As businesses come to realise that they may be required to store some data for decades, encrypted data should be secure well beyond its useful life, and with this in mind, security architect for Benelux at IBM, Christiane Peters, is suggesting that businesses should start preparing now to implement post-quantum data protection.
The suggestion is that, in a relatively short time, quantum computers will be commercially available. One threat from this could be that quantum computers in criminal hands could be used to try and crack encrypted business data. For example, in the US, the National Security Agency (NSA) warned back in 2015 that progress in quantum computing was at such a point that organisations should deploy encryption algorithms that can withstand such attacks from quantum computers.
The encryption algorithms that can stand up to attacks from quantum computers are known by several names including post-quantum cryptography / quantum-proof cryptography, and quantum-safe / quantum-resistant cryptographic (usually public-key) algorithms.
What’s The Problem?
Ultimately, with technology advancing at such a rapid rate and with organisations needing to keep some data for long periods of time, there is the risk that even though this sensitive data is stored in secure encrypted formats now, this encryption could be cracked in the not-too-distant future by cyber-criminals with access to commercial supercomputers. Being able to crack encryption could mean encrypted data could no longer be safe even if it is stolen. For example, this could mean that encrypted data lost/stolen in a breach this year could be accessed in the future. Indeed, it is known that some data is being stolen today with this in mind.
How To Prepare Now For Quantum Computer Risk
Christiane Peters is reported as suggesting that ways in which companies could prepare to counter the encryption code-cracking risk posed by the ability of cyber-criminals to use commercially available quantum computers include:
- Developing/updating crypto policies.
- Creating an inventory of all systems and applications using cryptography.
- Classifying data and mapping data flows.
- Creating an enterprise-specific outlook and timeline for quantum safe crypto.
Developing a Post-Quantum Implementation Strategy
Understanding that encryption is just one way to protect data, combining other capabilities with encryption will help overall cyber resilience over time. For example, companies could also focus on certificate management, mobile device management, application scanning, data loss prevention, security incident response, access control, data classification and digital forensics.
Personal Data Protection Could Pay Off In The Long Term
Christiane Peters, commenting on the findings of a Ponemon Institute study, has also pointed out that, as well as preparing for the security of cryptography in the post-quantum era, businesses that are able to focus on data protection could, by investing in security and encryption now, reap the benefits in the longer term. For example, the report shows that the average cost saving with extensive use of encryption is $13 per data record.
What Does This Mean For Your Business?
What the experts appear to be saying is that even though the use of robust, high-assurance encryption technologies may make the decrypting of protected data impossible in the short-term, this may not always be the case. The power of super-computers may mean that, quite soon, criminals may be able to crack encryption codes. In order to ensure that sensitive company data, particularly personal data is safe in the longer term, companies may want to start looking into ways that they can prepare for quantum data protection standards.