Why We Need End-to-End Quantum-Resistant Encryption
In a world that increasingly revolves around data, security and encryption are key. Unfortunately, too often organisations do not take security seriously. Big tech giants like Facebook allow firms such as Cambridge Analytica to syphon away 50 million user profiles, while the average Internet of Things device is so easy to hack that a kid can do it, even if it is meant to be a highly secure crypto wallet. In the years to come, data will only increase in importance and, as such, in value. With that will come increased attention from hackers looking to steal data or hack your products, services or servers. More than ever, data security is vital if we wish to benefit from data.
Data security comes in many flavours, which roughly speaking can be divided into three different streams:
- Processes and organisational solutions;
- Technical and hardware solutions;
- Data and software solutions.
Let’s briefly discuss the first two, which should be obvious to all of us by now, and take a deep dive into the third stream:
Processes and organisational solutions
Security processes and organisational solutions are very straightforward, or at least should be. By now, every organisation should enforce hard-to-guess passwords, preventing users and employees from using passwords such as 123456 or qwertyui, which, unfortunately, still happens. Other practical solutions include educating staff not to use a random USB stick that they found somewhere, as well as having and enforcing a security policy within your organisation. Processes and organisational solutions are so straightforward that every organisation should adhere to them. Unfortunately, that is still not the case.
Technical and hardware solutions
To improve your security, you should have not only organisational solutions but also secure hardware solutions. Hardware-based security helps to prevent hackers from accessing your servers by using, for example, dongles in combination with security tokens as a requirement to access a certain service or server. The dongle can include biometric technology so that not just anyone can use it. Without the required dongle and the right biometrics, it is impossible for hackers to gain access to secure data. Of course, this does not hold if the hardware itself contains a backdoor or has been tampered with before being installed.
Data and software solutions
Even if you have the best security policies that everyone adheres to and you have implemented all the possible hardware security solutions, it is still possible that your organisation will be hacked. After all, every organisation can be hacked, and if you are not hacked, you are simply not yet important enough. Therefore, the starting point of your organisation should be that hackers will obtain access to your data, even if you have implemented the right organisational and hardware preventions.
So, what measure should you take if you know that hackers will obtain your data? Of course: encryption! After all, if hackers have access to your data but cannot read your data because they do not have the right encryption key, the stolen data remains useless to the hackers. However, unfortunately, many organisations don’t have encryption, and if they do, they don’t have end-to-end encryption.
A 2016 survey showed that of the organisations researched, only 44% made use of extensive data encryption technologies. The main barriers that keep organisations from implementing encryption are, according to the survey, a lack of budget (37%), performance concerns (31%) and lack of knowledge (28%). 1% of the respondents believe that encryption is not effective in protecting their data, which to me points to a lack of understanding of encryption in the first place. Those companies that do not ensure encryption leave their data vulnerable in case of a data breach. With that, you breach your customers’ privacy, and that could make you liable, especially under the new GDPR regulations.
However, even if you have implemented encryption, you could still face problems with the advent of quantum computing. After all, most of the existing encryption will end up useless when we have working quantum computers. The problem with existing cryptography is that a sufficiently powerful quantum computer could easily solve the mathematical problems that are currently used by most encryption algorithms. If that happens, any data that is currently encrypted using those algorithms will become accessible to those with access to such quantum computing. As such, intelligence agencies are, most likely, already storing currently unbreakable intercepted data in the hope that quantum computing will give them access. In addition, once hackers gain access to quantum computing, your encrypted data is anything but safe. As such, despite offering enormous opportunities to solve some of the world’s biggest problems, quantum computing is also one of the biggest security risks.
Therefore, organisations should adopt quantum-computing-proof encryption, also known as post-quantum cryptography or quantum-resistant cryptography, which is gaining increasing attention from researchers as well as organisations. However, developing new quantum-resistant cryptography takes time, while the developments around quantum computing are accelerating. Earlier this month, Google revealed a 72-qubit gate-based superconducting system, bringing us rapidly closer to quantum supremacy (meaning a quantum computer that outperforms the world’s fastest supercomputer).
So, what can organisations do today to ensure that their current data remains secure when quantum computing has arrived? The obvious answer is to use quantum-resistant cryptography, but that is easier said than done. However, new startups are working on new solutions, and one of these is Cryptelo (full disclaimer: I am a strategic advisor to Cryptelo):
Cryptelo offers a sort of state-of-the-art encryption-as-a-service that brings a fresh perspective to data protection and data manipulation. Their vision is to build a new ecosystem where there will be a shell around your data before you share or store it. Every time someone would like to open it, he/she has to prove that his/her access is still valid. Thanks to this, you’re able to remove access to an attachment in an email, even if you already sent it, or let other people see your documents without the ability to copy them or forward them to someone else. The world of crypto is fascinating, and it is moving forward fast. Cryptelo Labs constantly works on cryptography research and improvements to make sure that the data of their clients will be protected even against the quantum implementation of Shor’s algorithm etc. and with that allow organisations to be ready for a post-quantum era.
End-to-end encryption that is resistant to quantum computing will become increasingly important in the near future. Therefore, organisations that want to protect their data and their customers’ data, and as such comply with GDPR, should look into companies such as Cryptelo to ensure that their data will remain secure. Now and in the upcoming era of the quantum computer.