA, Diffie-Hellman and elliptic-curve schemes) that currently help ensure the confidentiality and integrity of data and the authenticity of systems and access.

The risks posed by a CRQC are far-reaching: data breaches, digital infrastructure disruptions and even widescale global manipulation. A CRQC will be among the biggest risks to the digital economy and poses a significant cyber risk to businesses.

The risk is already active today. Adversaries are collecting encrypted traffic and data now with the goal of decrypting it later, once a CRQC is at their disposal, a threat known as “harvest now, decrypt later.” Any data whose confidentiality must outlast the arrival of a CRQC is therefore exposed today, even though nobody can read it yet.

Post-quantum cryptography to the rescue

Fortunately, post-quantum cryptography (PQC) algorithms capable of protecting today’s systems and data have been standardized. In August 2024 the National Institute of Standards and Technology (NIST) released the first set of three standards:

  • ML-KEM (FIPS 203): a lattice-based key encapsulation mechanism selected for general encryption and key establishment, such as the key exchange performed when accessing secured websites
  • ML-DSA (FIPS 204): a lattice-based algorithm chosen for general-purpose digital signatures
  • SLH-DSA (FIPS 205): a stateless hash-based digital signature scheme, whose security rests on hash functions rather than lattice assumptions

Two of the standards (ML-KEM and ML-DSA) were developed by IBM with external collaborators, and the third (SLH-DSA) was co-developed by a scientist who has since joined IBM.

Those algorithms will be adopted by governments and industries around the world as part of security protocols such as Transport Layer Security (TLS) and many others; hybrid ML-KEM key exchange is already being deployed in TLS 1.3 by major browsers and web servers.

The good news is that these algorithms are at our disposal to protect against the quantum risk. The bad news is that enterprises must migrate their estate to adopt these new PQC standards.

Previous cryptography migration programs took years to complete. Ask yourself as an organization: how long did your SHA-1 to SHA-2 migration take? What about the public key infrastructure (PKI) upgrade in which you increased the key size of your trust chain from 1024-bit to 2048-bit, 3072-bit or 4096-bit RSA keys? How long did all that take to roll out across your complex enterprise environment? Several years?

The impact of quantum computing and of implementing the PQC standards is vast, covering a large part of your organization’s estate. The quantum risk touches many more systems, security tools and services, applications and network infrastructure than those earlier migrations did. Your organization needs to start its transition toward the PQC standards now to safeguard its assets and data.

Start adopting quantum-safe cryptography today

To protect your organization against “harvest now, decrypt later” risks, we advise you to run a quantum-safe transformation program. Start adopting tools and use services that allow you to roll out the recently announced PQC encryption standards.

IBM has developed a comprehensive quantum-safe program methodology, which is currently running across dozens of clients, spread across key industries and dozens of countries, including national governments.

We advise clients to adopt a program with the following key phases:

  • Phase 1: Prepare your cyber teams by delivering quantum risk awareness and identifying your priorities across the organization.
  • Phase 2: Prepare and transform your organization for migration to PQC.
  • Phase 3: Run your organization’s migration to PQC.

Phase 1: Prepare your teams

In phase 1 of the program journey, focus on key areas, such as creating an awareness campaign across the organization to educate stakeholders and security subject matter experts (SMEs) on the quantum risk. Establish quantum-safe “ambassadors” or “champions” who stay on top of the quantum risk and quantum-safe evolution and act as central contact for the program and help shape the enterprise strategy.

Next, conduct risk assessments of the quantum risk to your organization’s cryptographically relevant business assets, that is, any asset that uses or relies on cryptography. For example, your risk and impact assessment should assess the business relevance of the asset, its environment complexity and migration difficulty, among other areas of assessment. Identify vulnerabilities within the business assets, including any urgent actions, and produce a report highlighting the findings to key stakeholders, helping them understand the organizational quantum risk posture. This can also serve as a baseline for developing your enterprise’s cryptography inventory.

Phase 2: Prepare your organization

In phase 2, guide your stakeholders on how to address the identified priority areas and potential cryptographic weaknesses and quantum risks. Then, detail remediation actions, such as highlighting systems that might not be able to support PQC algorithms. Finally, express the objectives of the migration program.

In this stage, IBM helps clients outline a quantum-safe migration roadmap that details the quantum-safe initiatives required for your organization to reach its objectives.

As we advise our clients: include critical initiatives in your roadmap, such as developing a governance framework for cryptography and prioritizing systems and data for PQC migration. Update your secure software development practices and guidelines to use PQC by design and to produce a Cryptography Bill of Materials (CBOM) for each application. Work with your suppliers to understand third-party dependencies and cryptographic artifacts. Update your procurement processes to favor solutions and services that support PQC, so that you do not create new cryptographic debt or new legacy.

One of the key required capabilities is cryptographic observability: a cryptographic inventory that allows stakeholders to monitor the progress of PQC adoption throughout your quantum-safe journey. Such an inventory should be supported by automated data gathering, data analysis and risk and compliance posture management.

Phase 3: Run your migration

In phase 3, your organization runs the quantum-safe migration program by implementing initiatives based on priority systems/risk/cost, strategic objectives, delivery capacity, etc. Develop a quantum-safe strategy enforced through your organizational information security standards and policies.

Run the technology migration by using standardized, tested and proven reference architectures and migration patterns, journeys and blueprints.

Include the enablement of cryptographic agility within the development and migration solutions and implement cryptographic decoupling by abstracting local cryptography processing to centralized, governed and easily adaptable platform services.
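The following Python sketch is an added example, not code from the original article or from IBM’s program assets, of the decoupled crypto service pattern described above. Application code never names an algorithm; it asks the platform service for a session key, and a governed policy decides which suites are offered, which classical-only suites are merely tolerated during migration, and how a classical and a post-quantum shared secret are combined into one key. The suite identifiers, the policy layout and the 32-byte shares are assumptions for illustration; the X25519 and ML-KEM operations themselves are not implemented here, only the negotiation and the combiner around them.

```python
import hashlib
import hmac

# Suite registry. The identifiers are illustrative (TLS calls the deployed
# hybrid X25519MLKEM768); what matters is that application code references
# a policy label, never a specific algorithm.
SUITES = {
    "X25519":            {"classical": True,  "pqc": False},
    "X25519+ML-KEM-768": {"classical": True,  "pqc": True},
    "ML-KEM-768":        {"classical": False, "pqc": True},
}

# Governed policy, owned by the central crypto service rather than by each
# application. Flipping allow_classical_only to False is the migration cut-over.
POLICY = {
    "preference": ["X25519+ML-KEM-768", "ML-KEM-768", "X25519"],
    "allow_classical_only": True,
}

SHARE_LEN = 32  # both X25519 and ML-KEM-768 produce a 32-byte shared secret


def negotiate(policy, peer_supported):
    """Return the first suite in our preference order that the peer also
    supports, skipping classical-only suites once policy forbids them.
    Returns None when nothing is acceptable; the caller must fail closed."""
    for suite in policy["preference"]:
        if suite not in peer_supported:
            continue
        if not SUITES[suite]["pqc"] and not policy["allow_classical_only"]:
            continue
        return suite
    return None


def hkdf_extract(salt, ikm):
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk, info, length):
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def combine_shared_secrets(suite, classical_ss, pqc_ss, transcript):
    """Derive one session key from whichever shares the suite contributes.
    Feeding the fixed-length shares into a single HKDF extract step means an
    attacker has to recover every contributing share, so the hybrid stays
    secure as long as either X25519 or ML-KEM still holds."""
    parts = []
    if SUITES[suite]["classical"]:
        parts.append(classical_ss)
    if SUITES[suite]["pqc"]:
        parts.append(pqc_ss)
    if any(len(p) != SHARE_LEN for p in parts):
        raise ValueError("unexpected shared-secret length")
    salt = hashlib.sha256(transcript).digest()  # binds the key to the handshake
    prk = hkdf_extract(salt, b"".join(parts))
    return hkdf_expand(prk, b"session key " + suite.encode(), 32)


if __name__ == "__main__":
    # Constructed shares stand in for the real key-agreement outputs.
    suite = negotiate(POLICY, ["X25519", "ML-KEM-768"])
    key = combine_shared_secrets(suite, b"\x01" * 32, b"\x02" * 32, b"constructed transcript")
    print(suite, key.hex())
```

Because the suite identifier is part of the HKDF info string and the policy lives in one place, retiring X25519 later is a policy change plus a redeploy of the service, not a code change in every application that consumes session keys.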

Include in your program a feedback loop with lessons learned. Allow for the innovation and rapid testing of new approaches and solutions to support the migration program in the years ahead.

Challenges to expect during your PQC transition

Many elements are challenging to migrate. For example, fundamental components of internet infrastructure, such as wide area networks (WANs), local area networks (LANs), VPN concentrators and site-to-site links, will be more complex to migrate. Therefore, these elements require more attention than those that have limited use within the organization. Core cryptography services such as PKI, key management systems, secure payment systems, and cryptographic applications or backends such as HSMs, link encryptors and mainframes are all complex to migrate. You need to consider the dependencies between applications and hardware, including technology interoperability issues.

You should also performance-test the PQC standards against your in-house systems and data workflows to confirm compatibility and acceptable performance and to identify concerns early. PQC algorithms generally have larger public keys, ciphertexts or signatures than the algorithms in use today: an ML-KEM-768 public key is 1,184 bytes and its ciphertext 1,088 bytes, against 32 bytes for an X25519 key share, and an ML-DSA-65 signature is 3,309 bytes against 64 bytes for Ed25519. The resulting growth in handshakes, certificate chains and protocol messages needs to be accounted for in integration and performance testing. Some organization-critical technologies still rely on legacy cryptography and might find it difficult or even impossible to migrate to PQC standards. Application refactoring and redesign might be required.
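To make the size point concrete, here is an added example, not part of the original article: a Lamport one-time signature in pure Python, the simplest hash-based scheme and a distant relative of SLH-DSA. With SHA-256 a public key is 16,384 bytes and a signature 8,192 bytes, far above a 64-byte Ed25519 signature, which is the kind of overhead integration testing has to absorb. The second half of the block shows the constraint that comes with such schemes: signing two messages with one key leaks both preimages at every bit position where the digests differ, which is exactly the state-management problem that SLH-DSA’s large tree of one-time keys exists to remove. The messages are constructed for the demonstration; this is a teaching implementation, not a drop-in for a standardized algorithm.

```python
import hashlib
import os

H = hashlib.sha256
N = H().digest_size   # 32 bytes; we sign the 256-bit digest of the message
BITS = 8 * N


def _bit(digest, i):
    """i-th bit of the digest, most significant bit first."""
    return (digest[i // 8] >> (7 - i % 8)) & 1


def keygen():
    # Private key: one random preimage pair per digest bit.
    # Public key: the hash of every preimage (hence 2 * 256 * 32 bytes).
    sk = [(os.urandom(N), os.urandom(N)) for _ in range(BITS)]
    pk = [(H(a).digest(), H(b).digest()) for a, b in sk]
    return sk, pk


def sign(sk, message):
    # Reveal, for each digest bit, the preimage that corresponds to that bit.
    d = H(message).digest()
    return [sk[i][_bit(d, i)] for i in range(BITS)]


def verify(pk, message, sig):
    if len(sig) != BITS:
        return False
    d = H(message).digest()
    return all(H(sig[i]).digest() == pk[i][_bit(d, i)] for i in range(BITS))


def sizes(pk, sig):
    return {
        "public_key_bytes": sum(len(a) + len(b) for a, b in pk),
        "signature_bytes": sum(len(s) for s in sig),
    }


def exposed_positions(m1, m2):
    """Bit positions where the digests of m1 and m2 differ. After both were
    signed with the same key, both preimages are public at each of them."""
    d1, d2 = H(m1).digest(), H(m2).digest()
    return [i for i in range(BITS) if _bit(d1, i) != _bit(d2, i)]


def can_forge(m1, m2, target):
    """After key reuse on m1 and m2 an attacker holds, at position i, the
    preimage for bit(m1, i) and for bit(m2, i). Forging `target` needs the
    preimage of bit(target, i) at every position."""
    d1, d2, dt = H(m1).digest(), H(m2).digest(), H(target).digest()
    return all(_bit(dt, i) in (_bit(d1, i), _bit(d2, i)) for i in range(BITS))


if __name__ == "__main__":
    sk, pk = keygen()
    msg = b"transfer 100 EUR to account 42"          # constructed message
    sig = sign(sk, msg)
    print(verify(pk, msg, sig), sizes(pk, sig))
    leaked = exposed_positions(msg, b"transfer 100 EUR to account 43")
    print(len(leaked), "preimage pairs exposed by signing both messages")
```

The size figures are what a trace of a real deployment would show scaled up: SLH-DSA keeps a public key of only 32 bytes by hashing many one-time keys into a tree, but its signatures run to several kilobytes for the same reason this one does, because each one reveals preimages rather than a short algebraic value.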

Other challenges include a lack of skills or of documentation, which creates knowledge gaps within your enterprise. Cryptographic algorithms, keys and certificates hardcoded in systems, configuration files and scripts make migration even more complex.

Make sure that your encryption keys and digital certificates are accurately tracked and managed. Poor management will further complicate the migration.
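As an added illustration of cryptographic observability (the inventory called for in phase 2) and of the hardcoded-key and certificate-tracking problems just described, here is a small Python inventory scanner. It is not IBM’s tooling and not code from the article. It takes lines already collected from hosts (web server and SSH configuration, certificate dumps, application settings), classifies each cryptographic reference against the verdicts the article uses, redacts hardcoded key material instead of copying it into the report, and emits a CBOM. The sample records are constructed, the rule table is deliberately small, and the CycloneDX-style field names approximate the 1.6 cryptographic-asset component rather than reproducing the official schema.

```python
import json
import re

# Detection rules: (regex, canonical name, primitive, migration verdict).
# Public-key schemes resting on factoring or discrete logarithms fall to a
# CRQC; symmetric primitives only need a key-size review; FIPS 203-205
# schemes are quantum-safe; algorithms already broken classically are flagged
# separately so they are fixed first rather than folded into the PQC backlog.
RULES = [
    (r"\bML-KEM\b|mlkem",                             "ML-KEM",         "kem",           "quantum-safe"),
    (r"\bML-DSA\b|\bSLH-DSA\b|mldsa|slhdsa",          "ML-DSA/SLH-DSA", "signature",     "quantum-safe"),
    (r"\bRSA\b|rsaEncryption|\bRS(256|384|512)\b",    "RSA",            "public-key",    "quantum-vulnerable"),
    (r"\bECDSA\b|\bECDHE?\b|prime256v1|secp\d+[rk]1", "ECDSA/ECDH",     "public-key",    "quantum-vulnerable"),
    (r"x25519|curve25519|ed25519",                    "Curve25519",     "public-key",    "quantum-vulnerable"),
    (r"diffie-hellman|\bDHE?\b",                      "Diffie-Hellman", "key-agreement", "quantum-vulnerable"),
    (r"\bAES-?256\b",                                 "AES-256",        "symmetric",     "quantum-safe"),
    (r"\bAES-?128\b",                                 "AES-128",        "symmetric",     "review-key-size"),
    (r"\b3?DES\b|\bSHA-?1\b|sha1With|TLSv1(?:\.[01])?(?![.\d])|\bSSLv[23]\b",
                                                      "legacy (DES/3DES/SHA-1/TLS<1.2)", "legacy", "weak-today"),
]

# Key material embedded in files: PEM private keys or long literal values
# assigned to key/secret/password settings (a heuristic, not a full scanner).
SECRET_RE = re.compile(
    r"-----BEGIN [A-Z ]*PRIVATE KEY-----|(key|secret|password)\s*[:=]\s*['\"]?[A-Za-z0-9+/=]{16,}",
    re.IGNORECASE,
)

# Constructed scan output: (asset, location, line). In practice these come
# from config management, certificate discovery and code scanning agents.
CONSTRUCTED_SCAN = [
    ("web01",     "/etc/nginx/nginx.conf",    "ssl_protocols TLSv1.2 TLSv1.3; ssl_ecdh_curve X25519:prime256v1;"),
    ("web01",     "/etc/ssl/certs/web01.pem", "Signature Algorithm: sha256WithRSAEncryption; Public Key: RSA 2048 bit"),
    ("bastion",   "/etc/ssh/sshd_config",     "KexAlgorithms curve25519-sha256,diffie-hellman-group14-sha256"),
    ("app42",     "config/app.yaml",          "jwt_alg: RS256"),
    ("app42",     "config/app.yaml",          "hmac_key: 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"),
    ("legacy-db", "/opt/app/db.cnf",          "tls_version=TLSv1; cipher=RSA-3DES; password_hash=SHA1"),
    ("gateway",   "/etc/tls/pqc.conf",        "kex=X25519MLKEM768; sig=ML-DSA-65"),
]


def scan(records):
    """One inventory entry per (location, rule) hit, plus one per hardcoded secret."""
    inventory = []
    for asset, location, line in records:
        for pattern, name, primitive, verdict in RULES:
            if re.search(pattern, line, re.IGNORECASE):
                inventory.append({"asset": asset, "location": location, "algorithm": name,
                                  "primitive": primitive, "verdict": verdict, "evidence": line})
        if SECRET_RE.search(line):
            setting = re.split(r"[:=]", line, maxsplit=1)[0]   # keep the name, drop the value
            inventory.append({"asset": asset, "location": location, "algorithm": "hardcoded key material",
                              "primitive": "key-material", "verdict": "hardcoded",
                              "evidence": setting + ": <redacted>"})
    return inventory


def summarize(inventory):
    counts = {}
    for entry in inventory:
        counts[entry["verdict"]] = counts.get(entry["verdict"], 0) + 1
    return counts


def to_cbom(inventory):
    """CycloneDX-style CBOM; the component layout approximates the 1.6
    cryptographic-asset component and is not the official schema."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.6",
        "components": [{
            "type": "cryptographic-asset",
            "name": e["algorithm"],
            "cryptoProperties": {"assetType": "algorithm", "primitive": e["primitive"],
                                 "quantumVerdict": e["verdict"]},
            "evidence": {"asset": e["asset"], "location": e["location"], "source": e["evidence"]},
        } for e in inventory],
    }


if __name__ == "__main__":
    inv = scan(CONSTRUCTED_SCAN)
    print(summarize(inv))
    print(json.dumps(to_cbom(inv), indent=2))
```

Note how the gateway entry yields both a Curve25519 and an ML-KEM line: that is how a hybrid should appear in the inventory, and deciding whether a hybrid counts as migrated is a policy decision layered on top of the data rather than something the scanner should silently decide.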

Not all use cases will be tested by the international PQC working groups. Your organization will have many combinations and configurations of technologies that are unique to it, and you need to thoroughly test your systems from an end-to-end workflow perspective.

Don’t wait for regulations to catch up

Now that NIST has released a first set of PQC standards, we need to anticipate that regulation outside of the US will follow quickly. Examples in the context of the financial industry are:

  • In the EU, the Digital Operational Resilience Act (DORA) explicitly mentions quantum risks in a regulatory technical standard in the context of ICT risk management.
  • The Monetary Authority of Singapore (MAS) has called out a need that “senior management and relevant third-party vendors understand the potential threats of quantum technology.” It also mentions the need for “identifying and maintaining an inventory of cryptographic solutions.”
  • The Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 now contains a control (requirement 12.3.3) that requires “an up-to-date inventory of all cryptographic cipher suites and protocols in use, including purpose and where used.”

Therefore, we advise you to focus on developing your cryptography governance framework, which includes the development of a quantum-safe strategy for your organization. It should be aligned to your business strategic goals, vision and target timescales. A center of excellence should support and advise as part of the transformation program. The governance framework should focus on core pillars such as your organization’s regulatory oversight, cryptographic assurance and risk management, delivery capacity building and PQC education. It should drive adoption of best practices within application development, supply chain security, security architecture patterns and technical design review boards.

The transformation program is going to be long and complex. It requires extensive cross-departmental engagement and a wide range of skills. Ensure you manage and observe team morale and consider your organization’s working culture and change management practices to help ensure program cohesion across the many years of delivery.

Also, consider partnership development, as many organizations depend on many vendors specific to their industry and ecosystem. Collaborate with others within your industry to learn and share ideas to address the quantum risk and PQC migration together through working groups and user groups.

From an operational perspective, help ensure you have a traceability catalog of key enterprise and business services mapped to regulations and laws and start planning a timeline for transition around each.

How IBM helps organizations with their quantum-safe journey

IBM helps implement quantum-safe migration for clients in financial services, insurance, telecommunication, retail, energy and other industries. We help clients understand their quantum risks, improving their cryptographic maturity and agility, defining their quantum-safe targets and implementing various transformation initiatives, supported by a broad set of technology assets.

At the same time, we are helping to start industry consortia to drive adoption of quantum-safe cryptography, such as:

Now that the first set of PQC standards have been released, organizations are expected to have a proper quantum-safe migration program in place. A solid program should include thorough risk and impact assessments, quantum-safe objectives and the right level of stakeholder attention. Prepare now for the adoption of quantum-safe standards and use technology to accelerate your journey.

Secure your enterprise for the quantum era with IBM Quantum Safe
