Begin Transitioning to Post-Quantum Cryptography Now

Hurdles to overcome include:

• Lack of easy replacement options. No drop-in alternatives exist for current cryptographic algorithms. This creates the need for discovery, categorization and reimplementation.

• Varied performance requirements. New algorithms have different performance characteristics than asymmetric ones. Key and ciphertext sizes are larger, for example, and encryption and decryption times are longer. This may impact performance and require restating or rewriting of current applications.

• Lack of organizational knowledge. Few organizations know how their cryptography works, where keys and algorithms are used, or how secrets are stored and managed.

• Lack of vendor preparedness. Don’t assume that your vendors are equipped to handle post-quantum cryptography. Most are unprepared to upgrade and may not recognize that they need to unless you push them.

To address these challenges and smooth the transition to new algorithms, start by developing policies on algorithm substitution, data retention and the mechanics of swapping or modifying your existing use of cryptography. A policy-based program will reduce confusion and arbitrary choices, and increase manageability.

From there, build a metadata database of all in-use cryptographic algorithms. This enables your organization to scope the impact of new cryptography, determine the risk to specific applications, reduce existing cryptographic security debt and reprioritize incident response plans. Create a life cycle policy to reflect the risks to asymmetric keys.

Ask the vendors you identify in your inventory about their plans for moving to post-quantum cryptography, the overall roadmap for implementation and the potential impact of upgrades to existing systems.

Finally, implement crypto-agile application development. Vet and test new post-quantum cryptographic algorithms to understand their characteristics, uses and performance. Upgrade or replace hardware where necessary.

To effectively transition to post-quantum cryptography, organizations must take a proactive and structured approach. Begin by establishing a dedicated team to assess the scope, impact and cost of the transition, coordinate cryptographic policies and provide necessary expertise. To get started:

• Create a crypto center of excellence (CCOE) to assess the scope, impact and cost of the transition. Coordinate cryptographic policy, retain valuable metadata about algorithm usage and provide expertise to development teams.

• Build a metadata inventory. Understand what data is where and why it's there. Prepare for changes to cryptographic algorithms by building an inventory of metadata for applications that use cryptography.

• Replace weakening cryptographic methods with stronger, quantum-safe alternatives. Collaborate with security operations and software engineering leaders to plan upgrades to cryptographic dependencies.

• Establish centralized policies to govern the replacement of cryptographic algorithms, ensuring a consistent and secure transition. Start by developing policies on algorithm substitution, data retention and the mechanics of swapping or modifying your existing use of cryptography.

• Connect with your vendors to understand their plans for moving to post-quantum cryptography, the overall roadmap for implementation and the potential impact of upgrades to existing systems.

• Implement crypto-agile application development. Vet and test new post-quantum cryptographic algorithms to understand their characteristics, uses and performance. Upgrade or replace hardware where necessary.

• Read the Planning Guide for Cybersecurity Architects to access action plans for PQC and other key technology trends impacting security. 

Learn more about how Gartner works with technical teams to execute efficiently and drive business results.