QuSecure arrives at the post-quantum cryptography party

Everyone is talking about post-quantum cryptography (PQC), the batch of algorithms and related solutions that will be required to head off potential cybersecurity attacks originating from quantum computers.

And by “everyone” we mean the National Institute of Standards and Technology, which is due (actually overdue) to release a list of new PQC encryption standards; the Biden White House, which recently set requirements for federal government agencies to adopt PQC; Congress, not only in the Endless Frontier Act, but also a newer bill from Reps. Ro Khanna, Gerry Connolly and Nancy Mace; and a whole bunch of technology companies looking to address the migration from older encryption techniques like RSA to new PQC solutions.

This group includes firms like Sandbox AQ, which recently was spun off from Google owner Alphabet, and now QuSecure. That San Mateo, California-based firm announced its entry into the PQC sweepstakes earlier this week with what it described as an end-to-end PQC encryption platform that addresses the important, and possibly until now somewhat overlooked, aspect of orchestration.

Skip Sanzeri, who fills multiple roles–founder, COO, chief revenue officer, chairman of the board–at QuSecure, told Fierce Electronics, “A lot of companies have point solutions that solve a piece of the problem, but we feel enterprise and government need a full orchestration layer which allows them to do full management and policy management. That’s our easy button for navigating this post-quantum environment.”

The company’s QuProtect offering uses an end-to-end quantum security as-a-service (QSaaS) architecture that combines Zero Trust security and PQC, as well as “quantum-strength keys, high availability, easy deployment, and active defense into a comprehensive and interoperable cybersecurity suite. The end-to-end approach is designed around the entire data lifecycle as data is stored, communicated, and used,” according to a QuSecure statement.

Sanzeri added, “We are able to secure any endpoint and create a quantum channel with encryption that is post-quantum. We can't do a rip-and-replace. It’s not like an enterprise can just tear out a bunch of stuff like it’s Legos. So we built a protocol switch which allows us to be backwards compatible, and that means that we can translate between a quantum layer and a TLS [transport layer security] layer really, really easily. And that means that enterprises can do this at their pace.”

QuSecure is coming out of the gate already touting relationships with customers such as Franklin Templeton and the U.S. Department of Defense, with which it has several projects. As a way of illustrating how quickly some organizations are moving to adopt quantum-resistant cryptography, Sanzeri said QuSecure in recent weeks signed on a “billion-dollar company” as a customer “in three days,” and already is starting on the project.

The only challenge with PQC is that the goalposts may move when NIST announces its PQC standards. That announcement has been expected for weeks by many in the quantum sector. Security companies for now are either offering their own flavors of quantum-resistant solutions, or the standard-candidate algorithms, or perhaps both. The final list of standards is in question because at least one of them was successfully hacked by an IBM team evaluating it, but Sanzeri said that standards are a key gating factor to the market opportunity.

“We have to support them because no government agency or large enterprise is going to adopt post quantum cybersecurity without using these standards,” he said. “So if anybody's operating outside of that, developing algorithms that aren't approved by NIST, I think it's largely a waste of time. But that’s why we built in what we call crypto agility. So we already built all these finalists into our system so it won't matter which ones are approved. We can install all of them and use all of them.”
