Thales Blog

Why organizations need to prioritize a PQC-readiness lab

February 13, 2024

Jenn Nuttall | Product Marketing Manager

It’s an exciting time for technology – we are on the cusp of seeing some innovative and disruptive new technologies emerge that will have impacts on every industry and sector around the globe. From Quantum computers to Web3/Virtual Reality to Artificial Intelligence, there’s no doubt these will bring a critical shift in our daily lives.

It’s also an important time because the world is still trying to catch up to changes brought about by the benefits of the Cloud. The impact of Cloud on data centers and IT infrastructure is still at the transformative stage, where it is only beginning to be well-established as the new normal. With each of these new technologies come great benefits, but they also come with great risks, particularly from Quantum computers. The sheer magnitude of their inherent design makes the risks stemming from this new technology extremely impactful. As an example, the math behind today’s cryptographic technology takes many years to crack, making it sufficient to protect our technology today. But due to the emergence of Quantum computing, conventional cryptography will be “cracked” in a matter of hours, or as per some estimates, even seconds.

Despite this imminent threat, the most important reason for organizations to act immediately is that many data centers are not able to easily pivot their cryptography. Stemming from the Greek words kryptós, meaning “hidden” or “secret” and graphein meaning “to write”, cryptography is essentially large, complex mathematical equations that will need to be updated, replaced, or even altered completely for the new Post-Quantum Cryptography (PQC) algorithms so they can be implemented and configured across all data centers once the new compliance regulations are set by NIST and other regulatory bodies.

The Upcoming Cryptography Revolution

Digital transformation to the Cloud has added layers of complexity to an already complex situation. The 2023 Thales Data Threat Report found that 62% of organizations now have at least 5 key management systems as a result of cloud implementations, making it extremely complex to update to PQC. Additionally, in a recent Thales webinar about Code Signing, participants were polled, and a significantly large number of participants did not know where they stored these critical keys. Keys are what lock and unlock the secure algorithms used by programs and applications that need access to the secure data.

It is crucial that organizations understand that PQC is a huge overhaul to cryptography, and as such, it is going to be an extremely labor-intensive process lasting for several years. It will involve various components such as crypto discovery (finding your keys and encrypted data), mapping them back to where they are stored, and then re-defining the algorithms and protections in place today.

The process can seem overwhelming and daunting since it is so large and complex, while happening at a time of economic instability. Organizations need to:

  • Map all their applications and data to existing cryptography and keys
  • Identify key crypto implementations at risk
  • Evaluate and prioritize where to spend their dollars to create efficiencies in cost
  • Ensure the process is as smooth as possible with minimal disruption to the organization and its customers

No one wants an expensive security retrofit after an incident occurs. Not only is the cost higher, but it takes a lot longer than when organizations begin early. For this reason, Thales recommends organizations begin taking the very first step immediately to ensure a smooth process, minimize risk, and reduce costs.

Taking the First Step

The first step is to initiate a PQC lab to test your applications, data, and devices that currently use or leverage cryptographic controls. Set up a couple of dedicated roots of trust, provided by Hardware Security Modules, in your data center to test that your key programs run using the PQC algorithms under evaluation by NIST, along with support for Quantum Random Number Generation and, potentially, Quantum Key Distribution. Testing is essential for any changeover in cryptography, as it is best to get it wrong in a lab environment so you don’t create disruption within your organization (or to your customers). Otherwise, there is a very high risk of organization-wide downtime or data breaches.

To make it as easy as possible for our customers, Thales, along with our partner Quantinuum, has created a PQC Starter Kit that combines our Luna HSMs with some of our technology partner integrations to enable customers to quickly, easily, and cost-effectively begin testing Post-Quantum Cryptography within their organization on their data, devices, and applications. Moving beyond the theoretical and into the practical is where Thales and its partners are striving to help organizations navigate through this overhaul in cryptography, as discussed in another recent blog with IBM.

But don’t just take our word for it: read the customer case study about a large financial services organization that implemented the PQC Starter Kit from Thales and its partners to address the risks associated with the changeover.

Don’t delay – begin to get ready for PQC today.