top of page
Julie Taylor

A CISO's Guide to Preparing for a Post-Quantum World

Last month, NIST released the first three finalized post-quantum encryption standards. Global powers like the US, China, Germany, and France have already pledged over $55 billion in quantum computing research and development, including initiatives to train thousands of quantum-ready engineers for when quantum computing becomes viable. With all the efforts and breakthroughs, quantum computing is no longer a distant reality – experts believe this could happen within the next five to seven years.


If there’s one thing to learn from the sudden generative AI boom, it’s that long-anticipated technologies can go mainstream virtually overnight. If people, institutions, and organizations aren’t ahead of the transformation, societal and cyber-level repercussions can be immense. We’re still grappling with the lack of regulation in the generative AI and LLM market. With quantum computing on the horizon, now is the perfect time to prepare and act.


Quantum Computing Could Crack Today's Encryption Standards


PQC Migration

One of the looming threats for when quantum computing becomes viable and accessible is in public key cryptography. Quantum computers will soon reach sufficient capability to potentially break RSA and Elliptic Curve Cryptography (ECC) in seconds or minutes, compared to the millions of years it would take classical computers. This would lead to a sudden overhaul of existing security infrastructure unless everyone preemptively shifts to post-quantum cryptographic (PQC) algorithms before the threat becomes imminent.



That’s why NIST urges system administrators, software providers, CISOs, and other stakeholders to start now, as full integration will take time. Soon, information security and data regulations will require organizations to implement PQC or at least demonstrate an actionable migration plan. However, given the extensive sprawl of IT products and data, post-quantum migration can feel overwhelming for CISOs already burdened by modern threats and fast-changing regulations. 


The recent NIST announcement of finalized PQC standards brings critical considerations for CISOs, and here’s all they need to know and are expected to do: 


The ABCs of the PQC Standards


The three newly released PQC standards include one scheme for cryptographic key encapsulation and two for digital signatures. The three finalized standards are:

  1. Federal Information Processing Standard (FIPS) 203: The primary standard for general encryption, featuring comparatively small encryption keys that two parties can exchange easily and a high speed of operation.

  2. FIPS 204: The primary standard for protecting digital signatures, based on the NL-DSA algorithm. 

  3. FIPS 205: Also for digital signatures and intended as a backup method in case ML-DSA proves vulnerable.


These standards are the fruit of a long-running global effort since 2016. Additional schemes may be standardized in the coming years, but they will mostly function as backups to these three schemes. So NIST is encouraging the immediate adoption of these standards without waiting for evaluations of additional algorithms. 


How to Migrate to Post-Quantum Cryptography Schemes?


Here’s a brief overview of what your PQC migration plan could look like:

  1. Assessment and inventory of all systems, applications, and data relying on cryptographic functions, such as encryption, digital signatures, and key exchanges.

  2. Compatibility analysis of current infrastructure with PQC algorithms.

  3. Planning a phased approach for gradual integration of PQC algorithms.

  4. Updating current key management practices to accommodate the new PQC algorithms.

  5. Testing PQC algorithms in a controlled environment to validate performance and compatibility.

  6. Continuous monitoring of performance and security of the newly implemented PQC systems.

  7. Maintaining contingency plans in case of unforeseen vulnerabilities or performance issues with the new algorithms.

  8. Keeping up with ongoing developments in PQC and having a plan ready to update algorithms in the future as the field evolves.


It may seem daunting, but CISOs can take comfort in knowing that a significant portion of cryptography is integrated into products like web browsers, networking equipment, and databases. Companies like Google and Cloudflare have already announced their implementation of PQC in their products and systems. By simply updating their products (such as Chrome) and underlying libraries (like OpenSSL), users will be transitioned to PQC automatically. However, one major blind spot and challenge during these migrations will be managing unstructured data.


CISOs Should Prioritize Migrating Unstructured Data to PQC Standards


Unstructured data accounts for around 90% of all enterprise data and is growing exponentially, doubling every 18 months in sectors like finance. Migrating protections for unstructured data presents significant challenges, including the difficulty of classifying and organizing diverse file types and the complexities of applying consistent security controls across various data formats. As such, CISOs need to:

  1. Identify and classify which unstructured data must be retained and secured for the next 30 years or so. 

  2. Automatically protect identified data using PQC standards and in a manner that is minimally disruptive to existing workflows and applications.

  3. Implement user-friendly and seamless methods for users to still use documents and data protected by PQC without additional hoops to jump through.

  4. Ensure that protected data remains usable by AI agents and models during both training and operational phases.


The fact of the matter is that AI is here to stay, and looking forward, as quantum computing becomes more viable and gains traction, the AI and ML algorithms will become even more sophisticated and data-hungry. So the ability to use protected unstructured data for AI use without sacrificing PQC protections should be a huge priority.


Confidencial – It’s More than a Quantum-Ready DSPM

As a leader in data-centric security solutions for unstructured data and the inventor of patented selective encryption technology, Confidencial has long anticipated the shift to PQC standards. We recognized this transition early and are proud that we are well-prepared for the change.

Our enterprise data protection platform is designed from the ground up to be seamlessly upgradeable to PQC standards.

  • Our collaboration apps, Confidencial SDX and Confidencial Sign, which handle secure document exchange, large file transfers, and seamless e-signatures, are all end-to-end encrypted. They can be upgraded to use NIST's new PQC standards with just a configuration change by administrators – no complex migration plans are required.

  • Our next-gen DSPM product, Cloud Protector, helps enterprises automatically identify unstructured data requiring PQC protection. It plans and automatically executes this migration by encrypting and/or signing entire files or only sensitive portions using PQC, which is already considered quantum-safe.


With Confidencial’s data-blind architecture, your data remains in the safest hands – yours! We cannot view or access your data, as it is never stored on our servers. Confidencial protects your data where it resides and throughout its journey across networks, clouds, and local machines until deletion. With Confidencial, your data is secure now and for the coming decades.

Get in touch now to book a live demo and see Confidencial in action!




22 views0 comments

Comments

Couldn’t Load Comments
It looks like there was a technical problem. Try reconnecting or refreshing the page.
bottom of page