By Frank Guanco, Quantum-Safe Security Working Group, Cloud Security Alliance
Recently there has been an increase in the perceived threat of the quantum computer to modern cryptographic standards in widespread use. During the last year, security agencies such as the United States Government National Security Agency (NSA) and the United Kingdom’s Communications Electronics Security Group (CESG) have called for a move to a set of quantum-safe cryptographic standards. The consensus is that today’s cyber security solutions needs to be retooled sooner rather than later, and the transition to quantum-safe security must begin now. The arrival date for a practical quantum computer is still up for debate, however, most experts believe we will see a quantum computer capable of breaking current public key cryptosystems within five to 15 years.
Recently the Quantum-Safe Security Working Group from the Cloud Security Alliance (CSA), released its ‘Applied Quantum-Safe Security’ paper, designed to provide individuals in the security industry and related fields with applicable knowledge regarding the quantum computer and its influence on cyber security. The white paper discusses how cryptographic tools must be adapted to fit specific types of data and serves as a call-to-arms for the available protection options for when the quantum computer arrives.
Digital and physical security
Computer security has primarily focused on digital security methods, however, physical security of data is also critical. Algorithms provide authentication and encryption for online communications and security of a cryptographic scheme is based on mathematics and resilience against large computing power to ensure digital security. Consider this physical security example – security breaches impacting governments and large organizations are often linked to insiders, capable of physical access not afforded the outside world. This breach occurs despite the fact that digital avenues may have been closed and intensive security protocols employed. Cryptographic keys are not only abstract random strings, but also real physical objects that should be stored in secured physical appliances. To be more quantum-safe, new tools must include all physical and mathematical security systems, each with its own practical application domain.
Impact of Cloud Computing
The ongoing move toward the cloud for all our IT needs greatly increases the reliance on data networks. Data is stored in huge data centers, and transferred between them at ever-increasing rates. The cloud model—with its associated storage and network requirements—enables a stronger and more reliable IT infrastructure. This heavily networked model also opens some serious new post-quantum threat vectors, with the most serious being a “data-vaulting” or harvesting attack where an attacker stores communications between the client and the cloud so that data can be decrypted in the future when general purpose quantum computers are available. What we need to keep top of mind is that data stored today may already be compromised by future quantum computers, especially if the data is being monitored and stored.
Data “at rest” in enormous cloud data centers is also at risk since quantum computers will effectively reduce the keys protecting that data to half of their original strength. Additionally, post-quantum attack vectors will compromise the key management systems that generate, distribute and protect the keys needed to secure that data. Any connections and links between these large data centers must have the highest levels of protection possible. The need for quantum-safe cybersecurity is greatly compounded in a cloud-based IT environment.
As we move towards a world of quantum computers, organizations need to take the knowledge outlined in the ‘Applied Quantum-Safe Security’ paper and assess their own quantum-safe needs. Not every organization will require the same security measures and it takes time to change an infrastructure. The best way to prepare is to follow what is going on with the development of the quantum computer and its security solutions.
Since the cloud relies heavily on secure communications, quantum safety is a critical issue for the CSA. Enterprises will only use cloud services if they believe that their data is safe, both in the cloud provider servers and in transit. Quantum-safe security is a true requirement for further expansion of the cloud. The CSA encourages industry leaders to start thinking and talking about quantum safety. Quantum-related technology is evolving very quickly every day, both on the attack side and the defend side. Organizations should think about adopting some low-risk solutions now to improve infrastructure.
Cyber security technology never has and never will be a ‘one size fits all’. There is no one universal solution that would provide the perfect security against all possible threats. What we have learned, however, is that we must prepare ourselves for emerging technology, especially when we know it’s coming. The key to quantum computer protection is the use of adaptable cryptographic tools. These tools must be tailored to fit specific types of data and specific applications. To download a copy of the full white paper, please visit here.