

4-Sight: How to Prepare Your Organization for Post-Quantum Cryptography

PQC

The clock is ticking. As quantum computing advances, now is the time to prepare for post-quantum cryptography (PQC).

Readiness requires organizations to have a transition plan that includes input and support from across the enterprise. Staying ahead of technical debt and keeping up to date on evolving regulations will drive the organization-wide mindset shift toward the new realities of a post-quantum future.

Some experts predict that PQC could arrive in as few as five years, so the time to act is now.

Why It’s Smart to Start Modernizing 

  • Prepare for Harvest Now threats. Well-resourced nation-state actors are mounting Harvest Now, Decrypt Later (HNDL) attacks: stealing encrypted files today and holding on to them until they can decrypt them.
  • Readiness is a moving target. PQC guidelines are still evolving, bad actors are continuously innovating, and for large organizations it can take years to build an approach agile enough to keep adapting.
  • There is no template! Every plan is custom, with unique metrics and milestones, and it cannot be developed in a vacuum.
  • Time is moving fast. Recent estimates suggest quantum computers capable of breaking RSA-2048 could emerge as early as 2035, leaving less than a decade to complete large-scale transitions.

4 Steps to Prepare 

Beginning to modernize PKI today makes strategic sense for several reasons. In fact, Keyfactor has found that successful post-quantum readiness isn’t just a PKI challenge – it’s an organization-wide transformation. True crypto-agility requires cross-functional collaboration across security, IT, legal, compliance, and product teams.

This enterprise-wide approach improves asset inventory, risk assessment, training, and incident response, all while reducing exposure to future threats. By aligning teams now, organizations can accelerate PKI modernization and stay ahead in their PQC journey.

Step One: Discovery and Inventory

It may surprise you, but many organizations still lack a complete inventory of their cryptographic assets, despite dealing with a complex array of digital certificates, private keys, algorithms, and protocols.

Taking inventory is crucial in making a transformation plan that encompasses the whole infrastructure. Look for the public key infrastructure (PKI) components, including certificates and keys, and don’t forget to account for embedded cryptography in applications and devices, as these algorithms will need to be updated too. Legacy systems demand special attention, as they often rely on outdated security configurations; the cryptography they employ may already fall short of existing best practices and standards. Depending on the sector of your enterprise, operational technology (OT) systems that support machinery, physical devices, and hardware should also be included in the inventory.

Even for smaller organizations, taking inventory can get complex very quickly, so it’s important to enlist help. Cryptographic discovery tools can help identify assets at scale, flagging the most vulnerable ones in the process. Such tools may also help pinpoint instances of shadow IT, or usage of unauthorized software and/or hardware outside of the official purview of the IT department, in your organization. Such usage, while often well-intentioned, presents a security concern worthy of consideration. The PQC transformation process is an ideal moment to fill these potential gaps and strengthen your organization’s overall security posture.

Once you have the full inventory and a clear idea of which systems demand which action first, you will be able to compile the migration plan accordingly, from assets for urgent remediation to “migrate later” lower-priority protocols and certificates. The highest-priority, highest-exposure assets will demand a top position in the cryptography algorithm upgrade queue. 

Step Two: Implementation Triage of Crypto-Agile Solutions

Following the principles of crypto-agility when adopting or orchestrating your cryptography architecture will allow all parts of the ecosystem to support current and post-quantum cryptography algorithms during the transition period. During the discovery and inventory step, you prioritized the key systems for the PQC migration. These systems will require dual certificates (post-quantum as well as traditional) to maintain backwards compatibility before the transformation is complete.

The highest-priority systems typically have long device lifespans, including Internet of Things (IoT) devices and firmware. Next-generation connected vehicles in the automotive sector are a perfect example: their direct impact on the safety of human operators demands the highest standards of security even before the quantum era dawns. In the healthcare sector, “smart” pacemakers are another: by virtue of their placement they aren’t easily accessed once operational, so they need to receive updates over the air with all the safeguards appropriate to the level of care they provide.

Systems that contain highly sensitive, proprietary, and business-critical data should also be at the top of the priority list. The cryptography protecting such data needs to migrate to post-quantum algorithms as early as possible to prevent Harvest Now, Decrypt Later (HNDL) attacks.
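As an added illustration (not Keyfactor's tooling or any product's code), the script below turns the inventory from Step One into the migration queue described in Steps One and Two: each asset is classified as quantum-vulnerable, quantum-safe, or unknown, then ranked by the criteria above (how long its data must stay secret against HNDL, device lifespan, data sensitivity, exposure, and whether it already falls short of today's baseline). The asset records, the 2035 horizon (taken from the estimate above), and the scoring weights are all constructed assumptions.

```python
from dataclasses import dataclass

# Public-key algorithms Shor's algorithm breaks, and NIST's PQC replacements (FIPS 203/204/205).
QUANTUM_VULNERABLE = {"RSA", "DSA", "DH", "ECDSA", "ECDH", "Ed25519", "X25519"}
QUANTUM_SAFE = {"ML-KEM", "ML-DSA", "SLH-DSA"}
CRQC_YEAR = 2035  # assumed year a cryptographically relevant quantum computer exists

@dataclass
class Asset:
    name: str
    algorithm: str              # public-key algorithm behind the certificate or key
    key_bits: int
    secrecy_years: int          # how long the protected data must stay confidential
    device_lifetime_years: int  # how long the device stays fielded without replacement
    sensitive: bool             # proprietary or business-critical data
    internet_facing: bool

def classify(asset):  # 'quantum-safe', 'quantum-vulnerable' or 'unknown' (flag for manual review)
    return ("quantum-safe" if asset.algorithm in QUANTUM_SAFE else
            "quantum-vulnerable" if asset.algorithm in QUANTUM_VULNERABLE else "unknown")

def priority_score(asset, year):
    """Higher score = earlier in the migration queue. Weights are illustrative, not a standard."""
    kind = classify(asset)
    if kind != "quantum-vulnerable":
        return {"quantum-safe": 0, "unknown": 15}[kind]  # unidentified crypto is itself a finding
    horizon = max(0, CRQC_YEAR - year)  # years until the assumed CRQC
    factors = [
        (asset.secrecy_years > horizon, 40),          # HNDL: captured ciphertext outlives horizon
        (asset.device_lifetime_years > horizon, 30),  # fielded hardware cannot be re-keyed in time
        (asset.sensitive, 20),
        (asset.internet_facing, 10),
        (asset.algorithm == "RSA" and asset.key_bits < 2048, 10),  # below today's baseline
    ]
    return sum(weight for hit, weight in factors if hit)

def migration_queue(assets, year):  # "remediate now" first, "migrate later" last, ties by name
    return sorted(assets, key=lambda a: (-priority_score(a, year), a.name))

INVENTORY = [  # constructed sample inventory, not data from any real organisation
    Asset("vehicle-telematics-tls", "RSA", 2048, 12, 20, True, True),
    Asset("pacemaker-ota-signing", "ECDSA", 256, 15, 15, True, False),
    Asset("legacy-plc-vpn", "RSA", 1024, 5, 25, False, False),
    Asset("vendor-appliance", "proprietary", 0, 5, 10, False, True),
    Asset("internal-wiki-tls", "RSA", 2048, 1, 3, False, False),
    Asset("pqc-pilot-kem", "ML-KEM", 768, 30, 10, True, True),
]
if __name__ == "__main__":
    for a in migration_queue(INVENTORY, 2025):
        print(f"{priority_score(a, 2025):3d}  {classify(a):18s}  {a.name}")
```

Note that the ranking is a function of the year it is run: as the CRQC horizon shrinks, assets whose data or hardware lifetime previously fit inside it move up the queue, which is why the inventory has to be re-scored as part of ongoing governance.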

Step Three: Digital Certificate Management Automation

Upgrading to post-quantum cryptography doesn’t rid organizations of PKI management complexities. Manual certificate management doesn’t scale today at the enterprise level; therefore, it seems unlikely to be viable at all in the PQC era.

It is not just a question of volume. Certificate lifespans are expected to be as short as 47 days by 2029, making manual PKI management, frankly, a dangerous idea. The algorithmic complexity of post-quantum certificates will increase substantially, too, making automated solutions essential to tracking a complete cryptographic inventory.

To maintain business continuity and cryptographic integrity, a post-quantum transformation plan should include transitioning to automated certificate issuance, renewal, and replacement, if such tools aren’t in place already. While there are many PKI solutions on the market, choose one, such as Keyfactor EJBCA, that provides governance, role-based access, and detailed audit logs to maintain compliance and reduce operational risk.

Step Four: Ongoing Governance of Post-Quantum Cryptography

Post-quantum readiness is complex, and PQC implementation is a living, breathing strategy that needs continuous updating. Being quantum-ready requires ongoing governance, risk monitoring, and cryptographic hygiene in line with crypto-agility principles.

Some of the best practices for maintaining an up-to-date risk profile include establishing and regularly revising policies for algorithm deprecation, periodic key rotation, and fallback mechanisms in case of unforeseen or newly discovered algorithmic weaknesses. The key to staying quantum-ready is preparedness to adapt.

Quantum-safe algorithms are constantly evolving, and so should your policies and protocols. These should include staff training and education, as well as PQC-expertise-specific criteria when hiring for security and IT roles. Maintaining organization-wide participation and buy-in in staying quantum-ready is essential to the ongoing success of the initiative.

Conclusion: Modernize Now for the Post-Quantum Era

It’s time to future-proof your business. Preparing for post-quantum cryptography is a difficult challenge, but it’s an opportunity to reassess, evaluate, and modernize your cryptographic infrastructure. Criminals are evolving their techniques. Organizations should too.

Contact Keyfactor for proven tools and expertise to navigate the coming security risks of quantum computing.