2879: Quantum Horizons: How Thales is Pioneering the Path to Secure Encryption
Tech Talks Daily, April 30, 2024


Is the shift to post-quantum cryptography ushering in a new era of digital security? With the advent of quantum computing, the cryptographic landscape is undergoing a seismic shift, posing significant challenges and opportunities for businesses worldwide.

Today, we're joined by Robert Burns from Thales, a leading global technology and security provider, to discuss the profound impact of quantum computing on cybersecurity.

In this episode, Robert provides an insightful explainer on the state of cybersecurity in the post-quantum era. We delve into how organizations can effectively transition from legacy cryptography to safeguard their sensitive data against future threats. Thales is at the forefront of this evolution, having recently launched the pioneering Post-Quantum Cryptography (PQC) Starter Kit. This kit represents a significant step forward, offering enterprises a unique opportunity to test their crypto agility and preparedness for quantum disruptions within a trusted lab environment.

Robert will share insights into the development of the PQC Starter Kit, how it enables companies to assess and enhance their cryptographic frameworks, and the importance of crypto agility in an era where traditional cryptographic methods are becoming obsolete. With 61% of organizations yet to outline a strategy for a post-quantum world, the necessity for readiness is more pressing than ever.

Join us as we unravel the complexities of quantum-hardened security measures and discuss how Thales is helping enterprises navigate these uncharted waters. As we ponder the future of digital security, one question remains: Are we on the brink of a cryptography revolution that will redefine how we protect our most critical data?

What are your thoughts on the transition to post-quantum cryptography? Do you think your organization is ready for the quantum age? Share your insights with us.

[00:00:00] Have you ever wondered how the advancing field of quantum computing might actually redefine

[00:00:08] the landscape of digital security?

[00:00:10] What happens when quantum computing breaks the cryptography that we all rely on every

[00:00:16] single day in our life and our work?

[00:00:20] Well today we're going to venture into the realm where the cutting edge of technology

[00:00:24] meets the bastion of cyber security.

[00:00:27] And who's joining me?

[00:00:29] Well it's a returning guest, it's the fantastic Bob Burns from Thales and he's going to guide

[00:00:34] us through this complex terrain.

[00:00:36] And as regular listeners will know Bob brings a wealth of expertise from Thales.

[00:00:41] He is a global leader in advanced technologies where he's at the forefront of developing

[00:00:45] solutions that safeguard against that looming quantum threat.

[00:00:50] And in this episode we're also going to dive into the intricacies of post-quantum

[00:00:55] cryptography and a vital field of study that aims to protect our data against the formidable

[00:01:01] processing power of quantum computers.

[00:01:04] And the fact that there is a staggering 61% of organisations that are yet to devise a

[00:01:10] post-quantum strategy, the time to act is now.

[00:01:14] And Bob's going to share his insights into their innovative PQC starter kit which

[00:01:18] is designed so you and your business are fully prepared for that quantum era.

[00:01:22] But we're going to do it all in a language that everyone can understand because I think

[00:01:26] that is the only way that we can ensure that everybody's ready for this.

[00:01:30] So let's embark on this enlightening journey with Bob Burns and understand how today's

[00:01:34] preparations will safeguard tomorrow's security.

[00:01:37] But before we get today's guest on it's time for a quick shout out to these sponsors

[00:01:41] of Tech Talks Daily and in today's digital age where data breaches are all too common,

[00:01:46] securing sensitive information has never been more critical right?

[00:01:50] Well enter Kiteworks, a pinnacle of managed file transfer security or MFT security.

[00:01:57] So with its FedRAMP moderate authorisation, a prestigious certification that they've held

[00:02:02] since 2017 by the Department of Defence, Kiteworks stand as a bastion of security

[00:02:08] and a sea of uncertainty.

[00:02:10] So step into the future of secure file transfer with Kiteworks by visiting Kiteworks.com

[00:02:16] today to see why it's hailed as the most secure MFT on the market.

[00:02:20] So once again, Kiteworks.com and now let's get today's guest on.

[00:02:25] So buckle up and hold on tight as I beam your ears all the way stateside where Bob's

[00:02:30] waiting to join us today.

[00:02:34] So a massive warm welcome back to the show.

[00:02:37] For anyone that missed our last conversation can you just remind everyone listening

[00:02:40] with a little about who you are and what you do?

[00:02:44] Yeah, thanks for having me Neil.

[00:02:46] So I'm Bob Burns, I'm the Chief Security Officer with Thales Cloud Protection and Licensing.

[00:02:52] So me and my teams we look after the security of all our products and services

[00:02:59] from soup to nuts, from cradle to grave and we take a very keen interest in all

[00:03:05] things security including cryptography which is going to be our main topic today.

[00:03:10] Yeah, that's one of the reasons I was excited to get you back on the podcast

[00:03:13] because as you know, we always try and demystify a different topic every single

[00:03:17] day and there's someone that's at the forefront of navigating the transition to

[00:03:21] post quantum cryptography.

[00:03:24] Can you just provide an overview of exactly what PQC is and why it is

[00:03:28] increasingly becoming critical in the era of quantum computing which is I would

[00:03:33] say getting closer and closer but in many aspects it's already here isn't it?

[00:03:37] Yeah, for sure.

[00:03:38] And it is a confusing topic.

[00:03:40] I get this a lot, the word quantum pops up in so many different realms and it invokes

[00:03:46] images of advanced physics and all kinds of other things.

[00:03:50] But in reality for what we're talking about for post quantum is we're really

[00:03:55] trying to address a world where our clever scientists and engineers and

[00:04:01] companies are successful at building a quantum computer which is a different

[00:04:07] form of computing that uses multiple states that has the potential of being

[00:04:12] able to solve some problems that our classical computers can't solve right

[00:04:16] now.

[00:04:17] So a lot of people are hard at work on it, there's a lot of excitement,

[00:04:19] there's a lot of energy in it.

[00:04:21] However, the downside and the danger and the thing that we're concerned

[00:04:26] about with thinking about cryptography is that it is theorized and pretty

[00:04:33] much agreed by most scientists that if a quantum computer does come into

[00:04:40] existence in such a way that it can run the algorithms necessary,

[00:04:45] it would be able to more easily break a lot of the cryptography that we

[00:04:49] rely upon today.

[00:04:51] So what that means is that the algorithms that we use to protect our

[00:04:54] sensitive data, our private data, our communications, our messages,

[00:04:59] our transactions, our financial transactions, all of that could be at risk

[00:05:05] if that were to come about.

[00:05:06] So rather than waiting for that day to come through, we have been

[00:05:12] busily planning and working collectively as an industry and collection

[00:05:16] of experts to come up with primitives that would not be susceptible to the

[00:05:23] same family.

[00:05:24] So that's where post quantum cryptography comes in.

[00:05:27] Well, that's another reason I invited you back on the podcast today,

[00:05:30] because I recently read about the launch of the PQC starter kit by

[00:05:34] Thales, which feels somewhat like a pioneering step towards getting

[00:05:38] that quantum readiness.

[00:05:39] So can you explain what this kit is, how it functions and the kind

[00:05:44] of testing that it enables for enterprises?

[00:05:46] Yeah, yeah, that's a very good point.

[00:05:48] And so as part of this journey of moving towards a world where we have

[00:05:54] to consider the existence of a quantum computer, we need to be able to deploy

[00:06:00] and test these algorithms not just in a lab and not just in a testing

[00:06:05] scenario. We need to be able to see how it operates in a real world

[00:06:10] scenario.

[00:06:11] And to be able to do that, companies and peoples and organizations,

[00:06:15] they need to be able to execute this new cryptography within their

[00:06:21] existing applications and existing infrastructures.

[00:06:23] So that's what this package allows.

[00:06:26] It's a sort of a lower friction way to bring in some quantum algorithms,

[00:06:32] some quantum key distribution and quantum random number generation,

[00:06:35] and try it out with your real applications to integrate it into the real world so

[00:06:40] that you could get an idea of whether or not there are any potential performance

[00:06:45] impacts, whether or not there are some areas where your crypto agility may not be

[00:06:49] up to snuff and other changes need to be made.

[00:06:52] So it's kind of like a way of trying it out in a low risk environment in a way so

[00:06:58] that you can plan for the future once we get the standards published and more

[00:07:03] products support this capability.

[00:07:05] And one of the many reasons I think this kit is so important is a great

[00:07:09] stat out there. It's not a great stat, it's a disappointing stat.

[00:07:13] It's 61% of organizations that they are yet to define a strategy for a post

[00:07:19] quantum world.

[00:07:20] So for those people that are listening, probably shaking their head in agreement.

[00:07:24] How does this starter kit help these organizations test their crypto agility

[00:07:29] and preparedness for this future of quantum computing threats that are

[00:07:33] probably weighing on the horizon?

[00:07:35] Yeah, that's a great question.

[00:07:37] And the kit is a very important part, but I would encourage folks, if you

[00:07:41] haven't gone through the thought exercise of being able to at least

[00:07:46] assess what your exposure is with respect to crypto agility or your ability

[00:07:53] to swap to post quantum algorithms.

[00:07:56] We also offer a post quantum readiness survey.

[00:08:00] It's just a simple web form with 16 questions that kind of walks you

[00:08:04] through some of the high level things you should be considering about things

[00:08:08] like where is your data?

[00:08:10] Do you know the sensitivity of that data?

[00:08:13] Do you know the lifetime of that data?

[00:08:15] And it walks you through that and sort of gives you a little bit of a temperature

[00:08:18] gauge just to give you a litmus test of saying, hey, where are you in the cycle?

[00:08:24] Is it still very early for you and you've got more work to do?

[00:08:27] Are you actually more mature and have a lot of things in place?

[00:08:31] So with that, you can then jump over to our readiness kit, which then allows

[00:08:38] you to be able to try this stuff out.

[00:08:40] So it actually gives you all of the cryptographic algorithms that are

[00:08:43] currently either approved by NIST, used based on the hash based algorithms,

[00:08:49] or the ones that are imminently going to be standardized by NIST,

[00:08:52] hopefully this summer and put them into your actual applications.

[00:08:58] And by doing that, what you'll quickly be able to find is you'll be able

[00:09:02] to find interoperability.

[00:09:03] It will point out where you're using crypto in your organization.

[00:09:07] It'll help highlight the areas in which there are interoperability

[00:09:11] problems.

[00:09:12] And in effect, it will allow you to start that journey on practically

[00:09:17] allocating, locating and finding all your sensitive data and sensitive

[00:09:21] keys that you use within your organization.

[00:09:25] And the concept of crypto agility seems pivotal in this transition to PQC.

[00:09:30] So for any business leader that could be listening to this conversation

[00:09:34] anywhere in the world, on the way to the office, we've raised a few alarm

[00:09:38] bells and going straight to the IT director and say, Hey, I've just listened

[00:09:40] to a podcast about this.

[00:09:42] Can you just expand on the importance of crypto agility and how it

[00:09:46] ultimately facilitates that smoother migration to post quantum algorithms?

[00:09:50] Yeah.

[00:09:51] Yeah.

[00:09:52] Ultimately what we have to realize is that the value of securing our data

[00:09:58] is not locking it away in a safe and never seeing it or using it

[00:10:02] or touching it.

[00:10:02] Right.

[00:10:03] The real value of our data is being able to securely reference it,

[00:10:07] move it around and share it with people so that you can get value and

[00:10:12] be able to use that data to your advantage.

[00:10:16] But to do that, it needs to be able to talk to multiple systems.

[00:10:20] So systems are not in isolation.

[00:10:22] They have to be able to communicate.

[00:10:23] They have to be able to share.

[00:10:25] They have to be able to store all of this data.

[00:10:27] And to do that, you need systems that were developed separately to

[00:10:31] be able to talk to each other and to be able to interoperate.

[00:10:35] And in that realm, if you fix that system on one single crypto algorithm,

[00:10:42] what will happen is if others want to upgrade or change those algorithms,

[00:10:45] that system will be stuck and that will be broken.

[00:10:48] So crypto agility is really describing the way in which different systems

[00:10:53] and different parties can move and change their cryptographic algorithms

[00:10:57] and negotiate with each other on which algorithms to use such that

[00:11:01] you can share that information in a safe way.

[00:11:06] And crypto agility really enables the transition to post-quantum crypto

[00:11:11] in a much more easy fashion because if you already support that agility,

[00:11:16] if you support the ability to negotiate or agree on changing our different algorithms,

[00:11:21] that will make that much easier.

[00:11:23] And being able to be agile, crypto agile,

[00:11:27] only facilitates that capability a bit more.

[00:11:30] The other reality around crypto agility we have to recognize is that even though

[00:11:36] we do have these new algorithms that are in place, that are theorized to be good,

[00:11:41] we're not stopping there.

[00:11:43] The industry's not stopping there.

[00:11:44] The governments aren't stopping there.

[00:11:46] They're continuing their research to improve and come up with new

[00:11:50] algorithms that also have that same safety but also improve on things like performance.

[00:11:55] The age of finding one algorithm, standardizing on it and fixating on it

[00:12:00] and implementing that everywhere is gone.

[00:12:03] That time is gone.

[00:12:04] The future is where algorithms will come and go.

[00:12:08] We will be improving them.

[00:12:09] We will be adding to them.

[00:12:10] We will be strengthening them and improving them.

[00:12:12] And the best way to deal with that is to make sure we're building our systems

[00:12:15] in an agile way such that we can upgrade those algorithms

[00:12:19] while not breaking or having to replace everything that's in place today.

[00:12:23] One of the significant concerns for anyone listening working in cyber security,

[00:12:28] especially with quantum computing, is those potential for Harvest Now decrypt later

[00:12:33] style of attacks, which is what keeps a lot of people awake at night.

[00:12:37] How does this approach quantum safe protocols?

[00:12:42] How does that protect against such future threats like that?

[00:12:46] Well, the Harvest Now and decrypt later threat is really around the notion that

[00:12:53] even though it can't be broken now, that we're still protecting data today

[00:12:58] that we consider valuable.

[00:13:00] And maybe that is valuable in five or 10 or 15 years.

[00:13:04] We still want that information to be safe.

[00:13:06] However, someone could passively capture that encrypted data today.

[00:13:10] Let's say it's on a cell phone line, a telephone line,

[00:13:15] an internet connection, and you happen to capture it.

[00:13:17] It's safe because it's encrypted today.

[00:13:20] But let's say five years down the road, we are able to create that quantum computer

[00:13:25] that can run these algorithms.

[00:13:27] You can all of a sudden take data that was safe five years ago

[00:13:31] and decrypt it in the future such that now they have access to that information.

[00:13:38] So the sooner that we can begin the transition to using these quantum safe algorithms,

[00:13:44] the lower that window of opportunity of being able to capture now and decrypt later becomes a risk.

[00:13:51] So the kit enables you to begin your journey sooner, to make that transition happen,

[00:13:58] and to be able to get your organization and your data protected using algorithms

[00:14:03] that won't be susceptible to that.

[00:14:04] So right now, that is the thing we can control.

[00:14:07] We can control implementation of the algorithms and that transition time.

[00:14:11] It's up to each organization to assess their own risk, to assess their own value of data,

[00:14:16] and to begin that journey with the urgency that makes sense for what they're doing today.

[00:14:23] I also wanted to bring up the collaboration with Quantinuum,

[00:14:27] how that also introduces quantum random number generation or QRNG technology

[00:14:33] into that PCQ PQC starter kit.

[00:14:37] How does QRNG technology, how does that enhance the security and robustness of encryption keys

[00:14:43] in the context of PQC, everything we're talking about here?

[00:14:47] Yeah. Well, everything in cryptography, whether it's traditional classical or any new

[00:14:54] algorithms that we're inventing that are quantum safe, the key element of that is the

[00:15:01] unguessability of the secret data that you're using as key material.

[00:15:06] Entropy is an extremely important aspect. Adding in quantum random number generation

[00:15:13] really bolsters our technology's ability to not only load balance, but also create

[00:15:21] a bit of redundancy in our sources of entropy to make sure that regardless of

[00:15:28] how you're generating your keys or when you're generating keys, that you can be assured that

[00:15:33] there was a sufficient amount of entropy that went into that key generation process.

[00:15:38] You can think of it as added layers or belts and braces, as they say, to be able to make

[00:15:44] sure that all the new keys that we're generating moving forward have a great deal of

[00:15:50] high quality entropy as part of the key generation process.

[00:15:54] And considering the National Institute of Standards and Technology's role in standardizing

[00:15:59] post-quantum algorithms, how are you at Thales aligning its PQC solutions with the

[00:16:05] anticipated standards? And what kind of challenges do you foresee in the widespread

[00:16:10] adoption of these new algorithms? It seems like there's an equal amount of challenges

[00:16:14] and opportunities ahead. Yeah, exactly. Now it's very fortunate

[00:16:20] that NIST, National Institute of Standards and Technology at the US, while they have a US focus,

[00:16:26] they've really been leading the charge from a global standpoint. And they did that by creating

[00:16:31] their post-quantum algorithm competition back a number of years ago. And they are really

[00:16:38] helping with the standardization process. And for the listeners out there who don't know,

[00:16:43] actually Thales was a submitter along with a consortium of a few other companies and

[00:16:49] were one of the co-authors of the Falcon algorithm that was ultimately adopted for

[00:16:54] standardization in this round. So we obviously have a vested interest and keen

[00:17:00] alignment with NIST on that. But beyond that, on the bigger standards,

[00:17:04] we're very engaged and have always been very engaged with NIST around the standardization

[00:17:09] process because that's an important part of being able to create crypto agility,

[00:17:14] is to have algorithms and to have standards that are shared and scrutinized around the world

[00:17:22] so that we can end up with higher levels of confidence in those algorithms. So we've

[00:17:28] been working closely with them, not just with Falcon, but just generally with respect

[00:17:32] to all of our products and services. And we have been a part of that. We're also a member

[00:17:37] of the NCCOE, which is the National Cybersecurity Center of Excellence through

[00:17:45] the US government focusing on their post-quantum transition working group where we're going to be

[00:17:51] able to produce documentation and reference material for supporting organizations in making

[00:17:57] that transition from a pre-quantum world to a post-quantum world.

[00:18:03] And if we do dare to look towards that future, what do you think are the next steps required

[00:18:10] in ensuring that organizations all around the world are ready for this post-quantum era?

[00:18:14] And also, are there any particular sectors or even types of data that should be prioritized

[00:18:21] during this transition to PQC?

[00:18:25] Yeah, that is a great point. And I think the key message that I could share is that

[00:18:31] the time of waiting and seeing has probably passed. And I think that now is the time for planning

[00:18:38] because it's no longer a matter of if we should try to mitigate this risk from a crypto

[00:18:46] standpoint, it's a matter of when. Because as we mentioned earlier, the length of value of data,

[00:18:53] the longer that data is protected using classic crypto algorithms, the wider your surface area is

[00:19:02] for compromise if a computer comes about. So we're encouraging organizations right now,

[00:19:07] you should be in the act phase where you are preparing. So whether that means just surveying

[00:19:12] your enterprise, finding out where your key data is, how sensitive it is, what sort of

[00:19:18] lifetime you think it has, finding where all of your valuable keys are, your public

[00:19:23] cryptography keys, looking at your systems, your interoperability, understanding the types

[00:19:29] of other actors in the world that you have to interact with from a business continuity standpoint

[00:19:35] and starting to do that plan. You should be implementing, you should be trialing,

[00:19:39] you should be looking at interoperability, crypto agility, and being able to start to create

[00:19:46] in your roadmaps transition plans for being able to integrate this new technology into your world.

[00:19:55] Well, thanks so much for joining me again on the podcast talking about Thales and Quantinuum's

[00:20:00] Launch Starter Kit that is going to help enterprises prepare for post-quantum cryptography

[00:20:05] and some of those big changes ahead. Priceless information, especially for a lot of those

[00:20:11] businesses, but 61% were mentioned that are yet to have a plan. I think it will be incredibly

[00:20:16] valuable to those people listening. Before I let you go though, I want you to leave one final

[00:20:21] gift to everyone listening and that is a book that we can add to our Amazon wishlist that

[00:20:25] you'd encourage listeners to check out. Well, all I ask is what are you going to leave us with

[00:20:29] and why? Sure, that's an interesting question and actually it's something I just revisited

[00:20:37] very recently. It's something I come back to every four or five years.

[00:20:41] The good news is that it is a freely available story. It's a story called The Machine Stops

[00:20:49] and it was a short story written back actually in 1908 that sort of predicts

[00:20:57] some of the future world that we live in today with respect to long distance video

[00:21:03] communication, machines that answer any question that you may have and that sort of thing.

[00:21:10] I highly encourage readers to look it up online. You can find many resources for it. It's a story

[00:21:15] by E.M. Forster called The Machine Stops and I think it's a good reminder in our world today

[00:21:21] where we're constantly chasing technology and relying upon it more and more. I think it

[00:21:27] provides a good grounding to realize that our world is most useful when we remember

[00:21:37] that humanity plays an important part in that. Hopefully, that's something that inspires you.

[00:21:43] It's a short story. It doesn't take very long to read. I highly recommend it and

[00:21:48] looking forward to folks consuming it the way I do.

[00:21:51] Oh man, I'm going to be not only adding that to the wishlist, I'm also going to check

[00:21:55] that out myself sounds right up my street. We did cover a lot today, but anyone listening?

[00:22:00] Just interested in finding out more about that starter kit, how it can help their enterprise prepare

[00:22:05] for post-quantum cryptography changes ahead and so much more that we covered. Where would you

[00:22:11] like to point everyone listening because I know the Thales website is a huge website.

[00:22:14] Is there any way in particular you'd like to point everyone?

[00:22:18] Sure. Certainly go to our website at cpl.thalesgroup.com and it should be

[00:22:23] prominent on the front page. If not, you can easily use the search capability if you just

[00:22:27] search for post-quantum, post-quantum readiness or kit. It should take you to a number of

[00:22:33] resources that we have including that survey I mentioned earlier that will help guide you through

[00:22:38] your journey and understanding where you're at and be able to connect

[00:22:42] you with people to talk about next steps. Well, thanks so much for highlighting

[00:22:45] the fact that crypto agility and preparedness for the post-quantum era is essential in

[00:22:51] mitigating the risk of data breaches once quantum computing reaches its maturity. It

[00:22:56] is on the horizon and not only for highlighting the challenges but also the solution,

[00:23:01] this PQC starter kit and how it offers quick and easy ways for users to test and measure

[00:23:07] their post-quantum readiness for protection against those quantum computing attacks.

[00:23:11] So you've not only highlighted the problem but also offered the solution and even having time

[00:23:17] to leave us with a great book too, The Machine Stops, which I'll be looking for in just a moment

[00:23:21] but thanks again, a pleasure as always Bob. Thank you Neil, appreciate being on, thanks for

[00:23:26] having me. So as we conclude today's conversation with Bob, I think it's clear that the horizon

[00:23:32] of digital security is brimming with both challenges and opportunities in equal measure.

[00:23:38] Because the advent of quantum computing presents a pivotal moment in our ongoing quest

[00:23:43] to protect the sanctity of our digital lives, but today's discussion also shed light on the

[00:23:48] crucial steps that organisations must take to fortify their defences in anticipation

[00:23:54] of these quantum advancements. And also a big thank you to Bob for highlighting the significance

[00:23:59] of that post-quantum cryptography starter kit and the imperative of developing a robust

[00:24:06] post-quantum strategy. But as we all look towards a future where quantum computers will

[00:24:11] undoubtedly redefine the bounds of what's possible, the role of standardised quantum

[00:24:17] resistant algorithms is becoming more and more paramount. So that journey towards quantum readiness,

[00:24:24] yes it's fraught with complexities but with experts like Bob leading the charge,

[00:24:29] I think the path to securing a digital future is much easier than you probably may have thought.

[00:24:35] But I'd love to hear your thoughts on today's topic. Are you quantum ready?

[00:24:41] How do you see quantum computing impacting your digital security strategy?

[00:24:45] Please join the conversation, share your insights as we navigate this fascinating journey together

[00:24:50] and you can do that by emailing me techblogwriteroutlook.com, Twitter, LinkedIn,

[00:24:55] Instagram at Neil C Hughes. Let me know your thoughts. But that's it, it's quitting time

[00:25:00] for me. I'm going to be preparing for another guest bright and early tomorrow where I will be

[00:25:05] talking to you once again. But more than anything thank you for listening today. Hopefully

[00:25:09] you'll join me again tomorrow but until next time, don't be a stranger.