July 30, 2023

Post-Quantum Cryptography Will Strengthen Zero Trust Architecture

QNu Labs

Cyberattacks can lead to devastating losses of money, trust, and reputation. So, companies have an intrinsic incentive to strengthen their security set-up. Cyber-resilience starts at the root – the IT security architecture. The IT security architecture determines how technical security measures are established within the overall enterprise architecture, aligning internal and external requirements. The security architecture addresses the entire life cycle of (electronic) data – from data generation, usage, transfer, and storage to archiving and destruction – and it covers all components, including physical or virtualised client and server endpoints, IT and business applications, IT platforms and infrastructure, as well as the network that connects all the various resources.

Perimeter enforcement alone is no longer sufficient, because many devices on a network have their own access to the internet. If one of those devices is compromised, the attacker can reach the corporate network without ever passing through the perimeter. A new paradigm is therefore required: Zero Trust.

The Basics of Zero Trust

Zero trust focuses on resource protection and on the premise that trust is never granted implicitly but must be continually evaluated. Zero trust architecture is an end-to-end approach to enterprise resource and data security that encompasses identity (person and non-person entities), credentials, access management, operations, endpoints, hosting environments, and the interconnecting infrastructure.

Zero trust architecture (ZTA) is an enterprise’s cybersecurity plan that applies zero trust concepts and encompasses component relationships, workflow planning, and access policies. A zero trust enterprise is, accordingly, the network infrastructure (physical and virtual) and the operational policies that are in place for an enterprise as the product of a zero trust architecture plan.

Unlike purely perimeter-based security, Zero Trust promotes a micro-perimeter approach based on user access, data location, and the application hosting model. Within this micro-segmented network, sensitive data is protected, and every access is verified and requires authorisation. Zero Trust is thus a very good way of modernising network security in times of mobile workforces and externally hosted IT services.

How will Post-Quantum Cryptography (PQC) Help ZTA?

PQC might strengthen the areas of zero trust network access (ZTNA) where attackers are always searching for weaknesses. Identity and access management (IAM), multifactor authentication (MFA), micro-segmentation, and data security are areas where PQC can strengthen an organization’s zero-trust framework.

Trust is what unites zero trust architecture (ZTA) and PQC. Implementing both will require trusted identity, access, and encryption, backed by continuous monitoring, in next-generation cybersecurity architectures. The cryptographic agility that a PQC migration forces organisations to build offers a foundation for ZTA in a post-quantum world.
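Cryptographic agility in practice means that the algorithm is carried as an identifier alongside the protected data, and that a policy, not the caller, decides which suites may be used to produce and to accept messages. The following is an added illustration of that pattern and is not code from QNu Labs or from any of the referenced sources. It assumes a hypothetical suite registry and a hypothetical `AgilityPolicy`; because the standard library has no post-quantum signature scheme, two HMAC constructions stand in for the "classical" and "post-quantum" primitives, so the example shows the migration plumbing (sign only with the new suite, accept the old one for a bounded window, reject downgrades and unknown suites), not quantum resistance itself.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional


@dataclass(frozen=True)
class Suite:
    """A registered integrity primitive, addressed by a stable identifier."""
    name: str
    tag: Callable[[bytes, bytes], bytes]  # (key, message) -> authentication tag


def _hmac_suite(digest) -> Callable[[bytes, bytes], bytes]:
    return lambda key, msg: hmac.new(key, msg, digest).digest()


# Hypothetical registry. Adding a suite is a one-line change here plus a policy
# update; callers never name an algorithm directly. (Stand-ins for real schemes.)
SUITES: Dict[str, Suite] = {
    "classic-v1": Suite("classic-v1", _hmac_suite(hashlib.sha256)),
    "pq-v2": Suite("pq-v2", _hmac_suite(hashlib.sha3_512)),
}


@dataclass(frozen=True)
class AgilityPolicy:
    """Which suite new messages use, and which suites are still accepted."""
    sign_with: str
    accept: FrozenSet[str]

    def __post_init__(self) -> None:
        if self.sign_with not in self.accept:
            raise ValueError("policy must accept the suite it signs with")
        unknown = self.accept - SUITES.keys()
        if unknown:
            raise ValueError(f"unregistered suites in policy: {sorted(unknown)}")


def protect(policy: AgilityPolicy, keys: Dict[str, bytes], payload: bytes) -> bytes:
    """Wrap payload in an envelope that names the suite used to tag it."""
    suite = SUITES[policy.sign_with]
    tag = suite.tag(keys[suite.name], payload)
    envelope = {"suite": suite.name, "payload": payload.hex(), "tag": tag.hex()}
    return json.dumps(envelope).encode()


def verify(policy: AgilityPolicy, keys: Dict[str, bytes], envelope: bytes) -> Optional[bytes]:
    """Return the payload if the envelope's suite is permitted and its tag is valid."""
    try:
        env = json.loads(envelope)
        name = env["suite"]
        payload = bytes.fromhex(env["payload"])
        tag = bytes.fromhex(env["tag"])
    except (ValueError, KeyError, TypeError):
        return None
    # Unknown or retired suites are rejected before any cryptography runs; this is
    # what lets an operator switch the old suite off without touching the callers.
    if name not in policy.accept:
        return None
    # Each suite has its own key material, so relabelling an envelope with a
    # different suite name (a downgrade attempt) cannot produce a valid tag.
    expected = SUITES[name].tag(keys[name], payload)
    if not hmac.compare_digest(expected, tag):
        return None
    return payload


# Constructed sample: a migration window in which the PQ suite is mandatory for
# new messages while messages from the legacy suite are still accepted.
KEYS = {"classic-v1": b"legacy-key-material", "pq-v2": b"pq-key-material"}
LEGACY = AgilityPolicy("classic-v1", frozenset({"classic-v1"}))
MIGRATION = AgilityPolicy("pq-v2", frozenset({"classic-v1", "pq-v2"}))
FINAL = AgilityPolicy("pq-v2", frozenset({"pq-v2"}))

if __name__ == "__main__":
    old = protect(LEGACY, KEYS, b"ticket:42")
    new = protect(MIGRATION, KEYS, b"ticket:42")
    print("legacy message during migration:", verify(MIGRATION, KEYS, old))
    print("legacy message after cut-over:  ", verify(FINAL, KEYS, old))
    print("new message after cut-over:     ", verify(FINAL, KEYS, new))
```

The important property is that the cut-over from `MIGRATION` to `FINAL` is a data change, not a code change: the same `verify` function starts refusing the legacy suite, and any message relabelled from `pq-v2` to `classic-v1` fails because the two suites never share key material.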

PQC technologies’ potential for protecting identities is already visible, and that alone is reason enough for CIOs and CISOs to track them. While it is hard to predict when a quantum computer will be able to break today’s encryption algorithms, well-financed cybercriminal gangs and state-funded advanced persistent threat (APT) groups have made it known that they are all-in on attacking those algorithms before the world’s organisations, large-scale enterprises, and governments can react. The urgency to get PQC in place is warranted, because broken encryption would be devastating.

PQC’s quantum-resistant algorithms will harden the encryption technologies on which zero trust’s reliability, stability, and scale depend. They also strengthen confidentiality, integrity, and authentication. By securing data both in transit and at rest, PQC fortifies zero trust. By enabling secure communication among organisations and systems, PQC will help build a zero-trust digital ecosystem, and interoperability keeps connections with partners, suppliers, and customers secure even as the underlying technology changes.

References:

PwC

NIST

VentureBeat