Intelligent CISO Issue 59 | Page 34


can then decide what data you need to protect first as you begin a phased deployment of post-quantum cryptography.

We often describe data as having a ‘half-life’, much like nuclear material: it loses value and relevance over time. Something may be critical business data today but not in a week, a month, a year or a decade. When you assess the value of your data, measure that value over time against the cost of implementing any additional protection.
Of course, there will always be critical digital assets, such as sensitive intellectual property, state secrets and sensitive personal records, that need protection for decades. In some sectors, regulation mandates that such information be protected for 10+ years, and that retention period should be factored in when assessing and prioritising what data to protect first.
Once you have assessed and identified your high-value digital assets, the next stage is to assess the exposure of that data at rest, in transit and in use. Most organisations use Hardware Security Modules (HSMs) to store and protect their encryption keys, so consider how those modules will support post-quantum algorithms: the NIST standards ML-KEM (FIPS 203) and ML-DSA (FIPS 204) use larger keys and signatures than RSA or elliptic-curve schemes, and an HSM may need a firmware update or a newer model before it can generate and use them.
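The half-life and regulatory-retention ideas above can be turned into a repeatable prioritisation. The following is an added example, not code from the article or its author: it combines the data half-life with Mosca's inequality (an asset is at risk when its required protection lifetime X plus the migration time Y exceeds the assumed time to a cryptographically relevant quantum computer Z). The migration and horizon figures, the scheme lists, the "four half-lives" rule and the asset inventory are all assumptions for illustration.

```python
"""Rank data assets for a phased PQC rollout by protection lifetime and exposure.

Added example: the 'half-life' and regulatory-retention ideas from the text are
combined with Mosca's inequality (X + Y > Z), which the article does not use.
All parameters and assets below are assumptions for illustration.
"""
from dataclasses import dataclass

# Planning assumptions (hypothetical; replace with your own estimates).
MIGRATION_YEARS = 3.0       # Y: years this organisation needs to migrate a system
CRQC_HORIZON_YEARS = 10.0   # Z: assumed years until a cryptographically relevant quantum computer

# Public-key schemes broken by Shor's algorithm, and PQ/hybrid schemes that are not.
QUANTUM_VULNERABLE = {"RSA", "DH", "ECDHE", "ECDSA", "X25519"}
PQ_SAFE = {"X25519MLKEM768", "SecP256r1MLKEM768", "ML-KEM-768", "ML-DSA-65"}


@dataclass
class Asset:
    name: str
    value_half_life_years: float  # time for the data's value to halve
    retention_years: float        # regulatory minimum retention (0 if none)
    key_exchange: str             # public-key scheme protecting the data or its keys
    recordable_in_transit: bool   # ciphertext crosses links an adversary could capture


def remaining_value(asset: Asset, years: float) -> float:
    """Fraction of today's value the data still has after `years` (half-life decay)."""
    return 0.5 ** (years / asset.value_half_life_years)


def protection_lifetime(asset: Asset) -> float:
    """X: years the data must stay confidential.

    Value is treated as negligible after four half-lives (1/16 of today's),
    but a regulatory retention period always sets a floor.
    """
    return max(4.0 * asset.value_half_life_years, asset.retention_years)


def urgency(asset: Asset) -> str:
    """Classify an asset for the rollout.

    'migrated': already on a PQ-safe scheme.
    'urgent'  : quantum-vulnerable, recordable in transit, and X + Y > Z, so
                traffic harvested today would still be valuable when decrypted.
    'plan'    : X + Y > Z but not recordable in transit (e.g. wrapped keys at
                rest only); rekey within the normal upgrade cycle.
    'defer'   : the data expires before a CRQC could plausibly read it.
    """
    if asset.key_exchange in PQ_SAFE:
        return "migrated"
    if asset.key_exchange not in QUANTUM_VULNERABLE:
        raise ValueError(f"unknown scheme {asset.key_exchange!r} on {asset.name}")
    at_risk = protection_lifetime(asset) + MIGRATION_YEARS > CRQC_HORIZON_YEARS
    if not at_risk:
        return "defer"
    return "urgent" if asset.recordable_in_transit else "plan"


_RANK = {"urgent": 0, "plan": 1, "defer": 2, "migrated": 3}


def prioritise(assets):
    """Return (name, urgency, X) tuples, most urgent and longest-lived first."""
    rows = [(a.name, urgency(a), protection_lifetime(a)) for a in assets]
    return sorted(rows, key=lambda r: (_RANK[r[1]], -r[2]))


# Constructed inventory for illustration (not real systems).
SAMPLE_ASSETS = [
    Asset("customer-pii-archive", 10.0, 10.0, "RSA", True),
    Asset("card-transaction-feed", 0.25, 7.5, "ECDHE", True),
    Asset("marketing-dashboard-cache", 0.02, 0.0, "ECDHE", True),
    Asset("ci-build-artifacts", 1.0, 0.0, "X25519MLKEM768", True),
    Asset("hr-records-backup", 5.0, 10.0, "RSA", False),
]

if __name__ == "__main__":
    for name, level, years in prioritise(SAMPLE_ASSETS):
        print(f"{level:8} {years:5.1f}y  {name}")
```

The "urgent" tier is the harvest-now-decrypt-later set: data whose ciphertext can be recorded today and will still matter when a quantum computer can recover the key exchange. Note that the transaction feed ranks as urgent despite its short business half-life, purely because the regulatory retention floor keeps X high; that is the interaction the article warns about. Bulk symmetric encryption (AES) is deliberately outside this model, since Shor's algorithm only affects the public-key schemes that exchange or wrap the keys.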
Learning lessons from adopting AES
As every CISO knows, even the best-laid plans rarely survive contact with the real world, and transitioning to PQC standards will undoubtedly bring challenges. One of the biggest will be avoiding significant accidental data loss. I remember, in the early 2000s, working as a security analyst helping to recover encrypted data (using gaming PCs with powerful GPUs) after a senior leader left the company without handing over the passphrase. The weak point was the passphrase, which was cracked in seconds; the encryption itself was never broken.
Cracking your way back in is simply not a viable recovery option anymore. Clear ownership of the transition process, with an understanding of the roles and responsibilities of the networking and security teams, will therefore be essential, together with joint KPIs, safeguards and checkpoints (such as escrowing keys before anything is re-encrypted) to prevent the organisation inadvertently losing access to its own data.
It would be wrong to assume from the outset that an organisation can migrate to new encryption standards everywhere at once. This matters especially for businesses that encrypt data continuously, such as transaction data. Imagine having to encrypt and decrypt terabyte-sized files just to share them internally because of a blanket policy: the performance cost, added latency and disruption to business functions would be severe. Bear in mind that the bulk encryption itself stays symmetric (AES) and barely changes; the extra cost of PQC lands on key exchange, signatures and certificate sizes, so those are the points to measure.
Instead, use the existing principles of Zero Trust to guide the rollout, leveraging a Secure Access Service Edge (SASE) platform to give network and security teams visibility of who is accessing those critical assets, not just on on-premises servers and databases but in cloud applications and cloud infrastructure. With that insight, dynamic policies can be applied so that these assets are protected by PQC where the need exists.
How to phase the transition
First, identify your key vendors and supply-chain partners so you can start engaging with them on how they will prepare for a PQC world. Adding this future-proofing requirement to the purchasing process will help accelerate the change, but its cost should always be weighed against the value of the assets being protected.
Secondly, consider your digital infrastructure, particularly public cloud. Engage with your HSM provider to discuss how they can assist in this transition. Also review your infrastructure’s regular maintenance and upgrade schedules and budgets for opportunities to fold the adoption of PQC-ready products into that process.
Finally, don’t treat encryption purely as a requirement for your own internal security. If your organisation provides digital products or services, the performance specifications for PQC encryption should be included in your own new product design pathways. These standards are the future and will be implemented in the
www.intelligentciso.com