putilov_denis - stock.adobe.com
How to achieve crypto-agility and future-proof security
Quantum computing will render current asymmetric encryption algorithms obsolete. Organizations need to deploy crypto-agile systems to remain protected.
Quantum computing promises organizations the ability to optimize processes, overcome logistical challenges, reduce costs and improve decision-making. Quantum computing's advanced functionality and compute capabilities, however, also mean current cryptographic algorithms will no longer provide the protection they once did.
While the quantum computing market is still nascent, with revenue estimates for 2024 around $1.3 billion, it is expected to grow to $5.3 billion by 2029. With current asymmetric encryption at risk, it's critical that organizations prepare now for post-quantum cryptography (PQC) -- a key aspect of which is adopting crypto-agility.
What is crypto-agility and why is it important?
Crypto-agility is an approach that enables systems to dynamically shift among multiple cryptographic algorithms, mechanisms and key management systems as needed to counter threats. It applies changes without interrupting the system's infrastructure. This approach is both a proactive defensive measure and an incident response tool that is used when a cryptographic algorithm is found to be compromised.
A successful crypto-agile system is one where the algorithms can be switched out with ease and at least partially through automation. The goal of agile cryptography management is to enable organizations to future-proof systems' abilities to counter threats to cryptography.
Steps to achieve crypto-agility
The best way to overcome post-quantum security challenges is to have a solid implementation plan, which should include the following:
- Create crypto-agile policies and processes. Create and implement policies and processes for shifting between algorithms if they become compromised. Automate these processes where possible.
- Develop communication and incident response plans. All organizational staff need to understand their individual roles in executing crypto-agile policies and keeping stakeholders apprised of changes. Also, train employees on any new tools and processes, as well as how to recognize and respond to post-quantum threats that might arise.
- Conduct a cryptographic asset inventory. Keep an inventory of cryptographic algorithms, digital certificates and key management systems to understand the full scope of PQC migration and to determine where to implement PQC algorithms first. Review regularly to keep the inventory up to date.
- Deploy a key management system. Cryptographic keys need to be managed, updated and rotated on a consistent basis. Key management systems help automatically create, store and alternate cryptographic keys.
- Implement a public key infrastructure for PQC. Use PKI to automatically create, distribute, manage, maintain, and replace keys and digital certificates.
- Consider legacy systems. Avoid potential issues by creating a pragmatic migration plan for nonagile systems. First, determine which systems and applications can be updated, and then discern how to update and secure them. Be sure to budget for costs associated with transitioning to PQC.
- Perform rigorous systems testing and ongoing validation. Test and audit quantum security controls and processes to detect and remediate weaknesses and vulnerabilities. Also, consider backups and recovery strategies.
- Prepare for future threats with quantum computing. Quantum computing can help elevate an organization's security posture. For example, consider quantum machine learning, which will be able to expedite threat identification and detect attacks before they penetrate a network.
Amy Larsen DeCarlo has covered the IT industry for more than 30 years, as a journalist, editor and analyst. As principal analyst at GlobalData, she covers managed security and cloud services.
