
Defense In Depth Must Be Part Of Any Quantum Security Conversation

CEO and founder of Safe Quantum Inc., working with data-driven companies to define, develop and deploy quantum-safe technologies.

While a quantum internet may still be years away, the threats posed by powerful quantum technology such as a cryptographically relevant quantum computer must be discussed today. The short, simple reason is risk.

No one in cybersecurity today deploys a simple antivirus software and thinks it's going to be enough. After all, a one-solution defense is the very definition of a single point of failure. Instead, CISOs use an array of tools as part of a holistic defensive strategy: controls at the application and network layers, anomalous process detection on computers, and now machine learning and AI that can detect and remediate issues.

We're now faced with a similar challenge in post-quantum security. As quantum computing advances, it threatens to break traditional cryptographic schemes like RSA and ECC. Implementing quantum-resistant algorithms (often referred to as post-quantum cryptography, or PQC) as part of a defense-in-depth strategy ensures that data remains protected even as quantum capabilities evolve.

We know post-quantum cryptographic algorithms have great protection potential. Yet they still represent a single approach, a single defense and, ultimately, a single point of failure.
That single point of failure will persist until we add something else that is completely different. And that something is based on quantum physics. Adding additional levels of security, including quantum key distribution (QKD) and other quantum-based technologies, eliminates the single point of failure. Defense-in-depth buys insurance and creates crypto agility in these unsure times.

Earlier this year, however, John Burke, principal director of quantum science in the Office of the Under Secretary of Defense for Research and Engineering, included in his keynote speech at the 2024 Photonics West conference some so-called issues that amount to a report card for QKD. The good news is that the number of issues of concern has been reduced to the following:

1. QKD Initial Authentication: In this arXiv paper and in previous Forbes columns, I've detailed how that concern has been mitigated through various well-known authentication approaches. I advocate for pre-placed keys generated by PQC algorithm CRYSTALS Dilithium.

2. Risks Of Man-In-The-Middle Attacks And Denial Of Service: Key management systems (KMS) can be used to manage cryptographic keys in a secure environment, providing data communication route diversity and redundancy that protects against malicious attempts to disrupt service. There are other aspects of setting up a QKD network that also address this fear.

3. MDI-QKD Effectiveness Over Distance: The concern of side-channel attacks on QKD security systems can be removed with measurement-device independent QKD, or MDI-QKD, which can generate up to 390 keys per second even at distances up to 200 kilometers. Limited key rate and range seem to be a solved issue, per this research.

While quantum computing introduces new challenges to cybersecurity, a defense-in-depth strategy that includes QKD provides a robust framework for safeguarding against these and other threats by layering multiple, diverse defensive measures.
While strong cryptographic algorithms form a crucial foundation for secure systems, a defense-in-depth strategy for quantum cybersecurity is highly valuable due to the fundamentally different nature of quantum computing compared to classical computing.

1. Layered Security: The core concept of defense-in-depth is to have multiple security layers, so if one layer is breached, others still provide protection. This is crucial in a quantum context, where certain cryptographic protocols may become vulnerable. Additional layers, such as physical security, secure admin procedures and advanced quantum-resistant algorithms, help ensure overall system integrity.

2. Enhanced Risk Management: By employing a variety of security measures, organizations can better manage the risk of quantum attacks. This includes regular updates to security protocols, adopting new standards as they become validated and continually assessing the quantum threat landscape. This approach is neatly summarized as crypto agility, which will be necessary in our dynamic quantum security environment.

3. Redundancy: Defense-in-depth inherently incorporates redundancy in security measures. This redundancy can be critical in mitigating the impact of a security breach, especially when conventional encryption methods are compromised by a quantum computer attack.

4. Adaptability: A multilayered approach allows organizations to adapt to emerging threats in a more flexible manner. As quantum technologies and their associated threats evolve, security strategies can be adjusted layer by layer, without overhauling the entire security infrastructure.

5. Comprehensive Protection: Beyond just cryptographic solutions, defense in depth includes policies, controls and monitoring systems that address a broad spectrum of vulnerabilities, including insider threats, physical breaches and operational errors, thus providing comprehensive protection.
This approach not only prepares organizations for current cyber threats but also equips them to handle future developments in quantum technology.

Instead of continuing to question QKD, I urge my government colleagues to fully evaluate the technology and others. The time is now for the U.S. Department of Commerce, led by Secretary Gina Raimondo, to authorize NIST to develop a protection profile for QKD so that NIST and NIAP laboratories can certify QKD as secure for all applications, including those of the U.S. Department of Defense. Without a quantum-based QKD security defense, we will be defending ourselves with a single-point-of-failure approach, and that just is not good enough.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.

John Prisco
