Quantum computing promises to solve complex problems even the world’s most powerful supercomputers cannot solve today.

At the same time, as highlighted by the World Economic Forum in this article, “the power of quantum computers creates an unprecedented threat to the security of our data through its potential to break the cryptography that underpins our digital ecosystem.”

Once large-scale quantum computers are available, they may be able to break systems built on the public-key cryptography in use today. To protect against this risk, IBM has developed a clear strategic agenda that includes the research, development, and standardization of core quantum-safe cryptography algorithms in open projects such as CRYSTALS and Open Quantum Safe.

One of the most popular and widely used protocols built on public-key cryptography is Transport Layer Security (TLS), which protects data sent over the network. While TLS connections today are well suited to protect access to cloud applications via the Internet, any attacker able to access the network traffic could store it and potentially decrypt it in the future when quantum computers are available. The weak point is the TLS connection establishment phase, where the two parties agree on a session key through a key exchange: an attacker who can break that exchange recovers the session key and, with it, the recorded data. To mitigate this risk, quantum-safe cryptography (QSC) key encapsulation mechanisms (KEMs) like KYBER could be used during the session key establishment of a TLS connection.

Protect your cloud native apps on IBM Cloud from quantum risk

IBM Cloud has market-leading data protection capabilities that help protect data-at-rest using a Keep Your Own Key (KYOK) key management solution with IBM Cloud Hyper Protect Crypto Services, data-in-use using confidential computing capabilities with IBM Cloud Data Shield and IBM Cloud Hyper Protect services, and data-in-transit where TLS connections can be offloaded to Hyper Protect Crypto services.

Extending this security leadership to address threats of the future, IBM Cloud is enabling QSC support in TLS connections to cloud native applications. When cloud native containerized applications run on Red Hat OpenShift on IBM Cloud or IBM Cloud Kubernetes Service, TLS connections are handled by an HAProxy router in Red Hat OpenShift deployments, and by an ingress controller in Kubernetes deployments.

To give these apps QSC-protected access to clusters in the IBM Cloud, IBM has implemented a custom ingress controller for IBM Cloud Kubernetes Service and a custom router for Red Hat OpenShift on IBM Cloud (managed OpenShift). With these technologies, clients can access their clusters with QSC-protected TLS session key establishment, without any code change to their application logic.

The custom ingress controller for IBM Cloud Kubernetes Service and the custom router for Red Hat OpenShift terminate TLSv1.3 connections from a QSC-enabled application client and feature full backward compatibility for non-QSC operation. This approach enables network connections to use QSC KEM algorithms for session key establishment and also offers the possibility of hybrid QSC/non-QSC session key establishment. This hybrid mode of QSC enablement in TLS offers a way to prepare for the future and make a staged transition to QSC operation.
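The fallback behaviour described above determines which sessions remain exposed to record-now, decrypt-later collection, so it is worth checking which key-exchange group each client ends up with. The following Python code is an added example, not IBM's implementation: it parses the `supported_groups` extension of a TLS 1.3 ClientHello and applies a server preference order. The codepoints are assumed from the IANA TLS Supported Groups registry (the page does not name the groups used by the preview), and the preference list and sample bytes are constructed.

```python
import struct

# Assumed codepoints from the IANA "TLS Supported Groups" registry; the page
# does not say which groups IBM's preview ingress/router actually uses.
GROUPS = {
    0x0017: ("secp256r1", "classical"),
    0x001D: ("x25519", "classical"),
    0x6399: ("X25519Kyber768Draft00", "hybrid"),
    0x11EC: ("X25519MLKEM768", "hybrid"),
}

def parse_supported_groups(ext_body):
    """Parse the body of a supported_groups extension (RFC 8446, 4.2.7)."""
    if len(ext_body) < 2:
        raise ValueError("truncated supported_groups extension")
    (list_len,) = struct.unpack_from("!H", ext_body, 0)
    if list_len != len(ext_body) - 2 or list_len % 2 or list_len == 0:
        raise ValueError("malformed named_group_list length")
    return [g for (g,) in struct.iter_unpack("!H", ext_body[2:])]

def select_group(client_groups, server_pref):
    """Simplified server choice: first server-preferred group the client offers."""
    offered = set(client_groups)
    for g in server_pref:
        if g in offered:
            return g
    return None  # no overlap: the handshake would fail

def assess(ext_body, server_pref):
    """Return (group name, kind) that would be negotiated for one ClientHello."""
    chosen = select_group(parse_supported_groups(ext_body), server_pref)
    if chosen is None:
        return ("none", "handshake_failure")
    return GROUPS.get(chosen, (hex(chosen), "unknown"))

# Hypothetical policy: prefer hybrid groups, keep classical ones for older clients.
SERVER_PREF = [0x11EC, 0x6399, 0x001D, 0x0017]

# Constructed extension bodies (not captured traffic).
QSC_CLIENT = bytes.fromhex("0006" "6399" "001d" "0017")
LEGACY_CLIENT = bytes.fromhex("0004" "001d" "0017")

if __name__ == "__main__":
    for label, body in (("qsc", QSC_CLIENT), ("legacy", LEGACY_CLIENT)):
        name, kind = assess(body, SERVER_PREF)
        print(f"{label:7s} -> {name} ({kind})")
```

Clients reported as `classical` still connect, which is the backward compatibility the paragraph describes, but their recorded sessions are not protected against a future quantum attacker.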

Note: IBM allows you to bring your own ingress controller, but IBM does not provide support for your ingress deployment. QSC integration is currently a technology preview with further offering integration and support to follow.

How can I get started?

To get started with quantum-safe cryptography for cloud native apps on IBM Cloud, you can refer to this page for details about the deployment pattern, technology implementation, and configuration details. 

We are also applying QSC support to protect the TLS communication with IBM Key Protect key management services. With this support, the encryption key lifecycle operations and APIs can be protected against quantum risk. You can get more details about this QSC support in Key Protect.

With these new quantum-safe cryptography capabilities, combined with the comprehensive set of data security capabilities already available, IBM Cloud provides a rich set of industry-leading data security options, while providing the best developer experience in building and managing cloud native applications.
