Why banks need quantum-safe networks now: A Q&A with Nokia and Kyndryl


When malicious actors get access to a cryptographically relevant quantum computer (CRQC), the financial sector will likely be a top target. Even though Q-Day is predicted to be five or more years away, banks and other financial institutions need to start taking action today to prepare for tomorrow’s quantum security threat.

We sat down with our own network infrastructure and quantum-security expert Chris Janson, and James Knights from Kyndryl, a Principal Architect and seasoned leader who works with financial institutions and other enterprises to help them digitally transform their networks for performance, security, and future readiness. We got their insights on the security challenges facing banks today and how they can become quantum-safe leaders of the AI and quantum economy.

Overall, why is data security becoming increasingly difficult for financial institutions?

James Knights (JK): Because they’re relying on more network-connected devices than ever. The more devices you have, the greater the risk of those devices creating backdoors and other vulnerabilities that can be exploited. Most banks likely have vulnerable devices they aren’t even aware of because they don’t have full visibility into what’s inside their networks. 

Chris Janson (CJ): They’re also under pressure to move into the cloud. As workloads increase and become more demanding, such as from AI, they will get distributed across multiple clouds. Often institutions will have less visibility and control over their data. While they’re putting a lot of effort into protecting data in-transit on the network, what happens inside the cloud is often an afterthought. Banks trust that the data repositories outside their control are secure, but that’s not always the case.

With the financial sector among the most mature for AI adoption, how is this affecting the way banks need to approach data security?

CJ: When they use AI services, all the analysis, computing and storage are happening somewhere. But do the banks actually know where? Is it farmed out to a data center in a questionable location traversing a network that may or may not be quantum-safe? 

JK: Data sovereignty is also a key concern. Many of my customers are saying they will no longer accept a solution if their data must travel to other countries. A few years ago, it was acceptable for a company to host its control plane functions (for device access and management) in a foreign data center. In today’s geopolitical environment, they want everything to stay in their own country so they can maintain control. 

CJ: With any AI model, there’s a huge amount of data to be processed. If they’re working with somebody else’s AI model, the owner needs to know their data is secure. Building their own model in their own private cloud helps them retain control but also means they are responsible for security. This is sometimes difficult and once the model starts creating value, it’s imperative that it can’t be manipulated in any way.

What’s the best approach for protecting the integrity of data in flight between data centers?

JK: Optical transport is a very secure form of communication. While you can tap into fiber, it’s difficult. Compare that to wireless or satellite, where anybody with a radio kit could potentially capture your data.

CJ: Ideally, companies, like large multi-national corporations, would consider building their own on-premise data centers, or connecting their primary and secondary data centers with fiber they own and control. But, unless they’re the government, they’re most likely leasing fiber and using a cloud-based data center provider. For some commercial enterprises, building their own data centers may not be practical simply because of initial capital and on-going operating expenses. So they need to connect through networks to remote, often leased cloud services. Maintaining data integrity on these networks requires careful consideration of security tools including quantum-safe network practices.

JK: True Chris, but even if they don’t own the fiber, they should still be aware of the path being taken by their data and the interconnection points where that data could be accessed — and then take steps to secure that path in a quantum-safe way.

Why is it important for data center interconnect (DCI) to be done in a quantum-safe way?

CJ: Because when Q-Day comes, the risk of loss due to a security breach is too great. If a trading institution isn’t using quantum-safe DCI, a bad actor might, for example, interfere with trades, accessing its accounts and, once inside, sell shares at a fraction of their value, causing chaos in the markets. Or, they could break the encryption protecting customer accounts, leading to a surge in fraud sowing distrust of the institution or more broadly of online transactions and markets. 

JK: Looking at where we are today, it will be much easier to use a CRQC to crack into a bank than the military. Many governments are well aware of the quantum threat and already have their defenses up, while most financial institutions aren’t paying as much attention as they should. The bottom line is if they wait until Q-Day to act, it will be too late to prevent significant damage. We have a great opportunity to get ahead of this. The solutions are ready, they don’t require a forklift to upgrade, and the deployments are being proven in networks around the world.

What steps can financial institutions take today to be ready for Q-Day?

JK: The steps are clear. First, companies should start with a network risk assessment and security architecture review to get visibility into all devices in their network and how they are used. They can do this with the help of a trusted technology integration partner. Second, they can build a plan for handling any vulnerabilities identified during the assessment. And third, they need to make somebody accountable for doing this work. It can’t fall to the CISO only; they won’t have access to every network and every device. There needs to be a dedicated position responsible for ensuring no new vulnerabilities can get inside the network.

CJ: Looking into the architecture, historically, networks have used just one layer of data encryption, often at the application layer. One protection, however strong, assumes a breach could never occur, which is foolish. In the quantum world, banks need to embrace the idea of “defense-in-depth” — that is, implementing multiple protections at the same time, ideally using different cryptographical tools. So even if one barrier is breached, another remains in place. A robust quantum-safe network might use, for example, public key infrastructure (PKI) at the application layer, symmetric key distribution at the IP/MPLS layer and, perhaps, quantum key distribution (QKD) at the physical layer. This affords a high degree of crypto-resiliency as well as the agility needed to incorporate future cryptographical upgrades as threats evolve.

What’s your top piece of advice for financial institutions looking to protect their data in the AI and quantum era?

JK: We hear a lot that quantum is too far away, or people question whether it will really advance to the point where it’s a threat. There are thousands of researchers around the globe working hard to bring quantum computing technology to fruition so that society can use it to solve some of our biggest computing challenges. It is not a matter of if it will arrive, but when. So the worst thing you can do is nothing. Even if it’s just a network assessment to know where you stand, do something.

CJ: Make sure quantum-safe network solutions are part of your network plans that may be already underway as part of your digitalization or AI strategy. As I mentioned earlier, the good news is that doesn’t mean re-engineering your entire network. You can start small, implementing quantum-safe data center interconnect between your most important data centers first, then expand and add more protections over time to build up your defense-in-depth capabilities. 

JK: You also don’t need to do this yourself! At Nokia and Kyndryl, we have people who have done this before, there’s hundreds of successful trials and deployments, coupled with the experience and tools to do it right. If you’re looking to better secure your network for the AI and quantum era, come talk to us first!

Explore more about quantum-safe networks. Or contact us to explore your options.


About Chris Janson

Chris Janson follows trends in optical networking technology and its application to enterprise and other network operators. He has long contributed to the communications equipment and semiconductor fields through engineering and marketing roles. Chris enjoys giving back to the community through teaching engineering courses and serving on volunteer boards. In between that, he can be found running, riding bikes or windsurfing on Cape Cod or Maui.



About James Knights, Kyndryl

With over 40 years of telecom expertise spanning across Kyndryl, IBM, and Bell Canada, James has designed and built networks for high-profile sporting events, world-class sports venues, hospitals, financial institutions, connected factories, and government organizations. 

He is a Cisco Lifetime Emeritus CCIE (#2990) and an Open Group Certified Distinguished Architect, recognized for his contributions to advancing network architecture and innovation.
