Protecting data now as the quantum era approaches
Startup QuSecure is the latest vendor to jump into the field with its as-a-service offering
Protecting data now and in the future
Sanzeri also noted its backwards compatibility, enabling enterprises to use it now for today's threats.
"No enterprise is going to rip and replace," he said. "It's too risky. It's too expensive. You just don't do that. We built our own protocol switch, which allows them to move from quantum layers back to TLS layers and translate so that they can upgrade over time at their rate, at the speed they want to do it."
QuSecure, which was founded in 2019, has installed the beta version of the software suite at about a dozen sites, including DoD agencies and commercial organizations like global investment firm Franklin Templeton. The startup also recently signed a contract with a multi-billion-dollar US company that operates in the data management and storage space.
The first full version of the architecture will go into production in a few weeks and will include key management and orchestration, some policy management and the backwards compatibility and the crypto agility functions. The next version will add detection and active defense, he said.
Brown, the former DoD and DHS specialist and retired Navy rear admiral, said that when he saw a demonstration of QuSecure's architecture, "it made operational sense. There's a lot of proofing that needs to be done. That's why they're doing the proof-of-concepts. But from a defense or national security perspective … the ability to deploy in current legacy type infrastructure to solve today's problems while preparing to solve tomorrow's, I really like the engineering and the architecture support and then the overall operational environment."
It's also got other attributes important to enterprises, including being easy and efficient to deploy, given the skills shortage at most companies when it comes to quantum computing, he said.
Several quantum security options
Lawrence Gasman, a longtime industry analyst and founder and president of research and information site Inside Quantum Technology, said there essentially are three types of quantum security systems: post-quantum encryption, Quantum random number generator (QRNG) and quantum key distribution (QKD). Vendors are using combinations and variations of these systems in their offerings. That includes QuSecure with its post-quantum cryptography.
"Post-quantum encryption is real," Gasman told The Register. "There's nothing very special or quantum-ish about that. The algorithms around it have been proposed in NIST and will be sorted out. That's about as real as could be. You want things to be secure anyway and that makes it more secure."
- Take this $715,000 and find security gaps in quantum computers, says NSF
- JPMorgan Chase readies for post-quantum security world
- Crypto for cryptographers! Infosec types revolt against use of ancient abbreviation by Bitcoin and NFT devotees
- NSA: We 'don't know when or even if' a quantum computer will ever be able to break today's public-key encryption
The interest in post-quantum cybersecurity is growing. Gasman has seen it at conferences he organizes that focus on quantum computing. Brown runs much of the public sector events at the RSA Conference – which is coming up June 6 – and quantum technology is a key part of the conversations.
That makes sense, Gasman said. RSA encryption has been around for more than 40 years. It's had a good run, but the time is now for organizations to decide what the next step is.
"There are many who believe that it will be at least 10 or more years before quantum computers are practical and affordable [enough] to break strong encryption that is being used today," Sounil Yu, CISO at cybersecurity vendor JupiterOne, told The Register.
"Nonetheless, CISOs should take action today on crypto-agility initiatives to ensure that they can easily swap out cryptographic trust anchors. Regardless of when quantum computers become capable of breaking today's encryption, crypto-agility is a capability that is needed today."
Now is the time
Mike Parkin, senior technical engineer at cybersecurity firm Vulcan Cyber, told The Register that it's "hard to predict when quantum computing will make it into the mainstream and become a serious threat to our existing encryption schemes," he said.
- Biden orders new quantum push to ensure encryption isn't cracked by rivals
- Alphabet spins off quantum AI 'Sandbox'
- Terra Quantum nets $75m for cryptography, security work
- Why is IBM selling post-quantum crypto when it's still a pre-quantum company?
"It's possible, if unlikely, that hidden away in a classified lab somewhere there is already a quantum computer doing just that. The state of the art in quantum computing is advancing rapidly and it would be prudent to deploy quantum-resistant encryption sooner rather than later."
A survey earlier this month by Cambridge Quantum – which last year merged with Honeywell's quantum computing unit and emerged as an outfit named "Quantinuum" – found that 75 percent of the 600 respondents said that quantum attacks would defeat current encryption but only 13 percent have bought products to counteract the threat. That said, 38 percent indicated their companies will be ready within two years.
At this point, according to Brown, even if a cybersecurity offering "isn't true quantum capable," the question is, "how can we get some capability out there that is going to increase the amount of resources the bad guys, the nation-states, are going to have to devote to try to break the data information?" ®