Tag: cybersecurity services

Exploring the Importance of Post-quantum Cryptography: An Unbreakable Vault to Protect Enterprises Against Advanced Cyberattacks, Part 2 | Blog

Post-quantum cryptography (PQC) has become essential for enterprises to protect against future quantum-enabled attacks and secure digital assets and sensitive data. Read on to discover providers’ crucial role in preparing enterprises for PQC. Reach out to explore this topic further.

As discussed in our previous blog, the emergence of quantum computing poses a significant threat to current public key cryptographic methods. When run on quantum computers – or more specifically, Cryptographically Relevant Quantum Computers (CRQCs) – some algorithms such as Shor’s can potentially break widely used methods like RSA, DSA, ECDSA, EdDSA, and DHKE, among others.

The advancement of quantum computers can seriously threaten data security and privacy for various enterprises, affecting fundamental principles such as confidentiality, integrity, and authentication. This makes it essential to reassess the security of these cryptographic methods.

The early and widespread use of quantum computers could wreak havoc, enabling new advanced cyberattacks that are impossible using classical computers. Post-quantum cryptography (PQC) is the solution to this problem. Let’s explore this further.

What is post-quantum cryptography?

In the quantum computing era, PQC is vital in ensuring the long-term security of digital communication and data protection. PQC focuses on researching and adopting cryptographic algorithms that are ready for this era.

These algorithms are designed to be secure against both quantum and classical computers. Furthermore, they are expected to be deployable and integrable without significant modifications to current protocols and networks.

With extensive ongoing research in this field, researchers have proposed several mathematical schemes that meet the requirements for being potential candidates for quantum-safe cryptographic algorithms. These include lattice-based, multivariate polynomial, code-based, hash-based, and isogeny-based cryptography.

The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) launched a program in 2016 to create standardized quantum-safe cryptographic algorithms.

After a rigorous six-year evaluation involving global experts, it announced four finalists for quantum-safe cryptographic standards. The following algorithms selected by NIST address general encryption and digital signatures that are crucial for securing data exchanges and identity authentication:

| PQC algorithm | Cryptographic scheme | Purpose |
| --- | --- | --- |
| CRYSTALS-Kyber | Lattice-based cryptography | Key encapsulation method (KEM) |
| CRYSTALS-Dilithium | Lattice-based cryptography | Digital signature |
| FALCON | Lattice-based cryptography | Small digital signature |
| SPHINCS+ | Hash-based cryptography | Digital signature |

Several other developments related to PQC have occurred recently. The notable ones are highlighted below:

[Figure: timeline of recent PQC developments]

Common cryptographic pitfalls

The complexity of cryptographic fields makes it difficult for enterprises to navigate data security. With numerous algorithms, protocols, and standards, enterprises often struggle to understand and implement robust cryptographic solutions.

Enterprises may encounter several common cryptographic pitfalls, including:

  • Lack of awareness about cryptographic algorithms used for data protection
  • Dependency on long-life data secured by cryptographic schemes not suitable for the quantum computing era
  • High costs and efforts required to update cryptography across systems and applications manually
  • Use of outdated cryptographic algorithms
  • Challenges in ensuring interoperability between different cryptographic systems and protocols, especially in hybrid IT environments
  • Limited resources, including security budget and expertise, hindering effective cryptography implementation and management
  • Risk of vulnerabilities and security breaches due to incorrect implementation of cryptographic protocols or algorithms

Enterprise considerations for embracing PQC

Considering the current challenges with cryptography, enterprises would face far more significant difficulties if they do not strategically plan for PQC. To prevent this, cybersecurity leaders globally must proactively prepare and initiate early plans to migrate to post-quantum cryptographic standards.

Taking a proactive stance is crucial since transitioning to new quantum-safe algorithms will be discontinuous, considering the inherent disparities in key size, error-handling properties, and other complexities.

Hence, enterprises should give themselves enough time to start small, experiment, learn from positive impacts and challenges, and explore ways to reduce technology transition costs.

Steps to establishing a quantum readiness roadmap

Staying abreast of advancements in quantum computing and quantum-safe solutions is paramount. Enterprises must establish a comprehensive quantum readiness roadmap following these five steps:

  • Inventory quantum-vulnerable systems: To kickstart readiness efforts, enterprises should conduct a thorough inventory of quantum-vulnerable systems across both information technology (IT) and operational technology (OT) environments, covering all cryptographic assets, including keys, certificates, protocols, libraries, and algorithms. Understanding cryptographic assets and algorithms, locations, and purposes is a fundamental best practice, especially when preparing for post-quantum cryptography. It is also crucial to identify where long-life data resides, comprehend data flows, and understand the types of cryptography used to protect it.
  • Conduct an internal risk assessment: This can help identify and prioritize the assets whose cryptography would be most affected by a quantum computer and which therefore expose the organization to greater risk. Chief Information Security Officers (CISOs) and Chief Revenue Officers (CROs) must ensure that quantum risk mitigation is integrated into existing risk management strategies.
  • Engage with technology vendors: Partner with supply chain providers to understand their quantum readiness roadmaps and migration strategies to facilitate a smooth transition that aligns with enterprise goals and timelines.

  • Streamline the current cryptographic infrastructure: Enterprises can initiate modernization efforts by streamlining their current cryptographic infrastructure, including consolidating or replacing vendors to enable a managed migration process. The CFO should collaborate with other executives to prioritize PQC investments based on the risk appetite and strategic objectives and adopt a fully crypto-agile approach. Establishing a governance structure with clearly defined roles and responsibilities to adopt PQC effectively is also recommended.

  • Adopt PQC algorithms: Enterprises eventually should integrate PQC algorithms into browsers, applications, public key infrastructure (PKI), files, and data systems, wherever quantum-vulnerable cryptography is employed. CIOs must collaborate closely with CISOs and other stakeholders to assess the compatibility of current systems with PQC solutions.

There is an ongoing debate over some adversaries already gathering encrypted foreign communications, anticipating the future ability of quantum computers to decrypt such systems, and aiming to extract valuable secrets from the data collected. This threat, known as “harvest now, decrypt later,” highlights the urgency of making cryptographic changes rather than waiting.

How can service providers help enterprises navigate the PQC era effectively and efficiently?

As quantum computing advances, the demand for comprehensive quantum-resistant cryptographic solutions will only increase, favoring a ripe market for cybersecurity service providers to capitalize on.

PQC offers a significant opportunity for providers to position themselves as vital partners in ensuring the security and resilience of enterprises’ digital assets against the evolving quantum computing threats.

Leaders may need help understanding the advanced mathematical concepts and algorithms involved in PQC. The complexity of these cryptographic methods may need to be clarified for enterprises trying to grasp the intricacies of quantum-resistant solutions.

With all the latest discussions about quantum computers, service providers should take this time to develop a perspective on how PQC would impact enterprises from various industry verticals.

Providers should play an educational role, creating awareness about the risks posed by quantum computing and guiding enterprises on the importance of proactively transitioning to quantum-resistant solutions.

Service providers should develop strategies to hire, train, and upskill talent in PQC and quantum computing concepts. Additionally, they can invest in R&D initiatives to explore new approaches and solutions in the PQC field. By collaborating with relevant technology vendors, research institutions, and other organizations paving the way for PQC, service providers can foster innovation and help their clients stay at the forefront of technological advancements.

Cybersecurity service providers can offer specialized consultation and assessment services to help enterprises evaluate and inventory their current cryptographic infrastructure, prioritize components based on risk, identify vulnerabilities to quantum attacks, and recommend appropriate post-quantum cryptographic solutions.

Moreover, they can engage with enterprises on initial levels to develop comprehensive strategies for implementing and managing these solutions effectively, ensuring seamless integration with existing security frameworks and compatibility with legacy systems.

Unlocking potential: Exploring use cases with PQC

Service providers should prioritize PQC to address the threat quantum computing poses to traditional cryptographic systems. By embracing PQC, service providers can safeguard their clients’ data and infrastructure against potential quantum attacks.

Additionally, they can explore new use cases for PQC to unlock innovative solutions and stay ahead of the curve in the rapidly evolving quantum landscape. These new use cases may include:

  • Quantum-safe communication (use cases for cloud computing, data centers, 5G networks, secure private communication links)
  • Security in the banking sector, securing ATM and online credit card transactions, as well as customer data stored in bank data centers
  • Quantum-safe VPN and SD-WAN
  • Quantum-safe cybersecurity for automotive systems
  • PQC in Internet of Things (IoT) and Mobile Edge Computing (MEC) domains for protection of data transmitted between connected devices and central data processor/edge servers
  • Quantum-safe blockchain
  • Safeguarding the storage, transmission, and processing of sensitive patient data in healthcare (including that collected by biosensors in wearable devices)
  • Quantum-safe PKI for OT environments
  • PQC in Zero Trust Architecture (ZTA)

Envisioning the future

PQC is no longer a theoretical concept but a reality. Multiple applications of PQC have emerged. In its latest release, OpenSSL has fully enabled PQC for digital signatures and key establishment mechanisms. The Signal Protocol, an essential constituent of Signal, Google RCS, and WhatsApp messengers, has also announced support for the PQXDH protocol, becoming the first to introduce PQC for the initial key establishment. Apple has introduced a fresh encryption protocol named PQ3 for iMessage, offering advanced post-quantum security measures for instant messaging.

PQC is rapidly gaining traction for quantum-safe digital signatures, encryption, and key exchange mechanisms. Its widespread adoption seems inevitable as the risks of quantum supremacy proliferate.

The standardized algorithms aren’t battle-tested yet, and exploitable weaknesses could be uncovered, leading to adjustments in their functioning or the development of entirely new algorithms.

We anticipate PQC becoming the cornerstone of cybersecurity strategies in the coming years. Moreover, the security standards are expected to recommend or mandate PQC.

PQC has become a crucial element of enterprise security, safeguarding against quantum-enabled attacks and ensuring the integrity and confidentiality of sensitive data.

Enterprises must start planning to migrate from a secure lock to an unbreakable vault: post-quantum cryptography! Service providers play a crucial role in guiding and supporting enterprises every step of the way.

To discuss post-quantum cryptography further, please contact Prabhjyot Kaur, Kumar Avijit, and Ronak Doshi.

Decoding Quantum Computing: Uncovering its Potential Impact and Opportunities, Part I | Blog

With their exceptional computing prowess, quantum computers have the potential to revolutionize various sectors by expediting complex problem-solving. In this first blog of our two-part series, we delve into quantum computer types, opportunities for businesses and IT service providers, and their impact on modern cryptographic algorithms. Get in touch to discuss further.

What is quantum computing?

Quantum computing is an innovative approach that leverages the principles of quantum mechanics to solve extremely complex problems much faster than classical computers. Unlike classical computers using bits, quantum computers employ qubits, such as photons or atoms, for information encoding. Quantum computing progressed from 2-qubit systems in the 1980s to tens in the 2000s, and by the late 2020s, significant milestones were achieved. Google’s “quantum supremacy” in 2019 with a 53-qubit processor and IBM’s 433-qubit chip, IBM Osprey, set records. In 2023, Atom Computing unveiled an 1180-qubit quantum computer.

Quantum bits exhibit numerous types of quantum phenomena. Let’s explore the following:

  • Superposition – Quantum bits, or qubits, can represent both 0 and 1 simultaneously, allowing quantum computers to process information much faster than classical computers
  • Entanglement – Qubits become perfectly correlated, even when separated by large distances. This means that changing one qubit instantly affects its entangled partner, enabling quantum computers to determine the value of the other qubit immediately.

These principles allow quantum computers to perform calculations based on the probability of a qubit’s state before measurement, revolutionizing computing capabilities.

Despite substantial investments, current systems face scalability and stability issues. Error correction and fault tolerance also remain complex, with each additional qubit increasing the probability of errors and higher sensitivity to environmental noise. These issues highlight the ongoing hurdles in quantum computing’s path to widespread commercialization.

Quantum computer types

Quantum computers have different architectures, determined by the nature of qubits and quantum mechanics phenomena used to manipulate them. The research and innovation put into these architectures deliver solutions to problems that previously could not be solved due to classical computers’ limited computing capabilities.

Below are some of the most typical architectures that enterprises should be familiar with:

  • Superconducting: Usually made from superconducting materials, these computers use loops and circuits to produce and alter the qubits. They are the most sophisticated and popular quantum computers and can accurately model and simulate the behavior of molecules, materials, chemical reactions, etc. This feature finds practical utility in fields like drug discovery, materials science, and chemistry, where understanding the quantum behavior of complex systems is essential. They also excel in solving optimization problems, such as route optimization, scheduling, and resource allocation, which have applications in logistics, supply chain management, and financial portfolio optimization
  • Trapped ion: These quantum computers use ions trapped and manipulated in an electromagnetic field as qubits. Their long coherence times make them viable for applications requiring high stability and control levels
  • Neutral atom: Similar to trapped ion quantum computers, these use neutral atoms suspended in an ultra-high vacuum by arrays of tightly focused laser beams. They also offer long coherence times and high-fidelity operations, making them suitable for implementing complex quantum algorithms such as simulations and solving optimization problems in logistics and cryptography
  • Quantum dots: These use semiconductor quantum dots or tiny semiconductor nanocrystals as qubits that can confine electrons or other charge carriers, usually manipulated by electrical, magnetic, or microwave pulses. They have the potential for robust scalability and are typically implemented in quantum communication networks and quantum sensing, among other use cases
  • Photonic/optical: Photonic quantum computers leverage photons (or packets of light) to carry and process quantum information. They can play a significant role in quantum communication protocols, enabling secure transmission of information through quantum key distribution (QKD) and quantum teleportation. This ensures the confidentiality and integrity of data, which is essential for various sectors such as finance, defense, and telecommunications

Implications for enterprises and IT service providers  

Quantum computing presents numerous opportunities for enterprises across various industries to revolutionize their operations, drive efficiency, and unlock new possibilities for growth and innovation.

As the field matures, business leaders must prepare to embrace quantum computing in the following five ways:

  1. Educate stakeholders: Enterprise leaders must educate themselves, their teams, and stakeholders about quantum computing, its potential applications, and its implications for their industry. They can organize workshops, training sessions, and seminars to increase awareness and understanding of quantum computing concepts and opportunities
  2. Identify potential use cases: Leaders must understand their respective fields’ most significant challenges and opportunities and actively search for quantum computing use cases. This can be achieved by either having an in-house team of quantum computing experts or collaborating with academia, research institutions, regulatory bodies, and other industry players to stay abreast of the latest quantum computing technology advances
  3. Build a quantum-ready workforce: After identifying relevant quantum computing use cases, leaders must build a dedicated team with expertise in quantum physics, algorithms, hardware, software, and other related fields that can work together to research, design, and implement quantum solutions tailored to their needs. This will enable the enterprise to filter out the hype and focus on areas with real business implications
  4. Invest in research and development: By allocating resources to R&D initiatives focused on quantum computing, enterprises can explore potential use cases, develop proof-of-concept projects, and experiment with quantum algorithms and applications relevant to their industry
  5. Understand technology needs: Enterprises should determine the frequency of their quantum computing usage to help decide whether to purchase/own a quantum computer or utilize cloud-based quantum services provided by computing companies. It is crucial for enterprises to carefully evaluate and choose quantum-computing partners based on their unique requirements

Service providers can play a crucial role in educating enterprises about the potential applications of quantum computing in their specific industry sectors and help them navigate the challenges and benefits associated with its adoption. Enterprises should understand they don’t necessarily need to own or build a quantum computer. Instead, they should embrace quantum computing as a service that provides multiple benefits, such as scalability, elasticity, reduced costs, and increased accessibility.

Furthermore, it’s crucial to communicate to enterprises that quantum computers will not require continuous availability, as they will coexist alongside classical computers. Providers can collaborate with enterprises on R&D initiatives and develop custom algorithms and applications tailored to their business needs. Additionally, providers have an essential role in helping enterprises navigate quantum computing security concerns.

Quantum computing’s impact on modern cryptographic algorithms

Cryptography has served as the cornerstone of secure communication in the digital age, addressing multiple information security aspects, such as confidentiality, data integrity, authentication, and non-repudiation in the presence of third parties or adversaries. Some of the foundational elements of cryptography are:

 

| Algorithm | Description | Use-cases | Examples |
| --- | --- | --- | --- |
| Hash function/algorithm | Transform input data into fixed-size strings called hash values | Password hashing, digital signatures, hash-based message authentication codes (HMACs), and data integrity verification | SHA2, SHA3, Blake2 |
| Symmetric algorithms | Uses one key for both encryption and decryption | Data encryption, SSL/TLS, MACs, and VPNs | AES, RC6, Blowfish, Twofish |
| Asymmetric algorithms | Uses a pair of keys: a public key for encryption and a private key for decryption | HTTPS, digital signatures, email encryption, blockchain, public key infrastructure (PKI) | RSA, DSA, ECDSA, EdDSA, DHKE, ECDH, ElGamal |

Many cryptographic algorithms that enterprises rely on today, such as RSA and ECC, are based on mathematical problems that are computationally difficult for classical computers to solve efficiently.

However, the advent of quantum computing threatens the security of these algorithms. Shor’s algorithm efficiently solves integer prime factorization and discrete logarithm problems, breaking the security of RSA and other asymmetric encryption schemes. Additionally, Grover’s algorithm threatens symmetric cryptographic algorithms and hash functions by offering a quadratic speedup in searching through unsorted databases.

 

| Cryptographic algorithm | Type | Purpose | Impact from large-scale quantum computer |
| --- | --- | --- | --- |
| AES | Symmetric key | Encryption | Large key sizes needed |
| SHA-2, SHA-3 | - | Hash functions | Large output needed |
| RSA | Public key | Signatures, key establishment | No longer secure |
| ECDSA, ECDH (Elliptic curve cryptography) | Public key | Signatures, key establishment | No longer secure |
| DSA (Finite field cryptography) | Public key | Signatures, key establishment | No longer secure |

Source: Report on Post-Quantum Cryptography (nist.gov)
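The impact table above, combined with the inventory and risk-assessment steps from the Part 2 post, can be turned into a first-pass triage script. This is an added example, not code from the original posts: the asset names, the CSV columns and the 128-bit target are assumptions, and the sample inventory is constructed.

```python
import csv
import io
from dataclasses import dataclass

# Public-key families the page lists as breakable by Shor's algorithm.
SHOR_BROKEN = {"RSA", "DSA", "ECDSA", "ECDH", "EDDSA", "DHKE"}
# Symmetric ciphers and hashes: Grover's quadratic speedup roughly halves
# the effective strength (key search for ciphers, preimage search for hashes).
GROVER_AFFECTED = {"AES", "SHA-2", "SHA-3"}
# Replacements taken from the NIST selection table on this page.
PQC_REPLACEMENT = {
    "key establishment": "CRYSTALS-Kyber",
    "signature": "CRYSTALS-Dilithium, FALCON or SPHINCS+",
}
# Assumption of this example, not a figure from the page.
TARGET_BITS = 128

# Constructed sample inventory (hypothetical asset names and columns).
SAMPLE_INVENTORY = """\
asset,family,bits,purpose,data_lifetime_years
vpn-gateway,ECDH,256,key establishment,15
code-signing-ca,RSA,3072,signature,5
backup-archive,AES,128,encryption,25
db-volume,AES,256,encryption,10
firmware-digest,SHA-2,256,hash,10
partner-sftp,RSA,2048,key establishment,2
"""


@dataclass
class Finding:
    asset: str
    family: str
    impact: str
    action: str
    priority: int   # 1 = migrate first
    lifetime: int   # years the protected data must stay secure


def classify(row):
    """Map one inventory row to its quantum impact and a migration action."""
    asset = row["asset"].strip()
    family = row["family"].strip().upper()
    bits = int(row["bits"])
    purpose = row["purpose"].strip().lower()
    lifetime = int(row["data_lifetime_years"])

    if family in SHOR_BROKEN:
        action = "migrate to " + PQC_REPLACEMENT.get(purpose, "a PQC algorithm")
        # Key establishment ranks first: traffic recorded today stays
        # exposed to "harvest now, decrypt later".
        priority = 1 if purpose == "key establishment" else 2
        return Finding(asset, family, "no longer secure", action, priority, lifetime)

    if family in GROVER_AFFECTED:
        effective = bits // 2
        impact = f"~{effective}-bit effective"
        if effective < TARGET_BITS:
            size = "key" if purpose == "encryption" else "output"
            return Finding(asset, family, impact, f"use a larger {size} size", 3, lifetime)
        return Finding(asset, family, impact, "no change", 4, lifetime)

    # Anything not covered by the table is flagged rather than assumed safe.
    return Finding(asset, family, "unknown", "review manually", 3, lifetime)


def build_roadmap(csv_text):
    """Parse the inventory and order it by priority, then by data lifetime."""
    rows = csv.DictReader(io.StringIO(csv_text))
    findings = [classify(row) for row in rows]
    return sorted(findings, key=lambda f: (f.priority, -f.lifetime))


if __name__ == "__main__":
    for f in build_roadmap(SAMPLE_INVENTORY):
        print(f"P{f.priority} {f.asset:16} {f.family:6} {f.impact:20} {f.action}")
```
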

Quantum computing – a mixed blessing?

Given their immense computational powers, quantum computers have the potential to revolutionize various fields by solving specific problems much faster than classical computers. Rapid technological advancements in the field make it critical for enterprises to understand the technology, determine potential use cases, and prepare for it.

However, the need for robust quantum-safe or post-quantum cryptographic solutions becomes increasingly evident as quantum computing advances. Read our next blog in this series to learn how to navigate quantum computing security concerns.

To discuss further, please contact Prabhjyot Kaur, Kumar Avijit, and Suseel Menon.


Everest Group Research: C-Suite Must Recognize Critical Difference Between Cybersecurity and Cyber Resilience

According to Everest Group, an enterprise shift from mere awareness of cyber threats to actively working toward resilience has the potential to redefine the future of cybersecurity services.

 

DALLAS, August 29, 2023 — Everest Group is calling on enterprises to make the critical shift in focus from cybersecurity to cyber resilience. While cybersecurity focuses on safeguarding against threats, cyber resilience emphasizes the ability to withstand, respond and recover quickly from them.

Everest Group issues this call to action in its recently published “State of the Market Report” on cybersecurity services. The report focuses on differentiating cybersecurity from cyber resilience, emphasizing that these two concepts are often mistakenly considered synonymous in the business world.

“Cybersecurity is just one component of cyber resilience, but, unfortunately, many enterprises fail to understand the subtle difference,” said Kumar Avijit, practice director of Information Technology Services at Everest Group. “While a majority of C-suite executives concentrate on preventive controls and response, equal importance needs to be allocated to the recovery, revamp, and reinforcement stages of cyber resilience. For any business, having a comprehensive cyber resilience strategy is critical in safeguarding long-term viability and success.”

 

Everest Group rates current C-suite focus on the “5 Rs of cyber resilience” as follows:

  • Ready – High: C-suite is extensively focusing on pre-emptive measures to secure themselves from cyberattacks and are investing in cutting-edge technologies.
  • Respond – High: There is rapid adoption of extended detection and response (XDR) tools in the market, and service providers too are now focusing on automated incident response to cut down on the standard metric of Mean Time to Resolution (MTTR).
  • Recover – Medium: There is very little focus on the recovery aspect from the C-suite, underpinned by the challenges of data fragmentation, infected backups, and meeting Recovery Time Objective (RTO) that are visible across the C-suite.
  • Reinforce – Low: C-suite is not focused on learning from cyberattacks on peer organizations and building defenses accordingly. In most cases, the C-suite lacks a comprehensive vision of security and instead remains reactive.
  • Revamp – Low: C-suite is not acting agile enough to focus on the next-generation technology and thinking a step beyond on how to secure itself from the new attack vectors that the new shiny tech brings.

 

These findings and more are detailed in Everest Group’s recently published report, “Cybersecurity Services State of the Market Report 2023: Cyber Secure to Cyber Resilient.”

The report provides an in-depth analysis of the global cybersecurity market, with special sections on North America and Europe. In addition, the report introduces a unique and easily understandable framework to assist enterprises, particularly the C-suite, in swiftly incorporating cyber resilience into their operations. Additionally, the report explores the implications for providers in key areas such as solutions, services, partnerships, talent, and engagement models, illustrating how they can enable enterprises to adopt cyber resilience.

Selected Highlights:

  • Projections suggest the cybersecurity services market, currently valued at US$70-73 billion, will surpass the $100 billion mark in 2025, exhibiting a CAGR of 16-18% between 2021 and 2025.
  • Identity and access management (IAM), cloud security, and application security form the largest segments of the cybersecurity market, collectively representing 56% of the overall market.
  • Cybersecurity consulting services are experiencing rapid growth, with a current market share of 25%. This is closely followed by design and implementation at 29% and managed security services leading at 46%.
  • North America remains the largest market (40%) followed by Europe (33%) and Asia (21%).
  • 63% of enterprises have mentioned lack of skills/talent as among their top three biggest challenges when it comes to cybersecurity.

About Everest Group

Everest Group is a leading research firm helping business leaders make confident decisions. We guide clients through today’s market challenges and strengthen their strategies by applying contextualized problem-solving to their unique situations. This drives maximized operational and financial performance and transformative experiences. Our deep expertise and tenacious research focused on technology, business processes, and engineering through the lenses of talent, sustainability, and sourcing delivers precise and action-oriented guidance. Find further details and in-depth content at www.everestgrp.com.
