Achieving Crypto-Agility for Quantum-Safe Enterprises
Source: https://www.youtube.com/watch?v=5jPvRs96Kx4
Duration: 00:08:33
Key Points
- Quantum computing will soon jeopardize current encryption, so enterprises must start building quantum-safe security today.
- Achieving “crypto-agility” – the ability to swiftly adopt new cryptographic algorithms as threats evolve – requires a structured framework.
- The framework consists of three pillars: governance (defining standards, policies, and algorithm adaptability), supply-chain security, and technology implementation.
- Within governance, maintaining algorithm adaptability, complying with recognized standards, and using an open Cryptography Bill of Materials (CBOM) ensure consistent, auditable crypto inventories and rapid response to emerging vulnerabilities.
Sections
- 00:00:00 (https://www.youtube.com/watch?v=5jPvRs96Kx4&t=0s) Quantum-Ready Crypto-Agility Framework - Enterprises must adopt a crypto-agility framework (governance, supply chain, and technology) to swiftly replace vulnerable encryption and achieve quantum-safe security.
- 00:03:20 (https://www.youtube.com/watch?v=5jPvRs96Kx4&t=200s) CBOM and Crypto-Agility Supply Chain - The speaker describes how a Cryptography Bill of Materials (CBOM) creates a single, open-standard inventory for enterprises to enforce compliance and governance, and emphasizes mapping cryptographic implementations across all supply-chain assets to understand and mitigate risk.
- 00:06:31 (https://www.youtube.com/watch?v=5jPvRs96Kx4&t=391s) Centralized Cryptography Abstraction & Automation - The speaker stresses that organizations must abstract cryptographic functions into a single, centrally managed layer and automate their configuration and lifecycle to stay agile and avoid widespread code changes.
Full Transcript
Enterprise organizations must prepare today for the cybersecurity threat of the future.
It won't be long before quantum computers
are able to break the encryption schemes that protect our most valuable data today.
And even now we see that threats are emerging every day.
So how do enterprises protect themselves and build a secure, quantum-safe future?
It starts with a foundational capability, what we call crypto-agility.
Crypto-agility refers to the ability of an organization, an application, a system, or even a platform
to quickly adopt cryptography mechanisms and cryptography algorithms
in response to changing threats and technological advances, but also vulnerabilities.
Of course, this raises the question: how do you, as a cybersecurity leader and practitioner, achieve crypto-agility?
Honestly, in order to achieve crypto-agility, you need a framework,
a framework that can help you understand the capabilities that are most critical
to ensure the long-term security, privacy and compliance of your enterprise.
And this framework is made up of three components.
The first one is governance,
and the second one is the supply chain,
and the third one is technology.
Let's review each of these three components, starting with governance.
When we talk about governance, it's actually the ability of an organization to
understand the standards and policies related to its cryptography.
That means industry-related standards and best practices, selecting the right algorithms based on their security needs,
and ensuring the algorithms comply with the regulatory requirements.
Cryptography governance also defines the guidelines for algorithm selection, standardization and periodic reviews
for incorporating new standards and deciding when old standards are outdated.
And the first capability that is most essential to good governance is what we call algorithm adaptability.
Algorithm adaptability means an organization's ability to accommodate a wide range of cryptography algorithms:
symmetric encryption, asymmetric encryption, the classical or
the new quantum-safe algorithms, and even hashing and digital signatures as well.
And the other important capability from a governance perspective is what we call standards compliance.
What do we mean by that?
It is enabling enterprises to make sure they support recognized cryptography standards,
and the way to do that is by enabling a single source of truth for the enterprise that
keeps the cryptography inventory in a common format.
And that format is usually called the Cryptography Bill of Materials, or CBOM.
CBOM is a cryptography standard that communicates all the information that you need to be agile, and it fulfills
the automating of risk management, enabling compliance,
but also challenging enterprises or government agencies to enforce their own governance framework.
CBOM is an open standard, making it a convenient tool for organizations, who can point
the increasing number of vendors in their supply chain
that provide software, hardware and other technologies to it, ensuring the right justification for their governance needs.
Let's talk about the second component of the crypto-agility framework, which is supply chain.
What we mean by supply chain is, honestly, understanding the enterprise
infrastructure landscape, which means knowing about the applications,
the network
and the systems.
It is important to know what cryptography is being implemented in
each of these assets that you are acquiring from multiple different vendors,
because it creates a risk that you must understand
while you are trying to understand whether the cryptography implementation will meet
the requirements of the cryptography compliance regulation that you need to abide by.
This is very important because quantum-safe cryptography will just be another source of vulnerability.
We know that.
And it is also important to find out how these components have dependencies on each other.
That means there are different cybersecurity regulations that point to understanding the supply chain.
This includes frameworks like NIST, DORA and NIS2.
All view supply chain management as a key cybersecurity measure.
Without the information and availability from the supply chain,
it is not possible to plan a successful cybersecurity migration.
Let's talk about the last component of this framework, which is technology.
Cryptography functions should be separated from being hard-coded
into each of the organization's network, applications and systems.
This is one of the key requirements, what we call modularity.
What we mean by modularity is that every time you need to replace a cryptography scheme or an algorithm,
you should not be required to shut down your entire organization.
Rather, you should be able to quickly adopt the new algorithms and keep running seamlessly.
The other important capability you must have in the organization is what we call abstraction.
What we mean by abstraction is, obviously, how you can detach the hard-coded
cryptography implementations from your applications, but also from your network
and systems, so that every time you are making a change in cryptography, you don't make the change
in a thousand different places; you make it in a single place,
a centralized place, and replicate those changes across the other places.
This is only possible if you have abstracted the cryptography implementations within your applications.
And this is very important in order for you to really be agile.
The next important thing is what we call automation.
What we mean by automation here is that you must have dynamic capabilities to configure and manage your cryptography,
so that any time you need to manage cryptography parameters,
encryption techniques, the type of certificate management
or other key management capabilities across the infrastructure,
you should be able to dynamically change and configure them and
require them to be updated as needed, and automation tools and scripts can help
handle tasks like examinations, rotations,
and updating the cryptography settings based on predefined policies and events.
Together these three components,
governance, supply chain, and technology, will enable your enterprise to develop true crypto-agility.
They will allow you to create a secure environment that is flexible, compliant and ready for the quantum-safe future.
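The abstraction, automation and CBOM ideas from the talk in one small piece of code, as an added example that is not part of the video or of any product it mentions: every caller goes through a single policy-driven provider, so migrating to a new algorithm is one change to the policy rather than edits at a thousand call sites, and the provider records what it actually used so a CBOM-style inventory can be emitted. The policy contents, the class and method names, and the inventory's JSON layout are constructed for this example (the layout is not the CycloneDX CBOM schema); only standard-library hashing and HMAC are used, as stand-ins for the signature and encryption primitives an enterprise would route the same way.

```python
"""Policy-driven crypto abstraction layer (added example; stdlib only)."""
import hashlib
import hmac

# Governance policy, kept in ONE place. Contents are constructed for this
# example; an enterprise would load its own approved-algorithm list here.
POLICY = {
    "digest": {"approved": ["sha256", "sha3_256"], "deprecated": ["md5", "sha1"],
               "default": "sha256"},
    "mac":    {"approved": ["sha256", "sha3_256"], "deprecated": ["md5", "sha1"],
               "default": "sha256"},
}


class CryptoProvider:
    """Single entry point for crypto operations. Callers normally name no
    algorithm at all, so a migration is a change to POLICY, not to call sites."""

    def __init__(self, policy=POLICY):
        # Copy the per-purpose dicts so migrations on one provider do not
        # silently rewrite the shared POLICY for everyone else.
        self.policy = {purpose: dict(rules) for purpose, rules in policy.items()}
        self.inventory = {}  # (purpose, algorithm) -> number of observed uses

    def is_allowed(self, purpose, algorithm):
        rules = self.policy[purpose]
        return algorithm in rules["approved"] and algorithm not in rules["deprecated"]

    def _select(self, purpose, algorithm):
        algo = algorithm or self.policy[purpose]["default"]
        if not self.is_allowed(purpose, algo):
            raise ValueError(f"{algo} is not approved by policy for {purpose}")
        self.inventory[(purpose, algo)] = self.inventory.get((purpose, algo), 0) + 1
        return algo

    def digest(self, data, algorithm=None):
        return hashlib.new(self._select("digest", algorithm), data).hexdigest()

    def mac(self, key, data, algorithm=None):
        return hmac.new(key, data, self._select("mac", algorithm)).hexdigest()

    def migrate_default(self, purpose, algorithm):
        """The one-place change: every later caller picks up the new default."""
        if not self.is_allowed(purpose, algorithm):
            raise ValueError(f"cannot migrate {purpose} to unapproved {algorithm}")
        self.policy[purpose]["default"] = algorithm

    def cbom(self):
        """CBOM-style inventory built from observed use (constructed layout)."""
        return {"components": [
            {"type": "cryptographic-asset", "purpose": p, "algorithm": a, "uses": n}
            for (p, a), n in sorted(self.inventory.items())]}
```

Wiring real signing or encryption libraries behind the same `_select` gate is the point of the pattern: the deprecated list and the default are then the only things a quantum-safe migration has to touch.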