By Jen Sovada, President, Public Sector, SandboxAQ
The latest cybersecurity buzz phrases, “post-quantum cryptography” and “zero trust”, are increasingly discussed across government offices, among conference ballrooms, and on media websites–but how are they linked, and are there solutions that answer requirements for both?
The White House released several related mandates in the past two years that provide requirements and timelines for organizations to gradually evolve and effectively safeguard U.S. government IT systems and sensitive data. The 2021 Executive Order on Improving the Nation’s Cybersecurity focused heavily on advancing Zero Trust Architecture (ZTA) and included directives for all federal agencies to develop ZTA implementation plans. And in October 2022, the DoD CIO office released the Department’s Zero Trust Strategy, which lists dozens of capabilities needed to help the Department achieve what it has dubbed “targeted zero trust.” In May 2022, the White House issued NSM-10 on mitigating risks to vulnerable cryptographic systems, which was followed in November 2022 by an OMB memo that included requirements for each federal agency to designate a cryptographic inventory and migration lead, submit a prioritized inventory of quantum-vulnerable cryptographic systems, and submit an assessment of the funding required to migrate the systems inventoried to post-quantum cryptography (PQC). Also, late last year, President Biden signed the Quantum Computing Cybersecurity Preparedness Act, which cements into law the requirement to migrate federal IT systems to PQC. Yet many stakeholders still lack a comprehensive understanding of what ZTA and PQC are and how they are connected.
The National Institute of Standards and Technology (NIST) describes zero trust as a guiding paradigm for cybersecurity experts that focuses on the end user (and their devices and applications) and requires a migration in mindset from “Trust, but verify” to “Never trust, always verify.” Meanwhile, PQC is often described as protecting sensitive, encrypted data by migrating from today’s public-key cryptography to a new series of NIST-approved cryptographic algorithms designed to resist attacks by fault-tolerant quantum computers. While global powers and the private sector race to build the first capable quantum computers, for many in government, PQC enables migration to new standards while also protecting against “store now, decrypt later” (SNDL) attacks already underway by nation-states and other adversaries in anticipation of this milestone. This is not a minor concern–the eventual decryption of sensitive data from SNDL attacks could lead to national security breaches, critical infrastructure failures, and loss of intellectual and personal property.
With such a flurry of comprehensive initiatives coming from the Executive Branch, Pentagon, and NIST, it can be challenging for U.S. government CIOs and CISOs to determine where to prioritize resources, but ZTA and PQC aren’t mutually exclusive: effective, agile cryptography forms the basis of zero trust principles and eases PQC adoption.
Trust is the factor that unifies ZTA and PQC. Implementation of both will require trusted identity, access, and encryption that wrap around next-generation cybersecurity architectures using continuous monitoring. Cryptography–and more importantly, cryptographic agility enabled by PQC–offers a foundation for ZTA in a post-quantum world. Security systems built with crypto-agility in mind are designed to rapidly incorporate new cryptographic protocols without requiring significant changes to the system’s infrastructure. The process of securing data from quantum and other emerging threats is continuous. Organizations that build crypto-agile IT architectures will be empowered to maintain complete control over cryptographic processes and to implement seamless updates, for example, as certain algorithms are cracked, and new ones are introduced and standardized.
The first crucial component of ZTA is explicit verification: using all available data about entities requesting access. This is the bridge that connects the security principles of ZTA and PQC. Explicit verification requires vigilant identity management, which includes authentication mechanisms and authorization procedures. These mechanisms and procedures require robust cryptographic algorithms, protocols, and architectures to perform cryptographic validation, which is essential to guarantee confidentiality, integrity, authenticity, availability, and non-repudiation.
Necessary elements of a true zero trust architecture are the ability to reliably control the cryptography in use as well as the flexibility in architectures, software, or hardware to adapt or modify the underlying cryptography with new approaches as they are developed and standardized. In this way, PQC and crypto-agility are fundamental pillars in the protection of endpoints, apps, infrastructure, and network traffic.
Pairing ZTA with PQC enables IT professionals to implement flexible security protocols for seamless modernization and adaptation in the face of persistent adversaries.
The DoD Zero Trust Strategy recommends the simplification and automation of governance, stating: “Establish appropriate governance controls that continuously modernize the existing fragmented approaches to data management, IT modernization, and cybersecurity policies and solutions.”
ZTA and crypto-agile PQC are both based on the principles of explicit verification, presumption of breach, and continuous modernization, which makes it logical and efficient to incorporate both under the same architecture to leverage the essential–and soon-to-be legally required–cybersecurity advantages PQC offers any federal organization.
ZTA alone is not enough to protect government networks and systems. PQC enables crypto-agility and delivers quantum-resistant cryptography now and into the future.