lolloj - Fotolia

Enterprise data encryption: Preparing for a post-quantum future

With the race toward quantum computing underway, interest in post-quantum encryption is growing. ISACA's Rob Clyde explains how CIOs and CISOs can get up to speed.

The quantum leap for computers is still years away, but it already has researchers and experts sweating about how their advent into the mainstream will influence enterprise data encryption. Now is the time for CIOs and CISOs to garner knowledge about quantum and monitor post-quantum encryption efforts, according to Rob Clyde, the chairman-elect of governance organization ISACA's board of directors and board director at data protection company Titus Inc.

"They should keep tabs on the pace of quantum -- listening to experts on how close we are to achieving quantum supremacy," Clyde said. "I personally think the range is seven to 15 years, but if it happened in six years, I would not be overly surprised."

In this Q&A, Clyde offers strategies that can help CIOs and CISOs prepare for the implementation of post-quantum encryption. He explains that it is crucial to create an inventory of encrypted data and to ensure that preferred vendors have the ability to easily adapt to post-quantum encryption algorithms once they materialize. Clyde also sheds light about how the enhanced interest in privacy is driving enterprise data encryption strategy.

Editor's note: The following interview has been edited for clarity and length.

How should CIOs and CISOs prepare for quantum computing and its effect on enterprise data encryption?

Rob ClydeRob Clyde

Rob Clyde: No. 1, they should brief the board about this risk so that they can understand what the risk is and why it matters. Secondly, the board is going to ask, 'What do we do?' For most organizations right now, the right thing to do is monitor what's happening with NIST (National Institute of Standards and Technology) and other efforts to build quantum-resilient algorithms.

They should understand where their encrypted data is and how it is encrypted. With GDPR (General Data Protection Regulation) and other things, we're going to end up with more encrypted data. For most organizations, they are not implementing encryption algorithms by writing code themselves. They're actually using products. For example, if you build a website, you're using SSL or some other technique that has encryption inside it.

Once new algorithms have been recommended by NIST, the next step for organizations will be to monitor and get verification from their vendors that those algorithms have, in fact, been implemented in that inventory that they have done. And then they will need to look at any data at rest. For data at rest, all the old data that's encrypted the old way has to be re-encrypted the new way.

For data at rest, all the old data that's encrypted the old way, has to be re-encrypted the new way.
Rob Clydechairman-elect, ISACA

How much of an effort does re-encrypting data require?

Clyde: It is going to be a pain. It is going to take some computation. However, this idea of re-encryption is not new. Organizations have regularly increased, for example, the key length that they have used to encrypt data as conventional computers became more powerful and were able to break keys that are too short.

As algorithms have changed, for example, from the data encryption standard to some of the newer techniques that we have, you need to re-encrypt that data. Many vendors that sell products that essentially encrypt your data actually have features to do re-encryption in a way that is relatively straightforward.

One of the things organizations should look at as they do an inventory of their encrypted data is look at their various tools and figure out if each tool has a simple method, a feature, where they can re-encrypt. That way, when a new algorithm is implemented in the future, organizations could take advantage of that with the tools they have. That's the big question for CIOs and CISOs to ask of their vendors that are providing encryption for data at rest.

When it comes to enterprise data encryption, do you see encryption becoming de facto?

Clyde: Yes, I do, for data about individuals. We are entering a world where, not long from now, any data about data subjects, about individual people -- from email addresses to health records to home IP addresses, the list goes on and on -- that data will end up getting encrypted as a way to avoid breach notification.

If an organization had a breach, if they are able to show that they had a policy in place that certain categories of data are automatically encrypted in all cases -- and they could actually show that by the policy, methods and tools they implemented -- they can actually avoid having to disclose that breach because the data is protected. That's huge for companies.

In the United States in particular, we have gone through a period where privacy has taken a back seat and individuals have been willing to give up all kinds of aspects to their privacy in return for various conveniences, social media advantages, etc. Those days are starting to close now and there is an enhanced interest in privacy.

As we're entering a period of a bit of hyperawareness on the privacy side, at least from the government regulatory perspective, we are likely to see more privacy regulation. That will continue to drive more implementation of encryption -- not less.

In part one of the interview, Clyde explains why post-quantum cryptography should matter to CIOs.

Dig Deeper on Risk management and governance