Quantum computing is poised to revolutionize the world. From simulating atoms and molecules to mapping and modeling in medicine, the potential use cases are vast and still unfolding. It may seem far on the horizon, but for those in cybersecurity, especially privileged access management, now is the time to start planning.
Businesses might argue, "Quantum computing didn’t even make it into Gartner’s Top 10 Strategic Trends for 2024." They might believe that its impact will be significant by the decade's end, but not yet urgent.
So, let’s revisit this towards 2030, right? Well, not quite.
Many threat actors are adopting a "harvest now, decrypt later’" strategy. They are storing exfiltrated data and other stolen credentials, ready for when quantum computing becomes more widely available. They may not be able to access this stolen information using classic computers – but they may with quantum computing.
Understanding quantum computing
The "quantum" part comes from the ability to apply quantum mechanics to computer operations. Qubits are the particle units of quantum computers, and the equivalent of the atoms and sub-atoms that are central to quantum mechanics. The quantum state, where every Qubit can represent every possible state or value and its relationship with other Qubits, can be simulated and calculated at the same time.
This is known as a superposition, and is a transformative step up from classic two-bit computers and their ability to store one of four binary combinations (0, 1, 2, 3). A quantum computer can store all four at the same time, with each existing in multiple states simultaneously.
A Qubit can also interact with another Qubit even when light-years apart, a process known as entanglement. This is relevant to encryption, because it offers disruptive potential for use in scenarios when two separate keys are required. Currently these rely on the randomness of sequenced ones and zeroes. Quantum computing can extend the randomness to make encryption truly unbreakable.
This mix of superposition and entanglement help to illustrate why quantum computers have the advantage over classic computers. As for how big an advantage, and what it means in practice, a Google experiment in 2019 gives a clue.
Using a 54-Quibit processor, Google ran computations that took 200 seconds to generate outputs. The world’s fastest supercomputer would have taken 10,000 years to generate a similar output. This speed will have a major quantum computing impact on encryption, with its reliance on unsolvable (at least, within a practical time limit) mathematical problems.
Keeping a Qubit in a coherent state is difficult because of the surrounding noise that can disrupt and lead to decoherence. In other words, the Qubit does not retain the quantum information, and so limits its real-world applications. But in 2023, quantum computing reached another key milestone.
Researchers increased the time of Qubit coherence by almost 1,000X. The achievement can be likened to extending a Qubit’s lifespan, and "should translate into low cost in building and running large-scale quantum computers." Naturally, these developments will impact privileged access management (PAM), and information security in general.
PAM’s current role in cybersecurity
While IAM spans identities across an IT environment, PAM focuses on privileges that allow or deny access to sensitive systems. Those high-priority targets for malicious actors, because of the valuable data that can be accessed, beyond a standard user’s permissions. This calls for a series of layers and functions for securing remote workforce with PAM:
- Credential management:
Ensuring credentials and secrets are regularly swapped, rotated and vaulted. - Privileged session management:
Managing the length of time that access is granted to privileged users – tracking, logging and monitoring activity during sessions. - Principle of least privilege:
Limiting attack surfaces by limiting user accounts to only access the resources needed to perform specific functions.
Achieving Zero Trust should be the ultimate goal, but the path is complex with quantum threats to PAM coming from various components. Access is not only for human users – the rise of IoT means that devices need access, along with entities such as applications. These machine identities are often cloud-based and so beyond the traditional perimeter. Add quantum computing to the list of considerations, and quantum computing in cybersecurity gets even more complex.
Quantum computing’s potential impact on PAM
Think of algorithms such as AES, SHA-2, 256-Bit ECDSA and various other public key infrastructures. For years, these have formed the backbone for processes including identification, certification, authorization and software distribution.
That is because there has never been technology capable of cracking encryption – at least, not without waiting a few million years. It's not that encryption is impossible to crack; rather, it's a matter of it not being feasible with current technology. However, the advent of quantum computing could swiftly turn this "not yet possible" into an immediate concern. Quantum computers have the capability to perform calculations and factor numbers at speeds far surpassing those of today's computers.
For example, RSA encryption, the foundation for financial transactions, involves multiplying two large prime numbers, with the result being the modulus. For a 2048-bit key, that would be a number of 600+ digits. Classic computers cannot factor, or reverse-engineer, the modulus to work out the original prime numbers. Whereas Shor’s algorithm, a quantum algorithm, can.
Here’s the thing: If quantum algorithms can be used to break current encryption methods, they can also be used to enhance cryptography too. The potential of Qubits in relation to entanglement offer potential ways to truly randomize keys across any distance, delivering quantum key distribution.
Although this isn’t possible for asymmetric encryption schemes such as RSA, where one key remains public. So there will be operational challenges when it comes to integrating quantum computing with existing PAM systems. What’s clear is that identity validation will remain integral, in the form of quantum identity authentication protocols. While some quantum algorithms such as Shor are established, new protocols and standards will appear in the future. Now’s the time to start preparations.
Preparing for the quantum future of PAM
The first stoz for many organizations should be NIST’s Post-Quantum Cryptography Standardization Initiative. This contains quantum-resistant cryptographic algorithms that are designed to protect against quantum computer-based attacks. Four were selected from a series of rounds and competitions:
- For general encryption:
Crystals-Kyber - For digital signatures:
CRYSTALS-Dilithium (the recommended primary algorithm), FALCON (for applications that need smaller signatures than Dilithium can provide), SPHINCS+ (somewhat larger and slow than the other two, but a valuable backup owing to ‘a different math approach’.)
NIST will work to standardize these for wider use. And then they’ll form part of a post-quantum cryptographic standard, for protecting information across public networks and digital signatures for identity authentication.
Further features to look for in PAM tools include:
- Quantum-safe encryption:
A platform that secures data beyond current methods that involve public-key cryptography. - Quantum-level analytics:
Allowing automated audit-ready reporting, with quantum-ready mechanisms for identifying unusual behaviors and anomalies. - Just-in time access:
Granting finely-grained access for specific roles, using quantum cryptography methods (potentially including entanglement) to limit attack surfaces and automatically revoke when the need has expired.
Long-term strategies and innovations
As seen with the NIST frameworks, the focus is on inviting participants to these initiatives and contribute to the future of cybersecurity with quantum computing. Crowdsourcing knowledge will benefit business and wider stakeholders in society with:
- Evaluation:
The ability to identify which encryption algorithms are in use and vulnerable to quantum computing. - Standardization:
Using the NIST framework as a foundation for defining the protocols to be used across geographies and different industry use cases. - Research:
Supporting quantum research projects to increase chances of breakthroughs with quantum-resistant algorithms. - Adaptation:
Developing a culture of innovation and visibility across entire environments, to help identify when quantum-level unusual behaviors are occurring.
Preparation has already been happening at government level, with HR7535 passing into law during 2023. The Quantum Computing Cybersecurity Preparedness Act states federal agencies must start migrating their systems to quantum-resistant cryptography systems, and “establish and maintain a current inventory of information technology in use by the agency that is vulnerable to decryption by quantum computers.”
Meanwhile, the National Security Agency recommends implementing post-quantum cryptographic algorithms for National Security Systems by 2025, with owners, operators and vendors required to report on progress for compliance purposes.
Quantum computing and access management: The central question
It’s not yet Q-day. The day that a quantum computer becomes capable of cracking the encryption methods used to secure financial services, distribute sensitive data and manage critical infrastructure. So there’s still time for CISOs, CIOs, Heads of compliance and IT, decision-makers, plus security researchers, academics, and your own clients and customers too.
There’s also plenty of opportunity for securing enterprise access like never before. By harnessing quantum concepts such as Qubits, entanglement, and superposition. Even if it does mean an end to encryption algorithms that have served the world until now. Momentum is building from multiple angles, with new guidelines from policymakers coupled with ongoing innovation from researchers, and new educational initiatives to build a pipeline of quantum talent.
Whatever comes next in quantum computing, attacks will still rely on gaining access with enough privileges to move and act inside a network. That will put PAM at the center of preparing for quantum cybersecurity. The clock is ticking for organizations – have you started your journey to a post-quantum future yet?
