Improve your quantum risk posture with crypto-agility
The cryptographic protocols that safeguard the world’s data, infrastructure, and communications have evolved over the past few decades, with each new generation of technology bringing improvements to security capabilities and performance. The most recent innovations in cryptography—known as post-quantum or quantum-safe cryptographic algorithms—are driven by the rapid progress of quantum computers, which one day will be capable of breaking many of the encryption standards upon which the modern digital economy relies.
Deploying quantum-safe solutions will not be a one-and-done experience. Rather, it will likely require periodic updates, hybrid methods, and pattern-based scaling. For these reasons, cryptographic agility is critical to establishing a robust quantum risk posture. Cryptographic agility, or crypto-agility, refers to an organization’s ability to anticipate and respond to cyber threats by updating or replacing its cryptographic algorithms and protocols without having to upend its cybersecurity architecture and disrupt operations. At IBM Quantum, we see crypto-agility as key to a successful and sustainable quantum-safe journey. That is why we are developing quantum-safe cryptographic technologies, services, and infrastructure that support an agile cybersecurity posture. Here are four best practices for building crypto-agility in service of a quantum-safe future.
Prepare a comprehensive cryptographic inventory.
Classical encryption algorithms cannot necessarily be swapped out directly for quantum-safe alternatives—some quantum-safe updates may be layered on top of existing classical security protocols or may require additional modifications to the cryptographic architecture. In addition, quantum-safe cryptographic algorithms and standards will likely continue to evolve as quantum technology progresses. To maintain compliance during upgrade cycles, you need to know exactly where and how cryptography is used throughout your IT environment. Scanning tools like IBM Quantum Safe Explorer can help you discover your cryptography usage in applications and generate cryptographic inventories such as a Cryptography Bill of Materials (CBOM), which describes cryptographic artifacts and their dependencies in a format that can be easily shared with your software supply chain. To obtain a comprehensive picture of your cryptography usage, you’ll need to pair this static code inventory with a dynamic view of your cryptography, such as what IBM Quantum Safe Advisor provides with its monitoring of net locations, cipher suites, certificates, keys, and CBOMs associated with particular cryptographic assets.
Create a prioritized quantum-safe transformation strategy.
If the first step to attaining crypto-agility is knowing where cryptography is used, which cryptographic libraries the calls originate from, and what the various dependencies are, the second is translating this data into actionable insights—knowing which current cryptographic assets to swap, layer, or replace with a quantum-safe solution and, crucially, in what order. Cryptographic risk assessment involves contextualizing cryptographic inventories with compliance and business data so that you can determine which assets should be prioritized in your quantum-safe transformation strategy. IBM Quantum Safe Advisor collects and consolidates cryptographic metadata from your IT landscape and augments it with policy and device information so you can target assets that are most vulnerable to current security risks. For example, if you are looking to safeguard your enterprise against “harvest now, decrypt later” attacks, in which bad actors steal and store data for future decryption by a cryptographically relevant quantum computer, you would likely focus on critical data that needs to stay confidential for a long time and is externally exposed.
Implement and automate quantum-safe solutions.
Executing your quantum-safe transformation strategy requires careful planning and incremental implementation. Therefore, IBM Quantum has introduced trainings like Practical introduction to quantum-safe cryptography, a new course offered free of charge on the IBM Quantum Learning platform. Organizations should also consider establishing a Cryptography Center of Excellence (CCoE), which provides a governance framework to ensure teams have the necessary expertise and alignment on policies, procedures, and responsibilities to manage their cryptographic risk posture with agility.
New quantum-safe encryption algorithms and protocols should be tested before being deployed to your stack. Hybrid implementations that combine classical and post-quantum cryptography will support an agile transition, as will proxy-based solutions that accommodate legacy systems during the quantum-safe transition. Rather than hardcoding cryptography into your applications and network implementations, using an API to call a centralized quantum-safe encryption, key, and certificate management service will reduce the time it takes to adapt to new cryptographic infrastructure, as well as the costs and DevSecOps burden. IBM Quantum Safe Remediator provides a variety of quantum-safe remediation patterns, including direct and proxy-based solutions, for organizations looking to address vulnerabilities without necessarily editing application code. Once remediation patterns are selected for deployment, automated tooling can further support crypto-agility.
Build on quantum-safe infrastructure.
This quantum-safe transformation strategy should be executed with the objective of establishing an enterprise platform consisting of quantum-safe communications, storage, and processing systems. IBM has already begun integrating quantum-safe cryptography into its enterprise infrastructure and services so that our systems not only are more resilient, but also can more efficiently accommodate new encryption algorithms as they are developed. IBM z16, the first quantum-safe mainframe, secures data and applications with hardware-accelerated encryption. With quantum-safe TLS modes for IBM Cloud®, you can safeguard your data in transit from potential quantum cyberattacks. IBM Cloud® Hyper Protect Crypto Services, a dedicated key management and hardware security module, has also been outfitted with quantum-safe digital signature support. Additionally, IBM researchers created the first enterprise-class tape drive with built-in quantum-safe encryption technology. These technologies contribute to an agile cybersecurity posture that is robust against quantum risks now and in the future.
Get involved with the quantum-safe ecosystem.
If your cryptography largely exists within third-party applications or vendor-owned infrastructure, it can weaken your crypto-agility when suppliers retain legacy encryption methods. Search out opportunities to engage with task forces and working groups to align transformation efforts and drive change across organizations and industries. IBM Quantum, for example, is a founding member of the GSMA Post-Quantum Telco Network Taskforce and the Post-Quantum Cryptography Coalition, both of which bring together researchers, technologists, and other ecosystem partners to facilitate the adoption of quantum-safe cryptography.
These best practices will help you enhance your crypto-agility as you navigate the quantum-safe transition. In support of its mission to bring useful quantum computing to the world and to make the world quantum safe, IBM Quantum is leveraging these principles to help organizations accelerate their quantum-safe readiness with IBM Quantum Safe cryptographic technologies, services, and infrastructure. Learn more about IBM Quantum Safe at https://ibm.com/quantumsafe.
Sponsored by IBM Quantum.
Author Scott Crowder.