Paul German, CEO, Certes Networks, explains the risk associated with bulk encryption strategies and the importance of crypto-segmentation in reducing criminal exposure to data in a post-quantum world
It is now inevitable that the encryption algorithms used to secure vital data across the world – from defence and banking to infrastructure and air travel – will be breached. With the escalation in computing power enabled by quantum technology, the question is not if, but when potentially devastating breaches will occur.
With ‘harvest now, decrypt later’ hacking strategies currently in progress, criminals are banking on the power of quantum computing to allow them to unlock huge data resources. The onus is on companies not just to consider the future quantum threat but to determine how best to protect current resources today.
Here, I explain the risk associated with bulk encryption strategies and the importance of crypto-segmentation in reducing criminal exposure to data in a post-quantum world.
A quantum leap
Quantum computing is edging ever closer to reality, with venture capitalists investing almost $1.02 billion in quantum computing start-up companies in 2021 alone. While there is huge excitement around the step change in AI performance, there are issues such as the quantum computing power which could be unleashed– to which the security implications are potentially devastating.
Globally, security experts expect quantum computers to herald the breach of the asymmetric cryptography used to secure everything – from defence to infrastructure. While classical compute power would take billions of years to execute Shor’s Algorithm, which is proven to break the encryption strategies currently in place, the arrival of a quantum computer of sufficient size and complexity totally changes the game.
For companies reviewing security strategies, this post-quantum security threat is not in the future; it is not about considering how to respond when quantum computing becomes available. Criminal organisations globally are embarking upon mass data harvesting and breach schemes today on the basis that even though the information cannot be immediately decrypted, at some point in the future, access to quantum compute power will unlock these information resources. Systems are at risk – not in the future, but today.
Time and data
While security bodies across the world, including Open SSL, are working hard to develop new quantum-proof algorithms, no organisation can afford to wait. Changes need to – and moreover can – be made today to safeguard current data resources and reduce the decryption risk posed by quantum computing. What is required is both a change in mindset and a change in technical approach to the solutions already available.
A key step is to minimise the value of ‘harvest now, decrypt later’ strategies by reducing the amount of ‘usable’ data collected during a breach. During many recent attacks, criminals have been able to spend months collecting data – and although it is encrypted, they had the time (often months) to access vast data sets. This enabled them to build up enough knowledge about the encryption algorithm being used to know that, once they have the opportunity to use quantum computing, they will be able to break the key and have full access to the entire data resource.
Today’s priority is to institute data security policies that radically reduce the time and data available to criminals.
Many organisations are starting to adopt micro-segmentation as part of their data security policies. While this is a step in the right direction, unless they are also applying cryptography, ultimately, data harvesting is still a very real threat.
It is also vital to recognise the inherent risk associated with the bulk encryption model: using the same encryption key, however strong, to protect all data resources is not a robust policy. Once in, a criminal has one data set to work with, one encryption key to identifying.
The concept of crypto-segmentation, however, is based on a far more nuanced approach to protecting data, defining different data classes for each data type and protecting each class with its own encryption strategies, algorithm and encryption key.
In addition to creating multiple data classifications, regular rotation of the encryption keys used for each class will also hugely limit a criminal’s time with any data set. If keys are being rotated every hour, for example, anyone capturing the data has minutes, not months, to work on a data set. That means minutes to understand the data; to determine which data packets belong to which data classification, group the data sets together to create a sample; identify the encryption strategies used for each data class and then reverse engineer the keys. Plus, with very small sample sizes in each data class, it becomes incredibly difficult to crack the keys being used.
Incorporating new standards
The next generation of post-quantum encryption strategies are being developed. But this is a challenge that will never disappear – especially for security agencies that are required to retain data for decades. With the phenomenal growth in computer power, tomorrow’s groundbreaking algorithm will be easy to break in five, ten, or twenty years’ time – however smart the algorithm is, no organisation can risk reliance on one encryption key.
Bulk encryption is inherently flawed, which means organisations must maximise the value of an array of standard encryption algorithms. Using crypto-segmentation and key rotation is an important step, significantly increasing protection against the quantum threat even with current encryption algorithms. As and when new post-quantum encryption standards are introduced, they can be incorporated into this model to maximise the organisation’s protection.
Encryption strategies need updating now
This threat is not in the future; it is happening today. ‘Harvest now, decrypt later’ breaches are occurring right now. Quantum compute services in the cloud offer criminals the chance to buy a slice of quantum power. Algorithms will continue to evolve and improve; criminals will continue to gain access to ever more powerful computers. By creating multiple data classes and using regular key rotation, not only is the limited data set harder to decrypt, but it is also likely to offer far less value; value is outweighed by the enormous cost of quantum compute power.