Leaping the security gap

In mid-September, WTW joined the RANT cybersecurity community for an exclusive roundtable discussion in London, where senior leaders from the Indigo Vault team presented their quantum-resistant document protection platform. The product was given a detailed cross-examination by a group of senior cybersecurity experts.

Here’s what they learned.

When WTW’s CIO Mark Beardall and his team discovered the power of quantum computing in breaking encryption, they realized the threat it could pose to the company’s vast troves of confidential and sensitive data. “We realized that, when quantum computers are readily available, all the secrets of today are gone,” Beardall revealed. The company took immediate action, investing significant funds to find a solution. This led to the development of Indigo Vault, a quantum-resistant document protection platform. The platform was developed internally and used for two years within the company before it was launched publicly.

WTW was aware that the complexity of a security tool could influence its usage. Lee Marmara, WTW’s product owner for Indigo Vault, acknowledged the balance between security and ease of use: “If there’s friction, users won’t use it – but if there’s no friction then you’ve lost the security.” The company aimed to find a balance that would maintain security without causing friction for the user. Beardall agreed, noting that overuse of the tool could pose risks but also provide benefits like reducing the risk of accidental data leakage.

One question raised during the discussion was how the company could guarantee that Indigo Vault would work in a post-quantum era while we are still pre-quantum. Sean Plankey, Indigo Vault’s general manager, explained that WTW based its performance and encryption features against standards developed by NIST. “Have they been tested in quantum environments? That remains to be seen. But the mathematical principles are said to be quantum-resistant,” he said. This assurance may not answer every question quantum technology will raise, but it does represent the best available solution currently.

One concern raised was the storage of the decryption keys. The system uses Azure to store the key vault and any elements of code needed for decryption would be held in escrow. The geographic location of data is also considered. This gives businesses another layer of security to meet any regulatory or legal residency requirements.

The questions and concerns raised during the discussion highlighted the necessity of designing security against threats that don’t exist yet. It demands flexibility, adaptability and a willingness to rethink the solution as the challenge changes. Despite this, most of the senior security leaders at the roundtable discussion believed that Indigo Vault is a product they would like to see deployed on their networks, indicating its potential success in the cybersecurity market.