
From Risk to Readiness: Why Quantum-Safe IAM Demands Immediate Action


Quantum computing hasn't gone mainstream yet, but signs increasingly suggest that it may do so soon. Some researchers and industry experts estimate that we could see significant breakthroughs as early as the next decade. This anticipated shift is often referred to as Y2Q, by analogy with the Y2K problem we faced at the turn of the millennium. While the timeline remains uncertain, the growing pace of research and investment in the field makes it important to start considering the practical implications now, especially in areas like cybersecurity and data protection.

That being said, organisations are already dealing with several pressing challenges. This raises the question: as developers and architects, should we already be worrying about the potential implications of quantum computing, or can we afford to wait until quantum computing becomes mainstream as we did with AI? The answer is that quantum computing poses an immediate risk that demands our attention now.

Standing on the shoulders of giants

Our lives today are deeply entangled with digital technologies, whether we actively use them as individuals or not. From communication, banking, finance, education, and entertainment to healthcare, transportation, supply chains, work, and even our social lives, every aspect is so closely integrated with the digital world that imagining life without the Internet feels impossible. The 2024 Windows security software outage, which disrupted airlines, banks, broadcasters, healthcare providers, and retail payments, clearly demonstrated just how interconnected our lives have become with digital infrastructure.

We continue to live comfortably in this digital world because we've been assured that our data and activities are relatively safe. That sense of safety is made possible by a range of underlying systems, with foundational digital infrastructure playing a major role in delivering the security and privacy we depend on. Among these, public key infrastructure (PKI) stands out as a key enabler. It powers many of the security and privacy features we rely on in our digital applications, things like TLS, encryption, digital signatures, digital certificates, secure messaging, and cryptocurrencies.

Harvest now, decrypt later!

One major challenge organisations are facing is that the long-trusted algorithms used as fundamental building blocks of modern cryptography, such as RSA, Elliptic Curve Cryptography (ECC), and SHA-256, won't hold up against the power of quantum computing. These algorithms, once considered practically unbreakable due to the limitations of classical computers, could be broken relatively easily with the capabilities that quantum machines are expected to bring. It's not just some distant sci-fi threat; realistically, we're looking at quantum computing becoming mainstream within the next 10 years.

Even if encrypted data is secure today, it may not remain that way for long. If an attacker manages to steal encrypted data now, they might not be able to decrypt it with current classical supercomputers or even the quantum machines we have today. But that could change rapidly as quantum computing matures. This tactic, often referred to as "harvest now, decrypt later", is exactly what it sounds like: collect sensitive data today with the intent of breaking its encryption once the technology catches up.

In other words, data that appears secure under today's cryptographic standards might eventually become vulnerable, leaving organisations exposed in the future. This looming possibility is already becoming a strong motivation for malicious actors to ramp up efforts to harvest encrypted data, anticipating the moment when quantum capabilities make it accessible.

Quantum-safe future

This threat gave rise to an entirely new area of research focused on mathematical problems believed to be hard to solve, even with quantum computers, such as lattice-based and code-based problems. This emerging area of research is called Post-Quantum Cryptography (PQC). The goal of PQC is to develop cryptographic techniques that are secure even in the presence of powerful quantum computers. The good news is that this work is already underway. Organisations like NIST have taken the lead in standardising quantum-safe algorithms, and open-source initiatives such as the Open Quantum Safe (OQS) project are actively working on implementing these new algorithms in usable software libraries. While quantum computers are still developing, quantum-safe algorithms are evolving in parallel.

A few notable quantum-safe algorithms that have already been standardised and are considered future-ready include: FIPS 203 - Module-Lattice-Based Key-Encapsulation Mechanism Standard (ML-KEM), FIPS 204 - Module-Lattice-Based Digital Signature Standard (ML-DSA), and FIPS 205 - Stateless Hash-Based Digital Signature Standard (SLH-DSA).

However, one important point to remember is that as quantum computing advances rapidly, post-quantum cryptography is evolving too. This means organisations can't rely on a single set of cryptographic algorithms forever; they need the flexibility to adopt new ones as needed with minimal effort. This adaptability is known as crypto agility, and planning for and achieving it within an organisation is critical.
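As an added example that is not part of the article, the following Python script turns the reasoning of the "harvest now, decrypt later" section and the crypto agility paragraph above into a small cryptographic inventory triage, the first step of any agility plan: each IAM asset is classified (public-key schemes broken by Shor's algorithm, symmetric keys halved by Grover's search, the FIPS 203/204/205 algorithms quantum-safe) and then checked for whether data it protects would still be sensitive once a quantum computer arrives. The 10-year horizon is taken from the article's own estimate, while the `Asset` type, the classification sets and the sample inventory are assumptions constructed for this illustration.

```python
from dataclasses import dataclass

# Public-key primitives that Shor's algorithm breaks on a large quantum computer.
SHOR_BROKEN = {"RSA", "ECDSA", "ECDH", "X25519", "Ed25519", "DH"}
# The NIST PQC standards named in the article (FIPS 203 / 204 / 205).
QUANTUM_SAFE = {"ML-KEM", "ML-DSA", "SLH-DSA"}


@dataclass
class Asset:
    name: str
    algorithm: str          # algorithm family, e.g. "RSA", "AES", "ML-KEM"
    key_bits: int
    purpose: str            # "confidentiality" or "signature"
    shelf_life_years: int   # how long the protected data or decision stays sensitive


def classify(asset: Asset) -> str:
    """'safe', 'broken' (Shor) or 'reduced' (Grover halves symmetric strength)."""
    if asset.algorithm in QUANTUM_SAFE:
        return "safe"
    if asset.algorithm in SHOR_BROKEN:
        return "broken"
    # Anything else is treated as a symmetric cipher: Grover leaves ~key_bits/2 bits.
    return "safe" if asset.key_bits // 2 >= 128 else "reduced"


def hndl_exposed(asset: Asset, migration_years: int, y2q_years: int = 10) -> bool:
    """True if this asset's protection can fail before the data stops mattering."""
    if classify(asset) == "safe":
        return False
    if asset.purpose == "confidentiality":
        # Ciphertext recorded today is readable after Y2Q (harvest now, decrypt later).
        return asset.shelf_life_years + migration_years > y2q_years
    # Signatures cannot be harvested: only forgeries made after Y2Q matter.
    return migration_years > y2q_years


def triage(assets, migration_years: int) -> dict:
    """Map asset name -> (classification, exposed)."""
    return {a.name: (classify(a), hndl_exposed(a, migration_years)) for a in assets}


# Constructed sample inventory for an IAM deployment (illustrative, not real config).
SAMPLE_ASSETS = [
    Asset("tls-key-exchange", "X25519", 256, "confidentiality", 5),
    Asset("jwt-signing-key", "RSA", 2048, "signature", 1),
    Asset("client-secret-store", "AES", 128, "confidentiality", 8),
    Asset("userstore-password-enc", "AES", 256, "confidentiality", 8),
    Asset("pq-tls-key-exchange", "ML-KEM", 768, "confidentiality", 5),
]
```

Running `triage(SAMPLE_ASSETS, migration_years=3)` flags the AES-128 secret store, and raising the migration estimate to six years additionally flags the classical TLS key exchange, which is the timing argument the article makes.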

Quantum-safe IAM

Quantum-safety is important for virtually every digital application, but its significance becomes critical when it comes to an organisation's Identity and Access Management (IAM) solution. IAM systems are deeply rooted in cryptography at every level. From hashing passwords and encrypting sensitive user data to signing and encrypting security tokens and ensuring secure communication over encrypted channels, they heavily depend on the integrity of cryptographic algorithms. Every request to and from an IAM system typically passes through a secure, encrypted channel to prevent tampering or interception.

Furthermore, IAM solutions act as the gatekeepers to a business's entire ecosystem. They authenticate users and manage access to an organisation's most critical systems. That means if an attacker compromises the IAM layer, they potentially gain access to everything behind it: personal data, business logic, confidential operations. This makes IAM a high-value target in a quantum-threat world. If today's encryption becomes obsolete due to advances in quantum computing, the IAM layer could become the weakest link, putting both user privacy and the entire digital infrastructure of the business at serious risk. That's why ensuring quantum-safety as well as crypto-agility is of foremost importance in IAM.

Quantum-safe TLS and symmetric encryption

Choosing a vendor that provides platform support for inbound quantum-safe TLS connections is important, as this enables a gradual adoption of post-quantum cryptography without requiring major architectural changes.

Additionally, vendors should employ symmetric encryption internally for a variety of tasks, including securing passwords for secondary user store connections, credentials for event publishers, and passwords and client secrets for federated authenticators.

To enhance quantum safety, platforms should configure AES-256, which is widely recognised as strong enough to withstand current quantum threats. Additionally, these vendors should continuously evaluate emerging cryptographic algorithms and incorporate support for new standards as they mature.

Preparing for a Quantum Future

Quantum computing, while an exciting technological advance, also poses a serious threat to our current cryptographic standards. The "harvest now, decrypt later" tactic makes it clear that organisations can no longer rely solely on traditional algorithms like RSA, Elliptic Curve, and SHA-256, as they could become easily breakable in the not-so-distant future.

That's where Post-Quantum Cryptography (PQC) steps in. New standards like ML-KEM, ML-DSA, and SLH-DSA offer strong quantum-resistant alternatives. But simply switching algorithms isn't enough; organisations also need crypto agility, the ability to adopt and integrate new cryptographic methods quickly and with minimal friction as the landscape evolves.

For identity and access management (IAM) systems, this combination of quantum-safety and crypto-agility is critical.