Transcript
I can confidently state that many organizations are actively working on cyber-resilient strategies, plans, and runbooks that include not just their core infrastructure, but also the supply chain components of their business. But at the same time, not many seem to have given the risk exposure from post-quantum computing much thought yet. But having that as a general notion, it's probably because it's probably several years away. But the stark reality is that post-quantum cryptography is definitely on an accelerated timeline. Based on what you're seeing across the industry, what do you think the IT and security leaders should be asking of their technology vendors, their ecosystem players about post-quantum readiness?

Yeah. So I'll probably start with everything being highly connected, whether they be ecosystems or infrastructure. We know everything is really going to be as strong as the weakest link. So it would be great to see other software and technology vendors really implementing post-quantum algorithms and post-quantum resistant encryption across the board to prevent widespread damage. Working with partners, we're starting to see forced security behavior. And I know that many of the customers that I talk to, they first feel uncomfortable about it. But at the end of the day, they understand that everyone's really trying to keep everything from left to right secure.

I completely agree with you on that. And not just that, but I'm also seeing a massive resistance given the kind of performance overheads that post-quantum cryptography imposes. I mean, I can understand the fact that it certainly cannot be a strategy for all the data in an IT landscape. I can definitely see a hybrid cryptographic architectural deployment taking place where you would have the classical side coexisting with the post-quantum cryptography architectures. Certainly the word of the day is going to be crypto agility.
And for me, I sum it up as the ability for a system to quickly and seamlessly switch to the most appropriate cryptographic algorithms or protocols. And with NIST constantly releasing recommendations and providing supportability for them, it's super important for our customers to be secure against these quantum threats. And we built our PQC implementation with crypto agility in mind. As we know, the quantum landscape is going to continue to evolve with better, faster, cheaper algorithms and machines. So it's really important that we provide and extend that capability as the threat landscape continues to change. And as you pointed out, like all encryption, there's some compute penalty. So having access to different algorithms and key lengths is important for us to balance the flexibility between having something that's super secure and something that is also cost effective from a compute standpoint.

Makes perfect sense. So given what we just discussed, what would you think is the first logical, practical step for an organization as they start taking these baby steps towards quantum-resistant security?

I wouldn't frame it as out of possible, right? NIST has been providing guidance for a couple of years now. There's primary and secondary recommendations and we've already made them available. So we strengthen cyber resiliency for today, tomorrow and the foreseeable future because we built these frameworks. It is also worth mentioning that we don't need to understand quantum to enable PQC. We've made it super easy for our customers to implement it. So it's just a checkbox in a group configuration to get protected. But what I would say is if folks really want to start to get down that journey, I would say they should first evaluate long-term sensitive data to understand where they're going to actually use PQC, which again is why crypto agility is super important because you don't have to apply today, you could apply it tomorrow.
But having that capability embedded is super important if you need to make quick pivots. And then sometimes you just discovered a whole bunch of sensitive data. So now you want to quickly have that protected with the latest algorithms. And again, security and cost could be part of that consideration. If you don't know where your sensitive data is, like we talked a lot to customers where they're like, I think I have something here. I know where a lot of like my super high sensitive data is, but I may not know where all of it is. We have capabilities like Cobalt risk analysis that allows you to do data discovery and classification so that you could apply the correct level of encryption to those particular scenarios. And if you don't know what your encryption levels are, you could leverage something like security IQ. So you can see like we're building this ecosystem around really having customers understand their data, understand their levels of encryption and where to find this information. And then again, PQC just becomes part of that. And one of the good things about our post-quantum cryptography as part of the platform or the security part of our platform, it's free. So as long as you're on CPR 2024E or newer, you can enable this immediately. So customers should still remain vigilant against data breaches and threats to the network on infrastructure or data silos. Again, exfiltration is one of those things that you may not be aware of, but you should remain vigilant against those things. And as you can see, like we're really building a solid frame of discovery, recommendations, implementation, and still making sure that customers deploy other controls so that we can provide that total cyber resiliency across the board.