C (2:57)

Yeah, sure, that's a great question. So before I answer, let me start with a simple story. So imagine a thief walks into a bank building, but instead of trying to correct the safe, they photograph every single one, every lock, every dial, every receptor deposit and they walk out. So they can't open anything today, but they are betting in in few years from now a universal safe cracker will exit. And when it does, they will have everything they need. So this is not a movie plot, this is what is happening to the organizations right now. The nationwide state actors and the software security threat groups are quietly collecting your encrypted data, which is your session recordings, admin credentials, authentication tokens, right? And then storing it. And they're simply waiting it for the future. So today we are talking about what it means for the threat access management, the critical system that holds the keys to your most sensitive environments and what you need to do about it before the safe cracker arrives. Right? And this is the quantum safe pam.

B (4:00)

Obviously building a quantum safe blueprint for privileged access management is something that's really important to you. But for those listening who are still managing maybe these traditional frameworks, what does it actually look like to merge cryptographic foundations with privileged control?

C (4:19)

So the cryptographic standard already exists today, things like RSA and ecc, whether it's a session recording, whether it's the authentication, whether it's the internal traffic within the PAM system, they all are encrypted. But because of the quantum computer which is arriving in the near future, those encryption method like RSA and ECC are breakable by the quantum computers. Now the fundamental question is that what we can do about it, how do we prepare ourselves for that future which is not very far from today. Today we are talking about what it means for the privilege access management. The system holds the key to the most sensitive environments and what you need to do about it before the safe cracker arrives. And this is the quantum safe pam. So let me go deep dive into it. So let me start with the, I would call it as a chapter one of our podcast today, which is why your PAM vault is suddenly in the crosshairs right now. Think of an encryption like a padlock. And let's start with a simple thing. All the encryption protecting your privilege access environment today, the stuff which is keeping your vault communication, your session recording, your admin password safe is based on one big assumption. And that assumption is certain. Maths problem are so hard to solve, it would take millions of years for any computer to correct them. And that's been true until now. Quantum computers work completely different to those laptops and servers we are used to. They don't grind through the calculations one at a time. They can explore millions of possibilities simultaneously. And for the specific type of maths that underpin through this encryption, they solve it fast, just in few hours. So the padlock we have been relying on, the ones protecting every handshake, every login, every pillar sessions can be open. Not today, but the clock is ticking. If I have to simplify it, today's encryption is a padlock that takes millions of years to pick. A quantum computer is a key that opens in minutes. And the padlocks are on everything in your palm environment. So what's actually at risk in your palm environment? So let's deep dive into further. Right, so here is what I want to be specific, because encryption, it has risk. Sounds abstract, right? Let me make it concrete. In your PAM environment, the things that depends on this breakable encryption includes the secure channel to your vault users to talk to the endpoints, the authentication handset. Every time an admin logs in, the digital signature on the certificate that tells your system, okay, this connection is legitimate and please allow them the encrypted recordings of every session when that encryption breaks. None of these things can be trusted anymore. An attacker would decrypt your historical vault traffic, could reconstruct the admin credentials, they could forge authentication, they could replay the privileged sessions and walk straight into your cron jewels. For organizations in the banking and the financial services, I'm talking about, you know, your swift connections, your payment rails, your core banking system. This isn't an abstract, this is exist, Exist.

A (7:40)

And how do these two forces, AI and zero trust, and sometimes, you know, they align with one another or they can be complicated. Do you see that they complicate or perhaps even strengthen the mission to secure privilege access against quantum level threats?

C (7:55)

Absolutely, absolutely. Yeah. So when the quantum safe becomes reality, or much before it becomes a reality, we need to prepare all the critical data in such a way that we can quantum proof all the important data by implementing the zero trust, which means we remove the entitlements from all the critical data, which is the privileged accounts, so that at any given time, if it has been compromised, the likelihood of that account remains very low because it's a sort of like zero trust. And when we talk about the key actions to secure the environment from the quantum safe, the AI helps in certain way. The AI can help to audit the existing data faster. The AI can find out all the gaps in your Organizations particularly to the current encryption standard. It can then help to align with the NIST standard and then it can give a roadmap how to quickly implement it. And of course there must be the AI tools which can smartly do all of these jobs together.

B (9:06)

So if we're talking about moving from reactive patching to true crypto agility, this is obviously a massive shift. So if a security leader recognizes a preparedness gap today, what's the first practical step they should take to embed these future ready principles into their identity architecture?

C (9:31)

Yeah, absolutely. The first and foremost is to audit. Find every certificate, every encrypted channel in your environment and that's a big task itself. And that's where the things like the AI tools can become very handy. It can do the job much quicker than a traditional system can do. Step number two is to prioritize which is focus first on the long lived and high sensitive data and the credentials. The third one is reaching out to your PAM vendor and ask for their readiness for the post quantum and get the roadmap in the writing. The step four is to basically migrate, I would say so start with the new deployment at the same time, run the old one and the new encryption in parallel. And step number five, it would be govern. So this would require an executive level sponsorship, right. As a proper program, assign the right owners, get the required budget and then you know, work on it.

B (10:33)

Lots of real world encryption guidance for our listeners today. Really appreciate that. And I know that you had also alluded to how to hold maybe vendors or create some accountability for vendors. Can you talk a little bit about some action there that our listeners can put into.

C (10:56)

Yeah, absolutely. So the most of the vendors that I know of today in this space are already have a plan. So we basically, you know, but from our side what we can do is you can go and talk to the vendor, get the roadmap and see how they are planning to fix this problem. You know, that would give give you a blueprint for your PAM environment and to see how you're going to migrate from the current system to the new system, what sort of controls you're going to put in place, what sort of standard is going to be supporting from the NIST point of view as well. And yeah, work with your vendor to plan out a strategy which can help you to mitigate the risk.

B (11:37)

Fantastic.

A (11:38)

Mallor.

B (11:39)

Thank you so much for being here today listeners. Thank you for tuning in. Please keep the conversation going in our RSAC membership platform by visiting onersac.commembership and be sure to check onersac.com for new content posted year round. Until next time.