In this document we will examine the concepts of Zero Trust and Post Quantum Cryptography (PQC) on a high level and examine the points of relationship between them and how the Fortanix DSM platform can help implement a zero-trust architecture utilizing post quantum cryptography algorithms.
The vast majority of organizations, either in the public or the private sphere, have already made a move to have either parts or even the entirety of their IT infrastructure in the cloud. This has necessitated a transition of their security posture model from the old, ‘walled garden’, network-perimeter centric security architecture to a newer, data- and identity-centric model. This new model has been given the name ‘Zero Trust’ and allows for adopting a more comprehensive defense-in-depth security posture. A Zero trust architecture is built on the following principles:
- Comprehensive, data classification driven security policies.
- Single, strong identity management.
- Strong authentication for both machines and users.
- Access and authorization policy enforcement for applications.
- Continuous monitoring of both network and data endpoint perimeters.
- Micro-segmentation of network traffic based on the principle of least privilege.
Unifying requirements to implement a PQC underpinned Zero Trust Architecture
Cryptography plays a critical role in the implementation of a Zero Trust architecture within an organization. Strong, centralized Identity Management is performed through the effective deployment of a Public Key Infrastructure for producing the cryptographic certificates that will function as both user and machine and application identities. Authentication is performed through protocols that have public key cryptography at its core, namely TLS and SSH. Moreover, the implementation of data driven security policies gives rise to requirements for data encryption, signing and masking to provide effective security in depth that is independent of network security requirements and facilitates access to data according to the principle of least privilege.
As such, adoption of a centralized platform that functions as a key lifecycle management system and cryptographic provider that underpins the identity management provider and deployment of cryptography for data encryption, tokenization, and authentication becomes an effective requirement for organizations that need to implement a zero-trust architecture at scale.
More specifically, a centralized key management system that has implemented post quantum algorithms as part of its core capabilities allows for effective cryptographic asset enumeration and cryptographic agility as it allows for the rapid adoption of post quantum cryptography algorithms as part of an organization’s security posture and the implementation of an effective transition strategy from 'traditional' public key algorithms to PQC ones.
A centralized key lifecycle management and cryptographic provider provides an identity management system with the capacity to generate hybrid certificates that utilize PQC cryptographic keys in conjunction with ‘traditional’ public key cryptography (i.e. RSA or elliptic curve keys) while allowing for automation, monitoring and logging capabilities to accommodate large, enterprise-scale deployments.
A centralized key lifecycle management and cryptographic provider can also act as a point of managing and consuming cryptographic keys as well as a secure storage and consumption point for certificates for the purpose of data encryption and signing that enables continuous monitoring of cryptographic transactions for data categories for which security requirements mandate strict access control.
Post Quantum Cryptography
Post Quantum Cryptography (PQC) is the term used to refer to cryptographic algorithms that are secure from a cryptanalytic attack utilizing a quantum computer. The development of post quantum encryption algorithms is a direct response to the breakthroughs occurring on the quantum computing space and the direct threat a mature quantum computer will pose to the standard public key cryptography algorithms currently in use (RSA, Diffie-Hellman key exchange, elliptic curves).
The effective adoption of PQC within an enterprise scale infrastructure mandates specific measures be taken:
- Full enumeration of cryptographic assets within an organization (deployments, keys, dedicated hardware etc.).
- Adoption of cryptographic agility as part of an organization’s security posture (i.e. the rapid adoption and deployment of new ciphers within an organization’s infrastructure).
- Identification of areas within an organization’s infrastructure that will require ‘cordoning off’ and more strictly managed from an access control perspective until the legacy cryptographic components are replaced and/or legacy equipment decommissioned.
Why Fortanix DSM
Fortanix DSM is a platform combining HSM, KMS and cryptographic provider functionality that offers multiple features that make it a robust post quantum cryptography solution:
- Already implements LMS algorithm, which is a stateful hash-based algorithm (with a strong cluster-based state management).
- Strong authentication, authorization, and quorum-based controls available for PQC.
- Accessible using REST APIs.
- Designed from the ground up with Zero Trust as a core architecture component.
Apart from the above, Fortanix DSM is ideal for implementing a PQC transition strategy tailored for a Zero Trust architecture on multiple levels due to its unique architecture and feature set.
DSM enumeration capabilities
Fortanix DSM offers, as a platform, unique flexibility in the management of a key estate. Its REST API based architecture, key metadata handling and reporting and auditing capabilities that allow for automated and comprehensive management of a key estate. Reports can be produced that allow for estate enumeration per key type, key deployment and/or key metadata allow the user to quickly map out the types, purposes and deployment locations of cryptographic keys.
Alongside the above, DSM includes the HSM Gateway feature that allows for direct interfacing with external HSMs (such as nCipher Connect and Luna HSM) and automatically discovering and managing the keys stored therein.
The above capabilities allow for the efficient and complete enumeration of cryptographic assets of an organization with great automation capabilities for reporting and auditing.
DSM PQC transition capabilities
In addition to the capability of rapid inclusion of new algorithms to the platform, Fortanix DSM offers a range of advantages for the execution of a PQC transition strategy. It offers a vast range of integration options with almost all major applications, both on premises and in the cloud, functioning as a centralized, single pane of glass ‘command and control’ platform for cryptographic key management and cryptographic services provider, utilizing, apart from its inherent REST API capabilities, a variety of APIs for all commercially significant programming languages. All the above capabilities are offered within a platform whose design and architecture conforms to the zero trust architecture requirements, with inbuilt RBAC controls and mature MFA capabilities.
DSM Integration within a zero-trust architecture designed infrastructure
Fortanix DSM offers direct integration with most PKIs in the market, functioning as a centralized key management service and source for secure key generation and distribution for both Root certificates and critical identities, a cornerstone for the deployment of a strong, single source of identity. It provides facilities for automation, storage and consumption of mission critical identities that require hardware protection and extensive monitoring, logging and reporting capabilities.
Fortanix DSM’s API capabilities provide a central source of consumption of cryptographic keys for the purposes of data encryption, signing and masking for mission critical data that already includes PQC signing capabilities.
In addition, it offers a vast range of integration options with almost all major applications, both on premises and in the cloud, functioning as a centralized, single pane of glass ‘command and control’ platform for cryptographic key management and cryptographic services provider, utilizing, apart from its inherent REST API capabilities, a variety of APIs for all commercially significant programming languages. All the above capabilities are offered within a platform whose design and architecture conforms to the zero trust architecture requirements, with inbuilt RBAC controls and mature MFA capabilities, underpinning the execution of a comprehensive Zero trust architecture.