
Start preparing for post-quantum data protection

Organisations that need to retain sensitive information for long periods of time need to start preparing for the post-quantum era, according to an IBM security architect

Changing cryptographic systems takes time and money, so organisations should waste no time in carrying out a post-quantum risk assessment to make the right investments at the right time, warns Christiane Peters, security architect for Benelux at IBM.

“The quantum-resistant cryptographic standards are expected to be completed in three to five years, so it is wise to use the time to think about the changes required to implement those standards,” she told the EEMA ISSE 2018 cyber security conference in Brussels.

The US National Institute of Standards and Technology (Nist) is currently in the process of testing and assessing submissions for post-quantum cryptography algorithms, and plans to select the best for inclusion in a post-quantum cryptographic standard.

While practical quantum computers capable of parallel processing are not yet a reality, once they exist, they will be a threat to most public key encryption systems in use today to protect sensitive data.

“Some legislation requires organisations to keep data for up to more than 30 years in some cases, so every organisation should assess their need to protect data into the future and start thinking now about how they will be able to future proof their encryption systems,” said Peters.

Algorithms developed in the 1990s by mathematician Peter Shor and computer scientist Lov Grover showed that a sufficiently powerful quantum computer could run them to attack public key cryptography schemes, said Peters, which is why organisations should start preparing now.


A post-quantum data risk assessment, she said, should include developing or updating existing crypto policies; creating an inventory of all systems and applications using cryptography; classifying data and mapping data flows; creating an enterprise-specific outlook and timeline for quantum safe crypto; and developing a post-quantum implementation strategy.

“Draw up an inventory and know where you use cryptography, but do not let anyone sell you ‘the’ post-quantum solution before the standardisation process is completed by Nist,” said Peters.
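The inventory and timeline steps above can be turned into a first-pass triage. The following is an added example, not code from the article or from IBM: it scores a constructed inventory by whether each asset's algorithm is broken outright by Shor's algorithm or weakened by Grover's, and whether the data's retention period plus migration time runs past an assumed quantum horizon. The asset records, the 15-year horizon and the 5-year migration estimate are invented placeholders; the article gives no such figures.

```python
# Added example (not the article's or IBM's code); assets and year figures are constructed.
from dataclasses import dataclass

# Shor breaks these outright; Grover roughly halves symmetric/hash security (AES-128 -> ~64 bits).
SHOR_BROKEN = {"RSA", "ECDSA", "ECDH", "DH", "DSA"}
GROVER_HALVED = {"AES", "ChaCha20", "SHA-256", "SHA-3"}

@dataclass
class Asset:
    name: str
    algorithm: str
    key_bits: int
    retention_years: int  # how long the protected data must stay confidential

def effective_bits(asset):
    """Post-quantum security level in bits; None if the algorithm is unclassified."""
    if asset.algorithm in SHOR_BROKEN:
        return 0
    if asset.algorithm in GROVER_HALVED:
        return asset.key_bits // 2
    return None

def assess(asset, horizon_years, migration_years, min_bits=128):
    """Return (priority, reason); data is exposed if it must stay secret past the horizon."""
    bits = effective_bits(asset)
    exposed = asset.retention_years + migration_years > horizon_years
    if bits is None:
        return "review", "algorithm not classified; needs manual review"
    if bits == 0 and exposed:
        return "high", "Shor-vulnerable and data outlives the quantum horizon"
    if bits == 0:
        return "medium", "Shor-vulnerable; plan migration once the Nist standard is final"
    if bits < min_bits and exposed:
        return "medium", f"Grover leaves about {bits}-bit security; move to a larger key"
    return "low", f"about {bits}-bit post-quantum security is adequate"

def triage(assets, horizon_years, migration_years):
    """Inventory rows (name, priority, reason) sorted with the highest priority first."""
    order = {"high": 0, "medium": 1, "review": 2, "low": 3}
    rows = [(a.name, *assess(a, horizon_years, migration_years)) for a in assets]
    return sorted(rows, key=lambda r: order[r[1]])

# Constructed sample inventory (not real systems).
INVENTORY = [
    Asset("hr-archive", "RSA", 2048, 30),
    Asset("site-vpn", "ECDH", 256, 1),
    Asset("backup-tapes", "AES", 128, 20),
    Asset("records-vault", "AES", 256, 30),
    Asset("legacy-app", "Blowfish", 128, 5),
]
```

Running `triage(INVENTORY, 15, 5)` puts the 30-year RSA-protected archive first, since its data outlives the assumed horizon, while the one-year VPN keys are only a planned migration item.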

In addition to preparing for the security of cryptography in the post-quantum era, she said organisations should ensure they are focusing enough effort and resources on data protection.

The costs of a data breach alone are prohibitive, not to mention the potential fines for loss of personal data, she said, highlighting findings from the latest Ponemon Institute study on the cost of data breaches, which put the average cost of a breach at $3.86m.

The study also shows the average cost of a lost or stolen record is $148 per record, the likelihood of a recurring breach is 27.9%, and the average time to identify a breach is 196 days.

However, the study found the average cost saving with extensive use of encryption is $13 per record. “The overall finding of the report is that investing in security, and encryption in particular, pays off in the longer term,” said Peters.

“However, encryption is just one element, and success in data protection is ultimately not just about having various capabilities, but about the level of maturity in those capabilities and the level of integration between them.”

Other capabilities

Other capabilities working in concert with encryption include things like certificate management, mobile device management, application scanning, data loss prevention, security incident response, access control, data classification and digital forensics.

“There is no silver bullet, but a combination of capabilities working together and integration at a technology and process level so the right teams within an organisation are connected is what is most effective,” she said.
