Navigating the Next Generation of Infosecurity
How to Prevent a Security Breach
Information security technologies are evolving rapidly to keep pace with advances in cyber attacks, whether the threat is a data breach or a direct attack on managed service providers (MSPs). From passwordless logins to encryption algorithms, businesses and infosecurity leaders constantly have to innovate and raise their level of threat protection, especially when securing company and customer data that is sensitive and personally identifiable.
To get an insight into the latest buzzwords, tools, and talk about infosecurity, we spoke to Andersen Cheng, CEO at Post-Quantum and Nomidio. Andersen is leading the next generation of infosecurity: in 2009, he established Post-Quantum, a start-up working to develop encryption capable of withstanding attacks from a quantum computer. Then, drawing on many of Post-Quantum's research and development innovations, Andersen founded Nomidio, a SaaS-based biometric authentication and verification business that works with the likes of Hitachi Capital to deliver secure multi-factor identity services.
Welcome Andersen! Thank you for taking the time to join us today as I know you must be busy managing two businesses. Can you give us an overview of your professional background and your journey into the cybersecurity world?
I've been involved in cybersecurity for just over three decades now. I'm a computer auditor by training, and so the journey really started all that time ago when I first understood that computing systems needed end-to-end security. I was also Head of Credit Risk at JP Morgan and helped to run LabMorgan (the bank's FinTech incubator) before becoming COO of Carlyle Group's European Venture Fund some years later. After that, I was on the management team at TRL, which was the only provider of top-secret grade hardware cryptos to the UK government and NATO allies – TRL was subsequently sold to L3, the US Defence Group.
12 years ago I founded Post-Quantum, a start-up that has spent the last decade inventing the next generation of information security by developing encryption capable of withstanding a quantum attack. Our encryption algorithm NTS-KEM (now known as Classic McEliece, after merging with the submission from renowned cryptographer Professor Daniel Bernstein and his team) is now the only ‘code-based’ finalist in the National Institute of Standards and Technology (NIST) process to identify a cryptographic standard to replace RSA and Elliptic Curve for public-key cryptography.
Even more recently, I founded Nomidio to deliver the first-ever multi-factor biometric identity management service, which is also ‘quantum-ready’. We built a quantum-ready, federated identity cloud, which helps liberate companies from holding unnecessary Personally Identifiable Information (PII) and enables secure customer or employee identification for account sign-in.
What inspired you to specifically get into infosecurity and why do you think it's such a crucial area of cybersecurity for modern enterprises to invest in given the current climate?
After working with one of my Post-Quantum co-founders, Professor Martin Tomlinson, at TRL, we were looking for the next big problem to solve together. Martin said to me one day, “if you really want to save the world, then protect it from quantum computers, because that really will be the end of the world as everything is dependent on public-key cryptography.” I think that was really the catalyst that got me thinking about the impact of quantum code-breaking and the clear need to future-proof the entire ecosystem – from how we sign in to IT applications, to how we protect the communications infrastructure that transmits data.
To your second question: I might be biased here, but it's obvious that every cybersecurity team must deal with information security threats every day. The digital age has transformed the way we store and process information and, with data being such a highly-prized target, the threat of a breach or ransomware attack now looms over every business.
However, quantum computers are the ‘mega-threat’ in information security and we must all lift our gaze from the day-to-day so that the required work occurs in parallel. It's sometimes difficult to make this claim, as it's a threat that hasn't yet emerged. However, it will be a once-in-a-generation challenge that completely re-writes today's cybersecurity and information security rules. Just take the recent Colonial Pipeline ransomware attack as an example – studies show that a quantum computer attack would be far more protracted and far worse in its effects in terms of economic and social damage. When a quantum computer matures to the point it can crack today's encryption, every aspect of life will be impacted.
There's been a lot of talk about the threat of quantum computing to information security, in which the words ‘quantum-safe encryption’ and ‘post-quantum security’ have been popping up a lot. How concerned should business security leaders be about this issue, what do these two terms mean, and where does your eponymous company Post-Quantum come into play?
As I've already alluded to, the short answer is that cybersecurity leaders should be extremely concerned. Not in 10 or 20 years; they need to be concerned today. People often talk about commercial quantum computers, and that's a long way off. But from a cybersecurity perspective, we're not talking about commercial machines; a huge, poorly functioning prototype in the basement is all that's needed to break today's encryption. It does not need to go through any benchmark review or EMC certification. That prospect is much closer and it could happen within the next three to five years.
When this day comes, everyone's data will be at risk of theft and exploitation, potentially with unimaginably dire consequences. Even more pressing, however, is that there is still a risk today as quantum decryption can be applied retrospectively, in that the groundwork for a ‘collect now, decrypt later’ attack could be laid now. This is when a rogue nation-state or bad actor can intercept data today with the intention of decrypting it once quantum computers are sufficiently developed (sometimes referred to as Y2Q). So, whether you oversee the security of the SCADA network on an electrical grid or are the guardian of financial assets with personally identifiable information (PII), now is the time to prepare.
The risk that quantum computers pose is so pressing that NIST launched a process to develop the next generation of cryptography some years ago. As mentioned, our encryption algorithm is now the only ‘code-based’ finalist in this process to ensure ‘post-quantum security’ and ‘quantum-safe encryption’. Put simply, what these terms mean is building a new standard of cryptography that can withstand a potential attack from a quantum computer.
However, the major challenge now is that, in this push toward standardisation, most organisations will need to overhaul their entire information security and cryptographic infrastructure to ensure systems are quantum-safe and in line with NIST's new standards. This is not an overnight fix and could take years to complete, as cryptography has been such a fundamental technique in the information security landscape and we've embedded it into almost everything we do. If we are trying to replace the likes of RSA and Elliptic Curve, it is going to be extremely complex, which is why organisations should start this process and transition now.
At Post-Quantum, to take this headache away we're building a suite of solutions that are all quantum-ready and offer a clear option for organisations that need to change a system and wish to make it ready for the quantum era at the same time.
Passwords are the number one target for cybercriminals, hence the invention of passwordless logins, to further complement multi-factor authentication. What are some of the key, but also the lesser-known, business benefits of implementing it?
Going passwordless has gained a huge amount of traction over the past year. Many organisations have accelerated Zero Trust projects during the pandemic to ensure that the right people have the correct access level to the right resources, all the while ensuring a seamless user experience from anywhere in the world.
The obvious benefit to passwordless authentication is reducing password-related risks by enabling users to log in to devices and applications without the need to type in a password. I think the other benefits to going passwordless, which are often overlooked, are when it is coupled with technologies such as biometric authentication, single sign-on (SSO) and federated identity. These all help create a balance between security and user experience, in that they help streamline the user experience for employees within an organization, while stepping up the level of security.
For example, Nomidio IDP uses biometric identifiers such as a voice and face, which are stored in a quantum-ready identity vault. By combining the biometric check with additional ‘silent’ factors, all a user has to do is present their face to log in and we can authenticate the user on any device they're logging in from, across any application they're using. This is a prime example of the balance between user experience and security that implementing the right passwordless solution offers.
On your LinkedIn page, you state that you ‘do not use LinkedIn for security reasons’ and that your profile is only ‘a placeholder to prevent ID theft’. When did you make this decision and what are your thoughts on the current state of social media infosecurity?
I made that decision a long time ago and I think two major strands deserve attention here. The first is more well-known and exactly what I mean when I say that my profile is a placeholder to prevent ID theft: social media profiles are public. This means that a countless amount of information is out there about you in the public domain – your relationships, your age, your friends, and family – which, for someone stealing your identity, makes it far easier for them to do so and learn more about you.
The other side of the coin is a bit more complex and related to one of the most existential questions of the modern web: how online companies should generate revenue. The online ecosystem of today reflects primarily one answer to that question: a web where everything is free, but users pay for it by sacrificing privacy. Social media giants often generate the majority of their revenue through selling hyper-targeted advertising based on algorithmically mining user data – we all know this. But what I don't think people have fully grasped or understood yet is the extent to which your data is being shared.
As a starting point, most people don't know how much of their activities are being tracked in the first place. Most companies are collecting data these days on all the interactions, on all the places that they touch customers in the normal course of doing business. But where it goes next – that's the part that is the cloudiest and worries me most. For example, while not all companies, some do sell their data on and work with third-party data brokers, which gather huge swathes of information about a customer's behaviour across multiple interactions with various social media platforms. You only have to look at the Cambridge Analytica scandal as the most high-profile, malicious instance of this.
While many don't sell their data, some do simply share access to it. For example, PayPal disclosed that it shares consumer data (such as name, address, phone number, date of birth, bank account information, and recent purchases) with hundreds of entities around the world. While GDPR and the California Consumer Privacy Act (CCPA) have offered a counternarrative, there's still a long way to go before we truly bring privacy and the control of data back into the hands of users themselves.
A few years ago, I went as far as coining the phrase “Infection Circles” to indicate how a bad actor can propagate from your address book to attack most people in it through some relatively simple combination and manipulation of social media data.
Finally, have you got any advice for businesses who wish to protect their information from current and future threats but don't know where to start?
It's important to think end-to-end and not simply about encryption. In the midterm, organisations will have to work towards creating a quantum-safe ecosystem, ensuring that everything from identity encryption to communication systems and the databases we use to store data are all quantum-safe. Irrespective of the standards that NIST eventually settles on, our ultimate goal at Post-Quantum is to build quantum-ready solutions that can form this ecosystem.
However, if a CISO is unsure of where to start, I'd suggest focusing on securing their identity and access management (IAM) – it's the reason we created Nomidio as a quantum-ready identity service. A lot of people ask me: “Why are you focused on identity-as-a-service when entire communication networks could be at risk?” The simple answer is that we are creating a quantum-safe ecosystem, but identity is the key to the castle. You could secure all of your other pipes and joints, but if someone can obtain your user name and password, then it doesn't matter what else you do – because they can gain ‘legitimate’ access.
Just think about it from a cybercriminal's perspective: they will attack your pipes to start with; if you secure your pipes, they'll attack your joints; if you secure your joints, they'll poison the water. That's why identity is your gatekeeper to control what flows through the pipes.