The commercial availability of quantum computers that can compromise traditional asymmetric cryptography is still five to 10 years away. But security and risk (S&R) professionals must assess and prepare for the impact of quantum security now. While the encryption market has a history of vendors publishing incredible claims like “unbreakable encryption,” the hype and interest around quantum is real because hackers are already using the “harvest now, decrypt later” approach. This new report examines the governance, strategy, architecture, and impacts of quantum security over the short-, medium-, and long-term horizons.
Quantum Security Should Be The Security Foundation Of Your Environment
Quantum security and cryptoagility (the ability to replace and upgrade cryptographic algorithms in infrastructure, commercial, and in-house-built applications) will improve the security of any information exchange, improve digital signatures, and mitigate the risk of “harvest now, decrypt later” attacks.
We see quantum security as consisting of several technologies, including post-quantum or quantum-computing-resistant key exchange, digital signatures, key generation and management, cryptographic algorithm discovery and inventory, certificate management, cryptographic algorithm change management (cryptoagility), and quantum key distribution (QKD). With quantum security, organizations can expect to:
- Build a future foundation for security. Quantum security will force an overhaul of systems across an organization’s: 1) on-premises and cloud computing, 2) storage and network infrastructure, 3) commercial off-the-shelf software, 4) commercial software-as-a-service (SaaS) offerings, and 5) software built in-house. Organizations will need to upgrade their entire security stack to ensure future cryptoagility and protect their data.
- See quantum security requirements accelerate security investment. Three key externalities — third-party partner management and business requirements, regulatory requirements, and cyber insurance requirements — will drive new investments in security technologies and services. Quantum security will impact all three, putting additional pressure on organizations to act, demonstrate proof of cryptoagility, and use pluggable and easily manageable cryptographic algorithms across infrastructures and point products.
- Find increasing clarity and guidance from standards bodies and governments. Organizations, technology vendors, and industry groups have been waiting for quantum security standards. NIST released the first three finalized post-quantum encryption standards in August 2024. This kicked off a flurry of announcements from Amazon, Google, and IBM highlighting their ongoing contributions to standards and working groups, current implementations of quantum security in products and services, and migration activities. Governments around the world have also issued guidance on migration to post-quantum cryptography, with some specifying requirements and migration timelines.
Quantum security will impact all areas of security, including certificate and key management, data encryption and digital signatures, TLS and secure communications, and authentication. This demands that organizations have a plan for building in cryptoagility and build a security architecture that can operate securely in a post-quantum world, even if quantum computing is still several years away.
Our report examines how quantum security will deliver ROI over the short, medium, and long term, identifies the key factors influencing each timeline, and provides guidance on how organizations can increase their security posture today while preparing for tomorrow. Such opportunities don’t come along often, so S&R pros need to begin planning for cryptoagility now.
If you are looking to better understand the implications of quantum security on your security architecture, please read our report and schedule an inquiry or guidance session with us.