From Awareness to Action: Achieving Cryptographic Agility with CyberArk and Venafi

Written by Merlin Cyber | Jul 9, 2025 1:12:25 PM

As quantum technology advances, the risk of breach via cryptographic compromise increases, emphasizing the importance of transitioning to post-quantum cryptography (PQC) to secure sensitive data against future quantum threats. During the recent webinar, "Achieving Cryptographic Agility with CyberArk and Venafi," experts from Merlin Cyber, CyberArk, and Olympus Solutions provided a comprehensive look at quantum threats, global standardization efforts, and how federal agencies can effectively leverage CyberArk and Venafi's solutions to stay secure in the coming era of quantum computing.

Quantum Threats

Quantum computing presents an immediate and severe threat to existing cryptographic systems. Current encryption standards like RSA-2048 are predicted to become vulnerable by 2030, creating an urgent need for the proactive adoption of quantum-safe cryptography. Federal agencies must assess and prioritize cryptographic migration to remediate cryptographic vulnerabilities and mitigate risk.


The Importance of Standardization

Considering the timeline of expected viability for quantum computers, regulatory compliance mandates are emerging and evolving to equip federal agencies with best practices for adopting post-quantum cryptography:

  • NIST: NIST’s PQC leadership spearheads international efforts in developing robust PQC standards. FIPS 203, FIPS 204, and FIPS 205 are drafts of critical guidelines released in August 2024 to enable agencies to future-proof their security strategies and standardize PQC algorithms.
  • ISO/IEC 27000-Series: Continuously updates standards to incorporate emerging PQC technologies, ensuring that global cybersecurity frameworks remain effective against quantum threats.
  • NSA’s Commercial National Security Algorithm Suite (CNSA): CNSA has updated guidelines over recent years to highlight the importance of integrating strong PQC protocols to safeguard national security infrastructures.
  • OMB M-22-03: Sets annual timelines and requirements to which agencies must demonstrate adherence, including submitting cryptographic inventories, testing algorithms for vulnerabilities, and planning the use of automation to assess agency progress towards PQC adoption.

Cryptographic agility, the capability to swiftly transition between cryptographic algorithms, is essential for protecting sensitive information against evolving quantum threats. Federal agencies must work towards achieving cryptographic agility by maintaining a comprehensive cryptographic inventory and implementing compatibility checks for smooth algorithm transitions across systems. However, research indicates that it will take years to comprehensively convert existing algorithms to PQC protocols, highlighting the need for agencies to begin proactive planning now.


Automation is Key to PQC Adoption

Assessing all cryptographic algorithms across a sprawl of legacy on-prem systems and newer hybrid, multi-cloud environments is a daunting task that requires automation, both as a practical necessity and because guidance such as OMB M-22-03 calls for it. Without automation, agencies face an uphill battle in cataloging algorithms and conducting vulnerability assessments, leading to a heightened risk of unmanaged keys in the wild. Left unmanaged, these cryptographic algorithms serve as potential threat vectors for data breaches, exfiltration, and system compromise, posing a threat to national security. In response to the impending arrival of quantum technology, CyberArk has built a robust suite of tools and strategies centered around three pillars—visibility, control, and automation—to help federal agencies achieve cryptographic agility:

  • Comprehensive Visibility: CyberArk Certificate Manager discovers and monitors TLS/SSL certificates across both on-premises and cloud environments, creating a unified, real-time cryptographic asset inventory.
  • Lifecycle Automation: CyberArk automates the entire certificate lifecycle, from issuance to renewal and revocation. This automation significantly reduces operational risks and minimizes manual errors, especially critical as certificate lifetimes shorten and cryptographic standards evolve.
  • Policy Enforcement: Agencies can define and automatically enforce certificate policies related to key length, validity periods, and approved issuers, ensuring regulatory compliance and readiness for rapid cryptographic transitions.
  • Automated Remediation: Automation drives proactive alerts and remediation of issues, preventing downtime from expiring or misconfigured certificates.
  • Machine Identity Management: Delivers consolidated visibility and policy-driven automation across all machine identities—certificates, secrets, workload identities, and SSH keys—enabling agencies to proactively identify, assess, remediate, and modernize cryptographic algorithms.
  • Secure Key Management and Access Control: Through secure digital vaulting, multi-factor authentication, and stringent access controls, CyberArk ensures only authorized users access sensitive cryptographic keys. Detailed audit, monitoring, and workflow approval capabilities further enhance security, compliance, and forensic analysis.
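As an added example (not CyberArk's, Venafi's or the webinar's code), the kind of compatibility check the agility paragraph and the policy-enforcement bullet describe, run over a constructed certificate inventory: each record is scored against hypothetical key-length, validity-period and approved-issuer rules, and classical algorithms are flagged as migration candidates. The policy values, issuer names and hosts are assumptions; the algorithm names follow FIPS 203/204/205.

```python
from dataclasses import dataclass
from datetime import date

# Algorithms standardised in FIPS 203/204/205 versus the classical
# public-key algorithms a large quantum computer would break.
QUANTUM_SAFE = {"ML-KEM", "ML-DSA", "SLH-DSA"}
CLASSICAL = {"RSA", "ECDSA", "Ed25519"}

# Hypothetical policy values along the three dimensions the page names:
# key length, validity period and approved issuers.
POLICY = {
    "min_key_bits": {"RSA": 3072, "ECDSA": 256},
    "max_validity_days": 398,
    "approved_issuers": {"Agency Root CA", "Agency Issuing CA 1"},
}

@dataclass
class CertRecord:
    """One inventory row with the fields a certificate discovery scan would extract."""
    subject: str
    issuer: str
    algorithm: str
    key_bits: int      # 0 for PQC algorithms, which use parameter sets rather than bit lengths
    not_before: date
    not_after: date

def evaluate(rec, policy=POLICY):
    """Return the policy findings for one record; an empty list means compliant."""
    findings = []
    if rec.issuer not in policy["approved_issuers"]:
        findings.append("unapproved-issuer")
    min_bits = policy["min_key_bits"].get(rec.algorithm)
    if min_bits is not None and rec.key_bits < min_bits:
        findings.append("weak-key")
    if (rec.not_after - rec.not_before).days > policy["max_validity_days"]:
        findings.append("validity-too-long")
    if rec.algorithm in CLASSICAL:
        findings.append("quantum-vulnerable")  # migration candidate, not a breach of today's policy
    return findings

def agility_report(inventory, policy=POLICY):
    """Findings per subject plus the share of the inventory already on PQC algorithms."""
    findings = {rec.subject: evaluate(rec, policy) for rec in inventory}
    pqc = sum(1 for rec in inventory if rec.algorithm in QUANTUM_SAFE)
    return {"findings": findings, "pqc_fraction": pqc / len(inventory) if inventory else 0.0}

# Constructed sample inventory; these are not real certificates or hosts.
SAMPLE_INVENTORY = [
    CertRecord("api.agency.example", "Agency Issuing CA 1", "RSA", 2048, date(2024, 1, 1), date(2026, 1, 1)),
    CertRecord("portal.agency.example", "Agency Issuing CA 1", "ECDSA", 256, date(2025, 3, 1), date(2026, 3, 1)),
    CertRecord("legacy.agency.example", "Vendor Test CA", "RSA", 3072, date(2025, 1, 1), date(2026, 1, 1)),
    CertRecord("pilot.agency.example", "Agency Issuing CA 1", "ML-DSA", 0, date(2025, 6, 1), date(2026, 6, 1)),
]
```

Running `agility_report(SAMPLE_INVENTORY)` yields a findings map per host and a `pqc_fraction` of 0.25, the sort of progress figure M-22-03 reporting asks agencies to track.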


The Cryptographic Agility Roadmap

Our expert panelists also outlined a structured and practical roadmap to quantum-readiness, recommending a phased approach:

  • Wave 1: Foundational Activities
    • Updating cryptographic capabilities, policies, and frameworks.
    • Identifying and training cryptographic talent.
    • Comprehensive asset inventory and assessment of cryptographic practices, solutions, and systems.
  • Wave 2: Transition to Post-Quantum Cryptography
    • Conducting detailed risk, dependency, and impact assessments for different use-cases.
    • Implementing hybrid cryptographic models for a gradual and smooth transition.
    • Establishing cryptographic agility with advanced automation features.
    • Providing clear transition roadmaps and executing strategic changes systematically.
  • Wave 3: Cleanup and Optimization
    • Identifying and decommissioning legacy cryptographic practices and remaining classical cryptography.
    • Mitigating and refactoring remaining cryptographic dependencies.
    • Ensuring practical crypto-agility and updating cryptographic management frameworks for future challenges.


Plan and Prepare for PQC Adoption

Cryptography is the linchpin of digital security, yet these algorithms are increasingly vulnerable to compromise when left unmanaged. For government agencies, the inability to inventory and control cryptographic algorithms poses significant risks to their operations and the security of sensitive data. By recognizing the critical importance of cryptographic agility and investing in the necessary tools and policies, agencies can mitigate these risks and proactively migrate towards PQC standardization. To learn more about how Merlin Cyber can equip your agency with proactive quantum-readiness measures vital for ensuring cybersecurity resilience, email us at info@merlincyber.com.