Vince Burke is Chief Strategist at Quantum Xchange, a post-quantum cryptocurrency provider. AI/ML PhD, Founder of FlowTraq.
Today, cryptography is based on algorithms: mathematical equations specially designed to scramble plaintext and make it unreadable until it is decrypted.
These cryptographic algorithms evolve and change over time. However, until recently most relied on the mathematics of the RSA standards from more than 40 years ago. The latest algorithms were developed by the US Department of Commerce's National Institute of Standards and Technology (NIST), which last year selected finalists for encryption methods specifically designed to withstand a quantum computing attack.
As math changes and RSA security algorithms fail, become obsolete, or are superseded by this new post-quantum cryptography (PQC), it's time to think about how to manage these migrations in the enterprise.
This type of encryption forms the basis of all communications sent over your network, so surely an important component of your security profile is already well managed, right?
Unfortunately this is not the case.
Today, security policies apply to objects (networks, laptops, desktops) and anyone using the operating system through those objects.
But the algorithms behind cybersecurity are not “objects”. They are present in every software application, server or cloud infrastructure. And in many cases, information security experts do not know which algorithms are used where.
We know that just like the new PQC algorithms I talked about in my previous article, RSA will also contain bugs. The question for every information security manager is: what can you do to reduce your risks and successfully transition your IT infrastructure into the quantum age?
Most importantly, you should implement a cryptographic resiliency policy as an extension of your security management.
Today, basic cryptographic security resides at the certificate level (i.e. management of certificate keys or user authentication keys). Major management platforms have a level of policy control where you can set minimum standards, such as how long keys remain valid or which actions require authentication.
Such policies should also regulate encryption algorithms. This would provide cryptographic flexibility to facilitate the use of changing algorithms, minimum standards, and even cryptographic reserves.
For example, suppose your main customer platform uses an algorithm that fails. A crypto resiliency policy means you know which algorithm is being used and can replace the failed algorithm with a new one through a simple policy adjustment.
This goes beyond "troubleshooting" in the software, if you will, to security checks at the mobile level.
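One way such a policy could look in code, as an added example that is not from the original article or from any vendor's product: every protected record carries the identifier of the algorithm that produced it, and a policy object decides which algorithm is active, which is held in reserve, and which are still accepted. HMAC from the Python standard library stands in for the encryption algorithms the article discusses; `CryptoPolicy`, `protect`, `verify`, `inventory` and the algorithm identifiers are assumptions of this example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Hypothetical registry: algorithm identifier -> hash constructor.
# The identifiers are this example's own naming, not a standard.
REGISTRY = {"hmac-sha256": hashlib.sha256, "hmac-sha3-256": hashlib.sha3_256}

@dataclass(frozen=True)
class CryptoPolicy:
    active: str         # algorithm used for newly protected data
    reserve: str        # pre-approved replacement (the "cryptographic reserve")
    allowed: frozenset  # minimum standard: identifiers still accepted on verify

    def fail_over(self, broken: str) -> "CryptoPolicy":
        """Policy adjustment: retire `broken`, promote the reserve if needed."""
        active = self.reserve if self.active == broken else self.active
        return CryptoPolicy(active, self.reserve, self.allowed - {broken})

def protect(policy: CryptoPolicy, key: bytes, message: bytes) -> str:
    """Tag a message; the tag records which algorithm produced it."""
    digest = hmac.new(key, message, REGISTRY[policy.active]).hexdigest()
    return f"{policy.active}${digest}"

def verify(policy: CryptoPolicy, key: bytes, message: bytes, tag: str) -> bool:
    alg, _, digest = tag.partition("$")
    # Retired or unknown algorithms are rejected even if the digest matches.
    if alg not in policy.allowed or alg not in REGISTRY:
        return False
    expected = hmac.new(key, message, REGISTRY[alg]).hexdigest()
    return hmac.compare_digest(expected.encode(), digest.encode())

def inventory(tags) -> dict:
    """Answer 'which algorithm is used where' from the stored tags."""
    counts = {}
    for tag in tags:
        alg = tag.partition("$")[0]
        counts[alg] = counts.get(alg, 0) + 1
    return counts
```

Application code calls only `protect` and `verify`; which algorithm runs is decided by the policy object, so a failed algorithm is retired by replacing the policy, and `inventory` shows how much stored data still needs re-protection.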
Another thing you can do is talk about managing encryption policies. As in the early days of computing, when data storage and application logic were separated into common SQL database entries, it's time to move cryptography out of the application layer and into dedicated and risk-tolerance policies.
You should also seek and encourage collaboration from your vendors in implementing cryptographic governance and controls. You can create a Crypto Light backup plan for your technology. This also applies to cloud providers.
If you belong to IT consortia or professional bodies, encourage the formation of crypto resilience working groups to identify best practices and opportunities. As an industry, we need leaders to strengthen and define crypto governance policies to ensure minimum standards for security, infrastructure, operating systems, services and providers.
We must be vigilant when it comes to eliminating single points of failure in cryptography, and there's no better place to start than the beginning of your security system. Based on the above tips and guidelines, a cryptocurrency management enterprise platform can future-proof your data and communication networks and protect your business.
The Forbes Technology Council is an invitation-only community for global CIOs, CTOs, and technology leaders.
