‘Crypto agility is not enough,’ Quantum Xchange’s Berk says
The transition to post-quantum cryptography (PQC) presents an opportunity to re-think previous approaches to enterprise security, and rebuild these architectures with redundancy in mind, according to Vince Berk, Chief Revenue and Strategy Officer at Quantum Xchange.
Many security companies have spoken of the need for organizations to embrace a “crypto-agile” mindset that allows them to quickly adopt new PQC standards as they become available, but Berk told IQT recently, “Crypto agility is not enough.”
A discussion of PQC standard candidate Rainbow and SIKE having been compromised led Berk to add, “When people who really want to break cryptography actually break cryptography, you are not going to know about it. Being agile is kind of useless if you don’t know that the encryption you are using has been broken. Agility means I can go do something else quickly and easily, but what if you don’t know that’s necessary.”
Berk said the enterprise security ecosystem for too long has been thinking too narrowly about security instead of looking at the model of data centers, where layers of redundancy are built in for data storage and power in the event of a disaster. “When it comes to cryptography nobody thinks about this,” Berk said. “We use one algorithm, one software implementation, one channel, and that means a single point of failure. We need to get rid of the single point of failure.”
That could make security management more complex, but Berk noted that is why companies in the future will need a control plane that helps them manage their various algorithms and layers of protection that will lend greater redundancy to their security strategies.
Dan O’Shea has covered telecommunications and related topics including semiconductors, sensors, retail systems, digital payments and quantum computing/technology for over 25 years.