A
You're listening to the RSA Conference podcast, where the world talks security. Hello listeners, welcome to this edition of our RSAC podcast series. Thank you for tuning in. I'm Tatiana Sanchez.
B
And I'm Casey Zirkis and we are
A
your RSAC podcast hosts. Casey, what are we going to discuss today?
B
Gosh, Tatiana, it is the leap to quantum computing that's a big one. And I am so fascinated at the level of attention that quantum computing is getting. It's for so long been seen as like this thing that will happen at some time in the future, but it feels like people are paying more and more attention to it. So it isn't just a technical milestone. It's a fundamental shift in the security landscape that demands this, that everyone stop patching the past and start really architecting a future where privileged access is inherently unshakable. So we are excited to welcome our guest today, Malhar Vora, as he explores how to protect critical access against quantum threats and AI powered attacks. Such an important conversation going on across the industry right now. He'll be addressing the current preparedness gap and provide actionable strategies for crypto agility and securing all identities, human and non human, for a resilient future. That's a lot. But are you ready to dive in, Tatiana?
A
Yes, I'm absolutely ready to unpack everything. But before we get started, we do want to remind our listeners that here at RSAC we host podcasts twice a month and we encourage you to subscribe, rate and review us on your preferred podcast app so that you can be notified when new tracks are posted. And now we would like to ask our guest to take a quick moment to introduce himself. Malhar.
C
Thank you both. Good day to everybody from Australia. My name is Malhar. I am working as a principal security engineer and the engineering leader at the ANZ Bank here in Australia. I often share the thought process on the various identity topics and today I'm so keen to talk about the quantum safe PAM, which is actually preparing the privileged access for the post-quantum era.
A
And thank you for being here today, Malhar. We often hear about quantum computing as a someday problem, but other cybersecurity professionals argue that people need to start preparing now because there's really no due date. And when it's going to come, it can come in 2035, it can come sooner or even after 2035 and it kind of aligns with what you talk about, that quantum computing is actually a pressing concern. So why is now the time for organizations to stop looking at the horizon and start worrying about their current encryption standards?
C
Yeah, sure, that's a great question. So before I answer, let me start with a simple story. So imagine a thief walks into a bank building, but instead of trying to crack the safe, they photograph every single one, every lock, every dial, every receptor deposit and they walk out. So they can't open anything today, but they are betting that in a few years from now a universal safe cracker will exist. And when it does, they will have everything they need. So this is not a movie plot, this is what is happening to the organizations right now. The nationwide state actors and the software security threat groups are quietly collecting your encrypted data, which is your session recordings, admin credentials, authentication tokens, right? And then storing it. And they're simply waiting for the future. So today we are talking about what it means for the privileged access management, the critical system that holds the keys to your most sensitive environments and what you need to do about it before the safe cracker arrives. Right? And this is the quantum safe PAM.
B
Obviously building a quantum safe blueprint for privileged access management is something that's really important to you. But for those listening who are still managing maybe these traditional frameworks, what does it actually look like to merge cryptographic foundations with privileged control?
C
So the cryptographic standard already exists today, things like RSA and ECC, whether it's a session recording, whether it's the authentication, whether it's the internal traffic within the PAM system, they all are encrypted. But because of the quantum computer which is arriving in the near future, those encryption methods like RSA and ECC are breakable by the quantum computers. Now the fundamental question is what we can do about it, how do we prepare ourselves for that future which is not very far from today. Today we are talking about what it means for the privileged access management. The system holds the key to the most sensitive environments and what you need to do about it before the safe cracker arrives. And this is the quantum safe PAM. So let me go deep dive into it. So let me start with the, I would call it as a chapter one of our podcast today, which is why your PAM vault is suddenly in the crosshairs right now. Think of an encryption like a padlock. And let's start with a simple thing. All the encryption protecting your privileged access environment today, the stuff which is keeping your vault communication, your session recording, your admin password safe is based on one big assumption. And that assumption is: certain maths problems are so hard to solve, it would take millions of years for any computer to crack them. And that's been true until now. Quantum computers work completely differently to those laptops and servers we are used to. They don't grind through the calculations one at a time. They can explore millions of possibilities simultaneously. And for the specific type of maths that underpin through this encryption, they solve it fast, in just a few hours. So the padlock we have been relying on, the ones protecting every handshake, every login, every privileged session can be opened. Not today, but the clock is ticking. If I have to simplify it, today's encryption is a padlock that takes millions of years to pick. 
A quantum computer is a key that opens in minutes. And the padlocks are on everything in your PAM environment. So what's actually at risk in your PAM environment? So let's deep dive into it further. Right, so here is what I want to be specific, because encryption, it has risk. Sounds abstract, right? Let me make it concrete. In your PAM environment, the things that depend on this breakable encryption include the secure channel to your vault users to talk to the endpoints, the authentication handshake every time an admin logs in, the digital signature on the certificate that tells your system, okay, this connection is legitimate and please allow them, the encrypted recordings of every session. When that encryption breaks, none of these things can be trusted anymore. An attacker would decrypt your historical vault traffic, could reconstruct the admin credentials, they could forge authentication, they could replay the privileged sessions and walk straight into your crown jewels. For organizations in the banking and the financial services, I'm talking about, you know, your SWIFT connections, your payment rails, your core banking system. This isn't an abstract, this is exist, Exist.
A
And how do these two forces, AI and zero trust, and sometimes, you know, they align with one another or they can be complicated. Do you see that they complicate or perhaps even strengthen the mission to secure privilege access against quantum level threats?
C
Absolutely, absolutely. Yeah. So when the quantum safe becomes reality, or much before it becomes a reality, we need to prepare all the critical data in such a way that we can quantum proof all the important data by implementing the zero trust, which means we remove the entitlements from all the critical data, which is the privileged accounts, so that at any given time, if it has been compromised, the likelihood of that account remains very low because it's a sort of like zero trust. And when we talk about the key actions to secure the environment from the quantum safe, the AI helps in a certain way. The AI can help to audit the existing data faster. The AI can find out all the gaps in your organizations particularly to the current encryption standard. It can then help to align with the NIST standard and then it can give a roadmap how to quickly implement it. And of course there must be the AI tools which can smartly do all of these jobs together.
B
So if we're talking about moving from reactive patching to true crypto agility, this is obviously a massive shift. So if a security leader recognizes a preparedness gap today, what's the first practical step they should take to embed these future ready principles into their identity architecture?
C
Yeah, absolutely. The first and foremost is to audit. Find every certificate, every encrypted channel in your environment and that's a big task itself. And that's where the things like the AI tools can become very handy. It can do the job much quicker than a traditional system can do. Step number two is to prioritize which is focus first on the long lived and high sensitive data and the credentials. The third one is reaching out to your PAM vendor and ask for their readiness for the post quantum and get the roadmap in the writing. The step four is to basically migrate, I would say so start with the new deployment at the same time, run the old one and the new encryption in parallel. And step number five, it would be govern. So this would require an executive level sponsorship, right. As a proper program, assign the right owners, get the required budget and then you know, work on it.
B
Lots of real world encryption guidance for our listeners today. Really appreciate that. And I know that you had also alluded to how to hold maybe vendors or create some accountability for vendors. Can you talk a little bit about some action there that our listeners can put into.
C
Yeah, absolutely. So most of the vendors that I know of today in this space already have a plan. So we basically, you know, but from our side what we can do is you can go and talk to the vendor, get the roadmap and see how they are planning to fix this problem. You know, that would give you a blueprint for your PAM environment and to see how you're going to migrate from the current system to the new system, what sort of controls you're going to put in place, what sort of standard is going to be supporting from the NIST point of view as well. And yeah, work with your vendor to plan out a strategy which can help you to mitigate the risk.
B
Fantastic.
A
Malhar.
B
Thank you so much for being here today. Listeners, thank you for tuning in. Please keep the conversation going in our RSAC membership platform by visiting onersac.commembership and be sure to check onersac.com for new content posted year round. Until next time.
Date: April 21, 2026
Host(s): Tatiana Sanchez & Casey Zirkis
Guest: Malhar Vora, Principal Security Engineer and Engineering Leader at ANZ Bank (Australia)
This episode tackles the looming impact of quantum computing on privileged access management (PAM) and the intertwined roles of AI and Zero Trust principles in preparing cybersecurity defenses. Guest Malhar Vora breaks down why quantum-safe strategies are urgent—not hypothetical—and shares a practical blueprint for organizations aiming to secure critical access against quantum and AI-powered threats.
“Imagine a thief walks into a bank... Instead of trying to crack the safe, they photograph every single one... and are betting in a few years a universal safe cracker will exist... This is not a movie plot, this is what is happening to the organizations right now.”
— Malhar Vora [02:57]
“Today’s encryption is a padlock that takes millions of years to pick. A quantum computer is a key that opens in minutes.”
— Malhar Vora [06:11]
“When the quantum safe becomes reality, or much before... we need to quantum proof all the important data by implementing Zero Trust... The AI helps... to audit existing data faster... and give a roadmap how to quickly implement [quantum-safe controls].”
— Malhar Vora [07:55]
“Work with your vendor to plan out a strategy which can help you to mitigate the risk.”
— Malhar Vora [10:56]
“The clock is ticking… If I have to simplify it, today’s encryption is a padlock that takes millions of years to pick. A quantum computer is a key that opens in minutes.”
— Malhar Vora [06:11]
“When quantum-safe becomes reality, or much before, we need to prepare all the critical data… by implementing Zero Trust…”
— Malhar Vora [07:55]
“The first and foremost is to audit... The AI tools can become very handy. Step number two is to prioritize... The third one is reaching out to your PAM vendor... Step four is to migrate... And step number five, it would be governance.”
— Malhar Vora [09:31]
This episode is a wake-up call for cybersecurity leaders: quantum computing’s arrival is unpredictable but inevitable, and privileged access management must be fundamentally re-architected. Taking a proactive, AI-assisted, and Zero Trust-driven approach—with thorough audits, vendor accountability, and migration strategies—will help future-proof critical access against both quantum and AI-powered threats.