The threat of quantum computing, coupled with the escalating number of machine identities, is creating a significant cybersecurity challenge that demands immediate attention. Organizations must recognize the current vulnerabilities and prepare for a future where today’s security measures are inadequate.
While the timeline for a cryptographically relevant quantum computer (one able to run Shor's algorithm against real-world RSA and elliptic-curve keys) is debated, sophisticated adversaries are already engaging in Harvest Now, Decrypt Later (HNDL) attacks. This involves intercepting and storing encrypted data with the intention of decrypting it once quantum computers become powerful enough. The exposure is concentrated in the key exchange: a recorded TLS session whose key was agreed with RSA or ECDH can be unwrapped later, whereas the symmetric ciphers protecting the payload (AES-256, for example) are not broken in the same way. Kevin Bocek, senior vice president of innovation at CyberArk, emphasizes that this threat extends beyond network security to encompass databases and all stored data.
Nation-state actors are actively collecting encrypted traffic covering financial transactions, intellectual property, and military communications, anticipating that the cryptography protecting it today will be broken in the future. The practical question for defenders is therefore not when the machine arrives but how long each class of data must stay confidential after it was transmitted.
Even before the advent of quantum computers, organizations are struggling with basic certificate management. A significant percentage of IT professionals report monthly outages caused by expired or mis-issued certificates, highlighting the scale of the problem. Furthermore, the CA/Browser Forum has adopted a phased reduction of the maximum lifetime of publicly trusted TLS certificates, from the current 398 days down to 47 days by 2029 (ballot SC-081), which makes manual renewal impractical and significantly increases the workload for security teams that have not automated issuance.
This change has major implications for IoT devices. Many are deployed with long-term or non-expiring certificates, and many cannot rotate credentials without a firmware update or physical access, so anything that depends on a publicly trusted certificate will need an automated renewal path. The shorter public lifetimes do not apply to private PKI, but a device certificate that never expires means a compromised key is never aged out. Bocek warns that this creates an opportunity for adversaries to compromise networks of devices in the future.
The potential consequences of neglecting certificate management are dire, including compromised medical devices, vulnerable industrial control systems, and smart city infrastructure being exploited.
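The audit described in the preceding paragraphs reduces to a few checks over every certificate you can find: is it expired or about to expire, does its validity period exceed the 47-day public TLS maximum, and is it effectively non-expiring. The following Go program is an added example written for this page, not code from CyberArk or from the article; it mints a handful of constructed self-signed certificates with the Go standard library, runs those checks over the PEM bundle, and returns the findings. The 20-year "non-expiring" threshold and the 14-day renewal window are assumptions chosen for the example; the 47-day figure is the CA/Browser Forum's eventual public TLS maximum and is flagged for review rather than treated as a hard failure, since private-PKI certificates are not bound by it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Eventual maximum validity for publicly trusted TLS certificates (CA/B Forum SC-081).
const maxPublicLifetime = 47 * 24 * time.Hour

// Anything valid for longer than this is treated as effectively non-expiring.
// Assumption for this example; tune to your own policy.
const nonExpiringHorizon = 20 * 365 * 24 * time.Hour

// Finding is the audit result for one certificate in the bundle.
type Finding struct {
	Subject  string
	Lifetime time.Duration
	Problems []string
}

// AuditPEM parses every CERTIFICATE block in pemData and checks each one
// relative to now (injected, so results are reproducible) and renewWindow.
func AuditPEM(pemData []byte, now time.Time, renewWindow time.Duration) ([]Finding, error) {
	var out []Finding
	rest := pemData
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break // no more PEM blocks
		}
		if block.Type != "CERTIFICATE" {
			continue // skip keys or other material in the same file
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parse certificate: %w", err)
		}
		f := Finding{Subject: cert.Subject.CommonName, Lifetime: cert.NotAfter.Sub(cert.NotBefore)}
		if now.After(cert.NotAfter) {
			f.Problems = append(f.Problems, "expired")
		} else if cert.NotAfter.Sub(now) < renewWindow {
			f.Problems = append(f.Problems, "expires within renewal window")
		}
		if f.Lifetime > maxPublicLifetime {
			// Not a violation for private PKI, but worth a review either way.
			f.Problems = append(f.Problems, "lifetime exceeds 47-day public TLS maximum")
		}
		if f.Lifetime > nonExpiringHorizon {
			f.Problems = append(f.Problems, "effectively non-expiring")
		}
		out = append(out, f)
	}
	return out, nil
}

// selfSigned mints a constructed self-signed certificate for cn with the given
// validity window. It exists only to build sample input for the audit.
func selfSigned(cn string, notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// SampleBundle returns four constructed certificates (hypothetical names):
// a compliant 47-day cert close to expiry, a legacy 398-day cert, an IoT-style
// cert valid until 2099, and one that has already expired.
func SampleBundle(now time.Time) ([]byte, error) {
	day := 24 * time.Hour
	specs := []struct {
		cn     string
		nb, na time.Time
	}{
		{"api.example.test", now.Add(-40 * day), now.Add(7 * day)},
		{"legacy.example.test", now.Add(-100 * day), now.Add(298 * day)},
		{"sensor-0042.iot.example.test", time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC), time.Date(2099, 12, 31, 0, 0, 0, 0, time.UTC)},
		{"old.example.test", now.Add(-60 * day), now.Add(-13 * day)},
	}
	var bundle []byte
	for _, s := range specs {
		p, err := selfSigned(s.cn, s.nb, s.na)
		if err != nil {
			return nil, err
		}
		bundle = append(bundle, p...)
	}
	return bundle, nil
}

func main() {
	now := time.Date(2025, 6, 1, 12, 0, 0, 0, time.UTC)
	bundle, err := SampleBundle(now)
	if err != nil {
		panic(err)
	}
	findings, err := AuditPEM(bundle, now, 14*24*time.Hour)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-32s lifetime=%4.0fd problems=%v\n", f.Subject, f.Lifetime.Hours()/24, f.Problems)
	}
}
```

In a real deployment the bundle would come from wherever certificates actually live (load balancers, Kubernetes secrets, device fleets, code-signing stores), and the findings would feed a ticketing or renewal system rather than stdout; the point is that the checks are mechanical and belong in automation, not a spreadsheet.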
The long-term solution to the quantum threat lies in post-quantum cryptography (PQC), a new generation of algorithms designed to withstand both classical and quantum attacks. The U.S. National Institute of Standards and Technology (NIST) led a global effort to standardize these algorithms and published the first three standards in August 2024, two of them lattice-based and one hash-based.
Key standards include ML-KEM (FIPS 203, derived from CRYSTALS-Kyber), a key encapsulation mechanism that takes over the role of RSA and ECDH key exchange, and ML-DSA (FIPS 204, derived from CRYSTALS-Dilithium) for digital signatures, which will replace existing algorithms like RSA and ECDSA. Migrating key exchange is the priority because that is what HNDL collection targets; signatures only need to be quantum-safe before a capable machine exists.
Adopting PQC requires a comprehensive, multi-year overhaul of infrastructure, not just a simple algorithm swap: PQC keys, signatures and ciphertexts are far larger than their classical counterparts, which affects handshake sizes, packet limits, HSM firmware and anything that hard-codes key lengths. Organizations need a "crypto-agile" strategy, transitioning through hybrid schemes that combine classical and PQC key pairs so that a weakness in either component does not expose the session. In practice, hybrid key exchange (X25519 combined with ML-KEM-768) is already deployed in TLS 1.3 by major browsers and TLS libraries, while hybrid or composite certificates that carry both a classical and a PQC signature are still being standardized.
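The hybrid key exchange just described, as an added example written for this page rather than code from the article or from CyberArk. It follows the message layout of the TLS X25519MLKEM768 key share (ML-KEM-768 encapsulation key followed by the X25519 public key from the client; ML-KEM ciphertext followed by the server's X25519 public key in reply) using Go's standard library `crypto/mlkem` and `crypto/ecdh`, which requires Go 1.24 or later. The combiner that feeds both shared secrets and the transcript into HKDF-SHA256, and the `hybrid-example-v1` label, are assumptions for this example; real TLS runs the secrets through its own key schedule. The tamper case at the end shows ML-KEM's implicit rejection: a corrupted ciphertext does not raise an error, it silently yields a different key, so a handshake must still authenticate the result rather than rely on decapsulation failing.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// hkdf is a minimal HKDF-SHA256 (RFC 5869) producing a single 32-byte block.
func hkdf(ikm, salt, info []byte) []byte {
	ext := hmac.New(sha256.New, salt)
	ext.Write(ikm)
	prk := ext.Sum(nil)
	exp := hmac.New(sha256.New, prk)
	exp.Write(info)
	exp.Write([]byte{1})
	return exp.Sum(nil)
}

// deriveKey is the hybrid combiner (assumption for this example): both shared
// secrets and the full transcript go into the KDF, so an attacker who breaks
// only one of the two primitives still learns nothing about the output.
func deriveKey(ssKem, ssX, transcript []byte) []byte {
	ikm := append(append([]byte{}, ssKem...), ssX...)
	info := append([]byte("hybrid-example-v1"), transcript...)
	return hkdf(ikm, nil, info)
}

// ClientState carries the client's ephemeral secrets between the two flights.
type ClientState struct {
	x25519 *ecdh.PrivateKey
	mlkem  *mlkem.DecapsulationKey768
	share  []byte
}

// ClientHello builds the client key share: ML-KEM-768 encapsulation key || X25519 public key.
func ClientHello() (*ClientState, []byte, error) {
	xk, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	dk, err := mlkem.GenerateKey768()
	if err != nil {
		return nil, nil, err
	}
	share := append(append([]byte{}, dk.EncapsulationKey().Bytes()...), xk.PublicKey().Bytes()...)
	return &ClientState{x25519: xk, mlkem: dk, share: share}, share, nil
}

// ServerHello consumes the client share, encapsulates to the ML-KEM key,
// completes X25519, and returns its reply (ciphertext || X25519 public key)
// together with the traffic key it derived.
func ServerHello(clientShare []byte) (reply, key []byte, err error) {
	if len(clientShare) != mlkem.EncapsulationKeySize768+32 {
		return nil, nil, errors.New("bad client share length")
	}
	ek, err := mlkem.NewEncapsulationKey768(clientShare[:mlkem.EncapsulationKeySize768])
	if err != nil {
		return nil, nil, err
	}
	cpub, err := ecdh.X25519().NewPublicKey(clientShare[mlkem.EncapsulationKeySize768:])
	if err != nil {
		return nil, nil, err
	}
	sk, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	ssKem, ct := ek.Encapsulate()
	ssX, err := sk.ECDH(cpub)
	if err != nil {
		return nil, nil, err
	}
	reply = append(append([]byte{}, ct...), sk.PublicKey().Bytes()...)
	transcript := append(append([]byte{}, clientShare...), reply...)
	return reply, deriveKey(ssKem, ssX, transcript), nil
}

// ClientFinish decapsulates the server's ciphertext, completes X25519 and
// derives the same traffic key the server holds.
func ClientFinish(st *ClientState, reply []byte) ([]byte, error) {
	if len(reply) != mlkem.CiphertextSize768+32 {
		return nil, errors.New("bad server reply length")
	}
	ssKem, err := st.mlkem.Decapsulate(reply[:mlkem.CiphertextSize768])
	if err != nil {
		return nil, err
	}
	spub, err := ecdh.X25519().NewPublicKey(reply[mlkem.CiphertextSize768:])
	if err != nil {
		return nil, err
	}
	ssX, err := st.x25519.ECDH(spub)
	if err != nil {
		return nil, err
	}
	transcript := append(append([]byte{}, st.share...), reply...)
	return deriveKey(ssKem, ssX, transcript), nil
}

func main() {
	st, share, err := ClientHello()
	if err != nil {
		panic(err)
	}
	reply, serverKey, err := ServerHello(share)
	if err != nil {
		panic(err)
	}
	clientKey, err := ClientFinish(st, reply)
	if err != nil {
		panic(err)
	}
	fmt.Printf("client share %d bytes, server reply %d bytes, keys match: %v\n",
		len(share), len(reply), bytes.Equal(clientKey, serverKey))
	tampered := append([]byte{}, reply...)
	tampered[0] ^= 0x01 // corrupt one byte of the ML-KEM ciphertext
	badKey, err := ClientFinish(st, tampered)
	fmt.Printf("tampered ciphertext: err=%v, key matches: %v\n", err, bytes.Equal(badKey, serverKey))
}
```

The share sizes printed (1216 bytes from the client, 1120 from the server) are the practical cost of the hybrid: a classical X25519 share is 32 bytes, so middleboxes, MTU assumptions and handshake buffers that were sized for the old world are exactly the kind of thing a crypto-agility program has to inventory.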
Beyond the quantum threat and certificate management challenges, organizations are struggling with the sheer scale and complexity of machine identities. These identities now significantly outnumber human identities, creating new challenges for security teams.
Machine identities are characterized by volume, velocity, and variety. Their numbers far exceed human identities, and they are created and destroyed rapidly. The types of identities also vary widely, from IoT devices to cloud functions.
Traditional security models struggle to cope with this complexity, making it essential to adopt new approaches to machine identity management: automated discovery and inventory, short-lived credentials issued and renewed without human involvement, and revocation that actually reaches the workload. Kevin Bocek of CyberArk notes the inadequacy of using spreadsheets to manage API keys and digital certificates.
We are on the verge of a major shift in cryptography, the first since public-key cryptography arrived nearly 50 years ago. Unlike Y2K, there is no fixed deadline and no single cut-over: adversaries are already harvesting data, the certificate crisis is unfolding, and machine identity blind spots exist today.
While some vendors are taking proactive steps, such as CyberArk's experimentation with PQC and the contribution of cert-manager to the Cloud Native Computing Foundation (originally donated by Jetstack, which became part of CyberArk through the Venafi acquisition), overall preparedness remains low.
In 2024, only a minority of organizations were actively preparing for post-quantum cryptography, while most had experienced identity-related incidents and machine account takeovers. Organizations need to recognize the urgency of the situation.
The decisions made today will determine an organization’s security posture in the future. Ignoring the impending quantum threat and failing to address certificate and machine identity management issues will leave organizations vulnerable to attack.