As years to quantum (Y2Q) draw nearer, it becomes increasingly essential for organizations to gain clarity on how they will become quantum-safe by adopting post-quantum cryptography (PQC). It is important to be on this journey today and not wait until the last minute.

With NIST recently publishing long-awaited draft standards for several post-quantum cryptographic algorithms, the case for beginning your migration has never been stronger – starting with a cryptographic inventory.

A cryptographic inventory is a critical enabler of PQC migration planning. It helps you identify cryptographic vulnerabilities and prioritize the order for migrating your systems.

According to the latest Quantum-Readiness Migration to Post-Quantum Cryptography fact sheet, developed by the Cybersecurity and Infrastructure Security Agency (CISA), NSA, and NIST, quantum-readiness project teams should initiate proactive cryptographic discovery activities that identify the organization’s current reliance on quantum-vulnerable cryptography. Having an inventory of quantum-vulnerable systems and assets enables an organization to begin the quantum risk assessment processes, demonstrating the prioritization of migration.

The complexities and interconnectedness of cryptographic discovery make it clear that a successful PQC migration requires the effort of numerous stakeholders. Challenges, strategies, and findings exist to ease migration from the current public-key cryptographic algorithms to replacement algorithms that are cryptographically relevant to quantum computer-based attacks.

Organizations should invest resources into cryptographic discovery before the post-quantum algorithm standardization effort is finalized.

Here are three potential reasons:

1. Classical risks aren’t going away

There are cryptographic risks besides quantum risks. Organizations today often use cryptography that is weak by today’s standards, if not outright obsolete, and can be broken. This is a strong argument for making cryptographic discovery a core part of any organization’s risk management strategy.

Beyond the cryptographic algorithms, knowing what protocols are in place and what versions and configurations is necessary. An organization may have a server somewhere that no one has touched in years that still accepting obsolete and unsecure connections. Cryptographic discovery is essential for general risk management, including meeting compliance obligations and protecting data.

2. Cryptographic inventories enable migration planning

Until you have a cryptographic inventory, you cannot effectively start planning a PQC migration. Knowing what algorithms you’re using, where, why, and how makes it much easier to make systems quantum-safe.

Some organizations might not know what cryptography is running under the hood of one of their systems, but they know it is not quantum safe. They are confident they will eventually get a quantum-safe update from the vendor. Even in this situation, there are essential questions you still need to ask:

  • Are you comfortable getting updates according to whatever schedule your vendor chooses?
  • Do you know what that timeline is?
  • Do you know if the vendor even has a plan?
  • What happens if you switch to a new algorithm and lose interoperability with legacy devices?
  • How would you manage an update breaking a mission-critical workflow?

A cryptographic inventory helps answer these questions. It is also not purely a cryptographic problem; there are change management, risk management, and business continuity questions to consider. Moreover, an organization needs time to do proof-of-concept testing, understand the constraints and requirements of their environments, and investigate the appropriate solutions, as not all PQC algorithms have equal performance characteristics. Maybe the organization discovers a need to implement a hybrid solution to mitigate harvest now and decrypt later attacks. These answers begin with an inventory.

Why is it a clever idea to plan migration before the PQC standards are published? A PQC migration will be complicated, have many moving parts, and require a lot of research, testing, and engagement with different stakeholders. Meaning, it’s prudent for organizations to start as soon as possible.

3. Alignment with other change roadmaps

A PQC migration is not likely the only technological change organizations will undergo. There is also migration to Zero Trust. Like a quantum-safe migration, a Zero Trust migration benefits from being phased and iterative. It also requires a cryptographic inventory. Hence, there is an excellent opportunity to strategically align different change roadmaps the organization might have to save costs, resources, duplication of efforts, and headaches.

A smart quantum-safe migration is phased, iterative, and planned over a longer term. By doing so, the net costs, errors, and risks can be minimized. If you wait until PQC standards are finalized, you will play catch-up.